Index: /trunk/xpressme_integration_kit/wp-content/plugins/xpressme/include/functions_for_wp_old.php
===================================================================
--- /trunk/xpressme_integration_kit/wp-content/plugins/xpressme/include/functions_for_wp_old.php	(revision 717)
+++ /trunk/xpressme_integration_kit/wp-content/plugins/xpressme/include/functions_for_wp_old.php	(revision 718)
@@ -344,3 +344,209 @@
 	}
 endif;	// Under WP2.7
+
+// Under WP2.8
+if (version_compare($xoops_config->wp_version,'2.8', '<')) :
+	function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
+		$string = (string) $string;
+
+		if ( 0 === strlen( $string ) ) {
+			return '';
+		}
+
+		// Don't bother if there are no specialchars - saves some processing
+		if ( !preg_match( '/[&<>"\']/', $string ) ) {
+			return $string;
+		}
+
+		// Account for the previous behaviour of the function when the $quote_style is not an accepted value
+		if ( empty( $quote_style ) ) {
+			$quote_style = ENT_NOQUOTES;
+		} elseif ( !in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) {
+			$quote_style = ENT_QUOTES;
+		}
+
+		// Store the site charset as a static to avoid multiple calls to wp_load_alloptions()
+		if ( !$charset ) {
+			static $_charset;
+			if ( !isset( $_charset ) ) {
+				$alloptions = wp_load_alloptions();
+				$_charset = isset( $alloptions['blog_charset'] ) ? $alloptions['blog_charset'] : '';
+			}
+			$charset = $_charset;
+		}
+		if ( in_array( $charset, array( 'utf8', 'utf-8', 'UTF8' ) ) ) {
+			$charset = 'UTF-8';
+		}
+
+		$_quote_style = $quote_style;
+
+		if ( $quote_style === 'double' ) {
+			$quote_style = ENT_COMPAT;
+			$_quote_style = ENT_COMPAT;
+		} elseif ( $quote_style === 'single' ) {
+			$quote_style = ENT_NOQUOTES;
+		}
+
+		// Handle double encoding ourselves
+		if ( !$double_encode ) {
+			$string = wp_specialchars_decode( $string, $_quote_style );
+
+			/* Critical */
+			// The previous line decodes &amp;phrase; into &phrase;  We must guarantee that &phrase; is valid before proceeding.
+			$string = wp_kses_normalize_entities($string);
+
+			// Now proceed with custom double-encoding silliness
+			$string = preg_replace( '/&(#?x?[0-9a-z]+);/i', '|wp_entity|$1|/wp_entity|', $string );
+		}
+
+		$string = @htmlspecialchars( $string, $quote_style, $charset );
+
+		// Handle double encoding ourselves
+		if ( !$double_encode ) {
+			$string = str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
+		}
+
+		// Backwards compatibility
+		if ( 'single' === $_quote_style ) {
+			$string = str_replace( "'", '&#039;', $string );
+		}
+
+		return $string;
+	}
+	
+	/**
+	 * Checks for invalid UTF8 in a string.
+	 *
+	 * @since 2.8
+	 *
+	 * @param string $string The text which is to be checked.
+	 * @param boolean $strip Optional. Whether to attempt to strip out invalid UTF8. Default is false.
+	 * @return string The checked text.
+	 */
+	function wp_check_invalid_utf8( $string, $strip = false ) {
+		$string = (string) $string;
+
+		if ( 0 === strlen( $string ) ) {
+			return '';
+		}
+
+		// Store the site charset as a static to avoid multiple calls to get_option()
+		static $is_utf8;
+		if ( !isset( $is_utf8 ) ) {
+			$is_utf8 = in_array( get_option( 'blog_charset' ), array( 'utf8', 'utf-8', 'UTF8', 'UTF-8' ) );
+		}
+		if ( !$is_utf8 ) {
+			return $string;
+		}
+
+		// Check for support for utf8 in the installed PCRE library once and store the result in a static
+		static $utf8_pcre;
+		if ( !isset( $utf8_pcre ) ) {
+			$utf8_pcre = @preg_match( '/^./u', 'a' );
+		}
+		// We can't demand utf8 in the PCRE installation, so just return the string in those cases
+		if ( !$utf8_pcre ) {
+			return $string;
+		}
+
+		// preg_match fails when it encounters invalid UTF8 in $string
+		if ( 1 === @preg_match( '/^./us', $string ) ) {
+			return $string;
+		}
+
+		// Attempt to strip the bad chars if requested (not recommended)
+		if ( $strip && function_exists( 'iconv' ) ) {
+			return iconv( 'utf-8', 'utf-8', $string );
+		}
+
+		return '';
+	}
+
+	/**
+	 * Perform a deep string replace operation to ensure the values in $search are no longer present
+	 *
+	 * Repeats the replacement operation until it no longer replaces anything so as to remove "nested" values
+	 * e.g. $subject = '%0%0%0DDD', $search ='%0D', $result ='' rather than the '%0%0DD' that
+	 * str_replace would return
+	 *
+	 * @since 2.8.1
+	 * @access private
+	 *
+	 * @param string|array $search
+	 * @param string $subject
+	 * @return string The processed string
+	 */
+	function _deep_replace( $search, $subject ) {
+		$found = true;
+		$subject = (string) $subject;
+		while ( $found ) {
+			$found = false;
+			foreach ( (array) $search as $val ) {
+				while ( strpos( $subject, $val ) !== false ) {
+					$found = true;
+					$subject = str_replace( $val, '', $subject );
+				}
+			}
+		}
+
+		return $subject;
+	}
+
+	
+	/* @since 2.8.0
+	 * @uses wp_kses_bad_protocol() To only permit protocols in the URL set
+	 *		via $protocols or the common ones set in the function.
+	 *
+	 * @param string $url The URL to be cleaned.
+	 * @param array $protocols Optional. An array of acceptable protocols.
+	 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet' if not set.
+	 * @param string $_context Private. Use esc_url_raw() for database usage.
+	 * @return string The cleaned $url after the 'clean_url' filter is applied.
+	 */
+	function esc_url( $url, $protocols = null, $_context = 'display' ) {
+		$original_url = $url;
+
+		if ( '' == $url )
+			return $url;
+		$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
+		$strip = array('%0d', '%0a', '%0D', '%0A');
+		$url = _deep_replace($strip, $url);
+		$url = str_replace(';//', '://', $url);
+		/* If the URL doesn't appear to contain a scheme, we
+		 * presume it needs http:// appended (unless a relative
+		 * link starting with / or a php file).
+		 */
+		if ( strpos($url, ':') === false &&
+			substr( $url, 0, 1 ) != '/' && substr( $url, 0, 1 ) != '#' && !preg_match('/^[a-z0-9-]+?\.php/i', $url) )
+			$url = 'http://' . $url;
+
+		// Replace ampersands and single quotes only when displaying.
+		if ( 'display' == $_context ) {
+			$url = wp_kses_normalize_entities( $url );
+			$url = str_replace( '&amp;', '&#038;', $url );
+			$url = str_replace( "'", '&#039;', $url );
+		}
+
+		if ( !is_array($protocols) )
+			$protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
+		if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
+			return '';
+
+		return apply_filters('clean_url', $url, $original_url, $_context);
+	}
+	/**
+	 * Escaping for HTML attributes.
+	 *
+	 * @since 2.8.0
+	 *
+	 * @param string $text
+	 * @return string
+	 */
+	function esc_attr( $text ) {
+		$safe_text = wp_check_invalid_utf8( $text );
+		$safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
+		return apply_filters( 'attribute_escape', $safe_text, $text );
+	}
+
+endif;	// Under WP2.8
 ?>
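Review bot: `_wp_specialchars()` calls `wp_specialchars_decode()` on its default `$double_encode = false` path, and as far as I know that function was itself introduced in WordPress 2.8, so on the pre-2.8 installs this block targets, `esc_attr()` would stop with an undefined-function fatal unless a shim exists elsewhere in the plugin (not visible in this hunk). Since `esc_attr()` is the attribute-escaping entry point, that failure would break every template that escapes output through it. I would port `wp_specialchars_decode()` into the same `if` block and wrap each definition in a guard such as `if ( !function_exists( 'esc_attr' ) )`, so that a mismatch between `$xoops_config->wp_version` and the WordPress actually loaded cannot cause a redeclaration error. Separately, the `esc_url()` comment opens with `/* @since 2.8.0` and has no summary line; `/**` followed by a one-line description such as `Checks and cleans a URL for safe output.` would match the other docblocks in the block.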
Index: /trunk/xpressme_integration_kit/wp-content/plugins/xpressme/include/xpress_upgrade.php
===================================================================
--- /trunk/xpressme_integration_kit/wp-content/plugins/xpressme/include/xpress_upgrade.php	(revision 717)
+++ /trunk/xpressme_integration_kit/wp-content/plugins/xpressme/include/xpress_upgrade.php	(revision 718)
@@ -202,6 +202,4 @@
 function upgrade_page()
 {
-	if ( ! current_user_can('update_plugins') )
-	wp_die(__('You do not have sufficient permissions to update XPressME Integration Kit for this site.', 'xpressme'));
 	$action = isset($_GET['action']) ? $_GET['action'] : 'upgrade-xpress';
 	$upgrade_error = false;
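Review bot: With the `current_user_can('update_plugins')` guard removed, nothing visible in `upgrade_page()` checks the caller's capability before `$_GET['action']` is read and the upgrade flow starts. The rest of the body lies outside the hunk, so a check may still exist further down or in the menu registration. If the guard was dropped because older WordPress versions lack the `update_plugins` capability, I would substitute one that exists there rather than remove the check, e.g. `if ( ! current_user_can('manage_options') ) wp_die(__('You do not have sufficient permissions to update XPressME Integration Kit for this site.', 'xpressme'));`. Because the action is taken from the query string, the state-changing branches should also verify a nonce with `check_admin_referer()` if they do not already.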
