Index: wp-login.php
===================================================================
--- wp-login.php	(.../2.1)	(revision 5900)
+++ wp-login.php	(.../2.1.3)	(revision 5900)
@@ -286,7 +286,7 @@
 	$user_pass = '';
 	$using_cookie = FALSE;
 
-	if ( !isset( $_REQUEST['redirect_to'] ) )
+	if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() )
 		$redirect_to = 'wp-admin/';
 	else
 		$redirect_to = $_REQUEST['redirect_to'];
Index: wp-comments-post.php
===================================================================
--- wp-comments-post.php	(.../2.1)	(revision 5900)
+++ wp-comments-post.php	(.../2.1.3)	(revision 5900)
@@ -25,14 +25,20 @@
 
 // If the user is logged in
 $user = wp_get_current_user();
-if ( $user->ID ) :
+if ( $user->ID ) {
 	$comment_author       = $wpdb->escape($user->display_name);
 	$comment_author_email = $wpdb->escape($user->user_email);
 	$comment_author_url   = $wpdb->escape($user->user_url);
-else :
+	if ( current_user_can('unfiltered_html') ) {
+		if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
+			kses_remove_filters(); // start with a clean slate
+			kses_init_filters(); // set up the filters
+		}
+	}
+} else {
 	if ( get_option('comment_registration') )
 		wp_die( __('Sorry, you must be logged in to post a comment.') );
-endif;
+}
 
 $comment_type = '';
 
Index: wp-includes/default-filters.php
===================================================================
--- wp-includes/default-filters.php	(.../2.1)	(revision 5900)
+++ wp-includes/default-filters.php	(.../2.1.3)	(revision 5900)
@@ -31,6 +31,8 @@
 add_filter('pre_comment_author_email', 'wp_filter_kses');
 add_filter('pre_comment_author_url', 'wp_filter_kses');
 
+add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
+
 // Default filters for these functions
 add_filter('comment_author', 'wptexturize');
 add_filter('comment_author', 'convert_chars');
Index: wp-includes/post-template.php
===================================================================
--- wp-includes/post-template.php	(.../2.1)	(revision 5900)
+++ wp-includes/post-template.php	(.../2.1.3)	(revision 5900)
@@ -273,6 +273,7 @@
 	$r = array_merge($defaults, $r);
 
 	$output = '';
+	$current_page = 0;
 
 	// sanitize, mostly to keep spaces out
 	$r['exclude'] = preg_replace('[^0-9,]', '', $r['exclude']);
@@ -288,7 +289,8 @@
 			$output .= '<li class="pagenav">' . $r['title_li'] . '<ul>';
 
 		global $wp_query;
-		$current_page = $wp_query->get_queried_object_id();
+		if ( is_page() )
+			$current_page = $wp_query->get_queried_object_id();
 		$output .= walk_page_tree($pages, $r['depth'], $current_page, $r);
 
 		if ( $r['title_li'] )
Index: wp-includes/cache.php
===================================================================
--- wp-includes/cache.php	(.../2.1)	(revision 5900)
+++ wp-includes/cache.php	(.../2.1.3)	(revision 5900)
@@ -1,6 +1,7 @@
 <?php
 function wp_cache_add($key, $data, $flag = '', $expire = 0) {
 	global $wp_object_cache;
+	$data = unserialize(serialize($data));
 
 	return $wp_object_cache->add($key, $data, $flag, $expire);
 }
@@ -37,12 +38,14 @@
 
 function wp_cache_replace($key, $data, $flag = '', $expire = 0) {
 	global $wp_object_cache;
+	$data = unserialize(serialize($data));
 
 	return $wp_object_cache->replace($key, $data, $flag, $expire);
 }
 
 function wp_cache_set($key, $data, $flag = '', $expire = 0) {
 	global $wp_object_cache;
+	$data = unserialize(serialize($data));
 
 	return $wp_object_cache->set($key, $data, $flag, $expire);
 }
Index: wp-includes/bookmark.php
===================================================================
--- wp-includes/bookmark.php	(.../2.1)	(revision 5900)
+++ wp-includes/bookmark.php	(.../2.1.3)	(revision 5900)
@@ -3,6 +3,7 @@
 function get_bookmark($bookmark_id, $output = OBJECT) {
 	global $wpdb;
 
+	$bookmark_id = (int) $bookmark_id;
 	$link = $wpdb->get_row("SELECT * FROM $wpdb->links WHERE link_id = '$bookmark_id'");
 	$link->link_category = wp_get_link_cats($bookmark_id);
 
Index: wp-includes/query.php
===================================================================
--- wp-includes/query.php	(.../2.1)	(revision 5900)
+++ wp-includes/query.php	(.../2.1.3)	(revision 5900)
@@ -765,9 +765,11 @@
 				$searchand = ' AND ';
 			}
 			$term = addslashes_gpc($q['s']); 
-			if (!$q['sentence'] && count($q['search_terms']) > 1 && $q['search_terms'][0] != $q['s'] ) $search .= " OR (post_title LIKE '{$n}{$term}{$n}') OR (post_content LIKE '{$n}{$term}{$n}')";
-			
-			$search = " AND ({$search}) ";
+			if (!$q['sentence'] && count($q['search_terms']) > 1 && $q['search_terms'][0] != $q['s'] )
+				$search .= " OR (post_title LIKE '{$n}{$term}{$n}') OR (post_content LIKE '{$n}{$term}{$n}')";
+
+			if ( !empty($search) )
+				$search = " AND ({$search}) ";
 		}
 
 		// Category stuff
@@ -794,16 +796,16 @@
 			$in_cats = substr($in_cats, 0, -2);
 			$out_cats = substr($out_cats, 0, -2);
 			if ( strlen($in_cats) > 0 )
-				$in_cats = " AND category_id IN ($in_cats)";
+				$in_cats = " AND $wpdb->post2cat.category_id IN ($in_cats)";
 			if ( strlen($out_cats) > 0 ) {
-				$ids = $wpdb->get_col("SELECT post_id FROM $wpdb->post2cat WHERE category_id IN ($out_cats)");
+				$ids = $wpdb->get_col("SELECT post_id FROM $wpdb->post2cat WHERE $wpdb->post2cat.category_id IN ($out_cats)");
 				if ( is_array($ids) && count($ids > 0) ) {
 					foreach ( $ids as $id )
 						$out_posts .= "$id, ";
 					$out_posts = substr($out_posts, 0, -2);
 				}
 				if ( strlen($out_posts) > 0 )
-					$out_cats = " AND ID NOT IN ($out_posts)";
+					$out_cats = " AND $wpdb->posts.ID NOT IN ($out_posts)";
 				else
 					$out_cats = '';
 			}
@@ -929,9 +931,9 @@
 
 			if ( is_user_logged_in() ) {
 				if ( 'post' == $post_type )
-					$cap = 'edit_private_posts';
+					$cap = 'read_private_posts';
 				else
-					$cap = 'edit_private_pages';
+					$cap = 'read_private_pages';
 
 				if ( current_user_can($cap) )
 					$where .= " OR post_status = 'private'";
Index: wp-includes/link-template.php
===================================================================
--- wp-includes/link-template.php	(.../2.1)	(revision 5900)
+++ wp-includes/link-template.php	(.../2.1.3)	(revision 5900)
@@ -93,8 +93,9 @@
 function get_page_link($id = false) {
 	global $post;
 
+	$id = (int) $id;
 	if ( !$id )
-		$id = $post->ID;
+		$id = (int) $post->ID;
 
 	if ( 'page' == get_option('show_on_front') && $id == get_option('page_on_front') )
 		$link = get_option('home');
@@ -109,7 +110,7 @@
 	global $post, $wp_rewrite;
 
 	if ( !$id )
-		$id = $post->ID;
+		$id = (int) $post->ID;
 
 	$pagestruct = $wp_rewrite->get_page_permastruct();
 
@@ -130,7 +131,7 @@
 	$link = false;
 
 	if (! $id) {
-		$id = $post->ID;
+		$id = (int) $post->ID;
 	}
 
 	$object = get_post($id);
@@ -379,7 +380,7 @@
 function get_pagenum_link($pagenum = 1) {
 	global $wp_rewrite;
 
-	$qstr = wp_specialchars($_SERVER['REQUEST_URI']);
+	$qstr = $_SERVER['REQUEST_URI'];
 
 	$page_querystring = "paged";
 	$page_modstring = "page/";
@@ -446,7 +447,7 @@
 	return $qstr;
 }
 
-function next_posts($max_page = 0) { // original by cfactor at cooltux.org
+function get_next_posts_page_link($max_page = 0) {
 	global $paged, $pagenow;
 
 	if ( !is_single() ) {
@@ -454,10 +455,14 @@
 			$paged = 1;
 		$nextpage = intval($paged) + 1;
 		if ( !$max_page || $max_page >= $nextpage )
-			echo get_pagenum_link($nextpage);
+			return get_pagenum_link($nextpage);
 	}
 }
 
+function next_posts($max_page = 0) {
+	echo clean_url(get_next_posts_page_link($max_page));
+}
+
 function next_posts_link($label='Next Page &raquo;', $max_page=0) {
 	global $paged, $wpdb, $wp_query;
 	if ( !$max_page ) {
@@ -473,18 +478,20 @@
 	}
 }
 
-
-function previous_posts() { // original by cfactor at cooltux.org
+function get_previous_posts_page_link() {
 	global $paged, $pagenow;
 
 	if ( !is_single() ) {
 		$nextpage = intval($paged) - 1;
 		if ( $nextpage < 1 )
 			$nextpage = 1;
-		echo get_pagenum_link($nextpage);
+		return get_pagenum_link($nextpage);
 	}
 }
 
+function previous_posts() {
+	echo clean_url(get_previous_posts_page_link());
+}
 
 function previous_posts_link($label='&laquo; Previous Page') {
 	global $paged;
Index: wp-includes/formatting.php
===================================================================
--- wp-includes/formatting.php	(.../2.1)	(revision 5900)
+++ wp-includes/formatting.php	(.../2.1.3)	(revision 5900)
@@ -63,7 +63,6 @@
 	$pee = preg_replace("/\n\n+/", "\n\n", $pee); // take care of duplicates
 	$pee = preg_replace('/\n?(.+?)(?:\n\s*\n|\z)/s', "<p>$1</p>\n", $pee); // make paragraphs, including one at the end
 	$pee = preg_replace('|<p>\s*?</p>|', '', $pee); // under certain strange conditions it could create a P of entirely whitespace
-	$pee = preg_replace( '|<p>(<div[^>]*>\s*)|', "$1<p>", $pee );
 	$pee = preg_replace('!<p>([^<]+)\s*?(</(?:div|address|form)[^>]*>)!', "<p>$1</p>$2", $pee);
 	$pee = preg_replace( '|<p>|', "$1<p>", $pee );
 	$pee = preg_replace('!<p>\s*(</?' . $allblocks . '[^>]*>)\s*</p>!', "$1", $pee); // don't pee all over a tag
@@ -82,7 +81,7 @@
 	if ( strstr( $pee, '<pre' ) )
 		$pee = preg_replace('!(<pre.*?>)(.*?)</pre>!ise', " stripslashes('$1') .  stripslashes(clean_pre('$2'))  . '</pre>' ", $pee);
 	$pee = preg_replace( "|\n</p>$|", '</p>', $pee );
-/**/
+
 	return $pee;
 }
 
@@ -1073,7 +1072,11 @@
 	$strip = array('%0d', '%0a');
 	$url = str_replace($strip, '', $url);
 	$url = str_replace(';//', '://', $url);
-	$url = (!strstr($url, '://')) ? 'http://'.$url : $url;
+	// Append http unless a relative link starting with / or a php file.
+	if ( strpos($url, '://') === false &&
+		substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9]+?\.php/i', $url) )
+		$url = 'http://' . $url;
+	
 	$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&#038;$1', $url);
 	if ( !is_array($protocols) )
 		$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'); 
Index: wp-includes/author-template.php
===================================================================
--- wp-includes/author-template.php	(.../2.1)	(revision 5900)
+++ wp-includes/author-template.php	(.../2.1.3)	(revision 5900)
@@ -144,7 +144,7 @@
 
 function get_author_posts_url($author_id, $author_nicename = '') {
 	global $wpdb, $wp_rewrite, $post, $cache_userdata;
-	$auth_ID = $author_id;
+	$auth_ID = (int) $author_id;
 	$link = $wp_rewrite->get_author_permastruct();
 
 	if ( empty($link) ) {
Index: wp-includes/category.php
===================================================================
--- wp-includes/category.php	(.../2.1)	(revision 5900)
+++ wp-includes/category.php	(.../2.1.3)	(revision 5900)
@@ -33,7 +33,7 @@
 	$key = md5( serialize( $r ) );
 	if ( $cache = wp_cache_get( 'get_categories', 'category' ) )
 		if ( isset( $cache[ $key ] ) )
-			return $cache[ $key ];
+			return apply_filters('get_categories', $cache[$key], $r);
 
 	$where = 'cat_ID > 0';
 	$inclusions = '';
@@ -146,6 +146,7 @@
 		wp_cache_add($category->cat_ID, $category, 'category');
 		$_category = $category;
 	} else {
+		$category = (int) $category;
 		if ( ! $_category = wp_cache_get($category, 'category') ) {
 			$_category = $wpdb->get_row("SELECT * FROM $wpdb->categories WHERE cat_ID = '$category' LIMIT 1");
 			wp_cache_set($category, $_category, 'category');
Index: wp-includes/post.php
===================================================================
--- wp-includes/post.php	(.../2.1)	(revision 5900)
+++ wp-includes/post.php	(.../2.1.3)	(revision 5900)
@@ -74,16 +74,16 @@
 // get extended entry info (<!--more-->)
 function get_extended($post) {
 	//Match the new style more links
-	if (preg_match('/<!--more(.+?)?-->/', $post, $matches)) {
-		list($main,$extended) = explode($matches[0],$post,2);
+	if ( preg_match('/<!--more(.*?)-->/', $post, $matches) ) {
+		list($main, $extended) = explode($matches[0], $post, 2);
 	} else {
 		$main = $post;
 		$extended = '';
 	}
 	
 	// Strip leading and trailing whitespace
-	$main = preg_replace('/^[\s]*(.*)[\s]*$/','\\1',$main);
-	$extended = preg_replace('/^[\s]*(.*)[\s]*$/','\\1',$extended);
+	$main = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $main);
+	$extended = preg_replace('/^[\s]*(.*)[\s]*$/', '\\1', $extended);
 
 	return array('main' => $main, 'extended' => $extended);
 }
@@ -105,6 +105,7 @@
 			$post_cache[$blog_id][$post->ID] = &$post;
 		$_post = & $post_cache[$blog_id][$post->ID];
 	} else {
+		$post = (int) $post;
 		if ( $_post = wp_cache_get($post, 'pages') )
 			return get_page($_post, $output);
 		elseif ( isset($post_cache[$blog_id][$post]) )
@@ -374,7 +375,7 @@
 	global $id, $post_meta_cache, $wpdb, $blog_id;
 
 	if ( !$post_id )
-		$post_id = $id;
+		$post_id = (int) $id;
 
 	$post_id = (int) $post_id;
 
@@ -446,6 +447,8 @@
 }
 
 function wp_get_post_categories($post_id = 0) {
+	$post_id = (int) $post_id;
+
 	$cats = &get_the_category($post_id);
 	$cat_ids = array();
 	foreach ( $cats as $cat )
@@ -457,6 +460,7 @@
 	global $wpdb;
 
 	// Set the limit clause, if we got a limit
+	$num = (int) $num;
 	if ($num) {
 		$limit = "LIMIT $num";
 	}
@@ -470,6 +474,8 @@
 function wp_get_single_post($postid = 0, $mode = OBJECT) {
 	global $wpdb;
 
+	$postid = (int) $postid;
+
 	$post = get_post($postid, $mode);
 
 	// Set categories
@@ -533,7 +539,7 @@
 
 	// Get the post ID.
 	if ( $update )
-		$post_ID = $ID;
+		$post_ID = (int) $ID;
 
 	// Create a valid post name.  Drafts are allowed to have an empty
 	// post name.
@@ -637,7 +643,7 @@
 			(post_author, post_date, post_date_gmt, post_content, post_content_filtered, post_title, post_excerpt,  post_status, post_type, comment_status, ping_status, post_password, post_name, to_ping, pinged, post_modified, post_modified_gmt, post_parent, menu_order, post_mime_type)
 			VALUES
 			('$post_author', '$post_date', '$post_date_gmt', '$post_content', '$post_content_filtered', '$post_title', '$post_excerpt', '$post_status', '$post_type', '$comment_status', '$ping_status', '$post_password', '$post_name', '$to_ping', '$pinged', '$post_date', '$post_date_gmt', '$post_parent', '$menu_order', '$post_mime_type')");
-			$post_ID = $wpdb->insert_id;
+			$post_ID = (int) $wpdb->insert_id;
 	}
 
 	if ( empty($post_name) && 'draft' != $post_status ) {
@@ -763,6 +769,8 @@
 
 function wp_set_post_categories($post_ID = 0, $post_categories = array()) {
 	global $wpdb;
+
+	$post_ID = (int) $post_ID;
 	// If $post_categories isn't already an array, make it one:
 	if (!is_array($post_categories) || 0 == count($post_categories) || empty($post_categories))
 		$post_categories = array(get_option('default_category'));
@@ -773,7 +781,7 @@
 	$old_categories = $wpdb->get_col("
 		SELECT category_id
 		FROM $wpdb->post2cat
-		WHERE post_id = $post_ID");
+		WHERE post_id = '$post_ID'");
 
 	if (!$old_categories) {
 		$old_categories = array();
@@ -788,8 +796,8 @@
 		foreach ($delete_cats as $del) {
 			$wpdb->query("
 				DELETE FROM $wpdb->post2cat
-				WHERE category_id = $del
-					AND post_id = $post_ID
+				WHERE category_id = '$del'
+					AND post_id = '$post_ID'
 				");
 		}
 	}
@@ -799,10 +807,11 @@
 
 	if ($add_cats) {
 		foreach ($add_cats as $new_cat) {
+			$new_cat = (int) $new_cat;
 			if ( !empty($new_cat) )
 				$wpdb->query("
 					INSERT INTO $wpdb->post2cat (post_id, category_id) 
-					VALUES ($post_ID, $new_cat)");
+					VALUES ('$post_ID', '$new_cat')");
 		}
 	}
 
@@ -928,6 +937,7 @@
 		wp_cache_add($page->ID, $page, 'pages');
 		$_page = $page;
 	} else {
+		$page = (int) $page;
 		// first, check the cache
 		if ( ! ( $_page = wp_cache_get($page, 'pages') ) ) {
 			// not in the page cache?
@@ -1244,7 +1254,7 @@
 	$update = false;
 	if ( !empty($ID) ) {
 		$update = true;
-		$post_ID = $ID;
+		$post_ID = (int) $ID;
 	}
 
 	// Create a valid post name.
@@ -1339,7 +1349,7 @@
 			(post_author, post_date, post_date_gmt, post_content, post_content_filtered, post_title, post_excerpt,  post_status, post_type, comment_status, ping_status, post_password, post_name, to_ping, pinged, post_modified, post_modified_gmt, post_parent, menu_order, post_mime_type, guid)
 			VALUES
 			('$post_author', '$post_date', '$post_date_gmt', '$post_content', '$post_content_filtered', '$post_title', '$post_excerpt', '$post_status', '$post_type', '$comment_status', '$ping_status', '$post_password', '$post_name', '$to_ping', '$pinged', '$post_date', '$post_date_gmt', '$post_parent', '$menu_order', '$post_mime_type', '$guid')");
-			$post_ID = $wpdb->insert_id;
+			$post_ID = (int) $wpdb->insert_id;
 	}
 
 	if ( empty($post_name) ) {
@@ -1494,7 +1504,7 @@
 		$mime = (int) $mime;
 		if ( !$post =& get_post( $mime ) )
 			return false;
-		$post_id = $post->ID;
+		$post_id = (int) $post->ID;
 		$mime = $post->post_mime_type;
 	}
 
Index: wp-includes/version.php
===================================================================
--- wp-includes/version.php	(.../2.1)	(revision 5900)
+++ wp-includes/version.php	(.../2.1.3)	(revision 5900)
@@ -2,7 +2,7 @@
 
 // This holds the version number in a separate file so we can bump it without cluttering the SVN
 
-$wp_version = '2.1';
-$wp_db_version = 4772;
+$wp_version = '2.1.3';
+$wp_db_version = 4773;
 
 ?>
Index: wp-includes/js/scriptaculous/wp-scriptaculous.js
===================================================================
--- wp-includes/js/scriptaculous/wp-scriptaculous.js	(.../2.1)	(revision 0)
+++ wp-includes/js/scriptaculous/wp-scriptaculous.js	(.../2.1.3)	(revision 5900)
@@ -0,0 +1,40 @@
+// Copyright (c) 2005 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
+// 
+// Permission is hereby granted, free of charge, to any person obtaining
+// a copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to
+// permit persons to whom the Software is furnished to do so, subject to
+// the following conditions:
+// 
+// The above copyright notice and this permission notice shall be
+// included in all copies or substantial portions of the Software.
+
+var Scriptaculous = {
+  Version: '1.6.1',
+  require: function(libraryName) {
+    // inserting via DOM fails in Safari 2.0, so brute force approach
+    document.write('<script type="text/javascript" src="'+libraryName+'"></script>');
+  },
+  load: function() {
+    if((typeof Prototype=='undefined') || 
+       (typeof Element == 'undefined') || 
+       (typeof Element.Methods=='undefined') ||
+       parseFloat(Prototype.Version.split(".")[0] + "." +
+                  Prototype.Version.split(".")[1]) < 1.5)
+       throw("script.aculo.us requires the Prototype JavaScript framework >= 1.5.0");
+    
+    $A(document.getElementsByTagName("script")).findAll( function(s) {
+      return (s.src && s.src.match(/scriptaculous\.js(\?.*)?$/))
+    }).each( function(s) {
+      var path = s.src.replace(/scriptaculous\.js(\?.*)?$/,'');
+      var includes = s.src.match(/\?.*load=([a-z,]*)/);
+      if ( includes )
+       includes[1].split(',').each(
+       function(include) { Scriptaculous.require(path+include+'.js') });
+    });
+  }
+}
+
+Scriptaculous.load();
Index: wp-includes/js/tinymce/tiny_mce_config.php
===================================================================
--- wp-includes/js/tinymce/tiny_mce_config.php	(.../2.1)	(revision 5900)
+++ wp-includes/js/tinymce/tiny_mce_config.php	(.../2.1.3)	(revision 5900)
@@ -1,5 +1,6 @@
 <?php
 	@ require('../../../wp-config.php');
+	cache_javascript_headers();
 
 	function wp_translate_tinymce_lang($text) {
 		if ( ! function_exists('__') ) {
@@ -43,7 +44,7 @@
 	$mce_popups_css = get_option('siteurl') . '/wp-includes/js/tinymce/plugins/wordpress/popups.css';
 	$mce_css = get_option('siteurl') . '/wp-includes/js/tinymce/plugins/wordpress/wordpress.css';
 	$mce_css = apply_filters('mce_css', $mce_css);
-	if ( $_SERVER['HTTPS'] ) {
+	if ( $_SERVER['HTTPS'] == 'on' ) {
 		$mce_css = str_replace('http://', 'https://', $mce_css);
 		$mce_popups_css = str_replace('http://', 'https://', $mce_popups_css);
 	}
@@ -73,6 +74,7 @@
 	convert_newlines_to_brs : false,
 	remove_linebreaks : false,
 	fix_list_elements : true,
+	gecko_spellcheck : true,
 	entities : "38,amp,60,lt,62,gt",
 	content_css : "<?php echo $mce_css; ?>",
 	valid_elements : "<?php echo $valid_elements; ?>",
Index: wp-includes/js/tinymce/wp-mce-help.php
===================================================================
--- wp-includes/js/tinymce/wp-mce-help.php	(.../2.1)	(revision 5900)
+++ wp-includes/js/tinymce/wp-mce-help.php	(.../2.1.3)	(revision 5900)
@@ -1,4 +1,6 @@
-<?php require_once('../../../wp-config.php'); ?>
+<?php require_once('../../../wp-config.php');
+header('Content-Type: text/html; charset=' . get_bloginfo('charset'));
+?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
 <head>
Index: wp-includes/js/tinymce/tiny_mce_gzip.php
===================================================================
--- wp-includes/js/tinymce/tiny_mce_gzip.php	(.../2.1)	(revision 5900)
+++ wp-includes/js/tinymce/tiny_mce_gzip.php	(.../2.1.3)	(revision 5900)
@@ -6,7 +6,7 @@
  *
  * @version 1.08
  * @author Moxiecode
- * @copyright Copyright © 2005-2006, Moxiecode Systems AB, All rights reserved.
+ * @copyright Copyright  2005-2006, Moxiecode Systems AB, All rights reserved.
  *
  * This file compresses the TinyMCE JavaScript using GZip and
  * enables the browser to do two requests instead of one for each .js file.
@@ -82,7 +82,7 @@
 $debug = false;							// Enable this option if you need debuging info
 
 // Headers
-header("Content-type: text/javascript; charset: UTF-8");
+header("Content-Type: text/javascript; charset=" . get_bloginfo('charset'));
 // header("Cache-Control: must-revalidate");
 header("Vary: Accept-Encoding"); // Handle proxies
 header("Expires: " . gmdate("D, d M Y H:i:s", time() + $expiresOffset) . " GMT");
Index: wp-includes/general-template.php
===================================================================
--- wp-includes/general-template.php	(.../2.1)	(revision 5900)
+++ wp-includes/general-template.php	(.../2.1.3)	(revision 5900)
@@ -147,8 +147,7 @@
 
 
 function wp_title($sep = '&raquo;', $display = true) {
-	global $wpdb;
-	global $m, $year, $monthnum, $day, $category_name, $wp_locale, $posts;
+	global $wpdb, $wp_locale, $wp_query;
 
 	$cat = get_query_var('cat');
 	$p = get_query_var('p');
@@ -156,6 +155,10 @@
 	$category_name = get_query_var('category_name');
 	$author = get_query_var('author');
 	$author_name = get_query_var('author_name');
+	$m = (int) get_query_var('m');
+	$year = (int) get_query_var('year');
+	$monthnum = (int)get_query_var('monthnum');
+	$day = (int) get_query_var('day');
 	$title = '';
 
 	// If there's a category
@@ -196,14 +199,15 @@
 	if ( !empty($year) ) {
 		$title = $year;
 		if ( !empty($monthnum) )
-			$title .= " $sep ".$wp_locale->get_month($monthnum);
+			$title .= " $sep " . $wp_locale->get_month($monthnum);
 		if ( !empty($day) )
-			$title .= " $sep ".zeroise($day, 2);
+			$title .= " $sep " . zeroise($day, 2);
 	}
 
 	// If there is a post
 	if ( is_single() || is_page() ) {
-		$title = strip_tags($posts[0]->post_title);
+		$queried = $wp_query->get_queried_object();
+		$title = strip_tags($queried->post_title);
 		$title = apply_filters('single_post_title', $title);
 	}
 
@@ -256,7 +260,12 @@
 
 
 function single_month_title($prefix = '', $display = true ) {
-	global $m, $monthnum, $wp_locale, $year;
+	global $wp_locale;
+
+	$m = (int) get_query_var('m');
+	$year = (int) get_query_var('year');
+	$monthnum = (int) get_query_var('monthnum');
+
 	if ( !empty($monthnum) && !empty($year) ) {
 		$my_year = $year;
 		$my_month = $wp_locale->get_month($monthnum);
@@ -280,6 +289,7 @@
 function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
 	$text = wptexturize($text);
 	$title_text = attribute_escape($text);
+	$url = clean_url($url);
 
 	if ('link' == $format)
 		return "\t<link rel='archives' title='$title_text' href='$url' />\n";
@@ -962,7 +972,7 @@
 		$link = str_replace('%#%', $current - 1, $link);
 		if ( $add_args )
 			$link = add_query_arg( $add_args, $link );
-		$page_links[] = "<a class='prev page-numbers' href='" . attribute_escape($link) . "'>$prev_text</a>";
+		$page_links[] = "<a class='prev page-numbers' href='" . clean_url($link) . "'>$prev_text</a>";
 	endif;
 	for ( $n = 1; $n <= $total; $n++ ) :
 		if ( $n == $current ) :
@@ -974,7 +984,7 @@
 				$link = str_replace('%#%', $n, $link);
 				if ( $add_args )
 					$link = add_query_arg( $add_args, $link );
-				$page_links[] = "<a class='page-numbers' href='" . attribute_escape($link) . "'>$n</a>";
+				$page_links[] = "<a class='page-numbers' href='" . clean_url($link) . "'>$n</a>";
 				$dots = true;
 			elseif ( $dots && !$show_all ) :
 				$page_links[] = "<span class='page-numbers dots'>...</span>";
@@ -987,7 +997,7 @@
 		$link = str_replace('%#%', $current + 1, $link);
 		if ( $add_args )
 			$link = add_query_arg( $add_args, $link );
-		$page_links[] = "<a class='next page-numbers' href='" . attribute_escape($link) . "'>$next_text</a>";
+		$page_links[] = "<a class='next page-numbers' href='" . clean_url($link) . "'>$next_text</a>";
 	endif;
 	switch ( $type ) :
 		case 'array' :
Index: wp-includes/capabilities.php
===================================================================
--- wp-includes/capabilities.php	(.../2.1)	(revision 5900)
+++ wp-includes/capabilities.php	(.../2.1.3)	(revision 5900)
@@ -55,7 +55,7 @@
 		unset($this->role_objects[$role]);
 		unset($this->role_names[$role]);
 		unset($this->roles[$role]);
-		
+
 		if ( $this->use_db )
 			update_option($this->role_key, $this->roles);
 	}
@@ -427,7 +427,7 @@
 		}
 
 		$author_data = get_userdata($user_id);
-		$page_author_data = get_userdata($post->post_author);
+		$page_author_data = get_userdata($page->post_author);
 		if ($user_id == $page_author_data->ID)
 			$caps[] = 'read';
 		else
Index: wp-includes/classes.php
===================================================================
--- wp-includes/classes.php	(.../2.1)	(revision 5900)
+++ wp-includes/classes.php	(.../2.1.3)	(revision 5900)
@@ -148,6 +148,9 @@
 				$this->query_vars[$wpvar] = $_GET[$wpvar];
 			elseif (!empty($perma_query_vars[$wpvar]))
 				$this->query_vars[$wpvar] = $perma_query_vars[$wpvar];
+
+			if ( !empty( $this->query_vars[$wpvar] ) )
+				$this->query_vars[$wpvar] = (string) $this->query_vars[$wpvar];
 		}
 
 		foreach ($this->private_query_vars as $var) {
Index: wp-includes/cron.php
===================================================================
--- wp-includes/cron.php	(.../2.1)	(revision 5900)
+++ wp-includes/cron.php	(.../2.1.3)	(revision 5900)
@@ -93,6 +93,10 @@
 }
 
 function wp_cron() {
+	// Prevent infinite loops caused by lack of wp-cron.php
+	if ( strpos($_SERVER['REQUEST_URI'], '/wp-cron.php') !== false )
+		return;
+
 	$crons = _get_cron_array();
 	
 	if ( !is_array($crons) )
Index: wp-includes/pluggable.php
===================================================================
--- wp-includes/pluggable.php	(.../2.1)	(revision 5900)
+++ wp-includes/pluggable.php	(.../2.1.3)	(revision 5900)
@@ -473,7 +473,7 @@
 if ( !function_exists('wp_verify_nonce') ) :
 function wp_verify_nonce($nonce, $action = -1) {
 	$user = wp_get_current_user();
-	$uid = $user->id;
+	$uid = (int) $user->id;
 
 	$i = ceil(time() / 43200);
 
@@ -487,7 +487,7 @@
 if ( !function_exists('wp_create_nonce') ) :
 function wp_create_nonce($action = -1) {
 	$user = wp_get_current_user();
-	$uid = $user->id;
+	$uid = (int) $user->id;
 
 	$i = ceil(time() / 43200);
 
Index: wp-includes/comment.php
===================================================================
--- wp-includes/comment.php	(.../2.1)	(revision 5900)
+++ wp-includes/comment.php	(.../2.1.3)	(revision 5900)
@@ -81,6 +81,7 @@
 			$comment_cache[$comment->comment_ID] = &$comment;
 		$_comment = & $comment_cache[$comment->comment_ID];
 	} else {
+		$comment = (int) $comment;
 		if ( !isset($comment_cache[$comment]) ) {
 			$_comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment' LIMIT 1");
 			$comment_cache[$comment->comment_ID] = & $_comment;
@@ -169,7 +170,7 @@
 	if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
 		$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
 		$comment_author_url = stripslashes($comment_author_url);
-		$comment_author_url = attribute_escape($comment_author_url);
+		$comment_author_url = clean_url($comment_author_url);
 		$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
 	}
 }
@@ -345,7 +346,7 @@
 	('$comment_post_ID', '$comment_author', '$comment_author_email', '$comment_author_url', '$comment_author_IP', '$comment_date', '$comment_date_gmt', '$comment_content', '$comment_approved', '$comment_agent', '$comment_type', '$comment_parent', '$user_id')
 	");
 
-	$id = $wpdb->insert_id;
+	$id = (int) $wpdb->insert_id;
 
 	if ( $comment_approved == 1)
 		wp_update_comment_count($comment_post_ID);
Index: wp-includes/theme.php
===================================================================
--- wp-includes/theme.php	(.../2.1)	(revision 5900)
+++ wp-includes/theme.php	(.../2.1.3)	(revision 5900)
@@ -345,7 +345,7 @@
 function get_page_template() {
 	global $wp_query;
 
-	$id = $wp_query->post->ID;
+	$id = (int) $wp_query->post->ID;
 	$template = get_post_meta($id, '_wp_page_template', true);
 
 	if ( 'default' == $template )
Index: wp-includes/feed.php
===================================================================
--- wp-includes/feed.php	(.../2.1)	(revision 5900)
+++ wp-includes/feed.php	(.../2.1.3)	(revision 5900)
@@ -108,7 +108,7 @@
 
 
 function get_author_rss_link($echo = false, $author_id, $author_nicename) {
-	$auth_ID = $author_id;
+	$auth_ID = (int) $author_id;
 	$permalink_structure = get_option('permalink_structure');
 
 	if ( '' == $permalink_structure ) {
Index: wp-includes/rss.php
===================================================================
--- wp-includes/rss.php	(.../2.1)	(revision 5900)
+++ wp-includes/rss.php	(.../2.1.3)	(revision 5900)
@@ -782,13 +782,13 @@
 
 	if ( preg_match( $pat, $date_str, $match ) ) {
 		list( $year, $month, $day, $hours, $minutes, $seconds) =
-			array( $match[1], $match[2], $match[3], $match[4], $match[5], $match[6]);
+			array( $match[1], $match[2], $match[3], $match[4], $match[5], $match[7]);
 
 		# calc epoch for current date assuming GMT
 		$epoch = gmmktime( $hours, $minutes, $seconds, $month, $day, $year);
 
 		$offset = 0;
-		if ( $match[10] == 'Z' ) {
+		if ( $match[11] == 'Z' ) {
 			# zulu time, aka GMT
 		}
 		else {
Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php	(.../2.1)	(revision 5900)
+++ wp-includes/functions.php	(.../2.1.3)	(revision 5900)
@@ -566,7 +566,7 @@
 	$post_id_array = (array) explode(',', $post_ids);
 	$count = count( $post_id_array);
 	for ( $i = 0; $i < $count; $i++ ) {
-		$post_id = $post_id_array[ $i ];
+		$post_id = (int) $post_id_array[ $i ];
 		if ( isset( $category_cache[$blog_id][$post_id] ) ) {
 			unset( $post_id_array[ $i ] );
 			continue;
@@ -620,7 +620,7 @@
 	$post_id_array = (array) explode(',', $post_id_list);
 	$count = count( $post_id_array);
 	for ( $i = 0; $i < $count; $i++ ) {
-		$post_id = $post_id_array[ $i ];
+		$post_id = (int) $post_id_array[ $i ];
 		if ( isset( $post_meta_cache[$blog_id][$post_id] ) ) { // If the meta is already cached
 			unset( $post_id_array[ $i ] );
 			continue;
@@ -920,9 +920,11 @@
 	return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl));
 }
 
-function wp_nonce_field($action = -1) {
-	echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
-	wp_referer_field();
+function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) {
+	$name = attribute_escape($name);
+	echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />';
+	if ( $referer )
+		wp_referer_field();
 }
 
 function wp_referer_field() {
@@ -1190,7 +1192,7 @@
 
 	$adminurl = get_option('siteurl') . '/wp-admin';
 	if ( wp_get_referer() )
-		$adminurl = wp_get_referer();
+		$adminurl = clean_url(wp_get_referer());
 
 	$title = __('WordPress Confirmation');
 	// Remove extra layer of slashes.
@@ -1198,16 +1200,16 @@
 	if ( $_POST ) {
 		$q = http_build_query($_POST);
 		$q = explode( ini_get('arg_separator.output'), $q);
-		$html .= "\t<form method='post' action='$pagenow'>\n";
+		$html .= "\t<form method='post' action='" . attribute_escape($pagenow) . "'>\n";
 		foreach ( (array) $q as $a ) {
 			$v = substr(strstr($a, '='), 1);
 			$k = substr($a, 0, -(strlen($v)+1));
 			$html .= "\t\t<input type='hidden' name='" . attribute_escape(urldecode($k)) . "' value='" . attribute_escape(urldecode($v)) . "' />\n";
 		}
 		$html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
-		$html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_explain_nonce($action) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
+		$html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
 	} else {
-		$html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_explain_nonce($action) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
+		$html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . clean_url(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
 	}
 	$html .= "</body>\n</html>";
 	wp_die($html, $title);
Index: wp-includes/script-loader.php
===================================================================
--- wp-includes/script-loader.php	(.../2.1)	(revision 5900)
+++ wp-includes/script-loader.php	(.../2.1.3)	(revision 5900)
@@ -17,7 +17,7 @@
 		$this->add( 'colorpicker', '/wp-includes/js/colorpicker.js', false, '3517' );
 		$this->add( 'tiny_mce', '/wp-includes/js/tinymce/tiny_mce_gzip.php', false, '20061113' );
 		$mce_config = apply_filters('tiny_mce_config_url', '/wp-includes/js/tinymce/tiny_mce_config.php');
-		$this->add( 'wp_tiny_mce', $mce_config, array('tiny_mce'), '20061113' );
+		$this->add( 'wp_tiny_mce', $mce_config, array('tiny_mce'), '20070225' );
 		$this->add( 'prototype', '/wp-includes/js/prototype.js', false, '1.5.0');
 		$this->add( 'autosave', '/wp-includes/js/autosave-js.php', array('prototype', 'sack'), '20070116');
 		$this->add( 'wp-ajax', '/wp-includes/js/wp-ajax-js.php', array('prototype'), '20070118');
@@ -78,7 +78,7 @@
 					if ( isset($this->args[$handle]) )
 						$ver .= '&amp;' . $this->args[$handle];
 					$src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
-					$src = add_query_arg('ver', $ver, $src);
+					$src = clean_url(add_query_arg('ver', $ver, $src));
 					echo "<script type='text/javascript' src='$src'></script>\n";
 				}
 				$this->printed[] = $handle;
Index: wp-includes/registration.php
===================================================================
--- wp-includes/registration.php	(.../2.1)	(revision 5900)
+++ wp-includes/registration.php	(.../2.1.3)	(revision 5900)
@@ -89,7 +89,7 @@
 		$query = "UPDATE $wpdb->users SET user_pass='$user_pass', user_email='$user_email', user_url='$user_url', user_nicename = '$user_nicename', display_name = '$display_name' WHERE ID = '$ID'";
 		$query = apply_filters('update_user_query', $query);
 		$wpdb->query( $query );
-		$user_id = $ID;
+		$user_id = (int) $ID;
 	} else {
 		$query = "INSERT INTO $wpdb->users
 		(user_login, user_pass, user_email, user_url, user_registered, user_nicename, display_name)
@@ -97,7 +97,7 @@
 		('$user_login', '$user_pass', '$user_email', '$user_url', '$user_registered', '$user_nicename', '$display_name')";
 		$query = apply_filters('create_user_query', $query);
 		$wpdb->query( $query );
-		$user_id = $wpdb->insert_id;
+		$user_id = (int) $wpdb->insert_id;
 	}
 
 	update_usermeta( $user_id, 'first_name', $first_name);
Index: wp-includes/comment-template.php
===================================================================
--- wp-includes/comment-template.php	(.../2.1)	(revision 5900)
+++ wp-includes/comment-template.php	(.../2.1.3)	(revision 5900)
@@ -150,7 +150,7 @@
 	$post_id = (int) $post_id;
 
 	if ( !$post_id )
-		$post_id = $id;
+		$post_id = (int) $id;
 
 	$post = get_post($post_id);
 	if ( ! isset($post->comment_count) )
@@ -271,6 +271,12 @@
 		return false;
 }
 
+function wp_comment_form_unfiltered_html_nonce() {
+	global $post;
+	if ( current_user_can('unfiltered_html') )
+		wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);
+}
+
 function comments_template( $file = '/comments.php' ) {
 	global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity;
 
Index: wp-includes/bookmark-template.php
===================================================================
--- wp-includes/bookmark-template.php	(.../2.1)	(revision 5900)
+++ wp-includes/bookmark-template.php	(.../2.1.3)	(revision 5900)
@@ -96,7 +96,7 @@
 			$output .= get_option('links_recently_updated_prepend');
 		$the_link = '#';
 		if ( !empty($row->link_url) )
-			$the_link = wp_specialchars($row->link_url);
+			$the_link = clean_url($row->link_url);
 		$rel = $row->link_rel;
 		if ( '' != $rel )
 			$rel = ' rel="' . $rel . '"';
@@ -165,7 +165,7 @@
 	if ( empty($cats) || ! is_array($cats) )
 		return '';
 
-	$cat_id = $cats[0]; // Take the first cat.
+	$cat_id = (int) $cats[0]; // Take the first cat.
 
 	$cat = get_category($cat_id);
 	return $cat->cat_name;
@@ -260,7 +260,7 @@
 
 		$the_link = '#';
 		if ( !empty($bookmark->link_url) )
-			$the_link = wp_specialchars($bookmark->link_url);
+			$the_link = clean_url($bookmark->link_url);
 
 		$rel = $bookmark->link_rel;
 		if ( '' != $rel )
@@ -344,10 +344,14 @@
 		$bookmarks = get_bookmarks("limit=$limit&category=$category&show_updated=$show_updated&orderby=$orderby&order=$order&hide_invisible=$hide_invisible&show_updated=$show_updated");
 		
 		if ( !empty($bookmarks) ) {
-			$output .= str_replace(array('%id', '%class'), array("linkuncat", $class), $category_before);
-			$output .= "$title_before$title_li$title_after\n\t<ul>\n";
-			$output .= _walk_bookmarks($bookmarks, $r);
-			$output .= "\n\t</ul>\n$category_after\n";
+			if ( !empty( $title_li ) ){
+				$output .= str_replace(array('%id', '%class'), array("linkcat-$category", $class), $category_before);
+				$output .= "$title_before$title_li$title_after\n\t<ul>\n";
+				$output .= _walk_bookmarks($bookmarks, $r);
+				$output .= "\n\t</ul>\n$category_after\n";
+			} else {
+				$output .= _walk_bookmarks($bookmarks, $r);
+			}
 		}
 	}
 
Index: wp-includes/user.php
===================================================================
--- wp-includes/user.php	(.../2.1)	(revision 5900)
+++ wp-includes/user.php	(.../2.1.3)	(revision 5900)
@@ -9,6 +9,7 @@
 
 function get_usernumposts($userid) {
 	global $wpdb;
+	$userid = (int) $userid;
 	return $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->posts WHERE post_author = '$userid' AND post_type = 'post' AND post_status = 'publish'");
 }
 
@@ -160,8 +161,8 @@
 
 	$userdata = $user->data;
 	$user_login	= $user->user_login;
-	$user_level	= $user->user_level;
-	$user_ID	= $user->ID;
+	$user_level	= (int) $user->user_level;
+	$user_ID	= (int) $user->ID;
 	$user_email	= $user->user_email;
 	$user_url	= $user->user_url;
 	$user_pass_md5	= md5($user->user_pass);
Index: wp-includes/category-template.php
===================================================================
--- wp-includes/category-template.php	(.../2.1)	(revision 5900)
+++ wp-includes/category-template.php	(.../2.1.3)	(revision 5900)
@@ -62,8 +62,9 @@
 function get_the_category($id = false) {
 global $post, $category_cache, $blog_id;
 
+	$id = (int) $id;
 	if ( !$id )
-		$id = $post->ID;
+		$id = (int) $post->ID;
 
 	if ( !isset($category_cache[$blog_id][$id]) )
 		update_post_category_cache($id);
Index: xmlrpc.php
===================================================================
--- xmlrpc.php	(.../2.1)	(revision 5900)
+++ xmlrpc.php	(.../2.1.3)	(revision 5900)
@@ -209,7 +209,7 @@
 
 		$this->escape($args);
 
-		$post_ID    = $args[1];
+		$post_ID    = (int) $args[1];
 		$user_login = $args[2];
 		$user_pass  = $args[3];
 
@@ -244,7 +244,7 @@
 
 		$this->escape($args);
 
-		$blog_ID    = $args[1]; /* though we don't use it yet */
+		$blog_ID    = (int) $args[1]; /* though we don't use it yet */
 		$user_login = $args[2];
 		$user_pass  = $args[3];
 		$num_posts  = $args[4];
@@ -292,7 +292,7 @@
 
 		$this->escape($args);
 
-	  $blog_ID    = $args[1];
+	  $blog_ID    = (int) $args[1];
 	  $user_login = $args[2];
 	  $user_pass  = $args[3];
 	  $template   = $args[4]; /* could be 'main' or 'archiveIndex', but we don't use it */
@@ -326,7 +326,7 @@
 
 		$this->escape($args);
 
-	  $blog_ID    = $args[1];
+	  $blog_ID    = (int) $args[1];
 	  $user_login = $args[2];
 	  $user_pass  = $args[3];
 	  $content    = $args[4];
@@ -363,7 +363,7 @@
 
 		$this->escape($args);
 
-	  $blog_ID    = $args[1]; /* though we don't use it yet */
+	  $blog_ID    = (int) $args[1]; /* though we don't use it yet */
 	  $user_login = $args[2];
 	  $user_pass  = $args[3];
 	  $content    = $args[4];
@@ -411,7 +411,7 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[1];
+	  $post_ID     = (int) $args[1];
 	  $user_login  = $args[2];
 	  $user_pass   = $args[3];
 	  $content     = $args[4];
@@ -435,6 +435,9 @@
 
 	  extract($actual_post);
 
+	  if ( ('publish' == $post_status) && !current_user_can('publish_posts') )
+	  	return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.');
+
 	  $post_title = xmlrpc_getposttitle($content);
 	  $post_category = xmlrpc_getpostcategory($content);
 	  $post_content = xmlrpc_removepostdata($content);
@@ -459,7 +462,7 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[1];
+	  $post_ID     = (int) $args[1];
 	  $user_login  = $args[2];
 	  $user_pass   = $args[3];
 	  $publish     = $args[4];
@@ -500,7 +503,7 @@
 
 		$this->escape($args);
 
-	  $blog_ID     = $args[0]; // we will support this in the near future
+	  $blog_ID     = (int) $args[0]; // we will support this in the near future
 	  $user_login  = $args[1];
 	  $user_pass   = $args[2];
 	  $content_struct = $args[3];
@@ -535,7 +538,9 @@
 	    $post_content = $post_content . "\n<!--more-->\n" . $post_more;
 	  }
 
-		$to_ping = $content_struct['mt_tb_ping_urls'];
+	  $to_ping = $content_struct['mt_tb_ping_urls'];
+	  if ( is_array($to_ping) )
+	  	$to_ping = implode(' ', $to_ping);
 
 	  // Do some timestamp voodoo
 	  $dateCreatedd = $content_struct['dateCreated'];
@@ -595,7 +600,7 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[0];
+	  $post_ID     = (int) $args[0];
 	  $user_login  = $args[1];
 	  $user_pass   = $args[2];
 	  $content_struct = $args[3];
@@ -629,12 +634,18 @@
 	  $post_more = $content_struct['mt_text_more'];
 	  $post_status = $publish ? 'publish' : 'draft';
 
+
+	  if ( ('publish' == $post_status) && !current_user_can('publish_posts') )
+	  	return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.');
+
 	  if ($post_more) {
 	    $post_content = $post_content . "\n<!--more-->\n" . $post_more;
 	  }
 
-		$to_ping = $content_struct['mt_tb_ping_urls'];
-
+	  $to_ping = $content_struct['mt_tb_ping_urls'];
+	  if ( is_array($to_ping) )
+	  	$to_ping = implode(' ', $to_ping);
+	  
 	  $comment_status = (empty($content_struct['mt_allow_comments'])) ?
 	    get_option('default_comment_status')
 	    : $content_struct['mt_allow_comments'];
@@ -676,7 +687,7 @@
 
 		$this->escape($args);
 
-	  $post_ID     = $args[0];
+	  $post_ID     = (int) $args[0];
 	  $user_login  = $args[1];
 	  $user_pass   = $args[2];
 
@@ -731,10 +742,10 @@
 
 		$this->escape($args);
 
-		$blog_ID     = $args[0];
+		$blog_ID     = (int) $args[0];
 		$user_login  = $args[1];
 		$user_pass   = $args[2];
-		$num_posts   = $args[3];
+		$num_posts   = (int) $args[3];
 
 		if (!$this->login_pass_ok($user_login, $user_pass)) {
 			return $this->error;
@@ -797,7 +808,7 @@
 
 		$this->escape($args);
 
-		$blog_ID     = $args[0];
+		$blog_ID     = (int) $args[0];
 		$user_login  = $args[1];
 		$user_pass   = $args[2];
 
@@ -831,7 +842,7 @@
 
 		global $wpdb;
 
-		$blog_ID     = $wpdb->escape($args[0]);
+		$blog_ID     = (int) $args[0];
 		$user_login  = $wpdb->escape($args[1]);
 		$user_pass   = $wpdb->escape($args[2]);
 		$data        = $args[3];
@@ -857,8 +868,9 @@
 
 		$upload = wp_upload_bits($name, $type, $bits);
 		if ( ! empty($upload['error']) ) {
-			logIO('O', '(MW) Could not write file '.$name);
-			return new IXR_Error(500, 'Could not write file '.$name);
+			$errorString = 'Could not write file ' . $name . ' (' . $upload['error'] . ')';
+			logIO('O', '(MW) ' . $errorString);
+			return new IXR_Error(500, $errorString);
 		}
 		// Construct the attachment array
 		// attach to post_id -1
@@ -888,10 +900,10 @@
 
 		$this->escape($args);
 
-		$blog_ID     = $args[0];
+		$blog_ID     = (int) $args[0];
 		$user_login  = $args[1];
 		$user_pass   = $args[2];
-		$num_posts   = $args[3];
+		$num_posts   = (int) $args[3];
 
 		if (!$this->login_pass_ok($user_login, $user_pass)) {
 			return $this->error;
@@ -933,7 +945,7 @@
 
 		$this->escape($args);
 
-		$blog_ID     = $args[0];
+		$blog_ID     = (int) $args[0];
 		$user_login  = $args[1];
 		$user_pass   = $args[2];
 
@@ -962,7 +974,7 @@
 
 		$this->escape($args);
 
-		$post_ID     = $args[0];
+		$post_ID     = (int) $args[0];
 		$user_login  = $args[1];
 		$user_pass   = $args[2];
 
@@ -977,7 +989,7 @@
 		foreach($catids as $catid) {
 			$categories[] = array(
 				'categoryName' => get_cat_name($catid),
-				'categoryId' => $catid,
+				'categoryId' => (string) $catid,
 				'isPrimary' => $isPrimary
 			);
 			$isPrimary = false;
@@ -992,7 +1004,7 @@
 
 		$this->escape($args);
 
-		$post_ID     = $args[0];
+		$post_ID     = (int) $args[0];
 		$user_login  = $args[1];
 		$user_pass   = $args[2];
 		$categories  = $args[3];
@@ -1075,7 +1087,7 @@
 
 		$this->escape($args);
 
-		$post_ID     = $args[0];
+		$post_ID     = (int) $args[0];
 		$user_login  = $args[1];
 		$user_pass   = $args[2];
 
@@ -1137,18 +1149,18 @@
 		} elseif (preg_match('#p/[0-9]{1,}#', $urltest['path'], $match)) {
 			// the path defines the post_ID (archives/p/XXXX)
 			$blah = explode('/', $match[0]);
-			$post_ID = $blah[1];
+			$post_ID = (int) $blah[1];
 			$way = 'from the path';
 		} elseif (preg_match('#p=[0-9]{1,}#', $urltest['query'], $match)) {
 			// the querystring defines the post_ID (?p=XXXX)
 			$blah = explode('=', $match[0]);
-			$post_ID = $blah[1];
+			$post_ID = (int) $blah[1];
 			$way = 'from the querystring';
 		} elseif (isset($urltest['fragment'])) {
 			// an #anchor is there, it's either...
 			if (intval($urltest['fragment'])) {
 				// ...an integer #XXXX (simpliest case)
-				$post_ID = $urltest['fragment'];
+				$post_ID = (int) $urltest['fragment'];
 				$way = 'from the fragment (numeric)';
 			} elseif (preg_match('/post-[0-9]+/',$urltest['fragment'])) {
 				// ...a post id in the form 'post-###'
Index: wp-trackback.php
===================================================================
--- wp-trackback.php	(.../2.1)	(revision 5900)
+++ wp-trackback.php	(.../2.1.3)	(revision 5900)
@@ -84,7 +84,7 @@
 		$title = (strlen($title) > 250) ? substr($title, 0, 250) . '...' : $title;
 	}
 
-	$comment_post_ID = $tb_id;
+	$comment_post_ID = (int) $tb_id;
 	$comment_author = $blog_name;
 	$comment_author_email = '';
 	$comment_author_url = $tb_url;
Index: wp-admin/edit-comments.php
===================================================================
--- wp-admin/edit-comments.php	(.../2.1)	(revision 5900)
+++ wp-admin/edit-comments.php	(.../2.1.3)	(revision 5900)
@@ -56,7 +56,7 @@
 	$i = 0;
 	foreach ($_POST['delete_comments'] as $comment) : // Check the permissions on each
 		$comment = (int) $comment;
-		$post_id = $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = $comment");
+		$post_id = (int) $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = $comment");
 		// $authordata = get_userdata( $wpdb->get_var("SELECT post_author FROM $wpdb->posts WHERE ID = $post_id") );
 		if ( current_user_can('edit_post', $post_id) ) {
 			if ( !empty( $_POST['spam_button'] ) )
@@ -101,7 +101,7 @@
 $r = '';
 if ( 1 < $page ) {
 	$args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-	$r .=  '<a class="prev" href="' . add_query_arg( $args ) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+	$r .=  '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
 	for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@@ -111,7 +111,7 @@
 			$p = false;
 			if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
 				$args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-				$r .= '<a class="page-numbers" href="' . add_query_arg($args) . '">' . ( $page_num ) . "</a>\n";
+				$r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
 				$in = true;
 			elseif ( $in == true ) :
 				$r .= "...\n";
@@ -122,7 +122,7 @@
 }
 if ( ( $page ) * 20 < $total || -1 == $total ) {
 	$args['apage'] = $page + 1;
-	$r .=  '<a class="next" href="' . add_query_arg($args) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+	$r .=  '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";
 ?>
@@ -248,7 +248,7 @@
 $r = '';
 if ( 1 < $page ) {
 	$args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-	$r .=  '<a class="prev" href="' . add_query_arg( $args ) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+	$r .=  '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
 	for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@@ -258,7 +258,7 @@
 			$p = false;
 			if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
 				$args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-				$r .= '<a class="page-numbers" href="' . add_query_arg($args) . '">' . ( $page_num ) . "</a>\n";
+				$r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
 				$in = true;
 			elseif ( $in == true ) :
 				$r .= "...\n";
@@ -269,7 +269,7 @@
 }
 if ( ( $page ) * 20 < $total || -1 == $total ) {
 	$args['apage'] = $page + 1;
-	$r .=  '<a class="next" href="' . add_query_arg($args) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+	$r .=  '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";
 ?>
Index: wp-admin/admin-ajax.php
===================================================================
--- wp-admin/admin-ajax.php	(.../2.1)	(revision 5900)
+++ wp-admin/admin-ajax.php	(.../2.1.3)	(revision 5900)
@@ -155,7 +155,7 @@
 	if ( !current_user_can( 'edit_post', $id ) )
 		die('-1');
 	if ( $id < 0 ) {
-		$now = current_time('timestamp');
+		$now = current_time('timestamp', 1);
 		if ( $pid = wp_insert_post( array(
 			'post_title' => sprintf('Draft created on %s at %s', date(get_option('date_format'), $now), date(get_option('time_format'), $now))
 		) ) )
@@ -231,7 +231,7 @@
 	if($_POST['post_ID'] < 0) {
 		$_POST['temp_ID'] = $_POST['post_ID'];
 		$id = wp_write_post();
-		if(is_wp_error($id))
+		if( is_wp_error($id) )
 			die($id->get_error_message());
 		else
 			die("$id");
Index: wp-admin/post.php
===================================================================
--- wp-admin/post.php	(.../2.1)	(revision 5900)
+++ wp-admin/post.php	(.../2.1.3)	(revision 5900)
@@ -69,7 +69,7 @@
 	?>
 	<div id='preview' class='wrap'>
 	<h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?></h2>
-		<iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+		<iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
 	</div>
 	<?php
 	break;
Index: wp-admin/admin-functions.php
===================================================================
--- wp-admin/admin-functions.php	(.../2.1)	(revision 5900)
+++ wp-admin/admin-functions.php	(.../2.1.3)	(revision 5900)
@@ -139,19 +139,19 @@
 
 	$post = & get_post( $post_ID, ARRAY_A );
 
-	$search = "#<a[^>]+rel=('|\" )[^'\"]*attachment[^>]*>#ie";
+	$search = "#<a[^>]+rel=('|\")[^'\"]*attachment[^>]*>#ie";
 
 	// See if we have any rel="attachment" links
 	if ( 0 == preg_match_all( $search, $post['post_content'], $anchor_matches, PREG_PATTERN_ORDER ) )
 		return;
 
 	$i = 0;
-	$search = "#[\s]+rel=(\"|' )(.*? )wp-att-(\d+ )\\1#i";
+	$search = "#[\s]+rel=(\"|')(.*?)wp-att-(\d+)\\1#i";
 	foreach ( $anchor_matches[0] as $anchor ) {
 		if ( 0 == preg_match( $search, $anchor, $id_matches ) )
 			continue;
 
-		$id = $id_matches[3];
+		$id = (int) $id_matches[3];
 
 		// While we have the attachment ID, let's adopt any orphans.
 		$attachment = & get_post( $id, ARRAY_A );
@@ -358,7 +358,7 @@
 	else if ( !empty( $post_title ) ) {
 		$text       = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
 		$text       = funky_javascript_fix( $text);
-		$popupurl   = attribute_escape($_REQUEST['popupurl']);
+		$popupurl   = clean_url($_REQUEST['popupurl']);
         $post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
     }
 
@@ -417,7 +417,7 @@
 	$user = new WP_User( $user_id );
 	$user->user_login   = attribute_escape($user->user_login);
 	$user->user_email   = attribute_escape($user->user_email);
-	$user->user_url     = attribute_escape($user->user_url);
+	$user->user_url     = clean_url($user->user_url);
 	$user->first_name   = attribute_escape($user->first_name);
 	$user->last_name    = attribute_escape($user->last_name);
 	$user->display_name = attribute_escape($user->display_name);
@@ -435,7 +435,7 @@
 function add_user() {
 	if ( func_num_args() ) { // The hackiest hack that ever did hack
 		global $current_user, $wp_roles;
-		$user_id = func_get_arg( 0 );
+		$user_id = (int) func_get_arg( 0 );
 
 		if ( isset( $_POST['role'] ) ) {
 			if( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' ) ) {
@@ -453,7 +453,7 @@
 	global $current_user, $wp_roles, $wpdb;
 	if ( $user_id != 0 ) {
 		$update = true;
-		$user->ID = $user_id;
+		$user->ID = (int) $user_id;
 		$userdata = get_userdata( $user_id );
 		$user->user_login = $wpdb->escape( $userdata->user_login );
 	} else {
@@ -478,7 +478,7 @@
 	if ( isset( $_POST['email'] ))
 		$user->user_email = wp_specialchars( trim( $_POST['email'] ));
 	if ( isset( $_POST['url'] ) ) {
-		$user->user_url = wp_specialchars( trim( $_POST['url'] ));
+		$user->user_url = clean_url( trim( $_POST['url'] ));
 		$user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url;
 	}
 	if ( isset( $_POST['first_name'] ))
@@ -562,11 +562,11 @@
 function get_link_to_edit( $link_id ) {
 	$link = get_link( $link_id );
 
-	$link->link_url         = attribute_escape($link->link_url);
+	$link->link_url         = clean_url($link->link_url);
 	$link->link_name        = attribute_escape($link->link_name);
 	$link->link_image       = attribute_escape($link->link_image);
 	$link->link_description = attribute_escape($link->link_description);
-	$link->link_rss         = attribute_escape($link->link_rss);
+	$link->link_rss         = clean_url($link->link_rss);
 	$link->link_rel         = attribute_escape($link->link_rel);
 	$link->link_notes       =  wp_specialchars($link->link_notes);
 	$link->post_category    = $link->link_category;
@@ -576,7 +576,7 @@
 
 function get_default_link_to_edit() {
 	if ( isset( $_GET['linkurl'] ) )
-		$link->link_url = attribute_escape( $_GET['linkurl']);
+		$link->link_url = clean_url( $_GET['linkurl']);
 	else
 		$link->link_url = '';
 
@@ -599,10 +599,10 @@
 		wp_die( __( 'Cheatin&#8217; uh?' ));
 
 	$_POST['link_url'] = wp_specialchars( $_POST['link_url'] );
-	$_POST['link_url'] = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $_POST['link_url']) ? $_POST['link_url'] : 'http://' . $_POST['link_url'];
+	$_POST['link_url'] = clean_url($_POST['link_url']);
 	$_POST['link_name'] = wp_specialchars( $_POST['link_name'] );
 	$_POST['link_image'] = wp_specialchars( $_POST['link_image'] );
-	$_POST['link_rss'] = wp_specialchars( $_POST['link_rss'] );
+	$_POST['link_rss'] = clean_url($_POST['link_rss']);
 	$_POST['link_category'] = $_POST['post_category'];
 
 	if ( !empty( $link_id ) ) {
@@ -781,8 +781,8 @@
 	$pad = str_repeat( '&#8212; ', $level );
 	if ( current_user_can( 'manage_categories' ) ) {
 		$edit = "<a href='categories.php?action=edit&amp;cat_ID=$category->cat_ID' class='edit'>".__( 'Edit' )."</a></td>";
-		$default_cat_id = get_option( 'default_category' );
-		$default_link_cat_id = get_option( 'default_link_category' );
+		$default_cat_id = (int) get_option( 'default_category' );
+		$default_link_cat_id = (int) get_option( 'default_link_category' );
 
 		if ( ($category->cat_ID != $default_cat_id ) && ($category->cat_ID != $default_link_cat_id ) )
 			$edit .= "<td><a href='" . wp_nonce_url( "categories.php?action=delete&amp;cat_ID=$category->cat_ID", 'delete-category_' . $category->cat_ID ) . "' onclick=\"return deleteSomething( 'cat', $category->cat_ID, '" . js_escape(sprintf( __("You are about to delete the category '%s'.\nAll of its posts will go into the default category of '%s'\nAll of its bookmarks will go into the default category of '%s'.\n'OK' to delete, 'Cancel' to stop." ), $category->cat_name, get_catname( $default_cat_id ), get_catname( $default_link_cat_id ) )) . "' );\" class='delete'>".__( 'Delete' )."</a>";
@@ -821,7 +821,7 @@
 
 		$post->post_title = wp_specialchars( $post->post_title );
 		$pad = str_repeat( '&#8212; ', $level );
-		$id = $post->ID;
+		$id = (int) $post->ID;
 		$class = ('alternate' == $class ) ? '' : 'alternate';
 ?>
   <tr id='page-<?php echo $id; ?>' class='<?php echo $class; ?>'> 
@@ -830,7 +830,7 @@
       <?php echo $pad; ?><?php the_title() ?>
     </td> 
     <td><?php the_author() ?></td>
-    <td><?php if ( '0000-00-00 00:00:00' ==$post->post_modified ) _e('Unpublished'); else echo mysql2date( 'Y-m-d g:i a', $post->post_modified ); ?></td> 
+    <td><?php if ( '0000-00-00 00:00:00' ==$post->post_modified ) _e('Unpublished'); else echo mysql2date( __('Y-m-d g:i a'), $post->post_modified ); ?></td> 
 	<td><a href="<?php the_permalink(); ?>" rel="permalink" class="edit"><?php _e( 'View' ); ?></a></td>
     <td><?php if ( current_user_can( 'edit_page', $id ) ) { echo "<a href='page.php?action=edit&amp;post=$id' class='edit'>" . __( 'Edit' ) . "</a>"; } ?></td> 
     <td><?php if ( current_user_can( 'delete_page', $id ) ) { echo "<a href='" . wp_nonce_url( "page.php?action=delete&amp;post=$id", 'delete-page_' . $id ) .  "' class='delete' onclick=\"return deleteSomething( 'page', " . $id . ", '" . js_escape(sprintf( __("You are about to delete the '%s' page.\n'OK' to delete, 'Cancel' to stop." ), get_the_title() ) ) . "' );\">" . __( 'Delete' ) . "</a>"; } ?></td> 
@@ -867,7 +867,7 @@
 	}
 	$r .= "</td>\n\t\t<td>";
 	if ( current_user_can( 'edit_user', $user_object->ID ) ) {
-		$edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
+		$edit_link = add_query_arg( 'wp_http_referer', urlencode( clean_url( stripslashes( $_SERVER['REQUEST_URI'] ) ) ), "user-edit.php?user_id=$user_object->ID" );
 		$r .= "<a href='$edit_link' class='edit'>".__( 'Edit' )."</a>";
 	}
 	$r .= "</td>\n\t</tr>";
@@ -1269,7 +1269,7 @@
 
 	if ( $items ) {
 		foreach ( $items as $item ) {
-			// A page cannot be it's own parent.
+			// A page cannot be its own parent.
 			if (!empty ( $post_ID ) ) {
 				if ( $item->ID == $post_ID ) {
 					continue;
@@ -1533,6 +1533,14 @@
 	return add_submenu_page( 'themes.php', $page_title, $menu_title, $access_level, $file, $function );
 }
 
+function add_users_page( $page_title, $menu_title, $access_level, $file, $function = '' ) {
+	if ( current_user_can('edit_users') )
+		$parent = 'users.php';
+	else
+		$parent = 'profile.php';
+	return add_submenu_page( $parent, $page_title, $menu_title, $access_level, $file, $function );
+}
+
 function validate_file( $file, $allowed_files = '' ) {
 	if ( false !== strpos( $file, './' ))
 		return 1;
@@ -1602,7 +1610,7 @@
 	}
 	elseif ( file_exists( ABSPATH . $file ) && is_file( ABSPATH . $file ) ) {
 		$template_data = implode( '', file( ABSPATH . $file ) );
-		if ( preg_match( "|Template Name:(.* )|i", $template_data, $name ))
+		if ( preg_match( "|Template Name:(.*)|i", $template_data, $name ))
 			return $name[1];
 	}
 
@@ -1914,7 +1922,7 @@
 	if ( strstr( $size, 'g' ) )
 		$bytes = $size * 1024 * 1024 * 1024;
 ?>
-<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo $action ?>">
+<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attribute_escape($action) ?>">
 <p>
 <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?> )
 <input type="file" id="upload" name="import" size="25" />
@@ -2190,7 +2198,7 @@
 
 			$thumbpath = str_replace( basename( $file ), $thumb, $file );
 
-			// move the thumbnail to it's final destination
+			// move the thumbnail to its final destination
 			if ( $type[2] == 1 ) {
 				if (!imagegif( $thumbnail, $thumbpath ) ) {
 					$error = __( "Thumbnail path invalid" );
@@ -2215,8 +2223,7 @@
 	if (!empty ( $error ) ) {
 		return $error;
 	} else {
-		apply_filters( 'wp_create_thumbnail', $thumbpath );
-		return $thumbpath;
+		return apply_filters( 'wp_create_thumbnail', $thumbpath );
 	}
 }
 
Index: wp-admin/custom-header.php
===================================================================
--- wp-admin/custom-header.php	(.../2.1)	(revision 5900)
+++ wp-admin/custom-header.php	(.../2.1.3)	(revision 5900)
@@ -174,7 +174,7 @@
 <h2><?php _e('Upload New Header Image'); ?></h2><p><?php _e('Here you can upload a custom header image to be shown at the top of your blog instead of the default one. On the next screen you will be able to crop the image.'); ?></p>
 <p><?php printf(__('Images of exactly <strong>%1$d x %2$d pixels</strong> will be used as-is.'), HEADER_IMAGE_WIDTH, HEADER_IMAGE_HEIGHT); ?></p>
 
-<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo add_query_arg('step', 2) ?>" style="margin: auto; width: 50%;">
+<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo attribute_escape(add_query_arg('step', 2)) ?>" style="margin: auto; width: 50%;">
 <label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
 <p class="submit">
@@ -188,7 +188,7 @@
 <div class="wrap">
 <h2><?php _e('Reset Header Image and Color'); ?></h2>
 <p><?php _e('This will restore the original header image and color. You will not be able to retrieve any customizations.') ?></p>
-<form method="post" action="<?php echo add_query_arg('step', 1) ?>">
+<form method="post" action="<?php echo attribute_escape(add_query_arg('step', 1)) ?>">
 <input type="submit" name="resetheader" value="<?php _e('Restore Original Header'); ?>" />
 </form>
 </div>
@@ -223,12 +223,12 @@
 
 		if ( $width == HEADER_IMAGE_WIDTH && $height == HEADER_IMAGE_HEIGHT ) {
 			set_theme_mod('header_image', $url);
-			$header = apply_filters('wp_create_file_in_uploads', $header); // For replication
+			$header = apply_filters('wp_create_file_in_uploads', $file, $id); // For replication
 			return $this->finished();
 		} elseif ( $width > HEADER_IMAGE_WIDTH ) {
 			$oitar = $width / HEADER_IMAGE_WIDTH;
 			$image = wp_crop_image($file, 0, 0, $width, $height, HEADER_IMAGE_WIDTH, $height / $oitar, false, str_replace(basename($file), 'midsize-'.basename($file), $file));
-			$image = apply_filters('wp_create_file_in_uploads', $image); // For replication
+			$image = apply_filters('wp_create_file_in_uploads', $image, $id); // For replication
 
 			$url = str_replace(basename($url), basename($image), $url);
 			$width = $width / $oitar;
@@ -240,7 +240,7 @@
 
 <div class="wrap">
 
-<form method="POST" action="<?php echo add_query_arg('step', 3) ?>">
+<form method="POST" action="<?php echo attribute_escape(add_query_arg('step', 3)) ?>">
 
 <p><?php _e('Choose the part of the image you want to use as your header.'); ?></p>
 <div id="testWrap">
@@ -286,8 +286,7 @@
 		// cleanup
 		$file = get_attached_file( $_POST['attachment_id'] );
 		$medium = str_replace(basename($file), 'midsize-'.basename($file), $file);
-		@unlink( $medium );
-		apply_filters( 'wp_delete_file', $medium );
+		@unlink( apply_filters( 'wp_delete_file', $medium ) );
 		wp_delete_attachment( $_POST['attachment_id'] );
 
 		return $this->finished();
Index: wp-admin/edit-page-form.php
===================================================================
--- wp-admin/edit-page-form.php	(.../2.1)	(revision 5900)
+++ wp-admin/edit-page-form.php	(.../2.1.3)	(revision 5900)
@@ -13,7 +13,7 @@
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
 }
 
-$sendto = attribute_escape(stripslashes(wp_get_referer()));
+$sendto = clean_url(stripslashes(wp_get_referer()));
 
 if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
 	$sendto = 'redo';
Index: wp-admin/options-general.php
===================================================================
--- wp-admin/options-general.php	(.../2.1)	(revision 5900)
+++ wp-admin/options-general.php	(.../2.1.3)	(revision 5900)
@@ -60,7 +60,7 @@
 <table class="optiontable"> 
 <tr> 
 <th scope="row"><?php _e('<abbr title="Coordinated Universal Time">UTC</abbr> time is:') ?> </th> 
-<td><code><?php echo gmdate('Y-m-d g:i:s a'); ?></code></td> 
+<td><code><?php echo gmdate(__('Y-m-d g:i:s a')); ?></code></td> 
 </tr>
 <tr>
 <th scope="row"><?php _e('Times in the weblog should differ by:') ?> </th>
Index: wp-admin/admin-db.php
===================================================================
--- wp-admin/admin-db.php	(.../2.1)	(revision 5900)
+++ wp-admin/admin-db.php	(.../2.1.3)	(revision 5900)
@@ -123,7 +123,7 @@
 
 	if (!$update) {
 		$wpdb->query("INSERT INTO $wpdb->categories (cat_ID, cat_name, category_nicename, category_description, category_parent, links_private, posts_private) VALUES ('0', '$cat_name', '$category_nicename', '$category_description', '$category_parent', '$links_private', '$posts_private')");
-		$cat_ID = $wpdb->insert_id;
+		$cat_ID = (int) $wpdb->insert_id;
 	} else {
 		$wpdb->query ("UPDATE $wpdb->categories SET cat_name = '$cat_name', category_nicename = '$category_nicename', category_description = '$category_description', category_parent = '$category_parent', links_private = '$links_private', posts_private = '$posts_private' WHERE cat_ID = '$cat_ID'");
 	}
@@ -245,7 +245,7 @@
 	if (!$category_nicename = sanitize_title($cat_name))
 		return 0;
 
-	return $wpdb->get_var("SELECT cat_ID FROM $wpdb->categories WHERE category_nicename = '$category_nicename'");
+	return (int) $wpdb->get_var("SELECT cat_ID FROM $wpdb->categories WHERE category_nicename = '$category_nicename'");
 }
 
 function wp_delete_user($id, $reassign = 'novalue') {
@@ -299,6 +299,8 @@
 	if ( !empty($link_id) )
 		$update = true;
 
+	$link_id = (int) $link_id;
+
 	if( trim( $link_name ) == '' )
 		return 0;
 	$link_name = apply_filters('pre_link_name', $link_name);
@@ -360,7 +362,7 @@
 			WHERE link_id='$link_id'");
 	} else {
 		$wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_image, link_target, link_description, link_visible, link_owner, link_rating, link_rel, link_notes, link_rss) VALUES('$link_url','$link_name', '$link_image', '$link_target', '$link_description', '$link_visible', '$link_owner', '$link_rating', '$link_rel', '$link_notes', '$link_rss')");
-		$link_id = $wpdb->insert_id;
+		$link_id = (int) $wpdb->insert_id;
 	}
 
 	wp_set_link_cats($link_id, $link_category);
@@ -443,7 +445,7 @@
 	$old_categories = $wpdb->get_col("
 		SELECT category_id
 		FROM $wpdb->link2cat
-		WHERE link_id = $link_ID");
+		WHERE link_id = '$link_ID'");
 
 	if (!$old_categories) {
 		$old_categories = array();
@@ -456,10 +458,11 @@
 
 	if ($delete_cats) {
 		foreach ($delete_cats as $del) {
+			$del = (int) $del;
 			$wpdb->query("
 				DELETE FROM $wpdb->link2cat
-				WHERE category_id = $del
-					AND link_id = $link_ID
+				WHERE category_id = '$del'
+					AND link_id = '$link_ID'
 				");
 		}
 	}
@@ -469,9 +472,11 @@
 
 	if ($add_cats) {
 		foreach ($add_cats as $new_cat) {
-			$wpdb->query("
-				INSERT INTO $wpdb->link2cat (link_id, category_id)
-				VALUES ($link_ID, $new_cat)");
+			$new_cat = (int) $new_cat;
+			if ( !empty($new_cat) )
+				$wpdb->query("
+					INSERT INTO $wpdb->link2cat (link_id, category_id)
+					VALUES ('$link_ID', '$new_cat')");
 		}
 	}
 
Index: wp-admin/import/livejournal.php
===================================================================
--- wp-admin/import/livejournal.php	(.../2.1)	(revision 5900)
+++ wp-admin/import/livejournal.php	(.../2.1.3)	(revision 5900)
@@ -82,7 +82,7 @@
 			$comments = $comments[1];
 
 			if ( $comments ) {
-				$comment_post_ID = $post_id;
+				$comment_post_ID = (int) $post_id;
 				$num_comments = 0;
 				foreach ($comments as $comment) {
 					preg_match('|<event>(.*?)</event>|is', $comment, $comment_content);
Index: wp-admin/import/dotclear.php
===================================================================
--- wp-admin/import/dotclear.php	(.../2.1)	(revision 5900)
+++ wp-admin/import/dotclear.php	(.../2.1.3)	(revision 5900)
@@ -437,8 +437,8 @@
 				extract($comment);
 
 				// WordPressify Data
-				$comment_ID = ltrim($comment_id, '0');
-				$comment_post_ID = $postarr[$post_id];
+				$comment_ID = (int) ltrim($comment_id, '0');
+				$comment_post_ID = (int) $postarr[$post_id];
 				$comment_approved = "$comment_pub";
 				$name = $wpdb->escape(csc ($comment_auteur));
 				$email = $wpdb->escape($comment_email);
Index: wp-admin/import/mt.php
===================================================================
--- wp-admin/import/mt.php	(.../2.1)	(revision 5900)
+++ wp-admin/import/mt.php	(.../2.1.3)	(revision 5900)
@@ -171,7 +171,7 @@
 			return;
 		}
 		$this->file = $file['file'];
-		$this->id = $file['id'];
+		$this->id = (int) $file['id'];
 
 		$this->get_entries();
 		$this->mt_authors_form();
@@ -295,7 +295,7 @@
 					}
 				}
 
-				$comment_post_ID = $post_id;
+				$comment_post_ID = (int) $post_id;
 				$comment_approved = 1;
 
 				// Now for comments
Index: wp-admin/import/blogware.php
===================================================================
--- wp-admin/import/blogware.php	(.../2.1)	(revision 5900)
+++ wp-admin/import/blogware.php	(.../2.1.3)	(revision 5900)
@@ -104,7 +104,7 @@
 			$comments = $comments[1];
 
 			if ( $comments ) {
-				$comment_post_ID = $post_id;
+				$comment_post_ID = (int) $post_id;
 				$num_comments = 0;
 				foreach ($comments as $comment) {
 					preg_match('|<body>(.*?)</body>|is', $comment, $comment_content);
Index: wp-admin/import/wordpress.php
===================================================================
--- wp-admin/import/wordpress.php	(.../2.1)	(revision 5900)
+++ wp-admin/import/wordpress.php	(.../2.1.3)	(revision 5900)
@@ -174,7 +174,7 @@
 			return;
 		}
 		$this->file = $file['file'];
-		$this->id = $file['id'];
+		$this->id = (int) $file['id'];
 
 		$this->get_entries();
 		$this->wp_authors_form();
@@ -201,7 +201,7 @@
 			if ( empty($parent) )
 				$category_parent = '0';
 			else
-				$category_parent = (int) category_exists($parent);
+				$category_parent = category_exists($parent);
 
 			$catarr = compact('category_nicename', 'category_parent', 'posts_private', 'links_private', 'posts_private', 'cat_name');
 
Index: wp-admin/upload.php
===================================================================
--- wp-admin/upload.php	(.../2.1)	(revision 5900)
+++ wp-admin/upload.php	(.../2.1.3)	(revision 5900)
@@ -90,7 +90,7 @@
 	$href = add_query_arg( array('tab' => $t, 'ID' => '', 'action' => '', 'paged' => '') );
 	if ( isset($tab_array[4]) && is_array($tab_array[4]) )
 		add_query_arg( $tab_array[4], $href );
-	$_href = attribute_escape( $href);
+	$_href = clean_url( $href);
 	$page_links = '';
 	$class = 'upload-tab alignleft';
 	if ( $tab == $t ) {
Index: wp-admin/edit-form-advanced.php
===================================================================
--- wp-admin/edit-form-advanced.php	(.../2.1)	(revision 5900)
+++ wp-admin/edit-form-advanced.php	(.../2.1.3)	(revision 5900)
@@ -168,11 +168,11 @@
 ?>
 <input name="referredby" type="hidden" id="referredby" value="<?php 
 if ( !empty($_REQUEST['popupurl']) )
-	echo attribute_escape(stripslashes($_REQUEST['popupurl']));
+	echo clean_url(stripslashes($_REQUEST['popupurl']));
 else if ( url_to_postid(wp_get_referer()) == $post_ID )
 	echo 'redo';
 else
-	echo attribute_escape(stripslashes(wp_get_referer()));
+	echo clean_url(stripslashes(wp_get_referer()));
 ?>" /></p>
 
 <?php do_action('edit_form_advanced'); ?>
Index: wp-admin/upload-functions.php
===================================================================
--- wp-admin/upload-functions.php	(.../2.1)	(revision 5900)
+++ wp-admin/upload-functions.php	(.../2.1.3)	(revision 5900)
@@ -35,7 +35,7 @@
 	$r = '';
 
 	if ( $href )
-		$r .= "<a id='file-link-$id' href='$href' title='$post_title' class='file-link $class'>\n";
+		$r .= "<a id='file-link-$id' href='" . clean_url($href) ."' title='$post_title' class='file-link $class'>\n";
 	if ( $href || $image_src )
 		$r .= "\t\t\t$innerHTML";
 	if ( $href )
@@ -83,9 +83,9 @@
 				echo '[&nbsp;';
 				echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
 				echo '&nbsp;|&nbsp;';
-					echo '<a href="' . attribute_escape(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
+					echo '<a href="' . clean_url(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
 				echo '&nbsp;|&nbsp;';
-				echo '<a href="' . attribute_escape(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
+				echo '<a href="' . clean_url(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
 				echo '&nbsp;]'; ?></span>
 		</div>
 
@@ -123,9 +123,9 @@
 				echo '[&nbsp;';
 				echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
 				echo '&nbsp;|&nbsp;';
-					echo '<a href="' . attribute_escape(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
+					echo '<a href="' . clean_url(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
 				echo '&nbsp;|&nbsp;';
-				echo '<a href="' . attribute_escape(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
+				echo '<a href="' . clean_url(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
 				echo '&nbsp;]'; ?></span>
 		</div>
 
Index: wp-admin/admin-header.php
===================================================================
--- wp-admin/admin-header.php	(.../2.1)	(revision 5900)
+++ wp-admin/admin-header.php	(.../2.1.3)	(revision 5900)
@@ -2,7 +2,7 @@
 @header('Content-type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset'));
 if (!isset($_GET["page"])) require_once('admin.php');
 if ( $editing ) {
-	wp_enqueue_script( array("dbx-admin-key?pagenow=$pagenow",'admin-custom-fields') );
+	wp_enqueue_script( array('dbx-admin-key?pagenow=' . attribute_escape($pagenow),'admin-custom-fields') );
 	if ( current_user_can('manage_categories') )
 		wp_enqueue_script( 'ajaxcat' );
 	if ( user_can_richedit() )
Index: wp-admin/edit.php
===================================================================
--- wp-admin/edit.php	(.../2.1)	(revision 5900)
+++ wp-admin/edit.php	(.../2.1.3)	(revision 5900)
@@ -177,7 +177,7 @@
 
 	case 'date':
 		?>
-		<td><?php if ( '0000-00-00 00:00:00' ==$post->post_modified ) _e('Unpublished'); else the_time('Y-m-d \<\b\r \/\> g:i:s a'); ?></td>
+		<td><?php if ( '0000-00-00 00:00:00' ==$post->post_modified ) _e('Unpublished'); else the_time(_('Y-m-d \<\b\r \/\> g:i:s a')); ?></td>
 		<?php
 		break;
 	case 'title':
@@ -279,17 +279,17 @@
 
 <?php comment_text() ?>
 
-<p><?php comment_date('M j, g:i A');  ?> &#8212; [
+<p><?php comment_date(__('M j, g:i A'));  ?> &#8212; [
 <?php
 if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
 	echo " <a href='comment.php?action=editcomment&amp;c=".$comment->comment_ID."'>" .  __('Edit') . '</a>';
-	echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&amp;p=' . $post->ID . '&amp;c=' . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by '%s'.\n'Cancel' to stop, 'OK' to delete."), js_escape($comment->comment_author)) . "', theCommentList );\">" . __('Delete') . '</a> ';
+	echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&amp;p=' . $comment->comment_post_ID . '&amp;c=' . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . js_escape(sprintf(__("You are about to delete this comment by '%s'.\n'Cancel' to stop, 'OK' to delete."), $comment->comment_author)) . "', theCommentList );\">" . __('Delete') . '</a> ';
 	if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
-		echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&amp;p=' . $post->ID . '&amp;c=' . $comment->comment_ID, 'unapprove-comment_' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\', theCommentList );">' . __('Unapprove') . '</a> </span>';
-		echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&amp;p=' . $post->ID . '&amp;c=' . $comment->comment_ID, 'approve-comment_' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\', theCommentList );">' . __('Approve') . '</a> </span>';
+		echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&amp;p=' . $comment->comment_post_ID . '&amp;c=' . $comment->comment_ID, 'unapprove-comment_' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\', theCommentList );">' . __('Unapprove') . '</a> </span>';
+		echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&amp;p=' . $comment->comment_post_ID . '&amp;c=' . $comment->comment_ID, 'approve-comment_' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\', theCommentList );">' . __('Approve') . '</a> </span>';
 	}
-	echo " | <a href=\"" . wp_nonce_url("comment.php?action=deletecomment&amp;dt=spam&amp;p=".$comment->comment_post_ID."&amp;c=".$comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by '%s'.\n'Cancel' to stop, 'OK' to mark as spam."), js_escape( $comment->comment_author))  . "', theCommentList );\">" . __('Spam') . "</a> ]";
-} // end if any comments to show
+	echo " | <a href=\"" . wp_nonce_url("comment.php?action=deletecomment&amp;dt=spam&amp;p=" . $comment->comment_post_ID . "&amp;c=" . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . js_escape(sprintf(__("You are about to mark as spam this comment by '%s'.\n'Cancel' to stop, 'OK' to mark as spam."), $comment->comment_author))  . "', theCommentList );\">" . __('Spam') . "</a> ";
+}
 ?>
 </p>
 		</li>
Index: wp-admin/upgrade.php
===================================================================
--- wp-admin/upgrade.php	(.../2.1)	(revision 5900)
+++ wp-admin/upgrade.php	(.../2.1.3)	(revision 5900)
@@ -28,7 +28,7 @@
 <?php
 switch($step) {
 	case 0:
-		$goback = attribute_escape(stripslashes(wp_get_referer()));
+		$goback = clean_url(stripslashes(wp_get_referer()));
 ?> 
 <p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p> 
 <h2 class="step"><a href="upgrade.php?step=1&amp;backto=<?php echo $goback; ?>"><?php _e('Upgrade WordPress &raquo;'); ?></a></h2>
@@ -40,7 +40,7 @@
 		if ( empty( $_GET['backto'] ) )
 			$backto = __get_option('home');
 		else
-			$backto = attribute_escape(stripslashes($_GET['backto']));
+			$backto = clean_url(stripslashes($_GET['backto']));
 ?> 
 <h2><?php _e('Step 1'); ?></h2> 
 	<p><?php printf(__("There's actually only one step. So if you see this, you're done. <a href='%s'>Have fun</a>!"),  $backto); ?></p>
Index: wp-admin/index-extra.php
===================================================================
--- wp-admin/index-extra.php	(.../2.1)	(revision 5900)
+++ wp-admin/index-extra.php	(.../2.1.3)	(revision 5900)
@@ -2,6 +2,8 @@
 require_once('admin.php');
 require_once (ABSPATH . WPINC . '/rss.php');
 
+@header('Content-type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset'));
+
 switch ( $_GET['jax'] ) {
 
 case 'incominglinks' :
Index: wp-admin/user-edit.php
===================================================================
--- wp-admin/user-edit.php	(.../2.1)	(revision 5900)
+++ wp-admin/user-edit.php	(.../2.1.3)	(revision 5900)
@@ -55,7 +55,7 @@
 <div id="message" class="updated fade">
 	<p><strong><?php _e('User updated.') ?></strong></p>
 	<?php if ( $wp_http_referer ) : ?>
-	<p><a href="<?php echo attribute_escape($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
+	<p><a href="<?php echo clean_url($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
 	<?php endif; ?>
 </div>
 <?php endif; ?>
Index: wp-admin/options-reading.php
===================================================================
--- wp-admin/options-reading.php	(.../2.1)	(revision 5900)
+++ wp-admin/options-reading.php	(.../2.1.3)	(revision 5900)
@@ -40,7 +40,6 @@
 	</p>
 </div>
 <?php endif; ?>
-</fieldset>
 </td> 
 </tr> 
 </table> 
@@ -54,7 +53,6 @@
 <th width="33%" scope="row"><?php _e('Show at most:') ?></th> 
 <td>
 <input name="posts_per_page" type="text" id="posts_per_page" value="<?php form_option('posts_per_page'); ?>" size="3" /> <?php _e('posts') ?>
-</select>
 </td> 
 </tr> 
 </table> 
@@ -72,7 +70,7 @@
 <td>
 <p><label><input name="rss_use_excerpt"  type="radio" value="0" <?php checked(0, get_option('rss_use_excerpt')); ?>	/> <?php _e('Full text') ?></label><br />
 <label><input name="rss_use_excerpt" type="radio" value="1" <?php checked(1, get_option('rss_use_excerpt')); ?> /> <?php _e('Summary') ?></label></p>
-<p><?php _e('Note: If you use the <code>&lt;--more--&gt;</code> feature, it will cut off posts in RSS feeds.'); ?></p>
+<p><?php _e('Note: If you use the <code>&lt;!--more--&gt;</code> feature, it will cut off posts in RSS feeds.'); ?></p>
 </td>
 </tr> 
 </table> 
Index: wp-admin/link-manager.php
===================================================================
--- wp-admin/link-manager.php	(.../2.1)	(revision 5900)
+++ wp-admin/link-manager.php	(.../2.1.3)	(revision 5900)
@@ -133,7 +133,7 @@
 	foreach ($links as $link) {
 		$link->link_name = attribute_escape($link->link_name);
 		$link->link_description = wp_specialchars($link->link_description);
-		$link->link_url = attribute_escape($link->link_url);
+		$link->link_url = clean_url($link->link_url);
 		$link->link_category = wp_get_link_cats($link->link_id);
 		$short_url = str_replace('http://', '', $link->link_url);
 		$short_url = str_replace('www.', '', $short_url);
Index: wp-admin/bookmarklet.php
===================================================================
--- wp-admin/bookmarklet.php	(.../2.1)	(revision 5900)
+++ wp-admin/bookmarklet.php	(.../2.1.3)	(revision 5900)
@@ -37,7 +37,7 @@
 
 
 $content  = wp_specialchars($_REQUEST['content']);
-$popupurl = attribute_escape($_REQUEST['popupurl']);
+$popupurl = clean_url($_REQUEST['popupurl']);
 if ( !empty($content) ) {
 	$post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );
 } else {
Index: wp-admin/page.php
===================================================================
--- wp-admin/page.php	(.../2.1)	(revision 5900)
+++ wp-admin/page.php	(.../2.1.3)	(revision 5900)
@@ -63,7 +63,7 @@
 	?>
 	<div id='preview' class='wrap'>
 	<h2 id="preview-post"><?php _e('Page Preview (updated when page is saved)'); ?></h2>
-		<iframe src="<?php echo attribute_escape(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+		<iframe src="<?php echo clean_url(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
 	</div>
 	<?php
 	break;
Index: wp-admin/edit-pages.php
===================================================================
--- wp-admin/edit-pages.php	(.../2.1)	(revision 5900)
+++ wp-admin/edit-pages.php	(.../2.1.3)	(revision 5900)
@@ -19,7 +19,7 @@
 </form>
 
 <?php
-wp('post_type=page&orderby=menu_order&what_to_show=posts&posts_per_page=-1&posts_per_archive_page=-1');
+wp('post_type=page&orderby=menu_order&what_to_show=posts&posts_per_page=-1&posts_per_archive_page=-1&order=asc');
 
 if ( $_GET['s'] )
 	$all = false;