Changeset 3219 for trunk

Timestamp:

12/03/08 07:58:25 (12 months ago)

Author:

fumiakiy

Message:

Merging the latest of fireball branch to trunk. svn merge -r3095:3215 http://code.sixapart.com/svn/movabletype/branches/fireball . (two conflicts resolved; MT.pm, mt.php and mt-check.cgi merged manually.)

Location:

trunk

Files:

• default_templates/about_this_page.mtml (modified) (2 diffs)
• default_templates/commenter_confirm.mtml (modified) (1 diff)
• default_templates/current_author_monthly_archive_list.mtml (modified) (1 diff)
• lib/MT.pm (modified) (14 diffs)
• lib/MT/App.pm (modified) (6 diffs)
• lib/MT/App/ActivityFeeds.pm (modified) (2 diffs)
• lib/MT/App/Comments.pm (modified) (6 diffs)
• lib/MT/App/Search.pm (modified) (1 diff)
• lib/MT/ArchiveType/Author.pm (modified) (2 diffs)
• lib/MT/ArchiveType/Category.pm (modified) (2 diffs)
• lib/MT/ArchiveType/Individual.pm (modified) (2 diffs)
• lib/MT/Bootstrap.pm (modified) (2 diffs)
• lib/MT/CMS/Blog.pm (modified) (1 diff)
• lib/MT/CMS/Dashboard.pm (modified) (2 diffs)
• lib/MT/CMS/Entry.pm (modified) (2 diffs)
• lib/MT/CMS/Search.pm (modified) (1 diff)
• lib/MT/CMS/Tools.pm (modified) (1 diff)
• lib/MT/CMS/User.pm (modified) (3 diffs)
• lib/MT/DefaultTemplates.pm (modified) (3 diffs)
• lib/MT/ImportExport.pm (modified) (7 diffs)
• lib/MT/L10N/ja.pm (modified) (1 diff)
• lib/MT/Sanitize.pm (modified) (1 diff)
• lib/MT/Template/ContextHandlers.pm (modified) (12 diffs)
• lib/MT/Util.pm (modified) (1 diff)
• php/lib/MTUtil.php (modified) (1 diff)
• php/lib/archive_lib.php (modified) (19 diffs)
• php/lib/function.mtcommentauthorlink.php (modified) (4 diffs)
• php/lib/function.mtcommentreplytolink.php (modified) (1 diff)
• php/lib/function.mtentryauthorlink.php (modified) (4 diffs)
• php/lib/modifier.sanitize.php (modified) (1 diff)
• php/lib/sanitize_lib.php (modified) (1 prop)
• php/mt.php (modified) (2 diffs)
• plugins/Cloner/cloner.pl (modified) (2 diffs)
• search_templates/comments.tmpl (modified) (2 diffs)
• search_templates/default.tmpl (modified) (7 diffs)
• search_templates/results_feed.tmpl (modified) (1 diff)
• search_templates/results_feed_rss2.tmpl (modified) (1 diff)
• t/08-util.t (modified) (3 diffs)
• t/11-sanitize.t (modified) (2 diffs)
• t/driver-tests.pl (modified) (18 diffs)
• tmpl/cms/dialog/comment_reply.tmpl (modified) (1 diff)
• tmpl/cms/edit_asset.tmpl (modified) (1 diff)
• tmpl/cms/edit_author.tmpl (modified) (1 diff)
• tmpl/cms/edit_commenter.tmpl (modified) (1 diff)
• tmpl/cms/edit_entry.tmpl (modified) (2 diffs)
• tmpl/cms/edit_role.tmpl (modified) (1 diff)
• tmpl/cms/include/asset_table.tmpl (modified) (1 diff)
• tmpl/cms/include/comment_detail.tmpl (modified) (1 diff)
• tmpl/cms/include/entry_table.tmpl (modified) (1 diff)
• tmpl/cms/include/header.tmpl (modified) (1 diff)
• tmpl/cms/include/import_start.tmpl (modified) (1 diff)
• tmpl/cms/include/list_associations/page_title.tmpl (modified) (1 diff)
• tmpl/cms/include/list_associations/table_role_view.tmpl (modified) (2 diffs)
• tmpl/cms/include/list_associations/table_user_view.tmpl (modified) (1 diff)
• tmpl/cms/include/listing_panel.tmpl (modified) (1 diff)
• tmpl/cms/include/log_table.tmpl (modified) (1 diff)
• tmpl/cms/include/template_table.tmpl (modified) (3 diffs)
• tmpl/cms/include/users_content_nav.tmpl (modified) (3 diffs)
• tmpl/cms/list_comment.tmpl (modified) (1 diff)
• tmpl/cms/list_ping.tmpl (modified) (1 diff)
• tmpl/cms/list_role.tmpl (modified) (1 diff)
• tmpl/cms/list_template.tmpl (modified) (1 diff)
• tmpl/cms/popup/rebuild_confirm.tmpl (modified) (1 diff)
• tmpl/cms/popup/rebuilt.tmpl (modified) (1 diff)
• tmpl/cms/rebuilding.tmpl (modified) (1 diff)
• tmpl/cms/widget/blog_stats_entry.tmpl (modified) (2 diffs)
• tmpl/cms/widget/blog_stats_recent_entries.tmpl (modified) (1 diff)
• tmpl/cms/widget/blog_stats_tag_cloud.tmpl (modified) (1 diff)
• tmpl/cms/widget/this_is_you.tmpl (modified) (1 diff)
• tmpl/comment/profile.tmpl (modified) (1 diff)

trunk/default_templates/about_this_page.mtml

@@ -46 +46 @@
 <mt:If name="author_archive">
     <mt:If name="datebased_archive">
-        <p class="first"><__trans phrase="This page is an archive of recent entries written by <strong>[_1]</strong> in <strong>[_2]</strong>." params="<$mt:AuthorDisplayName$>%%<$mt:ArchiveDate format="%B %Y"$>"></p>
+        <p class="first"><__trans phrase="This page is an archive of recent entries written by <strong>[_1]</strong> in <strong>[_2]</strong>." params="<$mt:AuthorDisplayName encode_html="1"$>%%<$mt:ArchiveDate format="%B %Y"$>"></p>
         <mt:ArchivePrevious>
         <p><__trans phrase="<a href="[_1]">[_2]</a> is the previous archive." params="<$mt:ArchiveLink$>%%<$mt:ArchiveTitle$>"></p>
@@ -54 +54 @@
         </mt:ArchiveNext>
     <mt:Else>
-        <p class="first"><__trans phrase="This page is an archive of recent entries written by <strong>[_1]</strong>." params="<$mt:AuthorDisplayName$>"></p>
+        <p class="first"><__trans phrase="This page is an archive of recent entries written by <strong>[_1]</strong>." params="<$mt:AuthorDisplayName encode_html="1"$>"></p>
     </mt:If>
 </mt:If>

trunk/default_templates/commenter_confirm.mtml

@@ -12 +12 @@
 
 <__trans phrase="Sincerely,">
-<mt:If tag="AuthorDisplayName"><$mt:AuthorDisplayName$><mt:Else>Movable Type</mt:If>
+<mt:If tag="AuthorDisplayName"><$mt:AuthorDisplayName encode_html="1"$><mt:Else>Movable Type</mt:If>
 
 <$mt:Include module="<__trans phrase="Mail Footer">"$>

trunk/default_templates/current_author_monthly_archive_list.mtml

@@ -3 +3 @@
         <mt:ArchiveListHeader>
 <div class="widget-archive-current-author-monthly widget-archive widget">
-    <h3 class="widget-header"><__trans phrase="[_1]: Monthly Archives" params="<$mt:AuthorDisplayName$>"></h3>
+    <h3 class="widget-header"><__trans phrase="[_1]: Monthly Archives" params="<$mt:AuthorDisplayName encode_html="1"$>"></h3>
     <div class="widget-content">
         <ul>

trunk/lib/MT.pm

@@ -30 +30 @@
     $plugins_installed = 0;
 
-    ( $VERSION, $SCHEMA_VERSION ) = ( '4.21', '4.0068' );
+    ( $VERSION, $SCHEMA_VERSION ) = ( '4.23', '4.0068' );
     ( $PRODUCT_NAME, $PRODUCT_CODE, $PRODUCT_VERSION, $VERSION_ID, $PORTAL_URL ) = (
         '__PRODUCT_NAME__', 'MT',
-        '4.21', '4.21',
+        '4.23', '4.23',
         '__PORTAL_URL__'
     );
@@ -2159 +2159 @@
                 my $label = $c->label || $pack->{label};
                 $label = $label->() if ref($label) eq 'CODE';
+                # if the component did not declare a label,
+                # it isn't wanting to be visible on the app footer.
+                next if $label eq $c->{plugin_sig};
                 push @packs_installed, {
                     label => $label,
@@ -2873 +2876 @@
 =back
 
-=head2 $mt->init
+=head2 $mt->init(%params)
 
 Initializes the Movable Type instance, including registration of basic
@@ -2879 +2882 @@
 and C<init_plugins> methods.
 
+=head2 $mt->init_core()
+
+A method that the base MT class uses to initialize all the 'core'
+functionality of Movable Type. If you want to subclass MT and extensively
+modify it's core behavior, this method can be overridden to do that.
+The L<MT::Core> module is a L<MT::Component> that defines the core
+features of MT, and this method loads that component. Non-core components
+are loaded by the L<init_addons> method.
+
+=head2 $mt->init_paths()
+
+Establishes some key file paths for the MT environment. Assigns
+C<$MT_DIR>, C<$APP_DIR> and C<$CFG_FILE> package variables.
+
+=head2 $mt->init_permissions()
+
+Loads the L<MT::Permission> class and runs the
+MT::Permission->init_permissions method to establish system permissions.
+
+=head2 $mt->init_schema()
+
+Completes the initialization of the Movable Type schema following the
+loading of plugins. After this method runs, any MT object class may
+safely be used.
+
 =head2 MT->instance
 
@@ -2885 +2913 @@
 MT->new() is now an alias to instance_of.
 
+=head2 MT->app
+
+An alias for the 'instance' method.
+
 =head2 $class->instance_of
 
@@ -2897 +2929 @@
 Assigns the active MT instance object. This value is returned when
 C<MT-E<gt>instance> is invoked.
+
+=head2 MT->run_app( $pkg, $params )
+
+Instantiates and runs a MT application (identified by C<$pkg>), passing
+the C<$params> hashref as the parameters to the constructor method. This
+method is a self-contained version found in L<MT::Bootstrap> and will
+eventually be the manner in which MT applications are run (eliminating
+the need for the bootstrap module). The MT::import module calls this
+method when the MT module is used with an 'App' parameter. So, you can
+write a mt.cgi script that looks like this:
+
+    #!/usr/bin/perl
+    use strict;
+    use lib $ENV{MT_HOME} ? "$ENV{MT_HOME}/lib" : 'lib';
+    use MT App => 'MT::App::CMS';
 
 =head2 $mt->find_config($params)
@@ -2907 +2954 @@
 =head2 $mt->init_config($params)
 
-Reads the MT configuration settingss from the MT configuration file
-and settings from database (L<MT::Config>).
+Reads the MT configuration settingss from the MT configuration file.
 
 The C<$params> parameter is a reference to the hash of settings passed to
 the MT constructor.
 
-=head2 $mt->init_plugins
+=head2 $mt->init_config_from_db($param)
+
+Reads any MT configuration settings from the MT database (L<MT::Config>).
+
+The C<$params> parameter is a reference to the hash of settings passed to
+the MT constructor.
+
+=head2 $mt->init_addons(%param)
+
+Loads any discoverable addons that are available. This is called from
+the C<init> method, after C<init_config> method has loaded the
+configuration settings, but prior to making a database connection.
+
+=head2 $mt->init_plugins(%param)
 
 Loads any discoverable plugins that are available. This is called from
@@ -2919 +2978 @@
 configuration settings.
 
-=head2 $mt->init_tasks
+=head2 $mt->init_callbacks()
+
+Installs any MT callbacks. This is called from the C<init> method very,
+early; prior to loading any addons or plugins.
+
+=head2 $mt->init_tasks()
 
 Registers the standard set of periodic tasks that Movable Type provides
@@ -2929 +2993 @@
 through L<MT::TaskMgr> to run any registered tasks that are pending
 execution. See L<MT::TaskMgr> for further documentation.
+
+=head2 MT->find_addons( $type )
+
+Returns an array of all 'addons' that are found within the MT 'addons'
+directory of the given C<$type>. What is returned is an array reference
+of hash data. Each hash will contain these elements: 'label' (the name
+of the addon), 'id' (the unique identifier of the addon), 'envelope'
+(the subpath of the addon, relative to the MT home directory), and 'path'
+(the full path to the addon subdirectory).
 
 =head2 MT->unplug
@@ -3242 +3315 @@
 C<callback_error> routine.
 
+=head2 MT->handler_to_coderef($handler[, $delayed])
+
+Translates a registry handler signature into a Perl coderef. Handlers
+are in one of the following forms:
+
+    $<COMPONENTID>::<PERL_PACKAGE>::<SUBROUTINE>
+
+    <PERL_PACKAGE>::<SUBROUTINE>
+
+    <PERL_PACKAGE>-><SUBROUTINE>
+
+    sub { ... }
+
+When invoked with a '-E<gt>' operator, the subroutine is invoked as
+a package method.
+
+When the handler is a string that starts with 'sub {', it is eval'd
+to compile it, and the resulting coderef is returned.
+
+The coderef that is returned can be passed any parameters you wish.
+
+When the coderef is invoked, any component that was identified in
+the handler signature becomes the active component when running the
+code (this affects how strings are translated, and the search paths
+for templates that are loaded).
+
+If the C<$delayed> parameter is given, a special coderef is constructed
+that will delay the 'require' of the identified Perl package until
+the coderef is actually invoked.
+
+=head2 MT->registry( @path )
+
+Queries the Movable Type registry data structure for a given resource
+path. The MT registry is a collection of hash structures that contain
+resources MT and/or plugins can utilize.
+
+When this method is invoked, it actually issues a registry request
+against each component registered with MT, then merges the resulting
+hashes and returns them. See L<MT::Component> for further details.
+
+=head2 MT->component( $id )
+
+Returns a loaded L<MT::Component> based on the requested C<$id> parameter.
+For example:
+
+    # Returns the MT 'core' component
+    MT->component('core');
+
+=head2 MT->model( $id )
+
+Returns a Perl package name for the MT object type identified by C<$id>.
+For example:
+
+    # Assigns (by default) 'MT::Blog' to $blog_class
+    my $blog_class = MT->model('blog');
+
+It is a recommended practice to utilize the model method to derive the
+implementation package name, instead of hardcoding Perl package names.
+
+=head2 MT->models( $id )
+
+Returns a list of object types that are registered as sub-types. For
+instance, the MT 'asset' object type has several sub-types associated
+with it:
+
+    my @types = MT->models('asset');
+    # @types now contains ('asset', 'asset.image', 'asset.video', etc.)
+
 =head2 MT->product_code
 
@@ -3258 +3399 @@
 and C<version_number> methods as they report the API version information.
 
+=head2 MT->VERSION
+
+Returns the API version of MT. When using the MT module with the version
+requirement, this method will also load the suitable API 'compatibility'
+module, if available. For instance, if your plugin declares:
+
+    use MT 4;
+
+Then, once MT 5 is available, that statement will cause the C<VERSION> method
+to attempt to load a module named "MT::Compat::v4". This module would contain
+compatibility support for MT 4-based plugins.
+
 =head2 MT->version_id
 
@@ -3272 +3425 @@
 Returns the version of the MT database schema.
 
+=head2 $mt->id
+
+Provides an identifier for the application, one that relates to the
+'application' paths of the MT registry. This method may be overridden
+for any subclass of MT to provide the appropriate identifier. By
+default, the base 'id' method will return an id taken from the
+Perl package name, by stripping off any 'MT::App::' prefix, and lowercasing
+the remaining string.
+
 =head2 MT->version_slug
 
@@ -3296 +3458 @@
 An alias to L<MT::WeblogPublisher::rebuild_indexes>. See
 L<MT::WeblogPublisher> for documentation of this method.
+
+=head2 $mt->rebuild_archives
+
+An alias to L<MT::WeblogPublisher::rebuild_archives>. See
+L<MT::WeblogPublisher> for documentation of this method.
+
+=head2 $app->template_paths
+
+Returns an array of directory paths where application templates exist.
+
+=head2 $app->find_file(\@paths, $filename)
+
+Returns the path and filename for a file found in any of the given paths.
+If the file cannot be found, it returns undef.
+
+=head2 $app->load_tmpl($file[, @params])
+
+Loads a L<MT::Template> template using the filename specified. See the
+documentation for the C<build_page> method to learn about how templates
+are located. The optional C<@params> are passed to the L<MT::Template>
+constructor.
+
+=head2 $app->set_default_tmpl_params($tmpl)
+
+Assigns standard parameters to the given L<MT::Template> C<$tmpl> object.
+Refer to the L<STANDARD APPLICATION TEMPLATE PARAMETERS> section for a
+complete list of these parameters.
+
+=head2 $app->charset( [$charset] )
+
+Gets or sets the application's character set based on the "PublishCharset"
+configuration setting or the encoding of the active language
+(C<$app-E<gt>current_language>).
+
+=head2 $app->build_page($tmpl_name, \%param)
+
+Builds an application page to be sent to the client; the page name is specified
+in C<$tmpl_name>, which should be the name of a template containing valid
+L<MT::Template> markup. C<\%param> is a hash ref whose keys and values will
+be passed to L<MT::Template::param> for use in the template.
+
+On success, returns a scalar containing the page to be sent to the client. On
+failure, returns C<undef>, and the error message can be obtained from
+C<$app-E<gt>errstr>.
+
+=head3 How does build_page find a template?
+
+The C<build_page> function looks in several places for an app
+template. Two configuration directives can modify these search paths,
+and application and plugin code can also affect them.
+
+The I<TemplatePath> config directive is an absolute path to the directory
+where MT's core application templates live. It defaults to the I<mt_dir>
+plus an additional path segment of 'tmpl'.
+
+The optional I<AltTemplatePath> config directive is a path (absolute
+or relative) to a directory where some 'override templates' may
+live. An override template takes the place of one of MT's core
+application templates, and is used interchangeably with the core
+template. This allows power users to customize the look and feel of
+the MT application. If I<AltTemplatePath> is relative, its base path
+is the value of the Movable Type configuration file.
+
+Next, any application built on the C<MT::App> foundation can define
+its own I<template_dir> parameter, which identifies a subdirectory of
+TemplatePath (or AltTemplatePath) where that application's templates
+can be found. I<template_dir> defaults to C<cms>. Most templates will
+be found in this directory, but sometimes the template search will
+fall through to the parent directory, where a default error template
+is found, for example. I<template_dir> should rightly have been named
+I<application_template_dir>, since it is application-specific.
+
+Finally, a plugin can specify its I<plugin_template_path>, which
+locates a directory where the templates for that plugin's own
+interface are found. If the I<plugin_template_path> is relative, it
+may be relative to either the I<app_dir>, or the I<mt_dir>; the former
+takes precedence if it exists. (for a definition of I<app_dir> and
+I<mt_dir>, see L<MT>)
+
+Given these values, the order of search is as follows:
+
+=over 4
+
+=item * I<plugin_template_path>
+
+=item * I<AltTemplatePath>
+
+=item * I<AltTemplatePath>F</>I<template_dir>
+
+=item * I<TemplatePath>/I<template_dir>
+
+=item * I<TemplatePath>
+
+=back
+
+If a template with the given name is not found in any of these
+locations, an ugly error is thrown to the user.
+
+=head2 $app->build_page_in_mem($tmpl, \%param)
+
+Used internally by the L<build_page> method to render the output
+of a L<MT::Template> object (the first parameter) using the parameter
+data (the second parameter). It additionally calls the L<process_mt_template>
+method (to process any E<lt>MT_ACTIONE<gt> and E<lt>MT_X:YE<gt> marker tags)
+and then L<translate_templatized> (to process any E<lt>MT_TRANSE<gt> tags).
+
+=head2 $app->process_mt_template($str)
+
+Processes the E<lt>__action<gt> tags that are present in C<$str>. These tags
+are in the following format:
+
+    <__action mode="mode_name" parameter="value">
+
+The mode parameter is required (and must be the first attribute). The
+following attributes are appended as regular query parameters.
+
+The MT_ACTION tag is a preferred way to specify application links rather
+than using this syntax:
+
+    <mt:var name="script_url">?__mode=mode_name&parameter=value
+
+C<process_mt_templates> also strips the C<$str> variable of any tags in
+the format of C<E<lt>MT_\w+:\w+E<gt>>. These are 'marker' tags that are
+used to identify specific portions of the template page and used in
+conjunction with the transformer callback helper methods C<tmpl_prepend>,
+C<tmpl_append>, C<tmpl_replace>, C<tmpl_select>.
 
 =head2 $mt->build_email($file, $param)
@@ -3310 +3598 @@
 entry that is scheduled for publishing. The return value is the timestamp
 in UTC time in the format "YYYY-MM-DDTHH:MM:SSZ".
+
+=head2 $mt->commenter_authenticator($id)
+
+Returns a specific comment authenication option using the identifier
+C<$id> parameter.
+
+=head2 $mt->commenter_authenticators()
+
+Returns the available comment authentication identifiers that are
+installed in the MT registry.
+
+=head2 $mt->core_commenter_authenticators()
+
+A method that returns the MT-supplied comment authentication registry
+data.
+
+=head2 $mt->init_commenter_authenticators()
+
+Initializes the list of installed MT comment authentication options,
+drawing from the MT registry.
+
+=head2 $mt->captcha_provider($id)
+
+Returns a specific CAPTCHA provider configuration using the identifier
+C<$id> parameter. This is a convenience method that accesses the CAPTCHA
+providers installed into the MT registry.
+
+=head2 $mt->captcha_providers()
+
+Returns the available CAPTCHA providers. This is a convenience method
+that accesses the MT registry for available CAPTCHA providers (it also
+invokes the 'condition' key for each provider to filter the list).
+
+=head2 $mt->core_captcha_providers()
+
+A method that returns the MT-supplied CAPTCHA provider registry data.
+
+=head2 $mt->init_captcha_providers()
+
+Initializes the list of installed CAPTCHA providers, drawing from
+the MT registry.
+
+=head2 $mt->effective_captcha_provider()
+
+Returns the Perl package name for the configured CAPTCHA provider.
+
+=head2 $app->static_path()
+
+Returns the application's static web path.
+
+=head2 $app->static_file_path()
+
+Returns the application's static file path.
+
+=head2 MT::core_upload_file_to_sync
+
+A MT callback handler routine that forwards to the L<upload_file_to_sync>
+method.
+
+=head2 MT->upload_file_to_sync(%param)
+
+A routine that will make record of a file that is to be transmitted
+to one or more servers (typically via rsync). This method runs when
+the C<SyncTarget> MT configuration setting is configured. Normally
+published files are automatically processed for syncing operations,
+but this routine is used for files that are created through other
+means, such as uploading an asset.
+
+=head2 MT->help_url( [ $suffix ] )
+
+Returns a help URL for the application. This method is used to construct
+the URL directing users to online documentation. If called without any
+parameters, it returns the base URL for providing help. If a parameter is
+given, the URL is appended with the given subpath. The base URL by default
+is 'http://www.movabletype.org/documentation/'. This string is passed
+through MT's localization modules, so it can be changed on a per-language
+basis. The C<$suffix> parameter, however, is always appended to this base URL.
+
+=head2 MT->get_timer
+
+Returns an instance of L<MT::Util::ReqTimer> for use in timing MT's
+operations.
+
+=head2 MT->log_times
+
+Used as part of Movable Type's performance logging framework. This method
+is called internally, once at the startup of Movable Type, and once as it
+is shutting down.
+
+=head2 MT->time_this($string, $code)
+
+Utility method to time a particular routine. This will log the execution
+time of the C<$code> coderef with the identifying phrase C<$string> using
+MT's performance logging framework.
+
+=head2 MT::refresh_cache($cb)
+
+A callback handler that invalidates the cache of MT's caching driver.
+See L<MT::Cache::Negotiate>.
+
+=head2 MT->register_refresh_cache_event($callback)
+
+Registers a callback that will cause the MT cache to invalidate itself.
+See L<MT::Cache::Negotiate>.
 
 =head1 ERROR HANDLING

trunk/lib/MT/App.pm

@@ -1974 +1974 @@
 
         $url = $q->param('url');
-        if ( $url && !is_url($url) ) {
+        if ( $url && (!is_url($url) || ($url =~ m/[<>]/)) ) {
             return $app->error( $app->translate("URL is invalid.") );
         }
@@ -1987 +1987 @@
         return $app->error( $app->translate("User requires username.") );
     }
+    if ( $name =~ m/([<>])/) {
+        return $app->error( $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Username"), encode_html( $1 ) ) );
+    }
 
     my $existing = MT::Author->exist( { name => $name } );
@@ -1996 +1999 @@
     unless ($nickname) {
         return $app->error( $app->translate("User requires display name.") );
+    }
+    if ( $nickname =~ m/([<>])/) {
+        return $app->error( $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Display Name"), encode_html( $1 ) ) );
     }
 
@@ -2004 +2010 @@
             return $app->error(
                 $app->translate("Email Address is invalid.") );
+        }
+
+        if ( $email =~ m/([<>])/) {
+            return $app->error( $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Email Address"), encode_html( $1 ) ) );
         }
     }
@@ -2399 +2409 @@
     my $url     = $app->uri;
     my $blog_id = $app->param('blog_id');
+
     if ( ref $param ne 'HASH' ) {
-
         # old scalar signature
         $param = { error => $param };
     }
 
-    if ( $MT::DebugMode && $@ ) {
-        $param->{error} = '<pre>' . encode_html( $param->{error} ) . '</pre>';
+    my $error = $param->{error};
+
+    if ( $MT::DebugMode ) {
+        if ( $@ ) {
+            # Use 'pre' tag to wrap Perl error
+            $error = '<pre>' . encode_html( $error ) . '</pre>';
+        }
     }
     else {
-        $param->{error} = encode_html( $param->{error} );
-        $param->{error}
+        if ($error =~ m/^(.+?)( at .+? line \d+)(.*)$/s) {
+            # Hide any module path info from perl error message
+            # Information could be revealing info about where MT app
+            # resides on server, and what version is being used, which
+            # may be helpful forensics to an attacker.
+            $error = $1;
+        }
+        $error = encode_html( $error );
+        $error
             =~ s!(https?://\S+)!<a href="$1" target="_blank">$1</a>!g;
     }
-    $tmpl = $app->load_tmpl('error.tmpl')
-        or return "Can't load error template; got error '"
-        . encode_html( $app->errstr )
-        . "'. Giving up. Original error was <pre>$param->{error}</pre>";
+
+    $tmpl = $app->load_tmpl('error.tmpl');
+    if (!$tmpl) {
+        $error = '<pre>' . $error . '</pre>' unless $error =~ m/<pre>/;
+        return "Can't load error template; got error '"
+            . encode_html( $app->errstr )
+            . "'. Giving up. Original error was: $error";
+    }
     my $type = $app->param('__type') || '';
     if ( $type eq 'dialog' ) {
@@ -2428 +2454 @@
         $param->{value}  ||= $app->{value}  || $app->translate("Go Back");
     }
+    local $param->{error} = $error;
     $tmpl->param($param);
     my $out = $tmpl->output;
     if ( !defined $out ) {
+        $error = '<pre>' . $error . '</pre>' unless $error =~ m/<pre>/;
         return
               "Can't build error template; got error '"
             . encode_html( $tmpl->errstr )
-            . "'. Giving up. Original error was <pre>$param->{error}</pre>";
+            . "'. Giving up. Original error was: $error";
     }
     return $app->l10n_filter($out);

trunk/lib/MT/App/ActivityFeeds.pm

@@ -11 +11 @@
 use MT::Author qw(AUTHOR);
 use MT::Util qw(perl_sha1_digest_hex ts2epoch epoch2ts ts2iso iso2ts
-    encode_html);
+    encode_html encode_url);
 use HTTP::Date qw(time2isoz str2time time2str);
 
@@ -260 +260 @@
     my $str = qq();
     for my $key ( $app->param ) {
-        $str .= "&$key=" . $app->param($key);
+        $str .= "&" . encode_url($key) . "=" . encode_url($app->param($key));
     }
     $str =~ s/^&(.+)$/?$1/;

trunk/lib/MT/App/Comments.pm

@@ -1750 +1750 @@
     my ( $sess_obj, $commenter ) = $app->get_commenter_session();
     if ($commenter) {
+        $app->user($commenter);
         $app->{session} = $sess_obj;
 
@@ -1776 +1777 @@
             hint     => $commenter->hint,
             url      => $commenter->url,
+            blog_id  => $blog_id,
             $entry_id ? ( entry_url => $url ) : ( return_url => $url ),
         };
@@ -1799 +1801 @@
     my %param
         = map { $_ => scalar( $q->param($_) ) }
-        qw( name nickname email password pass_verify hint url entry_url return_url external_auth);
+        qw( name nickname email password pass_verify hint url entry_url return_url external_auth blog_id );
+    $param{blog_id} =~ s/\D//g if defined $param{blog_id};
 
     $param{ 'auth_mode_' . $cmntr->auth_type } = 1;
@@ -1805 +1808 @@
     $app->user($cmntr);
     $app->{session} = $sess_obj;
+
     my $original = $cmntr->clone();
 
@@ -1811 +1815 @@
 
     unless ( $param{external_auth} ) {
-        unless ( $param{nickname} && $param{email} && $param{hint} ) {
+        my $nickname = $param{nickname};
+        unless ( $nickname && $param{email} && $param{hint} ) {
             $param{error} = $app->translate(
                 'All required fields must have valid values.');
             return $app->build_page( 'profile.tmpl', \%param );
         }
+        if ( $nickname =~ m/([<>])/) {
+            $param{error} = $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Display Name"), encode_html( $1 ) );
+            return $app->build_page( 'profile.tmpl', \%param );
+        }
         if ( $param{password} ne $param{pass_verify} ) {
             $param{error} = $app->translate('Passwords do not match.');
@@ -1821 +1830 @@
         }
     }
-    if ( $param{email} && !is_valid_email( $param{email} ) ) {
+    my $email = $param{email};
+    if ( $email && !is_valid_email( $email ) ) {
         $param{error} = $app->translate('Email Address is invalid.');
         return $app->build_page( 'profile.tmpl', \%param );
     }
-    if ( $param{url} && !is_url( $param{url} ) ) {
+    if ( $email && $email =~ m/([<>])/) {
+        $param{error} = $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Email Address"), encode_html( $1 ) );
+        return $app->build_page( 'profile.tmpl', \%param );
+    }
+    if ( $param{url} && (!is_url( $param{url} ) || ($param{url} =~ m/[<>]/) ) ) {
         $param{error} = $app->translate('URL is invalid.');
         return $app->build_page( 'profile.tmpl', \%param );

trunk/lib/MT/App/Search.pm

@@ -84 +84 @@
 
     my $q = $app->param;
+
+    # These parameters are strictly numeric; invalid request if they
+    # are given and are not
+    foreach my $param ( qw( blog_id limit offset SearchMaxResults ) ) {
+        my $val = $q->param($param);
+        next unless defined $val && ($val ne '');
+        return $app->errtrans( 'Invalid [_1] parameter.', $param )
+            if $val !~ m/^\d+$/;
+    }
+    foreach my $param ( qw( IncludeBlogs ExcludeBlogs ) ) {
+        my $val = $q->param($param);
+        next unless defined $val && ($val ne '');
+        return $app->errtrans( 'Invalid [_1] parameter.', $param )
+            if $val !~ m/^(\d+,?)+$/;
+    }
 
     my $params = $app->registry( $app->mode, 'params' );

trunk/lib/MT/ArchiveType/Author.pm

@@ -9 +9 @@
 use strict;
 use base qw( MT::ArchiveType );
+
+use MT::Util qw( remove_html encode_html );
 
 sub name {
@@ -50 +52 @@
     my ($ctx) = @_;
     my $a = $ctx->stash('author');
-    $a ? $a->nickname || MT->translate( '(Display Name not set)' ) : '';
+    encode_html( remove_html( $a ? $a->nickname || MT->translate( '(Display Name not set)' ) : '' ) );
 }
 

trunk/lib/MT/ArchiveType/Category.pm

@@ -9 +9 @@
 use strict;
 use base qw( MT::ArchiveType );
+
+use MT::Util qw( remove_html encode_html );
 
 sub name {
@@ -50 +52 @@
     my ($ctx) = @_;
     my $c = $ctx->stash('category');
-    $c ? $c->label : '';
+    encode_html( remove_html( $c ? $c->label : '' ) );
 }
 

trunk/lib/MT/ArchiveType/Individual.pm

@@ -9 +9 @@
 use strict;
 use base qw( MT::ArchiveType );
+
+use MT::Util qw( remove_html encode_html );
 
 sub name {
@@ -53 +55 @@
 sub archive_title {
     my $obj = shift;
-    $_[1]->title;
+    encode_html( remove_html( $_[1]->title ) );
 }
 

trunk/lib/MT/Bootstrap.pm

@@ -90 +90 @@
                 eval {
                     # line __LINE__ __FILE__
+                    if (!$MT::DebugMode && ($err =~ m/^(.+?)( at .+? line \d+)(.*)$/s)) {
+                        $err = $1;
+                    }
                     my %param = ( error => $err );
                     if ($err =~ m/Bad ObjectDriver/) {
@@ -130 +133 @@
                     }
                 }
-                print "Content-Type: text/plain; charset=$charset\n\n";
-                print $app ? $app->translate("Got an error: [_1]", $app->translate($err)) : "Got an error: $err\n";
             }
+            if (!$MT::DebugMode && ($err =~ m/^(.+?)( at .+? line \d+)(.*)$/s)) {
+                $err = $1;
+            }
+            print "Content-Type: text/plain; charset=$charset\n\n";
+            print $app
+              ? $app->translate( "Got an error: [_1]", $err )
+              : "Got an error: $err";
         }
     }

trunk/lib/MT/CMS/Blog.pm

@@ -1008 +1008 @@
             or return $app->error($app->translate('Can\'t load entry #[_1].', $entry_id));
         $param{build_type_name} =
-          $app->translate( "[_1] '[_2]'", $entry->class_label, $entry->title );
+          $app->translate( "[_1] '[_2]'", $entry->class_label, MT::Util::encode_html($entry->title) );
         $param{is_entry} = 1;
         $param{entry_id} = $entry_id;

trunk/lib/MT/CMS/Dashboard.pm

@@ -2 +2 @@
 
 use strict;
-use MT::Util qw( epoch2ts );
+use MT::Util qw( epoch2ts encode_html );
 
 sub dashboard {
@@ -137 +137 @@
         $param->{last_post_id}      = $last_post->id;
         $param->{last_post_blog_id} = $last_post->blog_id;
-        $param->{last_post_blog_name} = $last_post->blog->name;
+        $param->{last_post_blog_name} = encode_html($last_post->blog->name);
         $param->{last_post_ts}      = $last_post->authored_on;
     }

trunk/lib/MT/CMS/Entry.pm

@@ -189 +189 @@
     my $cats = $q->param('category_ids');
     if ( defined $cats ) {
-        if ( my @cats = split /,/, $cats ) {
+        if ( my @cats = grep { $_ =~ /^\d+/ } split /,/, $cats ) {
             $cat_id = $cats[0];
             %places = map { $_ => 1 } @cats;
@@ -1930 +1930 @@
     my $script = qq!javascript:d=document;w=window;t='';if(d.selection)t=d.selection.createRange().text;else{if(d.getSelection)t=d.getSelection();else{if(w.getSelection)t=w.getSelection()}}void(w.open('$uri&title='+encodeURIComponent(d.title)+'&text='+encodeURIComponent(d.location.href)+encodeURIComponent('<br/><br/>')+encodeURIComponent(t),'_blank','scrollbars=yes,status=yes,resizable=yes,location=yes'))!;
     # Translate the phrase here to avoid ActivePerl DLL bug.
-    $app->translate('<a href="[_1]">QuickPost to [_2]</a> - Drag this link to your browser\'s toolbar then click it when you are on a site you want to blog about.', encode_html($script), $blog->name);
+    $app->translate('<a href="[_1]">QuickPost to [_2]</a> - Drag this link to your browser\'s toolbar then click it when you are on a site you want to blog about.', encode_html($script), encode_html($blog->name));
 }
 

trunk/lib/MT/CMS/Search.pm

@@ -394 +394 @@
     my %param = %$list_pref;
     my $limit = $q->param('limit') || 125;    # FIXME: mt.cfg setting?
+    $limit =~ s/\D//g;
     my $matches;
     $date_col = $api->{date_column} || 'created_on';

trunk/lib/MT/CMS/Tools.pm

@@ -622 +622 @@
     my @tsnow    = gmtime(time);
     my $metadata = {
-        backup_by => $app->user->name . '(ID: ' . $app->user->id . ')',
+        backup_by => MT::Util::encode_xml($app->user->name, 1) . '(ID: ' . $app->user->id . ')',
         backup_on => sprintf(
             "%04d-%02d-%02dT%02d:%02d:%02d",

trunk/lib/MT/CMS/User.pm

@@ -1566 +1566 @@
         return $eh->error( $app->translate("User requires username") )
           if ( !$name );
+
+        if ( $name =~ m/([<>])/) {
+            return $eh->error( $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Username"), encode_html( $1 ) ) );
+        }
     }
 
@@ -1576 +1580 @@
         return $eh->error( $app->translate("User requires display name") )
           if ( !length( $nickname ) );
+
+        if ( $nickname =~ m/([<>])/) {
+            return $eh->error( $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Display Name"), encode_html( $1 ) ) );
+        }
     }
 
@@ -1614 +1622 @@
           if ( !$app->param('hint') );
     }
+    my $email = $app->param('email');
     return $eh->error(
         MT->translate("Email Address is required for password recovery") )
-      unless $app->param('email');
+      unless $email;
+    if ( $email =~ m/([<>])/) {
+        return $eh->error( $app->translate("[_1] contains an invalid character: [_2]", $app->translate("Email Address"), encode_html( $1 ) ) );
+    }
+
     if ( $app->param('url') ) {
         my $url = $app->param('url');
-        return $eh->error( MT->translate("Website URL is invalid") )
-          unless is_url($url);
+        return $eh->error( MT->translate("URL is invalid.") )
+          if !is_url($url) || ($url =~ m/[<>]/);
     }
     1;

trunk/lib/MT/DefaultTemplates.pm

@@ -332 +332 @@
             foreach my $tmpl_id (keys %{ $tmpl_hash->{$tmpl_set} }) {
                 next if $tmpl_id eq 'plugin';
-
                 my $p = $tmpl_hash->{plugin} || $tmpl_hash->{$tmpl_set}{plugin};
                 my $base_path = $def_tmpl->{base_path} || $tmpl_hash->{$tmpl_set}{base_path};
@@ -359 +358 @@
                 $tmpl->{key} = $tmpl_id;
                 $tmpl->{identifier} = $tmpl_id;
-
-                # load template if it hasn't been loaded already
-                if (!exists $tmpl->{text}) {
-                    local (*FIN, $/);
-                    my $filename = $tmpl->{filename} || ($tmpl_id . '.mtml');
-                    my $file = File::Spec->catfile($base_path, $filename);
-                    if ((-e $file) && (-r $file)) {
-                        open FIN, "<$file"; my $data = <FIN>; close FIN;
-                        $tmpl->{text} = $data;
-                    } else {
-                        $tmpl->{text} = '';
-                    }
-                }
 
                 if ( exists $tmpl->{widgets} ) {
@@ -385 +371 @@
                     }
                     $tmpl->{widgets} = \@widgets if @widgets;
+                } else {
+                    # load template if it hasn't been loaded already
+                    if (!exists $tmpl->{text}) {
+                        local (*FIN, $/);
+                        my $filename = $tmpl->{filename} || ($tmpl_id . '.mtml');
+                        my $file = File::Spec->catfile($base_path, $filename);
+                        if ((-e $file) && (-r $file)) {
+                            open FIN, "<$file"; my $data = <FIN>; close FIN;
+                            $tmpl->{text} = $data;
+                        } else {
+                            $tmpl->{text} = '';
+                        }
+                    }
                 }
 
                 my $local_global_tmpls = $tmpl->{global} ? \%global_tmpls : \%tmpls;
-                if (exists $local_global_tmpls->{$tmpl_id}) {
+                my $tmpl_key = $type . ":" . $tmpl_id;
+                if (exists $local_global_tmpls->{$tmpl_key}) {
                     # allow components/plugins to override core
                     # templates
-                    $local_global_tmpls->{$tmpl_id} = $tmpl if $p && ($p->id ne 'core');
+                    $local_global_tmpls->{$tmpl_key} = $tmpl if $p && ($p->id ne 'core');
                 }
                 else {
-                    $local_global_tmpls->{$tmpl_id} = $tmpl;
+                    $local_global_tmpls->{$tmpl_key} = $tmpl;
                 }
             }

trunk/lib/MT/ImportExport.pm

@@ -14 +14 @@
 use base qw( MT::ErrorHandler );
 use MT::I18N qw( first_n_text const encode_text );
+use MT::Util qw( encode_html );
 
 use vars qw( $SEP $SUB_SEP );
@@ -136 +137 @@
                                     $author->password('(none)');
                                 }
-                                $cb->(MT->translate("Creating new user ('[_1]')...", $val));
+                                $cb->(MT->translate("Creating new user ('[_1]')...", encode_html($val)));
                                 if ($author->save) {
                                     $cb->(MT->translate("ok") . "\n");
@@ -173 +174 @@
                                     $cat->author_id($entry->author_id);
                                     $cat->parent(0);
-                                    $cb->(MT->translate("Creating new category ('[_1]')...", $val));
+                                    $cb->(MT->translate("Creating new category ('[_1]')...", encode_html($val)));
                                     if ($cat->save) {
                                         $cb->(MT->translate("ok") . "\n");
@@ -239 +240 @@
                             next ENTRY_BLOCK;
                         } else {
-                            $cb->(MT->translate("Importing into existing entry [_1] ('[_2]')", $entry->id, $entry->title) . "\n");
+                            $cb->(MT->translate("Importing into existing entry [_1] ('[_2]')", $entry->id, encode_html($entry->title)) . "\n");
                         }
                     }
@@ -371 +372 @@
                     ## Save entry.
                     unless ($no_save) {
-                        $cb->(MT->translate("Saving entry ('[_1]')...", $entry->title));
+                        $cb->(MT->translate("Saving entry ('[_1]')...", encode_html($entry->title)));
                         if ($entry->save) {
                             $cb->(MT->translate("ok (ID [_1])", $entry->id) . "\n");
@@ -427 +428 @@
                     for my $comment (@comments) {
                         $comment->entry_id($entry->id);
-                        $cb->(MT->translate("Creating new comment (from '[_1]')...", $comment->author));
+                        $cb->(MT->translate("Creating new comment (from '[_1]')...", encode_html($comment->author)));
                         if ($comment->save) {
                             $cb->(MT->translate("ok (ID [_1])", $comment->id) . "\n");
@@ -444 +445 @@
                         for my $ping (@pings) {
                             $ping->tb_id($tb->id);
-                            $cb->(MT->translate("Creating new ping ('[_1]')...", $ping->title));
+                            $cb->(MT->translate("Creating new ping ('[_1]')...", encode_html($ping->title)));
                             if ($ping->save) {
                                 $cb->(MT->translate("ok (ID [_1])", $ping->id) . "\n");

trunk/lib/MT/L10N/ja.pm

@@ -815 +815 @@
         'User requires username.' => 'ナヌザヌ名はå¿
 é ˆã§ã™ã€‚',
+        '[_1] contains an invalid character: [_2]' => '[_1]に䞍正な文字( [_2] )が含たれおいたす。',
         'A user with the same name already exists.' => '同名のナヌザヌがすでに存圚したす。',
         'User requires display name.' => '衚瀺名はå¿

trunk/lib/MT/Sanitize.pm

@@ -107 +107 @@
                                 $dec_val =~ s/&#x0*3[Aa](?:=;|[^a-fA-F0-9])/:/;
 
-                                if ((my $prot) = $dec_val =~ m/^(.+?):/) {
+                                if ((my $prot) = $dec_val =~ m/^([\s\S]+?):/) {
                                     next if $prot =~ m/[\r\n\t]/;
                                     $prot =~ s/\s+//gs;

trunk/lib/MT/Template/ContextHandlers.pm

@@ -1703 +1703 @@
     my $show_actions = exists $args->{show_actions} ? $args->{show_actions} : 1;
     my $return_args = $ctx->var('return_args') || '';
+    $return_args = encode_html( $return_args );
     $return_args = qq{\n        <input type="hidden" name="return_args" value="$return_args" />} if $return_args;
     my $blog_id = $ctx->var('blog_id') || '';
@@ -1987 +1988 @@
     my $header_class = $tabbed ? 'widget-header-tabs' : '';
     my $return_args = $app->make_return_args;
+    $return_args = encode_html( $return_args );
     my $cgi = $app->uri;
     if ($hosted_widget && (!$insides !~ m/<form\s/i)) {
@@ -9163 +9165 @@
     my $type = $args->{type} || '';
 
-    my $displayname = $a->nickname || '';
+    my $displayname = encode_html( remove_html( $a->nickname || '' ) );
     my $show_email = $args->{show_email} ? 1 : 0;
     my $show_url = 1 unless exists $args->{show_url} && !$args->{show_url};
@@ -9179 +9181 @@
             # Add vcard properties to link if requested (with hcard="1")
             my $hcard = $args->{show_hcard} ? ' class="fn url"' : '';
-            return sprintf qq(<a%s href="%s"%s>%s</a>), $hcard, $a->url, $target, $displayname;
+            return sprintf qq(<a%s href="%s"%s>%s</a>), $hcard, encode_html( $a->url ), $target, $displayname;
         }
     } elsif ($type eq 'email') {
@@ -9185 +9187 @@
             # Add vcard properties to email if requested (with hcard="1")
             my $hcard = $args->{show_hcard} ? ' class="fn email"' : '';
-            my $str = "mailto:" . $a->email;
+            my $str = "mailto:" . encode_html( $a->email );
             $str = spam_protect($str) if $args->{'spam_protect'};
             return sprintf qq(<a%s href="%s">%s</a>), $hcard, $str, $displayname;
@@ -10808 +10810 @@
     $name ||= $args->{default_name};
     $name ||= MT->translate("Anonymous");
+    $name = encode_html( remove_html( $name ) );
     my $show_email = $args->{show_email} ? 1 : 0;
     my $show_url = 1 unless exists $args->{show_url} && !$args->{show_url};
@@ -10818 +10821 @@
 
     if ( $cmntr ) {
+        $name = encode_html( remove_html( $cmntr->nickname ) ) if $cmntr->nickname;
         if ($cmntr->url) {
             return sprintf(qq(<a title="%s" href="%s"%s>%s</a>),
-                           $cmntr->url, $cmntr->url, $target, $name); 
+                           encode_html( $cmntr->url ), encode_html( $cmntr->url ), $target, $name); 
         }
         return $name;
@@ -10829 +10833 @@
         $name = remove_html($name);
         my $url = remove_html($c->url);
-        $url =~ s/>/&gt;/g;
         if ($c->id && !$args->{no_redirect} && !$args->{nofollowfy}) {
             return sprintf(qq(<a title="%s" href="%s%s?__mode=red;id=%d"%s>%s</a>),
-                           $url, $cgi_path, $comment_script, $c->id, $target, $name);
+                           encode_html( $url ), $cgi_path, $comment_script, $c->id, $target, $name);
         } else {
             # In the case of preview, show URL directly without a redirect
@@ -10840 +10843 @@
     } elsif ($show_email && $c->email && MT::Util::is_valid_email($c->email)) {
         my $email = remove_html($c->email);
-        my $str = "mailto:" . $email;
+        my $str = "mailto:" . encode_html( $email );
         $str = spam_protect($str) if $args->{'spam_protect'};
         return sprintf qq(<a href="%s">%s</a>), $str, $name;
@@ -11239 +11242 @@
 
     my $label = $args->{label} || $args->{text} || MT->translate('Reply');
-    my $comment_author = MT::Util::encode_js($comment->author);
+    my $comment_author = MT::Util::encode_html( MT::Util::encode_js($comment->author) );
     my $onclick = sprintf( $args->{onclick} || "mtReplyCommentOnClick(%d, '%s')", $comment->id, $comment_author);
 
@@ -12580 +12583 @@
 =item * Category
 
-The label of the category.
+The label of the category. Note that any HTML tags present in the label
+will be removed.
 
 =item * Daily
@@ -12596 +12600 @@
 =item * Individual
 
-The title of the entry.
+The title of the entry. Note that any HTML tags present in the label will
+be removed.
+
+= item * Author
+
+The display name of the author. Note that any HTML tags present in the
+display name will be removed.
 
 =back

trunk/lib/MT/Util.pm

@@ -641 +641 @@
 sub remove_html {
     my($text) = @_;
-    return $text if !defined $text;  # suppress warnings
-    return $text if $text =~ m/^<\!\[CDATA\[/i; 
-    $text =~ s!<[^>]+>!!gs;
-    $text =~ s!<!&lt;!gs;
-    $text;
+    return '' if !defined $text;  # suppress warnings
+    $text =~ s/(<\!\[CDATA\[(.*?)\]\]>)|(<[^>]+>)/
+        defined $1 ? $1 : ''
+        /geisx;
+    $text =~ s/<(?!\!\[CDATA\[)/&lt;/gis;
+    return $text;
 }
 

trunk/php/lib/MTUtil.php

@@ -1530 +1530 @@
             if ($filter == '__default__') {
                 $filter = 'convert_breaks';
+            } elseif ($filter == '__sanitize__') {
+                $filter = 'sanitize';
             }
             if ($filter == 'convert_breaks') {

trunk/php/lib/archive_lib.php

@@ -97 +97 @@
 
     function get_title($args, $ctx) {
-        return $ctx->tag('EntryTitle', $args);
+        return encode_html( strip_tags( $ctx->tag('EntryTitle', $args) ) );
     }
 
@@ -113 +113 @@
         return 'Individual';
     }
-    
+
     function &get_archive_list($ctx, $args) {
         return $ctx->mt->db->get_archive_list($args);
@@ -291 +291 @@
             $format or $format = "%Y";
         }
-        
+
         return $ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
     }
@@ -486 +486 @@
             }
         }
-        return $author_name;
-    }
-    
+        return encode_html( strip_tags( $author_name ) );
+    }
+
     function get_archive_name() {
         return 'Author';
@@ -793 +793 @@
         }
 
-        return $author_name.$ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
-    }
-    
+        return encode_html( strip_tags( $author_name ) )
+            . $ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
+    }
+
     function get_archive_name() {
         return 'Author-Yearly';
@@ -877 +878 @@
         $format = $args['format'];
         $format or $format = "%B %Y";
-        return $author_name.$ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
-    }
-    
+        return encode_html( strip_tags( $author_name ) )
+            . $ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
+    }
+
     function get_archive_name() {
         return 'Author-Monthly';
@@ -902 +904 @@
         $year_ext = $mt->db->apply_extract_date('year', 'entry_authored_on');
         $month_ext = $mt->db->apply_extract_date('month', 'entry_authored_on');
-        $ctx = $mt->context(); 
+        $ctx = $mt->context();
         $index = $ctx->stash('index_archive');
 
@@ -981 +983 @@
         $format = $args['format'];
         $format or $format = "%x";
-        return $author_name.$ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
-    }
-    
+        return encode_html( strip_tags( $author_name ) )
+            . $ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
+    }
+
     function get_archive_name() {
         return 'Author-Daily';
@@ -1088 +1091 @@
         $format = $args['format'];
         $format or $format = "%x";
-        return $author_name
-            .$ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx)
-            .' - '.$ctx->_hdlr_date(array('ts' => $end, 'format' => $format), $ctx);
-    }
-    
+        return encode_html( strip_tags( $author_name ) )
+            . $ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx)
+            . ' - ' . $ctx->_hdlr_date(array('ts' => $end, 'format' => $format), $ctx);
+    }
+
     function get_archive_name() {
         return 'Author-Weekly';
@@ -1191 +1194 @@
     function &get_archive_list($ctx, $args) {
         global $mt;
-        list($results, $hi, $low) = 
+        list($results, $hi, $low) =
             $this->get_archive_list_data($args);
         if(is_array($results)) {
@@ -1355 +1358 @@
     function get_title($args, $ctx) {
         $cat_name = parent::get_category_name($ctx);
-        $stamp = $ctx->stash('current_timestamp'); 
+        $stamp = $ctx->stash('current_timestamp');
         list($start) = start_end_year($stamp, $ctx->stash('blog'));
         $format = $args['format'];
@@ -1367 +1370 @@
             $format or $format = "%Y";
         }
-        return $cat_name.$ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
+        return encode_html( strip_tags( $cat_name ) )
+            . $ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
     }
 
@@ -1410 +1414 @@
             if (isset($cat)){
                 $cat_filter = " and placement_category_id=".$cat['category_id'];
-        
+
             }
         #}
@@ -1464 +1468 @@
         $format = $args['format'];
         $format or $format = "%B %Y";
-        return $cat_name.$ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
+        return encode_html( strip_tags( $cat_name ) )
+            . $ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
     }
 
@@ -1508 +1513 @@
             if(isset($cat)) {
                 $cat_filter = " and placement_category_id=".$cat['category_id'];
-        
+
             }
         #}
@@ -1566 +1571 @@
         $format = $args['format'];
         $format or $format = "%x";
-        return $cat_name.$ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
+        return encode_html( strip_tags( $cat_name ) )
+            . $ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx);
     }
 
@@ -1611 +1617 @@
             if(isset($cat)) {
                 $cat_filter = " and placement_category_id=".$cat['category_id'];
-        
+
             }
         #}
@@ -1671 +1677 @@
         $format = $args['format'];
         $format or $format = "%x";
-        return $cat_name
-            .$ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx)
-            ." - ".$ctx->_hdlr_date(array('ts' => $end, 'format' => $format), $ctx);
+        return encode_html( strip_tags( $cat_name ) )
+            . $ctx->_hdlr_date(array('ts' => $start, 'format' => $format), $ctx)
+            . " - " . $ctx->_hdlr_date(array('ts' => $end, 'format' => $format), $ctx);
     }
 
@@ -1719 +1725 @@
             if(isset($cat)) {
                 $cat_filter = " and placement_category_id=".$cat['category_id'];
-        
+
             }
         #}

trunk/php/lib/function.mtcommentauthorlink.php

@@ -13 +13 @@
         $name = $args['default_name'];
     $name or $name = $mt->translate("Anonymous");
+    require_once "MTUtil.php";
+    $name = encode_html( $name );
     $email = $comment['comment_email'];
     $url = $comment['comment_url'];
@@ -33 +35 @@
 
     if ( $cmntr ) {
-        $name = isset($cmntr['author_nickname']) ? $cmntr['author_nickname'] : $name;
+        $name = isset($cmntr['author_nickname']) ? encode_html( $cmntr['author_nickname'] ) : $name;
         if ($cmntr['author_url'])
-            return sprintf('<a title="%s" href="%s"%s>%s</a>', $cmntr['author_url'], $cmntr['author_url'], $target, $name);
+            return sprintf('<a title="%s" href="%s"%s>%s</a>', encode_html( $cmntr['author_url'] ), encode_html( $cmntr['author_url'] ), $target, $name);
         return $name;
     } elseif ($show_url && $url) {
@@ -42 +44 @@
         $comment_script = $ctx->mt->config('CommentScript');
         $name = strip_tags($name);
-        $url = strip_tags($url);
-        $url = preg_replace('/>/', '&gt;', $url);
+        $url = encode_html( strip_tags($url) );
         if ($comment['comment_id'] && !isset($args['no_redirect']) && !isset($args['nofollowfy']))
             return sprintf('<a title="%s" href="%s%s?__mode=red;id=%d"%s>%s</a>', $url, $cgi_path, $comment_script, $comment['comment_id'], $target, $name);
@@ -49 +50 @@
             return sprintf('<a title="%s" href="%s"%s>%s</a>', $url, $url, $target, $name);
     } elseif ($show_email && $email && is_valid_email($email)) {
-        $email = strip_tags($email);
+        $email = encode_html( strip_tags($email) );
         $str = 'mailto:' . $email;
         if ($args['spam_protect']) {

trunk/php/lib/function.mtcommentreplytolink.php

@@ -20 +20 @@
     $comment_author = $comment['comment_author'];
     require_once("MTUtil.php");
-    $comment_author = encode_js($comment_author);
+    $comment_author = encode_html(encode_js($comment_author));
 
     $onclick = sprintf($onclick, $comment['comment_id'], $comment_author);

trunk/php/lib/function.mtentryauthorlink.php

@@ -11 +11 @@
 
     $type = $args['type'];
-    $displayname = $entry['author_nickname'];
+    $displayname = encode_html( $entry['author_nickname'] );
     if (isset($args['show_email']))
         $show_email = $args['show_email'];
@@ -21 +21 @@
         $show_url = 1;
 
+    require_once("MTUtil.php");
     # Open the link in a new window if requested (with new_window="1").
     $target = $args['new_window'] ? ' target="_blank"' : '';
@@ -32 +33 @@
     if ($type == 'url') {
         if ($entry['author_url'] && ($displayname != '')) {
-            return sprintf('<a href="%s"%s>%s</a>', $entry['author_url'], $target, $displayname);
+            return sprintf('<a href="%s"%s>%s</a>', encode_html( $entry['author_url'] ), $target, $displayname);
         }
     } elseif ($type == 'email') {
         if ($entry['author_email'] && ($displayname != '')) {
-            $str = "mailto:" . $entry['author_email'];
+            $str = "mailto:" . encode_html( $entry['author_email'] );
             if ($args['spam_protect'])
                 $str = spam_protect($str);
@@ -50 +51 @@
     return $displayname;
 }
-?>

trunk/php/lib/modifier.sanitize.php

@@ -6 +6 @@
 # $Id$
 
-function smarty_modifier_sanitize($text, $spec) {
+function smarty_modifier_sanitize($text, $spec = '1') {
     if ($spec == '1') {
         global $mt;

trunk/php/mt.php

@@ -6 +6 @@
 # $Id: mt.php 2703 2008-07-03 22:19:49Z bchoate $
 
-define('VERSION', '4.21');
-define('VERSION_ID', '4.21');
-define('PRODUCT_VERSION', '4.21');
+define('VERSION', '4.23');
+define('VERSION_ID', '4.23');
+define('PRODUCT_VERSION', '4.23');
 
 $PRODUCT_NAME = '__PRODUCT_NAME__';
@@ -107 +107 @@
 
         foreach ($plugin_paths as $path) {
-            if ($dh = opendir($path)) {
+            if ($dh = @opendir($path)) {
                  while (($file = readdir($dh)) !== false) {
                      if ($file == "." || $file == "..")

trunk/plugins/Cloner/cloner.pl

@@ -14 +14 @@
 use MT 4;
 use base 'MT::Plugin';
+use MT::Util qw( encode_html );
 our $VERSION = '2.0';
 
@@ -63 +64 @@
     my $blog = MT::Blog->load($blog_id)
         or return $app->error($plugin->translate("Invalid blog_id"));
-    require MT::Util;
-    my $blog_name = MT::Util::encode_html($blog->name);
+    # double escape to survive decode_html in translate_templatized
+    my $blog_name = encode_html(encode_html($blog->name, 1), 1);
 
     # Set up and commence app output

trunk/search_templates/comments.tmpl

@@ -24 +24 @@
 
 <div id="banner">
-<h1><a href="<$MTBlogURL$>" accesskey="1"><$MTBlogName$></a></h1>
-<h2><$MTBlogDescription$></h2>
+<h1><a href="<$MTBlogURL$>" accesskey="1"><$MTBlogName encode_html="1"$></a></h1>
+<h2><$MTBlogDescription encode_html="1"$></h2>
 </div>
 
@@ -55 +55 @@
 
 <MTSearchResults>
-<h3><a href="<$MTEntryPermalink$>"><$MTEntryTitle$></a></h3>
-<p><$MTEntryExcerpt$> <$MTEntryEditLink$></p>
-<p class="posted"><MT_TRANS phrase="Posted in [_1] on [_2]" params="<$MTBlogName$>%%<$MTEntryDate$>"></p>
+<h3><a href="<$MTEntryPermalink$>"><$MTEntryTitle encode_html="1"$></a></h3>
+<p><$MTEntryExcerpt encode_html="1"$> <$MTEntryEditLink$></p>
+<p class="posted"><MT_TRANS phrase="Posted in [_1] on [_2]" params="<$MTBlogName encode_html="1" encode_html="1"$>%%<$MTEntryDate$>"></p>
 </MTSearchResults>
 

trunk/search_templates/default.tmpl

@@ -57 +57 @@
                               <h3 class="search-results-header">
                               <MTIfStraightSearch>
-                                  <MT_TRANS phrase="Matching entries from [_1]" params="<$MTBlogName$>">
+                                  <MT_TRANS phrase="Matching entries from [_1]" params="<$MTBlogName encode_html="1" encode_html="1"$>">
                               </MTIfStraightSearch>
                               <MTIfTagSearch>
-                                  <MT_TRANS phrase="Entries from [_1] tagged with '[_2]'" params="<$MTBlogName$>%%<$MTSearchString$>">
+                                  <MT_TRANS phrase="Entries from [_1] tagged with '[_2]'" params="<$MTBlogName encode_html="1" encode_html="1"$>%%<$MTSearchString encode_html="1"$>">
                                   </MTIfTagSearch>
                               </h3>
@@ -66 +66 @@
                           </MTBlogResultHeader>
                       
-                              <h3><a href="<$MTEntryPermalink$>"><$MTEntryTitle$></a></h3>
-                              <p><$MTEntryExcerpt$> <$MTEntryEditLink$></p>
+                              <h3><a href="<$MTEntryPermalink$>"><$MTEntryTitle encode_html="1"$></a></h3>
+                              <p><$MTEntryExcerpt encode_html="1"$> <$MTEntryEditLink$></p>
                               <MTIfTagSearch>
                                   <div class="entry-tags">
@@ -73 +73 @@
                                       <ul class="entry-tags-list">
                                           <MTEntryTags>
-                                              <li class="entry-tag"><a href="<$MTTagSearchLink$>&amp;IncludeBlogs=<$MTSearchIncludeBlogs$>" rel="tag"><$MTTagName$></a></li>
+                                              <li class="entry-tag"><a href="<$MTTagSearchLink$>&amp;IncludeBlogs=<$MTSearchIncludeBlogs$>" rel="tag"><$MTTagName encode_html="1"$></a></li>
                                           </MTEntryTags>
                                       </ul>
@@ -80 +80 @@
                       
                               <p class="entry-footer">
-                                  <span class="post-footers"><MT_TRANS phrase="Posted <MTIfNonEmpty tag="EntryAuthorDisplayName">by [_1] </MTIfNonEmpty>on [_2]" params="<$MTEntryAuthorDisplayName$>%%<$MTEntryDate$>"></span>
+                                  <span class="post-footers"><MT_TRANS phrase="Posted <MTIfNonEmpty tag="EntryAuthorDisplayName">by [_1] </MTIfNonEmpty>on [_2]" params="<$MTEntryAuthorDisplayName encode_html="1"$>%%<$MTEntryDate$>"></span>
                               </p>
                       
@@ -97 +97 @@
                           <h3 class="search-results-header">
                               <MTIfStraightSearch>
-                                  <MT_TRANS phrase="Entries matching '[_1]'" params="<$MTSearchString$>">
+                                  <MT_TRANS phrase="Entries matching '[_1]'" params="<$MTSearchString encode_html="1"$>">
                               </MTIfStraightSearch>
                               <MTIfTagSearch>
-                                  <MT_TRANS phrase="Entries tagged with '[_1]'" params="<$MTSearchString$>">
+                                  <MT_TRANS phrase="Entries tagged with '[_1]'" params="<$MTSearchString encode_html="1"$>">
                               </MTIfTagSearch>
                           </h3>
-                          <p><MT_TRANS phrase="No pages were found containing '[_1]'." params="<$MTSearchString$>"></p>
+                          <p><MT_TRANS phrase="No pages were found containing '[_1]'." params="<$MTSearchString encode_html="1"$>"></p>
                       </MTNoSearchResults>
                       
@@ -133 +133 @@
                    <MTIfTagSearch>
                        <MTSetVar name="search_feed_param" value="tag">
-                       <MTSetVarBlock name="search_feed_description"><MT_TRANS phrase="If you use an RSS reader, you can subscribe to a feed of all future entries tagged '[_1]'." params="<$MTSearchString$>"></MTSetVarBlock>
+                       <MTSetVarBlock name="search_feed_description"><MT_TRANS phrase="If you use an RSS reader, you can subscribe to a feed of all future entries tagged '[_1]'." params="<$MTSearchString encode_html="1"$>"></MTSetVarBlock>
                     <MTElse>    
                        <MTSetVar name="search_feed_param" value="search">
-                       <MTSetVarBlock name="search_feed_description"><MT_TRANS phrase="If you use an RSS reader, you can subscribe to a feed of all future entries matching '[_1]'." params="<$MTSearchString$>"></MTSetVarBlock>
+                       <MTSetVarBlock name="search_feed_description"><MT_TRANS phrase="If you use an RSS reader, you can subscribe to a feed of all future entries matching '[_1]'." params="<$MTSearchString encode_html="1"$>"></MTSetVarBlock>
                    </MTElse>    
                    </MTIfTagSearch>
@@ -166 +166 @@
                                  <ul class="module-list">
                                  <MTTags>
-                                     <li class="module-list-item taglevel<$MTTagRank$>"><a href="<$MTTagSearchLink$>" title="<$MTTagCount$>"><$MTTagName$></a></li>
+                                     <li class="module-list-item taglevel<$MTTagRank$>"><a href="<$MTTagSearchLink$>" title="<$MTTagCount$>"><$MTTagName encode_html="1"$></a></li>
                                  </MTTags>
                                  </ul>

trunk/search_templates/results_feed.tmpl

@@ -3 +3 @@
     xmlns="http://www.w3.org/2005/Atom" 
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
-    <title><MT_TRANS phrase="Search Results for [_1]" params="<$MTSearchString remove_html="1" encode_xml="1"$>"></title>
+    <title><MT_TRANS phrase="Search Results for [_1]" params="<$MTSearchString remove_html="1" encode_html="1" encode_xml="1"$>"></title>
     <id>tag:<$MTCGIHost exclude_port="1" encode_xml="1"$>,<$MTDate format="%Y"$>:<$MTCGIRelativeURL encode_xml="1"$>/feed/<$MTSearchString remove_html="1" encode_xml="1"$></id>
     <link rel="self" type="application/atom+xml" href="<$MTCGIPath$><$MTSearchScript$>?search=<$MTSearchString$>&amp;Template=<$MTSearchTemplateID$>&amp;IncludeBlogs=<$MTSearchIncludeBlogs$>" />

trunk/search_templates/results_feed_rss2.tmpl

@@ -2 +2 @@
 <rss version="2.0" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">
 <channel>
-<title><MT_TRANS phrase="Search Results for [_1]" params="<$MTSearchString remove_html="1" encode_xml="1"$>"></title>
+<title><MT_TRANS phrase="Search Results for [_1]" params="<$MTSearchString remove_html="1" encode_html="1" encode_xml="1"$>"></title>
 <link><$MTCGIPath$><$MTSearchScript$>?search=<$MTSearchString$>&amp;Template=<$MTSearchTemplateID$>&amp;IncludeBlogs=<$MTSearchIncludeBlogs$></link>
 <language>en-us</language>

trunk/t/08-util.t

@@ -7 +7 @@
 use MT::Util qw( encode_html decode_html wday_from_ts format_ts dirify
                  convert_high_ascii encode_xml decode_xml substr_wref
-                 trim ltrim rtrim );
+                 trim ltrim rtrim remove_html );
 use MT::I18N qw( encode_text );
 use strict;
@@ -14 +14 @@
 $mt->config('NoHTMLEntities', 1);
 
-BEGIN { plan tests => 92 };
+BEGIN { plan tests => 96 };
 
 ok(substr_wref("Sabado", 0, 3), "Sab"); #1
@@ -134 +134 @@
 ok(trim(' sunday monday '), 'sunday monday'); #92
 
+ok(remove_html('<![CDATA[foo]]>'), '<![CDATA[foo]]>', "remove html preserves CDATA");
+ok(remove_html('<![CDATA[]]><script>alert("foo")</script><![CDATA[]]>'), '<![CDATA[]]>alert("foo")<![CDATA[]]>', "remove html prevents abuse");
+ok(remove_html('<![CDATA[one]]><script>alert("foo")</script><![CDATA[two]]>'), '<![CDATA[one]]>alert("foo")<![CDATA[two]]>', "remove html prevents abuse, saves plain text");
+ok(remove_html('<![CDATA[<foo>]]><script>alert("foo")</script><![CDATA[two]]>'), '<![CDATA[&lt;foo>]]>alert("foo")<![CDATA[two]]>', "remove html prevents abuse, saves plain text, escapes inner < characters");
 
 =pod

trunk/t/11-sanitize.t

@@ -7 +7 @@
 use lib 'extlib';
 
-use Test::More tests => 53;
+use Test::More tests => 54;
 
 use MT;
@@ -106 +106 @@
 ### this one breaks...
 is(MT::Sanitize->sanitize('<? /* ?> */ readfile("/etc/passwd") ?>'), ' */ readfile("/etc/passwd") ?>', 'php cloaking attempt');
+
+is(MT::Sanitize->sanitize("<a href='
+javascript:alert(123)'>boo</a>", 'a href'), '<a>boo</a>', '<a>boo</a>'); 

trunk/t/driver-tests.pl

@@ -67 +67 @@
           status => 1, },
         { class => 'Bar',
+          __wait => 1,
           id => 1,
           foo_id => 2,
@@ -72 +73 @@
           status => 0, },
         { class => 'Bar',
+          __wait => 1,
           id => 2,
           foo_id => 2,
@@ -77 +79 @@
           status => 1, },
         { class => 'Bar',
+          __wait => 1,
           id => 3,
           foo_id => 1,
@@ -85 +88 @@
     for my $data (@obj_data) {
         my $class = delete $data->{class};
+        my $wait = delete $data->{__wait};
         my $obj = $class->new;
         $obj->set_values($data);
+        sleep($wait) if $wait;
         $obj->save();
     }
@@ -194 +199 @@
     ($status, $id) = $agb->();
     ok(!$status, 'avg_group_by only had two results');
+}
+
+sub max_group_by : Tests(7) {
+    my $mgb = Bar->max_group_by(undef, {
+        join => Foo->join_on(undef,
+            {
+                'id' => \'=bar_foo_id',
+            }),
+        group => ['foo_id'],
+        max => 'created_on',
+    });
+    my ($created_on, $foo_id) = $mgb->();
+    my $f1 = Foo->load(1);
+    my $b3 = Bar->load(3);
+    is($foo_id, $f1->id, 'max_group_by had a second result');
+    #is($created_on, $b3->created_on, 'max_group_by had a second result');
+
+    my $f2 = Foo->load(2);
+    my $b2 = Bar->load(2);
+    ($created_on, $foo_id) = $mgb->();
+    is($foo_id, $f2->id, 'max_group_by had a first result');
+    #is($created_on, $b2->created_on, 'max_group_by had a first result');
+
+    ($created_on, $foo_id) = $mgb->();
+    ok(!$created_on, 'max_group_by only had two results');
+
+    my $mgb2 = Bar->max_group_by(undef, {
+        join => Foo->join_on(undef,
+            { 'id' => \'=bar_foo_id' },
+            { limit => 1 },
+        ),
+        group => ['foo_id'],
+        max => 'created_on',
+    });
+    ($created_on, $foo_id) = $mgb2->();
+    is($foo_id, $f1->id, 'max_group_by with limit had a first result');
+    #is($created_on, $b3->created_on, 'max_group_by with limit had a first result');
+
+    ($created_on, $foo_id) = $mgb2->();
+    ok(!$created_on, 'max_group_by with limit only had one result');
+
+    my $mgb3 = Bar->max_group_by(undef, {
+        join => Foo->join_on(undef,
+            { 'id' => \'=bar_foo_id' },
+            { limit => 1, offset => 1 },
+        ),
+        group => ['foo_id'],
+        max => 'created_on',
+    });
+    ($created_on, $foo_id) = $mgb3->();
+    is($foo_id, $f2->id, 'max_group_by with limit and offset had a first result');
+    #is($created_on, $b2->created_on, 'max_group_by with limit and offset had a first result');
+
+    ($created_on, $foo_id) = $mgb3->();
+    ok(!$created_on, 'max_group_by with limit and offset only had one result');
 }
 
@@ -253 +313 @@
 
         { __class => 'Bar',
+          __wait   => 1,
           name    => 'Silverlight',
           status  => 2,
           foo_id  => 3,             },
         { __class => 'Bar',
+          __wait   => 1,
           name    => 'IronPython',
           status  => 3,
           foo_id  => 3,            },
         { __class => 'Bar',
+          __wait   => 1,
           name    => 'IronRuby',
           status  => 0,
@@ -415 +478 @@
     );
     is_deeply(\@a_foos, [], 'No Foo has Bars with status=2 and status=0 (alias)');
-} 
+}
 
 sub conjunctions : Tests(4) {
@@ -454 +517 @@
 }
 
+sub early_ending_iterators: Tests(4) {
+    my $self = shift;
+    $self->make_pc_data();
+    
+    my ($iter, $tmp, @tmp);
+    my @foo = map { Foo->load($_) } (1..5);
+
+    ## Load using descending sort (newest)
+    $iter = Foo->load_iter(undef,
+        { join => [ 'Bar', 'foo_id',
+                    undef,
+                    { sort => 'created_on',
+                      direction => 'descend',
+                      unique => 1 } ] });
+    $tmp = $iter->();
+    is_object($tmp, $foo[0], '(early ending iterator) Foo associated with the newest Bar is Foo #1');
+    eval { $iter->end(); };
+    is($@, q(), 'Iterator can be ended #1');
+
+    ## Load using ascending sort (oldest)
+    $iter = Foo->load_iter(undef,
+        { join => [ 'Bar', 'foo_id',
+                    undef,
+                    { sort => 'created_on',
+                      direction => 'ascend',
+                      unique => 1 } ] });
+    $tmp = $iter->();
+    is_object($tmp, $foo[2], '(early ending iterator) Foo associated with the oldest Bar is Foo #3');
+    eval { $iter->end(); };
+    is($@, q(), 'Iterator can be ended #2');
+}
+
 sub clean_db : Test(teardown) {
     MT::Test->reset_table_for(qw( Foo Bar ));
@@ -462 +557 @@
 use MT::Test;
 
-Test::Class->runtests('Test::GroupBy', 'Test::Search', +126);
+Test::Class->runtests('Test::GroupBy', 'Test::Search', +137);
 
 my($foo, @foo, @bar);
@@ -647 +742 @@
 is_object($tmp, $foo[0], 'Second oldest Foo is Foo #1');
 
+## This should load only the first Foo object (because limit is 1).
+@tmp = Foo->load(undef, {
+    direction => 'descend',
+    sort => 'created_on',
+    fetchonly => ['id'],
+    limit => 1 });
+is($tmp[0]->id, $foo[0]->id, 'The newest Foo is Foo #1 (fetchonly)');
+
+## Should load the first Foo object (ascend with offset of 1).
+@tmp = Foo->load(undef, {
+    direction => 'ascend',
+    sort => 'created_on',
+    fetchonly => ['id'],
+    limit => 1,
+    offset => 1 });
+is($tmp[0]->id, $foo[0]->id, 'Second oldest Foo is Foo #1 (fetchonly)');
+
 ## Now test join loads.
 ## First we need to create a couple of Bar objects.
@@ -691 +803 @@
 are_objects(\@tmp, \@foo, 'unique Foos associated with Bars, oldest first');
 
+## Use load_iter and do the same thing.
+@tmp = ();
+$iter = Foo->load_iter(undef,
+    { join => [ 'Bar', 'foo_id',
+                undef,
+                { sort => 'created_on',
+                  direction => 'descend',
+                  unique => 1 } ] });
+while ( my $obj = $iter->() ) {
+    push @tmp, $obj;
+}
+are_objects(\@tmp, \@foo, 'unique Foos associated with Bars, oldest first, by load_iter');
+
 ## Load all Foo objects in order of most recently
 ## created Bar object. No uniqueness requirement.
@@ -699 +824 @@
                   direction => 'descend', } ] });
 are_objects(\@tmp, [ @foo, $foo[1] ], 'Foos associated with Bars, oldest first');
+
+## Use load_iter and do the same thing.
+@tmp = ();
+$iter = Foo->load_iter(undef,
+    { join => [ 'Bar', 'foo_id',
+                undef,
+                { sort => 'created_on',
+                  direction => 'descend', } ] });
+while ( my $obj = $iter->() ) {
+    push @tmp, $obj;
+}
+are_objects(\@tmp, [ @foo, $foo[1] ], 'Foos associated with Bars, oldest first, by load_iter');
 
 ## Load last 1 Foo object in order of most recently
@@ -711 +848 @@
 are_objects(\@tmp, [ $foo[0] ], 'Foos associated with oldest Bar');
 
+## Use load_iter to do the same thing.
+@tmp = ();
+$iter = Foo->load_iter(undef,
+    { join => [ 'Bar', 'foo_id',
+                undef,
+                { sort => 'created_on',
+                  direction => 'descend',
+                  unique => 1,
+                  limit => 1, } ] });
+while ( my $obj = $iter->() ) {
+    push @tmp, $obj;
+}
+are_objects(\@tmp, [ $foo[0] ], 'Foos associated with oldest Bar, by load_iter');
+
 ## Load all Foo objects where Bar.name = 'bar0'
 @tmp = Foo->load(undef,
@@ -720 +871 @@
 are_objects(\@tmp, [ $foo[1] ], 'Foos associated with Bars named bar0');
 
+## Use load_iter and do the same thing.
+@tmp = ();
+$iter = Foo->load_iter(undef,
+    { join => [ 'Bar', 'foo_id',
+                { name => 'bar0' },
+                { sort => 'created_on',
+                  direction => 'descend',
+                  unique => 1, } ] });
+while ( my $obj = $iter->() ) {
+    push @tmp, $obj;
+}
+are_objects(\@tmp, [ $foo[1] ], 'Foos associated with Bars named bar0, by load_iter');
+
 ## foo[1] is older than foo[0] because we overrode the timestamp,
 ## so this should load foo[0]
@@ -727 +891 @@
 are_objects(\@tmp, [ $foo[0] ], 'One Foo associated with Bars of status=0');
 
+## and load_iter
+@tmp = ();
+$iter = Foo->load_iter(undef,
+    { sort => 'created_on', direction => 'descend', limit => 1,
+    join => [ 'Bar', 'foo_id', { status => 0 }, { unique => 1 } ] });
+while ( my $obj = $iter->() ) {
+    push @tmp, $obj;
+}
+are_objects(\@tmp, [ $foo[0] ], 'One Foo associated with Bars of status=0, by load_iter');
+
 ## This is the same join as the last one, but without the limit--so
 ## we should get both Foo objects this time, in descending order.
@@ -734 +908 @@
 are_objects(\@tmp, \@foo, 'All Foos associated with Bars of status=0');
 
+## and load_iter.
+@tmp = ();
+$iter = Foo->load_iter(undef,
+    { sort => 'created_on', direction => 'descend',
+      join => [ 'Bar', 'foo_id', { status => 0 }, { unique => 1 } ] });
+while ( my $obj = $iter->() ) {
+    push @tmp, $obj;
+}
+are_objects(\@tmp, \@foo, 'All Foos associated with Bars of status=0, by load_iter');
+
 ## Filter join results by providing a value for 'status'; only Foo[0]
 ## has a 'status' == 2, so only that record should be returned.
@@ -741 +925 @@
 are_objects(\@tmp, [ $foo[0] ], 'Foos of status=2 associated with Bars of status=0');
 
+## and load_iter.
+@tmp = ();
+$iter = Foo->load_iter({ status => 2 },
+    { sort => 'created_on', direction => 'descend',
+      join => [ 'Bar', 'foo_id', { status => 0 }, { unique => 1 } ] });
+while ( my $obj = $iter->() ) {
+    push @tmp, $obj;
+}
+are_objects(\@tmp, [ $foo[0] ], 'Foos of status=2 associated with Bars of status=0, by load_iter');
+
 # Join across a column.
 @tmp = Foo->load({},
@@ -751 +945 @@
       join => [ 'Bar', undef, { foo_id => \'= foo_id', status => 0 }, { unique => 1 } ] });
 are_objects(\@tmp, [ $foo[0] ], 'Foos of status=2 loaded by explicit join across columns');
+
+# and load_iter.
+@tmp = ();
+$iter = Foo->load_iter({},
+    { sort => 'created_on', direction => 'descend',
+      join => [ 'Bar', undef, { foo_id => \'= foo_id', status => 0 }, { unique => 1 } ] });
+while ( my $obj = $iter->() ) {
+    push @tmp, $obj;
+}
+are_objects(\@tmp, \@foo, 'Foos loaded by explicit join across columns, by load_iter');
+
+@tmp = ();
+$iter = Foo->load_iter({ status => 2 },
+    { sort => 'created_on', direction => 'descend',
+      join => [ 'Bar', undef, { foo_id => \'= foo_id', status => 0 }, { unique => 1 } ] });
+while ( my $obj = $iter->() ) {
+    push @tmp, $obj;
+}
+are_objects(\@tmp, [ $foo[0] ], 'Foos of status=2 loaded by explicit join across columns, by load_iter');
 
 ## TEST EXISTS METHOD

trunk/tmpl/cms/dialog/comment_reply.tmpl

@@ -22 +22 @@
     <input type="hidden" name="return_url" value="<mt:if name="return_url"><mt:var name="return_url" escape="html"><mt:else><mt:var name="mt_url">?__mode=list_comments&amp;blog_id=<mt:var name="blog_id" escape="url"></mt:if>" />
     <div id="comment">
-        <p class="comment-meta"><__trans phrase="On [_1], [_2] commented on [_3]" params="<span class="comment-date"><$mt:var name="comment_created_on"$></span>%%<span class="commenter-name"><$mt:var name="commenter_name" escape="html"$></span>%%<span class="entry-title"><$mt:var name="entry_title" escape="html"$></span>"></p>
+        <p class="comment-meta"><__trans phrase="On [_1], [_2] commented on [_3]" params="<span class="comment-date"><$mt:var name="comment_created_on"$></span>%%<span class="commenter-name"><$mt:var name="commenter_name" escape="html"$></span>%%<span class="entry-title"><$mt:var name="entry_title" escape="html" escape="html"$></span>"></p>
         <div class="comment-body">
             <$mt:var name="comment_text"$>

trunk/tmpl/cms/edit_asset.tmpl

@@ -24 +24 @@
         label="<__trans phrase="Stats">">
         <ul class="object-stats">
-            <li><__trans phrase="[_1] - Created by [_2]" params="<$mt:date ts="$created_on_ts" relative="1" _default="$created_on_formatted"$>%%<$mt:var name="created_by" escape="html"$>"></li>
+            <li><__trans phrase="[_1] - Created by [_2]" params="<$mt:date ts="$created_on_ts" relative="1" _default="$created_on_formatted"$>%%<$mt:var name="created_by" escape="html" escape="html"$>"></li>
         <mt:if name="modified_by">
-            <li><__trans phrase="[_1] - Modified by [_2]" params="<$mt:date ts="$modified_on_ts" relative="1" _default="$modified_on_formatted"$>%%<$mt:var name="modified_by" escape="html"$>"></li>
+            <li><__trans phrase="[_1] - Modified by [_2]" params="<$mt:date ts="$modified_on_ts" relative="1" _default="$modified_on_formatted"$>%%<$mt:var name="modified_by" escape="html" escape="html"$>"></li>
         </mt:if>
         </ul>

trunk/tmpl/cms/edit_author.tmpl

@@ -78 +78 @@
 }
 function passwordResetConfirm() {
-    if (confirm('<__trans phrase="_WARNING_PASSWORD_RESET_SINGLE" params="<mt:var name="name" escape="js">%%<mt:var name="email" escape="js">">')) {
+    var username = '<mt:var name="name" escape="js">';
+    var email = '<mt:var name="email" escape="js">';
+    if (confirm('<__trans phrase="_WARNING_PASSWORD_RESET_SINGLE" params="'+username+'%%'+email+'">')) {
         document.forms['recover'].submit();
     }

trunk/tmpl/cms/edit_commenter.tmpl

@@ -29 +29 @@
         label="<__trans phrase="Useful links">">
         <ul>
-            <li><a href="<mt:var name="script_url">?__mode=list_comments&amp;blog_id=<mt:var name="blog_id" escape="url">&amp;filter_key=_comments_by_user&amp;filter_val=<mt:var name="id" escape="url">"><__trans phrase="Comments from [_1]" params="<mt:var name="nickname" escape="html">"></a></li>
+            <li><a href="<mt:var name="script_url">?__mode=list_comments&amp;blog_id=<mt:var name="blog_id" escape="url">&amp;filter_key=_comments_by_user&amp;filter_val=<mt:var name="id" escape="url">"><__trans phrase="Comments from [_1]" params="<mt:var name="nickname" escape="html" escape="html">"></a></li>
         </ul>
     </mtapp:widget>

trunk/tmpl/cms/edit_entry.tmpl

@@ -353 +353 @@
             <mt:unless name="new_object">
             <ul>
-                <li><__trans phrase="[_1] - Created by [_2]" params="<$mt:date ts="$created_on_ts" relative="1" _default="$created_on_formatted"$>%%<$mt:var name="created_by" escape="html"$>"></li>
+                <li><__trans phrase="[_1] - Created by [_2]" params="<$mt:date ts="$created_on_ts" relative="1" _default="$created_on_formatted"$>%%<$mt:var name="created_by" escape="html" escape="html"$>"></li>
             <mt:if name="status_publish">
-                <li><__trans phrase="[_1] - Published by [_2]" params="<$MTDate ts="$authored_on_ts" relative="1" _default="$authored_on_formatted"$>%%<$mt:var name="author_name" escape="html"$>"></li>
+                <li><__trans phrase="[_1] - Published by [_2]" params="<$MTDate ts="$authored_on_ts" relative="1" _default="$authored_on_formatted"$>%%<$mt:var name="author_name" escape="html" escape="html"$>"></li>
             </mt:if>
             <mt:if name="modified_by">
-                <li><__trans phrase="[_1] - Edited by [_2]" params="<$MTDate ts="$modified_on_ts" relative="1" _default="$modified_on_formatted"$>%%<$mt:var name="modified_by" escape="html"$>"></li>
+                <li><__trans phrase="[_1] - Edited by [_2]" params="<$MTDate ts="$modified_on_ts" relative="1" _default="$modified_on_formatted"$>%%<$mt:var name="modified_by" escape="html" escape="html"$>"></li>
             </mt:if>
             </ul>
@@ -898 +898 @@
 
 function listPreviousPings () {
-    window.open('<TMPL_VAR NAME=SCRIPT_URL>?__mode=pinged_urls&entry_id=<TMPL_VAR NAME=ID>&blog_id=<TMPL_VAR NAME=BLOG_ID>', 'urls', 'width=400,height=400,resizable=yes,scrollbars=yes');
+    window.open('<mt:var name="script_url">?__mode=pinged_urls&entry_id=<mt:var name="id" escape="html">&blog_id=<mt:var name="blog_id" escape="html">', 'urls', 'width=400,height=400,resizable=yes,scrollbars=yes');
 }
 /* ]]> */

trunk/tmpl/cms/edit_role.tmpl

@@ -257 +257 @@
                 label="<__trans phrase="Created by">"
                 hint="">
-                <p><mt:if name="created_by"><mt:var name="created_by"><mt:else><em><__trans phrase="System"></em></mt:if></p>
+                <p><mt:if name="created_by"><mt:var name="created_by" escape="html"><mt:else><em><__trans phrase="System"></em></mt:if></p>
             </mtapp:setting>
         </mt:if>

trunk/tmpl/cms/include/asset_table.tmpl

@@ -72 +72 @@
     </mt:if>
                 </td>
-                <td class="as-created-by"><mt:if name="created_by"><mt:var name="created_by"><mt:else><em><__trans phrase="System"></em></mt:if></td>
+                <td class="as-created-by"><mt:if name="created_by"><mt:var name="created_by" escape="html"><mt:else><em><__trans phrase="System"></em></mt:if></td>
                 <td><span title="<mt:var name="created_on_formatted">"><mt:if name="created_on_relative"><mt:if name="dates_relative"><mt:var name="created_on_relative"><mt:else><mt:var name="created_on_formatted"></mt:if><mt:else><mt:var name="created_on_formatted"></mt:if></span></td>
                 <td class="si status-view"><mt:if name="url"><a href="<mt:var name="url">" target="view_uploaded" title="<__trans phrase="View">"><img src="<mt:var name="static_uri">images/spacer.gif" alt="<__trans phrase="View">" width="13" height="9" /></a><mt:else>&nbsp;</mt:if></td>

trunk/tmpl/cms/include/comment_detail.tmpl

@@ -6 +6 @@
                             <$mt:CommentAuthorIdentity$>
         <mt:IfCommentParent>
-                            <__trans phrase="[_1] replied to <a href="[_2]">comment from [_3]</a>" params="<span class="vcard author"><$mt:CommentAuthorLink$></span>%%<mt:CommentParent><$mt:CommentLink$></mt:CommentParent>%%<mt:CommentParent><$mt:CommentAuthor$></mt:CommentParent>">
+                            <__trans phrase="[_1] replied to <a href="[_2]">comment from [_3]</a>" params="<span class="vcard author"><$mt:CommentAuthorLink escape="html"$></span>%%<mt:CommentParent><$mt:CommentLink$></mt:CommentParent>%%<mt:CommentParent><$mt:CommentAuthor escape="html"$></mt:CommentParent>">
         <mt:Else>
-                            <span class="vcard author"><$mt:CommentAuthorLink$></span>
+                            <span class="vcard author"><$mt:CommentAuthorLink escape="html"$></span>
         </mt:IfCommentParent>
                             | <a href="<$mt:CommentLink$>"><abbr class="published" title="<$mt:CommentDate format_name="iso8601"$>"><$mt:CommentDate$></abbr></a>

trunk/tmpl/cms/include/entry_table.tmpl

@@ -169 +169 @@
             <mt:if name="is_editable">
                     <input type="hidden" name="author_id_<$mt:var name="id"$>" value="<$mt:var name="row_author_id"$>" id="entry_author_id_<$mt:var name="id"$>">
-                    <a href="javascript:void(0)" onclick="return openDialog(this.form, 'dialog_select_author', 'blog_id=<$mt:var name="blog_id"$>&amp;multi=0&amp;idfield=entry_author_id_<$mt:var name="id"$>&amp;namefield=entry_author_name_<$mt:var name="id"$>')"><span id="entry_author_name_<$mt:var name="id"$>"><$mt:var name="row_author_name"$></span></a>
-            <mt:else>
-                    <$mt:var name="author_name"$>
+                    <a href="javascript:void(0)" onclick="return openDialog(this.form, 'dialog_select_author', 'blog_id=<$mt:var name="blog_id"$>&amp;multi=0&amp;idfield=entry_author_id_<$mt:var name="id"$>&amp;namefield=entry_author_name_<$mt:var name="id"$>')"><span id="entry_author_name_<$mt:var name="id"$>"><$mt:var name="row_author_name" escape="html"$></span></a>
+            <mt:else>
+                    <$mt:var name="author_name" escape="html"$>
             </mt:if>
                 </td>

trunk/tmpl/cms/include/header.tmpl

@@ -92 +92 @@
     </mt:unless>
             <li id="help" class="help"><a href="javascript:void(0)" onclick="openManual('<mt:var name="template_filename" escape="js">')"><__trans phrase="Help"></a></li>
-            <li id="user"><a href="<$mt:var name="mt_url"$>?__mode=view&amp;_type=author&amp;id=<$mt:var name="author_id"$>"><__trans phrase="Hi [_1]," params="<$mt:var name="author_name"$>"></a></li>
+            <li id="user"><a href="<$mt:var name="mt_url"$>?__mode=view&amp;_type=author&amp;id=<$mt:var name="author_id" escape="html" escape="html"$>"><__trans phrase="Hi [_1]," params="<$mt:var name="author_name" escape="html" escape="html"$>"></a></li>
         <mt:if name="can_logout">
             <li id="logout"><a href="<$mt:var name="mt_url"$>?__mode=logout"><__trans phrase="Logout"></a></li>

trunk/tmpl/cms/include/import_start.tmpl

@@ -12 +12 @@
 
 <pre><__trans phrase="Importing entries into blog" params="<mt:var name="blog_name" escape="html">">
-<mt:if name="import_as_me"><__trans phrase="Importing entries as user '[_1]'" params="<mt:var name="author_name">"><mt:else><__trans phrase="Creating new users for each user found in the blog"></mt:if>
+<mt:if name="import_as_me"><__trans phrase="Importing entries as user '[_1]'" params="<mt:var name="author_name" escape="html" escape="html">"><mt:else><__trans phrase="Creating new users for each user found in the blog"></mt:if>
 

trunk/tmpl/cms/include/list_associations/page_title.tmpl

@@ -1 +1 @@
     <mt:if name="user_view">
-        <mt:setvarblock name="page_title"><__trans phrase="Permissions for [_1]" params="<mt:var name="edit_name" escape="html">"></mt:setvarblock>
+        <mt:setvarblock name="page_title"><__trans phrase="Permissions for [_1]" params="<mt:var name="edit_name" escape="html" escape="html">"></mt:setvarblock>
     </mt:if>
     <mt:if name="usergroup_view">

trunk/tmpl/cms/include/list_associations/table_role_view.tmpl

@@ -2 +2 @@
     <td>
     <mt:if name="is_administrator">
-        <a href="<$mt:var name="script_url"$>?__mode=list_associations&amp;role_id=<$mt:var name="role_id"$>"><$mt:var name="role_name" escape="html"$>
+        <a href="<$mt:var name="script_url"$>?__mode=list_associations&amp;role_id=<$mt:var name="role_id" escape="html"$>"><$mt:var name="role_name" escape="html"$>
     <mt:else>
         <$mt:var name="role_name" escape="html"$>
@@ -11 +11 @@
     <td>
         <mt:if name="is_administrator">
-            <a href="<mt:var name="script_url">?__mode=list_associations&amp;author_id=<mt:var name="user_id">" class="icon-right icon-user"><$mt:var name="user_name" escape="html"$></a>
+            <a href="<mt:var name="script_url">?__mode=list_associations&amp;author_id=<mt:var name="user_id" escape="html">" class="icon-right icon-user"><$mt:var name="user_name" escape="html"$></a>
         <mt:else>
             <span class="icon-right icon-user"><$mt:var name="user_name" escape="html"$></span>

trunk/tmpl/cms/include/list_associations/table_user_view.tmpl

@@ -1 +1 @@
 <mt:if name="user_id">
     <mt:if name="is_administrator">
-        <a href="<mt:var name="script_url">?__mode=list_associations&amp;author_id=<mt:var name="user_id">" class="icon-right icon-user"><$mt:var name="user_name" escape="html"$></a>
+        <a href="<mt:var name="script_url">?__mode=list_associations&amp;author_id=<mt:var name="user_id" escape="html">" class="icon-right icon-user"><$mt:var name="user_name" escape="html"$></a>
     <mt:else>
         <span class="icon-right icon-user"><$mt:var name="user_name" escape="html"$></span>

trunk/tmpl/cms/include/listing_panel.tmpl

@@ -62 +62 @@
                             <tr id="<mt:var name="panel_type">-<mt:var name="id">" class="<mt:if name="__odd__">odd<mt:else>even</mt:if>">
                                 <td class="cb"><input type="<mt:if name="panel_multi">checkbox<mt:else>radio</mt:if>" class="select" name="<mt:var name="panel_type">-cb" value="<mt:var name="id">" <mt:if name="disabled">disabled="disabled"</mt:if> /></td>
-                                <td class="panel-label"><label><mt:var name="label"></label></td>
+                                <td class="panel-label"><label><mt:var name="label" escape="html"></label></td>
                                 <td class="panel-description">
-                                    <mt:if name="link"><span class="view-site-link"><a href="<mt:var name="link" escape="html">" target="_blank"><img src="<mt:var name="static_uri">images/spacer.gif" title="<__trans phrase="Go to [_1]" params="<mt:var name="label" escape="html">">" width="13" height="9" alt="" /></a></span></mt:if>
-                                    <mt:if name="link"><span class="float_desc"></mt:if><mt:var name="description"><mt:if name="link"></span></mt:if>
+<mt:Ignore><!-- No, the duplicate escape modifiers below is not a typo. --></mt:Ignore>
+                                    <mt:if name="link"><span class="view-site-link"><a href="<mt:var name="link" escape="html">" target="_blank"><img src="<mt:var name="static_uri">images/spacer.gif" title="<__trans phrase="Go to [_1]" params="<mt:var name="label" escape="html" escape="html">">" width="13" height="9" alt="" /></a></span></mt:if>
+                                    <mt:if name="link"><span class="float_desc"></mt:if><mt:var name="description" escape="html"><mt:if name="link"></span></mt:if>
                                 </td>
                             </tr>

trunk/tmpl/cms/include/log_table.tmpl

@@ -23 +23 @@
             <td class="weblog"><a href="<$mt:var name="script_url"$>?__mode=view_log&amp;blog_id=<$mt:var name="blog_id"$>"><$mt:var name="weblog_name" escape="html"$></a></td>
     </mt:if>
-            <td class="action-by"><mt:if name="username"><$mt:var name="username"$><mt:else><__trans phrase="[_1]" params="<$mt:var name="log_ip"$>"></mt:if></td>
+            <td class="action-by"><mt:if name="username"><$mt:var name="username" escape="html"$><mt:else><__trans phrase="[_1]" params="<$mt:var name="log_ip"$>"></mt:if></td>
             <td class="date"><mt:if name="is_last"><a name="last"></a></mt:if><span title="<$mt:var name="created_on_formatted"$>"><mt:if name="created_on_relative"><mt:if name="dates_relative"><$mt:var name="created_on_relative"$><mt:else><$mt:var name="created_on_formatted"$></mt:if><mt:else><$mt:var name="created_on_formatted"$></mt:if></span></td>
         </tr>

trunk/tmpl/cms/include/template_table.tmpl

@@ -31 +31 @@
     <mt:else if name="template_type" eq="archive">
         <a href="javascript:void(0)"
-            onclick="doForMarkedInThisWindow(getByID('<$mt:var name="template_type" default="template"$>-listing-form'), '<__trans phrase="template" escape="js">', '<__trans phrase="templates" escape="js">', 'id', 'publish_archive_templates', {}, '<__trans phrase="to publish" escape="js">'); return false;"
+            onclick="doForMarkedInThisWindow(getByID('<$mt:var name="template_type" default="template" escape="html"$>-listing-form'), '<__trans phrase="template" escape="js">', '<__trans phrase="templates" escape="js">', 'id', 'publish_archive_templates', {}, '<__trans phrase="to publish" escape="js">'); return false;"
             accesskey="a"
             title="<__trans phrase="Publish selected templates (a)">"
@@ -74 +74 @@
         <tbody>
     </mt:if>
-            <tr class="<mt:if name="__odd__">odd<mt:else>even</mt:if> template-<$mt:var name="template_type" default="template"$>">
+            <tr class="<mt:if name="__odd__">odd<mt:else>even</mt:if> template-<$mt:var name="template_type" default="template" escape="html"$>">
                 <td class="cb"><input type="checkbox" name="id" class="select" value="<mt:var name="id">" /></td>
                 <td class="template-name"><a href="<mt:var name="script_url">?__mode=view&amp;_type=template&amp;id=<mt:var name="id">&amp;blog_id=<mt:var name="blog_id">"><mt:var name="name" escape="html"></a></td>
@@ -139 +139 @@
 <mt:else>
     <mt:if name="blog_id">
-    <div id="<$mt:var name="template_type" default="template"$>-listing" class="listing zero-state-listing zero-state">
+    <div id="<$mt:var name="template_type" default="template" escape="html"$>-listing" class="listing zero-state-listing zero-state">
         <div class="listing-header">
             <$mt:var name="listing_header"$>

trunk/tmpl/cms/include/users_content_nav.tmpl

@@ -2 +2 @@
 <mt:if name="USER_VIEW">
     <mt:unless name="EDIT_AUTHOR_ID" eq="PSEUDO">
-    <li><a href="<mt:var name="SCRIPT_URL">?__mode=view&amp;_type=author&amp;id=<mt:var name="EDIT_AUTHOR_ID">"><b><__trans phrase="Profile"></b></a></li>
+    <li><a href="<mt:var name="SCRIPT_URL">?__mode=view&amp;_type=author&amp;id=<mt:var name="EDIT_AUTHOR_ID" escape="html">"><b><__trans phrase="Profile"></b></a></li>
     </mt:unless>
-    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;author_id=<mt:var name="EDIT_AUTHOR_ID">"><b><__trans phrase="Permissions"></b></a></li>
+    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;author_id=<mt:var name="EDIT_AUTHOR_ID" escape="html">"><b><__trans phrase="Permissions"></b></a></li>
 </mt:if>
 
 <mt:if name="edit_author">
-    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=view&amp;_type=author<mt:if name="id">&amp;id=<mt:var name="id"></mt:if>"><b><__trans phrase="Profile"></b></a></li>
+    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=view&amp;_type=author<mt:if name="id">&amp;id=<mt:var name="id" escape="html"></mt:if>"><b><__trans phrase="Profile"></b></a></li>
     <mt:unless name="new_object">
-        <li><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;author_id=<mt:var name="id">"><b><__trans phrase="Permissions"></b></a></li>
+        <li><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;author_id=<mt:var name="id" escape="html">"><b><__trans phrase="Permissions"></b></a></li>
     </mt:unless>
 </mt:if>
 
 <mt:if name="ROLE_VIEW">
-    <li><a href="<mt:var name="SCRIPT_URL">?__mode=edit_role&amp;id=<mt:var name="ROLE_ID">"><b><__trans phrase="Details"></b></a></li>
-    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;role_id=<mt:var name="ROLE_ID">"><b><__trans phrase="Users"></b></a></li>
+    <li><a href="<mt:var name="SCRIPT_URL">?__mode=edit_role&amp;id=<mt:var name="ROLE_ID" escape="html">"><b><__trans phrase="Details"></b></a></li>
+    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;role_id=<mt:var name="ROLE_ID" escape="html">"><b><__trans phrase="Users"></b></a></li>
 </mt:if>
 
 <mt:if name="edit_role">
-    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=edit_role&amp;id=<mt:var name="ID">"><b><__trans phrase="Details"></b></a></li>
-    <li><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;role_id=<mt:var name="ID">"><b><__trans phrase="Users"></b></a></li>
+    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=edit_role&amp;id=<mt:var name="ID" escape="html">"><b><__trans phrase="Details"></b></a></li>
+    <li><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;role_id=<mt:var name="ID" escape="html">"><b><__trans phrase="Users"></b></a></li>
 </mt:if>
 
@@ -27 +27 @@
     <li><a href="<mt:var name="SCRIPT_URL">?__mode=list_authors"><b><__trans phrase="Users"></b></a></li>
     <li><a href="<mt:var name="SCRIPT_URL">?__mode=list_roles"><b><__trans phrase="Roles"></b></a></li>
-    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;blog_id=<mt:var name="BLOG_ID">"><b><__trans phrase="Permissions"></b></a></li>
+    <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;blog_id=<mt:var name="BLOG_ID" escape="html">"><b><__trans phrase="Permissions"></b></a></li>
 </mt:if>
 
@@ -34 +34 @@
     <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=list_authors"><b><__trans phrase="Users"></b></a></li>
     <li><a href="<mt:var name="SCRIPT_URL">?__mode=list_roles"><b><__trans phrase="Roles"></b></a></li>
-    <li><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;blog_id=<mt:var name="BLOG_ID">"><b><__trans phrase="Permissions"></b></a></li>
+    <li><a href="<mt:var name="SCRIPT_URL">?__mode=list_associations&amp;blog_id=<mt:var name="BLOG_ID" escape="html">"><b><__trans phrase="Permissions"></b></a></li>
 </mt:if>
 
 <mt:if name="list_role">
     <mt:if name="EDIT_AUTHOR_ID">
-        <li><a href="<mt:var name="SCRIPT_URL">?__mode=view&amp;_type=author&amp;id=<mt:var name="EDIT_AUTHOR_ID">"><b><__trans phrase="Profile"></b></a></li>
-        <li class="active"><a href="<mt:var name="SCRIPT_URL">?__mode=list_roles&amp;author_id=<mt:var name="EDIT_AUTHOR_ID">"><b><__trans phrase="Roles"></b></a></li>
+        <li><a href="<mt:var name="SCRIPT_URL">?__mode=view&amp;_type=author&amp;id=<mt:var name="EDIT_AUTHOR_ID" escape="html">"><b><__trans phrase