diff --git a/add-to-your-blog.php b/add-to-your-blog.php
index 3584e6e..b80930c 100755
--- a/add-to-your-blog.php
+++ b/add-to-your-blog.php
@@ -163,28 +163,6 @@
 	}// end if isSet($_POST["add-to-your-blog-php-submit-button"])
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lXSRFVulnerabilityAreaBallonTip = $BubbleHintHandler->getHint("XSRFVulnerabilityArea");
-   		$lHTMLandXSSandSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("HTMLandXSSandSQLInjectionPoint");   		
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try	
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[XSRFVulnerabilityArea]').attr("title", "<?php echo $lXSRFVulnerabilityAreaBallonTip; ?>");
-		$('[XSRFVulnerabilityArea]').balloon();
-		$('[HTMLandXSSandSQLInjectionPoint]').attr("title", "<?php echo $lHTMLandXSSandSQLInjectionPointBallonTip; ?>");
-		$('[HTMLandXSSandSQLInjectionPoint]').balloon();		
-	});
-</script>
-
 <!-- BEGIN HTML OUTPUT  -->
 <script type="text/javascript">
 	var onSubmitBlogEntry = function(/* HTMLForm */ theForm){
@@ -232,7 +210,7 @@
 			</tr>
 			<tr><td></td></tr>
 			<tr>
-				<td id="id-blog-form-header-td" ReflectedXSSExecutionPoint="1" class="form-header">
+				<td id="id-blog-form-header-td" class="form-header">
 					Add blog for <?php echo $lLoggedInUser?>
 				</td>
 			</tr>
@@ -244,7 +222,7 @@
 			</tr>
 			<tr>
 				<td>
-					<textarea 	name="blog_entry" HTMLandXSSandSQLInjectionPoint="1" rows="8" cols="65"
+					<textarea 	name="blog_entry" rows="8" cols="65"
 								autofocus="autofocus"
 						<?php 
 							if ($lEnableHTMLControls) {
@@ -338,9 +316,9 @@
 
 			echo "<tr>
 					<td>{$lRowNumber}</td>
-					<td ReflectedXSSExecutionPoint=\"1\">{$lBloggerName}</td>
+					<td>{$lBloggerName}</td>
 					<td>{$lDate}</td>
-					<td ReflectedXSSExecutionPoint=\"1\">{$lComment}</td>
+					<td>{$lComment}</td>
 				</tr>\n";
 		}//end while $lRecord
 		echo "</table><div>&nbsp;</div>";		
diff --git a/arbitrary-file-inclusion.php b/arbitrary-file-inclusion.php
index 4844b60..6fbbde3 100755
--- a/arbitrary-file-inclusion.php
+++ b/arbitrary-file-inclusion.php
@@ -45,25 +45,6 @@
     }// end try;
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lLocalFileInclusionVulnerabilityBallonTip = $BubbleHintHandler->getHint("LocalFileInclusionVulnerability");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try	
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[LocalFileInclusionVulnerability]').attr("title", "<?php echo $lLocalFileInclusionVulnerabilityBallonTip; ?>");
-		$('[LocalFileInclusionVulnerability]').balloon();
-	});
-</script>
-
 <div class="page-title">Arbitrary File Inclusion</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -75,7 +56,7 @@
 	</tr>
 	<tr><td>&nbsp;</td></tr>
 	<tr style="text-align: left;">
-		<td ReflectedXSSExecutionPoint="1" class="label">Current Page: <?php echo $lPage; ?></td>
+		<td class="label">Current Page: <?php echo $lPage; ?></td>
 	</tr>
 	<tr>
 		<td LocalFileInclusionVulnerability="1" class="label">
diff --git a/browser-info.php b/browser-info.php
index 1192e39..0131ec4 100755
--- a/browser-info.php
+++ b/browser-info.php
@@ -65,25 +65,6 @@
     }// end try;
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lJavaScriptInjectionPointBallonTip = $BubbleHintHandler->getHint("JavaScriptInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try	
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[JavaScriptInjectionPoint]').attr("title", "<?php echo $lJavaScriptInjectionPointBallonTip; ?>");
-		$('[JavaScriptInjectionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">Browser Information</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -94,8 +75,8 @@
 	<tr><th class="report-label">Client IP</th><td class="report-data"><?php echo $lClientIP; ?></td></tr>
     <tr><th class="report-label">Client Hostname</th><td class="report-data"><?php echo $lClientHostname; ?></td></tr>
     <tr><th class="report-label">Operating System</th><td class="report-data"><?php echo $lOperatingSystem ?></td></tr>
-    <tr><th class="report-label">User Agent String</th><td class="report-data" ReflectedXSSExecutionPoint="1"><?php echo $lClientUserAgentString; ?></td></tr>
-    <tr><th class="report-label">Referrer</th><td class="report-data" ReflectedXSSExecutionPoint="1"><?php echo $lClientReferrer; ?></td></tr>
+    <tr><th class="report-label">User Agent String</th><td class="report-data"><?php echo $lClientUserAgentString; ?></td></tr>
+    <tr><th class="report-label">Referrer</th><td class="report-data"><?php echo $lClientReferrer; ?></td></tr>
     <tr><th class="report-label">Remote Client Port</th><td class="report-data"><?php echo $lClientPort; ?></td></tr>
     <tr><th class="report-label">WhoIs info for client IP</th><td class="report-data"><pre><?php echo $lWhoIsInformation; ?></pre></td></tr>
 	<?php 
@@ -105,7 +86,7 @@
 		}// end foreach
 	}else{
 		foreach ($_COOKIE as $key => $value){
-	    	echo '<tr><th class="report-label" ReflectedXSSExecutionPoint="1" class="non-wrapping-label">Cookie '.$key.'</th><td class="report-data">'.$value.'</pre></td></tr>';
+	    	echo '<tr><th class="report-label" class="non-wrapping-label">Cookie '.$key.'</th><td class="report-data">'.$value.'</pre></td></tr>';
 		}// end foreach
 	}// end if
 	?>    
@@ -154,8 +135,8 @@
 		<td class="report-data" id="id_color_depth_enabled_td"></td>
 	</tr>
 	<tr>
-		<th class="report-label" JavaScriptInjectionPoint="1">Referrer</th>
-		<td class="report-data" id="id_referrer_td" JavaScriptInjectionPoint="1"></td>
+		<th class="report-label">Referrer</th>
+		<td class="report-data" id="id_referrer_td"></td>
 	</tr>
 	<tr>
 		<th class="report-label">Plug-Ins</th>
diff --git a/capture-data.php b/capture-data.php
index aa74926..d9ac13f 100755
--- a/capture-data.php
+++ b/capture-data.php
@@ -19,12 +19,6 @@
 	 * ------------------------------------------ */
 	require_once ('./includes/constants.php');
 	require_once(__ROOT__.'/includes/minimum-class-definitions.php');
-	
-	/* ------------------------------------------
- 	* initialize balloon-hint handler
- 	* ------------------------------------------ */
-	require_once (__ROOT__.'/classes/BubbleHintHandler.php');
-	$BubbleHintHandler = new BubbleHintHandler(__ROOT__."/owasp-esapi-php/src/", $_SESSION["security-level"]);
 		
 	/* ------------------------------------------
  	* initialize Client Information Handler
@@ -142,25 +136,6 @@
 	include_once(__ROOT__."/includes/log-visit.php");
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("SQLInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try	
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[SQLInjectionPoint]').attr("title", "<?php echo $lSQLInjectionPointBallonTip; ?>");
-		$('[SQLInjectionPoint]').balloon();
-	});
-</script>
-
 <link rel="stylesheet" type="text/css" href="./styles/global-styles.css" />
 <div class="page-title">Capture Data</div>
 
@@ -181,7 +156,7 @@
 	</tr>
 	<tr><td>&nbsp;</td></tr>
 	<tr>
-		<td SQLInjectionPoint="1">
+		<td>
 			This page is designed to capture any parameters sent and store them in a file and a database table. It loops through
 			the POST and GET parameters and records them to a file named <span class="label"><?php print $lFilename; ?></span>. On this system, the 
 			file should be found at <span class="label"><?php print $lFilepath; ?></span>. The page
@@ -191,7 +166,7 @@
 	</tr>
 	<tr><td>&nbsp;</td></tr>
 	<tr>
-		<th ReflectedXSSExecutionPoint="1">
+		<th>
 			The data captured on this request is: <?php print $lCapturedData; ?>
 		</th>
 	</tr>
diff --git a/captured-data.php b/captured-data.php
index b97431b..d9f4368 100755
--- a/captured-data.php
+++ b/captured-data.php
@@ -56,22 +56,6 @@
    	
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
-
 <script>
 	var DeleteCapturedData = function(){
 		if (window.confirm("Please confirm all captured data should be deleted")){
@@ -164,9 +148,9 @@
 					<td>{$lHostname}</td>
 					<td>{$lClientIPAddress}</td>
 					<td>{$lClientPort}</td>
-					<td ReflectedXSSExecutionPoint=\"1\">{$lClientUserAgentString}</td>
-					<td ReflectedXSSExecutionPoint=\"1\">{$lClientReferrer}</td>
-					<td ReflectedXSSExecutionPoint=\"1\">{$lData}</td>
+					<td>{$lClientUserAgentString}</td>
+					<td>{$lClientReferrer}</td>
+					<td>{$lData}</td>
 					<td>{$lCaptureDate}</td>
 				</tr>\n";
 		}//end while $row
diff --git a/classes/BubbleHintHandler.php b/classes/BubbleHintHandler.php
deleted file mode 100755
index e60dbaf..0000000
--- a/classes/BubbleHintHandler.php
+++ /dev/null
@@ -1,128 +0,0 @@
-<?php
-class BubbleHintHandler {
-	protected $encodeOutput = FALSE;
-	protected $stopSQLInjection = FALSE;
-	protected $mSecurityLevel = 0;
-	protected $mHintLevel = 0;
-	protected $mHintsEnabled = TRUE; // Decides if system wants to see hints
-	protected $mDisplayHints = TRUE; // Decides if user wants to see hints
-
-	// private objects
-	protected $mMySQLHandler = null;
-	protected $mESAPI = null;
-	protected $mEncoder = null;
-	
-	private function doSetSecurityLevel($pSecurityLevel){
-		$this->mSecurityLevel = $pSecurityLevel;
-		
-		switch ($this->mSecurityLevel){
-	   		case "0": // This code is insecure, we are not encoding output
-			case "1": // This code is insecure, we are not encoding output
-				$this->encodeOutput = FALSE;
-				$this->stopSQLInjection = FALSE;
-				$this->mHintsEnabled = TRUE;
-	   		break;
-		    		
-			case "2":
-			case "3":
-			case "4":
-	   		case "5": // This code is fairly secure
-	  			// If we are secure, then we encode all output.
-	   			$this->encodeOutput = TRUE;
-	   			$this->stopSQLInjection = TRUE;
-	   			$this->mHintsEnabled = FALSE;
-	   		break;
-	   	}// end switch		
-	}// end function
-
-	private function doShowHideHints($pboolShow){
-		$this->mDisplayHints = $pboolShow;
-		$_SESSION["BubbleHintHandler"]["mDisplayHints"] = $pboolShow;
-	}// end function
-
-	public function __construct($pPathToESAPI, $pSecurityLevel){
-		
-		$this->doSetSecurityLevel($pSecurityLevel);
-		
-		//initialize OWASP ESAPI for PHP
-		require_once ($pPathToESAPI . 'ESAPI.php');
-		$this->ESAPI = new ESAPI($pPathToESAPI . 'ESAPI.xml');
-		$this->Encoder = $this->ESAPI->getEncoder();
-
-		/* Initialize MySQL Connection handler */
-		require_once ('MySQLHandler.php');
-		$this->mMySQLHandler = new MySQLHandler($pPathToESAPI, $pSecurityLevel);
-		$this->mMySQLHandler->connectToDefaultDatabase();
-		
-		if(!isset($_SESSION["BubbleHintHandler"]["mDisplayHints"])){
-			//$this->doShowHideHints(TRUE);
-			$this->doShowHideHints(FALSE);
-		}else{
-			$this->doShowHideHints($_SESSION["BubbleHintHandler"]["mDisplayHints"]);
-		}//end if
-
-	}// end function __construct
-	
-	/* PHP cant remeber any information in class after request is over, hence the 
-	disgusting hack of using the session to remember settings. Its total hack but
-	PHP is limited.
-	*/
-	public function showHints(){
-		$this->doShowHideHints(TRUE);
-	}// end function
-
-	public function hideHints(){
-		$this->doShowHideHints(FALSE);
-	}// end function
-	
-	public function hintsAreDispayed(){
-		return $this->mDisplayHints;
-	}// end function
-	
-	public function setSecurityLevel($pSecurityLevel){
-		$this->doSetSecurityLevel($pSecurityLevel);
-		$this->mMySQLHandler->setSecurityLevel($pSecurityLevel);
-	}// end function
-
-	public function getSecurityLevel($pSecurityLevel){
-		return $this->mSecurityLevel;
-	}// end function
-	
-	public function setHintLevel($pHintLevel){
-		$this->mHintLevel = $pHintLevel;
-	}// end function
-
-	public function getHintLevel(){
-		return $this->mHintLevel;
-	}// end function
-	
-	public function getHint($pTipKey){
-
-		// if user doesnt want to see hints, return nothing
-		if (!$this->mDisplayHints){
-			return "";
-		}// end if
-		
-		//if system has disabled hints. return innocuous message.
-		if (!$this->mHintsEnabled){
-			return "Not allowed to give hints at this security level.";
-		}// end if
-
-		/* There used to be different hint levels. These were merged into the super-hint system.
-		 * Overall this was a big improvement but now the bubble hints can no longer increase
-		 * in verbosity as the hint level increases. Until I get around to fixing this, Im setting
-		 * the bubble hint level to maximum verbosity (level =2).
-		 */
-		//$lQuery  = "SELECT tip FROM balloon_tips WHERE tip_key ='" . $pTipKey . "' AND hint_level = " . $this->mHintLevel . ";";
-		$lQuery  = "SELECT tip FROM balloon_tips WHERE tip_key ='" . $pTipKey . "' AND hint_level = 2;";
-		
-		try{
-    		$lResult = $this->mMySQLHandler->executeQuery($lQuery);
-    		$lDataRow = $lResult->fetch_object();
-			return $lDataRow->tip;
-		} catch (Exception $e) {
-			return "Error attempting to read from hint table: ".$e->getMessage();
-		}// end try
-	}// end method
-
-}// end class
\ No newline at end of file
diff --git a/client-side-control-challenge.php b/client-side-control-challenge.php
index 97d19d8..176a941 100755
--- a/client-side-control-challenge.php
+++ b/client-side-control-challenge.php
@@ -337,28 +337,6 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 //-->
 </script>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lBufferOverflowInjectionPointBalloonTip = $BubbleHintHandler->getHint("BufferOverflowInjectionPoint");
-		$lHTMLandXSSInjectionPointBalloonTip = $BubbleHintHandler->getHint("HTMLandXSSInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[BufferOverflowInjectionPoint]').attr("title", "<?php echo $lBufferOverflowInjectionPointBalloonTip; ?>");
-		$('[BufferOverflowInjectionPoint]').balloon();		
-		$('[HTMLandXSSInjectionPoint]').attr("title", "<?php echo $lHTMLandXSSInjectionPointBalloonTip; ?>");
-		$('[HTMLandXSSInjectionPoint]').balloon();		
-	});
-</script>
-
 <style>
 	input.box:hover {
 	    left: 200px;
@@ -414,48 +392,48 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label" style="text-align: left;">Text Box</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="text" name="textbox" id="id_textbox" size="15" maxlength="15" required="required" autofocus="autofocus" />
+					<input type="text" name="textbox" id="id_textbox" size="15" maxlength="15" required="required" autofocus="autofocus" />
 				</td>
 			</tr>			<tr>
 				<td class="label" style="text-align: left;">Read-only Text Box</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="text" name="readonly_textbox" id="id_readonly_textbox" size="15" maxlength="15" required="required" autofocus="autofocus" readonly="readonly" value="42" />
+					<input type="text" name="readonly_textbox" id="id_readonly_textbox" size="15" maxlength="15" required="required" autofocus="autofocus" readonly="readonly" value="42" />
 				</td>
 			</tr>			
 			<tr>
 				<td class="label" style="text-align: left;">Short Text Box</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="text" name="short_textbox" id="id_short_textbox" size="3" maxlength="3" required="required" />
+					<input type="text" name="short_textbox" id="id_short_textbox" size="3" maxlength="3" required="required" />
 				</td>
 			</tr>
 			<tr>
 				<td class="label" style="text-align: left;">Disabled Text Box</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="text" name="disabled_textbox" id="id_disabled_textbox" size="15" maxlength="15" required="required" disabled="disabled" style="background-color:#dddddd;" />
+					<input type="text" name="disabled_textbox" id="id_disabled_textbox" size="15" maxlength="15" required="required" disabled="disabled" style="background-color:#dddddd;" />
 				</td>
 			</tr>
 			<tr>
 				<td class="label" style="text-align: left;">Hidden Text Box</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="hidden" name="hidden_textbox" id="id_hidden_textbox" size="15" maxlength="15" required="required" />
+					<input type="hidden" name="hidden_textbox" id="id_hidden_textbox" size="15" maxlength="15" required="required" />
 				</td>
 			</tr>
 			<tr>
 				<td class="label" style="text-align: left;">"Secured by JavaScript" Text Box</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="text" name="tricky_textbox" id="id_tricky_textbox" size="15" maxlength="15" required="required" onfocus="javascript:this.blur();" />
+					<input type="text" name="tricky_textbox" id="id_tricky_textbox" size="15" maxlength="15" required="required" onfocus="javascript:this.blur();" />
 				</td>
 			</tr>
 			<tr>
 				<td class="label" style="text-align: left;">Vanishing Text Box</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="text" name="vanishing_textbox" id="id_vanishing_textbox" size="15" maxlength="15" required="required" onmouseover="javascript:this.type='hidden';" />
+					<input type="text" name="vanishing_textbox" id="id_vanishing_textbox" size="15" maxlength="15" required="required" onmouseover="javascript:this.type='hidden';" />
 				</td>
 			</tr>
 			<tr>
 				<td class="label" style="text-align: left;">Shy Text Box</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="text" name="shy_textbox" id="id_shy_textbox" size="15" maxlength="15" required="required" class="box" />
+					<input type="text" name="shy_textbox" id="id_shy_textbox" size="15" maxlength="15" required="required" class="box" />
 				</td>
 			</tr>
 			<tr>
@@ -467,13 +445,13 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label" style="text-align: left;">Password</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="password" name="password" id="id_password" size="15" maxlength="15" required="required" value="Hint: If you use Burp-Suite this exercise is much easier" />
+					<input type="password" name="password" id="id_password" size="15" maxlength="15" required="required" value="Hint: If you use Burp-Suite this exercise is much easier" />
 				</td>
 			</tr>
 			<tr>
 				<td class="label" style="text-align: left;">Drop-down Box</td>
 				<td style="text-align: left;">
-					<select HTMLandXSSInjectionPoint="1" name="select" id="id_select" required="required">
+					<select name="select" id="id_select" required="required">
 						<option value="1">One</option>
 						<option value="2">Two</option>
 						<option value="3">Buckle my shoe</option>
diff --git a/content-security-policy.php b/content-security-policy.php
new file mode 100644
index 0000000..719bc1e
--- /dev/null
+++ b/content-security-policy.php
@@ -0,0 +1,138 @@
+<?php
+/* Command Injection
+ * Method Tampering
+ * Cross Site Scripting
+ * HTML Injection */
+
+try {
+    switch ($_SESSION["security-level"]){
+        case "0": // This code is insecure. No input validation is performed.
+            $lEnableJavaScriptValidation = FALSE;
+            $lEnableHTMLControls = FALSE;
+            $lProtectAgainstMethodTampering = FALSE;
+            $lProtectAgainstCommandInjection=FALSE;
+            $lProtectAgainstXSS = FALSE;
+            break;
+            
+        case "1": // This code is insecure. No input validation is performed.
+            $lEnableJavaScriptValidation = TRUE;
+            $lEnableHTMLControls = TRUE;
+            $lProtectAgainstMethodTampering = FALSE;
+            $lProtectAgainstCommandInjection=FALSE;
+            $lProtectAgainstXSS = FALSE;
+            break;
+            
+        case "2":
+        case "3":
+        case "4":
+        case "5": // This code is fairly secure
+            $lProtectAgainstCommandInjection=TRUE;
+            $lEnableHTMLControls = TRUE;
+            $lEnableJavaScriptValidation = TRUE;
+            $lProtectAgainstMethodTampering = TRUE;
+            $lProtectAgainstXSS = TRUE;
+            break;
+    }// end switch
+    
+    $lFormSubmitted = FALSE;
+    if (isset($_POST["message"]) || isset($_REQUEST["message"])) {
+        $lFormSubmitted = TRUE;
+    }// end if
+    
+    if ($lFormSubmitted){
+        
+        $lProtectAgainstMethodTampering?$lMessage = $_POST["message"]:$lMessage = $_REQUEST["message"];
+        
+        if ($lProtectAgainstXSS) {
+            /* Protect against XSS by output encoding */
+            $lMessageText = $Encoder->encodeForHTML($lMessage);
+        }else{
+            $lMessageText = $lMessage; 		//allow XSS by not encoding output
+        }//end if
+        
+    }// end if $lFormSubmitted
+    
+}catch(Exception $e){
+    echo $CustomErrorHandler->FormatError($e, "Error setting up configuration on page content-security-policy.php");
+}// end try
+?>
+
+<script src="javascript/on-page-scripts/content-security-policy.js"></script>
+<div class="page-title"><span style="font-size: 18pt;">Content Security Policy (CSP)</div>
+
+<?php include_once (__ROOT__.'/includes/back-button.inc');?>
+<?php include_once (__ROOT__.'/includes/hints/hints-menu-wrapper.inc'); ?>
+
+<form action="index.php?page=content-security-policy.php" 
+	  method="post" 
+	  enctype="application/x-www-form-urlencoded"
+	  id="idCSPForm">		
+	<table style="margin-left:auto; margin-right:auto;">
+		<tr id="id-bad-cred-tr" style="display: none;">
+			<td colspan="2" class="error-message">
+				Error: Invalid Input
+			</td>
+		</tr>
+		<tr><td></td></tr>
+		<tr>
+			<td colspan="2" class="form-header">Enter injection...errr...message</td>
+		</tr>
+		<tr><td></td></tr>
+		<tr>
+			<td class="label">Message</td>
+			<td>
+				<input 	type="text" id="idMessageInput" name="message" size="20" 
+						autofocus="autofocus"
+						<?php
+							if ($lEnableHTMLControls) {
+								echo('minlength="1" maxlength="20" required="required"');
+							}// end if
+						?>
+				/>
+			</td>
+		</tr>
+		<tr><td></td></tr>
+		<tr>
+			<td colspan="2" style="text-align:center;">
+				<input name="content-security-policy-php-submit-button" class="button" type="submit" value="Submit" />
+			</td>
+		</tr>
+		<tr><td></td></tr>
+		<tr><td></td></tr>
+	</table>
+</form>
+<script nonce="<?php echo $CSPNonce; ?>">
+    document.addEventListener('DOMContentLoaded', function () {
+        document.getElementById('idCSPForm').addEventListener('submit', 
+            function(event){
+                <?php 
+                    if($lEnableJavaScriptValidation){
+            	         echo "if(!onSubmitOfForm(this)){event.preventDefault()}";
+                    }else{
+                         echo "return true;";
+                    }
+            	?>
+    		});
+	});
+</script>
+
+<?php
+/* Output results of shell command sent to operating system */
+if ($lFormSubmitted){
+	    try{
+	        echo '<div class="report-header">Results for '.$lMessageText.'</div>';
+	        
+	        if ($lProtectAgainstCommandInjection) {
+	            echo '<pre class="report-header" style="text-align:left;">You typed '.$lMessage.'</pre>';
+	            $LogHandler->writeToLog("Executed PHP command: echo " . $lMessageText);
+	        }else{
+	            echo '<pre class="report-header" style="text-align:left;">You typed "'.shell_exec("echo -n " . $lMessage).'"</pre>';
+	            $LogHandler->writeToLog("Executed operating system command: echo " . $lMessageText);
+	        }//end if
+
+    	}catch(Exception $e){
+			echo $CustomErrorHandler->FormatError($e, "Input: " . $lMessage);
+    	}// end try
+    	
+	}// end if (isset($_POST)) 
+?>
\ No newline at end of file
diff --git a/credits.php b/credits.php
index 8c84ba0..7817afe 100755
--- a/credits.php
+++ b/credits.php
@@ -33,22 +33,6 @@
    	}// end switch
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lArbitraryRedirectionPointBallonTip = $BubbleHintHandler->getHint("ArbitraryRedirectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ArbitraryRedirectionPoint]').attr("title", "<?php echo $lArbitraryRedirectionPointBallonTip; ?>");
-		$('[ArbitraryRedirectionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">Credits</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -56,7 +40,7 @@
 
 <div class="label">Developed by <a href="https://twitter.com/webpwnized" target="_blank">Jeremy "webpwnized" Druin</a>. Based on Mutillidae 1.0 from Adrian &quot;<a href="http://www.irongeek.com" target="_blank">Irongeek</a>&quot; Crenshaw.</div>
 <div>&nbsp;</div>
-<div class="label" ArbitraryRedirectionPoint="1"><a href="index.php?page=redirectandlog.php&forwardurl=<?php echo $lOWASPURLReference; ?>">OWASP</a></div>
-<div class="label" ArbitraryRedirectionPoint="1"><a href="index.php?page=redirectandlog.php&forwardurl=<?php echo $lKYISSAURLReference; ?>">ISSA Kentuckiana</a></div>
-<div class="label" ArbitraryRedirectionPoint="1"><a href="index.php?page=redirectandlog.php&forwardurl=<?php echo $lOWASPLouisvilleURLReference; ?>">OWASP Louisville</a></div>
-<div class="label" ArbitraryRedirectionPoint="1"><a href="index.php?page=redirectandlog.php&forwardurl=<?php echo $lMutillidaeFirefoxAddOnsURLReference; ?>">Helpful Firefox Add-Ons</a></div>
+<div class="label"><a href="index.php?page=redirectandlog.php&forwardurl=<?php echo $lOWASPURLReference; ?>">OWASP</a></div>
+<div class="label"><a href="index.php?page=redirectandlog.php&forwardurl=<?php echo $lKYISSAURLReference; ?>">ISSA Kentuckiana</a></div>
+<div class="label"><a href="index.php?page=redirectandlog.php&forwardurl=<?php echo $lOWASPLouisvilleURLReference; ?>">OWASP Louisville</a></div>
+<div class="label"><a href="index.php?page=redirectandlog.php&forwardurl=<?php echo $lMutillidaeFirefoxAddOnsURLReference; ?>">Helpful Firefox Add-Ons</a></div>
diff --git a/dns-lookup.php b/dns-lookup.php
index a8018d4..3d2283f 100755
--- a/dns-lookup.php
+++ b/dns-lookup.php
@@ -58,33 +58,16 @@
 				$lTargetHostText = $lTargetHost; 		//allow XSS by not encoding output	    		
 	    	}//end if
 	    	
-		}// end if $lFormSubmitted    	
-    	
-		try{
-    		$lOSCommandInjectionPointBallonTip = $BubbleHintHandler->getHint("OSCommandInjectionPoint");
-       		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-		} catch (Exception $e) {
-			echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-		}// end try
-    		    	    	
+		}// end if $lFormSubmitted  
 	}catch(Exception $e){
-		echo $CustomErrorHandler->FormatError($e, "Error setting up configuration on page dns-lookup.php");
-	}// end try	
+	    echo $CustomErrorHandler->FormatError($e, "Error setting up configuration on page html5-storage.php");
+	}// end try
 ?>
 
 <div class="page-title">DNS Lookup</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
 <?php include_once (__ROOT__.'/includes/hints/hints-menu-wrapper.inc'); ?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[OSCommandInjectionPoint]').attr("title", "<?php echo $lOSCommandInjectionPointBallonTip; ?>");
-		$('[OSCommandInjectionPoint]').balloon();
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
     
 <!-- BEGIN HTML OUTPUT  -->
 <script type="text/javascript">
@@ -132,7 +115,7 @@
 		</tr>
 		<tr><td></td></tr>
 		<tr>
-			<td colspan="2" class="form-header">Who would you like to do a DNS lookup on?<br/><br/>Enter IP or hostname</td>
+			<td colspan="2" class="form-header">Enter IP or hostname</td>
 		</tr>
 		<tr><td></td></tr>
 		<tr>
@@ -140,7 +123,6 @@
 			<td>
 				<input 	type="text" id="idTargetHostInput" name="target_host" size="20" 
 						autofocus="autofocus"
-						OSCommandInjectionPoint="1"
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="20" required="required"');
@@ -161,11 +143,11 @@
 </form>
 
 <?php
-/* Output results of shell command sent to operating system */
-if ($lFormSubmitted){
+    /* Output results of shell command sent to operating system */
+    if ($lFormSubmitted){
 	    try{
 	    	if ($lTargetHostValidated){
-	    		echo '<div class="report-header" ReflectedXSSExecutionPoint="1">Results for '.$lTargetHostText.'</div>';
+	    		echo '<div class="report-header">Results for '.$lTargetHostText.'</div>';
     			echo '<pre class="report-header" style="text-align:left;">'.shell_exec("nslookup " . $lTargetHost).'</pre>';
 				$LogHandler->writeToLog("Executed operating system command: nslookup " . $lTargetHostText);
 	    	}else{
@@ -177,4 +159,4 @@
     	}// end try
     	
 	}// end if (isset($_POST)) 
-?>
\ No newline at end of file
+?>
diff --git a/document-viewer.php b/document-viewer.php
index be32d10..6c254cc 100755
--- a/document-viewer.php
+++ b/document-viewer.php
@@ -93,25 +93,6 @@
 	$LogHandler->writeToLog("User chose to view document: " . $lDocumentToBeFramed);   	
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lParameterPollutionInjectionPointBallonTip = $BubbleHintHandler->getHint("ParameterPollutionInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[ParameterPollutionInjectionPoint]').attr("title", "<?php echo $lParameterPollutionInjectionPointBallonTip; ?>");
-		$('[ParameterPollutionInjectionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">Document Viewer</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -176,14 +157,14 @@
 			<tr><td></td></tr>
 			<tr>
 				<td style="text-align:center;">
-					<input ParameterPollutionInjectionPoint="1" name="document-viewer-php-submit-button" class="button" type="submit" value="View Document" />
+					<input name="document-viewer-php-submit-button" class="button" type="submit" value="View Document" />
 				</td>
 			</tr>
 		</table>
 	</form>
 
 	<div>&nbsp;</div>
-	<div class="label" ReflectedXSSExecutionPoint="1">
+	<div class="label">
 	<?php 
 		if (!$lEncodeOutput){
 			echo $lDocumentToBeFramedMessage; 
diff --git a/documentation/change-log.txt b/documentation/change-log.txt
deleted file mode 100755
index 73e1363..0000000
--- a/documentation/change-log.txt
+++ /dev/null
@@ -1,3935 +0,0 @@
-TODO: Add privilege levels
-TODO: Make it super cool to be an administator
-TODO: Add more authentication types
-TODO: Add password recovery page
-TODO: Add password hashes into the project
-TODO: Make these videos: buffer overflows, xml entity expansion
-
-
-Date: 5/18/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.11: ---
-	
-		--- Fixed typos found by J.Townsend aka L1ghtn1ng @jay_townsend1 ---
-		
-		
-Date: 4/24/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.10: ---
-	
-		--- Added examples of remote file inclusion and local file inclusion into
-		hint for Insecure Direct Object Reference (IDOR) ---
-
-
-Date: 3/2/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.9: ---
-	
-		--- BUG FIX: Set up database throws error on latest version of Maria DB 
-		due to creation of store procedures. Removed procedures since they are not
-		used. ---
-		
-
-Date: 2/14/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.8: ---
-	
-		--- BUG FIX: Cross-site Request Forgery (CSRF) hints typo ---
-		
-		
-Date: 1/23/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.7: ---
-	
-		--- BUG FIX: Docker file had typo from previous merge conflict ---
-		
-		
-Date: 1/5/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.6: ---
-	
-		--- Added more logging to make it easier to do log poisoning ---
-		--- Minor update to log page ---
-		--- Added log entry when users logs out ---
-		
-	
-Date: 1/5/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.5: ---
-
-		--- Deleted several images that are no longer in use to make project size smaller ---
-		--- Consolodated all YouTube icons into one ---
-		
-		
-Date: 1/4/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.4: ---
-
-		--- Simplified Home page links by removing about half of them. Some links
-		were stale anyway. ---
-		
-		
-Date: 1/3/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.3: ---
-
-		--- BUG FIX: Added documentation for edit-account-profile.php and echo.php to vulnerabilities.php ---
-		--- BUG FIX: Made Edit Profile icon smaller for faster load time. Delay is gone now.  ---
-		--- Added register.php and edit-account-profile.php to main menu ---
-		--- Added link to login, if not already logged in, to edit-account-profile.php ---
-		--- BUG FIX: Adding missing links to main menu ---
-		
-		
-Date: 1/2/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.2: ---
-
-		--- NEW PAGE: edit-account-profile.php added with traditional IDOR vulnerability ---
-		--- Moved process-commands.php to the includes directory ---
-		--- Removed user signature from menu bar ---
-		--- Added Edit Profile button to menu bar next to username if user logged in ---
-		--- BUG FIX: Minor issue in register.php ---
-		--- BUG FIX: Removed extraneous code in register.php ---
-		--- BUG FIX: Removed extraneous code in header.php ---
-		--- BUG FIX: Fixed link in login.php ---
-		--- BUG FIX: Cast to interger bug in CSRFTokenHandler.php ---
-		
-		
-Date: 1/1/2019 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.1: ---
-
-		--- BUG FIX: Minor issue in OWASP logger class ---
-		--- BUG FIX: Minor issue in JavaScript message displayed if JavaScript validation failed ---
-
-
-Date: 12/22/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.7.0: ---
-
-		--- Added new page with new defense. The echo page will implement
-		XSS and command injection. In security level 5, encoding will
-		be used to protect the page from XSS. For command injection, 
-		a call to the PHP API will be used instead of a call to shell.
-		This is much stronger defense than the input validation 
-		used by the DNS Lookup page (the other page with command
-		injection ---
-		--- Added more filters to the JavaScript form validation for 
-		DNS Lookup and Conference Room Lookup pages ---
-		--- Optimized JavaScript in several pages ---
-		--- BUG FIX: Fixed JavaScript form validation error message 
-		in several pages ---
-		--- Added new echo page to several menus ---
-		--- BUG FIX: JavaScript bug in RegEx syntax in several pages ---
-		
-		
-Date: 12/21/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.78: ---
-
-		--- Added examples of short injections on SQL injection hints page ---
-		--- Updated LogPatternParser.php for PHP 7.3 ---
-		
-		
-Date: 12/15/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.77: ---
-
-		--- Added more examples of stealing cookies to XSS hints and videos page ---
-		
-
-Date: 11/26/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.76: ---
-
-		--- Changed format of change log from HTML to text to better fit GitHub ---
-		--- Moved CSRF into XSS menu since CSRF is no longer an OWASP Top Ten category
-		and CSRF has always been a particular use of XSS ---
-		--- Left CSRF under the 2013 menu for those use to the old menu ---
-
-
-Date: 11/26/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.75: ---
-	
-		--- BUG FIX: Removed reference to onLoadOfBody function in header.php ---
-		--- BUG FIX: Merged pull request from JohnPMurphy to fix JavaScript RegEx bug ---
-	
-
-Date: 11/21/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.74: ---
-	
-		--- Added 3 video tutorials on LDAP injection ---
-	
-
-Date: 11/14/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.73: ---
-	
-		--- Split LDAP injection hints from LDAP set up documentation ---
-		--- Added new page: ldap-setup-hint.inc ---
-	
-
-Date: 11/13/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.72: ---
-	
-		--- Added new vulnerability: LDAP injection ---
-		--- Added new page: conference-room-lookup.php ---
-		--- Added new page: ldap-injection-hint.inc ---
-		--- Added new page: ldap-config.inc ---
-		--- Updated vulerabilities.php ---
-		--- Renamed database-config.php to database-config.inc ---
-	
-
-Date: 10/24/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.71: ---
-	
-		--- Added CSRF examples to Help page ---
-	
-
-Date: 10/21/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.70: ---
-	
-		--- Added more XSS examples to Help page ---
-		--- BUG FIX: Updated several links on Home page ---
-		--- Updated links from SourceForge to GitHub (Mutillidae is now hosted on GitHub) ---
-	
-
-Date: 09/30/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.69: ---
-	
-		--- BUG FIX: Removed bookmark site button. The function does not work on recent browsers ---
-		--- Added README for installation ---
-	
-
-Date: 09/26/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.68: ---
-	
-		--- BUG FIX: Corrected several errors in MySQLHandler.php including not trying various passwords
-		from various installations of Mutillidae. The passwords that will be tried automatically
-		are blank, samurai, mutillidae and the password in config file includes/database-config.php
-		 ---	
-	
-
-Date: 09/26/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.67: ---
-	
-		--- Added hints page for setting up HTTPS with self signed certificate ---
-		--- Added link to jump to videos on help pages ---
-		--- Made a new hint about setting up Apache virtual hosts ---
-		--- Made a new hint about setting up local hostnames ---
-		--- Fixed minor formatting bug in IDOR hint ---
-		--- Updated Usage Instructions ---
-		--- Moved installation instructions into documenation folder ---
-		--- Removed obsolete documentation file how-to-access-Mutillidae-over-Virtual-Box-network.php ---
-		--- Updated the installation instructions ---
-		--- Added video tutorials to the installation instructions ---
-		--- Added a logo in front of video links --- 
-		--- Fixed spacing issue with video links ---
-	
-
-Date: 09/20/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.65: ---
-	
-		--- BUG FIX: Fixed error in two documentation files that recommend php-curl ---
-		--- Removed warning about MySQL moving away from blank passwords ---
-		--- BUG FIX: Fixed documentation on Creating Virtual Hosts ---
-	
-
-Date: 09/19/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.64: ---
-	
-		--- BUG FIX: Fixed error in documentation that incorrectly showed how to add
-		an entry to the /etc/hosts file ---
-		--- Added new documentation to virtual hosts page ---
-	
-
-Date: 09/12/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.63: ---
-	
-		--- Updated project for Raspberry Pi 3 B+, Ubuntu 18.04, PHP 7.2 and MariaDB MySQL 5.7 ---
-		--- Changed root database password to "mutillidae". MySQL will not accept blank password
-		in latest versions. This is a big change for a lot of users of Mutillidae. ---
-		--- An attempt has been made to lessen the impact of the new database password. The database
-		connection will try all old and new passwords that Mutillidae has ever used in hopes one of them
-		work for the user. This will help new users as much as possible.
-		 ---
-		--- Added HSTS header removal code when the project is set to Security Level 0 and 1 ---
-		--- BUG FIX: Fixed mispelling in RequiredSoftwareHandler ---
-		--- Added new documentation pages for virtual hosts and local hostnames ---
-	
-
-Date: 04/26/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.62: ---
-	
-		--- BUG FIX: Constant __ROOT__ no longer defined in MySQLHandler.php 
-		after update to PHP 7.0.285 on Ubuntu, Mint and probably others ---
-		--- Removed unused constant __DOCUMENT_ROOT__ from constants.php ---
-		--- Updated the help page that shows if the database seems offline in database-offline.php ---
-		--- Generally preparing project to add more web services ---
-	
-
-Date: 04/25/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.61: ---
-	
-		--- BUG FIX: File path in MySQLHandler not prepended with __ROOT__ ---
-		--- BUG FIX: File paths in lookup-pen-test-tools.php not prepended with __ROOT__ ---
-		--- Removed superfluous reference to constants.php in add-to-your-blog.php ---
-		--- Removed superfluous reference to constants.php in view-someones-blog.php ---
-		--- Updated nusoap to version 0.95 ---
-		--- BUG FIX: Patched issues in nusoap version 0.9.5 
-		using https://raw.githubusercontent.com/econea/nusoap/master/src/nusoap.php ---
-	
-
-Date: 03/12/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.60: ---
-	
-		--- Added video section to CSRF hints page ---
-		--- Added 4 XSS video tutorials to CSRF hint ---
-		--- Added 2 new CSRF video tutorials to CSRF hints ---
-	
-
-Date: 03/09/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.59: ---
-	
-		--- Added 4 new XSS video tutorials ---
-		--- Embedded the 20 part Cross-Site Scripting Explained series into the Cross-Site Scripting hints ---
-	
-
-Date: 02/20/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.58: ---
-	
-		--- Added x-content-type-options and x-xss-protection headers in security level 5 ---
-		--- Rewrote HTTP header handling functionality ---
-		--- BUG FIX: Cache-control was not removed if user went from level 5 to level 0 ---
-		--- BUG FIX: Security level session variable not defined in page hint wrapper ---
-		--- BUG FIX: Updated installation guide for Ubuntu ---
-		--- BUG FIX: Hints not showing if no page parameter present in URL ---
-		--- BUG FIX: Fixed username enumeration vulnerability in security level 5 ---
-		--- Added 4 new SQL injection videos ---
-	
-
-Date: 02/19/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.57: ---
-	
-		--- 
-			Created independent configuration file for database credentials
-			to make it easier to add Mutillidae into Samurai WTF 4.
-			The congiuration file is includes/database-config.php.
-			The class that handles the database connection is still
-			MySQLHandler.php. The config file contains the following by
-			default:
-			<br/>
-			define('DB_HOST', '127.0.0.1');
-			define('DB_USERNAME', 'root');
-			define('DB_PASSWORD', '');
-			define('DB_NAME', 'mutillidae');
-		 ---
-		--- 
-			Changed the default database name to mutillidae to make it more
-			obvious which database belongs to which application on systems
-			with lots of target applications
-		 ---
-		--- Added another video on command injection ---
-	
-
-Date: 02/15/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.56: ---
-	
-		--- Added 9 new videos across topics of Burp, Zap and Command Injection ---
-	
-
-Date: 01/20/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.55: ---
-	
-		--- Added 6 pages to the Security Misconfiguration menu ---
-		--- Added 10 new video tutorials ---
-		--- Added new video to robots.txt hint ---
-		--- Added 4 new videos to OWASP ZAP hint ---
-		--- Added 2 videos to Method Tampering hint ---
-		--- Added new video to Burp-Suite hints ---
-		--- Added 5 new videos to Information Disclosure hint ---
-		--- Adjusted font for videos links to make them easier to read ---
-	
-
-Date: 01/20/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.54: ---
-	
-		--- 
-			Removed files and folders in images directory that were orphaned
-		 ---
-		--- Updated project title ---
-		--- Added Repeater and Character Frobber videos to Burp-Suite help ---
-		--- Added Character Frobber video to CBC but flipping help ---
-		--- Added video Introduction to Burp-Suite Intruders Grep-Extract Feature ---
-		--- Added new help section and 5 videos on using OWASP ZAP ---
-		--- Added new video on Foxy Proxy to Burp Suite help ---
-		--- Added new videos showing fuzzing with OWASP ZAP ---
-	
-
-Date: 01/06/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.53: ---
-	
-		--- 
-			Added videos for xpath injection, redirects/forwards, sslscan, 
-			nmap ssl-checks, parameter addition, method tampering, 
-			frame source injection
-		 ---
-	
-
-Date: 01/01/2018 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.52: ---
-	
-		--- 
-			Changes the form method to POST on the XML validator
-			to allow for easier XML external entity injection attacks.
-			Browsers restrict the lenght of the URI so performing
-			quadratic expansion attacks is easier when the request
-			method is set to POST by default. The user can change
-			the method to GET to perform method tampering attacks.
-			The code still allows for GET. Its just POST by default.
-		 ---
-		--- 
-			Removed spaces from testing input at the top of
-			the XML Validator page in case folks do not
-			realize that spaces cannot appear before the XML
-			declaration
-		 ---
-		--- Improved parameter addition hint ---
-		--- Added new hint for XML entity expansion ---
-		--- Added new video to path relative style sheet injection hint ---
-		--- Added code examples to Client-side Comments hint ---
-		--- Added code examples to Robots.txt hint ---
-		--- Added code examples to SSL Misconfiguration hint ---
-		--- Improved SSL Misconfiguration page ---
-		--- Added SSL Misconfiguration in several menu locations ---
-		--- Added Hints and Videos hint to Home page ---
-		--- BUG FIX: Menu mislabeled on two links ---
-		--- BUG FIX: Minor space issue on a link ---
-	
-
-Date: 12/30/2017 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.51: ---
-	
-		--- Added page title to all Hints so hint topic will show at the top of each browser tab ---
-		--- Added new hint for Client-side Comments ---
-		--- Added video tutorial on client-side comments ---
-		--- Added video tutorial on Beef Framework ---
-		--- Added video tutorial on Burp Suite Installation ---
-		--- Added multiple video tutorials on finding sentitive comments ---
-		--- Added multiple video tutorials on hidden (unlinked) directory discovery ---
-		--- BUG FIX: Minor HTML syntax error in Beef Hint page ---
-		--- BUG FIX: Broken links to Usage Instructions in 2 places ---
-	
-
-Date: 12/05/2017 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.50: ---
-	
-		--- 
-			BUG FIX: Missing list element in menu messing up the menu formatting
-		 ---
-		--- Updated "2017" menu in response to release of the final version of OWASP Top Ten 2017. Credit to Eric Conrad. ---
-		--- Updated "2013" menu to include the items removed from the final version of OWASP Top Ten 2017 ---
-		--- Updated "Others" menu to include items not found in any version of the OWASP Top Ten ---
-	
-
-Date: 12/04/2017 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.49: ---
-	
-		--- 
-			BUG FIX: The popup bubble confirming hint level has changed still
-			referred to hints level 2. Level 2 was rolled into the new Hints
-			and Videos feature. Credit to Eric Conrad.
-		 ---
-	
-
-Date: 07/09/2017 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.48: ---
-	
-		--- 
-			BUG FIX: The documenation and resources menus were not showing due to a bug
-			in the smooth menu JavaScript file
-		 ---
-		--- 
-			Added instructions showing how to create a self-seigned SSL certificate
-			for Mutillidae on Ubuntu.
-		 ---
-		--- Moved the usage instructions into the documentation folder ---
-	
-
-Date: 07/09/2017 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.47.1: ---
-	
-		--- 
-			Updated YouTube video handler to play videos in a new tab instead of the 
-			hints page to allow users to have a better experience if they are trying to follow along.
-		 ---
-	
-
-Date: 07/08/2017 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.47: ---
-	
-		--- BUG FIX: Updated web service for PHP 7 by merging in contribution from 
-		edwardsaus ---
-	
-
-Date: 04/20/2017 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.46: ---
-	
-		--- Updated menu for OWASP Top Ten 2017 ---
-		--- BUG FIX: Deleted superfluous words in menu to make more narrow ---
-		--- BUG FIX: Secret admin pages was under Security Misconfiguration instead of 
-		Broken Access Control ---
-	
-
-Date: 04/30/2017 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.45: ---
-	
-		--- Added more error handling output to database setup script for the line that drops the databaseM ---
-		--- BUG FIX: Minor HTML tag errors ---
-	
-
-Date: 04/20/2017 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.44: ---
-	
-		--- Updated menu for OWASP Top Ten 2017 ---
-		--- BUG FIX: Deleted superfluous words in menu to make more narrow ---
-		--- BUG FIX: Secret admin pages was under Security Misconfiguration instead of 
-		Broken Access Control ---
-	
-
-Date: 09/21/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.43: ---
-	
-		--- Updated project to work on OpenJDK 8 on Ubuntu 16.04 ---
-		--- Updated project to work on PHP 7.0 ---
-		--- BUG FIX: Mis-spelled word in MySQLHandler.php ---
-		--- Made the database-offline.php more user-friendly by providing 
-			a link to reset or build the database if the startup script
-			realizes the project database cannot be selected.
-		 ---
-		--- Removed donation link for HFC. Johnny is back in USA from his mission. Awaiting
-			more information about his next steps.
-		 ---
-		--- BUG FIX: Nasty bug in pen test tools lookup (and the AJAX version). The
-		SQL injected single quote would break the resulting JSON syntax ruining the fun.
-		Added escaping for single quotes that show up in the JSON.
-		This will prevent the JSON from getting an errant
-		single quote that would break the JSON string later in the JavaScript that 
-		creates the table from the JSON results. Credit to richardwei for pointing 
-		out the bug.
-		 ---
-		--- Added donation link to left menu. (Thank you if you donate by the way. Its helps) ---
-		--- Removed title from the home page to make all the links easier to see and easier to fit
-		on smaller screens
-		 ---
-		--- 
-			BUG FIX: Three tables using obsolete center attribute not compatible with HTML5. 
-			Switched to using style instead
-		 ---
-		--- 
-			BUG FIX: Two frames tables using obsolete attribute not compatible with HTML5. 
-			Switched to using style instead
-		 ---
-		--- 
-			BUG FIX: Table styles were using obsolete attribute not compatible with HTML5. 
-			Switched to using stylesheet classes instead. This affectd browser-info.php, 
-			user-poll.php, user-agent-impersonation.php
-		 ---
-		--- 
-			BUG FIX: Some special HTML characters were not properly escapted. Example would
-			be ampersand &amp; is supposed to be escaped as &amp;amp; or equivalent.
-		 ---
-		--- BUG FIX: Small error in command injection documentation. ---
-		--- BUG FIX: Forgot to close anchor tag in register.php ---		
-		--- BUG FIX: Incorrect img tag syntax in rene-magritte.php ---
-		--- BUG FIX: Missing DOCTYPE xml in accounts.xml ---		
-		--- BUG FIX: Errant tag in auth bypass hint ---		
-		--- BUG FIX: autofocus, required and checked HTML attributes did not have correct values ---		
-	
-
-Date: 09/21/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.42: ---
-	
-		--- 
-			Added more help for remote file inclusion hint about pulling in
-			a web shell
-		 ---
-		--- BUG FIX: Problems reported with show log and display captured data pages. Report
-		that the page width is very wide. This only occurs if a lot of data is injected
-		such as a buffer overflow. Also the data has to be continuous without a page or line break.
-		The page-break style has been added to the affected pages. This might work in some
-		browsers but probably not because the condition that causes the issue
-		is data that has no breaks built in.
-		 ---
-		--- BUG FIX: Corrected missing variable name in upload-file.php that was throwing a Warning ---
-	
-
-Date: 06/16/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.41: ---
-	
-		--- 
-			Compressed the left menu bar for systems with not so great resolution.
-			You know who you are!
-		 ---
-		--- BUG FIX: Refactored some code in the main menu that should not have been there ---
-		--- Alphabetized the Other Injection menu ---
-	
-
-Date: 06/16/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.40: ---
-	
-		--- 
-			Improved hints for Command Injection
-		 ---
-		--- 
-			BUG FIX: User info XML page did not have XMLHandler instantiation
-			in TRY/CATCH
-		 ---
-		--- 
-			BUG FIX: Setup script did not escape special XML characters when 
-			building XML version of accounts table
-		 ---
-		--- BUG FIX: User info XML page had multiple undefined variables ---
-		--- Added error handling to the XMLParser class ---
-	
-
-Date: 06/07/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.39: ---
-	
-		--- Added two more examples to the SQL injection hint ---
-		--- 
-			Greatly enhanced the SQLMAP tutorial. Click on the 
-			SQLMAP hint to access.
-		 ---
-		--- 
-			BUG FIX: Bubble hints aka pop-up hints were showing
-			in security level 5 even when disabled
-		 ---
-		--- 
-			BUG FIX: There used to be different hint levels. These were merged into the super-hint system.
-			Overall this was a big improvement but now the bubble hints can no longer increase
-			in verbosity as the hint level increases. Until I get around to fixing this, Im setting
-			the bubble hint level to maximum verbosity (level = 2).
-		  ---
-	
-
-Date: 06/05/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.38: ---
-	
-		--- 
-			BUG FIX: Some folder paths still referred to 'hints' from 
-			the days of multiple levels. Now these paths just refer to 'hints'
-		 ---
-		--- 
-			BUG FIX: New page about HTML and JavaScript comments added called 
-			client-side-comments.php. Link previously went nowhere.
-			Issue found by Lee Baird.
-		 ---
-		--- BUG FIX: Updated listing of vulnerabilities with missing items ---
-		--- 
-			BUG FIX: x-frame-options-header menu links were not pointing
-			to correct pages about framing and click-jacking.
-			Issue found by Lee Baird.
-		 ---
-		--- 
-			BUG FIX: Added new page about cache-control. Link
-			was pointing to nowhere.
-			Issue found by Lee Baird.
-		 ---
-	
-
-Date: 03/17/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.37: ---
-	
-		--- BUG FIX: Login script was missing exit() method that prevented HTTP
-		body from being populated when the HTTP request was only going to 
-		redirect the user anyway
-		 ---
-		--- 
-			BUG FIX: Minor issue that three blank spaces were output between end of
-			HTTP reponse header and begining of HTTP reponse body. Per the RFC only
-			one blank line should appear.
-		 ---
-		--- Added video to Command Injection hints: Solving Password Challenge In Mutillidae With Command Injection ---
-	
-
-Date: 02/08/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.36: ---
-	
-		--- Added video tutorials for Burp-Suite into hints ---
-		--- 
-			Added more "secret" pages. This is done by adding page names to 
-			index.php that trigger Mutillidae to load the phpinfo page
-		 ---
-		--- 
-			Added CSS selector and a style to phpinfo.php page to better
-			format the php info page to fix various screen sizes
-		 ---
-		--- Minor bug in one of the YouTube video names ---
-		--- 
-			Added new videos into hints: How to Show hints in security level 5,
-			Introduction to Password Cracking with John the Ripper,
-			Introduction to Fuzzing Web Applications with Burp-Suite Intruder Tool,
-			How to Show Secret Page in Security Level 5
-		 ---
-		--- Added video tutorials to Secret Administrative Pages hint ---
-		--- Minor repair of formatting on some hint pages ---
-		--- Improved hints in robots.txt hint ---
-		--- Added video tutorials to Remote File Inclusion hint ---
-		--- Added video tutorials to Platform Path Disclosure hint ---
-		--- Added video tutorials to IDOR hint ---
-		--- Added video tutorials to Insufficient TLS hint ---
-		--- Added video tutorials to DOM injection hint ---
-		--- Added video tutorials to Directory browsing hint ---
-		--- Added video tutorials to XSS hint ---
-		--- Added video tutorials to Authenctication Bypass hint ---
-		--- Added video tutorials to application log injection hint ---
-		--- Added video tutorials to application path disclosure hint ---
-	
-
-Date: 1/31/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.35: ---
-	
-		--- Added new hint dedicated to BeEF framework ---
-	
-
-Date: 1/11/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.34: ---
-	
-		--- 
-			BUG FIX: Starting in PHP 5.3 users are required to set their date.timezone setting
-			in PHP.ini. Added code into the version of NuSOAP used by Mutillidae to 
-			set the timezone for the user if they do not set the timezone in php.ini.
-			The default timezone will be EST.
-		 ---
-	
-
-Date: 1/10/2016 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.33: ---
-	
-		--- Added valid sample requests to documentation for each soap web service ---
-	
-
-Date: 12/28/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.32: ---
-	
-		--- Updated the usage instructions to account for recent improvements ---
-		--- Added link to usage instructions under Documentation menu ---
-	
-
-Date: 12/25/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.31: ---
-	
-		--- Removed insufficient transport layer protection hint from the login page. ---
-		--- 
-			Wrote a new version of the insufficient transport layer protection hint
-			with exapnded detail and example
-		 ---
-		--- 
-			Added the insufficient transport layer protection hint into the "Help"
-			button
-		 ---
-	
-
-Date: 11/26/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.30: ---
-	
-		--- 
-			BUG FIX: Function startsWith() was orphaned on the index.php page. Moved into the 
-			RemoteFileHandler.php as a private function
-		 ---
-		--- 
-			BUG FIX: Patched Local File Inclusion vunerability in Level 5 - Secure 
-			discovered by Josh Mitchell. Added a more restricted regular expression
-			to validate the page name.
-		 ---
-		--- 
-			Added more secret page names that will pull up the phpinfo.php page
-			if a user fuzzes one of the secret page name values into the index.php PAGE
-			parameter. The values are filenames from the FuzzDB. The file is from SkipFish. 
-			The file can be found on GitHub at 
-			fuzzdb/discovery/predictable-filepaths/filename-dirname-bruteforce/WordlistSkipfish.fuzz.txt.
-			This will make it easier for instructors to do demos and students to 
-			successfully fuzz.
-		 ---
-		--- 
-			Eliminated level 2 hints entirely. All have been merged into level 2 hints
-			so the user can find all the hints in the same place
-		 ---
-		--- 
-			BUG FIX: When the user has looped back around to security level 0,
-		    the hints were not showing again
-		 ---
-		--- 
-			BUG FIX: $RemoteFileHandler and $RequiredSoftwareHandler classes did not have
-			security level corrected when the user changes to a new security level
-		 ---
-	
-
-Date: 11/01/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.29: ---
-	
-		--- 
-			Merged cross-site scripting level-2 hints with the 
-			level-1 hints so all the hints show easily for the user
-		 ---
-		--- 
-			Removed the reliance on the OWASP ESAPI $Encoder-&gt;encodeForHTML()
-			method in the hints to make the page static and simple
-		 ---
-	
-
-Date: 11/01/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.28: ---
-	
-		--- 
-			Split the SQLMap help section off from the SQL injection
-			hints page
-		 ---
-		--- Added new help page dedicated to SQLMap ---
-		--- 
-			Combined the level-2 SQL injection hints into the level-1
-			SQL injection hints
-		 ---
-		--- Removed SQL injection level-2 hints from project ---
-		--- BUG FIX: Repaired hints not honoring the order preference ---
-	
-
-Date: 11/01/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.27: ---
-	
-		--- Minor updates to formatting of main menu ---
-		--- Refactored some of the inefficient code on the User Poll page ---
-		--- Removed redundant bold tags from table formatting ---
-		--- Insert SQL injection vulnerability added to user poll page ---
-		--- Persistent cross-site scripting added to user poll page ---
-		--- User poll page stores and tallies user votes ---
-		--- 
-			BUG FIX: Repaired HTTP_REFERER does not exist in corner case
-			on database set up page
-		 ---
-		--- Minor improvements to hints menu ---
-		--- 
-			Added videos Introduction to SQL Injection for Beginners
-			and Introduction to SQL Injection with SQLMap
-			to SQL injection help page
-		 ---
-	
-
-Date: 07/26/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.26: ---
-	
-		--- 
-			Added link to CBC-bit flipping challenge to 3 addition menus 
-			(injection, components with known vulnerabilities and 
-			privilege escalation)
-		 ---
-		--- 
-			Greatly improved the CBC-bit flipping hints with additional 
-			material
-		 ---
-		--- Added HTML Injection hints to the HTML5 web storage page ---
-		--- Repaired format error on Unvalidated Redirect help file ---
-		--- Improved main menu slightly ---
-		--- 
-			Replaced HTML5 values with new values that are placed into session
-			and local storage when the user visits any page if the session or local
-			storage is empty. There are more values now.
-		 ---
-		--- 
-			BUG FIX: The JavaScript on the HTML5 storage page was not displaying
-			all values
-		 ---
-		--- 
-			Added code to the JavaScript on the HTML5 storage page to not display
-			some values as a challenge to the user
-		 ---
-	
-
-Date: 07/26/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.25: ---
-	
-		--- 
-			BUG FIX: CSRF token increments by a fairly predictable value in security
-			level 1. Credit: David Hazar
-		 ---
-		--- 
-			BUG FIX: Robots.txt example from this hints had a rogue ; just before the close change-log tag.
-			Credit: Robin @digininja Wood
-		 ---
-		--- 
-			BUG FIX: External entity injection no longer working since update to libxml2. Added 
-			Added call to libxml_disable_entity_loader(TRUE);
-			and $lDOMDocument->substituteEntities = true to make the code vulnerable again.
-			It's getting harder and harder to write code as awful as I would like.
-		 ---
-		--- 
-			Added a new hint to the XML enternal entity injection hints. Credit: Robin @digininja Wood
-		 ---
-		--- 
-			BUG FIX: When setting up the database the youTubeVideos table is created with this column
-			identificationToken varchar(16). The first entry you then try to put into it has a token of 
-			"YouTubeVideoIdentifier" which is longer than 16 characters so doesn't fit.
-			This caused an error on the setup script if mysql is running in strict mode. 
-			Credit: Robin @digininja Wood
-		 ---
-	
-
-Date: 07/26/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.24: ---
-	
-		--- BUG FIX: Fixed undeclared objects in styling.php ---
-		--- Added "are you sure" to Delete Captured Data button ---
-		--- Merged level 2 hints for command injection into level 1 ---
-		--- Deleted file command-injection-tutorial.inc from project ---	
-		--- Merged level 2 hints for parameter pollution into level 1 ---
-		--- Deleted file http-parameter-pollution-tutorial.inc from project ---	
-	
-
-Date: 07/22/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.23: ---
-	
-		--- 
-			Installed new hint handling system that displays the hints into a new tab rather than
-			having the hint shown inline on the target web page. This frees up a lot of 
-			space on the target page and makes it possible to move back and forth
-			between the hint and the page.
-		 ---
-		--- Hints now show by default but are contained in a hidden div element ---
-		--- Created new page hints-page-wrapper.php ---
-		--- Renamed hints-wrapper.inc to hints-menu-wrapper.inc ---
-		--- Renamed hints.js.inc to hints-menu.js.inc ---
-		--- Added new column level_1_help_include_file_description to table level_1_help_include_files ---
-		--- 
-			BUG FIX: The YouTubeVideoHandlerClass was missing a reference to the remote file handler class.
-			This error went unnoticed because the index.php already included a reference that the 
-			You Tube handler happended to be able to use.
-		 ---
-		--- BUG FIX: Minor documentation errors in SQLQueryHandler.php ---
-		--- BUG FIX: Minor formatting improvements on teh Insecure Direct Object References (IDOR) Hint page ---
-		--- Removed TODO item "Have level-1 hints open in new tab"" from todo list
-	
-
-Date: 06/28/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.22: ---
-	
-		--- Added client-side controls to listing of vulnerabilities in documentation ---
-		--- Merged cross-site request forgery level-2 hints into level-1 hints ---
-		--- Optimized loading of back button, sql logo, xml logo, add icon
-		cage icon images ---
-		--- Removed from TODO list as complete: Resize pictures to needed size ---
-		--- Removed from TODO list as complete: Enhance cross-site request forgery tutorial ---
-		--- BUG FIX: Accounts XML contained second copy of username in the signature field ---
-		--- 
-			New feature: Systems dynamically generates the secret password file and places in the
-			passwords folder as a target for local file inclusion and command injection attacks.
-			Removed this item from the TODO list
-		 ---
-	
-
-Date: 06/09/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.21: ---
-	
-		--- BUG FIX: Removed unneeded code from Repeater.php ---
-		--- Optimized size of back button image ---
-		--- Optimized size of OWASP logo ---
-		--- Image resizing saving 200K on average page load. Pages should load faster. ---
-	
-
-Date: 06/08/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.20: ---
-	
-		--- 
-			BUG FIX: One of the links that was supposed to talk about the 
-			back buttons was pointing to the HTML5 web storage page
-		 ---
-		--- 
-			BUG FIX: Fixed name of JavaScript validation function in DNS
-			lookup page, user-info and user-info-xpath
-		 ---
-		--- 
-			BUG FIX: The directory browsing page pointed to the wrong
-			place for hints
-		 ---
-		--- 
-			BUG FIX: All of the radio buttons on the document viewer page
-			were checked by default
-		 ---
-		--- 
-			BUG FIX: Added output encoding to source viewer page in security level 5.
-			Otherwise their was a cross-site scripting vulnerability in the page
-			in security level 5.
-		 ---
-		--- 
-			BUG FIX: Removed the maxlength attribute from the login page
-			username and password fields in level 0. Only level 1 should use HTML
-			client side controls.
-		 ---
-		--- 
-			BUG FIX: Changed username label on login page from name to username.
-		 ---
-		--- 
-			BUG FIX: Added password generator to HTMLi, HTMLi via DOM injection,
-			reflected cross-site scripting, and	DOM-based cross-site scripting 
-			menus
-		 ---
-		--- BUG FIX: Added autofocus to username field on register user page ---
-		--- BUG FIX: Repaired errant encoding for ReflectedXSSExecutionPoint in footer.php ---
-		--- BUG FIX: Repaired errant encoding for SQLInjectionPoint in view-someones-blog.php ---
-		--- 
-			Updated XSS examples in the level 1 hints for XSS
-		 ---
-		--- Added extra XSS example for Samurai WTF users in the level 1 hints for XSS ---
-		--- 
-			Made DOM-based XSS easier for level 0 users
-			by only including JavaScript
-			validation starting in level 1
-		 ---
-		--- Added more CSRF samples to Mutillidae-Test-Scripts.php  ---
-		--- 
-			Converted many pages to use the newer HTMLInputElement autofocus attribute
-			rather than use JavaScript autofocus scripts
-		 ---
-		--- 
-			Tightened the add to your blog form elements to make them display better
-			in demos, low resolution screens and training
-		 ---
-		--- 
-			Added a new menu entry for Cross-Frame Framing (Third-party Framing)
-			under the "Others" main menu entry
-		 ---
-		--- 
-			Tightened up the notification bar (under the site title) to fit better
-			on training slides and low resolution monitors
-		 ---
-		--- 
-			Updated titles for security levels to Security Level: 1 (Client-side Security)
-			and Security Level: 5 (Server-side Security)
-		 ---
-		--- Added password generator link to register user page ---
-		--- Added JavaScript validation to register user page in security level 1 ---
-		--- Added JavaScript validation to set background color page in security level 1 ---
-		--- Added JavaScript validation to upload file page in security level 1 ---
-		--- Added JavaScript validation to user info in security level 1 ---
-		--- Added JavaScript validation to user info xpath page in security level 1 ---
-		--- Added client-side HTML controls to Add blog page in security level 1 ---
-		--- Added client-side HTML controls to DNS Lookup page in security level 1 ---
-		--- Added client-side HTML controls to document viewer page in security level 1 ---
-		--- Added client-side HTML controls to web storage page in security level 1 ---
-		--- Added client-side HTML controls to register user page in security level 1 ---
-		--- Added client-side HTML controls to source code viewer page in security level 1 ---
-		--- Added client-side HTML controls to text file viewer page in security level 1 ---
-		--- Added client-side HTML controls to upload file page in security level 1 ---
-		--- Added client-side HTML controls to user info page in security level 1 ---
-		--- Added client-side HTML controls to user info xpath page in security level 1 ---
-		--- Added client-side HTML controls to user poll page in security level 1 ---
-		--- Added client-side HTML controls to view someones blog page in security level 1 ---
-		--- Added client-side HTML controls to xml validator in security level 1 ---
-	
-		
-
-Date: 03/16/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.19: ---
-	
-		--- 
-			BUG FIX: Fixed style in the header that was causing the menu 
-			to double up in IE and Safari
-		 ---
-		--- Updated vulnerabilities.php with Path Relative Style Sheet Injection ---
-		--- Fixed link to PDF documentation for installation on Windows to open in new tab ---
-		--- 
-			BUG FIX: Fixed several absolute links into relative links. The absolute links
-			caused issued in the latest release of Samurai WTF
-		 ---
-		--- Removed unneeded code in styling.php ---
-	
-
-Date: 02/21/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.18: ---
-	
-		--- 
-			BUG FIX: Patched index.php page. Some paths to project
-			dependencies and included pages
-			were relative paths rather than absolute paths
-			that start from root. This left the paths vulnerable to 
-			path-relative stylesheet import (PRSSI) vulnerabilities.
-			This vulnerability was not intentional and could lead to 
-			page defacement when trying to implement some intentional 
-			vulnerabilities. Referece: http://blog.portswigger.net/2015/02/prssi.html
-		 ---
-		--- 
-			Patched add-to-your-blog.php for path-relative 
-			stylesheet import (PRSSI) vulnerabilities
-		 ---
-		--- 
-			Added new method getUserAccountByID() to SQLQueryHandler class
-		 ---
-		--- 
-			Updated index.php page to use object oriented query to fetch user
-			account information
-		 ---
-		--- Added a little more documentation comments to index.php ---
-		--- Moved favicon.ico into images directory ---
-		--- Fixed overly complex code for the click-jacking demonstration
-		in index.php and framing.php ---
-		--- Fixed IF statement in index.php that was overly complex ---
-		--- 
-			Removed hard-coded document-type meta tag from header element 
-			of each page. The content-type needs to be set with an HTTP
-			header.
-		 ---
-		--- Added the content-type via HTTP header within index.php ---
-		--- 
-			Added a new vulnerability: Path Relative Stylesheet Injection.
-			The page in Mutillidae that implements is styling.php. It is
-			acessible from several menus including XSS.
-			This is described by Gareth Heyes at 
-			http://www.thespanner.co.uk/2014/03/21/rpo/
-			and again on the Portswigger blog at http://blog.portswigger.net/.
-		 ---
-		--- 
-			Added Path Relative Stylesheet Injection to the bubble hints, the
-			"Help" button and the built-in hints. Extensive help is available in 
-			the built-in hints. The user has to click the "Toggle Hints" to activate the
-			hints system.
-		 ---
-		--- 
-			Created a video tutorial for Path Relative Stylesheet Injection and
-			uploaded to YouTube. The video can be accessed by opening the hints
-			for Path Relative Stylesheet Injection.
-		 ---
-		--- 
-			Added to several menus such as XSS, HTMLi and others
-		 ---		 
-	
-
-Date: 01/05/2015 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.17: ---
-	
-		--- Happy New Year ---
-		--- BUG FIX: Patched level 2 hints not showing when enabled
-		because the path was declared as absolute instead of relative.
-		Credit: Easy Hks
-		 ---
-		--- BUG FIX: Corrected error in sample code within hint file
-		HTML5 Web Storage Hint Body
-		Credit: Easy Hks
-		 ---
-	
-
-Date: 10/21/2014 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.16: ---
-	
-		--- Added a try catch for the code that tries to create the XML
-		file version of the accounts table.
-		 ---
-		--- Ubuntu 12.04 does not support
-		the file_put_contents array syntax. Switched to using 
-		parameter syntax to better support Ubuntu 12.04 LTS.
-		Credit: @amirov and @spinkham
-		 ---
-	
-
-Date: 10/17/2014 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.15: ---
-	
-		--- 
-			BUG FIX: /mutillidae/webservices/rest/ws-user-account.php REST web service.
-			The example links were hardcoded to localhost rather than being relative links.
-			Credit: Michael Horkan.
-		 ---
-		--- Improved documentation on ws-user-account.php REST web service ---
-		--- Added link back to home page from ws-user-account.php REST web service ---
-		--- 
-			Added RequiredSoftwareHandler class to contain methods which check if required software 
-			is installed. PHP5-CURL and PHP5-JSON have been added so far. ---
-		--- Added required software check to home page ---
-		--- Improved home page formatting slightly ---
-		--- 
-			Removed redundant code from RemoteFileHandler class and migrated to using
-			RequiredSoftwareHandler class
-		 ---
-	
-
-Date: 09/24/2014 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.14: ---
-	
-		--- 
-			BUG FIX: Moved information disclosure comment that discloses database 
-			credentials from top of page to below the body tag to fix 
-			issue in Burp-Suite render tab. Note the issue did not affect
-			standard browsers. The render functionality in Burp-Suite does
-			not work if comment appears at top of page. Credit Kevin Johnson
-			(@secureideas).
-		 ---
-		--- 
-			Altered the startup to disable bubble hints (popup hints)
-			by default
-		 ---
-		--- 
-			Improved the initial status hint to more clearly let the user know help
-			is available
-		 ---
-		--- Added James Jardine to list of default accounts ---
-		--- Added firstname and lastname columns to the accounts table ---
-		--- 
-			Reorganized the menu bar to put toggle hints and toggle popup
-			hints together. Also moved the view logs and view captured data 
-			together.
-		  ---
-		 --- Updated the vulnerabilities.php page with xpath vulnerabilities ---
-		 --- 
-			 Updated listing of vulnerabilities under the Documentation 
-			 menu (vulnerabilities.php) to include several vulnerabilities
-			 that are built into the tool but not documented previously
-		  ---
-		 --- 
-			 Added XML Injection and XML Entity Expansion to the menu under
-			 Other Injection
-		  ---
-	
-
-Date: 09/12/2014 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.13: ---
-	
-		--- 
-			New vulnerability added: XPath injection by inspired by
-			Tim Tomes (Twitter: @LanMaster53). 
-			Some of Tim's code base was used as well.
-		 ---
-		--- 
-			Created new directory "data" to hold text data like XML database
-			files
-		 ---
-		--- 
-			Enhanced set-up-database to create accounts.xml file which
-			is stored in the data directory
-		 ---
-		--- BUG FIX: Fixed style in set-up-database for failure message ---
-		--- Added a new type of message to set up database: warning ---
-		--- 
-			Created an accounts.xml file to be included with the project since
-			PHP cannot update the accounts.xml file on all systems
-		 ---
-		--- 
-			Added protection against the new XPath vulnerability when the security
-			level is set to 5.
-		 ---
-		--- Added quicklinks between user lookup XPath and user lookup SQL ---
-		--- Added User Info (XPath) to menu in several categories ---
-		--- Fixed a bug in SSLStrip documentation ---
-		--- Added help me documentation for XPath ---
-	
-
-Date: 09/05/2014 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.12: ---
-	
-		--- Minor documentation improvements ---
-		--- Moved process-login-attempt.php into includes directory ---
-		--- Added Tim Tomes to included accounts ---
-	
-
-Date: 09/05/2014 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.11: ---
-	
-		--- 
-			BUG FIX: Fixed bug in index.php page which
-			prevented remote file inclusion from working.
-			Bummer that I had accidentally made the site secure from RFI.
-			Fixed now.
-		 ---
-		--- Created a new class to handle remote file duties ---
-		--- Minor documentation improvements ---
-		--- Fixed function call in YouTubeVideoHandler.php ---
-		--- BUG FIX: Fixed misspelling of "Basketball" in index.php ---
-	
-
-Date: 03/23/2014 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.10: ---
-	
-		--- 
-			BUG FIX: Fixed bug on register.php page which
-			caused the users password to be inserted into the 
-			user comments field. The bug was reported by
-			Rogue Coder ‏(@roguecod3r).
-		 ---
-	
-
-Date: 03/07/2014 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.9: ---
-	
-		--- Added more comments to code in index.php ---
-		--- 
-			Added a new security feature in level 5 which monitors
-			whether SSL is enabled. If SSL is enabled and the user
-			browses to HTTP, the site will refuse to serve content.
-			Also the site will not redirect the user to protect from
-			SSL stripping.
-		 ---
-	
-
-Date: 12/25/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.8: ---
-	
-		--- Created new menu with entires for OWASP Top Ten 2013, 2010 and 2007 ---
-	
-
-Date: 11/08/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.7: ---
-	
-		--- 
-			Aligned XML web service with RESTful web service so user
-			can call them the same way. Rewrote the service to use
-			less code, renamed the methods and WSDL, and made
-			logic more simple.
-		 ---
-		--- Renamed XML web service from lookupAccount to ws-user-account ---
-		--- Created new method CreateUser() in XML web service ws-user-account ---
-		--- Created new method UpdateUser() in XML web service ws-user-account ---
-		--- Created new method DeleteUser() in XML web service ws-user-account ---
-		--- Created new method in custom error handler class FormatErrorXML() ---
-		--- Added custom XML error handling to the ws-user-account Soap web service ---
-		--- Updated listing of vulnerabilities ---
-		--- 
-			Added a link to the project whitepaper to the side menu, documentation folder, 
-			and the instructions
-		 ---
-		--- Added add blog page to SQLi - Insert Injection menu ---
-		--- Added add blog page to Method Tampering (GET for POST) menu ---
-		--- Created new vulnerability: application log injection ---
-		--- Added add blog page to Application Log Injection menu ---
-		--- Added browser info page to reflected XSS menu ---
-		--- Added browser info page to HTMLi menu ---
-		--- Fixed bug with auto-help hints. Capture data is vulnerable to SQLi; not captured-data page ---
-		--- Added new page: back-button-discussion.php ---
-		--- Added more information to the unvalidated-redirects-and-forwards hints ---
-		--- Refactored some code in DNS lookup CMDi page ---
-		--- Added method tampering hint to DNS lookup CMDi page ---
-		--- Added DNS lookup CMDi page to Application Log Injection menu ---
-		--- Added document-viewer.php page to method tampering ---
-		--- Added DNS lookup CMDi page to Javascript Validation Bypass menu ---
-		--- Added method tampering and JS validation hints to DNS lookup CMDi page ---
-		--- Renamed JavaScript security menu to JavaScript Validation Bypass ---
-		--- Added document viewer page to Application Log Injection menu ---
-		--- BUG FIX: Erased an old-style hint from document viewer page. Was missed when new hint system installed. ---
-		--- BUG FIX: Erased duplicate vulnerability listing for xml-validator.php ---
-		--- Added login page to Application Log Injection menu ---
-		--- Added new hint to the hints system: application-log-injection ---
-		--- Added capture data page to Application Log Injection menu ---
-		--- Added registration page to Application Log Injection menu ---
-		--- Added repeater page to Javascript Validation Bypass menu ---
-		--- BUG FIX: Added missing page to vunerabilities listing ---
-		--- BUG FIX: Removed unneeded variables from upload.php page ---
-	
-
-Date: 11/07/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.6: ---
-	
-		--- 
-			Updated the help on the RESTful web service. Browse to the service
-			without any input parameters to see help.
-		 ---
-		--- 
-			BUG FIX: Fixed bug in GET method of the RESTful web service ws-user-account.php
-			which prevented SQL injection (ironic isnt it)
-		 ---
-		--- 
-			Added examples to help on the RESTful web service
-		 ---
-		--- 
-			Tested all of the methods in the RESTful service
-			along all code paths. Everything should work now.
-		 ---
-		--- Updated version on home page ---
-	
-		
-
-Date: 10/15/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.5: ---
-	
-		--- 
-			Altered the login process to allow for username enumeration
-			and authentication bypass at the same time.
-		 ---
-	
-		
-
-Date: 10/03/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.4.1: ---
-	
-		--- 
-			Added 9 new links under menus for OWASP A3
-			Broken authentication and session management
-		 ---
-		--- 
-			Added a landing page for cookie vulnerabilities
-			named privilege escalation
-		 ---
-		--- 
-			Added username enumeration to the help text content
-			for the login page
-		 ---
-		--- 
-			Added username enumeration to the REST and SOAP
-			web services menus
-		 ---
-	
-		
-
-Date: 10/03/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.4: ---
-	
-		--- Updated vulnerabilities.php listing ---		
-		--- Rewrote process login attempt. The whole thing was a mess. ---
-		--- Improved reliability of JavaScript on login page ---
-		--- 
-			New Vulnerability: Added user account enumeration to RESTful lookup user
-			account web service for the DELETE and the GET 
-			methods. Added for Tim Tomes (Lanmaster53).
-		 ---
-		--- 
-			New Vulnerability: Added user account enumeration to 
-			login process. Added for Tim Tomes (Lanmaster53).
-		 ---
-		--- 
-			New Vulnerability: Added user account enumeration to SOAP lookup user
-			information web service. Added for Tim Tomes (Lanmaster53).
-		 ---
-		--- 
-			Added some help text to new RESTful web service 
-			ws-user-account.php. Browse to page "normally"
-			(GET request) to see help.
-		 ---
-		--- Modified some messages in ws-user-account.php ---
-		--- Fixed version string ---
-		--- 
-			Fixed a bug in the pen test lookup tool AJAX which prevented
-			JavaScript error messages from appearing
-		 ---
-		--- 
-			Sorry to say the SQLi vuln in the JSON parser pages
-			has to be removed because it prevents the POST JSON exercise
-			from working (since the user must inject a single quote to 
-			do the exercise correctly.)
-		 ---
-		--- 
-			Created class CSRFTokenHandler (CSRFTokenHandler.php) to 
-			take over CSRF duties from the pages. This makes the CSRF
-			handling object oriented and reduces the code in the pages
-			that use CSRF protection. New pages can have CSRF protection
-			added easier.
-		 ---
-		--- 
-			Deleted CSRFTokenStructure.php. File is not being used
-		 ---
-		--- 
-			Added CSRFTokenHandler to Register user page, Add to your blog,
-			and Poll Question pages.
-		 ---
-		--- 
-			Consolodated some code in user-poll.php. Added CSRF protection in 
-			level 1 and level 5. Good luck in level 5.
-		 ---
-		--- 
-			The CSRF results report will print at the bottom of pages
-			protected by CSRF in all levels now
-		 ---
-		--- 
-			Added links to the equivalent web services from the 
-			user-info and dns-lookup pages
-		 ---
-		--- 
-			Fixed errors in soap web service lookup user information:
-			Notice that vairable undefined
-			log record pointed to wrong page
-		 ---
-		--- 
-			Changed output for soap web service lookup user information
-			from HTML to XML
-		 ---
-		--- 
-			Changed the return type for the soap web service 
-			lookup user information from string to XML
-		 ---
-		--- 
-			Changed output for soap web service dns lookup
-			from HTML to XML
-		 ---		
-	
-
-Date: 09/16/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.3: ---
-	
-		--- 
-			Added new RESTful web service ws-user-account.php.
-			Service accepts GET, PUT, POST, and DELETE methods
-			The GET method is overloaded. If username parameter is
-			passed as a URL parameter, then that account will
-			be fetched. If no username is passed, a list of
-			usernames will be returned.
-		 ---
-		--- 
-			Refactoring some of the web service code to make it 
-			easier to read. Getting ready for ISSA Conference
-			presentation.
-		 ---
-		--- 
-			Added CSRF protection to "Register User" page in 
-			Security levels 1 and 5. Good luck in level five.
-			That token is pretty random.
-		 ---
-		--- Moved SOAP web services into SOAP directory ---
-		--- Rewrote custom error handler to be more efficient ---
-		--- Fixed minor bug in log error handler ---
-		--- Added JSON output to custom error handler ---
-		--- Added authenticateAccount() method to SQL query handler
-		that allows username and password to be checked
-		 ---
-		--- 
-			Added getNonSensitiveAccountInformation() to SQL query
-			handler to lookup username and signature
-		 ---
-		--- 
-			Standardized all pages to use getUserAccount() to pull
-			user account
-		 ---
-		--- Added deleteUser() method to SQL Handler ---
-		--- 
-			Added accountExists() method to SQL Handler to allow pages to check
-			if account exists before inserting
-		 ---
-		--- 
-			Added updateUserAccount() method to SQL handler to allow
-			updates to user accounts. Eventually an update account page
-			will be added.
-		 ---
-	
-
-Date: 09/10/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.2: ---
-	
-		--- 
-			Altered all statically declared class variables to be
-			class properties so that the video tutorials will work
-			in Metasploitable 2.
-		 ---
-	
-
-Date: 09/09/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.1.0: ---
-	
-		--- 
-			BUG FIX: Credit Lee Baird and Skorpinok Rover.
-			Fixed a bug in the YouTubeVideoHandler.php that caused
-			a lot of errors in older versions of PHP that may not fully
-			support static constants in 
-			object oriented programming. One system affected was
-			Metasploitable 2.
-		 ---
-		--- 
-			Put the vulnerabilities in the vulnerability listing 
-			into alphabetical order
-		 ---
-		--- 
-			BUG FIX: Credit Lee Baird
-			Added wider table to vulns.php to make list easier to read
-			on some resolutions
-		 ---
-	
-
-Date: 09/08/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.6.0: ---
-	
-		--- 
-			A new section has been added to most hints on most pages. The "video"
-			section contains either a link to the video or a frame with the video
-			embedded. Mutillidae will detect if Curl is installed and if the Internet
-			is reachable. If those preconditions fail, the link will be displayed.
-			If Mutillidae is mistaken about connectivity and the link is displayed
-			rather than the frame, the user can still click the link to open 
-			the video in a new tab.
-		 ---
-		--- 
-			Add hint reminder to Home page growl notification 
-			to let users know hints are available
-		 ---
-		--- Fixed bug in code examples on XML XXE hint ---
-		--- Added new material to the XML XXE hint from ISSA workshop ---
-		--- 
-			On pages with multiple hints, the last hint opened will now
-			automatically close when the next hint is opened
-		 ---
-		--- BUG FIX (Credit Lee Baird): Fixed 3 broken links on credits.php ---
-		--- Rewrote credits.php to remove code redundancy ---
-		--- 
-			Deleted documentation files from OWASP ESAPI library to reduce
-			project size
-		 ---
-		 --- BUG FIX (Credit Lee Baird): Fixed title on virtual box instructions page ---
-		 --- BUG FIX (Credit Lee Baird): Fixed VB instruction page opening in new window ---
-		 --- BUG FIX (Credit Lee Baird): Fixed title bar on installation instructions ---
-		 --- BUG FIX (Credit Lee Baird): Fixed title bar on vulnerabilities page ---
-		 --- 
-			 SVN is gone due to instability issues with Sourceforge SVN. 
-			 Use the following to pull project via Git. 
-			 git clone git://git.code.sf.net/p/mutillidae/git mutillidae-git
-		  ---
-		 --- BUG FIX: Title on the information disclosure hints page ---
-	
-
-Date: 08/13/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.18: ---
-	
-		--- 
-			Renamed change-log.htm to change-log.txt in the 
-			project and on Sourceforge
-		 ---
-		--- 
-			BUG FIX: Disabled the error handler in the OWASP ESAPI
-			LoggerAppenderFile.php file. This will prevent warnings
-			when the LoggerAppenderFile.php cannot make a directory
-			or open a file.
-		 ---
-		--- 
-			Began work on the video handler class
-		 ---
-	
-
-Date: 08/02/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.17: ---
-	
-		--- BUG FIX: Double encoding in view blog in security level 5 ---
-		--- Simplified sidebar and footer ---
-		--- BUG FIX: pen-test-tool-lookup.php JavaScript error on first visit ---
-		--- Removed the bold tag from the change log ---
-		--- BUG FIX: 2013 change log dates were wrong ---
-		--- BUG FIX: Fixed bug report email address ---
-		--- BUG FIX: SSL Config hints when curl-php not installed on system ---
-		--- Updated the listing of vulnerabilities ---
-		--- BUG FIX: Notices in user info if page SQL injected ---
-		--- Show log page queries converted to object oriented ---
-		--- Show log page refactored to run faster and be easier to understand ---
-		--- BUG FIX: Removed depreciated styles from log file page ---
-		--- Log page will show message if no records found ---
-		--- Aligned all images vertically for a better look ---
-		--- 
-			BUG FIX: Refresh on show logs would delete records over again
-			if clicked right after delete logs ---
-		--- Added growler popup when logs are refreshed or deleted ---
-		--- 
-			BUG FIX: Alter the PHPMyAdmin config file.
-			Added 
-				$cfg['CheckConfigurationPermissions'] = FALSE;
-			to file in PHPMyadmin to allow project
-			to run on Mutilidae installed on Linux hosts with world-writable 
-			permissions set on the project
-		 ---
-	
-
-Date: 07/30/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.16: ---
-	
-		--- 
-			Well its official. Mutillidae II is now being developed
-			on Ubuntu Linux LAMP rather than Windows XP  XAMMP.
-		 ---
-		--- 
-			BUG FIX: Error in set up database that affected users
-			on Linux when setting up the database for the fist time which
-			resulted in a Page Not Found error on first visit. ---
-		--- 
-			BUG FIX: Forgot to update version string 3 versions
-			in a row.
-		 ---
-		--- ENHANCEMENT: Improved output on database offline page ---
-		--- 
-			QA: Verified web service exploits work from Ubuntu 13.04. 
-			Windows XP already verified.
-		 ---
-	
-
-Date: 07/26/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.15: ---
-	
-		--- 
-			In security level 0, allow client to determing file upload path when 
-			exploiting the Unrestricted File Upload vulnerability
-		 ---
-		--- Improve the Unrestricted File Upload hints ---
-		--- Added a simple shell and the Laudanum shell to 
-		the hints ---
-	
-
-Date: 07/15/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.14: ---
-	
-		--- Added new menu OWASP 2007 A6 - Improper Error Handling under "Others" ---
-		--- Added new vulnerability Unrestricted File Upload under the "Others" menu ---
-		--- Documented new vuln Unrestricted File Upload on vulns page ---
-		--- Refactored register.php code. Added control variables. ---
-		--- Converted register.php queries to object oriented from procedural ---
-		--- Altered formatting on register.php ---
-		--- Deleted the OWASP ESAPI "Test" Directory ---
-		--- 
-			Added new vulnerability Unrestricted File Upload on all 
-			security levels along with hints and bubble hints. This page
-			will allow the upload of shell code when security level is low
-			enough. The page is also vulnerable to HTMLi and XSS.
-		 ---
-	
-
-Date: 07/12/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.13: ---
-	
-		--- 
-			BUG FIX: Renamed account method.
-		 ---
-		--- Added some comments to index.php ---
-		--- BUG FIX: Undefined variable notice in login script ---
-		--- 
-			ADD FEATURE: Added failed login attempts that fail by exception to log messages.
-			Now users can cause failed logins on purpose to infect log files.
-		 ---
-		--- Updated some code in the login process ---
-		--- BUG FIX: Fixed links to open in new tab in Johnny Long HFC page ---
-		--- Removed unneeded code from AJAX lookup pen test tool page ---
-		--- 
-			ADD FEATURE: The JSON pages (pen test lookup tools) now use 
-			different parsers when in different security levels. A safer parser
-			is used in level 5.
-		 ---
-	
-
-Date: 06/22/2013 Author: Jeremy Druin/Lee Baird ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.12: ---
-	
-		--- 
-			BUG FIX: Bug found by Lee Baird. Professional Web Application Developer 
-			Quality Assurance Pack link broken on credits page. Fixed.
-		 ---
-		--- BUG FIX: Fixed documentation bug in vulnerability listing ---
-		--- 
-			BUG FIX: Added page not found functionality to the page fetcher
-			code in index.php to prevent a bug that would occur if the 
-			value of the page parameter pointed to a non-existent
-			target
-		 ---
-		--- BUG FIX: Bug found by Lee Baird. text-file-viewer.php
-			External links should open in new tabs.
-			http://www.textfiles.com/
-			Fixed.
-		 ---
-		--- BUG FIX: Bug found by Lee Baird. 
-			robots-txt.php
-			External links should open in new tabs.
-			Robots Exclusion Standard
-			Fixed.
-		 ---
-		--- Added automatic path separator detection to the capture data page ---
-		--- Added automatic temp file path detection to the capture data page ---
-		--- 
-			BUG FIX: Bug found by Lee Baird. 
-			capture-data.php
-			Warning: fopen(captured-data.txt) [function.fopen]: failed to open stream: Permission denied in /var/www/mutillidae/capture-data.php on line 104
-			Warning: fwrite(): supplied argument is not a valid stream resource in /var/www/mutillidae/capture-data.php on line 105
-			Fixed.
-		 ---
-		--- 
-			BUG	FIX: Bug found by Lee Baird. 
-			Warning: include_once(/var/www/mutillidae./includes/log-visit.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/mutillidae/capture-data.php on line 137
-			Warning: include_once() [function.include]: Failed opening '/var/www/mutillidae./includes/log-visit.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/mutillidae/capture-data.php on line 137
-			Fixed.
-		 ---
-		--- 
-			BUG	FIX: Bug found by Lee Baird. 
-			Dead link in pen-test-tool-lookup.php
-			http://localhost/mutillidae/index.php?page=pen-test-tool-lookup-ajax.php
-			Fixed.
-		 ---
-		--- BUG FIX: Fixed dead link in pen-test-tool-lookup-ajax.php ---
-		--- BUG FIX: Bug found by Lee Baird. Fixed dead link in add to your blog ---
-		--- BUG FIX: Bug found by Lee Baird. Fixed dead link in capture data ---
-		--- BUG FIX: Bug found by Lee Baird. Fixed absolute path bugs in all three web services documents ---
-	
-
-Date: 06/22/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.11: ---
-	
-		--- 
-			Renamed the phpmyadmin.php file to be lower case.
-			It appears some Linux PHP might be case senstive on
-			file names.
-		 ---
-		--- 
-			Added first iteration of web services by adapting
-			SecureIdeas (Kevin Johnson) DVWS project to work
-			in Mutillidae
-		 ---
-		--- 
-			Replaced the DVWS sqli web service with userLookup()
-			web service that has the full functionality of 
-			the user-info.php page (but in a web service)
-		 ---
-		--- 
-			There is now a web service for SQLi, Command Injection,
-			and a Hello World test page that just echos input
-		 ---
-		--- Added some comments to the sql query handler ---
-		--- 
-			Rewrote user-info.php page to set page 
-			parameters early, eliminate some code, and
-			convert queries to object oriented calls.
-		 ---
-		--- Fixed a XSS vuln in user-info.php (when page is in level 5) ---
-		--- Created include file minimum-class-definitions.php ---
-		--- Added minimum-class-definitions.php to capture data and web service pages ---
-		--- Added web services to various menus ---
-	
-
-Date: 06/13/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.10: ---
-	
-		--- Fix format error in user agent impersonation page ---
-		--- 
-			Change project name to 
-			OWASP Mutillidae II: Web Pwn in Mass Production. 
-			How clever.
-		 ---
-		--- Added advanced HTML injection example contributed by Jon Watkins ---
-	
-
-Date: 5/18/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.9: ---
-	
-		--- 
-			Updated SQL Injection hints with more examples and
-			URL encoded payloads
-		 ---
-		--- 
-			Added more cross site scripting opportunities
-			and comments to the user info page. XSS is now
-			possible when no records are found during the database
-			lookup.
-		 ---
-		--- 
-			Updated the cross site scripting hints with more examples and
-			URL encoded payload
-		 ---
-		--- 
-			Updated the HTML injection hints with more examples and
-			URL encoded payload
-		 ---
-	
-
-Date: 5/18/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.8: ---
-	
-		--- 
-			Corrected bug in DNS Lookup
-		 ---
-		--- Upgraded hints in SQL injection hints ---
-		--- 
-			Converted pen test lookup tool query from 
-			procedural to object oriented code
-		 ---
-		--- Fixed minor formatting bug in pen test tool lookup ---
-		--- Patched multiple bugs in pen-test-tool-lookup-ajax.php ---
-		--- 
-			Converted queries in pen-test-tool-lookup-ajax.php to 
-			object oriented code
-		 ---
-		--- Corrected bugs in add to your blog ---
-		--- Correct code formatting in add to your blog ---
-		--- Added includes directory to robots.txt ---
-		--- Patched bug in user-poll.php ---
-	
-
-Date: 5/10/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.7: ---
-	
-		--- 
-			Added exploit examples to the SQL injection hints
-			which shows how to upload a web shell via SQL 
-			injection.
-		 ---
-		--- Altered database error handler for Samurai WTF ---
-	
-
-Date: 5/6/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.6: ---
-	
-		--- 
-			Added hints and examples to the unvalidated forwards
-			and redirects hints.
-		 ---
-	
-
-Date: 5/6/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.5: ---
-	
-		--- 
-			Fixed bug in the set up database script that would cause
-			error when redirecting back to a page which had no 
-			parameters in the URL.
-		 ---
-		--- Added example code and additional hints to the IDOR hints ---
-		--- Added more JS injection hints and sample injections for the password
-		generator page ---
-		--- Added XSS and HTMLi hints to the password generator page ---
-		--- Added more code examples to the authentication bypass page ---
-	
-
-Date: 5/5/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.4: ---
-	
-		--- 
-			Added multiple examples to the HTML injection hints
-			including advanced code.
-		 ---
-		--- 
-			Added code examples to the cross site scripting
-			hints.
-		 ---
-		--- 
-			Fixed bug in capture data page that caused
-			issues if the capture data page was used outside
-			of the index.php frame (which is supported).
-		 ---
-		--- 
-			Fixed bug in DNS lookup page that caused some minor
-			formatting errors
-		 ---
-		--- Improved formatting on captured data page ---
-		--- Fixed some bugs in the examples in Mutillidae test scripts ---
-		--- Added code examples to cross site request forgery hints ---
-		--- Added lots of file paths from Mubixs post exploit documentation
-		to the LFI hints
-		 ---
-	
-
-Date: 5/3/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.3: ---
-	
-		--- 
-			Fixed bug in index.php that prevented Mutillidae from
-			working in Samurai WTF
-		 ---
-		--- 
-			Fixed bugs in pages that prevented the hints from showing
-			in Samuari WTF
-		 ---
-		--- Reported by John Nicholson ---
-	
-
-Date: 4/27/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.2: ---
-	
-		--- Added Document viewer to XSS menu ---
-		--- Added new XSS sub-category: XSS via HTML attribute ---
-		--- Fixed bug in database-offline.php ---
-		--- Fixed bug in set-up-database.php ---
-		--- Fixed bug in constants.php ---
-	
-
-Date: 4/27/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.1: ---
-	
-		--- Added growl notification for login, security level changes,
-		logout, and enforce SSL changes. ---
-		--- Fixed bug in login sequence ---
-	
-
-Date: 3/30/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.5.0: ---
-	
-		--- Added additional level 1 hints for SQL injection ---
-		--- Added growl pop up notifications ---
-		--- Added growl notification when hint level changes ---
-		--- Removed and replaced hints system with dynamic hints system ---
-		--- Created include files for hints level 1 ---
-		--- Moved level 2 hint includes into subdirectory under includes ---
-		--- Removed hard coded hints from all pages ---
-		--- Made hint system modular so that each vulnerability
-			has its own hint rather than hints being spammed
-			to page as a block.
-		 ---
-		--- Added the gritter jQuery plugin to project to provide growl ---
-		--- Improved commenting on index.php ---
-		--- 
-			Added constant define('__ROOT__', dirname(__FILE__));
-			to the index.php page in order to allow paths to be absolutely
-			specified rather than using relative paths. Relative paths
-			are required because mutillidae is designed to run on multiple 
-			versions of Windows, Linux, and Mac. However some systems such
-			as Linux Lamp have trouble "knowing" where the relative path
-			should lead so detecting the document root then prepending should
-			address issues on these systems. Interestingly only certain
-			Linux systems are affected. Samurai, Backtrack and other systems
-			do not have the issue.
-		 ---
-		--- Swithced paths from relative to absolute using constant __ROOT__
-		as in require_once (__ROOT__.'/owasp-esapi-php/src/ESAPI.php');
-		 ---
-		--- 
-			Altered some include_once and require_once statements to be one or
-			the other at the most appropriate times. include_once is a warning only.
-		 ---
-		--- Added a default "No Hints Found" hint that will display if no hints found ---
-		--- 
-			Added User-Agent Impersonation to the security misconfiguration menu on the 
-			sites main menu
-		 ---
-		--- 
-			Added frame source injection vulnerability to the hints system. This
-			vulnerability was quietly added in a previous version but not advertised.
-		 ---
-		--- Fixed two bugs in Document Viewer ---
-		--- 
-			Updated the victim redirection page URL in the framer.php page to
-			http://sourceforge.net/projects/mutillidae/
-		 ---
-		--- Reformatted the HTML 5 Web Storage Hints to be easier to read ---
-		--- Added hint about ssl downgrade attack to login.php ---
-		--- Patched bug in password-generator.php ---
-		--- Corrected some grammer in some hints ---
-		--- Removed unneeded code from pen test lookup tools ajax page ---
-		--- Fixed minor bug in php-errors.php ---
-		--- 
-			Added PHP MyAdmin to the project. Weeeeeeeeeeeeee. Its at
-			http://localhost/mutillidae/index.php?page=phpmyadmin.php
-		 ---
-		--- Added links to phpmyadmin to menus and home page ---
-		--- Consolodated some code in register.php ---
-		--- Added robots.txt to security misconfiguration menu ---
-		--- Patched bug on robots.txt that prevented hints from showing ---
-		--- Added phpmyadmin directory to robots.txt ---
-		--- Added phpMyAdmin.php to secret admin pages ---
-		--- Added several information disclosure pages to the menu ---
-		--- Created new version of the Security Misconfiguration menu ---
-		--- Added more hints to set-background-color.php ---
-		--- Added XSS tutorial to the source-viewer.php page ---
-		--- Added LFI and RFI hints to source and text file viewer pages ---
-		--- Added SQL injection hints to sqlmap targets page ---
-		--- Added SQL Map "How To" hints to the sql injection hints ---
-		--- Added sql-injection-tutorial to sqlmap targets page ---
-		--- Updated vulnerabilities.php ---
-		--- 
-			Added a prototype of a future feature of OWASP Mutillidae II; embedding
-			video hints
-		 ---
-		--- 
-			Added user-agent-impersonation.php to vuln listing and
-			hints system
-		 ---
-		--- 
-			Added the following new hints: Frame Source Injection,
-			HTML 5 Web Storage Theft and Manipulation,Robots.txt,
-			Secret Administrative Pages,User Agent Impersonation
-		 ---
-		--- Converted remaing blog queries to object oriented code ---
-		--- Added feature request to home page ---
-		--- Removed redundent links from menu ---
-		--- Added parameter addition vulnerabilty to view user privileges ---
-	
-
-Date: 3/24/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.10: ---
-	
-		--- 
-			Altered comments on the XML Validator page to 
-			fix a bug present in Firefox 3.0. FF3 is obsolete
-			but still used in some security training courses.
-		 ---
-		--- 
-			Suppressed errors during creation of HTML5
-			web storage items in order to support older
-			browsers which have not implemented window.localStorage
-			and window.sessionStorage.
-		 ---
-		--- 
-			Created a title for the Help Me! buttons to show
-			which page the button will help with
-		 ---
-		--- 
-			Improved home page layout, added help links
-		 ---
-		--- 
-			Added link to email support to home page
-		 ---
-		--- Improved formatting of the footer ---
-	
-
-Date: 3/24/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.9: ---
-	
-		--- 
-			Added border=none formatting to images and anchors
-			to support old Firefox used in some versions of
-			Samurai used in courses.
-		 ---
-		--- 
-			Improved formatting, wording, and instructions
-			of the "database offline" page
-			to make it more clear to the user what action to
-			take.
-		 ---
-		--- 
-			Added an automatic redirect to the "database offline" page
-			when the user opts out of seeing the messages.
-		 ---
-		--- 
-			Altered the "database offline" page to be more resiliant to 
-			installations on Samurai WTF. If the default password of
-			blank does not work, the system will try the password
-			"samural" regardless of the error message returned.
-		 ---
-		--- 
-			Improved layout of side menu
-		 ---
-		--- 
-			Added more help links to home page
-		 ---
-		--- 
-			Reformatted Home page to make links less crowded
-		 ---
-	
-
-Date: 2/21/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.8: ---
-	
-		--- 
-			MAMP user reported fatal error in which 
-			method getPrevious of the Execption class
-			is undefined. The issue could be that MAMP comes with PHP
-			5.2.x while Exception:getPrevious() requires PHP
-			5.3.0 or greater. Added a check on the Exception:getPrevious()
-			method to only use the method if it exists.
-		 ---
-	
-
-Date: 2/21/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.7: ---
-	
-		--- Improved spacing on home page to make hints look better when they are activated ---
-		--- BUG FIX: Undefined index in XML validator page ---
-		--- BUG FIX: Undefined index in User Information page ---
-		--- BUG FIX: Fixed XSS in security level 5 in User Information page ---
-		--- BUG FIX: Undefined index in DNS Lookup page ---
-		--- Added additional bubble hint to the User Information page ---
-		--- 
-			Refactored code on DNS Lookup to make it easier to understand
-			how to remediate for developers
-		 ---
-		--- 
-			Added large amount of information to SQL query error messaged by
-			serializing the MySQLi object upon error executing a query in the 
-			MySQLHandler class. This will make is easier for users to see what errors
-			caused issues.
-		 ---
-		--- 
-			Upon SQL error the query injected is output to help users figure
-			out the correct SQL injection
-		 ---
-		--- BUG FIX: Corrected bug in insert query error handling ---
-		--- 
-			Split off logging of insert of new blog record so that an error
-			in logging wont stop the injection from working. This makes it easier
-			to get injections to work for new users.
-		 ---
-		--- 
-			Tested and verified that the add to your blog page is a good target for the 
-			Beef Framework
-		--- 
-		--- 
-			Added BeeF Framework Targets to the menu under cross site scripting sub menu
-			to give users a list of pages known to work well with beef hooks. There is a 
-			new menu called Beef Framework Targets.
-		 ---
-		--- 
-			Tested project on XAMPP 1.8.1
-		 ---
-		--- Converted lookup pen test tools to use the object oriented SQL queries ---
-		--- BUG FIX: pen test tools ajax version that prevented lookup function from working ---
-		--- BUG FIX: pen test tools both versions that gave undefined index error ---
-		--- Added Remote File Inclusion and Local File Inclusion to the Arbitrary File
-		Inclusion page.
-		 ---
-		--- Added hints on how to perform remote and local file inclusion to the arbitrary
-		file inclusion page.
-		 ---
-		--- Added new links on main menu for remote file inclusion and local file inclusion ---
-		--- Added new page popup hints to the arbitrary file inclusion page. ---
-		--- BUG FIX: Client information handler threw error if operating system was not
-		detected. This has been fixed.
-		 ---
-		--- Replaced the operating system detection code with new code from
-		http://www.killersites.com/community/index.php?/topic/2562-php-to-detect-browser-and-operating-system/.
-		This is in method public function getOperatingSystem() in the client information handler.
-		 ---
-		--- BUG FIX: Repeater page had two undefined index notices on first visit ---
-		--- BUG FIX: Fixed for undefined variable notices in page view-user-privilege-level.php ---
-		--- Updated vulnerabilities listing ---
-	
-
-Date: 2/12/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.6: ---
-	
-		--- 
-			BUG FIX: Tim Tomes discovered another bug in 
-			the back button
-			that caused a notification error that the referer was not
-			declared on the first visit after a fresh install.
-		 ---
-		--- 
-			BUG FIX: Fixed several bugs in the capture data page 
-			found by Gustav/toffe1996 which
-			were due to old code left after upgrades, repeated code (again from
-			previous upgrades), and double encoding data destined for 
-			an insert query.
-		 ---
-		--- 
-			Added link to the capture data page to the captured
-			data page
-		 ---
-		--- 
-			Converted query on captured data page to object oriented
-			query
-		 ---
-	
-
-Date: 2/10/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.5: ---
-	
-		--- BUG FIX: Tim Tomes discovered a bug in the back button
-		that caused a notification error that a variable was not
-		declared 
-		if the project is in security level 1. The bug did not appear 
-		in security level 0 or 5.
-		 ---
-	
-
-Date: 2/8/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.4: ---
-	
-		--- 
-			BUG FIX: In security level 5 the pages in the documentation 
-			folder would not display due to a misconfigured security
-			control
-		 ---
-		--- BUG FIX:
-			On page XSS � Reflected � Text File Viewer, Nicholas Watkins noted
-			that XSS was possible on security level 5 (secure) with:
-			%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
-			in the file field.
-			
-			This attack takes advantage that the injection causes an error from
-			PHP itself outside of the PHP code's control. When PHP shows the error
-			it includes the filename which in this injection happens to be valid
-			JavaScript inside a script tag.
-		
-			The browser executes the JavaScript when viewing the error.
-		 ---
-		--- Removed outdated sqlmap help file ---
-		--- Changed layout of home page ---
-		--- Removed several unused icons from images folder ---
-		--- 
-			Removed the test and examples directories from the OWASP
-			ESAPI folder. This reduced project size by ~500 KB.
-		 ---
-		--- Refactored code for page Text File Viewer ---
-		--- 
-			Added method tampering vulnerability to security level 0 
-			and 1 in page Text File Viewer
-		 ---
-		--- Added updated XSS defenses for security level 5 in page Text File Viewer ---
-		--- Updated vulnerabilities listing ---
-		--- 
-			Updated logging on page Text File Viewer to prevent failed logging
-			attempt from stopping execution of the page.
-		 ---
-		--- Capture data page now uses object oriented SQL queries ---
-		--- Depreciated notes.php ---
-		--- Added link to the vulnerabilities page to the home page ---
-		--- Added link to the vulnerabilities page to the usage instructions page --- 
- 	
-
-Date: 1/31/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.3: ---
-	
-		--- 
-			Added login.php page to the sqlmap targets in the menu
-		 ---
-		--- 
-			Modified several links to open in new windows/tabs rather than taking over
-			main screen
-		 ---
-		--- Reduced some unneeded styles ---
-		--- Added links for Firefox add-ons to home page ---
-		--- Added link for sqlmap to home page ---
-		--- 
-			Added new page with SQLMap practice targets, link
-			to video, and new hints section
-		 ---
-	
-
-Date: 1/26/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.2: ---
-	
-		--- 
-			Fixed bug in usage instructions and rewrote the instructions.
-			Several new features have been implemented.
-		 ---
-	
-
-Date: 1/21/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.1: ---
-	
-		--- 
-			Added method tampering vulnerability to 
-			register.php
-		 ---
-		--- Updated the vulnerabilities.php page ---
-		--- Added large amounts of help texts to various pages ---
-		--- 
-			Added Method Tampering to menu with two pages under this
-			vulnerability
-		 ---
-		--- Added Poll Question to HTMLi and XSS menus ---
-		--- Added several pages to several new menu entries ---
-	
-
-Date: 1/13/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.4.0: ---
-	
-		--- 
-			Installed popup help text on the images and links of the 
-			home page.
-		 ---
-		--- Added help button example to home page ---
-		--- 
-			Reconfigured home page to try to help user
-			understand what to do
-		 ---
-		--- Added colorbox jquery plugin to project ---
-		--- Created jquery-init.inc to hold jquery initialization scripts ---
-		--- 
-			Created new class SQLQueryHandler and began experimenting with 
-			collecting all queries into this class in preparation for 
-			using other brands of databases
-		 ---
-		--- 
-			Created the pop up help context page to act as an AJAX
-			backend to the HELP ME buttons being added to the site
-		 ---
-		--- 
-			Added new tables and data to the database to support the 
-			new HELP ME buttons for each page
-		 ---
-		--- Reduced code for back buttons ---
-		--- 
-			Created include file for back button to avoid spamming code on
-			all the pages
-		 ---
-		--- Created the HELP ME button on each page to tell the user what to try ---
-		--- Added arbitrary-file-inclusion.php to the XSS header menu ---
-		--- Updated the vulnerabilities listing ---
-		--- 
-			Patched defect in browser-info.php that would return Warnings
-			if the system is not connected to the Internet.
-		 ---
-		--- 
-			Added browser-info.php to the HTMLi injection via HTTP headers
-			menu
-		 ---
-		--- Added large number of pages to the HTMLi menu ---
-		--- Added captured-data.php to menu under insert based sql injection ---
-		--- 
-			Added new page describing a new vulnerability SSL downgrade. The 
-			SSL Misconfiguration page has been added to the A9 menu
-		 ---
-		--- 
-			Bug Fix: Repaired link http://localhost/mutillidae/index.php?page=view-someones-blog.php
-			in add blog page. Changed to relative link ./index.php?page=view-someones-blog.php to fix link
-			when Mutillidae is running on remote server. Also fixed equivalent link from view blog
-			page back to add blog page.
-		 ---
-		--- Moved insert blog entry query to object oriented class ---
-		--- Added more hints to the XML entity injection page ---
-		--- Added new type of cross site scripting injection; via XML injection ---
-		--- Bug fix in formatting on vulnerabilities.php page ---
-	
-
-Date: 1/11/2013 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.14: ---
-	
-		--- 
-		    public function encodeCharacter($input)
-		    /* Altered by JD 1/11/2013 to repair error message
-		     * which appears because the parent class of this
-		     * class declares the same function with a different
-		     * signature.
-		     * 
-		     * Strict Standards: Declaration of Base64Codec::encodeCharacter() should
-		     * be compatible with Codec::encodeCharacter($immune, $c) in
-		     * /opt/lampp/htdocs/mutillidae/owasp-esapi-php/src/codecs/Base64Codec.php
-		     *  on line 130 
-		     */
-		 ---
-		--- 
-			Added try-catch to 
-			$LogHandler-&gt;writeToLog("Attempt to log in by user: " . $username);
-			in process login attempt page to prevent error with log handler.
-		--- 
-		--- 
-			Added color coding to user account level displayed in the menu
-			at the top of the page
-		 ---
-	
-
-Date: 12/08/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.13: ---
-	
-		--- 
-			Added validation for valid XML characters in level
-			5 of the XML External Entity Injection page in 
-			order to detect and block attacks based on
-			alternate encodings of XML. Thanks to  
-			Nicolas Gr�goire (@Agarri_FR) for 
-			providing working injections.
-		 ---
-	
-
-Date: 12/07/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.12: ---
-	
-		--- 
-			Repaired bug in XML External Entity Injection page
-			/index.php?page=xml-validator.php found by 
-			Nicolas Gr�goire (@Agarri_FR).
-		 ---
-		--- 
-			Improved error message formatting on
-			XML External Entity Injection page
-		 --- 		
-	
-
-Date: 12/06/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.11: ---
-	
-		--- Improved formating on User Information page ---
-		--- Added border radius styling to all fieldsets ---
-		--- Improved formatting on the error handler messages ---
-		--- Updated main title on home page ---
-		--- Redesigned home page layout ---
-		--- Introduced a new type of vulnerability: XML External Entity Injection ---
-		--- 
-			New page added at /index.php?page=xml-validator.php to implement the
-			XML External Entity Injection vulnerability
-		 ---
-		--- Added hints to XML External Entity Injection page ---
-		--- Updated vulnerabilities.php page ---
-		--- 
-			Added XML External Entity Injection page to header menu at path
-			"OWASP Top 10" -- "Other Injection" -- "XML External Entity Injection" 
-			-- XML Validator
-		 ---
-	
-
-Date: 10/26/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.10: ---
-	
-		--- Added more hints into the user-agent impersonation page ---
-		--- Moved header, footer, log-visit, and config.inc into "includes" directory ---
-		--- Added additional link for captured data page to capture data page. ---
-		--- Updated link for Latest Version of Mutillidae ---
-		--- 
-			Added new challenge level to CBC bit flipping. Level 1 presents a new challenge
-			to solve
-		 ---
-		--- 
-			Added a new field to the CBC bit flipping. The field has no bearing on winning
-			the challenge but provides some theatrics as it changes if the first four bytes of the 
-			IV are modified.
-		 ---
-	
-
-Date: 10/18/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.9: ---
-	
-		--- Moved the change log file into the documentation folder ---
-		--- 
-			Added the JavaScript Object Notation (JSON) pages to the SQL injection
-			menu as well as the HTML-5 menu
-		 ---
-		--- Fixed bug on capture data page where SQL Injection protection was
-		in the wrong place ---
-		--- Added new global style for success messages ---
-		--- Corrected CSS errors on Add to your Blog and View Blogs ---
-		--- 
-			Added new challenge page named user-agent-impersonation.php
-			The goal is to impersonate an iPad fairly closely. Added
-			browser fingerprint elements that can be changed by User-Agent
-			Switcher and some elements that have to be changed in the 
-			browser configuration.
-		 ---
-	
-
-Date: 09/26/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.8 (KY ISSA Conference Version): ---
-	
-		--- 
-			Added JavaScript validation to the user-info.php page. 
-			This validation is activated
-			in security level 1 and security level 5. The user can
-			bypass in various ways including proxy and disabling JS.
-		 ---
-		--- 
-			Added the page visited to the logging script that logs when
-			a user visits each page. This makes the logs more realistic.
-		 ---
-		--- 
-			Added the various commands needed when performing command
-			injection to open up telnet on a Windows XP host. This applies
-			to command injection performed on the "DNS Lookup" page. The 
-			file with the example commands is located in 
-			/documentation/mutillidae-test-scripts.txt
-		 ---
-		--- 
-			Added the various commands needed when performing command
-			injection to open up Windows Remote Desktop Connection
-			(Windows Terminal Services) on a Windows XP SP3 host. This applies
-			to command injection performed on the "DNS Lookup" page. The 
-			file with the example commands is located in 
-			/documentation/mutillidae-test-scripts.txt
-		 ---
-		--- 
-			Since the "CurrentBrowser" attribute is not well-supported in 
-			browsers, the html-5 web storage page will now set an attribute 
-			called AuthorizationLevel to act as a target
-		 ---
-		--- 
-			Refactored the pen test tools lookup page
-		 ---
-		--- 
-			Add new page for attacking AJAX called pen-test-lookup-tool-ajax.php
-			The page makes AJAX requests to fetch information about the tool
-			selected. This allows the user to attempt to hack an AJAX driven
-			request which fetches JSON data.
-		 ---
-		--- Added user-info.php page to the "JavaScript Security" menu ---
-		--- Added new menu for HTML-5/AJAX/JSON related pages and content ---
-		--- Added hint about mutiilidae test scripts file to the home page ---
-		--- 
-			Improved the log file functionality so that if the page variable is
-			blank such as in an AJAX request, the page will be fetched from 
-			the super global variables.
-		 ---
-	
-
-Date: 09/15/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.7 (Samurai 2.0 Version): ---
-	
-		--- Improved detection of incorrect database settings on the set-up-database script. ---
-		--- 
-			Added code to make it easier to install on Samurai WTF. The MySQLHandler-&gt;openConnection()
-			method will automatically try the password "samurai" if the configured password
-			fails.
-		 ---
-		--- 
-			Created installation video for updating OWASP Mutillidae II Mutillidae on Samurai WTF 2.0
-			on the webpwnized YouTube Channel.
-		 ---
-		--- Cleaned up code in MySQLHandler.php ---
-		--- 
-			Added code to set up database page to detect if user fixed errors.
-			If the user came from the database error page but we do not have database errors anymore,
-	 		send them to the home page.
-	 	 ---
-	 	--- Changed font on the database error page ---
-	 	--- Imporved error handling for database errors in index.php ---
-	
-
-Date: 09/15/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.6 (Samurai 2.0 Version): ---
-	
-		--- Introduced a bug. Oops. This version superceded by 2.3.7 upon release. ---
-	
-
-Date: 09/03/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.5: ---
-	
-		--- Added more hints on the secret-administrative-pages.php ---
-		--- Added OWASP Mutillidae II to Sourceforge Subversion (SVN): https://mutillidae.svn.sourceforge.net/svnroot/mutillidae ---
-		--- Added cross-site-scripting tutorial to the page arbitrary-file-inclusion.php ---
-		--- Updated the vulnerabilities.php page with a few dozen more hints about vulns ---
-		--- Updated comments on config.inc. The file is not used in this project anymore. ---
-		--- Added more hints to credits.php ---
-		--- Added cross-site-scripting tutorial to the page document-viewer.php ---
-		--- Oops. Fixed page title on page secret-administrative-pages.php ---
-		--- Added new page for directory browsing under A6 - Security Misconfiguration menu ---
-	
-
-Date: 08/13/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.4: ---
-	
-		--- Added documentation around database configuration area in MySQLHandler.php ---
-		--- Cleaned up some code in header.php ---
-		--- Added Enforce SSL functionality for use with SSLStrip. This gives the user a way to force
-			Mutillidae to redirect any HTTP requests to HTTPS
-		 ---
-		--- Squeezed menu to better fit on low resolution screens ---
-		--- Added a new button on the side menu for Enforce/Drop SSL ---
-		--- Added a new button on the top menu bar for Enforce/Drop SSL --- 
-	
-
-Date: 08/13/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.3 (OWASP Broken Web Apps Edition): ---
-	
-		--- Added additional messages to set up database script to help user diagnoise issues ---
-		--- Cleaned up code in the set up database script ---
-		--- 
-			Altered set up database to allow user to choose the name of the database to be whatever they
-			like. This is configured in MySQLHandler.php
-		 ---
-		--- 
-			Set up database script will now output the database name, MYSQL server name, and the username
-			at different points in the set up to help the user diagnose configuraton issues
-		 ---
-		--- Color coded messages in set up database script to help user identify trouble spots ---
-		--- Made the database configuration variables static public class properties ---
-		--- static public $mMySQLDatabaseHost = "localhost"; ---
-		--- static public $mMySQLDatabaseUsername = "root"; ---
-		--- static public $mMySQLDatabasePassword = ""; ---
-		--- static public $mMySQLDatabaseName = "OWASP Mutillidae II"; ---
-		--- Added database server host name to output of database-offline to help diagnostics ---
-	
-
-Date: 08/10/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.2 (Codename: Mutillidae): ---
-	
-		--- 
-			Added large amount of code to help users who have database issues of some type or users unfamiliar with
-			MySQL
-		 ---
-    	--- 
-    		Made change to bubble hint hanlder to return error message if hint retrieval fails rather than allow
-    		page to fail
-    	 ---
-    	--- Added new page database-offline.php to handle database error ---
-    	--- Added database error detection to setup scripts ---
-    	--- 
-    		Changed how the database connection occurs. The MySQLHandler splits the connection 
-	    	to the database server and OWASP10 database into separate steps to help the user have a better
-	    	chance of detecting issues. This allows the index.php page to connect later in the process as well.
-    	 ---
-    	--- Improved database connection in log handler ---
-    	--- Changed database configuration to static properties ---
-    	--- Added method connectToDefaultDatabase() to SQL Handler class ---
-	
-
-Date: 07/27/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.1 (Codename: Mutillidae): ---
-	
-    	--- Updated vulnerabilities listing ---
-    	--- Added an entirely new attack on a new page: view-user-privilege-level.php ---
-    	--- Added view-user-privilege-level.php to main menu under broken session management ---
-	
-
-Date: 07/26/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.3.0 (Codename: Mutillidae): ---
-	
-		--- Updated project to work with newest XAMPP and LAMP stacks. Last update to 
-		stack compatibility was in 2010 for Apache 2.2.x ---
-		--- Mutillidae now works on XAMPP 1.8: Apache 2.4.2, MySQL 5.5.25a, PHP 5.4.4 ---
-    	--- Corrected error on document viewer ---
-    	--- Added new page repeater.php with new vulnerability buffer overflow ---
-    	--- Added new bubble hint for buffer overflow ---
-    	--- Added new bubble hint HTMLandXSSInjectionPoint ---
-    	--- Added new vulnerability class for parameter addition ---
-    	--- Added new hints about parameters addition and buffer overflows ---
-    	--- Split the A1 menu into SQL injection and non-SQL injection
-    	because the section was too large to fit on screen. ---
-    	--- Updated vulnerabilities listing ---
-	
-
-Date: 07/18/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.2.3 (Codename: Mutillidae): ---
-	
-		--- 
-			Made main title and icon smaller to make more room for small displays
-		 ---
-		--- Patched bug calling bubble handler on index.php ---
-		--- Added new vulnerability: frame source injection ---
-		--- Added new page: document-viewer.php ---
-		--- 
-			Added document viewer link to HTTP parameter pollution menu and 
-			frame source injection menu
-		 ---
-		--- Added document viewer to XSS reflected menu ---
-		--- Added new page robots-txt.php ---
-		--- Applied new styles to buttons, inputs, textarea, hints, tutorials, etc. ---
-		--- Fixed layout issue in credits.php ---
-		--- Fixed bug in register.php ---
-		--- opendb.inc and closedb.inc deleted from project ---
-		--- Imporved code on password generator page ---
-	
-
-Date: 07/16/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.2.2 (Codename: Mutillidae): ---
-	
-		--- 
-			Improved error handling and error exception bubbling in the MySQL class to make it 
-			easier to diagnose errors in the bubble hint handler.
-		 ---
-		--- Imporved bubble handler code via refactoring ---
-		--- Patched a bug in the show/hide bubble hints ---
-		--- Converted add-to-your-blog to object oriented MySQLHandler ---
-		--- Corrected minor error handling bug in browser-info.php ---
-		--- Added logging to add to your blog to create more opportunity to poison logs ---
-		--- Added Method switching vulnerability to user poll ---
-		--- Cleaned up code in user poll ---
-		--- Fixed cross site scripting vulnerability in user poll when in secure mode (ironic) ---
-		--- Added logging to user poll ---
-	
-
-Date: 06/15/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II 2.2.0 (Codename: Mutillidae): ---
-	
-		--- Added balloon tips to help users using jQuery ballons ---
-		--- Added jQuery to Mutillidae ---
-		--- Added large amounts of hints to html-5 web storage page ---
-		--- Added notes and demos from AIDE conference talk to pen test lookup tools page ---
-		--- Added notes and demos from AIDE conference talk to html-5 storage page ---
-		--- Added notes and demos from AIDE conference talk to all pages with cross site scripting (click hints to see) ---
-		--- Made show hints code more efficient ---
-		--- Fixed the width of the command injection level-2 hints ---
-		--- Added more comments to index.php ---
-		--- 
-			Made it so the "hints" cookie shows all the time rather than only if the user changes the hint
-			level
-		 ---
-		--- Made is easier for user to hack the hints cookie to make hints appears when hints should not appear ---
-		--- Regression tested the hints functionality since most of it changed ---
-		--- 
-			Syncronized bubble-hints handler with security levels. The bubble hint can change with the security
-			level. This provides a foundation for the future.
-		 ---
-		--- Created the MySQLHandler class ---
-		--- Converted bubble hint handler to use MySQLHandler class ---
-		--- Improved command injection hints on the DNS lookup page ---
-		--- Cleaned up some code on the DNS lookup page ---
-		--- 
-			Converted log file to using the MySQLHandler class instead of the connection previously
-			passed on each call to log. This will make logging more simple and faster.
-		 ---
-		--- Added getSecurityLevel() method to logging class and the MySQLHandler class ---
-		--- Made hints routine run faster ---
-		--- Improved the vulnerabilities listing in vulnerabilities.php ---
-		--- Improved code on add to your blog ---
-		--- Switched add to blog page to use object oriented sql handler ---
-		--- Added toggle-hints to the core controls menu ---
-		--- Added "show popup hints" options to menu ---
-		--- 
-			Tried to move object storage to session so objects are only generated once per session then
-			persisted for the remainder of the session. This greatly imporves performance of objects
-			plus allows the objects to be persistent (remember things).
-			
-			Didnt work. PHP cannot persist objects.
-		 ---
-		--- Cleaned up code on arbitrary file inclusion page ---
-		--- Standardized the bubble hint code to make it easy to add new hints ---
-		--- Added browser-info.php to the JavaScript injection menu ---
-		--- Fixed a bug in the hints formatting on the browser-info.php page ---
-		--- Corrected mistakes in the vulnerabilities listing page ---
-		--- Simplified main menu bar under title at top of each page ---
-		--- Added logging to the authorization required error page ---
-		--- Added logging to the capture data page to log the captured data ---
-		--- Converted the capture data page to use OOP SQL handler ---
-		--- Added source viewer page to the menu for Failure to Restrict URL access ---
-		--- Fixed formatting issue on text file viewer ---
-		--- Fixed some old formatting issues in user info php left over from Mutillidae 1.0 ---
-		--- Fixed code clarity in user info ---
-		--- Converted user info to use MySQL handler class ---
-	
-
-Date: 05/14/2012 Author: Jeremy Druin ---
-
-	--- Change Log for OWASP Mutillidae II (Codename: Mutillidae) 2.1.20: ---
-	
-		--- Changed some color schemes ---
-		--- 
-			Bug fix: The html5 key validation on the on the html5 page was too restrictive. The validator 
-			was throwing errors even when the input was ok. This validation checks for any non-alphanumeric
-			characters and prints an error if non-alphanumeric characters are found. This error message contains the bad key
-			the user input. Since the site fails to output encode this error message, it is possible to perform DOM injection.
-		 ---
-		--- Add the html5-storage.php to the vulnerabilities listing. ---
-		--- Bug Fix: Fixed a bug in pen-test-tool-lookup.php for security level 5 in which the page would throw
-			an error upon submitting the tool to look up.
-		 ---
-	
-
-Date: 05/13/2012 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.19: ---
-	
-		--- 
-			Fixed broken link to https://addons.mozilla.org/en-US/firefox/collections/jdruin/pro-web-developer-qa-pack/ (Mozilla Add Ons)
-			on the "Resources" sub-menu.
-		 ---
-		--- 
-			Added "validation" to the html5 storage page for the "key" field. This validation checks for any non-alphanumeric
-			characters and prints an error if non-alphanumeric characters are found. This error message contains the bad key
-			the user input. Since the site fails to output encode this error message, it is possible to perform DOM injection.
-		 ---
-		--- 
-			Added a large number of HTML 5 based exploits to the Mutillidae-Test-Scripts.txt file. Approximately 100 lines
-			of new demonstration code has been added.
-		 ---
-		--- 
-			On the setup or reset database page, if no errors were detected, the page now sends
-			the user back to the page that requested the database be reset. A popup box
-			gives the user the option to stay on the page.
-		 ---
-	
-
-Date: 03/15/2012 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.18: ---
-	
-		--- The setup datebase page now clears HTML 5 Local and Session Storage ---
-		--- Fixed alignment issues with icons on the captured-data page. ---
-		--- 
-			Partially protected capture-data.php page so that the page can capture
-			values that cause SQL injection. Other fields are left unprotected so
-			users can practice sending SQL injections.
-		 ---
-		--- Added timestamp to records captured in the captured-data.txt text file ---
-		--- 
-			Added script to home page to add a value to HTML 5 storage when user visit the site.
-			This will give users a web storage target to go after even if they dont visit the 
-			HTML 5 storage page.
-		 ---
-		--- 
-			Coverted log-visit.php from using the hitlog table to using the 
-			LogHandler class. This will help consolodate code into a single
-			point of failure for the logging process. All the code has been removed
-			from log-visit.php except a call to the LogHandler.
-		 --- 
-		--- Adjusted top horizontal menu padding to move buttons closer together ---
-		--- 
-			Added two new buttons to the top horizontal menu to allow user to get
-			to the view log page and the view captured data page easier.
-		 ---
-		--- 
-			Removed the gethostbyaddr() function from the LogHandler to prevent the 
-			long timeouts associated with the function when the DNS server is not
-			available. If PHP changes so that the function has a timeout setting
-			it will be brought back.
-		 ---
-		--- 
-			Changed delete icon from jpeg to a transparent PNG so the icon can be put inline
-			to the table headers to save space.
-		 ---
-		--- Added delete log button to the show log page. ---
-		--- Rearranged the buttons on the show logs page, added new icons, and cleaned up the code ---
-		--- Added new information output about numner of records found to view logs page ---
-		--- Made the buttons on the captured data page smaller to free up some space. ---
-	
-
-Date: 03/08/2012 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.17: ---
-	
-		--- 
-			Added new menu items for DOM injection and Cookie injection.
-		 ---
-		--- Added a delete captured data button to the captured data page ---
-		--- 
-			Added new sub-menus to the cross site scripting menu for persistent
-			and reflected cross site scripting. The pages to which the links point
-			are existing pages but the new menus will help new users locate targets
-			for these types of cross site scripting.
-		 ---
-		--- Added large number of proven scripts to the Mutillidae-Test-Scripts.txt file ---
-		--- Added link on View Blog Entries back to Add to Your Blog ---
-		--- Added link on Add Blog Entries back to View Blogs ---
-		--- Fixed typo on HTML 5 storage page ---
-		--- Added delete buttons to the HTML 5 web storage page to help testing ---
-	
-
-Date: 03/01/2012 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.16: ---
-	
-		--- 
-			Additional hints added to HTML5 Web Storage page to overwrite 
-			current web storage
-		 ---
-		--- 
-			Additional hints added to HTML5 Web Storage page concerning reading
-			current web storage. Added code examples for document.write and
-			using Firebug command line.
-		 ---
-		--- 
-			Added several new items to the Easter Egg file Mutillidae-Test-Scripts.txt
-		 ---
-		--- 
-			New vulnerability added. The HTML5 Storage page now has cross site
-			scripting via DOM injection. The "storage key" field is vulnerable.
-		 ---
-		--- Added hints about DOM injection to the HTML5 Storage page. ---
-		--- Added hints to the capture-data.php page about cross site scripting ---
-		--- Updated the vulnerabilities listing ---
-	
-
-Date: 02/11/2012 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.15: ---
-	
-		--- 
-			Upgraded the "JavaScript Validation" for the dns-lookup.php page. The 
-			JavaScript validation is only activated in security level 1. The new
-			validation checks for cross-site scripting characters in addition to
-			OS command injection characters.
-			
-			The validations are trivial to defeat by disabling JS in the browser 
-			or using an interception proxy to bypass the validation.
-		 ---
-		--- 
-			In security level 1, on page add-to-your-blog.php the CSRF token
-			is now generated. The token is predictable although perhaps not
-			obvious. The intention is for students to use Burp-Suite 
-			sequencer to discover the pattern and inject the next token in
-			the sequence (or to subtract each token from the last token).
-		 ---
-		--- 
-			The CSRF token generator for the add-to-your-blog.php page is 
-			now using the OWASP Randomizer to generate random tokens
-			in security level 5. The previous generator used mt_random()
-			which was not really random.
-			
-			These new tokens have an entropy of around 132 bits.
-		 ---
-	
-
-Date: 01/30/2012 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.14: ---
-	
-		--- 
-			Made menu smaller width. Menu is 10% of screen now. This should
-			help when using mutillidae on a classroom projector showing at 
-			1024 x 768.
-		 ---
-		--- Made Banner 2.5% less tall. Gotta make some room people. ---
-		--- Fixed formatting bug in dns-lookup.php that made hints look funny ---
-		--- 
-			Added lots of new advanced examples to the Easter Egg file called Mutillidae-Test-Scripts.txt.
-			The file is located in the documentation folder.
-		 ---
-		--- 
-			Password Generator (password-generator.php): Fixed bug by removing brackets
-			from possible characters that will be used to make password.
-		 ---
-		--- 
-			Added new field to accounts: Boolean is_admin. 
-		 ---
-		--- 
-			Added concept of administrative users and regular users
-		 ---
-		--- 
-			Added new vulnerability. There are secret pages that can be brute forced using
-			a brute forcing tool like DirBuster or Burp-Intruder. Using Burp-Intruder
-			try cycling through the "page" parameter with common names for secret pages.
-			For example, try secret.php.
-		 ---
-		--- Fixed typo on page not found page ---
-		--- Created authorization required page ---
-		--- Added "Secret" Administrative Pages to menu under A8 - Failure to Restrict URL Access ---
-		--- Made menu item for Robots.txt more obvious ---
-		--- Fixed typo on vulnerabilties documentation ---
-		--- "Logged in user" now says "logged in admin" if the logged in user is an admin
-		--- Updated accounts created as targets ---
-		--- Improved output formatting on phpinfo.php page ---
-		--- 
-			Altered phpinfo.php so that admins can see page in any level but regular users
-			can only see page in security levels 0 and 1.
-		 ---
-	
-
-Date: 01/10/2012 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.13: ---
-	
-		--- Added Mutillidae YouTube channel link to menu ---
-		--- Fixed some menu links so they open in new window ---
-		--- 
-			Added a hint to the framer.php page telling the user to try to
-			change the security level.
-		 ---
-		--- 
-			Added a new page called anti-framing-protection.inc. The page
-			shows developers how to implement old-style javascript frame busting code.
-			This isn''t used for new browsers because x-frame-options has supplanted the
-			frame busting code, but there are still many old browsers running
-			in kiosks and such.
-		 ---
-		--- Added more documentation in the Easter Egg file Mutillidae test scripts ---
-		--- Added Kevin Johnson as honorary default user ---
-		--- Added more values to default database to make SQL injection more interesting ---
-		--- Reduced the size of the header thickness to make more room ---
-		--- Greatly improved SQL Injection tutorial or at least typed a lot more stuff ---
-		--- 
-			Upgraded the Easter Egg file with more tips and tricks; mainly on
-			SQL injection
-		 ---
-	
-
-Date: 01/09/2012 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.12: ---
-	
-		--- 
-			Changed sort order for captured-data.php to descending by date so last capture 
-			floats to top
-		 ---
-		--- Added a refresh button to the captured-data.php page ---
-		--- Added all the latest pen-testing scripts to the easter egg file Mutillidae-Test-Scripts.txt ---
-		--- Improved the hints on the HTML5 Storage page ---
-		--- Oops. Fixed bug in HTML5 storage PHP page. ---
-		--- Upgraded code in process-login-attempt.php pointed out by Josep Duran ---
-		--- 
-			Fixed a bug on add-to-your-blog.php in the CSRF code which would not allow a
-			new blog to be saved. Bug found by by Josep Duran.
-		 ---
-		--- Made the table output on add-to-your-blog.php look nicer. ---
-		--- Got rid of unneeded commented out code on set-background-color.php ---
-		--- Improved output readability on dns-lookup.php ---
-		--- Improved output readability on set-background-color.php ---
-	
-
-Date: 12/27/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.11: ---
-	
-		--- 
-			Added more tools to pen-test-tool-lookup.php.
-		 ---
-		--- 
-			Added lots of HTML5 attacks to the easter egg file Mutillidae-Test-Scripts.txt
-		 ---
-		--- 
-			Added new page capture.php which captures any information sent to the page
-			in GET or POST parameters and saves them to a database table. Can be used
-			to capture cookies, session storage, local storage, or other data. The page is 
-			designed to reflect the capture cookie page used in the SANS 542 Web Application
-			Pen Testing course currently taught by Kevin Johnson of SecureIdeas.
-			
-			This page is designed to capture any parameters sent and store them in a file 
-			and a database table. It loops through the POST and GET parameters and records 
-			them to a file named captured-data.txt. On Windows system, the file should be 
-			found at C:/xampp/htdocs/mutillidae/captured-data.txt. The page also tries to 
-			store the captured data in a database table named captured_data. There is 
-			another page named captured-data.php that attempts to list the contents of 
-			this table.
-		 ---
-		--- 
-			Added new page captured-data.php which displays data captured by page
-			capture.php. In true Mutillidae fashion, this page is as vulnerable as
-			all the others. Try hacking the hacker by sending SQL injections and XSS
-			to the capture.php.
-		 ---
-		--- 
-			Changed includes for database configuration to require_once so that
-			some pages can stand alone or work with index.php
-		 ---
-		--- Added a new table to the database called captured_data ---
-		--- Added better comments to index.php ---
-		--- Added data capture pages to menu under "Other" ---
-		--- 
-			Added detailed tutorials to the HTML5 storage page and the pen-test-tools.php
-			page showing how to pen-test and exploit HTML5 storage and perform JSON
-			injections. To see the new hints sections browse to the pages and click
-			the hints button. The hints show at the bottom of the page.
-			The HINTS button is on the menu at the top of the screen.
-		 ---
-	
-
-Date: 12/17/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.10: ---
-	
-		--- 
-			Added menu item for the BACK buttons that are on all the pages. They are
-			injectable to cause XSS. The menu item is located under OWASP Top 10 --&gt;
-			A2 - Cross Site Scripting (XSS) --&gt; Via HTTP Headers --&gt; Those BACK Buttons.
-			Any page will do. I just picked one at random.
-		 ---
-		--- 
-			Corrected some errors in the HTML5 storage hints. You have to enable HINTS level 1
-			to see the hints. The HINTS button is on the menu at the top of the screen.
-		 ---
-		--- 
-			Renamed setupreset.php to set-up-database.php
-		 ---
-		--- Fixed a nasty bug in view someones blog where the dropdown was missing names of bloggers ---
-		--- Fixed a minor formatting bug in html5-storage.php ---
-		--- Adjusted the graphics on the home page ---
-		--- 
-			Added a new page pen-test-tool-lookup.php. This page is vulnerable to JSON injection.
-			A large tutorial was added as well showing how to perform JavaScript XSS injection
-			into the JSON data so that the XSS executes.
-			To see the tutorial, click the HINTS button. As an exercise, the user is encouraged
-			to perform a JSON string injection and an HTML injection after learning how to
-			perform the XSS injection. The JSON has been carefully designed to make it relatively
-			easier to get the JSON injection to work. JSON injection can be somewhat tricky 
-			if a user has not tried it before and/or does not use JSON in web applications.
-			The HINTS button is on the menu at the top of the screen.
-			The page is also vulnerable to SQL injection, HTML injection, 
-			and JSON string injection in addition to XSS.
-		 ---
-		--- 
-			The next step will be to add defenses to pen-test-tool-lookup.php. There will
-			be a level 1 defense and a level 5 defense. The level 1 will just be
-			JavaScript validation. Level 5 defense will be more robust and
-			hopefully difficult to defeat. This will be release 2.1.11 or later.
-		 ---
-	
-
-Date: 12/16/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.9: ---
-	
-		--- 
-			Added a large cross site request forgery tutorial. To access the tutorial, the HINTS
-			have to be on level 2.
-		 ---
-		--- 
-			Adding better formatting to the Cross Site Scripting Tutorial
-		 ---
-		--- 
-			Updated the menu to point the user to two pages which are vulnerale to CSRF
-		 ---
-	
-
-Date: 12/15/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.8: ---
-	
-		--- 
-			Bug fix: The links on the front home page were absolute instead of
-			relative. This was not an issue in XAMPP installations but caused
-			an issue when installed on Samurai because Samurai uses
-			http://mutillidae as Mutillidae's URL while XAMPP just uses
-			http://localhost. The links should have been relative anyway.
-		 ---
-	
-
-Date: 11/26/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.7: ---
-	
-		--- 
-			Added a new page for HTML5 storage. The page is meant to show how to both use 
-			and attack HTML5 storage. The page supports Local and Session storage types.
-			The user can attack the storage in two contexts. They can act as if they want 
-			to read to contents of their own browsers session storage to see if the 
-			developer put authorization tokens or other items into the storage.
-			They can also try to use XSS to steal the session storage. In this use-case
-			the user would be acting as if they wanted to read someone elses storage.
-			A large number of hints has been added to the page. The page name is 
-			"html5-storage.php" and can be accessed from the Cross Site Scripting menu
-			and information leakage menu. In security level zero, the page has no defenses.
-			In level 1, the page will use trivial JavaScript validation. In security level 5,
-			the page will refuse to put the secrets in client side storage.
-		 ---
-	
-
-Date: 11/13/2011 Author: Jeremy Druin / Kenny Kurtz ---
-
-	--- Change Log for Mutillidae 2.1.6: ---
-	
-		--- 
-			Enhanced the .htaccess file to automatically disable magic quotes on systems 
-			which enable them by default (such as some OSX versions of PHP)
-		 ---
-		--- 
-			Fixed some bugs in the phpinfo.php file that made the page display weird.
-		 ---
-		--- 
-			Enhanced the hidden PHPINFO page so that it would work if the user
-			browsed to http://localhost/mutillidae/index.php?page=phpinfo.php
-			or to http://localhost/mutillidae/phpinfo.php. This example assumes
-			Mutillidae is running on localhost.
-		 ---
-		--- 
-			Fixed a bug in index.php that kept the log-visit page from being included.
-		 ---
-		--- 
-			Fixed a bug in log-visit.php that kept the page from working.
-		 ---
-		--- 
-			Fixed installation instructions format for IE 8 not in compatibility mode.
-		 --- 
-	
-
-Date: 11/10/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.5: ---
-	
-		--- Added vuln to login sequence. Now a cookie is created with username. Students should try to XSS 
-		the cookie and see what happens. Also try a response splitting attack because a cookie is an HTTP 
-		header.
-		 ---
-		--- Created new twitter feed to make Mutillidae announcements
-		 and other web vulnerability tweaks. @webpwnized
-		 ---
-		--- 
-			Fixed installation instructions format for IE 8 not in compatibility mode
-		 --- 
-	
-
-Date: 10/14/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.4: ---
-	
-		--- Moved usage instructions and php errors from the home page to their own pages. ---
-		--- In insecure mode, changed the method of the user-info.php page to GET in order to make it easier
-			to use sqlmap against Mutillidae. sqlmap supports POST but it is easier to use with
-			GET.
-		 ---
-		--- Added hints about sqlmap to sql injection tutorial and to the easter egg file ---
-		--- Added a credit card table as a target in the database ---
-		--- Confirmed that the view-blog table can be attacked with sqlmap. The answer is in the Easter Egg file. ---
-		--- Updated the SQL injection tutorial file ---
-	
-
-Date: 10/13/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.3: ---
-	
-		--- 
-			Fix a bug. If the user was on the home page, without having clicked any
-			link to this point (such as when using a bookmark), then the user clicked the 
-			"change security level", the page would redirect to page not found.
-		 ---
-		--- Increased the slide time for the ddsmoothmenu to make it slow down a little bit ---
-		--- Added a NEW vulnerability. Many sites have crazy pages that show server settings, expose
-			admin functionality, allow configuration, or other features a user should not be able to 
-			see. The problem is not the pages themselves so much as the fact that developers think
-			no one will guess the name and browse to them. Shoulder surfing, guessing, brute-forcing, etc
-			can be used to find these pages. Mutillidae now has such a page. It is in the 
-			"Server Misconfiguration" category. See secret-administrative-pages.php for hints.
-		 ---
-		--- Augmented the installation instructions ---
-		--- Added link to ihackcharities to front page ---
-	
-
-Date: 09/25/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.2: ---
-	
-		--- 
-			Added a new security level. Now there is security level 1. The only difference
-			in this release between level 0 and level 1 is that level 1 has JS validation.
-			The JS validation has been in place for a while to allow but was activated in
-			level 0. Since level 0 is supposed to be very easy, the decision was made
-			to create level 1 and move JS validation to level 1. The JS validation is
-			trivial to bypass. Simply disable JS or use a proxy such as Tamper Data,
-			Paros, Burp, WebScarab, or others.
-		 ---
-		--- Page homenotes.php has been merged with home.php. ---
-		--- Page home.html has been renamed home.php ---
-		--- Added protection for SQL injection to add to your blog.php output of the 
-			current users blog entries. Prior to this patch, you could SQL inject 
-			in security level 5 by putting your injection in the current users
-			login name because the query uses the current users login name as the input
-			to the query.
-		 ---
-		--- Improved the DNS lookup page to add JS validation in security level 1 mode. ---
-		--- Changed padding for BACK button to use styles rather than HTML BR tags. ---
-		--- Changed the password generator password length to 15 to set a better
-			example. ---
-		--- Some refactoring on user-info.php and login.php to clean up code ---
-	
-
-Date: 09/16/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.1.1: ---
-	
-		--- 
-			Added CSRF Protection to page add to your blog. This only works in secure
-			mode.
-		 ---
-		--- Added more scripts to the easter egg file (Mutillidae Test Scripts) ---
-		--- Bug fix: The setupandreset.php errors were not printing out. ---
-		--- Stupid bug fix: Removed the "open DB" that was firing before the database was actually created. ---
-		--- Created output on page setupandreset.php to show what happened ---
-		--- Added try/catch and more error handling to setupandreset.php ---
-	
-
-Date: 08/31/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.1.0: ---
-	
-		--- 
-			Fixed error on page add to your blog. Input user was not escaped or encoded in secure mode.
-		 ---
-		--- 
-			Major change. The MYSQL connection has been changed from procedure mysql_ functions to using
-			object oriented instances from the class mysqli. mysqli became available in PHP 5.3.0
-			and is brand new to Mutillidae. There is a high chance of error. Please let me
-			know if there are bugs found. This new class gives us many new abilities
-			including the ability to call stored procedures without using concatenation. This 
-			change affects the entire project and changes the capabilities of the project
-			which is why the minor version was updated.
-			
-			All of the database code has been ripped out and replaced from the ground up. Next will
-			be to add stored procedures and views to the database. When SQL injection is done on
-			meta data, there will be many more targets. Users will be able to steal the source code
-			from views and procs during pen tests along with dumping tables.
-		 ---
-		--- Added row number to output on add to your blog ---
-		--- Added logging for successful and failed login attempts. ---
-		--- Fixed bug in closing bold tag tokenizer on add to your blog ---
-		--- 
-			Updated page arbitrary-file-inclusion.php. 
-			Now you can practice making arbitrary system files load. The fun never ends.
-		 ---
-		--- 
-			Added SQL injection defenses to closedb.inc. This may not make much sense unless
-		you know that closedb.inc logs to the hitlog table. Part of what it logs is user agent
-		and referer which are controls by the user.
-		 ---
-		--- Create new page log-visit.php which logs each request to the server. This page
-		could be used to poison the log with XSS or SQL inject the database.
-		 ---
-		--- Fix bug on dns-lookup.php that allowed the log to be injected even in secure mode. ---
-		--- Add new page vulnerabilities.php that document the vulnearbilities on each page to help
-		users know what to try ---
-		--- Renamed home.htm to home.html for compliance with convention ---
-		--- Reconfigured index.php to open database as late as possible ---
-		--- Refactored opendb.inc to use standard error handling like rest of site. Page
-		size is much smaller as a result ---
-		--- Added a new XSS vulnerability to page user-info.php. This can be exploited by inputing scripts
-		into the username field. ---
-		--- Added row count output to the show-log.php page ---
-		--- Fixed back button so it doesnt span entire width of the page ---
-		--- Added error output to page register.php. In insecure mode, the user can get a lot
-		of information about the insert. In secure mode, we keep that to ourselves. ---				 
-	
-
-Date: 08/19/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.13: ---
-	
-		--- 
-			Added a new page called password-generator that allowed the user to practice HTML injection,
-			cross site scripting, and JavaScript injection. The page is primarily intended
-			to practice the JS injection in as easy a way as possible.
-		 ---
-	
-
-Date: 07/24/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.12: ---
-	
-		--- 
-			Changed the label of the link to "Cross Site Framing" to "Click-Jacking"			
-		 ---
-		--- 
-			Created a new page to frame the Mutillidae site so we can practice
-			Cross-Site Framing. Added a menu item under 
-			Other --&gt; Information Leakage --&gt; Cross-Site Framing.
-			In secure mode, Mutillidae does not allow itself to be framed by
-			third party sites. Enjoy.
-		 ---
-		--- 
-			Created a new menu path for "Missing HTTPOnly Attribute" because
-			it doesn't really fit directly into a XSS exploit. It is a 
-			misconfiguration that leads to an exploit.
-		--- 
-			Created a new page to talk about the site footer displaying the
-			user agent string. The new page includes hints.
-		 ---
-		--- Refactored footer.php to remove database closing code. This code is in index.php now. ---
-		--- 
-		Added new vulnerability for remote file inclusion. 
-		Access via "A4 - Insecure Direct Object References" --&gt; "Arbitrary File Incusion".
-		Enjoy!
-		 ---
-	
-
-Date: 07/17/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.11: ---
-	
-		--- 
-			Oops! Fixed a bug in the secure code which (ironically) did not 
-			stop the command injection as long as the attacker chained the attack
-			with a validly formed IPV4 address. I forgot to put the starts-with
-			and ends-with symbols on the RegEx.
-		 ---
-		--- 
-			Added IPV6 pattern as a valid pattern on page dns-lookup.php. The 
-			page will accept IPV6, IPV4, or Domain Name.
-		 ---
-		--- Made some cosmetic improvements to the dns-lookup.php page ---
-		--- 
-			Added a whole new batch of fun. Mutillidae now supports (and defends)
-			against Cascading Style Injection. Enjoy.
-		 ---
-	
-
-Date: 07/09/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.10: ---
-	
-		--- Added new vulnerability HTTP Parameter Pollution on page user-poll.php ---
-		--- 
-			Added defense for JavaScript injection in the "Back" buttons.
-			In secure mode, Mutillidae will encode the HTTP Referer header using
-			JavaScript encoding
-		 ---
-	
-
-Date: 06/21/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.9.1: ---
-	
-		--- Added new menu items under SQLi for SQLi Insert Injection ---
-		--- Added new menu item for documentation ---
-		--- Moved constants into constants.php file ---
-		--- Patched tabbing in home.htm ---
-		--- Added additional instructions on supressing PHP errors with XamppLite. Thanks to Miguel 
-		Wherner for the tip. ---
-		--- Added more hints to command injection page ---
-		--- Updated the Easter egg file ---
-		--- Added "Bookmark This Site" button to the resources tab in the menu ---
-		--- Added lots more default users ---
-		--- 
-			Added a stored procedure for users to attempt to extract the source
-			code using SQL injection
-		 ---
-		--- Added a stored procedure to support logins so we can start
-		to put real security into this thing. ---
-		--- Added new article "How to Access Mutillidae over Virtual Box Host Only Network" ---
-		--- Introduced a new vulnerability: JavaScript Injection ---		
-	
-
-Date: 06/15/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.8: ---
-	
-		--- 
-			Added more comments to the code to explain how defenses work ---
-		--- 
-		Added support for the &lt;u&gt;&lt;/u&gt; tag to the blog. In secure mode Mutillidae will allow this tag
-		but still safely encode output and stop XSS. ---
-		--- 
-		Added JavaScript filtering to prevent single quotes from being entered in blog entries. This give practice 
-		bypassing JavaScript "security" and helps the user understand JavaScript cannot provide security.
-		 ---
-		--- 
-			Added lots of JS filtering to login.php. Nearly all characters are filtered. Users are encouraged
-			to understand that JavaScript and filtering are useless for security.
-		 --- 
-		--- Added autofocus to login.php and add-to-blog.php ---
-		--- 
-			Added more "allowed dangerous HTML tags" to the blog. Until now only the bold HTML tag was supported. Also
-			the output was not HTML5 compliant. For example, if the user entered a bold tag, then a bold tag was output
-			however the bold tag is depreciated. Styles must be used. So Mutillidae allows the user to input
-			a bold tag but will correctly encode this as a sytle upon output. The italic tag is now supported
-			as a dangerous input which is safely output without fear of Cross Site Scripting. These defenses
-			only operate in secure mode of course. In insecure mode, the site allows any input and simply outputs
-			whatever is input without any encoding.
-		 ---
-		--- 
-			Changed menu for OWASP A1 - Injection to differentiate between SQL, HTML, and Command Injection. This should make
-			it more clear which pages exhibit vulnerabilities with the specific injecton sub-types. Also added new link for 
-			Blind SQL Injection.
-		 ---
-		--- 
-			Changed menu for OWASP A2 - Cross Site Scripting to differentiate between XSS coming in via user supplied fields 
-			(GET/POST) and values within HTTP Request Headers.
-		 ---
-		--- 
-			Added tutorials feature.
-		 ---
-		--- Added SQL Injection Totorial ---
-		--- Added Cross Site Scripting tutorial ---
-		--- Added Command Injection tutorial ---		
-		--- 
-			Added new feature. Hints can now be at different levels. Each time the user clicks Hints, the level increases by 1 until rolling over.
-		 ---
-		--- Removed the installation instructions from the home page. A new page for instructions is created and linked from the menu.
-		--- 
-			Augmented the installation instructions to include running from Samurai, creating a custom ISO, installing 
-			to XAMPP, and running in virutal machines.
-		 ---
-		--- Reformatted install instructions and main home page to be compliant with HTML 5 ---
-	
-
-Date: 05/20/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.7: ---
-	
-		--- 
-			Added a new page rene-magritte.php to explore click-jacking.
-			
-			In secure mode, Mutillidae will send the X-FRAME-OPTIONS: DENY
-			header. In modern browsers, this will cause the browser to throw an
-			error rather than allow the page rene-magritte.php to be framed.
-		 ---
-		--- 
-			Added a resources link to the main menu. Links are to information
-			or tools that can help with testing Mutillidae.
-		 ---
-		--- 
-			Added new class LogHandler to take over logging. Previously
-			logging statements has to be copied to each spot that logging
-			was needed. With the new class, logging requires only one
-			line of code and the logger automatically logs based on the 
-			current security level. If in insecure mode, no attempt
-			to stop XSS or SQLi is made.
-			
-			With the new class, many less lines of code are needed and many
-			more places log. With more places logging, there is a much better
-			chance of finding a log exploit and taking advantage (insecure mode).
-			
-			Logging added to pages: add-to-your-blog, dns-lookup, text-file-viewer,
-			source-viewer.php, register.php, redirectandlog.php, and user-info.php
-		 ---
-		--- 
-			Added more default users to initial setup to give more targets.
-		 ---
-	
-
-Date: 05/10/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.6: ---
-	
-		--- 
-			Added a new security vulnerability and counteracting secure code.
-			The "business requirements" for the add-new-blog-entry page 
-			now require users to be able to enter a bold tag
-			in their blog.
-
-			In secure mode, Mutillidae allows this functionality while still 
-			protecting the users from mallicous injection input.
-		 ---
-		--- 
-			A new secret page has been added. There are lots of test scripts
-			that the developers used to hack Mutillidae inside. It will be very hard
-			to guess the name of the file but there are plenty of vulns
-			that will allow users to locate and open the file.
-		 ---
-	
-
-Date: 04/22/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.6: ---
-	
-		--- 
-			Added a new security vulnerability and counteracting secure code.
-			Cookies are unprotected in insecure mode, but in secure mode, the
-			cookies will have the HTTPOnly attribute applied to them.
-			
-			In reality this vulnerability was always in Mutillidae since ignoring
-			the issue opens the vulnerability (the ability for scripts to access the
-			cookie values). The change is acknowleging this issue and adding the 
-			defense. 
-			
-			Once we get an SSL certificate installed, the next logical step will be to 
-			add the "Secure" attribute to cookies in secure mode, but to not
-			add this attribute in insecure mode. 
-		 ---
-		--- 
-			Added the X-FRAME-OPTIONS: DENY click-jacking defense in secure mode.
-			In insecure mode, the site does nothing and ignores the issue entirely.
-			This defense only works in newer browsers and javascript framebusters are
-			needed to help older browsers.
-		 ---
-		--- Added insecure comments vulnerability and defense. Some developers use 
-			HTML or JavaScript comments instead of using the frameworks comments 
-			(ASP.NET, Java, PHP, Etc.)
-		 ---
-		--- Rearranged instructions on home page to emphasize the PHP.ini 
-			configuration changes that are needed to get rid of errors.
-		 ---
-		--- Rewrote opendb.inc to have error trapping and custom
-			error handling. If there is an error, there will be some diagnistic
-			information available.
-		 ---
-	
-
-Date: 04/14/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.5: ---
-	
-		--- 
-			browser-info.php - Patched a bug which disabled entire page if the 
-			whois server is not reachable. Now only that one line will be disabled.
-			Also replaced Windows style file path slashes with Unix style. Either 
-			slash will work in Windows but Linux only accepts the Unix style
-			path else throws an error.
-		 ---
-	
-
-Date: 04/13/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.4: ---
-	
-		--- 
-			user-info.php - Added XSS defenses to the output so that users cannot poison 
-			their username, password or signature to cause XSS.
-			This only works in secure code.
-		 ---
-		--- 
-			register.php - Added XSS defenses to the output so that users cannot poison 
-			their username to cause XSS. This only works in secure code.
-		 ---
-		--- 
-			header.php - Added link to this changelog. Changed style of upper header to 
-			allow more space for logged in user text. In very small screens, the text was 
-			overlapping. Also, the size of the mascot image was reduced to give the user 
-			more screen space.
-		 ---
-		--- change-log.php - Added new XSS vulnerability for users to try.
-	
-
-Date: 03/30/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.3: ---
-	
-		--- index.php - Added PHP version detection and altered forms caching defenses and 
-			server header information defenses to use header_remove() only if the version
-			of PHP is at 5.3 or above. Made version string variable that contains whatever
-			version string is for Mutillidae plus "nice" output. Samurai is going through
-			a PHP version change to 5.3 right now and XAMPP just went through the same change.
-			This code is meant to bridge users caught between versions.
-		 ---
-		--- 
-			header.php - Made version output simpler. header.php only outputs the header
-			string.
-		 ---
-		--- 
-			footer.php - Added PHP version to footer output in insecure mode. In secure mode, server version is not shown.
-		 ---
-	
-
-Date: 03/25/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.2 Beta:<br>
-	<br>
-	Whole site ---
-	
-		--- Made local relative links without leading dot ---
-		--- Installed on Samurai 0.95 for testing. Found that Samurai doesnt like the leading dot in local file paths. Those were removed from the index.php page. ---
-		--- Made version a variable in index.php to make updating version string easier ---
-		--- Added new forms caching information leakage vulnerability ---
-		--- Added new vulnerability for X-Powered-By and discussed removing the Server HTTP header in comments ---
-	
-
-Date: 03/23/2011 Author: Jeremy Druin ---
-
-
-	--- Change Log for Mutillidae 2.0.1 Beta:<br>
-	<br>
-	Whole site ---
-	
-		--- Replaced root relative links with local relative links to allow more freedom in root folder name ---
-		--- Added email address for Jeremy ---
-		--- Added change log to site ---
-		--- Added Toggle Hints into core menu but link disappears in secure mode ---
-		--- Added new failure to restrict URL access vuln ---
-	
-
-Date: 03/23/2011 Author: Jeremy Druin ---
-
-	--- Change Log for Mutillidae 2.0 Beta:<br>
-	<br>
-	Whole site ---
-	
-		--- Site implements the OWASP ESAPI API for PHP including showing how to 
-		instantiate classes and call methods for output encoding. ---
-		--- Site now allows user to switch between secure and insecure mode to 
-		allow the user to employ an attack then try the same attack against more 
-		secure code ---
-		--- All code for both modes of operation are available for inspection 
-		and include large amounts of explanation comments for both the insecure 
-		and secure sections. Code is commented in such a way to help developers 
-		understand the security concepts as opposed to only seeing the PHP 
-		implementation ---
-		--- Added custom error handling to site which reacts differently 
-		depending on security mode ---
-		--- Site has larger hint sections with more hints included ---
-		--- Added menuing system for easier navigation ---
-		--- Added toolbar at top of each page for critical functions (hints, 
-		security mode, home page, etc.) ---
-		--- Converted styles to CSS ---
-		--- Collected images into single folder ---
-		--- Added links to helpful tools and sites with more information: OWASP, 
-		Toad for PHP, Eclipse PDT, Samurai WTF, and Backtrack 4 R2 ---
-		--- Released new web interface design and navigation for each page ---
-		--- Installed TRY/CATCH handling in all pages ---
-	
-	--- add-to-your-blog.php  ---
-	
-		--- additional reflected XSS vuln added ---
-		--- SQLi vector added ---
-		--- additional stored XSS vuln added ---
-		--- demonstrates output encoding ---
-		--- demonstrates SQLi prevention ---
-		--- non-input box attack vector added ---
-	
-	--- browser-info.php ---
-	
-		--- demonstrates safer JavaScript ---
-		--- created ClientInformationHandler class to gather client information ---
-		--- demonstrates output encoding ---
-		--- added JavaScript attack vector using innerHTML ---
-	
-	--- credits.php ---
-	
-		--- added Insecure Direct Object Reference defenses ---
-	
-	--- dns-lookup.php ---
-	
-		--- In secure mode, added strong server-side validation for page. Page 
-		allows both ip based and DNS name based attacks and includes defenses 
-		for both. ---
-	
-	--- footer.php ---
-	
-		--- added new attack vector to allow refelected XSS via HTTP headers ---
-		--- added defenses for input coming from HTTP headers ---
-		--- added comments encouraging developers to treat ALL input as evil and 
-		not just the input boxes they created ---
-	
-	--- header.php ---
-	
-		--- Replaced menu with mouseover navagation and updated menu with new 
-		attacks ---
-		--- Added new stored cross site scripting attacks and defenses ---
-		--- Added code to allow site to ignore user created cookies in secure 
-		mode and react to user created cookies in insecure mode ---
-	
-	--- home.html ---
-	
-		--- Added instructions ---
-		--- Added warning about PHP.ini files that come with new XAMPP/PHP 
-		versions 5.3 and 6.0 (future) ---
-	
-	--- homenotes.php ---
-	
-		--- Created newly formatted hints section ---
-	
-	--- index.php ---
-	
-		--- Created new processing framework ---
-		--- Added the ability to use session storage ---
-		--- Installed initialization code ---
-	
-	--- login.php ---
-	
-		--- added HTML maxlength to allow practice of circumventing trivial and 
-		useless HTML based defenses ---
-		--- Added detection of whether user is currently logged in with new 
-		funcitonality. Site will auto-detect when users are logged in and change 
-		links appropriately ---
-		--- Added new reflected XSS vector ---
-	
-	--- process-commands.php ---
-	
-		--- new file which collects all "do" commands together ---
-		--- installed several new attack vectors and defenses based on the "do" 
-		commands ---
-	
-	--- redirectandlog.php ---
-	
-		--- Created new HTTP parameter pollution attack ---
-		--- Installed advanced mapping defences with validation ---
-		--- Installed strong validation defenses ---
-	
-	--- register.php ---
-	
-		--- installed SQLi and XSS defenses ---
-		--- reformatted page with new design and error feedback ---
-	
-	--- show-log.php ---
-	
-		--- installed DOS defenses ---
-		--- added DOS attack vector ---
-		--- installed tabular output ---
-		--- added defenses for injection attacks and XSS ---
-		--- added attack vector against log ---
-	
-	--- source-viewer.php/text-viewer.php ---
-	
-		--- Added/augmented attack vectors ---
-		--- Added new attack vectors to allow loading of local server files ---
-		--- Filename injection (Insecure Direct Object Reference) ---
-		--- SQL Injection, (Fix: Use Schematized Stored Procedures) ---
-		--- Cross Site Scripting, (Fix: Encode all output) ---
-		--- Cross Site Request Forgery, (Fix: Tokenize transactions) ---
-		--- Insecure Direct Object Reference, (Fix: Tokenize Object References) ---
-		--- Denial of Service, (Fix: Truncate Log Queries) ---
-		--- Loading of Local Files, (Fix: Tokenize Object Reference - Filename 
-		references in this case) ---
-		--- Improper Error Handling, (Fix: Employ custom error handler) ---
-		--- SQL Exception, (Fix: Employ custom error handler) ---
-		--- HTTP Parameter Pollution (Fix: Scope request variables) ---
-		--- Added mapping defenses ---
-	
-	--- user-info.php ---
-	
-		--- added SQL and XSS defenses ---
-		--- added tabular output ---
-	
-	--- view-someones-blog.php ---
-	
-		--- installed SQLi and XSS defenses ---
-		--- installed trivial and useless "tokens" to allow user to bypass HTML 
-		code which intends to confuse instead of defend. ---
-	
-
diff --git a/documentation/usage-instructions.php b/documentation/usage-instructions.php
index 45705cb..0cb5898 100644
--- a/documentation/usage-instructions.php
+++ b/documentation/usage-instructions.php
@@ -80,9 +80,8 @@
 			<span class="label">Home:</span> Takes user to Home page<br/>
 			<span class="label">Login/Register:</span> Takes user to Login page<br/>
 			<span class="label">Toggle Hints:</span> Shows or hides the Hints on vulnerable pages<br/>
-			<span class="label">Show Popup Hints:</span> Shows the popup hints over vulnerable areas of pages<br/>
 			<span class="label">Toggle Security:</span> Changes the security level between insecure, client-side security and secure<br/>
-			<span class="label">Enforce SSL:</span> When enforced, Mutillidae automatically redirects all HTTP requests to HTTPS<br/>
+			<span class="label">Enforce TLS:</span> When enforced, Mutillidae automatically redirects all HTTP requests to HTTPS<br/>
 			<span class="label">Reset DB:</span> Drops and rebuilds all database tables and resets the project<br/>
 			<span class="label">View Log:</span> Takes the user to view the log<br/>
 			<span class="label">View Captured Data:</span> Takes the user to the view the captured data<br/>
@@ -136,12 +135,6 @@
 			description of the vulnerabilities on the page for which the user should try exploits.
 			Use this button to get a quick list of issues. Use the Hints to see more details.
 			<br/><br/><br/>
-			<span class="report-header">Bubble Hints</span>
-			<br/><br/>
-			If the 
-			"Bubble Hints" are enabled (top menu bar), some of the vulnerable locations will have bubble
-			hints pop up when the user hovers the mouse over the vulnerable field or area. 
-			<br/><br/><br/>
 			<span class="report-header">Just give me the exploit</span>
 			<br/><br/>
 			Hints will typically provide some exploits. 
diff --git a/documentation/vulnerabilities.php b/documentation/vulnerabilities.php
index 19e67f0..7ada905 100755
--- a/documentation/vulnerabilities.php
+++ b/documentation/vulnerabilities.php
@@ -560,7 +560,7 @@
 <div style="padding-left: 40px;">
 	<ul>
 		<li>
-			Discusses SSL downgrade attack due to a vulnerability in the site globally.
+			Discusses TLS downgrade attack due to a vulnerability in the site globally.
 			No known vulnerabilities on the page itself.
 		</li>
 	</ul>
diff --git a/echo.php b/echo.php
index 76da7e5..b938201 100755
--- a/echo.php
+++ b/echo.php
@@ -50,33 +50,17 @@
 				$lMessageText = $lMessage; 		//allow XSS by not encoding output	    		
 	    	}//end if
 	    	
-		}// end if $lFormSubmitted    	
-    	
-		try{
-    		$lOSCommandInjectionPointBallonTip = $BubbleHintHandler->getHint("OSCommandInjectionPoint");
-       		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-		} catch (Exception $e) {
-			echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-		}// end try
-    		    	    	
+		}// end if $lFormSubmitted
+
 	}catch(Exception $e){
-		echo $CustomErrorHandler->FormatError($e, "Error setting up configuration on page echo.php");
-	}// end try	
+        echo $CustomErrorHandler->FormatError($e, "Error setting up configuration on page html5-storage.php");
+    }// end try	
 ?>
 
 <div class="page-title"><span style="font-size: 18pt;">Echo</span>, <span style="font-size: 16pt;">Echo</span>, <span style="font-size: 14pt;">Echo</span>...</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
 <?php include_once (__ROOT__.'/includes/hints/hints-menu-wrapper.inc'); ?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[OSCommandInjectionPoint]').attr("title", "<?php echo $lOSCommandInjectionPointBallonTip; ?>");
-		$('[OSCommandInjectionPoint]').balloon();
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
     
 <!-- BEGIN HTML OUTPUT  -->
 <script type="text/javascript">
@@ -125,7 +109,7 @@
 			<td>
 				<input 	type="text" id="idMessageInput" name="message" size="20" 
 						autofocus="autofocus"
-						OSCommandInjectionPoint="1"
+						
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="20" required="required"');
@@ -149,7 +133,7 @@
 /* Output results of shell command sent to operating system */
 if ($lFormSubmitted){
 	    try{
-	        echo '<div class="report-header" ReflectedXSSExecutionPoint="1">Results for '.$lMessageText.'</div>';
+	        echo '<div class="report-header">Results for '.$lMessageText.'</div>';
 	        
 	        if ($lProtectAgainstCommandInjection) {
 	            echo '<pre class="report-header" style="text-align:left;">'.$lMessage.'</pre>';
diff --git a/edit-account-profile.php b/edit-account-profile.php
index 019173c..c79b86a 100755
--- a/edit-account-profile.php
+++ b/edit-account-profile.php
@@ -202,25 +202,6 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 //-->
 </script>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lHTMLandXSSandSQLInjectionPointBalloonTip = $BubbleHintHandler->getHint("HTMLandXSSandSQLInjectionPoint");
-   		$lSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("SQLInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[HTMLandXSSandSQLInjectionPoint]').attr("title", "<?php echo $lHTMLandXSSandSQLInjectionPointBalloonTip; ?>");
-		$('[HTMLandXSSandSQLInjectionPoint]').balloon();
-		$('[SQLInjectionPoint]').attr("title", "<?php echo $lSQLInjectionPointBallonTip; ?>");
-		$('[SQLInjectionPoint]').balloon();	
-	});
-</script>
-
 <span>
 	<a style="text-decoration: none; cursor: pointer;" href="./webservices/rest/ws-user-account.php">
 		<img style="vertical-align: middle;" src="./images/ajax_logo-75-79.jpg" height="75px" width="78px" />
@@ -242,7 +223,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Username</td>
 				<td>
-					<input HTMLandXSSandSQLInjectionPoint="1" type="text" name="username" size="15" autofocus="autofocus"
+					<input type="text" name="username" size="15" autofocus="autofocus"
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="15" required="required"');
@@ -255,7 +236,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Password</td>
 				<td>
-					<input SQLInjectionPoint="1" type="password" name="password" size="15" 
+					<input type="password" name="password" size="15" 
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="15" required="required"');
@@ -270,7 +251,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Confirm Password</td>
 				<td>
-					<input SQLInjectionPoint="1" type="password" name="confirm_password" size="15"
+					<input type="password" name="confirm_password" size="15"
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="15" required="required"');
@@ -283,7 +264,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Signature</td>
 				<td>
-					<textarea HTMLandXSSandSQLInjectionPoint="1" rows="3" cols="50" name="my_signature"
+					<textarea rows="3" cols="50" name="my_signature"
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="100" required="required"');
diff --git a/home.php b/home.php
index baf18c6..5209fca 100755
--- a/home.php
+++ b/home.php
@@ -35,65 +35,51 @@
 			</a>
 		</td>
 		<td>
-			<a href="documentation/change-log.txt" target="_blank">
-				<img alt="See the latest vulnerabilities in Mutillidae" align="middle" src="./images/new-icon-48-48.png" />
-				What's New? Click Here
-			</a>
+			<?php include_once './includes/help-button.inc';?>
 		</td>
 	</tr>
 	<tr><td>&nbsp;</td></tr>
 	<tr>
-		<td>
-			<?php include_once './includes/help-button.inc';?>
-		</td>
 		<td>
 			<a href="./index.php?page=./documentation/vulnerabilities.php">
 				<img alt="Help" align="middle" src="./images/siren-48-48.png" />
 				Listing of vulnerabilities
 			</a>
 		</td>
-	</tr>
-	<tr><td>&nbsp;</td></tr>
-	<tr>
 		<td>
 			<a href="http://www.youtube.com/user/webpwnized" target="_blank">
 			<img align="middle" alt="Webpwnized YouTube Channel" src="./images/youtube-play-icon-40-40.png" />
 				Video Tutorials
 			</a>
 		</td>
+	</tr>
+	<tr><td>&nbsp;</td></tr>
+	<tr>
+
 		<td>
 			<a href="https://twitter.com/webpwnized" target="_blank">
 				<img align="middle" alt="Webpwnized Twitter Channel" src="./images/twitter-bird-48-48.png" />
 				Release Announcements
 			</a>
 		</td>
-	</tr>
-	<tr><td>&nbsp;</td></tr>
-	<tr>
 		<td class="label" title="Latest Version">
 			<img alt="Latest Version" align="middle" src="./images/installation-icon-48-48.png" />
 			<a title="Latest Version" href="https://github.com/webpwnized/mutillidae" target="_blank">Latest Version</a>
 		</td>
+	</tr>
+	<tr><td>&nbsp;</td></tr>
+	<tr>
 		<td>
 			<a href="documentation/mutillidae-test-scripts.txt" target="_blank">
 				<img alt="Helpful hints and scripts" align="middle" src="./images/help-icon-48-48.png" />
 				Helpful hints and scripts
 			</a>
 		</td>
-	</tr>
-	<tr><td>&nbsp;</td></tr>
-	<tr>
 		<td>
 			<a href="https://github.com/webpwnized/mutillidae" target="_blank">
 				<img align="middle" alt="Feature Requests" src="./images/tools-icon-48-48.png" />
 				<a href="https://addons.mozilla.org/en-US/firefox/collections/jdruin/pro-web-developer-qa-pack/" target="_blank">Some Useful Firefox Add-ons</a>
 			</a>
 		</td>
-		<td>
-			<a href="" onclick="alert('The email account is webpwnized. Its a gmail account.');">
-				<img alt="Help" align="middle" src="./images/mail-icon-48-48.png" />
-				Bug Report Email Address 
-			</a>
-		</td>
 	</tr>
 </table>
diff --git a/html5-storage.php b/html5-storage.php
index 88e0293..c28b955 100755
--- a/html5-storage.php
+++ b/html5-storage.php
@@ -29,22 +29,6 @@
 		echo "<script type=\"text/javascript\" src=\"javascript/html5-secrets.js\"></script>";		
 	}// end if
 ?>
-		   	
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lDOMXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("DOMXSSExecutionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[DOMXSSExecutionPoint]').attr("title", "<?php echo $lDOMXSSExecutionPointBallonTip; ?>");
-		$('[DOMXSSExecutionPoint]').balloon();
-	});
-</script>
 
 <div class="page-title">HTML 5 Storage</div>
 
@@ -234,7 +218,7 @@ class="button"
 		</tr>
 		<tr><td>&nbsp;</td></tr>
 		<tfoot id="idSessionStorageTableFooter">
-			<tr><th colspan="5"><span id="idAddItemMessageSpan" DOMXSSExecutionPoint="1"></span></th></tr>
+			<tr><th colspan="5"><span id="idAddItemMessageSpan"></span></th></tr>
 			<tr><td>&nbsp;</td></tr>
 		</tfoot>
 	</table>
diff --git a/includes/anti-framing-protection.inc b/includes/anti-framing-protection.inc
deleted file mode 100755
index 26b926e..0000000
--- a/includes/anti-framing-protection.inc
+++ /dev/null
@@ -1,14 +0,0 @@
-<?php
-   	/* ------------------------------------------
-    * ANTI-CLICK-JACKING (Older Browsers)
-    * ------------------------------------------ */
-  	/* To prevent click-jacking and IE6 key-log-via-framing issue
-  	 * we can instruct the browser that it should not frame our site. 
- 	 * Unfortuneately only the latest browsers support this option.
-	 * There are javascript frame-buster options that work reasonably well
-	 * although the arms race continues. Use the x-frame-options as the
-	 * primary defense and include the javascript frame-buster to help
-	 * with older browsers.
-	 */
-	echo "<script type=\"text/javascript\">if(top != self) top.location.replace(location);</script>";
-?>
\ No newline at end of file
diff --git a/includes/back-button.inc b/includes/back-button.inc
index 7a5e0c2..87f0ed3 100755
--- a/includes/back-button.inc
+++ b/includes/back-button.inc
@@ -38,24 +38,9 @@
    	}// end if
 ?>
 
-<?php 
-	try{
-   		$lHTMLEventReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("HTMLEventReflectedXSSExecutionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[HTMLEventReflectedXSSExecutionPoint]').attr("title", "<?php echo $lHTMLEventReflectedXSSExecutionPointBallonTip; ?>");
-		$('[HTMLEventReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
-
 <div style="margin: 5px;">
-	<span style="font-weight: bold; margin-right: 50px;" HTMLEventReflectedXSSExecutionPoint="1">
-	<a 	onclick="document.location.href='<?php echo $lHTTPReferer; ?>';">
+	<span style="font-weight: bold; margin-right: 50px;">
+	<a id="back-button-anchor">
 		<img	src="./images/back-button-64-64.png" 
 				alt="Go Back" 
 				align="middle" 
@@ -65,4 +50,12 @@
 	</a>
 	</span>
 	<?php include_once('./includes/help-button.inc');?>	
-</div>
\ No newline at end of file
+</div>
+<script nonce="<?php echo $CSPNonce; ?>">
+    document.addEventListener('DOMContentLoaded', function () {
+        document.getElementById('back-button-anchor').addEventListener('click', 
+            function(){
+                document.location.href='<?php echo $lHTTPReferer; ?>';            
+            });
+    });
+</script>
\ No newline at end of file
diff --git a/includes/constants.php b/includes/constants.php
index f607ecd..269c9a6 100755
--- a/includes/constants.php
+++ b/includes/constants.php
@@ -3,7 +3,7 @@
 	/* ------------------------------------------
 	 * @VERSION
 	 * ------------------------------------------*/
-	$C_VERSION = "2.7.15";
+	$C_VERSION = "2.8.1";
 	$C_VERSION_STRING = "Version: " . $C_VERSION;
 	$C_MAX_HINT_LEVEL = 1;
 	
diff --git a/includes/create-html-5-web-storage-target.inc b/includes/create-html-5-web-storage-target.inc
deleted file mode 100755
index db78ad2..0000000
--- a/includes/create-html-5-web-storage-target.inc
+++ /dev/null
@@ -1,26 +0,0 @@
-<?php
-	echo "<script type=\"text/javascript\">
-			try{
-				//if(!window.localStorage.length){
-					window.localStorage.setItem(\"SelfDestructSequence1\",\"Destruct sequence 1, code 1-1A\");
-					window.localStorage.setItem(\"SelfDestructSequence2\",\"Destruct sequence 2, code 1-1A-2B\");
-					window.localStorage.setItem(\"SelfDestructSequence3\",\"Destruct sequence 3, code 1B-2B-3\");
-					window.localStorage.setItem(\"MessageOfTheDay\",\"Go Cats!\");
-					window.localStorage.setItem(\"SecureMessage\",\"Shh. Do not tell anyone.\");
-					window.localStorage.setItem(\"FYI\",\"A couple of keys are not showing in this list. Why?\");
-				//}//end if
-				//if(!window.sessionStorage.length){
-					window.sessionStorage.setItem(\"AuthorizationLevel\", \"0\");
-					window.sessionStorage.setItem(\"ChuckNorrisJoke1\",\"When Alexander Bell invented the telephone he had 3 missed calls from Chuck Norris\");
-					window.sessionStorage.setItem(\"ChuckNorrisJoke2\",\"Death once had a near-Chuck Norris experience\");
-					window.sessionStorage.setItem(\"ChuckNorrisJoke3\",\"He counted to infinity; twice\");
-					window.sessionStorage.setItem(\"ChuckNorrisJoke4\",\"Chuck Norris can slam a revolving door\");
-					window.sessionStorage.setItem(\"ChuckNorrisJoke5\",\"Chuck Norris can cut through a hot knife with butter\");
-					window.sessionStorage.setItem(\"SecureKey\", \"You cannot see me on the HTML5 Storage page. I wonder why?\");
-				//}//end if
-			}catch(e){
-				//alert(e);
-				/* Do nothing. Older browsers do not support HTML5 web storage */
-			};
-		</script>";
-?>
\ No newline at end of file
diff --git a/includes/footer.php b/includes/footer.php
index 518cadb..3e8fca3 100755
--- a/includes/footer.php
+++ b/includes/footer.php
@@ -1,66 +1,13 @@
-			<!-- End Content -->
-		</blockquote>
-			</td>
-		</tr>
-	</table>
-
-<?php 
-		   	switch ($_SESSION["security-level"]){
-		   		case "0": // This code is insecure
-		   		case "1": // This code is insecure
-		   			// DO NOTHING
-		   			$lUserAgentString = $_SERVER['HTTP_USER_AGENT'];
-					$lPHPVersion = "PHP Version: " . phpversion();
-		   		break;
-			    
-		   		case "2":
-		   		case "3":
-		   		case "4":
-		   		case "5": // This code is fairly secure
-		  			/* 
-		  			 * All information coming to the server in HTTP requests is under the 
-		  			 * complete control of the user. This includes any information normally
-		  			 * being thought of as "sent by the browser". HTTP requests are simply
-		  			 * streams of strings formatting according to HTTP specifications. Anyone
-		  			 * can format a string properly. A browser is not required. Try reading the RFC
-		  			 * for HTTP to see how to construct the strings. Check out user-agent switchers
-		  			 * like the add-on for Firefox to change only the user-agent string without
-		  			 * having to create the entire header. Try Tamper Data to get control of all
-		  			 * the HTTP headers in the request. Try netcat to create your own HTTP header 
-		  			 * from scratch. When you get really comfortable. Try sending HTTP requests 
-		  			 * via Telnet.
-		  			 * 
-		  			 * This code is secure because we escape all output according to context. This
-		  			 * information is being output to HTML so we HTML encode the information. If we
-		  			 * were outputing into JavaScript we would not use HTML encoding. We would use
-		  			 * JavaScript string encoding. There are 5 contexts to be particuarly careful about.
-		  			 * HTML, HTML attributes, JavaScript, CSS, and URL query parameters.
-		  			 */
-		   			$lUserAgentString = $Encoder->encodeForHTML($_SERVER['HTTP_USER_AGENT']);
-					$lPHPVersion = "PHP Version: Not Available (Secure mode doesn't blab the server version)";
-		   		break;
-		   	}// end switch
-?>
-		   	
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
-
-	<div style="border: 1px solid black;">
-		<div ReflectedXSSExecutionPoint="1" class="footer">Browser: <?php echo $lUserAgentString; ?></div>
-		<div class="footer"><?php echo $lPHPVersion; ?></div>
-	</div>
-</body>
+				<!-- End Content -->
+    			</td>
+    		</tr>
+    		<tr class="main-table-frame-dark">
+    			<td colspan="2">
+    				Browser: <?php echo $lUserAgentString; ?>
+    				<br/>
+    				<?php echo $lPHPVersion; ?>
+    			</td>
+    		</tr>
+    	</table>
+    </body>
 </html>
\ No newline at end of file
diff --git a/includes/header.php b/includes/header.php
index 1ce20f8..7906c79 100755
--- a/includes/header.php
+++ b/includes/header.php
@@ -3,11 +3,11 @@
 
 		switch ($_SESSION["security-level"]){
 	   		case "0": // This code is insecure
-				$logged_in_user = $_SESSION['logged_in_user'];
-	   		break;
 	   		case "1": // This code is insecure
 	   			// DO NOTHING: This is equivalent to using client side security		
 				$logged_in_user = $_SESSION['logged_in_user'];
+				$lUserAgentString = $_SERVER['HTTP_USER_AGENT'];
+				$lPHPVersion = "PHP Version: " . phpversion();
 	   		break;
 		    
 	   		case "2":
@@ -17,6 +17,8 @@
 	   			// encode the entire message following OWASP standards
 	   			// this is HTML encoding because we are outputting data into HTML
 				$logged_in_user = $Encoder->encodeForHTML($_SESSION['logged_in_user']);
+				$lUserAgentString = $Encoder->encodeForHTML($_SERVER['HTTP_USER_AGENT']);
+				$lPHPVersion = "PHP Version: Not Available (Secure mode doesn't blab the server version)";
 			break;
 	   	}// end switch		
 
@@ -31,7 +33,7 @@
 		$lAuthenticationStatusMessage = 
 			'Logged In ' . 
 			$lUserAuthorizationLevelText . ": " . 
-			'<span style="color:#990000;font-weight:bold;">'.$logged_in_user.'</span>'.
+			'<span class="logged-in-user">'.$logged_in_user.'</span>'.
 			'<a href="index.php?page=edit-account-profile.php&uid='.$lUserID.'">
             <img src="images/edit-icon-20-20.png" /></a>';
 	} else {
@@ -40,15 +42,9 @@
 	}// end if($_SESSION['loggedin'] == "True")
 
 	if ($_SESSION["EnforceSSL"] == "True"){
-		$lEnforceSSLLabel = "Drop SSL";
-	}else {
-		$lEnforceSSLLabel = "Enforce SSL";
-	}//end if
-
-	if ($BubbleHintHandler->hintsAreDispayed() == 1){
-		$lPopupHintsLabel = "Hide Popup Hints";
+		$lEnforceSSLLabel = "Drop TLS";
 	}else {
-		$lPopupHintsLabel = "Show Popup Hints";
+		$lEnforceSSLLabel = "Enforce TLS";
 	}//end if	
 	
 	$lHintsMessage = "Hints: ".$_SESSION["hints-enabled"];
@@ -70,133 +66,106 @@
 	
 	$lSecurityLevelMessage = "Security Level: ".$_SESSION["security-level"]." (".$lSecurityLevelDescription.")";
 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lCookieTamperingAffectedAreaBallonTip = $BubbleHintHandler->getHint("CookieTamperingAffectedArea"); 
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try	
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
 <html>
 <head>
-	<link rel="shortcut icon" href="./images/favicon.ico" type="image/x-icon" />	
-	<link rel="stylesheet" type="text/css" href="./styles/global-styles.css" />
-	<link rel="stylesheet" type="text/css" href="./styles/ddsmoothmenu/ddsmoothmenu.css" />
-	<link rel="stylesheet" type="text/css" href="./styles/ddsmoothmenu/ddsmoothmenu-v.css" />
-
-	<script type="text/javascript" src="./javascript/ddsmoothmenu/ddsmoothmenu.js"></script>
-	<script type="text/javascript" src="./javascript/ddsmoothmenu/jquery.min.js"></script>
-	<script type="text/javascript">
-		ddsmoothmenu.init({
-			mainmenuid: "smoothmenu1", //menu DIV id
-			orientation: 'v', //Horizontal or vertical menu: Set to "h" or "v"
-			classname: 'ddsmoothmenu', //class added to menu's outer DIV
-			//customtheme: ["#cccc44", "#cccccc"],
-			contentsource: "markup" //"markup" or ["container_id", "path_to_menu_file"]
-		});
-	</script>
-	<script type="text/javascript">
-		$(function() {
-			$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-			$('[ReflectedXSSExecutionPoint]').balloon();
-			$('[CookieTamperingAffectedArea]').attr("title", "<?php echo $lCookieTamperingAffectedAreaBallonTip; ?>");
-			$('[CookieTamperingAffectedArea]').balloon();
-		});
-	</script>
+	<link rel="shortcut icon" href="./images/favicon.ico" type="image/x-icon" />
+	
+	<link rel="stylesheet" type="text/css" href="styles/global-styles.css" />
+	<link rel="stylesheet" type="text/css" href="styles/ddsmoothmenu/ddsmoothmenu.css" />
+	<link rel="stylesheet" type="text/css" href="styles/ddsmoothmenu/ddsmoothmenu-v.css" />
+	<link rel="stylesheet" type="text/css" href="javascript/jQuery/colorbox/colorbox.css" />
+	<link rel="stylesheet" type="text/css" href="styles/gritter/jquery.gritter.css" />
+	
+	<script src="javascript/jQuery/jquery.js"></script>
+	<script src="javascript/jQuery/colorbox/jquery.colorbox-min.js"></script>
+	<script src="javascript/ddsmoothmenu/ddsmoothmenu.js"></script>
+	<script src="javascript/gritter/jquery.gritter.min.js"></script>
+	<script src="javascript/hints/hints-menu.js"></script>
+	<script src="javascript/inline-initializers/jquery-init.js"></script>
+	<script src="javascript/inline-initializers/ddsmoothmenu-init.js"></script>
+	<script src="javascript/inline-initializers/populate-web-storage.js"></script>
+	<script src="javascript/inline-initializers/gritter-init.js"></script>
+	<script src="javascript/inline-initializers/hints-menu-init.js"></script>
+	
 </head>
 <body>
-<table class="main-table-frame" border="1px" cellspacing="0px" cellpadding="0px">
-	<tr>
-		<td bgcolor="#ccccff" align="center" colspan="7">
-			<table width="100%">
-				<tr>
-					<td style="text-align:center;">
-						<span style="text-align:center; font-weight: bold; font-size:30px; text-align: center;">
-						<img style="vertical-align: middle; margin-right: 10px;" border="0px" align="top" src="images/coykillericon-50-38.png"/>
-							OWASP Mutillidae II: Keep Calm and Pwn On
-						</span>
-					</td>
-				</tr>		
-			</table>
+<table class="main-table-frame">
+	<tr class="main-table-frame-dark">
+		<td class="main-table-frame-first-bar" colspan="2">
+			<img src="images/coykillericon-50-38.png"/>
+			OWASP Mutillidae II: Keep Calm and Pwn On
 		</td>
 	</tr>
-	<tr>
-		<td bgcolor="#ccccff" align="center" colspan="7">
+	<tr class="main-table-frame-dark">
+		<td class="main-table-frame-second-bar" colspan="2">
 			<?php /* Note: $C_VERSION_STRING in index.php */ ?>
 			<span class="version-header"><?php echo $C_VERSION_STRING;?></span>
-			<span id="idSecurityLevelHeading" class="version-header" style="margin-left: 20px;"><?php echo $lSecurityLevelMessage; ?></span>
-			<span id="idHintsStatusHeading" CookieTamperingAffectedArea="1" class="version-header" style="margin-left: 20px;"><?php echo $lHintsMessage; ?></span>
-			<span id="idSystemInformationHeading" ReflectedXSSExecutionPoint="1" class="version-header" style="margin-left: 20px;"><?php echo $lAuthenticationStatusMessage ?></span>
+			<span class="version-header"><?php echo $lSecurityLevelMessage; ?></span>
+			<span class="version-header"><?php echo $lHintsMessage; ?></span>
+			<span class="version-header"><?php echo $lAuthenticationStatusMessage ?></span>
 		</td>
 	</tr>
-	<tr>
-		<td colspan="2" class="header-menu-table">
-			<table class="header-menu-table">
-				<tr>
-					<td><a href="index.php?page=home.php&popUpNotificationCode=HPH0">Home</a></td>
-					<td>|</td>
-					<td>
-						<?php
-							if ($_SESSION['loggedin'] == 'True'){
-								echo '<a href="index.php?do=logout">Logout</a>';
-							} else {
-								echo '<a href="index.php?page=login.php">Login/Register</a>';
-							}// end if
-						?>		
-					</td>
-					<td>|</td>
-					<?php 
-						if ($_SESSION['security-level'] == 0){
-							echo '<td><a href="index.php?do=toggle-hints&page='.$lPage.'">Toggle Hints</a></td><td>|</td>';
-						}// end if
-					?>
-					<td><a href="index.php?do=toggle-bubble-hints&page=<?php echo $lPage?>"><?php echo $lPopupHintsLabel; ?></a></td>
-					<td>|</td>
-					<td><a href="index.php?do=toggle-security&page=<?php echo $lPage?>">Toggle Security</a></td>
-					<td>|</td>
-					<td><a href="index.php?do=toggle-enforce-ssl&page=<?php echo $lPage?>"><?php echo $lEnforceSSLLabel; ?></a></td>
-					<td>|</td>
-					<td><a href="set-up-database.php">Reset DB</a></td>
-					<td>|</td>
-					<td><a href="index.php?page=show-log.php">View Log</a></td>
-					<td>|</td>
-					<td><a href="index.php?page=captured-data.php">View Captured Data</a></td>
-				</tr>
-			</table>	
+	<tr class="main-table-frame-third-bar">
+		<td class="main-table-frame-third-bar" colspan="2">
+			<a href="index.php?page=home.php&popUpNotificationCode=HPH0">Home</a>
+			|
+			<?php
+				if ($_SESSION['loggedin'] == 'True'){
+					echo '<a href="index.php?do=logout">Logout</a>';
+				} else {
+					echo '<a href="index.php?page=login.php">Login/Register</a>';
+				}// end if
+			?>
+			|
+			<?php 
+				if ($_SESSION['security-level'] == 0){
+					echo '<a href="index.php?do=toggle-hints&page='.$lPage.'">Toggle Hints</a>|';
+				}// end if
+			?>
+			<a href="index.php?do=toggle-security&page=<?php echo $lPage?>">Toggle Security</a>
+			|
+			<a href="index.php?do=toggle-enforce-ssl&page=<?php echo $lPage?>"><?php echo $lEnforceSSLLabel; ?></a>
+			|
+			<a href="set-up-database.php">Reset DB</a>
+			|
+			<a href="index.php?page=show-log.php">View Log</a>
+			|
+			<a href="index.php?page=captured-data.php">View Captured Data</a>
 		</td>
 	</tr>
 	<tr>
-		<td style="vertical-align:top;text-align:left;background-color:#ccccff;width:125pt;">
+		<td class="main-table-frame-left">
 			<?php require_once 'main-menu.php'; ?>
 			<div>&nbsp;</div>
-			<div class="label" style="text-align: center;">
+			<div>
 				<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
 					<input type="hidden" name="cmd" value="_s-xclick">
 					<input type="hidden" name="hosted_button_id" value="45R3YEXENU97S">
-					<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
-					<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
+					<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif" name="submit" alt="Donate Today!">
+					<img alt="" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
 				</form>
-				<span style="color: blue;">Want to Help?</span>
+				Want to Help?
 			</div>
 			<div>&nbsp;</div>
-			<div class="label" style="text-align: center;">
-				<a href="http://www.youtube.com/user/webpwnized" style="white-space:nowrap;" target="_blank">
-					<img align="middle" alt="Webpwnized YouTube Channel" src="./images/youtube-play-icon-40-40.png" />
+			<div>
+				<a href="http://www.youtube.com/user/webpwnized" target="_blank">
+					<img alt="Webpwnized YouTube Channel" src="./images/youtube-play-icon-40-40.png" />
 					<br/>
 					Video Tutorials
 				</a>
 			</div>
 			<div>&nbsp;</div>
-			<div class="label" style="text-align: center;">
+			<div>
 				<a href="https://twitter.com/webpwnized" target="_blank">
-					<img align="middle" alt="Webpwnized Twitter Channel" src="./images/twitter-bird-48-48.png" />
+					<img alt="Webpwnized Twitter Channel" src="./images/twitter-bird-48-48.png" />
 					<br/>
 					Announcements
 				</a>
 			</div>		
 			<div>&nbsp;</div>
-			<div class="label" style="text-align: center;">
+			<div>
 				<a 
 					href="https://www.sans.org/reading-room/whitepapers/application/introduction-owasp-mutillidae-ii-web-pen-test-training-environment-34380" 
 					target="_blank"
@@ -209,6 +178,5 @@ classname: 'ddsmoothmenu', //class added to menu's outer DIV
 			</div>
 			<div>&nbsp;</div>
 		</td>
-		<td valign="top">
-			<blockquote>
+		<td class="main-table-frame-right">
 			<!-- Begin Content -->
diff --git a/includes/hints/hints-menu-wrapper.inc b/includes/hints/hints-menu-wrapper.inc
index 5129cff..093b1eb 100755
--- a/includes/hints/hints-menu-wrapper.inc
+++ b/includes/hints/hints-menu-wrapper.inc
@@ -1,6 +1,5 @@
 <?php
 	if ($_SESSION["showhints"] > 0) {
-		require_once 'hints-menu.js.inc';
 		$lDisplayHintStyle = "block";
 	}else{
 		$lDisplayHintStyle = "none";
@@ -10,9 +9,6 @@
 <div  	class="hint-wrapper-header" 
 		id="idHintWrapperHeader"
 		title="Click to open this section"
-		onclick="toggleBody(this, window.document.getElementById('idHintWrapperBody'), window.document.getElementById('idHintWrapperHeaderImage'));"
-		onmouseover="this.style.backgroundColor='#cccccc';this.style.color='#ffffff';"
-		onmouseout="this.style.backgroundColor='#FFFFFF';this.style.color='#000000';"
 		style="display: <?php echo $lDisplayHintStyle; ?>";
 >
 	<img id="idHintWrapperHeaderImage" align="left" style="padding-right: 5px;" alt="Expand Hints" src="./images/down_arrow_16_16.png" />
diff --git a/includes/hints/hints-menu.js.inc b/includes/hints/hints-menu.js.inc
deleted file mode 100755
index 2ba7095..0000000
--- a/includes/hints/hints-menu.js.inc
+++ /dev/null
@@ -1,60 +0,0 @@
-<script>
-	var gLastPHeaderOpened = null;
-	var gLastPBodyOpened = null;
-	var gLastPImageOpened = null;
-
-	var sectionClosing = function(/*HTML-ELEMENT*/ pBody){
-		return (pBody.style.display == "");
-	};
-
-	var openBody = function(
-		/*HTML-ELEMENT*/ pHeader,
-		/*HTML-ELEMENT*/ pBody, 
-		/*HTML-IMG-ELEMENT*/ pImage
-	){	
-		pBody.style.display = "";
-		pImage.src = "./images/up_arrow_16_16.png";
-		pHeader.title = "Click to close this section";
-
-		/* Try to remember this hint is open */
-		gLastPHeaderOpened = pHeader;
-		gLastPBodyOpened = pBody;
-		gLastPImageOpened = pImage;			
-	};//end if
-
-	var closeBody = function(
-			/*HTML-ELEMENT*/ pHeader,
-			/*HTML-ELEMENT*/ pBody, 
-			/*HTML-IMG-ELEMENT*/ pImage
-		){	
-			pBody.style.display = "none";
-			pImage.src = "./images/down_arrow_16_16.png";
-			pHeader.title = "Click to open this section";
-		};//end if
-
-	var closeCurrentlyOpenBody = function(
-			/*HTML-ELEMENT*/ pHeader,
-			/*HTML-ELEMENT*/ pBody, 
-			/*HTML-IMG-ELEMENT*/ pImage
-		){	
-		/* Try to close currently open hint */
-		if (pHeader && pHeader.id != "idHintWrapperHeader"){
-			closeBody(pHeader,pBody,pImage);
-		};// end if
-	};//end if
-
-	var toggleBody = function(
-		/*HTML-ELEMENT*/ pHeader,
-		/*HTML-ELEMENT*/ pBody, 
-		/*HTML-IMG-ELEMENT*/ pImage
-	){
-		if(sectionClosing(pBody)){
-			closeBody(pHeader,pBody,pImage);			
-		}else{
-			closeCurrentlyOpenBody(gLastPHeaderOpened,gLastPBodyOpened,gLastPImageOpened);
-			openBody(pHeader,pBody,pImage);
-		};// end if sectionClosing()
-
-	};// end function toggleBody
-
-</script>
\ No newline at end of file
diff --git a/includes/jquery-init.inc b/includes/jquery-init.inc
deleted file mode 100755
index e32a67b..0000000
--- a/includes/jquery-init.inc
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
-	echo '<script type="text/javascript" src="javascript/jQuery/jquery.js"></script>';
-	echo '<script type="text/javascript" src="./javascript/jQuery/jquery.balloon.js"></script>';
-	echo '<script src="javascript/jQuery/colorbox/jquery.colorbox-min.js"></script>';
-	echo '<link rel="stylesheet" href="javascript/jQuery/colorbox/colorbox.css" />';
-	echo "
-	<script>
-		$(document).ready(function () {
-			$('a.colorbox').colorbox({width:'700px',opacity:'0.60'});
-		});
-	</script>
-	";
-?>
\ No newline at end of file
diff --git a/includes/main-menu.php b/includes/main-menu.php
index 2caede7..eb666f7 100755
--- a/includes/main-menu.php
+++ b/includes/main-menu.php
@@ -7,11 +7,11 @@
 
 <div id="smoothmenu1" class="ddsmoothmenu">	
 	<ul>
-		<li style="border-color: #ffffff;border-style: solid;border-width: 1px;">
+		<li>
 			<a href="">OWASP 2017</a>
 			<ul>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A1 - Injection (SQL)</a>
+					<a href="">A1 - Injection (SQL)</a>
 					<ul>
 						<li>
 							<a href="">SQLi - Extract Data</a>
@@ -71,7 +71,7 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A1 - Injection (Other)</a>
+					<a href="">A1 - Injection (Other)</a>
 					<ul>
 						<li>
 							<a href="">Application Log Injection</a>
@@ -79,6 +79,7 @@
 								<li><a href="index.php?page=add-to-your-blog.php">Add to your blog</a></li>
 								<li><a href="index.php?page=dns-lookup.php">DNS Lookup</a></li>
 								<li><a href="index.php?page=echo.php">Echo Message</a></li>
+								<li><a href="index.php?page=content-security-policy.php">Content Security Policy (CSP)</a></li>
 								<li><a href="index.php?page=document-viewer.php&PathToDocument=documentation/how-to-access-Mutillidae-over-Virtual-Box-network.php">Document Viewer</a></li>
 								<li><a href="index.php?page=capture-data.php">Capture Data Page</a></li>
 								<li><a href="index.php?page=login.php">Login</a></li>
@@ -108,6 +109,7 @@
 								<li><a href="index.php?page=dns-lookup.php">DNS Lookup</a></li>
 								<li><a href="./webservices/soap/ws-lookup-dns-record.php">DNS Lookup (SOAP Web Service)</a></li>
 								<li><a href="index.php?page=echo.php">Echo Message</a></li>
+								<li><a href="index.php?page=content-security-policy.php">Content Security Policy (CSP)</a></li>
 							</ul>
 						</li>
 						<li>
@@ -124,6 +126,7 @@
 								<li><a href="index.php?page=browser-info.php">Browser Info</a></li>
 								<li><a href="index.php?page=dns-lookup.php">DNS Lookup</a></li>
 								<li><a href="index.php?page=echo.php">Echo Message</a></li>
+								<li><a href="index.php?page=content-security-policy.php">Content Security Policy (CSP)</a></li>
 								<li><a href="index.php?page=pen-test-tool-lookup.php">Pen Test Tool Lookup</a></li>
 								<li><a href="index.php?page=text-file-viewer.php">Text File Viewer</a></li>
 								<li><a href="index.php?page=user-info.php">User Info (SQL)</a></li>
@@ -226,7 +229,7 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">
+					<a href="">
 						A2 - Broken Authentication and Session Management
 					</a>
 					<ul>
@@ -257,7 +260,7 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A3 - Sensitive Data Exposure</a>
+					<a href="">A3 - Sensitive Data Exposure</a>
 					<ul>
 						<li>
 							<a href="">Information Disclosure</a>
@@ -296,7 +299,7 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A4 - XML External Entities</a>
+					<a href="">A4 - XML External Entities</a>
 					<ul>
 						<li>
 							<a href="">XML External Entity Injection</a>
@@ -307,7 +310,7 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A5 - Broken Access Control</a>
+					<a href="">A5 - Broken Access Control</a>
 					<ul>
 						<li>
 							<a href="">Insecure Direct Object References</a>
@@ -332,7 +335,7 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A6 - Security Misconfiguration</a>
+					<a href="">A6 - Security Misconfiguration</a>
 					<ul>
 						<li><a href="index.php?page=directory-browsing.php">Directory Browsing</a></li>
 						<li>
@@ -344,6 +347,7 @@
 								<li><a href="index.php?page=user-poll.php">Poll Question</a></li>
 								<li><a href="index.php?page=dns-lookup.php">DNS Lookup</a></li>
 								<li><a href="index.php?page=echo.php">Echo Message</a></li>
+								<li><a href="index.php?page=content-security-policy.php">Content Security Policy (CSP)</a></li>
 							</ul>
 						</li>
 						<li><a href="index.php?page=user-agent-impersonation.php">User-Agent Impersonation</a></li>
@@ -358,13 +362,14 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A7 - Cross Site Scripting (XSS)</a>
+					<a href="">A7 - Cross Site Scripting (XSS)</a>
 					<ul>
 						<li>
 							<a href="">Reflected (First Order)</a>
 							<ul>
 								<li><a href="index.php?page=dns-lookup.php">DNS Lookup</a></li>
 								<li><a href="index.php?page=echo.php">Echo Message</a></li>
+								<li><a href="index.php?page=content-security-policy.php">Content Security Policy (CSP)</a></li>
 								<li><a href="index.php?page=pen-test-tool-lookup.php">Pen Test Tool Lookup</a></li>
 								<li><a href="index.php?page=text-file-viewer.php">Text File Viewer</a></li>
 								<li><a href="index.php?page=user-info.php">User Info (SQL)</a></li>
@@ -418,6 +423,7 @@
 								<li><a href="index.php?page=text-file-viewer.php">Text File Viewer</a></li>
 								<li><a href="index.php?page=dns-lookup.php">DNS Lookup</a></li>
 								<li><a href="index.php?page=echo.php">Echo Message</a></li>
+								<li><a href="index.php?page=content-security-policy.php">Content Security Policy (CSP)</a></li>
 								<li><a href="index.php?page=user-info.php">User Info (SQL)</a></li>
 								<li><a href="index.php?page=user-info-xpath.php">User Info (XPath)</a></li>
 								<li><a href="index.php">Missing HTTPOnly Attribute</a></li>
@@ -491,6 +497,7 @@
 								<li><a href="index.php?page=show-log.php">Show Log</a><li>
 								<li><a href="index.php?page=dns-lookup.php">DNS Lookup</a></li>
 								<li><a href="index.php?page=echo.php">Echo Message</a></li>
+								<li><a href="index.php?page=content-security-policy.php">Content Security Policy (CSP)</a></li>
 								<li><a href="index.php?page=pen-test-tool-lookup.php">Pen Test Tool Lookup</a></li>
 								<li><a href="index.php?page=text-file-viewer.php">Text File Viewer</a></li>
 								<li><a href="index.php?page=user-info.php">User Info (SQL)</a></li>
@@ -509,10 +516,10 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A8 - Insecure Deserialization</a>
+					<a href="">A8 - Insecure Deserialization</a>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A9 - Using Components with Known Vulnerabilities</a>
+					<a href="">A9 - Using Components with Known Vulnerabilities</a>
 					<ul>
 						<li><a href="index.php?page=phpmyadmin.php">PHP MyAdmin Console</a></li>
 						<li><a href="index.php?page=phpinfo.php">PHP Info Page</a></li>
@@ -521,17 +528,17 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" target="_blank">A10 - Insufficient Logging and Monitoring</a>
+					<a href="">A10 - Insufficient Logging and Monitoring</a>
 				</li>
 			</ul>
 		</li>
 	</ul>
 	<ul>
-		<li style="border-color: #ffffff;border-style: solid;border-width: 1px;">
+		<li>
 			<a href="">OWASP 2013</a>
 			<ul>
 				<li>
-					<a href="https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)" target="_blank">A8 - Cross Site Request Forgery (CSRF)</a>
+					<a href="">A8 - Cross Site Request Forgery (CSRF)</a>
 					<ul>
 						<li><a href="index.php?page=add-to-your-blog.php">Add to your blog</a></li>
 						<li><a href="index.php?page=register.php">Register User</a></li>
@@ -539,7 +546,7 @@
 					</ul>
 				</li>
 				<li>
-					<a href="https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards" target="_blank">A10 - Unvalidated Redirects and Forwards</a>
+					<a href="">A10 - Unvalidated Redirects and Forwards</a>
 					<ul>
 						<li><a href="?page=credits.php">Credits</a></li>
 						<?php if (isset($_COOKIE["uid"]) && $_COOKIE["uid"]==1) { ?>		
@@ -553,11 +560,11 @@
 		</li>
 	</ul>
 	<ul>
-		<li style="border-color: #ffffff;border-style: solid;border-width: 1px;">
+		<li>
 			<a href="">OWASP 2010</a>
 			<ul>
 				<li>
-					<a href="http://www.owasp.org/index.php/Top_10_2010-A7" target="_blank">A7 - Insecure Cryptographic Storage</a>
+					<a href="">A7 - Insecure Cryptographic Storage</a>
 					<ul>
 						<li><a href="index.php?page=user-info.php">User Info (SQL)</a></li>
 						<li><a href="index.php?page=user-info-xpath.php">User Info (XPath)</a></li>
@@ -566,7 +573,7 @@
 					</ul>
 				</li>
 				<li>
-					<a href="http://www.owasp.org/index.php/Top_10_2010-A8" target="_blank">A8 - Failure to Restrict URL Access</a>
+					<a href="">A8 - Failure to Restrict URL Access</a>
 					<ul>
 						<li><a href="index.php?page=edit-account-profile.php<?php echo $lUserIDString; ?>">Edit User Profile</a></li>
 						<li><a href="index.php?page=phpmyadmin.php">PHP MyAdmin Console</a></li>
@@ -578,7 +585,7 @@
 					</ul>
 				</li>
 				<li>
-					<a href="http://www.owasp.org/index.php/Top_10_2010-A9" target="_blank">A9 - Insufficient Transport Layer Protection</a>
+					<a href="">A9 - Insufficient Transport Layer Protection</a>
 					<ul>
 						<li><a href="index.php?page=ssl-misconfiguration.php">SSL Misconfiguration</a></li>
 						<li><a href="index.php?page=login.php">Login</a></li>
@@ -590,18 +597,18 @@
 		</li>
 	</ul>	
 	<ul>
-		<li style="border-color: #ffffff;border-style: solid;border-width: 1px;">
+		<li>
 			<a href="">OWASP 2007</a>
 			<ul>
 				<li>
-					<a href="http://www.owasp.org/index.php/Top_10_2007-A3" target="_blank">A3 - Malicious File Execution</a>
+					<a href="">A3 - Malicious File Execution</a>
 					<ul>
-						<li><a href="?page=text-file-viewer.php">Text File Viewer</a></li>
-						<li><a href="?page=source-viewer.php">Source Viewer</a></li>
+						<li><a href="index.php?page=text-file-viewer.php">Text File Viewer</a></li>
+						<li><a href="index.php?page=source-viewer.php">Source Viewer</a></li>
 					</ul>		
 				</li>
 				<li>
-					<a href="http://www.owasp.org/index.php/Top_10_2007-A6" target="_blank">A6 - Information Leakage</a>
+					<a href="">A6 - Information Leakage</a>
 					<ul>
 						<li><a href="index.php?page=edit-account-profile.php<?php echo $lUserIDString; ?>">Edit User Profile</a></li>
 						<li><a href="index.php">Cache-Control</a></li>
@@ -617,7 +624,7 @@
 					</ul>		
 				</li>
 				<li>
-					<a href="http://www.owasp.org/index.php/Top_10_2007-A6" target="_blank">A6 - Improper Error Handling</a>
+					<a href="">A6 - Improper Error Handling</a>
 					<ul>
 						<li><a href="index.php?page=user-info.php">User Info (SQL)</a></li>
 						<li><a href="index.php?page=user-info-xpath.php">User Info (XPath)</a></li>
@@ -633,7 +640,7 @@
 		</li>
 	</ul>	
 	<ul>
-		<li style="border-color: #ffffff; border-style: solid;border-width: 1px;">
+		<li>
 			<a href="">Web Services</a>
 			<ul>
 				<li>
@@ -684,7 +691,7 @@
 				</li>						
 			</ul>
 		</li>
-		<li style="border-color: #ffffff; border-style: solid;border-width: 1px;">
+		<li>
 			<a href="">HTML 5</a>
 			<ul>
 				<li>
@@ -708,7 +715,7 @@
 				</li>
 			</ul>
 		</li>
-		<li style="border-color: #ffffff; border-style: solid;border-width: 1px;">
+		<li>
 			<a href="">Others</a>
 			<ul>			
 				<li>
@@ -746,6 +753,7 @@
 						<li><a href="index.php?page=html5-storage.php">HTML5 Web Storage</a></li>
 						<li><a href="index.php?page=dns-lookup.php">DNS Lookup</a></li>
 						<li><a href="index.php?page=echo.php">Echo Message</a></li>
+						<li><a href="index.php?page=content-security-policy.php">Content Security Policy (CSP)</a></li>
 						<li><a href="index.php?page=repeater.php">Repeater</a></li>
 					</ul>		
 				</li>
@@ -761,14 +769,13 @@
 				</li>
 			</ul>
 		</li>
-		<li style="border-color: #ffffff;border-style: solid;border-width: 1px;">
+		<li>
 			<a href="">Documentation</a>
 			<ul>
 				<li><a href="index.php?page=documentation/installation.php">Installation Instructions (Linux)</a></li>
 				<li><a href="documentation/mutillidae-installation-on-xampp-win7.pdf" target="_blank">Installation Instructions (Windows)</a></li>
 				<li><a href="index.php?page=documentation/usage-instructions.php">Usage Instructions</a></li>
 				<li><a href="index.php?page=documentation/vulnerabilities.php">Listing of Vulnerabilities</a></li>
-				<li><a href="documentation/change-log.txt" target="_blank">Change Log</a></li>
 				<li><a href="index.php?page=credits.php">Credits</a></li>
 				<li>
 					<a href="https://www.sans.org/reading-room/whitepapers/application/introduction-owasp-mutillidae-ii-web-pen-test-training-environment-34380" target="_blank">
@@ -777,7 +784,7 @@
 				</li>
 			</ul>
 		</li>
-		<li style="border-color: #ffffff;border-style: solid;border-width: 1px;">
+		<li>
 			<a href="">Resources</a>
 			<ul>
 				<li>
diff --git a/includes/pop-up-status-notification.inc b/includes/pop-up-status-notification.inc
deleted file mode 100755
index 16bfbb1..0000000
--- a/includes/pop-up-status-notification.inc
+++ /dev/null
@@ -1,33 +0,0 @@
-<?php 
-	switch ($_GET["popUpNotificationCode"]){
-		case "HPH0": $lhintsPopUpNotificationMessage = "<b>Feeling Lost?</b> Toggle <b><u>Hints</u></b> or <b><u>Popup Hints</u></b> to activate dynamic help systems.";break;
-		case "L1H0": $lhintsPopUpNotificationMessage = "Hints Disabled";break;
-		case "L1H1": $lhintsPopUpNotificationMessage = "Hints enabled. Please find a \"Hints and Videos\" section added to the top of each applicable page.";break;
-		case "SUD0": $lhintsPopUpNotificationMessage = "Dropping and rebuilding database";break;
-		case "SUD1": $lhintsPopUpNotificationMessage = "Database has been rebuilt";break;
-		case "AU1": $lhintsPopUpNotificationMessage = "User Authenticated";break;
-		case "LOU1": $lhintsPopUpNotificationMessage = "User Logged Out";break;
-		case "SSLE1": $lhintsPopUpNotificationMessage = "SSL Enforced";break;
-		case "SSLO1": $lhintsPopUpNotificationMessage = "SSL Optional";break;
-		case "SL0": $lhintsPopUpNotificationMessage = "Security level set to 0. Hack Away.";break;
-		case "SL1": $lhintsPopUpNotificationMessage = "Security level set to 1. Try Slightly Harder.";break;
-		case "SL5": $lhintsPopUpNotificationMessage = "Security level set to 5. Good Luck.";break;
-		case "BHD1": $lhintsPopUpNotificationMessage = "Bubble Hints Disabled";break;
-		case "BHE1": $lhintsPopUpNotificationMessage = "Bubble Hints Enabled";break;
-		case "LFD1": $lhintsPopUpNotificationMessage = "Logs Deleted";break;
-		case "LFR1": $lhintsPopUpNotificationMessage = "Logs Refreshed";break;
-	}// end switch
-?>
-
-<link rel="stylesheet" type="text/css" href="styles/gritter/jquery.gritter.css" />
-<script type="text/javascript" src="javascript/gritter/jquery.gritter.min.js"></script>
-<script>
-$.gritter.add({
-    // (string | mandatory) the heading of the notification
-    title: 'Status Update',
-    // (string | mandatory) the text inside the notification
-    text: '<?php echo $lhintsPopUpNotificationMessage ?>',
-    // time until fade begins
-    time: 5000
-});
-</script>
\ No newline at end of file
diff --git a/includes/process-commands.php b/includes/process-commands.php
index 600a958..6f2775a 100755
--- a/includes/process-commands.php
+++ b/includes/process-commands.php
@@ -39,20 +39,6 @@ function logMessage($lMessage){
 			exit();
     	break;//case "toggle-enforce-ssl"
 	        	
-    	case "toggle-bubble-hints":
-    		if ($BubbleHintHandler->hintsAreDispayed()){
-    			$BubbleHintHandler->hideHints();
-    			$lhintsPopUpNotificationCode="BHD1";
-    		}else{
-    			$BubbleHintHandler->showHints();
-    			$lhintsPopUpNotificationCode="BHE1";
-    		}//end if
-		    
-    		header("Location: ".$_SERVER['SCRIPT_NAME'].'?popUpNotificationCode='.$lhintsPopUpNotificationCode.'&'.str_ireplace('do=toggle-bubble-hints&', '', $_SERVER['QUERY_STRING']), true, 302);
-			exit();
-    		
-			break;//case "toggle-bubble-hints"
-	    
     	case "logout":
     	    logMessage("Logout user: {$_SESSION['logged_in_user']} ({$_SESSION['uid']})");
 		    $_SESSION["loggedin"] = "False";
@@ -103,9 +89,7 @@ function logMessage($lMessage){
 			}//end switch
 			
 			/* Redirect the user back to the same page they clicked the "Toggle Hints" button
-			 * The index.php page will take care of using this new hint-level value to 
-			 * syncronize the page-hints and balloon tip hints. The "exit()" function makes
-			 * sure we do not accidentally write any "body" lines.
+			 * The "exit()" function makes sure we do not accidentally write any "body" lines.
 			 */
 		    header("Location: ".$_SERVER['SCRIPT_NAME'].'?popUpNotificationCode='.$lhintsPopUpNotificationCode.'&'.str_ireplace('do=toggle-hints&', '', $_SERVER['QUERY_STRING']), true, 302);
 			exit();
@@ -144,7 +128,6 @@ function logMessage($lMessage){
 			// change how much information errors barf onto the page.
 		    $CustomErrorHandler->setSecurityLevel($lSecurityLevel);
 		    $LogHandler->setSecurityLevel($lSecurityLevel);
-		    $BubbleHintHandler->setSecurityLevel($lSecurityLevel);
 		   	$MySQLHandler->setSecurityLevel($lSecurityLevel);		    
 		   	$SQLQueryHandler->setSecurityLevel($lSecurityLevel);
 		   	$RemoteFileHandler->setSecurityLevel($lSecurityLevel);
diff --git a/index.php b/index.php
index 6f09d43..e6431c4 100755
--- a/index.php
+++ b/index.php
@@ -13,7 +13,6 @@
 	require_once (__ROOT__.'/classes/SQLQueryHandler.php');
 	require_once (__ROOT__.'/classes/CustomErrorHandler.php');
 	require_once (__ROOT__.'/classes/LogHandler.php');
-	require_once (__ROOT__.'/classes/BubbleHintHandler.php');
 	require_once (__ROOT__.'/classes/RemoteFileHandler.php');
 	require_once (__ROOT__.'/classes/RequiredSoftwareHandler.php');
 	
@@ -234,23 +233,6 @@ function handleException($exception){
 	$SQLQueryHandler = &$_SESSION["Objects"]["SQLQueryHandler"];
 	*/
 	$SQLQueryHandler = new SQLQueryHandler(__ROOT__.'/owasp-esapi-php/src/', $_SESSION["security-level"]);
-	
-	/* ------------------------------------------
- 	* initialize balloon-hint handler
- 	* ------------------------------------------ */
-	/*
-   	if (!is_object($_SESSION["Objects"]["BubbleHintHandler"])){
-		$_SESSION["Objects"]["BubbleHintHandler"] = new BubbleHintHandler(__ROOT__.'/owasp-esapi-php/src/', $_SESSION["security-level"]);
-	}// end if
-	
-	// Set up an alias by reference so object can be referenced in memory without copying
-	$BubbleHintHandler = &$_SESSION["Objects"]["BubbleHintHandler"];
-	*/
-	$BubbleHintHandler = new BubbleHintHandler(__ROOT__.'/owasp-esapi-php/src/', $_SESSION["security-level"]);
-	
-	if ($_SESSION["showhints"] != $BubbleHintHandler->getHintLevel()){
-		$BubbleHintHandler->setHintLevel($_SESSION["showhints"]);
-	}//end if
 
 	/* ------------------------------------------
  	* initialize remote file handler
@@ -409,8 +391,6 @@ function handleException($exception){
    	
 	switch ($_SESSION["security-level"]){
    		case "0": // This code is insecure
-   			$lIncludeFrameBustingJavaScript = FALSE;
-   			
    			/* Built-in user-agent defenses */
    			header("X-XSS-Protection: 0", TRUE);
    			
@@ -420,9 +400,6 @@ function handleException($exception){
    		break;
    		
    		case "1":
-   		    /* Cross-frame scripting and click-jacking */
-   		    $lIncludeFrameBustingJavaScript = TRUE;
-   		    
    		    /* Built-in user-agent defenses */
    		    header("X-XSS-Protection: 0", TRUE);
    		    
@@ -446,7 +423,6 @@ function handleException($exception){
   			 * with older browsers.
   			 */
    			header('X-FRAME-OPTIONS: DENY', TRUE);
-   			$lIncludeFrameBustingJavaScript = TRUE;
    			
    			/* Cache-control */
    			/*
@@ -510,7 +486,7 @@ function handleException($exception){
 	/* ------------------------------------------
     * END Security Headers (Modern Browsers)
     * ------------------------------------------ */
-	 
+   	
    	/* ------------------------------------------
    	 * Set the HTTP content-type of this page
    	 * ------------------------------------------ */
@@ -605,7 +581,23 @@ function handleException($exception){
 	/* ------------------------------------------
 	* END SIMULATE "SECRET" PAGES
 	* ------------------------------------------ */
-
+    
+	/* ------------------------------------------
+     * Set Content Security Policy (CSP) if needed
+     * ------------------------------------------ */
+    if ($lPage == "content-security-policy.php"){
+        $CSPNonce = bin2hex(openssl_random_pseudo_bytes(64));
+        $lCSP = "Content-Security-Policy: " .
+                "script-src 'self' 'nonce-{$CSPNonce}' mutillidae.local;" .
+                "style-src 'unsafe-inline' 'self' mutillidae.local;" .
+                "img-src 'self' mutillidae.local www.paypalobjects.com;" .
+                "default-src 'self'";
+        header($lCSP, TRUE);
+    }// end if
+    /* ------------------------------------------
+     * END Content Security Policy (CSP)
+     * ------------------------------------------ */
+    
 	/* ------------------------------------------
 	* BEGIN OUTPUT RESPONSE
 	* ------------------------------------------ */
@@ -616,9 +608,7 @@ function handleException($exception){
 		require_once(__ROOT__."/home.php");
 	}else{
 		/* All Other Pages */
-
-		/* Note: PHP uses lazy evaluation so if file_exists then PHP wont execute remote_file_exists */
-		if (file_exists($lPage) || $RemoteFileHandler->remoteSiteIsReachable($lPage)){
+	    if (file_exists($lPage) || $RemoteFileHandler->remoteSiteIsReachable($lPage)){
 			require_once ($lPage);
 		}else{
 			if(!$RemoteFileHandler->curlIsInstalled()){
@@ -642,21 +632,4 @@ function handleException($exception){
    	* ------------------------------------------ */
    	$MySQLHandler->closeDatabaseConnection();
 
-	/* ------------------------------------------
-	* Anti-framing protection (Older Browsers)
-	* ------------------------------------------ */
-	if ($lIncludeFrameBustingJavaScript){
-		include_once (__ROOT__."/includes/anti-framing-protection.inc");	
-	}// end if    
-    
-	/* ------------------------------------------
-	* Add javascript includes
-	* ------------------------------------------ */
-   	include_once (__ROOT__."/includes/create-html-5-web-storage-target.inc");	
-   	require_once (__ROOT__."/includes/jquery-init.inc");
-   	
-   	if (isset($_GET["popUpNotificationCode"])){
-   		include_once (__ROOT__."/includes/pop-up-status-notification.inc");
-   	}// end if
-
 ?>
\ No newline at end of file
diff --git a/javascript/ddsmoothmenu/readme.txt b/javascript/ddsmoothmenu/readme.txt
deleted file mode 100755
index 56b592f..0000000
--- a/javascript/ddsmoothmenu/readme.txt
+++ /dev/null
@@ -1 +0,0 @@
-http://www.dynamicdrive.com/dynamicindex1/ddsmoothmenu.htm
\ No newline at end of file
diff --git a/javascript/hints/hints-menu.js b/javascript/hints/hints-menu.js
new file mode 100644
index 0000000..bac1123
--- /dev/null
+++ b/javascript/hints/hints-menu.js
@@ -0,0 +1,32 @@
+var sectionClosing = function(pHintsBody){
+	if (typeof pHintsBody != "undefined") {
+		return (pHintsBody.style.display == "");
+	}else{
+		return true;
+	};
+};
+
+var openBody = function(pHintsHeader, pHintsBody, pHintsImage){	
+	pHintsBody.style.display = "";
+	pHintsImage.src = "./images/up_arrow_16_16.png";
+	pHintsHeader.title = "Click to close this section";
+};//end if
+
+var closeBody = function(pHintsHeader, pHintsBody, pHintsImage){
+	pHintsBody.style.display = "none";
+	pHintsImage.src = "./images/down_arrow_16_16.png";
+	pHintsHeader.title = "Click to open this section";
+};//end if
+
+var toggleBody = function(){
+
+	var lHintsHeader = window.document.getElementById("idHintWrapperHeader");
+	var lHintsBody = window.document.getElementById('idHintWrapperBody');
+	var lHintsImage = window.document.getElementById('idHintWrapperHeaderImage');
+
+	if(sectionClosing(lHintsBody)){
+		closeBody(lHintsHeader, lHintsBody, lHintsImage);			
+	}else{
+		openBody(lHintsHeader, lHintsBody, lHintsImage);
+	};// end if sectionClosing()
+};// end function toggleBody
diff --git a/javascript/inline-initializers/ddsmoothmenu-init.js b/javascript/inline-initializers/ddsmoothmenu-init.js
new file mode 100644
index 0000000..2e9ddb5
--- /dev/null
+++ b/javascript/inline-initializers/ddsmoothmenu-init.js
@@ -0,0 +1,9 @@
+$(function() {
+	ddsmoothmenu.init({
+		mainmenuid: "smoothmenu1", //menu DIV id
+		orientation: 'v', //Horizontal or vertical menu: Set to "h" or "v"
+		classname: 'ddsmoothmenu', //class added to menu's outer DIV
+		//customtheme: ["#cccc44", "#cccccc"],
+		contentsource: "markup" //"markup" or ["container_id", "path_to_menu_file"]
+	});
+});
diff --git a/javascript/inline-initializers/gritter-init.js b/javascript/inline-initializers/gritter-init.js
new file mode 100644
index 0000000..4244f7e
--- /dev/null
+++ b/javascript/inline-initializers/gritter-init.js
@@ -0,0 +1,34 @@
+$(function() {
+	var l_message = "";
+	var l_query_string = window.location.search;
+	const l_url_params = new URLSearchParams(l_query_string);
+	const l_status_code = l_url_params.get('popUpNotificationCode');
+	
+	if (l_status_code){
+		switch (l_status_code){
+			case "HPH0": l_message = "Feeling Lost? Toggle Hints or Popup Hints to activate dynamic help systems.";break;
+			case "L1H0": l_message = "Hints Disabled";break;
+			case "L1H1": l_message = 'Hints enabled. Please find a "Hints and Videos" section added to the top of each applicable page.';break;
+			case "SUD0": l_message = "Dropping and rebuilding database";break;
+			case "SUD1": l_message = "Database has been rebuilt";break;
+			case "AU1": l_message = "User Authenticated";break;
+			case "LOU1": l_message = "User Logged Out";break;
+			case "SSLE1": l_message = "SSL Enforced";break;
+			case "SSLO1": l_message = "SSL Optional";break;
+			case "SL0": l_message = "Security level set to 0. Hack Away.";break;
+			case "SL1": l_message = "Security level set to 1. Try Slightly Harder.";break;
+			case "SL5": l_message = "Security level set to 5. Good Luck.";break;
+			case "BHD1": l_message = "Bubble Hints Disabled";break;
+			case "BHE1": l_message = "Bubble Hints Enabled";break;
+			case "LFD1": l_message = "Logs Deleted";break;
+			case "LFR1": l_message = "Logs Refreshed";break;
+		}// end switch
+	
+		$.gritter.add({
+		    title: 'Status Update',
+		    text: l_message,
+		    time: 5000
+		});
+	}// end if l_status_code
+});
+
diff --git a/javascript/inline-initializers/hints-menu-init.js b/javascript/inline-initializers/hints-menu-init.js
new file mode 100644
index 0000000..e48b534
--- /dev/null
+++ b/javascript/inline-initializers/hints-menu-init.js
@@ -0,0 +1,13 @@
+$(function() {
+	window.document.getElementById("idHintWrapperHeader").addEventListener('click', toggleBody);
+	
+	window.document.getElementById("idHintWrapperHeader").addEventListener('mouseover', function(){
+		this.style.backgroundColor='#cccccc';
+		this.style.color='#ffffff';
+	});
+	
+	window.document.getElementById("idHintWrapperHeader").addEventListener('mouseout', function(){
+		this.style.backgroundColor='#FFFFFF';
+		this.style.color='#000000';
+	});
+});
\ No newline at end of file
diff --git a/javascript/inline-initializers/jquery-init.js b/javascript/inline-initializers/jquery-init.js
new file mode 100644
index 0000000..b3955f9
--- /dev/null
+++ b/javascript/inline-initializers/jquery-init.js
@@ -0,0 +1,5 @@
+$(function() {
+	$(document).ready(function () {
+		$('a.colorbox').colorbox({width:'700px',opacity:'0.60'});
+	});
+});
diff --git a/javascript/inline-initializers/populate-web-storage.js b/javascript/inline-initializers/populate-web-storage.js
new file mode 100644
index 0000000..2073f31
--- /dev/null
+++ b/javascript/inline-initializers/populate-web-storage.js
@@ -0,0 +1,22 @@
+$(function() {
+	try{
+		window.localStorage.setItem("SelfDestructSequence1","Destruct sequence 1, code 1-1A");
+		window.localStorage.setItem("SelfDestructSequence2","Destruct sequence 2, code 1-1A-2B");
+		window.localStorage.setItem("SelfDestructSequence3","Destruct sequence 3, code 1B-2B-3");
+		window.localStorage.setItem("MessageOfTheDay","Go Cats!");
+		window.localStorage.setItem("SecureMessage","Shh. Do not tell anyone.");
+		window.localStorage.setItem("FYI","A couple of keys are not showing in this list. Why?");
+		
+		window.sessionStorage.setItem("AuthorizationLevel", "0");
+		window.sessionStorage.setItem("ChuckNorrisJoke1","When Alexander Bell invented the telephone he had 3 missed calls from Chuck Norris");
+		window.sessionStorage.setItem("ChuckNorrisJoke2","Death once had a near-Chuck Norris experience");
+		window.sessionStorage.setItem("ChuckNorrisJoke3","Chuck Norris counted to infinity; twice");
+		window.sessionStorage.setItem("ChuckNorrisJoke4","Chuck Norris can slam a revolving door");
+		window.sessionStorage.setItem("ChuckNorrisJoke5","Chuck Norris can cut through a hot knife with butter");
+		window.sessionStorage.setItem("SecureKey", "You cannot see me on the HTML5 Storage page. I wonder why?");
+	}catch(e){
+		//alert(e);
+		/* Do nothing. Older browsers do not support HTML5 web storage */
+	};
+});
+
diff --git a/javascript/jQuery/jquery.balloon.js b/javascript/jQuery/jquery.balloon.js
deleted file mode 100755
index 9dd5aec..0000000
--- a/javascript/jQuery/jquery.balloon.js
+++ /dev/null
@@ -1,280 +0,0 @@
-/**
- * Hover balloon on elements without css and images.
- *
- * Copyright (c) 2011 Hayato Takenaka
- * Dual licensed under the MIT and GPL licenses:
- * http://www.opensource.org/licenses/mit-license.php
- * http://www.gnu.org/licenses/gpl.html
- * @author: Hayato Takenaka (http://urin.take-uma.net)
- * @version: 0.3.0 - 2012/02/25
-**/
-;(function($) {
-	//-----------------------------------------------------------------------------
-	// Private
-	//-----------------------------------------------------------------------------
-	// Helper for meta programming
-	var Meta = {};
-	Meta.pos  = $.extend(["top", "bottom", "left", "right"], {camel: ["Top", "Bottom", "Left", "Right"]});
-	Meta.size = $.extend(["height", "width"], {camel: ["Height", "Width"]});
-	Meta.getRelativeNames = function(position) {
-		var idx = {
-			pos: {
-				o: position,                                          // origin
-				f: (position % 2 == 0) ? position + 1 : position - 1, // faced
-				p1: (position % 2 == 0) ? position : position - 1,
-				p2: (position % 2 == 0) ? position + 1 : position,
-				c1: (position < 2) ? 2 : 0,
-				c2: (position < 2) ? 3 : 1
-			},
-			size: {
-				p: (position < 2) ? 0 : 1, // parallel
-				c: (position < 2) ? 1 : 0  // cross
-			}
-		};
-		var names = {};
-		for(var m1 in idx) {
-			if(!names[m1]) names[m1] = {};
-			for(var m2 in idx[m1]) {
-				names[m1][m2] = Meta[m1][idx[m1][m2]];
-				if(!names.camel) names.camel = {};
-				if(!names.camel[m1]) names.camel[m1] = {};
-				names.camel[m1][m2] = Meta[m1].camel[idx[m1][m2]];
-			}
-		}
-		names.isTopLeft = (names.pos.o == names.pos.p1);
-		return names;
-	};
-
-	// Helper class to handle position and size as numerical pixels.
-	function NumericalBoxElement() { this.initialize.apply(this, arguments); }
-	(function() {
-		// Method factories
-		var Methods = {
-			setBorder: function(pos, isVertical) {
-				return function(value) {
-					this.$.css("border-" + pos.toLowerCase() + "-width", value + "px");
-					this["border" + pos] = value;
-					return (this.isActive) ? digitalize(this, isVertical) : this;
-				};
-			},
-			setPosition: function(pos, isVertical) {
-				return function(value) {
-					this.$.css(pos.toLowerCase(), value + "px");
-					this[pos.toLowerCase()] = value;
-					return (this.isActive) ? digitalize(this, isVertical) : this;
-				};
-			}
-		};
-
-		NumericalBoxElement.prototype = {
-			initialize: function($element) {
-				this.$ = $element;
-				$.extend(true, this, this.$.offset(), {center: {}, inner: {center: {}}});
-				for(var i = 0; i < Meta.pos.length; i++) {
-					this["border" + Meta.pos.camel[i]] = parseInt(this.$.css("border-" + Meta.pos[i] + "-width")) || 0;
-				}
-				this.active();
-			},
-			active: function() { this.isActive = true; digitalize(this); return this; },
-			inactive: function() { this.isActive = false; return this; }
-		};
-		for(var i = 0; i < Meta.pos.length; i++) {
-			NumericalBoxElement.prototype["setBorder" + Meta.pos.camel[i]] = Methods.setBorder(Meta.pos.camel[i], (i < 2));
-			if(i % 2 == 0)
-				NumericalBoxElement.prototype["set" + Meta.pos.camel[i]] = Methods.setPosition(Meta.pos.camel[i], (i < 2));
-		}
-
-		function digitalize(box, isVertical) {
-			if(isVertical == undefined) { digitalize(box, true); return digitalize(box, false); }
-			var m = Meta.getRelativeNames((isVertical) ? 0 : 2);
-			box[m.size.p] = box.$["outer" + m.camel.size.p]();
-			box[m.pos.f] = box[m.pos.o] + box[m.size.p];
-			box.center[m.pos.o] = box[m.pos.o] + box[m.size.p] / 2;
-			box.inner[m.pos.o] = box[m.pos.o] + box["border" + m.camel.pos.o];
-			box.inner[m.size.p] = box.$["inner" + m.camel.size.p]();
-			box.inner[m.pos.f] = box.inner[m.pos.o] + box.inner[m.size.p];
-			box.inner.center[m.pos.o] = box.inner[m.pos.f] + box.inner[m.size.p] / 2;
-			return box;
-		}
-	})();
-
-	// Adjust position of balloon body
-	function makeupBalloon($target, $balloon, options) {
-		$balloon.stop(true, true);
-		var outerTip, innerTip,
-			initTipStyle = {position: "absolute", height: "0", width: "0", border: "solid 0 transparent"},
-			target = new NumericalBoxElement($target),
-			balloon = new NumericalBoxElement($balloon);
-		balloon.setTop(-options.offsetY
-			+ ((options.position && options.position.indexOf("top") >= 0) ? target.top - balloon.height
-			: ((options.position && options.position.indexOf("bottom") >= 0) ? target.bottom
-			: target.center.top - balloon.height / 2)));
-		balloon.setLeft(options.offsetX
-			+ ((options.position && options.position.indexOf("left") >= 0) ? target.left - balloon.width
-			: ((options.position && options.position.indexOf("right") >= 0) ? target.right
-			: target.center.left - balloon.width / 2)));
-		if(options.tipSize > 0) {
-			// Add hidden balloon tips into balloon body.
-			if($balloon.data("outerTip")) { $balloon.data("outerTip").remove(); $balloon.removeData("outerTip"); }
-			if($balloon.data("innerTip")) { $balloon.data("innerTip").remove(); $balloon.removeData("innerTip"); }
-			outerTip = new NumericalBoxElement($("<div>").css(initTipStyle).appendTo($balloon));
-			innerTip = new NumericalBoxElement($("<div>").css(initTipStyle).appendTo($balloon));
-			// Make tip triangle, adjust position of tips.
-			var m;
-			for(var i = 0; i < Meta.pos.length; i++) {
-				m = Meta.getRelativeNames(i);
-				if(balloon.center[m.pos.c1] >= target[m.pos.c1] &&
-					balloon.center[m.pos.c1] <= target[m.pos.c2]) {
-					if(i % 2 == 0) {
-						if(balloon[m.pos.o] >= target[m.pos.o] && balloon[m.pos.f] >= target[m.pos.f]) break;
-					} else {
-						if(balloon[m.pos.o] <= target[m.pos.o] && balloon[m.pos.f] <= target[m.pos.f]) break;
-					}
-				}
-				m = null;
-			}
-			if(m) {
-				balloon["set" + m.camel.pos.p1]
-					(balloon[m.pos.p1] + ((m.isTopLeft) ? 1 : -1) * (options.tipSize - balloon["border" + m.camel.pos.o]));
-				makeTip(balloon, outerTip, m, options.tipSize, $balloon.css("border-" + m.pos.o + "-color"));
-				makeTip(balloon, innerTip, m, options.tipSize - 2 * balloon["border" + m.camel.pos.o], $balloon.css("background-color"));
-				$balloon.data("outerTip", outerTip.$).data("innerTip", innerTip.$);
-			} else {
-				$.each([outerTip.$, innerTip.$], function() { this.remove(); });
-			}
-		}
-		// Make up balloon tip.
-		function makeTip(balloon, tip, m, tipSize, color) {
-			var len = Math.round(tipSize / 1.7320508);
-			tip.inactive()
-				["setBorder" + m.camel.pos.f](tipSize)
-				["setBorder" + m.camel.pos.c1](len)
-				["setBorder" + m.camel.pos.c2](len)
-				["set" + m.camel.pos.p1]((m.isTopLeft) ? -tipSize : balloon.inner[m.size.p])
-				["set" + m.camel.pos.c1](balloon.inner[m.size.c] / 2 - len)
-				.active()
-				.$.css("border-" + m.pos.f + "-color", color);
-		}
-	}
-
-	// True if the event comes from the target or balloon.
-	function isValidTargetEvent($target, e) {
-		var b = $target.data("balloon") && $target.data("balloon").get(0);
-		return !(b && (b == e.relatedTarget || $.contains(b, e.relatedTarget)));
-	}
-
-	//-----------------------------------------------------------------------------
-	// Public
-	//-----------------------------------------------------------------------------
-	$.fn.balloon = function(options) {
-		options = $.extend(true, {}, $.balloon.defaults, options);
-		return this.one("mouseenter", function(e) {
-			var $target = $(this), t = this;
-			var $balloon = $target.unbind("mouseenter", arguments.callee)
-				.showBalloon(options).mouseenter(function(e) {
-					isValidTargetEvent($target, e) && $target.showBalloon();
-				}).data("balloon");
-			if($balloon) {
-				$balloon.mouseleave(function(e) {
-					if(t == e.relatedTarget || $.contains(t, e.relatedTarget)) return;
-					$target.hideBalloon();
-				}).mouseenter(function(e) { $target.showBalloon(); });
-			}
-		}).mouseleave(function(e) {
-			var $target = $(this);
-			isValidTargetEvent($target, e) && $target.hideBalloon();
-		});
-	};
-
-	$.fn.showBalloon = function(options) {
-		var $target, $balloon, offTimer;
-		if(!$.balloon.defaults.css) $.balloon.defaults.css = {};
-		if(options || !this.data("options"))
-			this.data("options", $.extend(true, {}, $.balloon.defaults, options));
-		options = this.data("options");
-		return this.each(function() {
-			$target = $(this);
-			(offTimer = $target.data("offTimer")) && clearTimeout(offTimer);
-			var contents = $.isFunction(options.contents)
-				? options.contents()
-				: (options.contents || $target.attr("title"));
-			var isNew = !($balloon = $target.data("balloon"));
-			if(isNew) $balloon = $("<div>").append(contents);
-			if(!options.url && (!$balloon || $balloon.html() == "")) return;
-			if(!isNew && contents && contents != $balloon.html()) $balloon.empty().append(contents);
-			$target.removeAttr("title");
-			if(options.url) {
-				$balloon.load($.isFunction(options.url) ? options.url(this) : options.url, function(res, sts, xhr) {
-					if(options.ajaxComplete) options.ajaxComplete(res, sts, xhr);
-					makeupBalloon($target, $balloon, options);
-				});
-			}
-			if(isNew) {
-				$balloon
-					.addClass(options.classname)
-					.css(options.css)
-					.css({visibility: "hidden", position: "absolute"})
-					.appendTo("body");
-				$target.data("balloon", $balloon);
-				makeupBalloon($target, $balloon, options);
-				$balloon.hide().css("visibility", "visible");
-			} else {
-				makeupBalloon($target, $balloon, options);
-			}
-			$target.data("onTimer", setTimeout(function() {
-				if(options.showAnimation) {
-					options.showAnimation.apply($balloon.stop(true, true), [options.showDuration]);
-				} else {
-					$balloon.show(options.showDuration, function() {
-						if(this.style.removeAttribute) { this.style.removeAttribute("filter"); }
-					});
-				}
-			}, options.delay));
-		});
-	};
-
-	$.fn.hideBalloon = function() {
-		var options = this.data("options"), onTimer, offTimer;
-		return this.each(function() {
-			var $target = $(this);
-			(onTimer = $target.data("onTimer")) && clearTimeout(onTimer);
-			(offTimer = $target.data("offTimer")) && clearTimeout(offTimer);
-			$target.data("offTimer", setTimeout(function() {
-				var $balloon = $target.data("balloon");
-				if(options.hideAnimation) {
-					$balloon && options.hideAnimation.apply($balloon.stop(true, true), [options.hideDuration]);
-				} else {
-					$balloon && $balloon.stop(true, true).hide(options.hideDuration);
-				}
-			},
-			options.minLifetime));
-		});
-	};
-
-	$.balloon = {
-		defaults: {
-			contents: null, url: null, ajaxComplete: null, classname: null,
-			position: "top", offsetX: 0, offsetY: 0, tipSize: 12,
-			delay: 0, minLifetime: 200,
-			showDuration: 100, showAnimation: null,
-			hideDuration:  80, hideAnimation: function(d) { this.fadeOut(d); },
-			css: {
-				minWidth       : "20px",
-				padding        : "5px",
-				borderRadius   : "6px",
-				border         : "solid 1px #777",
-				boxShadow      : "4px 4px 4px #555",
-				//color          : "#666",
-				backgroundColor: "#efefef",
-				//opacity        : ($.support.opacity) ? "0.85" : null,
-				zIndex         : "32767",
-				textAlign      : "left",
-				/* Defaults altered and added by Jeremy Druin */
-				opacity        : ($.support.opacity) ? "1.0" : null,
-				maxWidth		: "500px",
-				fontWeight:"bold",
-				color:"#000000"
-			}
-		}
-	};
-})(jQuery);
diff --git a/javascript/on-page-scripts/content-security-policy.js b/javascript/on-page-scripts/content-security-policy.js
new file mode 100644
index 0000000..bfc7225
--- /dev/null
+++ b/javascript/on-page-scripts/content-security-policy.js
@@ -0,0 +1,25 @@
+var onSubmitOfForm = function(/* HTMLForm */ theForm){
+
+	var lOSCommandInjectionPattern = /[;&|<>]/;
+	var lCrossSiteScriptingPattern = /[<>=()]/;
+		
+	if(theForm.message.value.search(lOSCommandInjectionPattern) > -1){
+		alert("Malicious characters are not allowed.\n\nDon\'t listen to security people. Everyone knows if we just filter dangerous characters, injection is not possible.\n\nWe use JavaScript defenses combined with filtering technology.\n\nBoth are such great defenses that you are stopped in your tracks.");
+		return false;
+	}else if(theForm.message.value.search(lCrossSiteScriptingPattern) > -1){
+		alert("Characters used in cross-site scripting are not allowed.\n\nDon\'t listen to security people. Everyone knows if we just filter dangerous characters, injection is not possible.\n\nWe use JavaScript defenses combined with filtering technology.\n\nBoth are such great defenses that you are stopped in your tracks.");
+		return false;			
+	}else{
+		return true;
+	}// end if
+
+};// end JavaScript function onSubmitOfForm()
+
+$(function() {
+    document.addEventListener('DOMContentLoaded', function () {
+        document.getElementById('back-button-anchor').addEventListener('click', 
+            function(){
+                document.location.href='<?php echo $lHTTPReferer; ?>';            
+            });
+    });
+});
\ No newline at end of file
diff --git a/login.php b/login.php
index 2c76797..143cd20 100755
--- a/login.php
+++ b/login.php
@@ -72,26 +72,6 @@ function onSubmitOfLoginForm(/*HTMLFormElement*/ theForm){
 //-->
 </script>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("SQLInjectionPoint");
-   		
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[SQLInjectionPoint]').attr("title", "<?php echo $lSQLInjectionPointBallonTip; ?>");
-		$('[SQLInjectionPoint]').balloon();		
-	});
-</script>
-
 <div class="page-title">Login</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -115,7 +95,7 @@ function onSubmitOfLoginForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Username</td>
 				<td>
-					<input	SQLInjectionPoint="1" type="text" name="username" size="20"
+					<input	type="text" name="username" size="20"
 							autofocus="autofocus"
 					<?php
 						if ($lEnableHTMLControls) {
@@ -128,7 +108,7 @@ function onSubmitOfLoginForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Password</td>
 				<td>
-					<input SQLInjectionPoint="1" type="password" name="password" size="20"
+					<input type="password" name="password" size="20"
 					<?php
 						if ($lEnableHTMLControls) {
 							echo('minlength="1" maxlength="15" required="required"');
@@ -156,7 +136,7 @@ function onSubmitOfLoginForm(/*HTMLFormElement*/ theForm){
 <div id="id-log-out-div" style="text-align: center; display: none;">
 	<table>
 		<tr>
-			<td ReflectedXSSExecutionPoint="1" colspan="2" class="hint-header">You are logged in as <?php echo $_SESSION['logged_in_user']; ?></td>
+			<td colspan="2" class="hint-header">You are logged in as <?php echo $_SESSION['logged_in_user']; ?></td>
 		</tr>
 		<tr><td></td></tr>
 		<tr><td></td></tr>
diff --git a/password-generator.php b/password-generator.php
index 157b50c..42b0d4b 100755
--- a/password-generator.php
+++ b/password-generator.php
@@ -40,21 +40,6 @@
     	}// end try
 ?>
 
-<?php 
-	try{
-   		$lHTMLEventReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("HTMLEventReflectedXSSExecutionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[HTMLEventReflectedXSSExecutionPoint]').attr("title", "<?php echo $lHTMLEventReflectedXSSExecutionPointBallonTip; ?>");
-		$('[HTMLEventReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
-
 <script>
 	function onSubmitOfGeneratorForm(/*HTMLFormElement*/ theForm){
 		try{
@@ -98,7 +83,7 @@ function onSubmitOfGeneratorForm(/*HTMLFormElement*/ theForm){
 			</tr>
 			<tr><td></td></tr>
 			<tr style="text-align: center;">
-				<td id="idUsernameInput" HTMLEventReflectedXSSExecutionPoint="1" class="label"></td>
+				<td id="idUsernameInput" class="label"></td>
 			</tr>
 			<tr id="idPasswordTableRow" style="display: none;">
 				<td class="label" id="idPasswordInput"></td>
diff --git a/pen-test-tool-lookup-ajax.php b/pen-test-tool-lookup-ajax.php
index e81bebb..81987ab 100755
--- a/pen-test-tool-lookup-ajax.php
+++ b/pen-test-tool-lookup-ajax.php
@@ -70,21 +70,6 @@
 	}// end try
 ?>
 
-<?php 
-	try{
-   		$lJSONInjectionPointBallonTip = $BubbleHintHandler->getHint("JSONInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[JSONInjectionPoint]').attr("title", "<?php echo $lJSONInjectionPointBallonTip; ?>");
-		$('[JSONInjectionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">Pen Test Tool Lookup (AJAX Version)</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -234,7 +219,7 @@
 			<tr>
 				<td class="label" style="text-align: right;">Pen Test Tool</td>
 				<td>
-					<select id="idToolSelect" JSONInjectionPoint="1" name="ToolID" autofocus="autofocus">
+					<select id="idToolSelect" name="ToolID" autofocus="autofocus">
 						<option value="0923ac83-8b50-4eda-ad81-f1aac6168c5c" selected="selected">Please Choose Tool</option>
 						<option value="c84326e4-7487-41d3-91fd-88280828c756">Show All</option>
 						<?php echo $lPenTestToolsOptions; ?>
diff --git a/pen-test-tool-lookup.php b/pen-test-tool-lookup.php
index 069938c..a3efeeb 100755
--- a/pen-test-tool-lookup.php
+++ b/pen-test-tool-lookup.php
@@ -120,21 +120,6 @@
 	}//end if isset()	
 ?>
 
-<?php 
-	try{
-   		$lJSONInjectionPointBallonTip = $BubbleHintHandler->getHint("JSONInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[JSONInjectionPoint]').attr("title", "<?php echo $lJSONInjectionPointBallonTip; ?>");
-		$('[JSONInjectionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">Pen Test Tool Lookup</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -268,7 +253,7 @@
 			<tr>
 				<td class="label" style="text-align: right;">Pen Test Tool</td>
 				<td>
-					<select id="idToolSelect" JSONInjectionPoint="1" name="ToolID" autofocus="autofocus">
+					<select id="idToolSelect" name="ToolID" autofocus="autofocus">
 						<option value="0923ac83-8b50-4eda-ad81-f1aac6168c5c" selected="selected">Please Choose Tool</option>
 						<option value="c84326e4-7487-41d3-91fd-88280828c756">Show All</option>
 						<?php echo $lPenTestToolsOptions; ?>
diff --git a/register.php b/register.php
index 2103d56..0c6d39d 100755
--- a/register.php
+++ b/register.php
@@ -135,25 +135,6 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 //-->
 </script>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lHTMLandXSSandSQLInjectionPointBalloonTip = $BubbleHintHandler->getHint("HTMLandXSSandSQLInjectionPoint");
-   		$lSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("SQLInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[HTMLandXSSandSQLInjectionPoint]').attr("title", "<?php echo $lHTMLandXSSandSQLInjectionPointBalloonTip; ?>");
-		$('[HTMLandXSSandSQLInjectionPoint]').balloon();
-		$('[SQLInjectionPoint]').attr("title", "<?php echo $lSQLInjectionPointBallonTip; ?>");
-		$('[SQLInjectionPoint]').balloon();	
-	});
-</script>
-
 <span>
 	<a style="text-decoration: none; cursor: pointer;" href="./webservices/rest/ws-user-account.php">
 		<img style="vertical-align: middle;" src="./images/ajax_logo-75-79.jpg" height="75px" width="78px" />
@@ -175,7 +156,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Username</td>
 				<td>
-					<input HTMLandXSSandSQLInjectionPoint="1" type="text" name="username" size="15" autofocus="autofocus"
+					<input type="text" name="username" size="15" autofocus="autofocus"
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="15" required="required"');
@@ -187,7 +168,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Password</td>
 				<td>
-					<input SQLInjectionPoint="1" type="password" name="password" size="15" 
+					<input type="password" name="password" size="15" 
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="15" required="required"');
@@ -201,7 +182,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Confirm Password</td>
 				<td>
-					<input SQLInjectionPoint="1" type="password" name="confirm_password" size="15"
+					<input type="password" name="confirm_password" size="15"
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="15" required="required"');
@@ -213,7 +194,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label">Signature</td>
 				<td>
-					<textarea HTMLandXSSandSQLInjectionPoint="1" rows="3" cols="50" name="my_signature"
+					<textarea rows="3" cols="50" name="my_signature"
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="100" required="required"');
diff --git a/repeater.php b/repeater.php
index f1b9a4d..7993680 100755
--- a/repeater.php
+++ b/repeater.php
@@ -136,28 +136,6 @@ function onSubmitOfRepeaterForm(/*HTMLFormElement*/ theForm){
 //-->
 </script>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lBufferOverflowInjectionPointBalloonTip = $BubbleHintHandler->getHint("BufferOverflowInjectionPoint");
-		$lHTMLandXSSInjectionPointBalloonTip = $BubbleHintHandler->getHint("HTMLandXSSInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[BufferOverflowInjectionPoint]').attr("title", "<?php echo $lBufferOverflowInjectionPointBalloonTip; ?>");
-		$('[BufferOverflowInjectionPoint]').balloon();		
-		$('[HTMLandXSSInjectionPoint]').attr("title", "<?php echo $lHTMLandXSSInjectionPointBalloonTip; ?>");
-		$('[HTMLandXSSInjectionPoint]').balloon();		
-	});
-</script>
-
 <div class="page-title">Repeater</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -185,7 +163,7 @@ function onSubmitOfRepeaterForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label" style="text-align: left;">String to repeat</td>
 				<td style="text-align: left;">
-					<input HTMLandXSSInjectionPoint="1" type="text" name="string_to_repeat" size="40" autofocus="autofocus"
+					<input type="text" name="string_to_repeat" size="40" autofocus="autofocus"
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="40" required="required"');
@@ -197,7 +175,7 @@ function onSubmitOfRepeaterForm(/*HTMLFormElement*/ theForm){
 			<tr>
 				<td class="label" style="text-align: left;">Number of times to repeat</td>
 				<td style="text-align: left;">
-					<input BufferOverflowInjectionPoint="1" type="text" name="times_to_repeat_string" size="30"
+					<input type="text" name="times_to_repeat_string" size="30"
 						<?php
 							if ($lEnableHTMLControls) {
 								echo('minlength="1" maxlength="30" required="required"');
@@ -221,7 +199,7 @@ function onSubmitOfRepeaterForm(/*HTMLFormElement*/ theForm){
 	<table>
 		<tr><td></td></tr>
 		<tr>
-			<td ReflectedXSSExecutionPoint="1" colspan="2" class="hint-header"><?php echo $lBuffer; ?></td>
+			<td colspan="2" class="hint-header"><?php echo $lBuffer; ?></td>
 		</tr>
 		<tr><td></td></tr>
 	</table>	
diff --git a/robots-txt.php b/robots-txt.php
index 84012a1..791e741 100755
--- a/robots-txt.php
+++ b/robots-txt.php
@@ -18,8 +18,6 @@
     }// end try;
 ?>
 
-<!-- Bubble hints code -->
-
 <div class="page-title">Robots.txt</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
diff --git a/set-background-color.php b/set-background-color.php
index 17b4144..8ddd8f5 100755
--- a/set-background-color.php
+++ b/set-background-color.php
@@ -50,25 +50,6 @@
 	}// end if (isset($_POST)) 
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lCSSInjectionPointBallonTip = $BubbleHintHandler->getHint("CSSInjectionPoint");
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[CSSInjectionPoint]').attr("title", "<?php echo $lCSSInjectionPointBallonTip; ?>");
-		$('[CSSInjectionPoint]').balloon();
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
-
 <script type="text/javascript">
 	var onSubmitOfForm = function(/* HTMLForm */ theForm){
 
@@ -122,7 +103,7 @@
 		<tr>
 			<td class="label">Background Color</td>
 			<td>
-				<input CSSInjectionPoint="1" type="text" name="background_color" id="id_background_color" size="6" autofocus="autofocus"
+				<input type="text" name="background_color" id="id_background_color" size="6" autofocus="autofocus"
 					<?php
 						if ($lEnableHTMLControls) {
 							echo('minlength="6" maxlength="6" required="required"');
@@ -139,7 +120,7 @@
 		</tr>
 		<tr><td>&nbsp;</td></tr>
 		<tr>
-			<td ReflectedXSSExecutionPoint="1" class="informative-message" colspan="2" style="text-align: center;">
+			<td class="informative-message" colspan="2" style="text-align: center;">
 				The current background color is <?php echo $lBackgroundColorText; ?>
 			</td>
 		</tr>
diff --git a/set-up-database.php b/set-up-database.php
index 875b9ea..8033468 100755
--- a/set-up-database.php
+++ b/set-up-database.php
@@ -1,7 +1,7 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
 <html>
 	<head>
-		<link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />
+		<link rel="shortcut icon" href="./images/favicon.ico" type="image/x-icon" />
 		<link rel="stylesheet" type="text/css" href="./styles/global-styles.css" />
 	</head>
 	<body>
@@ -399,6 +399,15 @@ function format($pMessage, $pLevel ) {
 			('conference-room-lookup.php', 59, 1),
 			('conference-room-lookup.php', 63, 1),
 			('conference-room-lookup.php', 64, 1),
+			('content-security-policy.php', 11, 3),
+			('content-security-policy.php', 55, 3),
+			('content-security-policy.php', 12, 1),
+			('content-security-policy.php', 13, 1),
+			('content-security-policy.php', 20, 1),
+			('content-security-policy.php', 30, 1),
+			('content-security-policy.php', 48, 1),
+			('content-security-policy.php', 56, 1),
+			('content-security-policy.php', 59, 1),
 			('credits.php', 19, 1),
 			('credits.php', 56, 1),
 			('credits.php', 59, 1),
@@ -807,84 +816,6 @@ function format($pMessage, $pLevel ) {
 		(54, '<span class=\"label\">Insufficent Transport Layer Protection</span>: This page is vulnerable to interception with wireshark or tcpdump.'),
 	    (63, '<span class=\"label\">LDAP Injection</span>: This page is vulnerable to LDAP injection.')";
 	
-	
-	$lQueryResult = $MySQLHandler->executeQuery($lQueryString);
-	if (!$lQueryResult) {
-		$lErrorDetected = TRUE;
-	}else{
-		echo "<div class=\"database-success-message\">Executed query 'INSERT INTO TABLE' with result ".$lQueryResult."</div>";
-	}// end if
-		
-	$lQueryString = 
-			'CREATE TABLE balloon_tips('.
-				'tip_key VARCHAR(64) NOT NULL, '.
-				'hint_level INT, '.
-				'tip TEXT, '.
-				'PRIMARY KEY(tip_key, hint_level)'.
-			')';
-	$lQueryResult = $MySQLHandler->executeQuery($lQueryString);
-	if (!$lQueryResult) {
-		$lErrorDetected = TRUE;
-	}else{
-		echo format("Executed query 'CREATE TABLE' with result ".$lQueryResult,"S");
-	}// end if
-
-	$lQueryString ="INSERT INTO `balloon_tips` (`tip_key`, `hint_level`, `tip`) VALUES
-			('ParameterPollutionInjectionPoint', 0, 'User input is not evaluated for duplicate parameters'),
-			('ParameterPollutionInjectionPoint', 1, 'If user input contains the same variable more than once, the system will only accept one of the values. This can be used to trick the system into accepting a correct value and a mallicious value but only counting the mallicious value.'),
-			('ParameterPollutionInjectionPoint', 2, 'Send two copies of the same parameter. Note carefully if the system uses the first, second, or both values. Some systems will concatenate the values together. If the system uses the first value, inject the value you want the system to count first.'),
-			('CSSInjectionPoint', 0, 'User input is incorporated into the style sheet returned from the server'),
-			('CSSInjectionPoint', 1, 'User input is incorporated into the style sheet returned from the server without being properly encoded. This allows an attacker to inject cross-site scripts or HTML into the input and break out of the style-sheet context. Arbitrary Javascript and HTML can be injected.'),
-			('CSSInjectionPoint', 2, 'Locate the input parameter that is incorporated into the style sheet. Determine what chracters are needed to properly complete the style so it is sytactically correct. Inject this closing statement along with a Javascript or HTML to be executed.'),
-			('JSONInjectionPoint', 0, 'User input is incorporated into the JSON returned from the server'),
-			('JSONInjectionPoint', 1, 'User input is incorporated into the JSON returned from the server without being properly encoded. This allows an attacker to inject JSON into the input and break out of the JSON context. Arbitrary Javascript can be injected.'),
-			('JSONInjectionPoint', 2, 'Locate the input parameter that is incorporated into the JSON. Determine what chracters are needed to properly complete the JSON so it is sytactically correct. Inject this closing statement along with a Javascript to be executed.'),
-			('DOMXSSExecutionPoint', 0, 'This location contains dynamic output modified by the DOM'),
-			('DOMXSSExecutionPoint', 1, 'Lack of output encoding controls often result in cross-site scripting when user input is incorporated into the DOM'),
-			('DOMXSSExecutionPoint', 2, 'This output is vulnerable to cross-site scripting because user-input is incorporated into the DOM without properly encoding the user input first. Determine which input field contributes output here and inject HTML or scripts'),
-			('ArbitraryRedirectionPoint', 0, 'Arbitrary redirection is a type of insecure direct object reference'),
-			('ArbitraryRedirectionPoint', 1, 'See if a URL can be injected in place of the intended URL'),
-			('ArbitraryRedirectionPoint', 2, 'Try injecting a URL into the parameter which contains the page to which the site thinks the user should be redirected to. It may be neccesary to use a complete URL including the protocol.'),
-			('SQLInjectionPoint', 0, 'SQL Injection may occur on any page interacting with a database'),
-			('SQLInjectionPoint', 1, 'Try injecting single-quotes and other special control characters'),
-			('SQLInjectionPoint', 2, 'Try injecting single-quotes and other special control characters to produce an error if possible. Note any queries in the error to assist in injecting a complete query. Try using SQLMAP to inject queries.'),
-			('CookieTamperingAffectedArea', 0, 'Cookies may store system state information'),
-			('CookieTamperingAffectedArea', 1, 'Inspect the value of the cookies with a Firefox add-on like Cookie-Manager or a non-transparent proxy like Burp or Zap'),
-			('CookieTamperingAffectedArea', 2, 'Change the value of the cookies to see what affect is produced on the site. Also watch how the values of the cookies change after using different site features.'),
-			('JavascriptInjectionPoint', 0, 'This location does not use Javascript string encoding'),
-			('JavascriptInjectionPoint', 1, 'This location is vulnerable to Javascript string injection. The first step is to determine which parameter is output here'),
-			('JavascriptInjectionPoint', 2, 'Locate the input parameter that is output to this location and inject raw Javascript commands. Use the view-source to see if the syntax of the injection is correct'),
-			('LocalFileInclusionVulnerability', 0, 'Perhaps a file other than the one intended could be included in this page'),
-			('LocalFileInclusionVulnerability', 1, 'This page is vulnerable a local file inclusion vulnerability because it does not strongly validate that only explicitly named-pages are allowed.'),
-			('LocalFileInclusionVulnerability', 2, 'Identify the input parameter that accepts the filename to be included then change that parameter to a system file such as /etc/passwd or C:\\boot.ini'),
-			('RemoteFileInclusionVulnerability', 0, 'Perhaps a remote URI could be included in this page. Note that on newer PHP servers the configuration parameters \"allow_url_fopen\" and \"allow_url_include\" must be set to \"On\"'),
-			('RemoteFileInclusionVulnerability', 1, 'This page is vulnerable a remote file inclusion vulnerability because it does not strongly validate that only explicitly named-pages are allowed. Note that on newer PHP servers the configuration parameters \"allow_url_fopen\" and \"allow_url_include\" must be set to \"On\".'),
-			('RemoteFileInclusionVulnerability', 2, 'Identify the input parameter that accepts the filename to be included then change that parameter to a system file such as http://www.google.com. Note that on newer PHP servers the configuration parameters \"allow_url_fopen\" and \"allow_url_include\" must be set to \"On\".'),
-			('HTMLandXSSandSQLInjectionPoint', 0, 'Inputs are usually a good place to start testing for cross-site scripting, HTML injection and SQL injection'),
-			('HTMLandXSSandSQLInjectionPoint', 1, 'This input is vulnerable to multiple types of injection including cross-site scripting, HTML injection and SQL injection'),
-			('HTMLandXSSandSQLInjectionPoint', 2, 'To get started with cross-site scripting and HTML injection, inject a Javascript or HTML code then view-source on the resulting page to see if the script syntax is correct. For SQL injection, start by injecting a single-quote to produce an error.'),
-			('HTMLandXSSInjectionPoint', 0, 'Inputs are usually a good place to start testing for cross-site scripting and HTML injection'),
-			('HTMLandXSSInjectionPoint', 1, 'This input is vulnerable to multiple types of injection including cross-site scripting and HTML injection'),
-			('HTMLandXSSInjectionPoint', 2, 'To get started with cross-site scripting and HTML injection, inject a Javascript or HTML code then view-source on the resulting page to see if the script syntax is correct.'),
-			('BufferOverflowInjectionPoint', 0, 'Inputs are usually a good place to start testing for buffer overflows.'),
-			('BufferOverflowInjectionPoint', 1, 'This input is vulnerable to overflowing a memory buffer. Given this is an interpreted web application, the buffer is just a variable rather than a stack- or heap- overflow.'),
-			('BufferOverflowInjectionPoint', 2, 'To trigger a buffer overflow, cause the system to store a large number of characters in a string variable or inject a large number that overflows the data type assigned. PHP documentation states that 134,217,728 characters can be held in a string including the null terminator. String buffer overflows using str_repeat() are tricky because if the number of characters to repeat is too large, PHP sees the number as NaN and wont throw an overflow error.'),
-			('OSCommandInjectionPoint', 0, 'Inputs are usually a good place to start testing for command injection'),
-			('OSCommandInjectionPoint', 1, 'This input is vulnerable to multiple types of injection'),
-			('OSCommandInjectionPoint', 2, 'This input is vulnerable to command injection plus may provide an injection point for reflected cross-site scripting. Try stating with \"127.0.0.1 && dir\".'),
-			('XSRFVulnerabilityArea', 0, 'HTML forms are vulnerable to cross-site request forgery by default although sensitive forms may be protected'),
-			('XSRFVulnerabilityArea', 1, 'This form is vulnerable to cross-site request forgery. Knowing the form action and inputs is the first step.'),
-			('XSRFVulnerabilityArea', 2, 'Use this form to commit cross-site request forgery. Capture a legitimate request in Burp/Zap then create a cross-site script that sends the equivilent request when a user executes the cross-site script.'),
-			('ReflectedXSSExecutionPoint', 0, 'This location contains dynamic output'),
-			('ReflectedXSSExecutionPoint', 1, 'Lack of output encoding controls often result in cross-site scripting'),
-			('ReflectedXSSExecutionPoint', 2, 'This output is vulnerable to cross-site scripting. Determine which input field contributes output here and inject scripts'),
-			('HTMLEventReflectedXSSExecutionPoint', 0, 'This location contains dynamic output'),
-			('HTMLEventReflectedXSSExecutionPoint', 1, 'Lack of output encoding controls often result in cross-site scripting; in this case via HTML Event injection.'),
-			('HTMLEventReflectedXSSExecutionPoint', 2, 'This output is vulnerable to cross-site scripting because the input is not encoded prior to be used as a value in an HTML event. Determine which input field contributes output here and inject scripts.'),
-			('PathRelativeStylesheetInjectionArea', 0, 'This area is vulnerable to Path Relaive Stylesheet Injection'),
-			('PathRelativeStylesheetInjectionArea', 1, 'Lack of output encoding controls often result in cross-site scripting; in this case via Path Relaive Stylesheet Injection.'),
-			('PathRelativeStylesheetInjectionArea', 2, 'This output is vulnerable to path relative stylesheet injection because the input is not encoded prior to be used as a value in an HTML text element. Determine which input field contributes output here and inject CSS.')
-			;";
 	$lQueryResult = $MySQLHandler->executeQuery($lQueryString);
 	if (!$lQueryResult) {
 		$lErrorDetected = TRUE;
diff --git a/show-log.php b/show-log.php
index d3ee672..c961b1a 100755
--- a/show-log.php
+++ b/show-log.php
@@ -42,22 +42,6 @@
 	$lQueryResult = $SQLQueryHandler->getHitLogEntries();
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">Log</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -128,8 +112,8 @@
 				echo "<tr>
 						<td>{$lHostname}</td>
 						<td>{$lClientIPAddress}</td>
-						<td ReflectedXSSExecutionPoint=\"1\">{$lBrowser}</td>
-						<td ReflectedXSSExecutionPoint=\"1\">{$lReferer}</td>
+						<td>{$lBrowser}</td>
+						<td>{$lReferer}</td>
 						<td>{$lDate}</td>
 					</tr>\n";
 			}//end while $row
diff --git a/site-footer-xss-discussion.php b/site-footer-xss-discussion.php
index 19a188f..b674c13 100755
--- a/site-footer-xss-discussion.php
+++ b/site-footer-xss-discussion.php
@@ -48,22 +48,6 @@
     }// end try;
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">Browser Version Site Footer</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -77,7 +61,7 @@
 	<tr><td>&nbsp;</td></tr>
 	<tr>
 		<td class="label">Browser Version: </td>
-		<td ReflectedXSSExecutionPoint="1"><?php echo $lClientUserAgentString; ?></td>
+		<td><?php echo $lClientUserAgentString; ?></td>
 	</tr>
 	<tr><td>&nbsp;</td></tr>
 	<tr><td>&nbsp;</td></tr>
diff --git a/source-viewer.php b/source-viewer.php
index 1d101fa..0a9b4cb 100755
--- a/source-viewer.php
+++ b/source-viewer.php
@@ -54,25 +54,6 @@
 	}// end if
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lHTMLandXSSandSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("HTMLandXSSandSQLInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[HTMLandXSSandSQLInjectionPoint]').attr("title", "<?php echo $lHTMLandXSSandSQLInjectionPointBallonTip; ?>");
-		$('[HTMLandXSSandSQLInjectionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">Source Code Viewer</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -97,7 +78,7 @@
 			<td class="label">Source File Name</td>
 			<td>
 				<input type="hidden" name="page" value="<?php echo $_REQUEST['page']?>">
-				<select name="phpfile" id="id_file_select" HTMLandXSSandSQLInjectionPoint="1" autofocus="autofocus" <?php echo $lHTMLControlAttributes ?>>
+				<select name="phpfile" id="id_file_select" autofocus="autofocus" <?php echo $lHTMLControlAttributes ?>>
 				<?php 
 					$_SESSION['source-viewer-files-array'] = "";						
 					if(!$lValidateAndTokenize){
@@ -232,7 +213,7 @@
 		   	
 		   	// try to display the file
 		   	try {
-	   			echo '<span ReflectedXSSExecutionPoint=\"1\" class="label">File: '.$lFilename.'</span>';
+	   			echo '<span class="label">File: '.$lFilename.'</span>';
 	   			echo '<pre>';
 				highlight_file($lFilename);
 				echo '</pre>';
diff --git a/styles/ddsmoothmenu/ddsmoothmenu.css b/styles/ddsmoothmenu/ddsmoothmenu.css
index bdef56b..3b5d5b5 100755
--- a/styles/ddsmoothmenu/ddsmoothmenu.css
+++ b/styles/ddsmoothmenu/ddsmoothmenu.css
@@ -6,8 +6,8 @@
 
 .ddsmoothmenu ul{
 	z-index:100;
-	margin: 0;
-	padding: 0;
+	margin: 0px;
+	padding: 0px;
 	list-style-type: none;
 }
 
@@ -16,6 +16,7 @@
 	position: relative;
 	display: inline;
 	float: left;
+	border-bottom: 1px solid white;
 }
 
 /*Top level menu link items style*/
@@ -25,9 +26,8 @@
 	color: white;
 	padding: 8px 10px;
 	border-right: 1px solid #778;
-	color: #2d2b2b;
 	text-decoration: none;
-	width: 130px;
+	width: 125px;
 }
 
 * html .ddsmoothmenu ul li a{ /*IE6 hack to get sub menu links to behave correctly*/
@@ -91,7 +91,7 @@ float: none;
 
 .rightarrowclass{
 	position: absolute;
-	top: 6px;
+	top: 10px;
 	right: 5px;
 }
 
diff --git a/styles/ddsmoothmenu/readme.txt b/styles/ddsmoothmenu/readme.txt
deleted file mode 100755
index 56b592f..0000000
--- a/styles/ddsmoothmenu/readme.txt
+++ /dev/null
@@ -1 +0,0 @@
-http://www.dynamicdrive.com/dynamicindex1/ddsmoothmenu.htm
\ No newline at end of file
diff --git a/styles/global-styles.css b/styles/global-styles.css
index 7999541..9bb72e8 100755
--- a/styles/global-styles.css
+++ b/styles/global-styles.css
@@ -59,13 +59,6 @@ div.page-title,span.page-title{
 	border-radius: 5px;
 }
 
-div.footer{
-	font-size: 12pt;
-	font-weight: bold;
-	text-align: center;
-	background-color: #ccccff;
-}
-
 *.label{
 	font-weight: bold;
 }
@@ -125,22 +118,6 @@ div.help-text-header{
 	border-radius: 5px;
 }
 
-/* ------------------------------------------------- */
-/* Special Header Page Styles */
-/* ------------------------------------------------- */
-
-span.version-header {
-	position: relative;
-	left: 0px;
-	font-weight: bold;
-}
-
-span.logged-in-user-header {
-	position: absolute;
-	right: 20px;
-	font-weight: bold;
-}
-
 /* ------------------------------------------------- */
 /* Tutorials */
 /* ------------------------------------------------- */
@@ -225,8 +202,6 @@ table{
 
 table tr td.label{
 	font-weight: bold;
-	/*color: white;*/
-	/*background-color: #000099;*/
 }
 
 table tr td{
@@ -238,62 +213,69 @@ table tr td{
 /* ---------------------------------------------------- */
 
 table.main-table-frame{
-	border-width: 1px;
-	border-color: #000000;
-	border-style: solid;
-	width:100%;
 	border-collapse: collapse;
 	border-spacing: 0px;
+	padding: 0px;
+	width:100%;
 }
 
-/* ---------------------------------------------------- */
-/* Horizontal Menu Table on the Sites Main Header Frame */
-/* ---------------------------------------------------- */
-td.header-menu-table{
-	background-color: #414141;
+tr.main-table-frame-dark{
+	background-color: #55557720;
+	text-align: center;
+	font-weight: bold;
 }
 
-table.header-menu-table{
-	/*width: 80%;*/
-	border-collapse: collapse;
-	border-spacing: 0px;
-	padding: 0px;
-	margin: auto;
+td.main-table-frame-first-bar{
+	font-size: 30px;
 }
 
-table.header-menu-table tr{
-	
+td.main-table-frame-second-bar{
+	font-size: 16px;
 }
 
-table.header-menu-table tr td{
-	text-align: center;
-	background-color: #414141;
-	color: #000000;
-	font: bold 12px Verdana;
-	padding: 0px;
+span.version-header {
+	margin-left: 20px;
 }
 
-table.header-menu-table tr td a{
-	text-decoration: none;
-	display: block;
-	padding-right: 5px;
-	padding-left: 5px;
-	padding-top: 5px;
-	padding-bottom: 5px;
+tr.main-table-frame-third-bar{
+	background-color: #414141;
+	text-align: center;
+	font-size: 14px;
+	color: white;
+	font-weight: bold;
+	font-style: Verdana;
 }
 
-table.header-menu-table tr td a:link, table.header-menu-table tr td a:visited{
+td.main-table-frame-third-bar a, a:active, a:visited{
 	color: white;
 }
 
-table.header-menu-table tr td a.selected{
-	background: black; 
-	color: white;
+td.main-table-frame-third-bar a:hover{
+	color: black;
+	background-color: white;
 }
 
-table.header-menu-table tr td a:hover{
-	background: black;
-	color: white;
+span.logged-in-user{
+	color: #990000;
+}
+
+td.main-table-frame-left{
+	vertical-align: top;
+	background-color: #55557720;
+	width:100pt;
+}
+
+td.main-table-frame-left div{
+	color: blue;
+	font-weight: bold;
+	text-align: center;
+}
+
+td.main-table-frame-right{
+	vertical-align: top;
+	padding-left: 30px;
+	padding-right: 30px;
+	padding-top: 10px;
 }
 
 /* ----------------------------------------------------------------- */
diff --git a/styling-frame.php b/styling-frame.php
index 72e6874..cbf4a60 100755
--- a/styling-frame.php
+++ b/styling-frame.php
@@ -45,20 +45,8 @@
 		echo $CustomErrorHandler->FormatError($e, $lQueryString);
 	};// end try;
 
-	try{
-   		$lPathRelativeStylesheetInjectionAreaBallonTip = $BubbleHintHandler->getHint("PathRelativeStylesheetInjectionArea");
- 	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try	
 ?>
 
-<script type="text/javascript">
-	$(function() {
-		$('[PathRelativeStylesheetInjectionArea]').attr("title", "<?php echo $lPathRelativeStylesheetInjectionAreaBallonTip; ?>");
-		$('[PathRelativeStylesheetInjectionArea]').balloon();
-	});
-</script>
-
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
 <?php include_once (__ROOT__.'/includes/hints/hints-menu-wrapper.inc'); ?>
 <!-- Note: To encourage IE into compatibility mode add the following
diff --git a/text-file-viewer.php b/text-file-viewer.php
index ddb09d8..5368d48 100755
--- a/text-file-viewer.php
+++ b/text-file-viewer.php
@@ -49,25 +49,6 @@
 	}// end try
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lHTMLandXSSandSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("HTMLandXSSandSQLInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[HTMLandXSSandSQLInjectionPoint]').attr("title", "<?php echo $lHTMLandXSSandSQLInjectionPointBallonTip; ?>");
-		$('[HTMLandXSSandSQLInjectionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">Hacker Files of Old</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -91,7 +72,7 @@
 		<tr>
 			<td class="label">Text File Name</td>
 			<td>
-				<select size="1" name="textfile" id="id_textfile_select" HTMLandXSSandSQLInjectionPoint="1" autofocus="autofocus" <?php echo $lHTMLControlAttributes ?>>
+				<select size="1" name="textfile" id="id_textfile_select" autofocus="autofocus" <?php echo $lHTMLControlAttributes ?>>
 					<option value="<?php if ($lUseTokenization){echo 1;}else{echo 'http://www.textfiles.com/hacking/auditool.txt';}?>">Intrusion Detection in Computers by Victor H. Marshall (January 29, 1991)</option>
 					<option value="<?php if ($lUseTokenization){echo 2;}else{echo 'http://www.textfiles.com/hacking/atms';}?>">An Overview of ATMs and Information on the Encoding System</option>
 					<option value="<?php if ($lUseTokenization){echo 3;}else{echo 'http://www.textfiles.com/hacking/backdoor.txt';}?>">How to Hold Onto UNIX Root Once You Have It</option>
@@ -234,7 +215,7 @@
 			try{				
 			    // open file handle
 				$handle = fopen($lURL, "r");
-	   			echo '<span ReflectedXSSExecutionPoint=\"1\" class="label">File: '.$lTextFileDescription.'</span>';
+	   			echo '<span class="label">File: '.$lTextFileDescription.'</span>';
 	   			echo '<pre>';
 	   			echo stream_get_contents($handle);
 				echo '</pre>';
diff --git a/upload-file.php b/upload-file.php
index d2ac069..bfbf6f4 100755
--- a/upload-file.php
+++ b/upload-file.php
@@ -119,22 +119,6 @@
 	}// end try	
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lHTMLandXSSandSQLInjectionPointBalloonTip = $BubbleHintHandler->getHint("HTMLandXSSandSQLInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[HTMLandXSSandSQLInjectionPoint]').attr("title", "<?php echo $lHTMLandXSSandSQLInjectionPointBalloonTip; ?>");
-		$('[HTMLandXSSandSQLInjectionPoint]').balloon();
-	});
-</script>
-
 <script type="text/javascript">
 	var onSubmitOfForm = function(/* HTMLForm */ theForm){
 
@@ -207,7 +191,7 @@
 				    <!-- MAX_FILE_SIZE must precede the file input field -->
 				    <input type="hidden" name="MAX_FILE_SIZE" id="id_max_file_size" value="<?php echo $lAllowedFileSize; ?>" />
 					<label for="filename-text" class="label">Filename</label>
-					<input type="text" HTMLandXSSandSQLInjectionPoint="1" style="background-color:#ffffff;color:#000000;font-family:courier" disabled="disabled" name="filename-text" id="idFilenameText" size="50" />
+					<input type="text" style="background-color:#ffffff;color:#000000;font-family:courier" disabled="disabled" name="filename-text" id="idFilenameText" size="50" />
 					<img src="./images/upload-32-32.png" align="middle" onclick="idFilename.click();" />
 					<input type="file" id="idFilename" name="filename" style="display: none;" onchange="idFilenameText.value=this.value" />
 				</td>
diff --git a/user-agent-impersonation.php b/user-agent-impersonation.php
index 3081b11..1b0ab7e 100755
--- a/user-agent-impersonation.php
+++ b/user-agent-impersonation.php
@@ -40,22 +40,6 @@
     }// end try;
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lJavaScriptInjectionPointBallonTip = $BubbleHintHandler->getHint("JavaScriptInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try	
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[JavaScriptInjectionPoint]').attr("title", "<?php echo $lJavaScriptInjectionPointBallonTip; ?>");
-		$('[JavaScriptInjectionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">User-Agent Impersonation</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -67,17 +51,17 @@
 	<table style="width:80%;" class="results-table">
 		<tr><td colspan="3" id="id_result"></td></tr>
 	   	<tr><td colspan="3">&nbsp;</td></tr>
-		<tr><th class="report-label">User Agent</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_user_agent_td"></td></tr>
-		<tr><th class="report-label">App Code Name</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_browser_codename_td"></td></tr>
-		<tr><th class="report-label">App Name</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_browser_td"></td></tr>
-		<tr><th class="report-label">Browser Version</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_browser_version_td"></td></tr>
-		<tr><th class="report-label">Platform</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_platform_td"></td></tr>
-		<tr><th class="report-label">Vendor</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_browser_vendor_td"></td></tr>
-		<tr><th class="report-label">Vendor Sub</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_browser_vendor_sub_td"></td></tr>
-		<tr><th class="report-label">Build ID</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_build_id_td"></td></tr>
-		<tr><th class="report-label">O/S CPU</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_oscpu_td"></td></tr>
-		<tr><th class="report-label">Product</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_product_td"></td></tr>
-		<tr><th class="report-label">Product Sub</th><td class="report-data" JavaScriptInjectionPoint="1" id="id_product_sub_td"></td></tr>
+		<tr><th class="report-label">User Agent</th><td class="report-data" id="id_user_agent_td"></td></tr>
+		<tr><th class="report-label">App Code Name</th><td class="report-data" id="id_browser_codename_td"></td></tr>
+		<tr><th class="report-label">App Name</th><td class="report-data" id="id_browser_td"></td></tr>
+		<tr><th class="report-label">Browser Version</th><td class="report-data" id="id_browser_version_td"></td></tr>
+		<tr><th class="report-label">Platform</th><td class="report-data" id="id_platform_td"></td></tr>
+		<tr><th class="report-label">Vendor</th><td class="report-data" id="id_browser_vendor_td"></td></tr>
+		<tr><th class="report-label">Vendor Sub</th><td class="report-data" id="id_browser_vendor_sub_td"></td></tr>
+		<tr><th class="report-label">Build ID</th><td class="report-data" id="id_build_id_td"></td></tr>
+		<tr><th class="report-label">O/S CPU</th><td class="report-data" id="id_oscpu_td"></td></tr>
+		<tr><th class="report-label">Product</th><td class="report-data" id="id_product_td"></td></tr>
+		<tr><th class="report-label">Product Sub</th><td class="report-data" id="id_product_sub_td"></td></tr>
 	</table>
 </fieldset>
 
diff --git a/user-info-xpath.php b/user-info-xpath.php
index c69a34d..e8fe0e5 100755
--- a/user-info-xpath.php
+++ b/user-info-xpath.php
@@ -98,24 +98,6 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 	}// end function onSubmitOfForm(/*HTMLFormElement*/ theForm)
 	
 </script>
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("SQLInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[SQLInjectionPoint]').attr("title", "<?php echo $lSQLInjectionPointBallonTip; ?>");
-		$('[SQLInjectionPoint]').balloon();
-	});
-</script>
 
 <div class="page-title">User Lookup (XPath)</div>
 
@@ -156,7 +138,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 		<tr>
 			<td class="label">Name</td>
 			<td>
-				<input SQLInjectionPoint="1" type="text" name="username" size="20" autofocus="autofocus" 
+				<input type="text" name="username" size="20" autofocus="autofocus" 
 					<?php
 						if ($lEnableHTMLControls) {
 							echo('minlength="1" maxlength="20" required="required"');
@@ -168,7 +150,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 		<tr>
 			<td class="label">Password</td>
 			<td>
-				<input SQLInjectionPoint="1" type="password" name="password" size="20"
+				<input type="password" name="password" size="20"
 					<?php
 						if ($lEnableHTMLControls) {
 							echo('minlength="1" maxlength="20" required="required"');
@@ -225,7 +207,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 
 			echo '<br />
 				  <div class="report-header">
-						Results for <span ReflectedXSSExecutionPoint="1" style="color:#770000;">'
+						Results for <span style="color:#770000;">'
 					.$lHTMLUsername.
 				'</span></div>';		
 			
diff --git a/user-info.php b/user-info.php
index 53bc778..6b20be7 100755
--- a/user-info.php
+++ b/user-info.php
@@ -85,24 +85,6 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 	}// end function onSubmitOfForm(/*HTMLFormElement*/ theForm)
 	
 </script>
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("SQLInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[SQLInjectionPoint]').attr("title", "<?php echo $lSQLInjectionPointBallonTip; ?>");
-		$('[SQLInjectionPoint]').balloon();
-	});
-</script>
 
 <div class="page-title">User Lookup (SQL)</div>
 
@@ -143,7 +125,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 		<tr>
 			<td class="label">Name</td>
 			<td>
-				<input SQLInjectionPoint="1" type="text" name="username" size="20" autofocus="autofocus" 
+				<input type="text" name="username" size="20" autofocus="autofocus" 
 					<?php
 						if ($lEnableHTMLControls) {
 							echo('minlength="1" maxlength="20" required="required"');
@@ -155,7 +137,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 		<tr>
 			<td class="label">Password</td>
 			<td>
-				<input SQLInjectionPoint="1" type="password" name="password" size="20"
+				<input type="password" name="password" size="20"
 					<?php
 						if ($lEnableHTMLControls) {
 							echo('minlength="1" maxlength="20" required="required"');
@@ -205,7 +187,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 			}// end if
 
 			echo '	<div class="report-header">
-						Results for &quot;<span ReflectedXSSExecutionPoint="1" style="color:#770000;">'
+						Results for &quot;<span style="color:#770000;">'
 						.$lUsername.
 						'</span>&quot;.'.$lRecordsFound.' records found.
 					</div>';
@@ -229,9 +211,9 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 						$lSignature = $Encoder->encodeForHTML($row->mysignature);			
 					}// end if
 					
-					echo "<span style=\"font-weight:bold;\">Username=</span><span ReflectedXSSExecutionPoint=\"1\">{$lUsername}</span><br/>";
-					echo "<span style=\"font-weight:bold;\">Password=</span><span ReflectedXSSExecutionPoint=\"1\">{$lPassword}</span><br/>";
-					echo "<span style=\"font-weight:bold;\">Signature=</span><span ReflectedXSSExecutionPoint=\"1\">{$lSignature}</span><br/><br/>";
+					echo "<span style=\"font-weight:bold;\">Username=</span><span>{$lUsername}</span><br/>";
+					echo "<span style=\"font-weight:bold;\">Password=</span><span>{$lPassword}</span><br/>";
+					echo "<span style=\"font-weight:bold;\">Signature=</span><span>{$lSignature}</span><br/><br/>";
 				}// end while
 	
 			} else {
diff --git a/user-poll.php b/user-poll.php
index 4eb9a50..48aaf53 100755
--- a/user-poll.php
+++ b/user-poll.php
@@ -137,25 +137,6 @@ function isParameterPollutionDetected(/*String*/ $pQueryString){
    	}//end if lFormSubmitted
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lParameterPollutionInjectionPointBallonTip = $BubbleHintHandler->getHint("ParameterPollutionInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[ParameterPollutionInjectionPoint]').attr("title", "<?php echo $lParameterPollutionInjectionPointBallonTip; ?>");
-		$('[ParameterPollutionInjectionPoint]').balloon();
-	});
-</script>
-
 <div class="page-title">User Poll</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -200,7 +181,7 @@ function isParameterPollutionDetected(/*String*/ $pQueryString){
 			</tr>
 			<tr>
 				<td class="label">
-					Your Initials:<input type="text" name="initials" <?php echo $lHTMLControlAttributes ?> ParameterPollutionInjectionPoint="1" value="<?php echo $lUserInitials; ?>"/>
+					Your Initials:<input type="text" name="initials" <?php echo $lHTMLControlAttributes ?> value="<?php echo $lUserInitials; ?>"/>
 				</td>
 			</tr>
 			<tr><td></td></tr>
@@ -212,7 +193,7 @@ function isParameterPollutionDetected(/*String*/ $pQueryString){
 			<tr><td></td></tr>
 			<tr><td></td></tr>
 			<tr>
-				<td class="report-header" ReflectedXSSExecutionPoint="1">
+				<td class="report-header">
 				<?php echo $lUserChoiceMessage; ?>
 				</td>
 			</tr>
@@ -255,7 +236,7 @@ function isParameterPollutionDetected(/*String*/ $pQueryString){
 				}// end if
 								
 				echo "<tr>
-						<th class=\"report-label\" ReflectedXSSExecutionPoint=\"1\">{$lToolName}</th>
+						<th class=\"report-label\">{$lToolName}</th>
 						<td class=\"report-data\">{$lToolCount}</td>
 					</tr>\n";
 			}//end while $row
diff --git a/view-someones-blog.php b/view-someones-blog.php
index 9498372..d3aa85f 100755
--- a/view-someones-blog.php
+++ b/view-someones-blog.php
@@ -66,26 +66,6 @@
    	}// end if
 ?>
 
-
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lSQLInjectionPointBallonTip = $BubbleHintHandler->getHint("SQLInjectionPoint");   		
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try	
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[SQLInjectionPoint]').attr("title", "<?php echo $lSQLInjectionPointBallonTip; ?>");
-		$('[SQLInjectionPoint]').balloon();		
-	});
-</script>
-
 <div class="page-title">View Blogs</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -113,7 +93,7 @@
 			<tr><td></td></tr>
 			<tr>
 				<td>
-					<select name="author" id="id_author_select" SQLInjectionPoint="1" autofocus="autofocus" <?php echo $lHTMLControlAttributes ?>>
+					<select name="author" id="id_author_select" autofocus="autofocus" <?php echo $lHTMLControlAttributes ?>>
 						<option value="53241E83-76EC-4920-AD6D-503DD2A6BA68">&nbsp;&nbsp;&nbsp;Please Choose Author&nbsp;&nbsp;&nbsp;</option>
 						<option value="6C57C4B5-B341-4539-977B-7ACB9D42985A">Show All</option>
 						<?php
@@ -225,9 +205,9 @@
 										
 					echo "<tr>
 						<td>{$lRowNumber}</td>
-						<td ReflectedXSSExecutionPoint=\"1\">{$lBloggerName}</td>
+						<td>{$lBloggerName}</td>
 						<td>{$lDate}</td>
-						<td ReflectedXSSExecutionPoint=\"1\">{$lComment}</td>
+						<td>{$lComment}</td>
 					</tr>\n";
 				}//end while $row
 				echo "</table>";		
diff --git a/view-user-privilege-level.php b/view-user-privilege-level.php
index bcaf17f..e1fcdd4 100755
--- a/view-user-privilege-level.php
+++ b/view-user-privilege-level.php
@@ -138,28 +138,6 @@ function __xor($lHexString1, $lHexString2) {
 	}// end try	
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-   		$lBufferOverflowInjectionPointBalloonTip = $BubbleHintHandler->getHint("BufferOverflowInjectionPoint");
-		$lHTMLandXSSInjectionPointBalloonTip = $BubbleHintHandler->getHint("HTMLandXSSInjectionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-		$('[BufferOverflowInjectionPoint]').attr("title", "<?php echo $lBufferOverflowInjectionPointBalloonTip; ?>");
-		$('[BufferOverflowInjectionPoint]').balloon();		
-		$('[HTMLandXSSInjectionPoint]').attr("title", "<?php echo $lHTMLandXSSInjectionPointBalloonTip; ?>");
-		$('[HTMLandXSSInjectionPoint]').balloon();		
-	});
-</script>
-
 <div class="page-title">View User Privilege Level</div>
 
 <?php include_once (__ROOT__.'/includes/back-button.inc');?>
@@ -208,7 +186,7 @@ function __xor($lHexString1, $lHexString2) {
 	<table>
 		<tr><td></td></tr>
 		<tr>
-			<td ReflectedXSSExecutionPoint="1" colspan="2" class="hint-header"><?php echo $lBuffer; ?></td>
+			<td colspan="2" class="hint-header"><?php echo $lBuffer; ?></td>
 		</tr>
 		<tr><td></td></tr>
 	</table>	
diff --git a/xml-validator.php b/xml-validator.php
index 717bbe5..2f6402d 100755
--- a/xml-validator.php
+++ b/xml-validator.php
@@ -92,22 +92,6 @@ function HandleXmlError($errno, $errstr, $errfile, $errline){
    	}// end try;
 ?>
 
-<!-- Bubble hints code -->
-<?php 
-	try{
-   		$lReflectedXSSExecutionPointBallonTip = $BubbleHintHandler->getHint("ReflectedXSSExecutionPoint");
-	} catch (Exception $e) {
-		echo $CustomErrorHandler->FormatError($e, "Error attempting to execute query to fetch bubble hints.");
-	}// end try
-?>
-
-<script type="text/javascript">
-	$(function() {
-		$('[ReflectedXSSExecutionPoint]').attr("title", "<?php echo $lReflectedXSSExecutionPointBallonTip; ?>");
-		$('[ReflectedXSSExecutionPoint]').balloon();
-	});
-</script>
-
 <script type="text/javascript">
 	<?php 
 	if($lEnableJavaScriptValidation){
@@ -191,7 +175,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 
 				echo "<fieldset>";
 				echo "<legend>XML Submitted</legend>";
-				echo "<div width='600px' ReflectedXSSExecutionPoint=\"1\" class=\"important-code\">" . $Encoder->encodeForXML($lXML) . "</div>";
+				echo "<div width='600px' class=\"important-code\">" . $Encoder->encodeForXML($lXML) . "</div>";
 				echo "</fieldset>";
 				echo "<div>&nbsp;</div>";
 				
@@ -206,7 +190,7 @@ function onSubmitOfForm(/*HTMLFormElement*/ theForm){
 
 					echo "<fieldset>";
 					echo "<legend>Text Content Parsed From XML</legend>";
-					echo "<div width='600px' ReflectedXSSExecutionPoint=\"1\">" . $lDOMDocument->textContent . "</div>";
+					echo "<div width='600px'>" . $lDOMDocument->textContent . "</div>";
 					echo "</fieldset>";
 					echo "<div>&nbsp;</div>";