Merged in from DEV trunk...

KTS-2178 "cross site scripting" Implemented. Committed By: Conrad Vermeulen Reviewed By: Kevin Fourie git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/STABLE/trunk@6966 c91229c3-7414-0410-bfa2-8a42b809f60b

Merged in from DEV trunk...
KTS-2178 "cross site scripting" Implemented. Committed By: Conrad Vermeulen Reviewed By: Kevin Fourie git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/STABLE/trunk@6966 c91229c3-7414-0410-bfa2-8a42b809f60b
kevin_fourie
1 parent c0664039
Showing 67 changed files with 1378 additions and 1288 deletions
lib/browse/BrowseColumns.inc.php
lib/browse/Criteria.inc
lib/browse/DocumentCollection.inc.php
lib/documentmanagement/Document.inc
lib/foldermanagement/Folder.inc
lib/widgets/forms.inc.php
plugins/browseabledashlet/templates/browseabledashlet/dashlet.smarty
plugins/ktcore/KTColumns.inc.php
plugins/ktcore/KTDocumentActions.php
plugins/ktcore/KTPermissions.php
plugins/ktstandard/KTDocumentLinksColumns.php
plugins/rssplugin/KTrss.inc.php
plugins/rssplugin/templates/RSSPlugin/dashlet.smarty
plugins/rssplugin/templates/RSSPlugin/rssdocumentaction.smarty
plugins/rssplugin/templates/RSSPlugin/rssfolderaction.smarty
templates/kt3/fieldsets/generic.smarty
templates/kt3/fieldsets/generic_versioned.smarty
templates/kt3/fieldsets/simple.smarty
templates/kt3/fieldsets/simple_versioned.smarty
templates/kt3/minimal_page.smarty
@@ -6,7 +6,7 @@
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -30,17 +30,17 @@
  */
 /** BrowserColumns
- * 
+ *
  *  Presentation and render logic for the different columns.  Each has two
  *  major methods:
  *
  *     function renderHeader($sReturnURL)
  *     function renderData($aDataRow)
- *  
+ *
  *  renderHeader returns the _content_ of the header row.
  *  renderData returns the _content_ of the body row.
  */
- 
+
 require_once(KT_LIB_DIR . '/database/dbutil.inc');
 require_once(KT_LIB_DIR . '/users/User.inc');
@@ -53,36 +53,36 @@ class BrowseColumn {
     var $sort_on = false;
     var $sort_direction = 'asc';
     var $name = '-';
-    
-    function BrowseColumn($sLabel, $sName) { 
-       $this->label = $sLabel; 
-       $this->name = $sName; 
+
+    function BrowseColumn($sLabel, $sName) {
+       $this->label = $sLabel;
+       $this->name = $sName;
     }
     // FIXME is it _really_ worth using a template here?
-    function renderHeader($sReturnURL) { 
-        $text = _kt('Abstract') . ': ' . $this->label; 
+    function renderHeader($sReturnURL) {
+        $text = _kt('Abstract') . ': ' . $this->label;
         $href = $sReturnURL . '&sort_on=' . $this->name . '&sort_order=';
         if ($this->sort_on) {
             $href .= $this->sort_direction == 'asc' ? 'desc' : 'asc' ;
         } else {
             $href .= $this->sort_direction = 'asc';
         }
-        
-        return '<a href="' . $href . '">'.$text.'</a>';        
+
+        return '<a href="' . $href . '">'.$text.'</a>';
     }
-    
-    function renderData($aDataRow) { 
+
+    function renderData($aDataRow) {
        if ($aDataRow['type'] == 'folder') {
-           return $this->name . ': '. print_r($aDataRow['folder']->getName(), true);            
+           return $this->name . ': '. print_r($aDataRow['folder']->getName(), true);
         } else {
-           return $this->name . ': '. print_r($aDataRow['document']->getName(), true); 
+           return $this->name . ': '. print_r($aDataRow['document']->getName(), true);
         }
     }
     function setSortedOn($bIsSortedOn) { $this->sort_on = $bIsSortedOn; }
     function getSortedOn() { return $this->sort_on; }
     function setSortDirection($sSortDirection) { $this->sort_direction = $sSortDirection; }
     function getSortDirection() { return $this->sort_direction; }
-    
+
     function addToFolderQuery() { return array(null, null, null); }
     function addToDocumentQuery() { return array(null, null, null); }
 }
@@ -95,7 +95,7 @@ class TitleColumn extends BrowseColumn {
         $this->aOptions = $aOptions;
     }
     // unlike others, this DOESN'T give its name.
-    function renderHeader($sReturnURL) { 
+    function renderHeader($sReturnURL) {
         $text = _kt('Title');
         $href = $sReturnURL . '&sort_on=' . $this->name . '&sort_order=';
         if ($this->sort_on) {
@@ -103,9 +103,9 @@ class TitleColumn extends BrowseColumn {
         } else {
             $href .= $this->sort_direction = 'asc';
         }
-        
+
         return '<a href="' . $href . '">'.$text.'</a>';
-        
+
     }
     function renderFolderLink($aDataRow) {
@@ -116,7 +116,7 @@ class TitleColumn extends BrowseColumn {
     }
     function renderDocumentLink($aDataRow) {
-        $outStr = '<a href="' . $this->buildDocumentLink($aDataRow) . '" title="' . $aDataRow['document']->getFilename().'">';
+        $outStr = '<a href="' . $this->buildDocumentLink($aDataRow) . '" title="' . htmlentities($aDataRow['document']->getFilename(), ENT_NOQUOTES, 'UTF-8').'">';
         $outStr .= htmlentities($aDataRow['document']->getName(), ENT_NOQUOTES, 'UTF-8');
         $outStr .= '</a>';
         return $outStr;
@@ -133,14 +133,14 @@ class TitleColumn extends BrowseColumn {
             return KTBrowseUtil::getUrlForFolder($aDataRow['folder']);
         }
     }
-    
+
     // use inline, since its just too heavy to even _think_ about using smarty.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
        $outStr = '';
        if ($aDataRow['type'] == 'folder') {
            $outStr .= '<span class="contenttype folder">';
            $outStr .= $this->renderFolderLink($aDataRow);
-           $outStr .= '</span>';           
+           $outStr .= '</span>';
         } else {
            $outStr .= '<span class="contenttype '.$this->_mimeHelper($aDataRow['document']->getMimeTypeId()).'">';
            $outStr .= $this->renderDocumentLink($aDataRow);
@@ -149,11 +149,11 @@ class TitleColumn extends BrowseColumn {
         }
         return $outStr;
     }
-    
+
     function prettySize($size) {
         $finalSize = $size;
         $label = 'b';
-        
+
         if ($finalSize > 1000) { $label='Kb'; $finalSize = floor($finalSize/1000); }
         if ($finalSize > 1000) { $label='Mb'; $finalSize = floor($finalSize/1000); }
         return $finalSize . $label;
@@ -169,15 +169,15 @@ class TitleColumn extends BrowseColumn {
 class DateColumn extends BrowseColumn {
     var $field_function;
-    
+
     // $sDocumentFieldFunction is _called_ on the document.
     function DateColumn($sLabel, $sName, $sDocumentFieldFunction) {
         $this->field_function = $sDocumentFieldFunction;
         parent::BrowseColumn($sLabel, $sName);
-        
+
     }
-    
-    function renderHeader($sReturnURL) { 
+
+    function renderHeader($sReturnURL) {
         $text = $this->label;
         $href = $sReturnURL . '&sort_on=' . $this->name . '&sort_order=';
         if ($this->sort_on) {
@@ -185,31 +185,31 @@ class DateColumn extends BrowseColumn {
         } else {
             $href .= $this->sort_direction = 'asc';
         }
-        
+
         return '<a href="' . $href . '">'.$text.'</a>';
-        
+
     }
-    
+
     // use inline, since its just too heavy to even _think_ about using smarty.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
        $outStr = '';
        if ($aDataRow['type'] == 'folder') {
            $outStr = '&nbsp;';       // no-op on folders.
         } else {
            $fn = $this->field_function;
            $dColumnDate = strtotime($aDataRow['document']->$fn());
-           
+
            // now reformat this into something "pretty"
            $outStr = date('Y-m-d H:i', $dColumnDate);
         }
         return $outStr;
     }
-    
+
     function _mimeHelper($iMimeTypeId) {
         // FIXME lazy cache this.
         $sQuery = 'SELECT icon_path FROM mime_types WHERE id = ?';
         $res = DBUtil::getOneResult(array($sQuery, array($iMimeTypeId)));
-        
+
         if ($res[0] !== null) {
            return $res[0];
         } else {
@@ -228,15 +228,15 @@ class DateColumn extends BrowseColumn {
 class UserColumn extends BrowseColumn {
     var $field_function;
-    
+
     // $sDocumentFieldFunction is _called_ on the document.
     function UserColumn($sLabel, $sName, $sDocumentFieldFunction) {
         $this->field_function = $sDocumentFieldFunction;
         parent::BrowseColumn($sLabel, $sName);
-        
+
     }
-    
-    function renderHeader($sReturnURL) { 
+
+    function renderHeader($sReturnURL) {
         $text = $this->label;
         $href = $sReturnURL . '&sort_on=' . $this->name . '&sort_order=';
         if ($this->sort_on) {
@@ -244,13 +244,13 @@ class UserColumn extends BrowseColumn {
         } else {
             $href .= $this->sort_direction = 'asc';
         }
-        
+
         return '<a href="' . $href . '">'.$text.'</a>';
-        
+
     }
-    
+
     // use inline, since its just too heavy to even _think_ about using smarty.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         $outStr = '';
         $fn = $this->field_function;
         $iUserId = null;
@@ -294,36 +294,36 @@ class SelectionColumn extends BrowseColumn {
         parent::BrowseColumn($sLabel, $sName);
     }
-    function renderHeader($sReturnURL) { 
+    function renderHeader($sReturnURL) {
         // FIXME clean up access to oPage.
         global $main;
         $main->requireJSResource('resources/js/toggleselect.js');
-        
+
         return '<input type="checkbox" title="toggle all" onclick="toggleSelectFor(this, \''.$this->name.'\')">';
-        
+
     }
-    
+
     // only include the _f or _d IF WE HAVE THE OTHER TYPE.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         $localname = $this->name;
-        
-        if (($aDataRow['type'] === 'folder') && ($this->show_folders)) { 
+
+        if (($aDataRow['type'] === 'folder') && ($this->show_folders)) {
             if ($this->show_documents) {
-                $localname .= '_f[]'; 
+                $localname .= '_f[]';
             }
-            $v = $aDataRow['folderid']; 
-        } else if (($aDataRow['type'] === 'document') && $this->show_documents) { 
+            $v = $aDataRow['folderid'];
+        } else if (($aDataRow['type'] === 'document') && $this->show_documents) {
             if ($this->show_folders) {
-                $localname .= '_d[]'; 
+                $localname .= '_d[]';
             }
-            $v = $aDataRow['docid']; 
-        } else { 
-            return '&nbsp;'; 
+            $v = $aDataRow['docid'];
+        } else {
+            return '&nbsp;';
         }
-        
+
         return '<input type="checkbox" name="' . $localname . '" onclick="activateRow(this)" value="' . $v . '"/>';
     }
-    
+
 }
@@ -337,58 +337,58 @@ class SingleSelectionColumn extends SelectionColumn {
         parent::BrowseColumn($sLabel, $sName);
     }
-    function renderHeader($sReturnURL) { 
+    function renderHeader($sReturnURL) {
         global $main;
     }
-    
+
     // only include the _f or _d IF WE HAVE THE OTHER TYPE.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         $localname = $this->name;
-        
-        if (($aDataRow['type'] === 'folder') && ($this->show_folders)) { 
+
+        if (($aDataRow['type'] === 'folder') && ($this->show_folders)) {
             if ($this->show_documents) {
-                $localname .= '_f'; 
+                $localname .= '_f';
             }
-            $v = $aDataRow['folderid']; 
-        } else if (($aDataRow['type'] === 'document') && $this->show_documents) { 
+            $v = $aDataRow['folderid'];
+        } else if (($aDataRow['type'] === 'document') && $this->show_documents) {
             if ($this->show_folders) {
-                $localname .= '_d'; 
+                $localname .= '_d';
             }
-            $v = $aDataRow['docid']; 
-        } else { 
-            return '&nbsp;'; 
+            $v = $aDataRow['docid'];
+        } else {
+            return '&nbsp;';
         }
-        
+
         return '<input type="radio" name="' . $localname . '" value="' . $v . '"/>';
     }
-    
+
 }
 class WorkflowColumn extends BrowseColumn {
-    function renderHeader($sReturnURL) {         
-        $text = $this->label; 
+    function renderHeader($sReturnURL) {
+        $text = $this->label;
         $href = $sReturnURL . '&sort_on=' . $this->name . '&sort_order=';
         if ($this->sort_on) {
             $href .= $this->sort_direction == 'asc' ? 'desc' : 'asc' ;
         } else {
             $href .= $this->sort_direction = 'asc';
         }
-        
+
         return '<a href="' . $href . '">'.$text.'</a>';
     }
-    
+
     // use inline, since its just too heavy to even _think_ about using smarty.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         $localname = $this->name;
-        
+
         // only _ever_ show this folder documents.
-        if ($aDataRow['type'] === 'folder') { 
+        if ($aDataRow['type'] === 'folder') {
             return '&nbsp;';
         }
-        
+
         $oWorkflow = KTWorkflowUtil::getWorkflowForDocument($aDataRow['document']);
         $oState = KTWorkflowUtil::getWorkflowStateForDocument($aDataRow['document']);
         if (($oState == null) || ($oWorkflow == null)) {
@@ -400,23 +400,23 @@ class WorkflowColumn extends BrowseColumn {
 }
 class DownloadColumn extends BrowseColumn {
-    
-    function renderHeader($sReturnURL) {         
-        $text = '&nbsp;'; 
-        
+
+    function renderHeader($sReturnURL) {
+        $text = '&nbsp;';
+
         return $text;
     }
-    
-    function renderData($aDataRow) { 
+
+    function renderData($aDataRow) {
         $localname = $this->name;
-        
+
         // only _ever_ show this folder documents.
-        if ($aDataRow['type'] === 'folder') { 
+        if ($aDataRow['type'] === 'folder') {
             return '&nbsp;';
         }
-    
+
         // FIXME at some point we may want to hide this if the user doens't have the download action, but its OK for now.
         $link = KTUtil::ktLink('action.php','ktcore.actions.document.view', 'fDocumentId=' . $aDataRow['document']->getId());
         $outStr = sprintf('<a href="%s" class="ktAction ktDownload" title="%s">%s</a>', $link, _kt('Download Document'), _kt('Download Document'));
@@ -8,7 +8,7 @@
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -19,9 +19,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -92,7 +92,7 @@ class BrowseCriterion {
     }
     function parameterDisplay($aData) {
-	return sprintf("%s %s", $this->baseParameterDisplay(), $aData[$this->getWidgetBase()]);
+	return sprintf("%s %s", $this->baseParameterDisplay(), htmlentities($aData[$this->getWidgetBase()],ENT_QUOTES, 'UTF-8'));
     }
     function folderQuery ($iParentID, $sSortDirection) {
@@ -144,7 +144,7 @@ class BrowseCriterion {
             // $sSortField = $this->getSortField();
             $documentQuery .= "ORDER BY " . $this->getSortField() . " " . $sSortDirection;
         }
-        
+
         return array($documentQuery, $aParams);
     }
@@ -176,7 +176,7 @@ class BrowseCriterion {
     function getID() {
         return $this->iID;
     }
-    
+
     function getNameSpace() {
 	return $this->sNamespace;
     }
@@ -203,10 +203,10 @@ class BrowseCriterion {
             return $this->getNotWidget($aPreValue) . "<input type=\"text\" size=\"50\" name=\"" . $this->getWidgetBase() . "\" />";
         }
     }
-    
+
     function getNotWidget($aPreValue=null) {
         if (!$this->bHandleNot) { return ''; }
-        
+
         // not perfect, but acceptable.
         $form_name = $this->getWidgetBase() . '_not';
         $pos_select = '';
@@ -229,7 +229,7 @@ class BrowseCriterion {
             $is_string = _kt('is');
         } else {
             $not_string = _kt('does not contain');
-            $is_string = _kt('contains');        
+            $is_string = _kt('contains');
         }
         $widget = sprintf('<select name="%s"><option value="0"%s>%s</option><option value="1"%s>%s</option></select>&nbsp;', $form_name, $pos_select, $is_string, $neg_select, $not_string);
         return $widget;
@@ -254,14 +254,14 @@ class BrowseCriterion {
         // handle the boolean "not" stuff UNLESS our caller is doing so already.
         if ($handle_not) {
             $want_invert = KTUtil::arrayGet($aRequest, $this->getWidgetBase() . '_not');
-            
+
             if (is_null($want_invert) || ($want_invert == "0")) { // use explicit "0" check
                 return $val;
             } else {
                 $val[0] = '(NOT (' . $val[0] . '))';
             }
         }
-        
+
         return $val;
     }
@@ -276,7 +276,7 @@ class NameCriterion extends BrowseCriterion {
     var $bString = true;
     var $sSearchTable = "DC";
     var $bContains = true;
-    
+
     var $sDocumentField = 'filename';
     var $sSortField = 'filename';
     var $sNamespace = 'ktcore.criteria.name';
@@ -343,7 +343,7 @@ class TitleCriterion extends BrowseCriterion {
     function TitleCriterion() {
         $this->sDisplay = _kt('Document Title');
     }
-    
+
     function documentDisplay ($oDocument) {
         return $oDocument->getName();
     }
@@ -370,7 +370,7 @@ class CreatorCriterion extends BrowseCriterion {
     function CreatorCriterion() {
         $this->sDisplay = _kt('Creator');
     }
-    
+
     function documentDisplay ($oDocument) {
         $oCreator = User::get($oDocument->getCreatorID());
         if ($oCreator) {
@@ -388,7 +388,7 @@ class CreatorCriterion extends BrowseCriterion {
 	$oUser =& User::get($aData[$this->getWidgetBase()]);
 	if(PEAR::isError($oUser)) {
 	    return $sBase . 'unknown user';
-	} 
+	}
 	return $sBase . $oUser->getName();
     }
@@ -434,7 +434,7 @@ class DateCreatedCriterion extends BrowseCriterion {
 	if($sStart) {
 	    $sDisp .= _kt('after ') .$sStart;
-	} 
+	}
 	if($sStart && $sEnd) {
 	    $sDisp .= _kt(' and ');
 	}
@@ -449,9 +449,9 @@ class DateCreatedCriterion extends BrowseCriterion {
     }
     function searchWidget ($aRequest, $aPreValue = null) {
         global $default;
-        
+
         // IMPORTANT:  this requires the presence of kt3-calendar.js
-        
+
         $sStartWidget = $this->getWidgetBase() . "_start";
         $sEndWidget = $this->getWidgetBase() . "_end";
         /* // legacy code.
@@ -480,8 +480,8 @@ class DateCreatedCriterion extends BrowseCriterion {
         } else {
             $sEnd = $aRequest[$this->getWidgetBase() . "_end"];
         }
-        
-        
+
+
         $val = null;
         if ($sStart && $sEnd) {
             $val = array($this->getSearchTable() . "." . $this->getSearchField() . " BETWEEN ? AND ?", array($sStart, $sEnd));
@@ -491,17 +491,17 @@ class DateCreatedCriterion extends BrowseCriterion {
             $val = array($this->getSearchTable() . "." . $this->getSearchField() . " < ?", array($sEnd));
         } else {
            return null;
-        }  
-        
+        }
+
         // handle the boolean "not" stuff.
         $want_invert = KTUtil::arrayGet($aRequest, $this->getWidgetBase() . '_not');
-        
+
         if (is_null($want_invert) || ($want_invert == "0")) {
             return $val;
         } else {
             $val[0] = '(NOT (' . $val[0] . '))';
         }
-        
+
         // finally
         return $val;
     }
@@ -636,15 +636,15 @@ class GenericMetadataCriterion extends BrowseCriterion {
         $p = parent::searchSQL($aRequest, false); // handle not ourselves.
         $p[0] = join(' AND ', array($p[0], "$this->sSearchTable.document_field_id = ?"));
         $p[1] = array_merge($p[1], array($this->iID));
-        
+
         // handle the boolean "not" stuff.
         $want_invert = KTUtil::arrayGet($aRequest, $this->getWidgetBase() . '_not');
         if (is_null($want_invert) || ($want_invert == "0")) {
             return $p;
         } else {
             $p[0] = '(NOT (' . $p[0] . '))';
-        }        
-        
+        }
+
         return $p;
     }
@@ -671,9 +671,9 @@ class GeneralMetadataCriterion extends BrowseCriterion {
     {
     	$this->sDisplay = _kt('General Metadata');
     }
-    
+
     function documentDisplay ($oDocument) {
-       
+
         return 'General Metadata';
     }
@@ -682,11 +682,11 @@ class GeneralMetadataCriterion extends BrowseCriterion {
         return $this->aLookup['field'];
     }
-    
+
     function searchSQL ($aRequest) {
-        $val = array('('.$this->getSearchTable() . "." .  $this->getSearchField() . " LIKE '%!%' OR DM.name LIKE '%!%'  )", 
-        array(DBUtil::escapeSimple($aRequest[$this->getWidgetBase()]),DBUtil::escapeSimple($aRequest[$this->getWidgetBase()])));       
-        
+        $val = array('('.$this->getSearchTable() . "." .  $this->getSearchField() . " LIKE '%!%' OR DM.name LIKE '%!%'  )",
+        array(DBUtil::escapeSimple($aRequest[$this->getWidgetBase()]),DBUtil::escapeSimple($aRequest[$this->getWidgetBase()])));
+
         return $val;
     }
@@ -736,7 +736,7 @@ class SizeCriterion extends BrowseCriterion {
     function SizeCriterion() {
 	$this->sDisplay = _kt('File Size');
     }
-    
+
     function documentDisplay ($oDocument) {
         return $oDocument->getFileSize();
     }
@@ -747,7 +747,7 @@ class SizeCriterion extends BrowseCriterion {
     function parameterDisplay($aData) {
 	$sBase = $this->getWidgetBase();
-	return sprintf("%s %s %s %s", $this->baseParameterDisplay(), $this->aCmps[$aData[$sBase.'_not']], $aData[$sBase.'_num'], $this->aTypes[$aData[$sBase.'_type']]);
+	return sprintf("%s %s %s %s", $this->baseParameterDisplay(), $this->aCmps[$aData[$sBase.'_not']], htmlentities($aData[$sBase.'_num'],ENT_QUOTES,'UTF-8'), $this->aTypes[$aData[$sBase.'_type']]);
     }
     function searchWidget ($aRequest, $aPreValue = null) {
@@ -763,7 +763,7 @@ class SizeCriterion extends BrowseCriterion {
 	// build number
 	$sNumInput = sprintf('<input type="text" name="%s" value="%s"/>', $sNumWidget, KTUtil::arrayGet($aPreValue, $sNumWidget, ''));
-	       
+
 	// build type selection widget
 	$sTypeSelect = '<select name="'.$sTypeWidget.'">';
@@ -802,8 +802,8 @@ class ContentCriterion extends BrowseCriterion {
     function ContentCriterion() {
 	$this->sDisplay = _kt('Document Text');
-    }    
-    
+    }
+
     function documentDisplay ($oDocument) {
         return "Document Text";
     }
@@ -812,7 +812,7 @@ class ContentCriterion extends BrowseCriterion {
     }
     function getSearchField () {
         return "document_text";
-    } 
+    }
     function searchSQL ($aRequest) {
         $oKTConfig =& KTConfig::getSingleton();
@@ -840,8 +840,8 @@ class ContentCriterion extends BrowseCriterion {
             return $p;
         } else {
             $p[0] = '(NOT (' . $p[0] . '))';
-        }        
-        
+        }
+
         return $p;
     }
@@ -859,8 +859,8 @@ class WorkflowStateCriterion extends BrowseCriterion {
     function WorkflowStateCriterion() {
 	$this->sDisplay = _kt('Workflow State');
-    }    
-    
+    }
+
     function documentDisplay ($oDocument) {
         $oState =& KTWorkflowState::getByDocument($oDocument);
         if ($oState) {
@@ -894,14 +894,14 @@ class WorkflowStateCriterion extends BrowseCriterion {
         $p = array();
         $p[0] = "DM.workflow_state_id = ?";
         $p[1] = $aRequest[$this->getWidgetBase()];
-        
+
         // handle the boolean "not" stuff.
         $want_invert = KTUtil::arrayGet($aRequest, $this->getWidgetBase() . '_not');
         if (is_null($want_invert) || ($want_invert == "0")) {
             return $p;
         } else {
             $p[0] = '(NOT (' . $p[0] . '))';
-        }        
+        }
         return $p;
     }
@@ -920,7 +920,7 @@ class WorkflowStateCriterion extends BrowseCriterion {
         foreach ($aStates as $oState) {
             $oWorkflow =& KTWorkflow::get($oState->getWorkflowId());
             $sSelStr = '';
-            if ($preval == $oState->getId()) { $sSelStr = ' selected="true"'; }            
+            if ($preval == $oState->getId()) { $sSelStr = ' selected="true"'; }
             $sRet .= "<option value=\"" . $oState->getId() . "\"" . $sSelStr . ">" . $oWorkflow->getName() . " - " . $oState->getName() . "</option>\n";
         }
         $sRet .= "</select>\n";
@@ -937,9 +937,9 @@ class DiscussionTextCriterion extends BrowseCriterion {
     function DiscussionTextCriterion() {
 	$this->sDisplay = _kt('Discussion Threads');
-    }    
-    
-    
+    }
+
+
     function documentDisplay ($oDocument) {
         return "Discussion Threads";
     }
@@ -959,15 +959,15 @@ class DiscussionTextCriterion extends BrowseCriterion {
         $p = array();
         $p[0] = "MATCH(DDCT.body) AGAINST (? $boolean_mode)";
 	$p[1] = KTUtil::phraseQuote($aRequest[$this->getWidgetBase()]);
-        
+
         // handle the boolean "not" stuff.
         $want_invert = KTUtil::arrayGet($aRequest, $this->getWidgetBase() . '_not');
         if (is_null($want_invert) || ($want_invert == "0")) {
             return $p;
         } else {
             $p[0] = '(NOT (' . $p[0] . '))';
-        }       
-        
+        }
+
         return $p;
     }
@@ -989,8 +989,8 @@ class SearchableTextCriterion extends BrowseCriterion {
     function SearchableTextCriterion() {
 	$this->sDisplay = _kt('Simple Search Text');
-    }        
-    
+    }
+
     function documentDisplay ($oDocument) {
         return "Simple search text";
     }
@@ -1000,7 +1000,7 @@ class SearchableTextCriterion extends BrowseCriterion {
     function getSearchField () {
         return "document_text";
-    } 
+    }
     function searchSQL ($aRequest) {
         $oKTConfig =& KTConfig::getSingleton();
@@ -1015,11 +1015,11 @@ class SearchableTextCriterion extends BrowseCriterion {
         } else {
             $boolean_mode = "";
         }
-		
+
 		$p = array();
 		$temp = str_replace('%', '', $aRequest[$this->getWidgetBase()]);
 		$keywords = explode(' ', $temp);
-		
+
 		for($i=0; $i<count($keywords); $i++){
 			if($keywords[$i] == ' ' or $keywords[$i] == ''){
 				continue;
@@ -1036,7 +1036,7 @@ class SearchableTextCriterion extends BrowseCriterion {
 					continue;
 				}
 				$keywords[$i] = '%'.$keywords[$i].'%';
-			}			
+			}
 			$p[0] = "DST.document_text LIKE ? AND DST.document_text LIKE ? ";
 			$p[1] = $keywords;
 		}else{
@@ -1050,8 +1050,8 @@ class SearchableTextCriterion extends BrowseCriterion {
             return $p;
         } else {
             $p[0] = '(NOT (' . $p[0] . '))';
-        }                
-        
+        }
+
         return $p;
     }
@@ -1071,8 +1071,8 @@ class TransactionTextCriterion extends BrowseCriterion {
     function TransactionTextCriterion() {
 	$this->sDisplay = _kt('Transaction Text');
-    }        
-    
+    }
+
     function documentDisplay ($oDocument) {
         return "Transaction text";
     }
@@ -1092,15 +1092,15 @@ class TransactionTextCriterion extends BrowseCriterion {
         $p = array();
         $p[0] = "MATCH(DTT.document_text) AGAINST (? $boolean_mode)";
 	$p[1] = KTUtil::phraseQuote($aRequest[$this->getWidgetBase()]);
-        
+
         // handle the boolean "not" stuff.
         $want_invert = KTUtil::arrayGet($aRequest, $this->getWidgetBase() . '_not');
         if (is_null($want_invert) || ($want_invert == "0")) {
             return $p;
         } else {
             $p[0] = '(NOT (' . $p[0] . '))';
-        }       
-        
+        }
+
         return $p;
     }
@@ -1118,11 +1118,11 @@ class TagCloudCriterion extends BrowseCriterion {
     var $sSortField = 'tag';
     var $sNamespace = 'ktcore.criteria.tagcloud';
     var $sSearchTable = "TWS" ;
-    
+
     function TagCloudCriterion() {
 	$this->sDisplay = _kt('Tag Cloud');
-    }        
-    
+    }
+
     function documentDisplay ($oDocument) {
         return "Tag Cloud";
     }
@@ -1132,16 +1132,16 @@ class TagCloudCriterion extends BrowseCriterion {
     function searchSQL ($aRequest) {
          $p = parent::searchSQL($aRequest, false); // handle not ourselves.
-                
+
         // handle the boolean "not" stuff.
         $want_invert = KTUtil::arrayGet($aRequest, $this->getWidgetBase() . '_not');
         if (is_null($want_invert) || ($want_invert == "0")) {
             return $p;
         } else {
             $p[0] = '(NOT (' . $p[0] . '))';
-        }        
-        
-        return $p;   	
+        }
+
+        return $p;
     }
     function searchJoinSQL () {
@@ -1163,14 +1163,14 @@ class DateCreatedDeltaCriterion extends DateCreatedCriterion {
     function DateCreatedDeltaCriterion() {
 	$this->sDisplay = _kt('Date Created Delta');
-    }        
+    }
-    function parameterDisplay($aData) {	
+    function parameterDisplay($aData) {
 	$sNum = KTUtil::arrayGet($aData, $this->getWidgetBase() . '_num');
 	$sType = KTUtil::arrayGet($aData, $this->getWidgetBase() . '_type');
 	return sprintf('%s %s %s', $this->baseParameterDisplay(), $sNum, $this->aTypes[$sType]);
     }
-    
+
     function searchWidget ($aRequest, $aPreValue = null) {
         $sNumWidget = $this->getWidgetBase() . '_num';
         $sTypeWidget = $this->getWidgetBase() . '_type';
@@ -1196,7 +1196,7 @@ class DateCreatedDeltaCriterion extends DateCreatedCriterion {
 	$sType = KTUtil::arrayGet($aRequest, $this->getWidgetBase() . '_type');
 	$val = array($this->getSearchTable() . "." . $this->getSearchField() . " > SUBDATE(NOW(), INTERVAL ? {$sType})", array($sNum));
-        
+
         $want_invert = KTUtil::arrayGet($aRequest, $this->getWidgetBase() . '_not');
         if (is_null($want_invert) || ($want_invert == "0")) {
             return $val;
@@ -1215,8 +1215,8 @@ class DateModifiedDeltaCriterion extends DateCreatedDeltaCriterion {
     function DateModifiedDeltaCriterion() {
 	$this->sDisplay = _kt('Date Modified Delta');
-    }        
-    
+    }
+
     function documentDisplay ($oDocument) {
         return $oDocument->getLastModifiedDate();
     }
@@ -6,7 +6,7 @@
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -29,9 +29,9 @@
  *
  */
-require_once(KT_LIB_DIR . '/templating/templating.inc.php'); 
-require_once(KT_LIB_DIR . '/documentmanagement/Document.inc'); 
-require_once(KT_LIB_DIR . '/foldermanagement/Folder.inc'); 
+require_once(KT_LIB_DIR . '/templating/templating.inc.php');
+require_once(KT_LIB_DIR . '/documentmanagement/Document.inc');
+require_once(KT_LIB_DIR . '/foldermanagement/Folder.inc');
 require_once(KT_LIB_DIR . '/browse/PartialQuery.inc.php');
 class DocumentCollection {
@@ -43,90 +43,90 @@ class DocumentCollection {
    var $_aDocumentJoinParams = null;
    var $_sDocumentSortField = null;
    var $_queryObj = null;
-   
+
    // current documents (in _this_ batch.)
    var $activeset = null;
    var $_documentData = array();             // [docid] => array();
    var $_folderData = array();               // [folderid] => array();
    var $columns = array();                   // the columns in use
-   
+
    var $returnURL = null;
-   
+
    var $folderCount = 0;
    var $documentCount = 0;
-   var $itemCount = 0;   
+   var $itemCount = 0;
    var $batchStart = 0;                      // if batch specified a "start".
    var $batchPage = 0;
    var $batchSize = 20;                      // size of the batch   // FIXME make this configurable.
-   
-   
+
+
    var $sort_column;
    var $sort_order;
-   
+
    var $is_advanced = false;
-   
+
    var $empty_message;
-   
+
    /* initialisation */
-   
+
    function DocumentCollection() {
-       $this->empty_message = _kt('No folders or documents in this location.');   
+       $this->empty_message = _kt('No folders or documents in this location.');
    }
-   
+
    // columns should be added in the "correct" order (e.g. display order)
-   function addColumn($oBrowseColumn) { array_push($this->columns, $oBrowseColumn); }   
-   function setQueryObject($oQueryObj) { $this->_queryObj = $oQueryObj; }   
+   function addColumn($oBrowseColumn) { array_push($this->columns, $oBrowseColumn); }
+   function setQueryObject($oQueryObj) { $this->_queryObj = $oQueryObj; }
+
+   /* fetch cycle */
-   /* fetch cycle */   
-   
    // FIXME this needs to be handled by US, not browse / search.
-   
+
    function setBatching($sReturnURL, $iBatchPage, $iBatchSize) {
       $this->returnURL = $sReturnURL;
-	  $this->batchPage = $iBatchPage; 
-	  $this->batchSize = $iBatchSize; 
-	  $this->batchStart = $this->batchPage * $this->batchSize; 
-   }      
-   
+	  $this->batchPage = $iBatchPage;
+	  $this->batchSize = $iBatchSize;
+	  $this->batchStart = $this->batchPage * $this->batchSize;
+   }
+
    // column is the label of the column.
-   
-   function setSorting($sSortColumn, $sSortOrder) { 
+
+   function setSorting($sSortColumn, $sSortOrder) {
       // FIXME affect the column based on this.
-	  
+
 	  // defaults
 	  $this->_sDocumentSortField = 'DM.name';
 	  $this->_sFolderSortField = 'F.name';
-	  
+
 	  // then we start.
-      $this->sort_column = $sSortColumn; 
-	  $this->sort_order = $sSortOrder; 
-	  
-	  
+      $this->sort_column = $sSortColumn;
+	  $this->sort_order = $sSortOrder;
+
+
 	  // this is O(n).  Do this only after adding all columns.
-	  foreach ($this->columns as $key => $oColumn) { 
-		 if ($oColumn->name == $sSortColumn) { 
+	  foreach ($this->columns as $key => $oColumn) {
+		 if ($oColumn->name == $sSortColumn) {
 		    // nb: don't use $oColumn - its a different object (?)
 			$this->columns[$key]->setSortedOn(true);
 			$this->columns[$key]->setSortDirection($sSortOrder);
-			
+
 			// get the join params from the object.
 			$aFQ = $this->columns[$key]->addToFolderQuery();
 			$aDQ = $this->columns[$key]->addToDocumentQuery();
-			
+
 			$this->_sFolderJoinClause = $aFQ[0];
    			$this->_aFolderJoinParams = $aFQ[1];
 			if ($aFQ[2]) { $this->_sFolderSortField = $aFQ[2]; }
    			$this->_sDocumentJoinClause = $aDQ[0];
    			$this->_aDocumentJoinParams = $aDQ[1];
 			if ($aDQ[2]) { $this->_sDocumentSortField = $aDQ[2]; }
-			
+
 		 } else {
 		    $oColumn->setSortedOn(false);
 		 }
-		 
+
 	  }
-	  
+
    }
    // finally, generate the results.  either (documents or folders) could be null/empty
@@ -144,14 +144,14 @@ class DocumentCollection {
           $this->documentCount = 0;
       }
 	  $this->itemCount = $this->documentCount + $this->folderCount;
-	  
+
 	  // now we need the active set:  this is based on the batchsize,
 	  // batchstart.  this is divided into folders/documents. (_no_ intermingling).
 	  $folderSet = null;
 	  $documentSet = null;
 	  // assume we have not documents.  This impacts "where" our documents start.
-	  // 
+	  //
 	  $no_folders = true;
 	  $documents_to_get = $this->batchSize;
 	  $folders_to_get = 0;
@@ -165,10 +165,10 @@ class DocumentCollection {
 		 } else {
 		    $documents_to_get -= $folders_to_get; // batch-size less the folders.
 		 }
-		 
+
 	  }
-	  
-	  
+
+
 	  if ($no_folders) {
           $this->batchStart -= $this->folderCount;
 		 $documentSet = $this->_queryObj->getDocuments($documents_to_get, $this->batchStart, $this->_sDocumentSortField, $this->sort_order, $this->_sDocumentJoinClause, $this->_aDocumentJoinParams);
@@ -177,7 +177,7 @@ class DocumentCollection {
 		 if ($documents_to_get > 0) {
 	        $documentSet = $this->_queryObj->getDocuments($documents_to_get, 0, $this->_sDocumentSortField, $this->sort_order, $this->_sDocumentJoinClause, $this->_aDocumentJoinParams);
 		 }
-		 
+
 	  }
 	  //var_dump($folderSet);
 	  $this->activeset = array(
@@ -186,49 +186,49 @@ class DocumentCollection {
 	  );
    }
-   // stub:  fetch all relevant information about a document (that will reasonably be fetched).  
-   function getDocumentInfo($iDocumentId) { 
+   // stub:  fetch all relevant information about a document (that will reasonably be fetched).
+   function getDocumentInfo($iDocumentId) {
       if (array_key_exists($iDocumentId, $this->_documentData)) {
-         return $this->_documentData[$iDocumentId];  
+         return $this->_documentData[$iDocumentId];
       } else {
          $this->_documentData[$iDocumentId] = $this->_retrieveDocumentInfo($iDocumentId);
          return $this->_documentData[$iDocumentId];
       }
-   }   
-   function _retrieveDocumentInfo($iDocumentId) { 
+   }
+   function _retrieveDocumentInfo($iDocumentId) {
       $row_info = array('docid' => $iDocumentId);
 	  $row_info['type'] = 'document';
 	  $row_info['document'] =& Document::get($iDocumentId);
-	  
+
 	  return $row_info;
    }
-   
+
    // FIXME get more document info.
-   function getFolderInfo($iFolderId) { 
+   function getFolderInfo($iFolderId) {
       if (array_key_exists($iFolderId, $this->_folderData)) {
-         return $this->_folderData[$iFolderId];  
+         return $this->_folderData[$iFolderId];
       } else {
          $this->_folderData[$iFolderId] = $this->_retrieveFolderInfo($iFolderId);
          return $this->_folderData[$iFolderId];
-      } 
-   }   
-   
+      }
+   }
+
    // FIXME get more folder info.
-   function _retrieveFolderInfo($iFolderId) { 
+   function _retrieveFolderInfo($iFolderId) {
       $row_info = array('folderid' => $iFolderId);
 	  $row_info['type'] = 'folder';
-	  $row_info['folder'] =& Folder::get($iFolderId);	  
-	  
+	  $row_info['folder'] =& Folder::get($iFolderId);
+
 	  return $row_info;
    }
-   
+
    // render a particular row.
    function renderRow($iDocumentId) { ; }
    // link url for a particular page.
-   function pageLink($iPageNumber) { 
-	  return $this->returnURL . '&page=' . $iPageNumber . '&sort_on=' . $this->sort_column . '&sort_order=' . $this->sort_order; 
+   function pageLink($iPageNumber) {
+	  return $this->returnURL . '&page=' . $iPageNumber . '&sort_on=' . $this->sort_column . '&sort_order=' . $this->sort_order;
    }
-   
+
    function render() {
       // sort out the batch
       $pagecount = (int) floor($this->itemCount / $this->batchSize);
@@ -236,7 +236,7 @@ class DocumentCollection {
 		 $pagecount += 1;
       }
 	  // FIXME expose the current set of rows to the document.
-	  
+
       $oTemplating =& KTTemplating::getSingleton();
 	  $oTemplate = $oTemplating->loadTemplate('kt3/document_collection');
 	  $aTemplateData = array(
@@ -246,7 +246,7 @@ class DocumentCollection {
 		 'returnURL' => $this->returnURL,
 		 'columncount' => count($this->columns),
 	  );
-	  
+
 	  // in order to allow OTHER things than batch to move us around, we do:
 	  return $oTemplate->render($aTemplateData);
    }
@@ -272,52 +272,52 @@ class AdvancedCollection {
     var $_queryObj = null;
     var $sort_column;
     var $sort_order;
-       
+
     // current documents (in _this_ batch.)
-    var $activeset = null;     
+    var $activeset = null;
     var $_documentData = array();             // [docid] => array();
     var $_folderData = array();               // [folderid] => array();
     var $columns = array();                   // the columns in use
-    
+
     var $returnURL = null;
-   
+
     var $folderCount = 0;
     var $documentCount = 0;
-    var $itemCount = 0;   
+    var $itemCount = 0;
     var $batchStart = 0;                      // if batch specified a "start".
     var $batchPage = 0;
     var $batchSize = 20;                      // size of the batch   // FIXME make this configurable.
-    
+
     var $aOptions = array();
     var $bShowFolders = true;
     var $bShowDocuments = true;
-    
-    var $_gotData = false;    
+
+    var $_gotData = false;
     var $_sorted = false;
-    
+
     var $is_browse = false;
-    
+
     var $empty_message;
     /* initialisation */
     function setOptions($aOptions) {
-        $this->aOptions = $aOptions;   
- 
+        $this->aOptions = $aOptions;
+
         // batching
-        $this->batchPage = KTUtil::arrayGet($aOptions, 'batch_page', 0);       
-        $this->batchSize = KTUtil::arrayGet($aOptions, 'batch_size', 25);       
-        $this->batchStart =  $this->batchPage * $this->batchSize; 
-        
+        $this->batchPage = KTUtil::arrayGet($aOptions, 'batch_page', 0);
+        $this->batchSize = KTUtil::arrayGet($aOptions, 'batch_size', 25);
+        $this->batchStart =  $this->batchPage * $this->batchSize;
+
         // visibility
-        $this->bShowFolders = KTUtil::arrayGet($aOptions, 'show_folders', true, false);       
+        $this->bShowFolders = KTUtil::arrayGet($aOptions, 'show_folders', true, false);
         $this->bShowDocuments = KTUtil::arrayGet($aOptions, 'show_documents', true, false);
-        
+
         $this->is_browse = KTUtil::arrayGet($aOptions, 'is_browse', false);
-        
+
         // sorting
-        $this->sort_column = KTUtil::arrayGet($aOptions, 'sort_on', 'ktcore.columns.title');    
-        $this->sort_order = KTUtil::arrayGet($aOptions, 'sort_order', 'asc');        
+        $this->sort_column = KTUtil::arrayGet($aOptions, 'sort_on', 'ktcore.columns.title');
+        $this->sort_order = KTUtil::arrayGet($aOptions, 'sort_order', 'asc');
         // url options
         $sURL = KTUtil::arrayGet($aOptions, 'return_url', false);
@@ -325,19 +325,19 @@ class AdvancedCollection {
             $sURL = KTUtil::arrayGet($aOptions, 'result_url', $_SERVER['PHP_SELF']);
         }
         $this->returnURL = $sURL;
-        
+
         $this->empty_message = KTUtil::arrayGet($aOptions, 'empty_message', _kt('No folders or documents in this location.'));
-    }   
-    
-    
+    }
+
+
     // we use a lot of standard variable names for these (esp. in columns.)
     // no need to replicate the code everywhere.
     function getEnvironOptions() {
         $aNewOptions = array();
-        
+
         // batching
         $aNewOptions['batch_page'] = (int) KTUtil::arrayGet($_REQUEST, 'page', 0);
-        
+
         // evil with cookies.
         $batch_size = KTUtil::arrayGet($_REQUEST, 'page_size');
         if (empty($batch_size)) {
@@ -347,28 +347,28 @@ class AdvancedCollection {
             setcookie('__kt_batch_size', $batch_size);
         }
         $aNewOptions['batch_size'] = (int) $batch_size;
-        
+
         // ordering. (direction and column)
-        $aNewOptions['sort_on'] = KTUtil::arrayGet($_REQUEST, 'sort_on', 'ktcore.columns.title');	   
-        $displayOrder = KTUtil::arrayGet($_REQUEST, 'sort_order', 'asc');		
+        $aNewOptions['sort_on'] = KTUtil::arrayGet($_REQUEST, 'sort_on', 'ktcore.columns.title');
+        $displayOrder = KTUtil::arrayGet($_REQUEST, 'sort_order', 'asc');
         if ($displayOrder !== 'asc') { $displayOrder = 'desc'; }
         $aNewOptions['sort_order'] = $displayOrder;
-        
-        // probably URL         
-        $aNewOptions['result_url'] = $_SERVER['PHP_SELF'];        
-        
+
+        // probably URL
+        $aNewOptions['result_url'] = $_SERVER['PHP_SELF'];
+
         // return the environ options
         return $aNewOptions;
     }
-    
+
     function setColumnOptions($sColumnNamespace, $aOptions) {
         foreach ($this->columns as $key => $oColumn) {
             if ($oColumn->namespace == $sColumnNamespace) {
-                $this->columns[$key]->setOptions($aOptions);    
+                $this->columns[$key]->setOptions($aOptions);
             }
         }
     }
-   
+
     function getColumnOptions($sColumnNamespace) {
         foreach ($this->columns as $key => $oColumn) {
             if ($oColumn->namespace == $sColumnNamespace) {
@@ -376,59 +376,59 @@ class AdvancedCollection {
             }
         }
     }
-   
+
     // columns should be added in the "correct" order (e.g. display order)
-    function addColumn($oBrowseColumn) { array_push($this->columns, $oBrowseColumn); }   
+    function addColumn($oBrowseColumn) { array_push($this->columns, $oBrowseColumn); }
     function addColumns($aColumns) { $this->columns = kt_array_merge($this->columns, $aColumns); }
-    function setQueryObject($oQueryObj) { $this->_queryObj = $oQueryObj; }   
+    function setQueryObject($oQueryObj) { $this->_queryObj = $oQueryObj; }
+
+    /* fetch cycle */
+    function setSorting() {
+
+        $this->_sorted = true;
-    /* fetch cycle */      
-    function setSorting() { 
-    
-        $this->_sorted = true;    
-    
         // defaults
         $this->_sDocumentSortField = 'DM.name';
-        $this->_sFolderSortField = 'F.name';        
-        
-        foreach ($this->columns as $key => $oColumn) { 
-            if ($oColumn->namespace == $this->sort_column) { 
+        $this->_sFolderSortField = 'F.name';
+
+        foreach ($this->columns as $key => $oColumn) {
+            if ($oColumn->namespace == $this->sort_column) {
                 $this->columns[$key]->setSortedOn(true);
                 $this->columns[$key]->setSortDirection($this->sort_order);
                 // get the join params from the object.
                 $aFQ = $this->columns[$key]->addToFolderQuery();
                 $aDQ = $this->columns[$key]->addToDocumentQuery();
-                                
+
                 $this->_sFolderJoinClause = $aFQ[0];
                 $this->_aFolderJoinParams = $aFQ[1];
-                
+
                 if ($aFQ[2]) { $this->_sFolderSortField = $aFQ[2]; }
                 $this->_sDocumentJoinClause = $aDQ[0];
-                $this->_aDocumentJoinParams = $aDQ[1];           
-                
-                if ($aDQ[2]) { 
+                $this->_aDocumentJoinParams = $aDQ[1];
+
+                if ($aDQ[2]) {
                     $this->_sDocumentSortField = $aDQ[2]; }
                 } else {
         		    $oColumn->setSortedOn(false);
                 }
         }
     }
-   
+
     // finally, generate the results.  either (documents or folders) could be null/empty
     // FIXME handle column-for-sorting (esp. md?)
     function getResults() {
-   
+
         if ($this->_gotInfo == true) {
-            return; 
-        }   
-   
+            return;
+        }
+
         // this impacts the query used.
         if (!$this->_sorted) {
             $this->setSorting();
-        }   
-   
+        }
+
         // work out how many of each item type we're going to expect.
         if ($this->bShowFolders) {
             $this->folderCount = $this->_queryObj->getFolderCount();
@@ -439,9 +439,9 @@ class AdvancedCollection {
         } else {
             $this->folderCount = 0;
         }
-        
+
         if ($this->bShowDocuments) {
-            $this->documentCount = $this->_queryObj->getDocumentCount();      
+            $this->documentCount = $this->_queryObj->getDocumentCount();
             if (PEAR::isError($this->documentCount)) {
                 $_SESSION['KTErrorMessage'][] = $this->documentCount->toString();
                 $this->documentCount = 0;
@@ -449,21 +449,21 @@ class AdvancedCollection {
         } else {
             $this->documentCount = 0;
         }
-        
+
         $this->itemCount = $this->documentCount + $this->folderCount;
-        
+
         // now we need the active set:  this is based on the batchsize,
         // batchstart.  this is divided into folders/documents. (_no_ intermingling).
         $folderSet = null;
         $documentSet = null;
         // assume we have not documents.  This impacts "where" our documents start.
-        // 
+        //
         $no_folders = true;
         if ($this->bShowDocuments) {
             $documents_to_get = $this->batchSize;
         } else {
-            $documents_to_get = 0;            
+            $documents_to_get = 0;
         }
         $folders_to_get = 0;
@@ -480,27 +480,27 @@ class AdvancedCollection {
         if ($no_folders) {
             $this->batchStart -= $this->folderCount;
-            $documentSet = $this->_queryObj->getDocuments($documents_to_get, 
-                    $this->batchStart, 
-                    $this->_sDocumentSortField, 
-                    $this->sort_order, 
-                    $this->_sDocumentJoinClause, 
+            $documentSet = $this->_queryObj->getDocuments($documents_to_get,
+                    $this->batchStart,
+                    $this->_sDocumentSortField,
+                    $this->sort_order,
+                    $this->_sDocumentJoinClause,
                     $this->_aDocumentJoinParams);
         } else {
-            $folderSet = $this->_queryObj->getFolders($folders_to_get, 
-                $this->batchStart, 
-                $this->_sFolderSortField, 
-                $this->sort_order, 
-                $this->_sFolderJoinQuery, 
+            $folderSet = $this->_queryObj->getFolders($folders_to_get,
+                $this->batchStart,
+                $this->_sFolderSortField,
+                $this->sort_order,
+                $this->_sFolderJoinQuery,
                 $this->_aFolderJoinParams);
-            // if we're getting -any- documents this round, then get some.                
+            // if we're getting -any- documents this round, then get some.
             if ($documents_to_get > 0) {
-                $documentSet = $this->_queryObj->getDocuments($documents_to_get, 
-                    0, 
-                    $this->_sDocumentSortField, 
-                    $this->sort_order, 
-                    $this->_sDocumentJoinClause, 
+                $documentSet = $this->_queryObj->getDocuments($documents_to_get,
+                    0,
+                    $this->_sDocumentSortField,
+                    $this->sort_order,
+                    $this->_sDocumentJoinClause,
                     $this->_aDocumentJoinParams);
             }
         }
@@ -516,11 +516,11 @@ class AdvancedCollection {
             //var_dump($documentSet); exit(0);
             $documentSet = array();
             $this->documentCount = 0;
-            
+
         }
-        
-        $this->itemCount = $this->documentCount + $this->folderCount;        
-        
+
+        $this->itemCount = $this->documentCount + $this->folderCount;
+
         $this->activeset = array(
             'folders' => $folderSet,
             'documents' => $documentSet,
@@ -529,72 +529,72 @@ class AdvancedCollection {
         $this->_gotInfo = true; // don't do this twice ...
     }
-    // stub:  fetch all relevant information about a document (that will reasonably be fetched).  
-    function getDocumentInfo($iDocumentId) { 
+    // stub:  fetch all relevant information about a document (that will reasonably be fetched).
+    function getDocumentInfo($iDocumentId) {
         if (array_key_exists($iDocumentId, $this->_documentData)) {
-            return $this->_documentData[$iDocumentId];  
+            return $this->_documentData[$iDocumentId];
         } else {
             $this->_documentData[$iDocumentId] = $this->_retrieveDocumentInfo($iDocumentId);
             return $this->_documentData[$iDocumentId];
         }
     }
-      
-    function _retrieveDocumentInfo($iDocumentId) { 
+
+    function _retrieveDocumentInfo($iDocumentId) {
         $row_info = array('docid' => $iDocumentId);
         $row_info['type'] = 'document';
         $row_info['document'] =& Document::get($iDocumentId);
         return $row_info;
     }
-   
+
     // FIXME get more document info.
-    function getFolderInfo($iFolderId) { 
+    function getFolderInfo($iFolderId) {
         if (array_key_exists($iFolderId, $this->_folderData)) {
-            return $this->_folderData[$iFolderId];  
+            return $this->_folderData[$iFolderId];
         } else {
             $this->_folderData[$iFolderId] = $this->_retrieveFolderInfo($iFolderId);
             return $this->_folderData[$iFolderId];
-        } 
+        }
     }
-   
+
     // FIXME get more folder info.
-    function _retrieveFolderInfo($iFolderId) { 
+    function _retrieveFolderInfo($iFolderId) {
         $row_info = array('folderid' => $iFolderId);
         $row_info['type'] = 'folder';
-        $row_info['folder'] =& Folder::get($iFolderId);	  
-        
+        $row_info['folder'] =& Folder::get($iFolderId);
+
         return $row_info;
     }
-   
+
     // render a particular row.
     function renderRow($iDocumentId) { ; }
-    
+
     // link url for a particular page.
-    function pageLink($iPageNumber) { 
-        $qs = sprintf('page=%s&sort_on=%s&sort_order=%s', $iPageNumber, $this->sort_column, $this->sort_order);    
-        return KTUtil::addQueryString($this->returnURL, $qs); 
+    function pageLink($iPageNumber) {
+        $qs = sprintf('page=%s&sort_on=%s&sort_order=%s', $iPageNumber, $this->sort_column, $this->sort_order);
+        return KTUtil::addQueryString($this->returnURL, $qs);
     }
-   
-    function render() {        
+
+    function render() {
         $this->setSorting();
-        $this->getResults(); 
-        
+        $this->getResults();
+
         // ensure all columns use the correct url
         //var_dump($this->returnURL); exit(0);
         $aOpt = array('return_url' => $this->returnURL);
         foreach ($this->columns as $k => $v) {
             $this->columns[$k]->setOptions($aOpt);
         }
-    
+
         // sort out the batch
         $pagecount = (int) floor($this->itemCount / $this->batchSize);
         if (($this->itemCount % $this->batchSize) != 0) {
             $pagecount += 1;
         }
-	  
+
 	    // ick.
 	    global $main;
 	    $main->requireJSResource('resources/js/browsehelper.js');
-	  
+
         $oTemplating =& KTTemplating::getSingleton();
         $oTemplate = $oTemplating->loadTemplate('kt3/document_collection');
         $aTemplateData = array(
@@ -603,10 +603,10 @@ class AdvancedCollection {
 		    'currentpage' => $this->batchPage,
             'returnURL' => $this->returnURL,
             'columncount' => count($this->columns),
-            'bIsBrowseCollection' => $this->is_browse,            
+            'bIsBrowseCollection' => $this->is_browse,
             'batch_size' => $this->batchSize,
         );
-        
+
         // in order to allow OTHER things than batch to move us around, we do:
         return $oTemplate->render($aTemplateData);
     }
@@ -6,7 +6,7 @@
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -42,76 +42,76 @@ require_once(KT_LIB_DIR . &#39;/documentmanagement/documentmetadataversion.inc.php&#39;)
 class Document {
     var $iId;
-    
+
     var $_oDocumentCore = null;
     var $_oDocumentContentVersion = null;
     var $_oDocumentMetadataVersion = null;
-    
+
     var $iCurrentMetadataVersionId = null;
     // {{{ getters/setters
     // locally stored info.
-    
+
     function getId() { return $this->iId; }
-    
+
     // Document Core
-    
+
     function getFolderID() { return $this->_oDocumentCore->getFolderId(); }
     function setFolderID($iNewValue) { $this->_oDocumentCore->setFolderId($iNewValue); }
     function getFullPath() { return $this->_oDocumentCore->getFullPath(); }
-    
+
     function getCreatorID() { return $this->_oDocumentCore->getCreatorId(); }
     function setCreatorID($iNewValue) { $this->_oDocumentCore->setCreatorId($iNewValue); }
-    
+
     function getOwnerID() { return $this->_oDocumentCore->getOwnerId(); }
     function setOwnerID($iNewValue) { $this->_oDocumentCore->setOwnerId($iNewValue); }
-    
+
     function getLastModifiedDate() { return $this->_oDocumentCore->getLastModifiedDate(); }
     function setLastModifiedDate($dNewValue) { $this->_oDocumentCore->setLastModifiedDate($dNewValue); }
-    
+
     function getCreatedDateTime() { return $this->_oDocumentCore->getCreatedDateTime(); }
-    
+
     function getIsCheckedOut() { return $this->_oDocumentCore->getIsCheckedOut(); }
     function setIsCheckedOut($bNewValue) { $this->_oDocumentCore->setIsCheckedOut(KTUtil::anyToBool($bNewValue)); }
-    
+
     function getCheckedOutUserID() { return $this->_oDocumentCore->getCheckedOutUserId(); }
     function setCheckedOutUserID($iNewValue) { $this->_oDocumentCore->setCheckedOutUserId($iNewValue); }
-    
+
     function getPermissionObjectID() { return $this->_oDocumentCore->getPermissionObjectId(); }
     function setPermissionObjectID($iNewValue) { $this->_oDocumentCore->setPermissionObjectId($iNewValue); }
-    
+
     function getPermissionLookupID() { return $this->_oDocumentCore->getPermissionLookupId(); }
     function setPermissionLookupID($iNewValue) { $this->_oDocumentCore->setPermissionLookupId($iNewValue); }
-        
+
     function getModifiedUserId() { return $this->_oDocumentCore->getModifiedUserId(); }
     function setModifiedUserId($iNewValue) { $this->_oDocumentCore->setModifiedUserId($iNewValue); }
     function getImmutable() { return $this->_oDocumentCore->getImmutable(); }
     function setImmutable($mValue) { $this->_oDocumentCore->setImmutable($mValue); }
-    
+
     function getRestoreFolderId() { return $this->_oDocumentCore->getRestoreFolderId(); }
-    function setRestoreFolderId($iValue) { $this->_oDocumentCore->setRestoreFolderId($iValue); }    
+    function setRestoreFolderId($iValue) { $this->_oDocumentCore->setRestoreFolderId($iValue); }
     function getRestoreFolderPath() { return $this->_oDocumentCore->getRestoreFolderPath(); }
-    function setRestoreFolderPath($sValue) { $this->_oDocumentCore->setRestoreFolderPath($sValue); }    
-    
-    
+    function setRestoreFolderPath($sValue) { $this->_oDocumentCore->setRestoreFolderPath($sValue); }
+
+
     // Document Metadata Items
-    
+
     function getDocumentTypeID() { return $this->_oDocumentMetadataVersion->getDocumentTypeId(); }
     function setDocumentTypeID($sNewValue) { $this->_oDocumentMetadataVersion->setDocumentTypeId($sNewValue); }
-    
+
     function getName() { return $this->_oDocumentMetadataVersion->getName(); }
     function setName($sNewValue) { $this->_oDocumentMetadataVersion->setName($sNewValue); }
     function getDescription() { return $this->_oDocumentMetadataVersion->getDescription(); }
     function setDescription($sNewValue) { $this->_oDocumentMetadataVersion->setDescription($sNewValue); }
-    
+
     function getStatusID() { return $this->_oDocumentCore->getStatusId(); }
     function setStatusID($iNewValue) { $this->_oDocumentMetadataVersion->setStatusId($iNewValue); $this->_oDocumentCore->setStatusId($iNewValue); }
-    
+
     function getMetadataVersion() { return $this->_oDocumentMetadataVersion->getMetadataVersion(); }
     function setMetadataVersion($iNewValue) { $this->_oDocumentMetadataVersion->getMetadataVersion($iNewValue); }
@@ -120,7 +120,7 @@ class Document {
     function getContentVersionId() { return $this->_oDocumentMetadataVersion->getContentVersionId(); }
     function setContentVersionId($iNewValue) { $this->_oDocumentMetadataVersion->setContentVersionId($iNewValue); }
-    
+
     function getVersionCreated() { return $this->_oDocumentMetadataVersion->getVersionCreated(); }
     function getVersionCreatorId() { return $this->_oDocumentMetadataVersion->getVersionCreatorId(); }
@@ -129,29 +129,29 @@ class Document {
     function getWorkflowStateId() { return $this->_oDocumentMetadataVersion->getWorkflowStateId(); }
     function setWorkflowStateId($mValue) { $this->_oDocumentMetadataVersion->setWorkflowStateId($mValue); }
-    // Document Content Version   
-    
+    // Document Content Version
+
     function getFileName() { return $this->_oDocumentContentVersion->getFileName(); }
     function setFileName($sNewValue) { $this->_oDocumentContentVersion->setFileName($sNewValue); }
-    
+
     function getFileSize() { return $this->_oDocumentContentVersion->getSize(); }
     function setFileSize($iNewValue) { $this->_oDocumentContentVersion->setSize($iNewValue); }
-    
+
     function getSize() { return $this->_oDocumentContentVersion->getSize(); }
     function setSize($iNewValue) { $this->_oDocumentContentVersion->setSize($iNewValue); }
-    
+
     function getMimeTypeID() { return $this->_oDocumentContentVersion->getMimeTypeId(); }
     function setMimeTypeID($iNewValue) { $this->_oDocumentContentVersion->setMimeTypeId($iNewValue); }
-    
+
     function getMajorVersionNumber() { return $this->_oDocumentContentVersion->getMajorVersionNumber(); }
     function setMajorVersionNumber($iNewValue) { $this->_oDocumentContentVersion->setMajorVersionNumber($iNewValue); }
-    
+
     function getMinorVersionNumber() { return $this->_oDocumentContentVersion->getMinorVersionNumber(); }
     function setMinorVersionNumber($iNewValue) { $this->_oDocumentContentVersion->setMinorVersionNumber($iNewValue); }
     function getStoragePath() { return $this->_oDocumentContentVersion->getStoragePath(); }
     function setStoragePath($sNewValue) { $this->_oDocumentContentVersion->setStoragePath($sNewValue); }
-    
+
     // }}}
     // {{{ getParentID
@@ -190,10 +190,10 @@ class Document {
     function update($bPathMove = false) {
         $res = $this->_oDocumentCore->update($bPathMove);
         if (PEAR::isError($res)) { var_dump($res); return $res; }
-        
+
         $res = $this->_oDocumentContentVersion->update($bPathMove);
         if (PEAR::isError($res)) { var_dump($res); return $res; }
-        
+
         $res = $this->_oDocumentMetadataVersion->update($bPathMove);
         if (PEAR::isError($res)) { var_dump($res); return $res; }
@@ -209,7 +209,7 @@ class Document {
         $iId = (int)$iId;
         $oDocument = new Document();
         $res = $oDocument->load($iId, $iMetadataVersion);
-        if (PEAR::isError($res)) { 
+        if (PEAR::isError($res)) {
             return $res;
         }
         return $oDocument;
@@ -221,21 +221,21 @@ class Document {
         $this->iId = $iId;
         $this->_oDocumentCore = KTDocumentCore::get($iId);
         if (PEAR::isError($this->_oDocumentCore)) { return $this->_oDocumentCore; }
-        
+
         // FIXME add error $res if MDV > $_oDC->getMDV
-        if (is_null($iMetadataVersionId)) { 
-            $this->_oDocumentMetadataVersion = KTDocumentMetadataVersion::get($this->_oDocumentCore->getMetadataVersionId()); 
+        if (is_null($iMetadataVersionId)) {
+            $this->_oDocumentMetadataVersion = KTDocumentMetadataVersion::get($this->_oDocumentCore->getMetadataVersionId());
             $this->iCurrentMetadataVersionId = $this->_oDocumentCore->getMetadataVersionId();
         } else {
             $this->_oDocumentMetadataVersion = KTDocumentMetadataVersion::get($iMetadataVersionId);
             $this->iCurrentMetadataVersionId = $iMetadataVersionId;
         }
-        if (PEAR::isError($this->_oDocumentMetadataVersion)) 
-        { 
-        //	var_dump($this->_oDocumentMetadataVersion); 
-        	return $this->_oDocumentMetadataVersion; 
+        if (PEAR::isError($this->_oDocumentMetadataVersion))
+        {
+        //	var_dump($this->_oDocumentMetadataVersion);
+        	return $this->_oDocumentMetadataVersion;
         }
-        
+
         $this->_oDocumentContentVersion = KTDocumentContentVersion::get($this->_oDocumentMetadataVersion->getContentVersionId());
         if (PEAR::isError($this->_oDocumentContentVersion)) { return $this->_oDocumentContentVersion; }
     }
@@ -278,7 +278,7 @@ class Document {
         $sFolderPath = Folder::getFolderDisplayPath($this->getFolderID());
         // #3425 for consistency
         return ($bDisplayIcon ? $this->getIcon() : "") .
-           ($sFolderPath == "" ? "Deleted Folder" : $sFolderPath) . " &raquo; " . $this->getName();
+           ($sFolderPath == "" ? "Deleted Folder" : $sFolderPath) . " &raquo; " . sanitizeForHTML($this->getName());
     }
     // }}}
@@ -308,7 +308,7 @@ class Document {
         return true;
     }
     // }}}
-    
+
     function &getByFilenameAndFolder($sFileName, $iFolderID) {
         $sD = KTUtil::getTableName('documents');
         $sDM = KTUtil::getTableName('document_metadata_version');
@@ -319,7 +319,7 @@ class Document {
             WHERE DC.filename = ? AND D.folder_id = ?";
         $aParams = array($sFileName, $iFolderID);
         $id = DBUtil::getOneResultKey(array($sQuery, $aParams), 'id');
-        return Document::get($id);   
+        return Document::get($id);
     }
     // {{{ nameExists
@@ -359,7 +359,7 @@ class Document {
             WHERE DM.name = ? AND D.folder_id = ?";
         $aParams = array($sName, $iFolderID);
         $id = DBUtil::getOneResultKey(array($sQuery, $aParams), 'id');
-        return Document::get($id);   
+        return Document::get($id);
     }
     // {{{ getDocumentDisplayPath
@@ -384,7 +384,7 @@ class Document {
         // FIXME this appears to be deprecated, or at least should be
         $sTable = KTUtil::getTableName('document_text');
         $sQuery = "DELETE FROM $sTable WHERE document_id = ?";
-        $aParams = array($iDocumentID);        
+        $aParams = array($iDocumentID);
         $res = DBUtil::runQuery(array($sQuery, $aParams));
         return $res;
     }
@@ -397,7 +397,7 @@ class Document {
             'permission_lookup_id' => $iLookupID,
             'status_id' => LIVE,
         ), array('multi' => true, 'ids' => true));
-        
+
         $aList = array();
         foreach ($aIds as $iId) {
             $aList[] = Document::get($iId);
@@ -418,7 +418,7 @@ class Document {
         $aParams = array($iStateId);
         $aIds = DBUtil::getResultArrayKey(array($sQuery, $aParams), 'document_id');
-        
+
         $aList = array();
         foreach ($aIds as $iId) {
             $aList[] = Document::get($iId);
@@ -442,19 +442,19 @@ class Document {
         */
         $oDocument = new Document();
         $aOptions = array_change_key_case($aOptions);
-        
-        
+
+
         $aCoreKeys = array(
             "CreatorId",
             "Created",
             "ModifiedUserId",
             "Modified",
-            "FolderId", 
+            "FolderId",
             "StatusId",
-            "RestoreFolderId",            
+            "RestoreFolderId",
             "RestoreFolderPath",
         );
-        
+
         $aCore = array();
         foreach ($aCoreKeys as $sKey) {
             $sKey = strtolower($sKey);
@@ -463,7 +463,7 @@ class Document {
                 $aCore[$sKey] = $sValue;
             }
         }
-        
+
         $aMetadataVersionKeys = array(
             "MetadataVersion",
             "ContentVersionId",
@@ -474,7 +474,7 @@ class Document {
             "VersionCreated",
             "VersionCreatorId",
         );
-        
+
         $aMetadataVersion = array();
         foreach ($aMetadataVersionKeys as $sKey) {
             $sKey = strtolower($sKey);
@@ -484,7 +484,7 @@ class Document {
             }
         }
         $aMetadataVersion['VersionCreatorId'] = $aCore['creatorid'];
-        
+
         $aContentKeys = array(
             "Filename",
             "Size",
@@ -493,7 +493,7 @@ class Document {
             "MinorVersion",
             "StoragePath",
         );
-        
+
         $aContentVersion = array();
         foreach ($aContentKeys as $sKey) {
             $sKey = strtolower($sKey);
@@ -501,8 +501,8 @@ class Document {
             if (!is_null($sValue)) {
                 $aContentVersion[$sKey] = $sValue;
             }
-        }        
-        
+        }
+
         $oDocument->_oDocumentCore = KTDocumentCore::createFromArray($aCore);
         if (PEAR::isError($oDocument->_oDocumentCore)) {
             return $oDocument->_oDocumentCore;
@@ -592,11 +592,11 @@ class Document {
     // }}}
     function clearAllCaches() {
-        
+
         KTEntityUtil::clearAllCaches('KTDocumentCore');
         KTEntityUtil::clearAllCaches('KTDocumentContentVersion');
         KTEntityUtil::clearAllCaches('KTDocumentMetadataVersion');
-        
+
         return KTEntityUtil::clearAllCaches('Document');
     }
@@ -606,7 +606,7 @@ class Document {
         $sQuery = sprintf("SELECT comment FROM %s
                            WHERE transaction_namespace = ? AND document_id = ?
-                           ORDER BY datetime DESC", 
+                           ORDER BY datetime DESC",
 			  $sDocumentTransactionTable, $sDocumentMetadataTable);
 	$aParams = array($sTransactionNamespace, $this->getId());
@@ -628,10 +628,10 @@ class Document {
 	$aComment = explode(':', $sComment);
 	return trim($aComment[1]);
     }
-    
-	
+
+
 }
 ?>
@@ -8,7 +8,7 @@
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -19,9 +19,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -35,7 +35,7 @@ require_once(KT_LIB_DIR . &quot;/documentmanagement/Document.inc&quot;);
 require_once(KT_LIB_DIR . "/util/sanitize.inc");
 class Folder extends KTEntity {
-	
+
 	/** folder primary key */
 	var $iId;
 	/** folder name */
@@ -45,7 +45,7 @@ class Folder extends KTEntity {
 	/** folder parent primary key */
 	var $iParentID;
 	/** primary key of user who created folder */
-	var $iCreatorID;	
+	var $iCreatorID;
 	/** public status of folder */
 	var $bIsPublic = false;
 	/** comma deliminated string of parent ids */
@@ -74,12 +74,12 @@ class Folder extends KTEntity {
         'bRestrictDocumentTypes' => 'restrict_document_types',
     );
     // }}}
-	
+
 	function getID() { return $this->iId; }
 	function getName() { return sanitizeForSQLtoHTML($this->sName); }
 	function setName($sNewValue) { $this->sName = sanitizeForSQL($sNewValue); }
-	function getDescription() { return sanitizeForSQLtoHTML($this->sDescription); } 
-	function setDescription($sNewValue) { $this->sDescription = sanitizeForSQL($sNewValue); } 
+	function getDescription() { return sanitizeForSQLtoHTML($this->sDescription); }
+	function setDescription($sNewValue) { $this->sDescription = sanitizeForSQL($sNewValue); }
 	function getParentID() { return $this->iParentID; }
 	function setParentID($iNewValue) { $this->iParentID = $iNewValue; }
 	function getCreatorID() { return $this->iCreatorID; }
@@ -111,7 +111,7 @@ class Folder extends KTEntity {
         /**
          * Returns a comma delimited string containing the parent folder ids, strips leading /
-         * 
+         *
          * @return String	comma delimited string containing the parent folder ids
          */
         function generateFolderIDs($iFolderId) {
@@ -136,13 +136,13 @@ class Folder extends KTEntity {
             }
             return sprintf('%s,%s,%s', $sParentFolderParentFolderIds, $iParentId, $oFolder->getId());
         }
-	
+
 	/**
 	 * Recursively generates forward slash deliminated string giving full path of document
 	 * from file system root url
 	 */
 	function generateFullFolderPath($iFolderId) {
-		//if the folder is not the root folder 
+		//if the folder is not the root folder
 		if ($iFolderId == 0) {
             return;
         }
@@ -167,13 +167,13 @@ class Folder extends KTEntity {
         }
         return sprintf('%s/%s', $res, $oFolder->getName());
 	}
-	
+
 	/**
 	 * Returns a forward slash deliminated string giving full path of document, strips leading /
-	 */	
+	 */
 	function generateFolderPath($iFolderID) {
 		$sPath = Folder::generateFullFolderPath($iFolderID);
-		return $sPath;			
+		return $sPath;
 	}
     function _fieldValues () {
@@ -197,7 +197,7 @@ class Folder extends KTEntity {
         global $default;
         return $default->folders_table;
     }
-	
+
 	/**
 	* Update the current folder values in the database
 	*
@@ -206,7 +206,7 @@ class Folder extends KTEntity {
 	function update($bPathChange = false) {
         $res = parent::update();
         if ($res === true) {
-            if ($bPathChange) {				
+            if ($bPathChange) {
                 // XXX: TransactionCheckPoint
                 $this->updateChildPaths($this->iId);
                 $this->updateDocumentPaths($this->iId);
@@ -214,15 +214,15 @@ class Folder extends KTEntity {
         }
         return $res;
 	}
-	
+
 	function renameFolder($sOldPath) {
 		PhysicalFolderManagement::renameFolder($sOldPath, $default->documentRoot . "/" . $this->sFullPath . "/" . $this->sName);
 	}
-	
+
 	/**
 	* When a folder is renamed, we must update
 	* the paths of the children in the database
-	* 
+	*
 	*/
 	function updateChildPaths($iId) {
 		global $default;
@@ -230,7 +230,7 @@ class Folder extends KTEntity {
         $sql = $default->db;
 		$aFolders =& Folder::getByParentId($iId);
 		foreach ($aFolders as $oFolder) {
-			$oFolder->update(true);		
+			$oFolder->update(true);
 		}
 		return;
 	}
@@ -256,7 +256,7 @@ class Folder extends KTEntity {
         }
         return true;
     }
-	
+
     /**
      * Returns the documents in this folder
      */
@@ -270,7 +270,7 @@ class Folder extends KTEntity {
 		}
 		return implode(',', $res);
     }
-	
+
     function &get($iFolderID) {
         return KTEntityUtil::get('Folder', $iFolderID);
     }
@@ -288,7 +288,7 @@ class Folder extends KTEntity {
         }
         return ($res != 0); // handle pre-existing duplicates gracefully.
 	}
-	
+
 	/**
     * Static function
     * Get a list of Documents
@@ -304,13 +304,13 @@ class Folder extends KTEntity {
 	/**
 	* Static function.
 	* Get the full path for a folder
-	* 
-	* @param 	Primary key of folder to generate path for	
+	*
+	* @param 	Primary key of folder to generate path for
 	*
 	* @return String full path of folder
 	*/
 	function getFolderPath($iFolderID) {
-		global $default;		
+		global $default;
 		$oFolder = Folder::get($iFolderID);
 		$sPath = $default->documentRoot . "/" . $oFolder->getFullPath() . "/" . $oFolder->getName() . "/";
 		return $sPath;
@@ -319,18 +319,18 @@ class Folder extends KTEntity {
 	/**
      * Static function.
      * Get the full path for a folder as an array
-     * 
-     * @param int primary key of folder to generate path for	
+     *
+     * @param int primary key of folder to generate path for
      *
      * @return array full path of folder as an array of folderIDs
      */
     function getFolderPathNamesAsArray($iFolderID) {
 		global $default;
 		$oFolder = Folder::get($iFolderID);
-		$aPathArray = array();		
+		$aPathArray = array();
 		if ($oFolder) {
 			if (strlen($oFolder->getFullPath()) > 0) {
-				if (strlen($oFolder->getFullPath()) > 1) {				
+				if (strlen($oFolder->getFullPath()) > 1) {
 					$aPathArray = explode("/",$oFolder->getFullPath());
 				} else {
 					$aPathArray = array($oFolder->getFullPath());
@@ -348,17 +348,17 @@ class Folder extends KTEntity {
         return Folder::getFolderPathNamesAsArray($this->getID());
     }
     // }}}
-	
+
 	/**
      * Static function.
      * Get the full path for a folder as an array
-     * 
-     * @param int primary key of folder to generate path for	
+     *
+     * @param int primary key of folder to generate path for
      *
      * @return array full path of folder as an array of folderIDs
      */
     function getFolderPathAsArray($iFolderID) {
-		global $default;		
+		global $default;
 		$oFolder = Folder::get($iFolderID);
         if ($oFolder === false) {
             return false;
@@ -366,36 +366,41 @@ class Folder extends KTEntity {
 		if (strlen($oFolder->getParentFolderIDs()) > 0) {
             if ($oFolder->iParentID == 0) {
                 $aPathArray = array();
-            } else if (strlen($oFolder->getParentFolderIDs()) > 1) {				
+            } else if (strlen($oFolder->getParentFolderIDs()) > 1) {
 				$aPathArray = explode(",",$oFolder->getParentFolderIDs());
 			} else {
 				$aPathArray = array($oFolder->getParentFolderIDs());
 			}
 			$aPathArray[count($aPathArray)] = $oFolder->getID();
-		} else {			
+		} else {
 			$aPathArray = array($oFolder->getID());
-		}		
+		}
 		return $aPathArray;
     }
-	
+
 	/**
 	* Static function.
 	* Get the path for a folder that will be displated to the user
-	* 
-	* @param 	Primary key of folder to generate path for	
+	*
+	* @param 	Primary key of folder to generate path for
 	*
 	* @return String full path of folder
 	*/
 	function getFolderDisplayPath($iFolderID) {
 		global $default;
         $aPathNamesArray = Folder::getFolderPathNamesAsArray($iFolderID);
+
+        foreach($aPathNamesArray as $k=>$v)
+        {
+            $aPathNamesArray[$k] = sanitizeForHTML($v);
+        }
         if (count($aPathNamesArray) > 0) {
         	return implode(" &raquo; ", $aPathNamesArray);
         } else {
         	return "";
         }
 	}
-	
+
 	/**
 	* Static function
 	* Get the primary key of the parent folder
@@ -404,14 +409,14 @@ class Folder extends KTEntity {
 	*
 	* @return integer primary key of parent folder
 	*/
-	function getParentFolderID($iFolderID) {		
+	function getParentFolderID($iFolderID) {
 		if ($iFolderID != 0) {
 		    $oFolder = Folder::get($iFolderID);
 			return $oFolder->getParentFolderID();
 		}
 		return 0;
 	}
-	
+
 	/**
 	* Static function
 	* Checks if a given folder already exists using the folder name
@@ -431,7 +436,7 @@ class Folder extends KTEntity {
 		}
 		return false;
 	}
-	
+
 	/**
 	* Checks if a given folder already exists using the folder name
 	*
@@ -441,13 +446,13 @@ class Folder extends KTEntity {
 	*/
 	function folderExistsID($iFolderID) {
 		$oFolder = Folder::get($iFolderID);
-		if (PEAR::isError($oFolder)) { 
+		if (PEAR::isError($oFolder)) {
 		    return false; // no such folder, or bad ID
 		} else {
 		    return true;
 		}
 	}
-	
+
 	/**
 	* Get the folder name using the primary key
 	*
@@ -463,15 +468,15 @@ class Folder extends KTEntity {
 		    return $oFolder->getName();
 		}
 	}
-	
-	
+
+
     function getByParentIDAndLookupID($iParentID, $iLookupID) {
         return KTEntityUtil::getByDict('Folder', array(
             'parent_id' => $iParentID,
             'permission_lookup_id' => $iLookupID,
         ), array('multi' => true));
     }
-	
+
 	function getByParentId($iParentID) {
 	    return KTEntityUtil::getByDict('Folder', array(
             'parent_id' => $iParentID,
 <?php
 /**
  * $Id$
- *    
+ *
  * The contents of this file are subject to the KnowledgeTree Public
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -31,7 +31,7 @@
 /* handle basic machinery for form handling, including working with
  * widgets, sessions and validation
  */
- 
+
 require_once(KT_LIB_DIR . "/widgets/widgetfactory.inc.php");
 require_once(KT_LIB_DIR . "/validation/validatorfactory.inc.php");
@@ -39,11 +39,11 @@ class KTForm {
     // serialisation info
     var $_kt_form_name;
     var $sIdentifier; // a simple identifier.
-    
+
     // visual options
     var $sLabel;
     var $sDescription;
-    
+
     // core storage options
     var $_widgets;          // what widgets get stored
     var $_validators;       // validators
@@ -59,12 +59,12 @@ class KTForm {
     var $_errors;
     var $_method;
     var $_noframe;
-    
+
     var $_oVF;
     var $_oWF;
-    
-    
+
+
     // we don't use a constructor here, rather use aOptions
     function setOptions($aOptions) {
         // we grab the "context" dispatcher(ish) object here
@@ -72,16 +72,16 @@ class KTForm {
         $this->_context =& $context;
         // form identifier (namespace)
-        $this->sIdentifier = KTUtil::arrayGet($aOptions, 'identifier','kt.default');        
+        $this->sIdentifier = KTUtil::arrayGet($aOptions, 'identifier','kt.default');
         // form name
-        $this->_kt_form_name = KTUtil::arrayGet($aOptions, '_kt_form_name', 
+        $this->_kt_form_name = KTUtil::arrayGet($aOptions, '_kt_form_name',
             $this->generateFormName($this->sIdentifier), false);
-        
+
         // form labelling
         $this->sLabel = KTUtil::arrayGet($aOptions, 'label');
         $this->sDescription = KTUtil::arrayGet($aOptions, 'description');
-        
+
         // actions
         $this->_action = KTUtil::arrayGet($aOptions, 'action');
         $qs = KTUtil::arrayGet($aOptions, 'actionparams','');
@@ -91,7 +91,7 @@ class KTForm {
                 $this->_enctype="multipart/form-data";
             }
         }
-        
+
         $targeturl = KTUtil::arrayGet($aOptions, 'targeturl', false);
         if($targeturl === false) {
             $this->_actionurl = KTUtil::addQueryStringSelf($qs);
@@ -114,43 +114,43 @@ class KTForm {
         }
         $this->_noframe = KTUtil::arrayGet($aOptions, 'noframe', false);
-        
+
         // cancel
         // there are a few options here:
         //   1. cancel_action
         //   2. cancel_url
         $cancel_action = KTUtil::arrayGet($aOptions, 'cancel_action');
         $cancel_url = KTUtil::arrayGet($aOptions, 'cancel_url');
-        
+
         if (!empty($cancel_action)) {
-            $this->bCancel = true; 
+            $this->bCancel = true;
             // there are two cases here - if we have a context, we can
             // use the meldPersistQuery to create the url.
             if (!is_null($context)) {
-                $sQuery = $context->meldPersistQuery("", 
+                $sQuery = $context->meldPersistQuery("",
                     $cancel_action);
-                $this->_cancelurl = 
+                $this->_cancelurl =
                     KTUtil::addQueryString($_SERVER['PHP_SELF'], $sQuery);
             } else {
                 // give it a try using addQSSelf
                 $this->_cancelurl = KTUtil::addQueryStringSelf(
-                    sprintf('%s=%s', $this->_event, $cancel_action));           
+                    sprintf('%s=%s', $this->_event, $cancel_action));
             }
-            
-            
+
+
         } else if (!empty($cancel_url)) {
-            $this->bCancel = true;                        
+            $this->bCancel = true;
             $this->_cancelurl = $cancel_url;
         } else {
             $this->bCancel = false;
         }
-        
+
         // FIXME process extra arguments more intelligently
         $default_args = array();
         if (!is_null($this->_context)) {
             $default_args = $this->_context->meldPersistQuery("","",true);
         }
-        $this->_extraargs = KTUtil::arrayGet($aOptions, 
+        $this->_extraargs = KTUtil::arrayGet($aOptions,
             'extraargs', $default_args);
         // method
@@ -158,7 +158,7 @@ class KTForm {
         $this->_extraargs['postReceived'] = 1;
     }
-    
+
     function getWidget(&$aInfo) {
         if (is_null($this->_oWF)) {
             $this->_oWF =& KTWidgetFactory::getSingleton();
@@ -167,13 +167,13 @@ class KTForm {
         if (is_null($aInfo)) {
             $widget = null;
         } else if (is_object($aInfo)) {
-        
+
             // assume this is a fully configured object
             $widget =& $aInfo;
         } else {
             $namespaceOrObject = $aInfo[0];
             $config = (array) $aInfo[1];
-            
+
             $widget =& $this->_oWF->get($namespaceOrObject, $config);
         }
@@ -183,10 +183,10 @@ class KTForm {
     function getValidator($aInfo) {
         if (is_null($this->_oVF)) {
             $this->_oVF =& KTValidatorFactory::getSingleton();
-        }        
-        
+        }
+
         $validator = null;
-        
+
         // we don't want to expose the factory stuff to the user - its an
         // arbitrary distinction to the user.  Good point from NBM ;)
         if (is_null($aInfo)) {
@@ -197,29 +197,29 @@ class KTForm {
         } else {
             $namespaceOrObject = $aInfo[0];
             $config = (array) $aInfo[1];
-                
+
             $validator =& $this->_oVF->get($namespaceOrObject, $config);
         }
-        
+
         return $validator;
     }
-    
+
     // set the "form widgets" that will be used.
     // these are pushed into the "data" component
     function setWidgets($aWidgets) {
         $this->_widgets = array();
-        
+
         if (is_null($this->_oWF)) {
             $this->_oWF =& KTWidgetFactory::getSingleton();
         }
-        
+
         $this->addWidgets($aWidgets);
     }
-    
+
     function addWidgets($aWidgets) {
-        foreach ($aWidgets as $aInfo) {    
+        foreach ($aWidgets as $aInfo) {
             $widget = $this->getWidget($aInfo);
-            
+
             if (is_null($widget)) {
                 continue;
             } else {
@@ -227,51 +227,51 @@ class KTForm {
             }
         }
     }
-    
+
     function setValidators($aValidators) {
         $this->_validators = array();
-        
+
         if (is_null($this->_oVF)) {
             $this->_oVF =& KTValidatorFactory::getSingleton();
-        }        
-        
+        }
+
         $this->addValidators($aValidators);
     }
-    
+
     function addValidators($aValidators) {
         // we don't want to expose the factory stuff to the user - its an
         // arbitrary distinction to the user.  Good point from NBM ;)
         foreach ($aValidators as $aInfo) {
             $validator = $this->getValidator($aInfo);
-        
+
             if (is_null($validator)) {
                 continue;
             } else {
                 $this->_validators[] = $validator;
             }
-        }    
+        }
     }
-    
+
     function addValidator($aInfo) {
         $validator = $this->getValidator($aInfo);
-            
+
         if (is_null($validator)) {
             return false;
         } else {
             $this->_validators[] =& $validator;
-        }    
+        }
     }
-    
+
     function addWidget($aInfo) {
         $widget = $this->getWidget($aInfo);
-    
+
         if (is_null($widget)) {
             return false;
         } else {
             $this->_widgets[] =& $widget;
-        }    
-    }    
-    
+        }
+    }
+
     function addInitializedWidget($oWidget) {
         $this->_widgets[] = $oWidget;
     }
@@ -279,10 +279,10 @@ class KTForm {
     function render() {
         $sWidgets = $this->renderWidgets();
         $sButtons = $this->renderButtons();
-        
+
         return $this->renderContaining($sWidgets . ' ' . $sButtons);
     }
-    
+
     function renderPage($sTitle = null, $sDescription = null) {
         if ($sTitle == null) {
             $sTitle = $this->sLabel;
@@ -292,35 +292,35 @@ class KTForm {
         if (!is_null($sDescription)) {
             $sHelpText = sprintf('<p class="descriptiveText">%s</p>', $sDescription);
         }
-        return sprintf('<h2>%s</h2> %s %s', $sTitle, $sHelpText, $pageval);
-    }    
-    
+        return sprintf('<h2>%s</h2> %s %s', sanitizeForHTML($sTitle), $sHelpText, $pageval);
+    }
+
     function getErrors() {
         $aErrors = array();
-        $old_data = KTUtil::arrayGet((array) $_SESSION['_kt_old_data'], 
+        $old_data = KTUtil::arrayGet((array) $_SESSION['_kt_old_data'],
             $this->_kt_form_name, array());
         if (KTUtil::arrayGet($old_data, 'identifier') == $this->sIdentifier) {
             $aErrors = (array) unserialize(KTUtil::arrayGet($old_data, 'errors'));
-        }    
+        }
         return $aErrors;
     }
-    
+
     function renderWidgets() {
         if (empty($this->_widgets)) {
             return '&nbsp;';
         }
-        
+
         // do this all at the *last* possible moment
         // now we need to do two things:
         //
-        //   1. inform each "widget" that it needs to wrap itself inside 
+        //   1. inform each "widget" that it needs to wrap itself inside
         //      the "data" var
-        //   2. replace the widget's default values with the ones from the 
+        //   2. replace the widget's default values with the ones from the
         //      failed request, as appropriate.
         $bUseOld = false;
         $aOldData = array();
         $aErrors = array();
-        $old_data = KTUtil::arrayGet((array) $_SESSION['_kt_old_data'], 
+        $old_data = KTUtil::arrayGet((array) $_SESSION['_kt_old_data'],
             $this->_kt_form_name, array());
         if (KTUtil::arrayGet($old_data, 'identifier') == $this->sIdentifier) {
             $bUseOld = true;
@@ -331,7 +331,7 @@ class KTForm {
             }
             $aErrors = (array) unserialize(KTUtil::arrayGet($old_data, 'errors'));
         }
-        
+
         foreach ($this->_widgets as $k => $v) {
             if (PEAR::isError($v)) {
                 continue; // error, handle it in render.
@@ -339,16 +339,16 @@ class KTForm {
             $widget =& $this->_widgets[$k]; // reference needed since we're changing them
             $widget->wrapName('data');
             if ($bUseOld) {
-                $widget->setDefault(KTUtil::arrayGet($aOldData, $widget->getBasename(), 
+                $widget->setDefault(KTUtil::arrayGet($aOldData, $widget->getBasename(),
                     $widget->getDefault(), false));
                 $widget->setErrors(KTUtil::arrayGet($aErrors, $widget->getBasename()));
             }
         }
-        
+
         // too much overhead by half to use a template here
         // so we do it the "old fashioned" way.
         $rendered = array();
-        
+
         foreach ($this->_widgets as $v) {
             if (PEAR::isError($v)) {
                 $rendered[] = sprintf(_kt('<div class="ktError"><p>Unable to show widget &mdash; %s</p></div>'), $v->getMessage());
@@ -356,45 +356,45 @@ class KTForm {
                 $rendered[] = $v->render();
             }
         }
-        
+
         return implode(' ', $rendered);
     }
-    
+
     function renderButtons() {
         $oKTTemplating =& KTTemplating::getSingleton();
         $oTemplate = $oKTTemplating->loadTemplate('ktcore/forms/buttons');
-        
+
         // now do the render.
         $oTemplate->setData(array(
-           'context' => &$this, 
+           'context' => &$this,
         ));
-        
+
         return $oTemplate->render();
     }
-    
+
     function renderContaining() {
-    
+
         $args = func_get_args();
         $sInner = implode(' ', $args);
-    
+
         $oKTTemplating =& KTTemplating::getSingleton();
         $oTemplate = $oKTTemplating->loadTemplate('ktcore/forms/outerform');
-        
+
         // remove inner "action" var from extraargs
         // if its there at all.
         unset($this->_extraargs[$this->_event]);
         $this->_extraargs['_kt_form_name'] = $this->_kt_form_name;
-        
+
         // now do the render.
         $oTemplate->setData(array(
-           'context' => &$this, 
+           'context' => &$this,
            'inner' => $sInner,
         ));
-        
+
         return $oTemplate->render();
     }
-    
-    function generateFormName($sIdentifier = null) {    
+
+    function generateFormName($sIdentifier = null) {
         if (!is_null($sIdentifier)) {
             // try use the existing one from the request.
             $existing = KTUtil::arrayGet($_REQUEST, '_kt_form_name');
@@ -409,62 +409,62 @@ class KTForm {
         }
         return KTUtil::randomString(32); // unique 32 char string
     }
-    
+
     function validate() {
         // we first ask each widget to pull its data out.
         // while we do that, we create the storage set for the session
         // that widgets can call on later.
-        
+
         $raw_data = KTUtil::arrayGet($_REQUEST, 'data');
         $processed_data = array();
         foreach ($this->_widgets as $oWidget) {
             if (PEAR::isError($oWidget)) {
                 continue;
             }
-            
-            // widgets are expected to place their data in the "basename" 
+
+            // widgets are expected to place their data in the "basename"
             // entry in the processed data area
             //
             // they should also be able to reconstruct their inputs from this
             // since its what they get later.
-            
+
             $res = $oWidget->process($raw_data);
             $processed_data = kt_array_merge($processed_data, $res);
         }
-    
+
         // before we validate ANYTHING we store data into the session
         $store_data = array(); // we only want to store serialized values here
         foreach ($processed_data as $k => $v) {
             $store_data[$k] = serialize($v);
         }
-        
+
         $_SESSION['_kt_old_data'][$this->_kt_form_name]['data'] = serialize($store_data);
-        $_SESSION['_kt_old_data'][$this->_kt_form_name]['identifier'] = 
-            $this->sIdentifier;        
-        $_SESSION['_kt_old_data'][$this->_kt_form_name]['created'] = 
+        $_SESSION['_kt_old_data'][$this->_kt_form_name]['identifier'] =
+            $this->sIdentifier;
+        $_SESSION['_kt_old_data'][$this->_kt_form_name]['created'] =
             getCurrentDateTime();
-        
+
         $results = array();
         $errors = array();
-        
+
         // some things can be checked by the actual widgets involved.  These
         // are obvious (e.g. required) and shouldn't require the developer to
         // think about them.
         //
         // to accomplish this, we call each widget's "getValidators" method.
-        // 
+        //
         // note that autovalidation can be turned off for a widget by passing
         // "autovalidate" => "false" in the widget's config.
-        
+
         $extra_validators = array();
         foreach ($this->_widgets as $oWidget) {
-            if (PEAR::isError($oWidget)) { 
+            if (PEAR::isError($oWidget)) {
                 continue;
             }
-            
+
             $res = $oWidget->getValidators();
-            
+
             if (!is_null($res)) {
                 if (is_array($res)) {
                     $extra_validators = kt_array_merge($extra_validators, $res);
@@ -473,23 +473,23 @@ class KTForm {
                 }
             }
         }
-        
+
         $validators = kt_array_merge($extra_validators, $this->_validators);
-        
+
         foreach ($validators as $oValidator) {
             if (PEAR::isError($oValidator)) {
                 // don't bother with broken validators, but warn the user/dev
                 $errors['_kt_global'][] = $oValidator->getMessage();
-                continue; 
+                continue;
             }
-            
+
             $res = $oValidator->validate($processed_data);
-            
+
             // results comes out with a set of names and values.
             // these *shouldn't* overlap, so just merge them
             $extra_results = KTUtil::arrayGet($res, 'results', array());
             $results = kt_array_merge($results, $extra_results);
-            
+
             // errors *can* overlap
             // the format is:
             //   basename => array(errors)
@@ -501,27 +501,27 @@ class KTForm {
             $extra_errors = KTUtil::arrayGet($res, 'errors', array());
             foreach ($extra_errors as $varname => $aErrors) {
                 if (is_string($aErrors)) {
-                    $errors[$varname][] = $aErrors; 
+                    $errors[$varname][] = $aErrors;
                 } else {
                     $errors[$varname] = kt_array_merge($errors[$varname], $aErrors);
                 }
             }
         }
-        
+
         $this->_errors = $errors; // store for later use without unserialising
         if (!empty($errors)) {
-            $_SESSION['_kt_old_data'][$this->_kt_form_name]['errors'] = 
+            $_SESSION['_kt_old_data'][$this->_kt_form_name]['errors'] =
                 serialize($errors);
-        } 
-        
+        }
+
         //var_dump($errors); exit(0);
-         
+
         return array(
             'errors' => $errors,
             'results' => $results,
         );
     }
-    
+
     function handleError($sGlobalError = null, $aSimplerErrors = null) {
         if (!is_null($sGlobalError)) {
             $this->_errors['_kt_global'][] = $sGlobalError;
@@ -531,23 +531,23 @@ class KTForm {
                 $this->_errors[$k] = kt_array_merge($this->_errors[$k], $v);
             }
             // since we've changed them, update the stored version
-            $_SESSION['_kt_old_data'][$this->_kt_form_name]['errors'] = 
-                serialize($this->_errors);           
+            $_SESSION['_kt_old_data'][$this->_kt_form_name]['errors'] =
+                serialize($this->_errors);
         }
         if (is_array($this->_errors)) {
             $global_errors = KTUtil::arrayGet($this->_errors, '_kt_global', array());
             $_SESSION['KTErrorMessage'] = kt_array_merge($_SESSION['KTErrorMessage'], $global_errors);
         }
-        
+
         if (!empty($this->_failaction) && !is_null($this->_context)) {
-            $this->_context->errorRedirectTo($this->_failaction, 
-                _kt("Please correct the errors indicated."), 
+            $this->_context->errorRedirectTo($this->_failaction,
+                _kt("Please correct the errors indicated."),
                 sprintf("_kt_form_name=%s",$this->_kt_form_name));
             exit(0);
         } else if ($this->_failurl){
             redirect(KTUtil::addQueryString($this->_failurl,
-                sprintf("_kt_form_name=%s",$this->_kt_form_name)));   
-            exit(0);         
+                sprintf("_kt_form_name=%s",$this->_kt_form_name)));
+            exit(0);
         } else {
             return '<div class="ktError"><p>' . _kt("An error occured, and no error handlers were configured.") . '</p></div>';
             exit(0);
@@ -11,7 +11,7 @@
 {foreach from=$folders item=oFolder}
     <tr class="browse_column {cycle values=odd,even}"><td><span 
        class="contenttype folder"><a {capture assign=fid}{$oFolder->getId()}{/capture}
-       href="{ktLink base="browse.php" query="fFolderId=`$fid`"}">{$oFolder->getName()}</a> </span>
+       href="{ktLink base="browse.php" query="fFolderId=`$fid`"}">{$oFolder->getName()|sanitize}</a> </span>
     </td></tr>
 {/foreach}
 </tbody>
 <?php
 /**
  * $Id$
- *    
+ *
  * The contents of this file are subject to the KnowledgeTree Public
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -41,40 +41,40 @@ class AdvancedTitleColumn extends AdvancedColumn {
     var $link_folders = true;
     var $link_documents = true;
-    function setOptions($aOptions) {        
+    function setOptions($aOptions) {
         $this->link_folders = KTUtil::arrayGet($aOptions, 'link_folders', $this->link_folders, false);
-        $this->link_documents = KTUtil::arrayGet($aOptions, 'link_documents', $this->link_documents, false);        
+        $this->link_documents = KTUtil::arrayGet($aOptions, 'link_documents', $this->link_documents, false);
         parent::setOptions($aOptions);
     }
-    
+
     function AdvancedTitleColumn() {
         $this->label = _kt("Title");
-    }    
-       
-    // what is used for sorting 
+    }
+
+    // what is used for sorting
     // query addition is:
     //    [0] => join claus
     //    [1] => join params
-    //    [2] => ORDER 
-    
-    function addToFolderQuery() { 
-        return array(null, 
-            null, 
+    //    [2] => ORDER
+
+    function addToFolderQuery() {
+        return array(null,
+            null,
             "F.name",
-        ); 
+        );
     }
-    function addToDocumentQuery() { 
-            return array(null, 
-            null, 
+    function addToDocumentQuery() {
+            return array(null,
+            null,
             "DM.name"
-        ); 
+        );
     }
-    
+
     function renderFolderLink($aDataRow) {
         /* this check has to be done so that any titles longer than 40 characters is not displayed incorrectly.
          as mozilla cannot wrap text without white spaces */
-        if (mb_strlen($aDataRow["folder"]->getName(), 'UTF-8') > 40) { 
+        if (mb_strlen($aDataRow["folder"]->getName(), 'UTF-8') > 40) {
         	mb_internal_encoding("UTF-8");
             $outStr = htmlentities(mb_substr($aDataRow["folder"]->getName(), 0, 40, 'UTF-8')."...", ENT_NOQUOTES, 'UTF-8');
         }else{
@@ -90,15 +90,15 @@ class AdvancedTitleColumn extends AdvancedColumn {
     function renderDocumentLink($aDataRow) {
         /* this check has to be done so that any titles longer than 40 characters is not displayed incorrectly.
          as mozilla cannot wrap text without white spaces */
-        if (mb_strlen($aDataRow["document"]->getName(), 'UTF-8') > 40) { 
+        if (mb_strlen($aDataRow["document"]->getName(), 'UTF-8') > 40) {
         	mb_internal_encoding("UTF-8");
             $outStr = htmlentities(mb_substr($aDataRow["document"]->getName(), 0, 40, 'UTF-8')."...", ENT_NOQUOTES, 'UTF-8');
         }else{
             $outStr = htmlentities($aDataRow["document"]->getName(), ENT_NOQUOTES, 'UTF-8');
         }
-        
+
         if($this->link_documents) {
-            $outStr = '<a href="' . $this->buildDocumentLink($aDataRow) . '" title="' . $aDataRow["document"]->getFilename().'">' . 
+            $outStr = '<a href="' . $this->buildDocumentLink($aDataRow) . '" title="' . htmlentities($aDataRow["document"]->getFilename(), ENT_QUOTES, 'UTF-8').'">' .
                 $outStr . '</a>';
         }
         return $outStr;
@@ -116,7 +116,7 @@ class AdvancedTitleColumn extends AdvancedColumn {
     function buildFolderLink($aDataRow) {
         if (is_null(KTUtil::arrayGet($this->aOptions, 'direct_folder'))) {
             $dest = KTUtil::arrayGet($this->aOptions, 'folder_link');
-	    $params = kt_array_merge(KTUtil::arrayGet($this->aOptions, 'qs_params', array()), 
+	    $params = kt_array_merge(KTUtil::arrayGet($this->aOptions, 'qs_params', array()),
 				     array('fFolderId' => $aDataRow['folder']->getId()));
             if (empty($dest)) {
@@ -129,9 +129,9 @@ class AdvancedTitleColumn extends AdvancedColumn {
             return KTBrowseUtil::getUrlForFolder($aDataRow['folder']);
         }
     }
-    
+
     // use inline, since its just too heavy to even _think_ about using smarty.
-    function renderData($aDataRow) {     
+    function renderData($aDataRow) {
        if ($aDataRow["type"] == "folder") {
            $contenttype = 'folder';
            $link = $this->renderFolderLink($aDataRow);
@@ -143,11 +143,11 @@ class AdvancedTitleColumn extends AdvancedColumn {
            return sprintf('<span class="contenttype %s">%s (%s)</span>', $contenttype, $link, $size);
         }
     }
-    
+
     function prettySize($size) {
         $finalSize = $size;
         $label = 'b';
-        
+
         if ($finalSize > 1000) { $label='Kb'; $finalSize = floor($finalSize/1000); }
         if ($finalSize > 1000) { $label='Mb'; $finalSize = floor($finalSize/1000); }
         return $finalSize . $label;
@@ -159,7 +159,7 @@ class AdvancedTitleColumn extends AdvancedColumn {
     }
 }
-/* 
+/*
  * Column to handle dates
  */
@@ -168,17 +168,17 @@ class AdvancedDateColumn extends AdvancedColumn {
     var $document_field_function;
     var $folder_field_function;
-    var $sortable = true;    
+    var $sortable = true;
     var $document_sort_column;
     var $folder_sort_column;
     var $namespace = 'ktcore.columns.genericdate';
-    
+
     function AdvancedDateColumn() {
         $this->label = _kt('Generic Date Function');
     }
     // use inline, since its just too heavy to even _think_ about using smarty.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         $outStr = '';
         if (($aDataRow["type"] == "folder") && (!is_null($this->folder_field_function))) {
             $res = call_user_func(array($aDataRow["folder"],  $this->folder_field_function));
@@ -186,7 +186,7 @@ class AdvancedDateColumn extends AdvancedColumn {
             // now reformat this into something "pretty"
             return date("Y-m-d H:i", $dColumnDate);
- 
+
         } else if (($aDataRow["type"] == "document") && (!is_null($this->document_field_function))) {
             $res = call_user_func(array($aDataRow["document"],  $this->document_field_function));
             $dColumnDate = strtotime($res);
@@ -210,11 +210,11 @@ class AdvancedDateColumn extends AdvancedColumn {
 class CreationDateColumn extends AdvancedDateColumn {
     var $document_field_function = 'getCreatedDateTime';
     var $folder_field_function = null;
-    
+
     var $document_sort_column = "D.created";
     var $folder_sort_column = null;
     var $namespace = 'ktcore.columns.creationdate';
-    
+
     function CreationDateColumn() {
         $this->label = _kt('Created');
     }
@@ -223,11 +223,11 @@ class CreationDateColumn extends AdvancedDateColumn {
 class ModificationDateColumn extends AdvancedDateColumn {
     var $document_field_function = 'getLastModifiedDate';
     var $folder_field_function = null;
-    
+
     var $document_sort_column = "D.modified";
     var $folder_sort_column = null;
     var $namespace = 'ktcore.columns.modificationdate';
-    
+
     function ModificationDateColumn() {
         $this->label = _kt('Modified');
     }
@@ -236,25 +236,25 @@ class ModificationDateColumn extends AdvancedDateColumn {
 class AdvancedUserColumn extends AdvancedColumn {
     var $document_field_function;
     var $folder_field_function;
-    var $sortable = false; // by default    
+    var $sortable = false; // by default
     var $document_sort_column;
     var $folder_sort_column;
     var $namespace = 'ktcore.columns.genericuser';
-    
+
     function AdvancedUserColumn() {
-        $this->label = null; // abstract.        
+        $this->label = null; // abstract.
     }
-    
+
     // use inline, since its just too heavy to even _think_ about using smarty.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         $iUserId = null;
         if (($aDataRow["type"] == "folder") && (!is_null($this->folder_field_function))) {
             if (method_exists($aDataRow['folder'], $this->folder_field_function)) {
-                $iUserId = call_user_func(array($aDataRow['folder'], $this->folder_field_function)); 
+                $iUserId = call_user_func(array($aDataRow['folder'], $this->folder_field_function));
             }
         } else if (($aDataRow["type"] == "document") && (!is_null($this->document_field_function))) {
             if (method_exists($aDataRow['document'], $this->document_field_function)) {
-                $iUserId = call_user_func(array($aDataRow['document'], $this->document_field_function)); 
+                $iUserId = call_user_func(array($aDataRow['document'], $this->document_field_function));
             }
         }
         if (is_null($iUserId)) {
@@ -271,7 +271,7 @@ class AdvancedUserColumn extends AdvancedColumn {
     function addToFolderQuery() {
         return array(null, null, null);
     }
-    
+
     function addToDocumentQuery() {
         return array(null, null, null);
     }
@@ -280,20 +280,20 @@ class AdvancedUserColumn extends AdvancedColumn {
 class CreatorColumn extends AdvancedUserColumn {
     var $document_field_function = "getCreatorID";
     var $folder_field_function = "getCreatorID";
-    var $sortable = true; // by default    
+    var $sortable = true; // by default
     var $namespace = 'ktcore.columns.creator';
-    
+
     function CreatorColumn() {
-        $this->label = _kt("Creator"); // abstract.        
+        $this->label = _kt("Creator"); // abstract.
     }
 }
 class AdvancedSelectionColumn extends AdvancedColumn {
     var $rangename = null;
     var $show_folders = true;
-    var $show_documents = true;   
-    
-    var $namespace = "ktcore.columns.selection"; 
+    var $show_documents = true;
+
+    var $namespace = "ktcore.columns.selection";
     function AdvancedSelectionColumn() {
         $this->label = '';
@@ -302,40 +302,40 @@ class AdvancedSelectionColumn extends AdvancedColumn {
     function setOptions($aOptions) {
         AdvancedColumn::setOptions($aOptions);
         $this->rangename = KTUtil::arrayGet($this->aOptions, 'rangename', $this->rangename);
-        $this->show_folders = KTUtil::arrayGet($this->aOptions, 'show_folders', $this->show_folders, false);        
-        $this->show_documents = KTUtil::arrayGet($this->aOptions, 'show_documents', $this->show_documents, false);                
+        $this->show_folders = KTUtil::arrayGet($this->aOptions, 'show_folders', $this->show_folders, false);
+        $this->show_documents = KTUtil::arrayGet($this->aOptions, 'show_documents', $this->show_documents, false);
     }
-    function renderHeader($sReturnURL) { 
+    function renderHeader($sReturnURL) {
         global $main;
         $main->requireJSResource("resources/js/toggleselect.js");
-        
+
         return sprintf('<input type="checkbox" title="toggle all" onclick="toggleSelectFor(this, \'%s\')" />', $this->rangename);
-        
+
     }
-    
+
     // only include the _f or _d IF WE HAVE THE OTHER TYPE.
-    function renderData($aDataRow) { 
-        $localname = $this->rangename;
-        
-        if (($aDataRow["type"] === "folder") && ($this->show_folders)) { 
+    function renderData($aDataRow) {
+        $localname = htmlentities($this->rangename,ENT_QUOTES,'UTF-8');
+
+        if (($aDataRow["type"] === "folder") && ($this->show_folders)) {
             if ($this->show_documents) {
-                $localname .= "_f[]"; 
+                $localname .= "_f[]";
             }
-            $v = $aDataRow["folderid"]; 
-        } else if (($aDataRow["type"] === "document") && $this->show_documents) { 
+            $v = $aDataRow["folderid"];
+        } else if (($aDataRow["type"] === "document") && $this->show_documents) {
             if ($this->show_folders) {
-                $localname .= "_d[]"; 
+                $localname .= "_d[]";
             }
-            $v = $aDataRow["docid"]; 
-        } else { 
-            return '&nbsp;'; 
+            $v = $aDataRow["docid"];
+        } else {
+            return '&nbsp;';
         }
-        
+
         return sprintf('<input type="checkbox" name="%s" onclick="activateRow(this)" value="%s"/>', $localname, $v);
     }
-    
-    
+
+
     // no label, but we do have a title
     function getName() {
         return _kt("Multiple Selection");
@@ -350,36 +350,36 @@ class AdvancedSingleSelectionColumn extends AdvancedSelectionColumn {
         parent::AdvancedSelectionColumn();
         $this->label = null;
     }
-    
+
     function renderHeader() {
-        return '&nbsp;';    
+        return '&nbsp;';
     }
-    
+
     // only include the _f or _d IF WE HAVE THE OTHER TYPE.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         $localname = $this->rangename;
-        
-        if (($aDataRow["type"] === "folder") && ($this->show_folders)) { 
+
+        if (($aDataRow["type"] === "folder") && ($this->show_folders)) {
             if ($this->show_documents) {
-                $localname .= "_f"; 
+                $localname .= "_f";
             }
-            $v = $aDataRow["folderid"]; 
-        } else if (($aDataRow["type"] === "document") && $this->show_documents) { 
+            $v = $aDataRow["folderid"];
+        } else if (($aDataRow["type"] === "document") && $this->show_documents) {
             if ($this->show_folders) {
-                $localname .= "_d"; 
+                $localname .= "_d";
             }
-            $v = $aDataRow["docid"]; 
-        } else { 
-            return '&nbsp;'; 
+            $v = $aDataRow["docid"];
+        } else {
+            return '&nbsp;';
         }
-        
+
         return '<input type="radio" name="' . $localname . '" value="' . $v . '"/>';
     }
     // no label, but we do have a title
     function getName() {
         return _kt("Single Selection");
-    }    
+    }
 }
@@ -389,16 +389,16 @@ class AdvancedWorkflowColumn extends AdvancedColumn {
     function AdvancedWorkflowColumn() {
         $this->label = _kt("Workflow State");
-        $this->sortable = false;        
+        $this->sortable = false;
     }
-    
+
     // use inline, since its just too heavy to even _think_ about using smarty.
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         // only _ever_ show this for documents.
-        if ($aDataRow["type"] === "folder") { 
+        if ($aDataRow["type"] === "folder") {
             return '&nbsp;';
         }
-        
+
         $oWorkflow = KTWorkflowUtil::getWorkflowForDocument($aDataRow['document']);
         $oState = KTWorkflowUtil::getWorkflowStateForDocument($aDataRow['document']);
         if (($oState == null) || ($oWorkflow == null)) {
@@ -415,21 +415,21 @@ class AdvancedWorkflowColumn extends AdvancedColumn {
 class AdvancedDownloadColumn extends AdvancedColumn {
     var $namespace = 'ktcore.columns.download';
-    
+
     function AdvancedDownloadColumn() {
         $this->label = null;
     }
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         // only _ever_ show this for documents.
-        if ($aDataRow["type"] === "folder") { 
+        if ($aDataRow["type"] === "folder") {
             return '&nbsp;';
         }
-    
+
         $link = KTUtil::ktLink('action.php','ktcore.actions.document.view', 'fDocumentId=' . $aDataRow['document']->getId());
         return sprintf('<a href="%s" class="ktAction ktDownload" title="%s">%s</a>', $link, _kt('Download Document'), _kt('Download Document'));
     }
-    
+
     function getName() { return _kt('Download'); }
 }
@@ -437,17 +437,17 @@ class AdvancedDownloadColumn extends AdvancedColumn {
 class DocumentIDColumn extends AdvancedColumn {
     var $bSortable = false;
     var $namespace = 'ktcore.columns.docid';
-    
+
     function DocumentIDColumn() {
         $this->label = _kt("Document ID");
     }
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         // only _ever_ show this for documents.
-        if ($aDataRow["type"] === "folder") { 
+        if ($aDataRow["type"] === "folder") {
             return '&nbsp;';
         }
-    
+
         return htmlentities($aDataRow['document']->getId(), ENT_NOQUOTES, 'UTF-8');
     }
 }
@@ -455,21 +455,21 @@ class DocumentIDColumn extends AdvancedColumn {
 class ContainingFolderColumn extends AdvancedColumn {
     var $namespace = 'ktcore.columns.containing_folder';
-    
+
     function ContainingFolderColumn() {
         $this->label = _kt("View Folder");
     }
-    function renderData($aDataRow) { 
+    function renderData($aDataRow) {
         // only _ever_ show this for documents.
-        if ($aDataRow["type"] === "folder") { 
+        if ($aDataRow["type"] === "folder") {
             return '&nbsp;';
         }
-    
+
         $link = KTBrowseUtil::getUrlForFolder($aDataRow['document']->getFolderId());
         return sprintf('<a href="%s" class="ktAction ktMoveUp" title="%s">%s</a>', $link, _kt('View Folder'), _kt('View Folder'));
     }
-    
+
     function getName() { return _kt('Opening Containing Folder'); }
 }
@@ -6,7 +6,7 @@
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -42,7 +42,7 @@ require_once(KT_LIB_DIR . &#39;/browse/PartialQuery.inc.php&#39;);
 require_once(KT_LIB_DIR . '/widgets/forms.inc.php');
-// {{{ KTDocumentDetailsAction 
+// {{{ KTDocumentDetailsAction
 class KTDocumentDetailsAction extends KTDocumentAction {
     var $sName = 'ktcore.actions.document.displaydetails';
@@ -143,7 +143,7 @@ class KTDocumentVersionHistoryAction extends KTDocumentAction {
         );
         return $oTemplate->render($aTemplateData);
     }
-    
+
     function do_startComparison() {
         $comparison_version = KTUtil::arrayGet($_REQUEST, 'fComparisonVersion');
@@ -151,7 +151,7 @@ class KTDocumentVersionHistoryAction extends KTDocumentAction {
         if (PEAR::isError($oDocument)) {
             return $this->redirectToMain(_kt('The document you selected was invalid'));
         }
-        
+
         if (!Permission::userHasDocumentReadPermission($oDocument)) {
             return $this->errorRedirectToMain(_kt('You are not allowed to view this document'));
         }
@@ -176,7 +176,7 @@ class KTDocumentVersionHistoryAction extends KTDocumentAction {
         );
         return $oTemplate->render($aTemplateData);
     }
-    
+
     function do_viewComparison() {
         // this is just a redirector
         $QS = array(
@@ -185,22 +185,22 @@ class KTDocumentVersionHistoryAction extends KTDocumentAction {
             'fBaseVersion' => $_REQUEST['fBaseVersion'],
             'fComparisonVersion' => $_REQUEST['fComparisonVersion'],
         );
-        
+
         $frag = array();
-        
+
         foreach ($QS as $k => $v) {
             $frag[] = sprintf('%s=%s', urlencode($k), urlencode($v));
         }
-        
+
         redirect(KTUtil::ktLink('view.php',null,implode('&', $frag)));
     }
-    
-    
+
+
     function getUserForId($iUserId) {
         $u = User::get($iUserId);
         if (PEAR::isError($u) || ($u == false)) { return _kt('User no longer exists'); }
         return $u->getName();
-    }    
+    }
 }
 // }}}
@@ -208,7 +208,7 @@ class KTDocumentVersionHistoryAction extends KTDocumentAction {
 // {{{ KTDocumentViewAction
 class KTDocumentViewAction extends KTDocumentAction {
     var $sName = 'ktcore.actions.document.view';
-    var $sIconClass = 'download';    
+    var $sIconClass = 'download';
     function getDisplayName() {
         return _kt('Download');
@@ -230,13 +230,13 @@ class KTDocumentViewAction extends KTDocumentAction {
         } else {
             $res = $oStorage->download($this->oDocument);
         }
-        
+
         if ($res === false) {
             $this->addErrorMessage(_kt('The file you requested is not available - please contact the system administrator if this is incorrect.'));
             redirect(generateControllerLink('viewDocument',sprintf(_kt('fDocumentId=%d'),$this->oDocument->getId())));
-            exit(0);  
+            exit(0);
         }
-        
+
         $oDocumentTransaction = & new DocumentTransaction($this->oDocument, _kt('Document downloaded'), 'ktcore.transactions.download', $aOptions);
         $oDocumentTransaction->create();
         exit(0);
@@ -258,7 +258,7 @@ class KTDocumentCheckOutAction extends KTDocumentAction {
         return _kt('Checkout');
     }
-    function getInfo() {    
+    function getInfo() {
         if ($this->oDocument->getIsCheckedOut()) {
             return null;
         }
@@ -272,10 +272,10 @@ class KTDocumentCheckOutAction extends KTDocumentAction {
             return $res;
         }
         // since we actually check the doc out, then download it ...
-        if (($_REQUEST[$this->event_var] == 'checkout_final') && ($this->oDocument->getCheckedOutUserID() == $_SESSION['userID'])) { 
-             return true; 
+        if (($_REQUEST[$this->event_var] == 'checkout_final') && ($this->oDocument->getCheckedOutUserID() == $_SESSION['userID'])) {
+             return true;
         }
-        
+
         // "normal".
         if ($this->oDocument->getIsCheckedOut()) {
             $_SESSION['KTErrorMessage'][] = _kt('This document is already checked out');
@@ -317,9 +317,9 @@ class KTDocumentCheckOutAction extends KTDocumentAction {
             array('ktcore.validators.boolean', array(
                 'test' => 'download_file',
                 'output' => 'download_file',
-            )),            
+            )),
         ));
-        
+
         return $oForm;
     }
@@ -337,13 +337,13 @@ class KTDocumentCheckOutAction extends KTDocumentAction {
     }
     function do_checkout() {
-    
+
         $oForm = $this->form_checkout();
         $res = $oForm->validate();
         if (!empty($res['errors'])) {
             return $oForm->handleError();
         }
-    
+
         $data = $res['results'];
         $oTemplate =& $this->oValidator->validateTemplate('ktcore/action/checkout_final');
@@ -354,17 +354,17 @@ class KTDocumentCheckOutAction extends KTDocumentAction {
         if (PEAR::isError($res)) {
             return $this->errorRedirectToMain(sprintf(_kt('Failed to check out the document: %s'), $res->getMessage()));
         }
-        
-        
+
+
         $this->commitTransaction();
-        
+
         if (!$data['download_file']) {
             $this->addInfoMessage(_kt('Document checked out.'));
             redirect(KTBrowseUtil::getUrlForDocument($this->oDocument));
             exit(0);
         }
-        
+
         $oTemplate->setData(array(
             'context' => &$this,
             'reason' => $sReason,
@@ -376,7 +376,7 @@ class KTDocumentCheckOutAction extends KTDocumentAction {
         $sReason = KTUtil::arrayGet($_REQUEST, 'reason');
         $this->oValidator->notEmpty($sReason);
-        
+
         $oStorage =& KTStorageManagerUtil::getSingleton();
         $oStorage->download($this->oDocument, true);
         exit(0);
@@ -446,33 +446,33 @@ class KTDocumentCheckInAction extends KTDocumentAction {
             'context' => &$this,
             'file_upload' => true,         // otherwise the post is not received.
         ));
-        
+
         $major_inc = sprintf('%d.%d', $this->oDocument->getMajorVersionNumber()+1, 0);
-        $minor_inc = sprintf('%d.%d', $this->oDocument->getMajorVersionNumber(), $this->oDocument->getMinorVersionNumber()+1);        
-        
+        $minor_inc = sprintf('%d.%d', $this->oDocument->getMajorVersionNumber(), $this->oDocument->getMinorVersionNumber()+1);
+
         $oForm->setWidgets(array(
             array('ktcore.widgets.file', array(
                 'label' => _kt('File'),
-                'description' => sprintf(_kt('Please specify the file you wish to upload.  Unless you also indicate that you are changing its filename (see "Force Original Filename" below), this will need to be called <strong>%s</strong>'), $this->oDocument->getFilename()),
+                'description' => sprintf(_kt('Please specify the file you wish to upload.  Unless you also indicate that you are changing its filename (see "Force Original Filename" below), this will need to be called <strong>%s</strong>'), htmlentities($this->oDocument->getFilename(),ENT_QUOTES,'UTF-8')),
                 'name' => 'file',
                 'basename' => 'file',
                 'required' => true,
             )),
             array('ktcore.widgets.boolean',array(
-                'label' => _kt('Major Update'), 
-                'description' => sprintf(_kt('If this is checked, then the document\'s version number will be increased to %s.  Otherwise, it will be considered a minor update, and the version number will be %s.'), $major_inc, $minor_inc), 
-                'name' => 'major_update', 
+                'label' => _kt('Major Update'),
+                'description' => sprintf(_kt('If this is checked, then the document\'s version number will be increased to %s.  Otherwise, it will be considered a minor update, and the version number will be %s.'), $major_inc, $minor_inc),
+                'name' => 'major_update',
                 'value' => false,
-            )),            
+            )),
             array('ktcore.widgets.reason', array(
                 'label' => _kt('Reason'),
                 'description' => _kt('Please describe the changes you made to the document.  Bear in mind that you can use a maximum of <strong>250</strong> characters.'),
                 'name' => 'reason',
             )),
             array('ktcore.widgets.boolean',array(
-                'label' => _kt('Force Original Filename'), 
-                'description' => sprintf(_kt('If this is checked, the uploaded document must have the same filename as the original: <strong>%s</strong>'), $this->oDocument->getFilename()), 
-                'name' => 'forcefilename', 
+                'label' => _kt('Force Original Filename'),
+                'description' => sprintf(_kt('If this is checked, the uploaded document must have the same filename as the original: <strong>%s</strong>'), htmlentities($this->oDocument->getFilename(),ENT_QUOTES,'UTF-8')),
+                'name' => 'forcefilename',
                 'value' => true,
             )),
         ));
@@ -485,17 +485,17 @@ class KTDocumentCheckInAction extends KTDocumentAction {
             array('ktcore.validators.boolean', array(
                 'test' => 'major_update',
                 'output' => 'major_update',
-            )),                                   
+            )),
             array('ktcore.validators.file', array(
                 'test' => 'file',
                 'output' => 'file',
-            )),           
+            )),
             array('ktcore.validators.boolean', array(
                 'test' => 'forcefilename',
                 'output' => 'forcefilename',
-            )),                       
+            )),
         ));
-        
+
         return $oForm;
     }
@@ -503,7 +503,7 @@ class KTDocumentCheckInAction extends KTDocumentAction {
     function do_main() {
         $this->oPage->setBreadcrumbDetails(_kt('Checkin'));
         $oTemplate =& $this->oValidator->validateTemplate('ktcore/action/checkin');
-        
+
         $oForm = $this->form_main();
         $oTemplate->setData(array(
@@ -517,24 +517,24 @@ class KTDocumentCheckInAction extends KTDocumentAction {
         $oForm = $this->form_main();
         $res = $oForm->validate();
         $data = $res['results'];
-        
+
         $extra_errors = array();
-        
+
         if ($data['forcefilename'] && ($data['file']['name'] != $this->oDocument->getFilename())) {
-            $extra_errors['file'] = sprintf(_kt('The file you uploaded was not called "%s". If you wish to change the filename, please set "Force Original Filename" below to false. '), $this->oDocument->getFilename());
+            $extra_errors['file'] = sprintf(_kt('The file you uploaded was not called "%s". If you wish to change the filename, please set "Force Original Filename" below to false. '), htmlentities($this->oDocument->getFilename(),ENT_QUOTES,'UTF-8'));
         }
-        
+
         if (!empty($res['errors']) || !empty($extra_errors)) {
             return $oForm->handleError(null, $extra_errors);
         }
-    
+
         $sReason = $data['reason'];
-        
+
         $sCurrentFilename = $this->oDocument->getFileName();
         $sNewFilename = $data['file']['name'];
         $aOptions = array();
-        
+
         if ($data['major_update']) {
             $aOptions['major_update'] = true;
         }
@@ -542,7 +542,7 @@ class KTDocumentCheckInAction extends KTDocumentAction {
         if ($sCurrentFilename != $sNewFilename) {
             $aOptions['newfilename'] = $sNewFilename;
         }
-      
+
         $res = KTDocumentUtil::checkin($this->oDocument, $data['file']['tmp_name'], $sReason, $this->oUser, $aOptions);
         if (PEAR::isError($res)) {
             $this->errorRedirectToMain(_kt('An error occurred while trying to check in the document'), 'fDocumentId=' . $this->oDocument->getId() . '&reason=' . $sReason);
@@ -561,7 +561,7 @@ class KTDocumentCancelCheckOutAction extends KTDocumentAction {
     var $_sShowPermission = 'ktcore.permissions.write';
     var $bAllowInAdminMode = true;
     var $bInAdminMode = null;
-    var $sIconClass = 'cancel_checkout';    
+    var $sIconClass = 'cancel_checkout';
     function getDisplayName() {
         return _kt('Cancel Checkout');
@@ -573,10 +573,10 @@ class KTDocumentCancelCheckOutAction extends KTDocumentAction {
         }
         if (is_null($this->bInAdminMode)) {
             $oFolder = Folder::get($this->oDocument->getFolderId());
-            if (KTBrowseUtil::inAdminMode($this->oUser, $oFolder)) { 
+            if (KTBrowseUtil::inAdminMode($this->oUser, $oFolder)) {
                 $this->bAdminMode = true;
-                return parent::getInfo(); 
-            }                   
+                return parent::getInfo();
+            }
         } else if ($this->bInAdminMode == true) {
             return parent::getInfo();
         }
@@ -588,7 +588,7 @@ class KTDocumentCancelCheckOutAction extends KTDocumentAction {
     function check() {
         $res = parent::check();
-       
+
         if ($res !== true) {
             return $res;
         }
@@ -600,10 +600,10 @@ class KTDocumentCancelCheckOutAction extends KTDocumentAction {
         // hard override if we're in admin mode for this doc.
         if (is_null($this->bInAdminMode)) {
             $oFolder = Folder::get($this->oDocument->getFolderId());
-            if (KTBrowseUtil::inAdminMode($this->oUser, $oFolder)) { 
+            if (KTBrowseUtil::inAdminMode($this->oUser, $oFolder)) {
                 $this->bAdminMode = true;
-                return true; 
-            }                   
+                return true;
+            }
         } else if ($this->bInAdminMode == true) {
             return true;
         }
@@ -639,16 +639,16 @@ class KTDocumentCancelCheckOutAction extends KTDocumentAction {
                 'output' => 'reason',
             )),
         ));
-        
+
         return $oForm;
     }
     function do_main() {
         $this->oPage->setBreadcrumbDetails(_kt('cancel checkout'));
         $oTemplate =& $this->oValidator->validateTemplate('ktcore/action/cancel_checkout');
-        
+
         $oForm = $this->form_main();
-        
+
         $oTemplate->setData(array(
             'context' => &$this,
             'form' => $oForm,
@@ -663,9 +663,9 @@ class KTDocumentCancelCheckOutAction extends KTDocumentAction {
         if (!empty($res['errors'])) {
             return $oForm->handleError();
         }
-        
+
         $data = $res['results'];
-        
+
         $this->startTransaction();
         // actually do the checkin.
         $this->oDocument->setIsCheckedOut(0);
@@ -675,7 +675,7 @@ class KTDocumentCancelCheckOutAction extends KTDocumentAction {
             $this->rollbackTransaction();
             return $this->errorRedirectToMain(_kt('Failed to force the document\'s checkin.'),sprintf('fDocumentId=%d'),$this->oDocument->getId());
         }
-        
+
         // checkout cancelled transaction
         $oDocumentTransaction = & new DocumentTransaction($this->oDocument, $data['reason'], 'ktcore.transactions.force_checkin');
         $res = $oDocumentTransaction->create();
@@ -683,7 +683,7 @@ class KTDocumentCancelCheckOutAction extends KTDocumentAction {
             $this->rollbackTransaction();
             return $this->errorRedirectToMain(_kt('Failed to force the document\'s checkin.'),sprintf('fDocumentId=%d'),$this->oDocument->getId());
         }
-        $this->commitTransaction(); 
+        $this->commitTransaction();
         redirect(KTBrowseUtil::getUrlForDocument($this->oDocument));
     }
 }
@@ -746,7 +746,7 @@ class KTDocumentDeleteAction extends KTDocumentAction {
                 'output' => 'reason',
             )),
         ));
-        
+
         return $oForm;
     }
@@ -770,17 +770,17 @@ class KTDocumentDeleteAction extends KTDocumentAction {
         if (!empty($res['errors'])) {
             return $oForm->handleError();
         }
-        
+
         $sReason = $data['reason'];
-        
+
         $fFolderId = $this->oDocument->getFolderId();
         $res = KTDocumentUtil::delete($this->oDocument, $sReason);
         if (PEAR::isError($res)) {
             $this->errorRedirectToMain(sprintf(_kt('Unexpected failure deleting document: %s'), $res->getMessage()));
-        } 
+        }
         $_SESSION['KTInfoMessage'][] = sprintf(_kt('Document "%s" Deleted.'),$this->oDocument->getName());
-                
+
         controllerRedirect('browse', 'fFolderId=' .  $fFolderId);
         exit(0);
     }
@@ -838,15 +838,15 @@ class KTDocumentMoveAction extends KTDocumentAction {
             'cancel_url' => KTBrowseUtil::getUrlForDocument($this->oDocument),
             'fail_action' => 'main',
             'context' => $this,
-        ));    
+        ));
         /*
          *  This is somewhat more complex than most forms, since the "filename"
          *  and title shouldn't appear unless there's a clash.
          *
          *  This is still not the most elegant solution.
-         */   
-    
+         */
+
         $oForm->setWidgets(array(
             array('ktcore.widgets.foldercollection', array(
                 'label' => _kt('Target Folder'),
@@ -861,8 +861,8 @@ class KTDocumentMoveAction extends KTDocumentAction {
                 'name' => 'reason',
             )),
         ));
- 
-         
+
+
         $oForm->setValidators(array(
             array('ktcore.validators.string', array(
                 'test' => 'reason',
@@ -874,10 +874,10 @@ class KTDocumentMoveAction extends KTDocumentAction {
                 'test' => 'browse',
                 'output' => 'browse',
             )),
-        ));        
- 
+        ));
+
         // here's the ugly bit.
-        
+
         $err = $oForm->getErrors();
         if (!empty($err['name']) || !empty($err['filename'])) {
             $oForm->addWidget(
@@ -914,7 +914,7 @@ class KTDocumentMoveAction extends KTDocumentAction {
         }
         return $oForm;
     }
-    
+
     function do_move() {
         $oForm = $this->form_move();
         $res = $oForm->validate();
@@ -926,59 +926,59 @@ class KTDocumentMoveAction extends KTDocumentAction {
             if ($data['browse']->getId() == $this->oDocument->getFolderID()) {
                 $extra_errors['browse'] = _kt('You cannot move the document within the same folder.');
             } else {
-                $bNameClash = KTDocumentUtil::nameExists($data['browse'], $this->oDocument->getName());        
+                $bNameClash = KTDocumentUtil::nameExists($data['browse'], $this->oDocument->getName());
                 if ($bNameClash && isset($data['name'])) {
                     $name = $data['name'];
-                    $bNameClash = KTDocumentUtil::nameExists($data['browse'], $name);                        
+                    $bNameClash = KTDocumentUtil::nameExists($data['browse'], $name);
                 } else {
                     $name = $this->oDocument->getName();
                 }
                 if ($bNameClash) {
                     $extra_errors['name'] = _kt('A document with this title already exists in your chosen folder.  Please choose a different folder, or specify a new title for the copied document.');
             }
-            
-                $bFileClash = KTDocumentUtil::fileExists($data['browse'], $this->oDocument->getFilename());              
+
+                $bFileClash = KTDocumentUtil::fileExists($data['browse'], $this->oDocument->getFilename());
                 if ($bFileClash && isset($data['filename'])) {
                     $filename = $data['filename'];
-                    $bFileClash = KTDocumentUtil::fileExists($data['browse'], $filename);              
+                    $bFileClash = KTDocumentUtil::fileExists($data['browse'], $filename);
                 } else {
                     $filename = $this->oDocument->getFilename();
-                }            
+                }
                 if ($bFileClash) {
                     $extra_errors['filename'] = _kt('A document with this filename already exists in your chosen folder.  Please choose a different folder, or specify a new filename for the copied document.');
                 }
-                
+
                 if (!Permission::userHasFolderWritePermission($data['browse'])) {
                     $extra_errors['browse'] = _kt('You do not have permission to create new documents in that folder.');
                 }
             }
         }
-        
+
         if (!empty($errors) || !empty($extra_errors)) {
-            return $oForm->handleError(null, $extra_errors);   
+            return $oForm->handleError(null, $extra_errors);
         }
-        
+
         $this->startTransaction();
         // now try update it.
-        
+
         $res = KTDocumentUtil::move($this->oDocument, $data['browse'], $this->oUser, $sReason);
         if (PEAR::isError($oNewDoc)) {
             $this->errorRedirectTo('main', _kt('Failed to move document: ') . $oNewDoc->getMessage());
             exit(0);
         }
-        
+
         $this->oDocument->setName($name);       // if needed.
         $this->oDocument->setFilename($filename);   // if needed.
-                
+
         $res = $this->oDocument->update();
         if (PEAR::isError($res)) {
             return $this->errorRedirectTo('main', _kt('Failed to move document: ') . $res->getMessage());
         }
         $this->commitTransaction();
-        
+
         controllerRedirect('viewDocument', 'fDocumentId=' .  $this->oDocument->getId());
-        exit(0);        
+        exit(0);
     }
 }
@@ -1009,7 +1009,7 @@ class KTDocumentCopyAction extends KTDocumentAction {
         if ($this->oDocument->getIsCheckedOut()) {
             return null;
         }
-        
+
         return parent::getInfo();
     }
@@ -1028,7 +1028,7 @@ class KTDocumentCopyAction extends KTDocumentAction {
         $this->oDocumentFolder = $this->oValidator->validateFolder($this->oDocument->getFolderId());
         return true;
     }
-    
+
     function form_copyselection() {
         $oForm = new KTForm;
         $oForm->setOptions(array(
@@ -1039,15 +1039,15 @@ class KTDocumentCopyAction extends KTDocumentAction {
             'cancel_url' => KTBrowseUtil::getUrlForDocument($this->oDocument),
             'fail_action' => 'main',
             'context' => $this,
-        ));    
+        ));
         /*
          *  This is somewhat more complex than most forms, since the "filename"
          *  and title shouldn't appear unless there's a clash.
          *
          *  This is still not the most elegant solution.
-         */   
-    
+         */
+
         $oForm->setWidgets(array(
             array('ktcore.widgets.foldercollection', array(
                 'label' => _kt('Target Folder'),
@@ -1062,8 +1062,8 @@ class KTDocumentCopyAction extends KTDocumentAction {
                 'name' => 'reason',
             )),
         ));
- 
-         
+
+
         $oForm->setValidators(array(
             array('ktcore.validators.string', array(
                 'test' => 'reason',
@@ -1075,10 +1075,10 @@ class KTDocumentCopyAction extends KTDocumentAction {
                 'test' => 'browse',
                 'output' => 'browse',
             )),
-        ));        
- 
+        ));
+
         // here's the ugly bit.
-        
+
         $err = $oForm->getErrors();
         if (!empty($err['name']) || !empty($err['filename'])) {
             $oForm->addWidget(
@@ -1122,7 +1122,7 @@ class KTDocumentCopyAction extends KTDocumentAction {
         return $oForm->renderPage(_kt('Copy Document') . ': ' . $this->oDocument->getName());
     }
-    function do_copy() {   
+    function do_copy() {
         $oForm = $this->form_copyselection();
         $res = $oForm->validate();
         $errors = $res['errors'];
@@ -1131,59 +1131,59 @@ class KTDocumentCopyAction extends KTDocumentAction {
         if (!is_null($data['browse'])) {
-            $bNameClash = KTDocumentUtil::nameExists($data['browse'], $this->oDocument->getName());        
+            $bNameClash = KTDocumentUtil::nameExists($data['browse'], $this->oDocument->getName());
             if ($bNameClash && isset($data['name'])) {
                 $name = $data['name'];
-                $bNameClash = KTDocumentUtil::nameExists($data['browse'], $name);                        
+                $bNameClash = KTDocumentUtil::nameExists($data['browse'], $name);
             } else {
                 $name = $this->oDocument->getName();
             }
             if ($bNameClash) {
                 $extra_errors['name'] = _kt('A document with this title already exists in your chosen folder.  Please choose a different folder, or specify a new title for the copied document.');
             }
-        
-            $bFileClash = KTDocumentUtil::fileExists($data['browse'], $this->oDocument->getFilename());              
+
+            $bFileClash = KTDocumentUtil::fileExists($data['browse'], $this->oDocument->getFilename());
             if ($bFileClash && isset($data['filename'])) {
                 $filename = $data['filename'];
-                $bFileClash = KTDocumentUtil::fileExists($data['browse'], $filename);              
+                $bFileClash = KTDocumentUtil::fileExists($data['browse'], $filename);
             } else {
                 $filename = $this->oDocument->getFilename();
-            }            
+            }
             if ($bFileClash) {
                 $extra_errors['filename'] = _kt('A document with this filename already exists in your chosen folder.  Please choose a different folder, or specify a new filename for the copied document.');
             }
-            
+
             if (!Permission::userHasFolderWritePermission($data['browse'])) {
                 $extra_errors['browse'] = _kt('You do not have permission to create new documents in that folder.');
             }
         }
-        
+
         if (!empty($errors) || !empty($extra_errors)) {
-            return $oForm->handleError(null, $extra_errors);   
+            return $oForm->handleError(null, $extra_errors);
         }
-        
+
         // FIXME agree on document-duplication rules re: naming, etc.
-        
+
         $this->startTransaction();
         // now try update it.
-        
+
         $oNewDoc = KTDocumentUtil::copy($this->oDocument, $data['browse'], $sReason);
         if (PEAR::isError($oNewDoc)) {
             $this->errorRedirectTo('main', _kt('Failed to copy document: ') . $oNewDoc->getMessage(), sprintf('fDocumentId=%d&fFolderId=%d', $this->oDocument->getId(), $this->oFolder->getId()));
             exit(0);
         }
-        
+
         $oNewDoc->setName($name);
         $oNewDoc->setFilename($filename);
-                
+
         $res = $oNewDoc->update();
         if (PEAR::isError($res)) {
             return $this->errorRedirectTo('main', _kt('Failed to copy document: ') . $res->getMessage(), sprintf('fDocumentId=%d&fFolderId=%d', $this->oDocument->getId(), $this->oFolder->getId()));
         }
         $this->commitTransaction();
-            
+
         // FIXME do we need to refactor all trigger usage into the util function?
         $oKTTriggerRegistry = KTTriggerRegistry::getSingleton();
         $aTriggers = $oKTTriggerRegistry->getTriggers('copyDocument', 'postValidate');
@@ -1198,13 +1198,13 @@ class KTDocumentCopyAction extends KTDocumentAction {
             $oTrigger->setInfo($aInfo);
             $ret = $oTrigger->postValidate();
         }
-        
+
         //$aOptions = array('user' => $oUser);
         //$oDocumentTransaction = & new DocumentTransaction($oNewDoc, 'Document copied from old version.', 'ktcore.transactions.create', $aOptions);
         //$res = $oDocumentTransaction->create();
-        
+
         $_SESSION['KTInfoMessage'][] = _kt('Document copied.');
-        
+
         controllerRedirect('viewDocument', 'fDocumentId=' .  $oNewDoc->getId());
         exit(0);
     }
@@ -1252,10 +1252,10 @@ class KTDocumentArchiveAction extends KTDocumentAction {
                 'output' => 'reason',
             )),
         ));
-        
+
         return $oForm;
     }
-    
+
     function do_main() {
         $this->oPage->setBreadcrumbDetails(_kt('Archive Document'));
         $oTemplate =& $this->oValidator->validateTemplate('ktcore/action/archive');
@@ -1270,16 +1270,16 @@ class KTDocumentArchiveAction extends KTDocumentAction {
     }
     function do_archive() {
-    
+
         $oForm = $this->form_main();
         $res = $oForm->validate();
         $data = $res['results'];
         if (!empty($res['errors'])) {
             return $oForm->handleError();
         }
-        
+
         $sReason = $data['reason'];
-    
+
         $this->startTransaction();
         $this->oDocument->setStatusID(ARCHIVED);
         $res = $this->oDocument->update();
@@ -1290,7 +1290,7 @@ class KTDocumentArchiveAction extends KTDocumentAction {
         }
         $oDocumentTransaction = & new DocumentTransaction($this->oDocument, sprintf(_kt('Document archived: %s'), $sReason), 'ktcore.transactions.update');
         $oDocumentTransaction->create();
-        
+
         $this->commitTransaction();
         $oKTTriggerRegistry = KTTriggerRegistry::getSingleton();
@@ -1320,11 +1320,11 @@ class KTDocumentArchiveAction extends KTDocumentAction {
 class KTDocumentWorkflowAction extends KTDocumentAction {
     var $sName = 'ktcore.actions.document.workflow';
     var $_sShowPermission = 'ktcore.permissions.read';
-    
-    var $sHelpPage = 'ktcore/user/workflow.html';    
+
+    var $sHelpPage = 'ktcore/user/workflow.html';
     function predispatch() {
-        $this->persistParams(array('fTransitionId'));    
+        $this->persistParams(array('fTransitionId'));
     }
     function getDisplayName() {
@@ -1350,7 +1350,7 @@ class KTDocumentWorkflowAction extends KTDocumentAction {
         }
         $fieldErrors = null;
-        
+
         $transition_fields = array();
         if ($aTransitions) {
             $aVocab = array();
@@ -1364,8 +1364,8 @@ class KTDocumentWorkflowAction extends KTDocumentAction {
             $fieldOptions = array('vocab' => $aVocab);
             $transition_fields[] = new KTLookupWidget(_kt('Transition to perform'), _kt('The transition listed will cause the document to change from its current state to the listed destination state.'), 'fTransitionId', null, $this->oPage, true, null, $fieldErrors, $fieldOptions);
             $transition_fields[] = new KTTextWidget(
-                _kt('Reason for transition'), _kt('Describe why this document qualifies to be changed from its current state to the destination state of the transition chosen.'), 
-                'fComments', '', 
+                _kt('Reason for transition'), _kt('Describe why this document qualifies to be changed from its current state to the destination state of the transition chosen.'),
+                'fComments', '',
                 $this->oPage, true, null, null,
                 array('cols' => 80, 'rows' => 4));
         }
@@ -1399,7 +1399,7 @@ class KTDocumentWorkflowAction extends KTDocumentAction {
     function do_performTransition() {
         $oDocument =& $this->oValidator->validateDocument($_REQUEST['fDocumentId']);
-        $oTransition =& $this->oValidator->validateWorkflowTransition($_REQUEST['fTransitionId']);        
+        $oTransition =& $this->oValidator->validateWorkflowTransition($_REQUEST['fTransitionId']);
         $aErrorOptions = array(
             'redirect_to' => array('main', sprintf('fDocumentId=%d', $_REQUEST['fDocumentId'])),
@@ -1407,7 +1407,7 @@ class KTDocumentWorkflowAction extends KTDocumentAction {
         );
         $sComments =& $this->oValidator->validateString($_REQUEST['fComments'], $aErrorOptions);
-        
+
         $oUser =& User::get($_SESSION['userID']);
         $res = KTWorkflowUtil::performTransitionOnDocument($oTransition, $oDocument, $oUser, $sComments);
@@ -1420,7 +1420,7 @@ class KTDocumentWorkflowAction extends KTDocumentAction {
             array('fDocumentId' => $oDocument->getId()));
         }
     }
-    
+
     function form_quicktransition() {
         $oForm = new KTForm;
@@ -1446,36 +1446,36 @@ class KTDocumentWorkflowAction extends KTDocumentAction {
                 'test' => 'reason',
                 'max_length' => 250,
                 'output' => 'reason',
-            )),                     
+            )),
         ));
-        
+
         return $oForm;
     }
     function do_quicktransition() {
         // make sure this gets through.
         $this->persistParams(array('fTransitionId'));
-        
+
         $transition_id = $_REQUEST['fTransitionId'];
         $oTransition = KTWorkflowTransition::get($transition_id);
-        
+
         $oForm = $this->form_quicktransition();
         return $oForm->renderPage(sprintf(_kt('Perform Transition: %s'), $oTransition->getName()));
     }
-    
+
     function do_performquicktransition() {
         $oForm = $this->form_quicktransition();
         $res = $oForm->validate();
-        
+
         if (!empty($res['errors'])) {
             return $oForm->handleError();
-        }    
-        
+        }
+
         $this->startTransaction();
-        
+
         $data = $res['results'];
         $oTransition = KTWorkflowTransition::get($_REQUEST['fTransitionId']);
-        
+
         $res = KTWorkflowUtil::performTransitionOnDocument($oTransition, $this->oDocument, $this->oUser, $data['reason']);
         if(!Permission::userHasDocumentReadPermission($this->oDocument)) {
@@ -1483,10 +1483,10 @@ class KTDocumentWorkflowAction extends KTDocumentAction {
             $_SESSION['KTInfoMessage'][] = _kt('Transition performed') . '. ' . _kt('You no longer have permission to view this document');
             controllerRedirect('browse', sprintf('fFolderId=%d', $this->oDocument->getFolderId()));
         } else {
-            $this->commitTransaction();        
+            $this->commitTransaction();
             $_SESSION['KTInfoMessage'][] = _kt('Transition performed');
             controllerRedirect('viewDocument', sprintf('fDocumentId=%d', $this->oDocument->getId()));
-        }        
+        }
     }
 }
@@ -1499,7 +1499,7 @@ class KTOwnershipChangeAction extends KTDocumentAction {
     function getDisplayName() {
         return _kt('Change Document Ownership');
     }
-    
+
     function form_owner() {
         $oForm = new KTForm;
         $oForm->setOptions(array(
@@ -1529,49 +1529,49 @@ class KTOwnershipChangeAction extends KTDocumentAction {
                 'output' => 'user',
             )),
         ));
-        
+
         return $oForm;
     }
-    function do_main() { 
+    function do_main() {
         $this->oPage->setBreadcrumbDetails(_kt('Changing Ownership'));
         $oTemplate =& $this->oValidator->validateTemplate('ktcore/document/ownershipchangeaction');
-        
+
         $change_form = $this->form_owner();
-        
+
         $oTemplate->setData(array(
             'context' => $this,
             'form' => $change_form,
-        ));     
+        ));
         return $oTemplate->render();
     }
-    
+
     function do_reown() {
         $oForm = $this->form_owner();
         $res = $oForm->validate();
         $data = $res['results'];
         $errors = $res['errors'];
-        
+
         if (!empty($errors)) {
-            return $oForm->handleError();   
+            return $oForm->handleError();
         }
         $oUser = $data['user'];
-        
+
         $this->startTransaction();
-        
+
         $this->oDocument->setOwnerID($oUser->getId());
         $res = $this->oDocument->update();
         if (PEAR::isError($res)) {
             $this->errorRedirectToMain(sprintf(_kt('Failed to update document: %s'), $res->getMessage()), sprintf('fDocumentId=%d', $this->oDocument->getId()));
         }
-        
+
         $res = KTPermissionUtil::updatePermissionLookup($this->oDocument);
-        
+
         if (PEAR::isError($res)) {
             $this->errorRedirectToMain(sprintf(_kt('Failed to update document: %s'), $res->getMessage()), sprintf('fDocumentId=%d', $this->oDocument->getId()));
         }
-        
+
         $this->successRedirectToMain(_kt('Ownership changed.'), sprintf('fDocumentId=%d', $this->oDocument->getId()));
     }
 }
@@ -6,7 +6,7 @@
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -64,21 +64,21 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
     function do_main() {
         $this->oPage->setBreadcrumbDetails(_kt("Document Permissions"));
         $oTemplate = $this->oValidator->validateTemplate("ktcore/document/document_permissions");
-		
+
         $oPL = KTPermissionLookup::get($this->oDocument->getPermissionLookupID());
         $aPermissions = KTPermission::getList();
         $aMapPermissionGroup = array();
-        $aMapPermissionRole = array();	
-		$aMapPermissionUser = array();	
-		
+        $aMapPermissionRole = array();
+		$aMapPermissionUser = array();
+
 		$aAllGroups = Group::getList();   // probably small enough
 		$aAllRoles = Role::getList();     // probably small enough.
 		// users are _not_ fetched this way.
-		
+
 		$aActiveGroups = array();
 		$aActiveUsers = array();
 		$aActiveRoles = array();
-		
+
         foreach ($aPermissions as $oPermission) {
             $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
             if (PEAR::isError($oPLA)) {
@@ -97,15 +97,15 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
             foreach ($aIds as $iId) {
                 $aMapPermissionRole[$iPermissionID][$iId] = true;
 				$aActiveRoles[$iId] = true;
-            }		
+            }
 			$aIds = $oDescriptor->getUsers();
             $aMapPermissionUser[$iPermissionID] = array();
             foreach ($aIds as $iId) {
                 $aMapPermissionUser[$iPermissionID][$iId] = true;
 				$aActiveUsers[$iId] = true;
-            }		
+            }
         }
-		
+
 		// now we constitute the actual sets.
 		$users = array();
 		$groups = array();
@@ -117,19 +117,19 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
 			$users[$oUser->getName()] = $oUser;
 		}
 		asort($users); // ascending, per convention.
-		
+
 		foreach ($aActiveGroups as $id => $marker) {
 		    $oGroup = Group::get($id);
 			$groups[$oGroup->getName()] = $oGroup;
 		}
 		asort($groups);
-		
+
 		foreach ($aActiveRoles as $id => $marker) {
 		    $oRole = Role::get($id);
 			$roles[$oRole->getName()] = $oRole;
 		}
 		asort($roles);
-		
+
         $bEdit = KTPermissionUtil::userHasPermissionOnItem($this->oUser, $this->_sEditShowPermission, $this->oDocument);
 		$sInherited = '';
@@ -151,7 +151,7 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
                         }
                     }
                 }
-            }        
+            }
         }
@@ -163,7 +163,7 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
                 $aWorkflowControls[$oAssignment->getPermissionId()] = true;
                 unset($aDynamicControls[$oAssignment->getPermissionId()]);
             }
-        }       
+        }
         $aTemplateData = array(
@@ -171,15 +171,15 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
             "permissions" => $aPermissions,
             "groups" => $groups,
 			"users" => $users,
-            "roles" => $roles,			
+            "roles" => $roles,
             "iDocumentID" => $_REQUEST['fDocumentID'],
             "aMapPermissionGroup" => $aMapPermissionGroup,
-            "aMapPermissionRole" => $aMapPermissionRole,			
+            "aMapPermissionRole" => $aMapPermissionRole,
 			"aMapPermissionUser" => $aMapPermissionUser,
             "edit" => $bEdit,
             "inherited" => $sInherited,
             'workflow_controls' => $aWorkflowControls,
-            'conditions_control' => $aDynamicControls, 
+            'conditions_control' => $aDynamicControls,
         );
         return $oTemplate->render($aTemplateData);
     }
@@ -245,7 +245,7 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
                         }
                     }
                 }
-            }        
+            }
         }
@@ -257,7 +257,7 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
                 $aWorkflowControls[$oAssignment->getPermissionId()] = true;
                 unset($aDynamicControls[$oAssignment->getPermissionId()]);
             }
-        }       
+        }
         $aTemplateData = array(
@@ -273,7 +273,7 @@ class KTDocumentPermissionsAction extends KTDocumentAction {
             "edit" => $bEdit,
             "inherited" => $sInherited,
             'workflow_controls' => $aWorkflowControls,
-            'conditions_control' => $aDynamicControls,             
+            'conditions_control' => $aDynamicControls,
         );
         return $oTemplate->render($aTemplateData);
     }
@@ -295,19 +295,19 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         $this->oPage->setBreadcrumbDetails(_kt("Allocate Roles"));
         $oTemplating =& KTTemplating::getSingleton();
         $oTemplate = $oTemplating->loadTemplate("ktcore/folder/roles");
-        
+
         // we need to have:
         //   - a list of roles
         //   - with their users / groups
         //   - and that allocation id
         $aRoles = array(); // stores data for display.
-        
+
         $aRoleList = Role::getList('id > 0');
         foreach ($aRoleList as $oRole) {
             $iRoleId = $oRole->getId();
             $aRoles[$iRoleId] = array("name" => $oRole->getName());
             $oRoleAllocation = RoleAllocation::getAllocationsForFolderAndRole($this->oFolder->getId(), $iRoleId);
-            
+
             $u = array();
             $g = array();
             $aid = null;
@@ -335,15 +335,15 @@ class KTRoleAllocationPlugin extends KTFolderAction {
             $aRoles[$iRoleId]['allocation_id'] = $aid;
             $aRoles[$iRoleId]['real_allocation_id'] = $raid;
         }
-        
+
         /*
         print '<pre>';
         var_dump($aRoles);
         print '</pre>';
         */
-        
-        
+
+
         // FIXME this is test data.
         /*
         $aRoles = array(
@@ -352,10 +352,10 @@ class KTRoleAllocationPlugin extends KTFolderAction {
             3 => array('name' => 'Inherited', 'users' => array(), 'groups' => array(1), 'allocation_id' => null),
         );
         */
-        
-        
+
+
         // final step.
-        
+
         // map to users, groups.
         foreach ($aRoles as $key => $role) {
             $_users = array();
@@ -366,11 +366,11 @@ class KTRoleAllocationPlugin extends KTFolderAction {
                 }
             }
 			if (empty($_users)) {
-			    $aRoles[$key]['users'] = '<span class="descriptiveText"> ' . _kt('no users') . '</span>'; 	
+			    $aRoles[$key]['users'] = '<span class="descriptiveText"> ' . _kt('no users') . '</span>';
 			} else {
                 $aRoles[$key]['users'] = join(', ',$_users);
 			}
-            
+
             $_groups = array();
             foreach ($aRoles[$key]['groups'] as $iGroupId) {
                 $oGroup = Group::get($iGroupId);
@@ -379,22 +379,23 @@ class KTRoleAllocationPlugin extends KTFolderAction {
                 }
             }
 			if (empty($_groups)) {
-			    $aRoles[$key]['groups'] = '<span class="descriptiveText"> ' . _kt('no groups') . '</span>'; 	
+			    $aRoles[$key]['groups'] = '<span class="descriptiveText"> ' . _kt('no groups') . '</span>';
 			} else {
 			    $aRoles[$key]['groups'] = join(', ',$_groups);
 			}
         }
-        
+
         $aTemplateData = array(
             'context' => &$this,
             'roles' => $aRoles,
+            'folderName'=>$this->oFolder->getName(),
             'is_root' => ($this->oFolder->getId() == 1),
         );
         return $oTemplate->render($aTemplateData);
     }
-    
-    
-    
+
+
+
     function do_overrideParent() {
         $role_id = KTUtil::arrayGet($_REQUEST, 'role_id', null);
         $oRole = Role::get($role_id);
@@ -405,20 +406,20 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         $oRoleAllocation = new RoleAllocation();
         $oRoleAllocation->setFolderId($this->oFolder->getId());
         $oRoleAllocation->setRoleId($role_id);
-        
-        // create a new permission descriptor. 
+
+        // create a new permission descriptor.
         // FIXME we really want to duplicate the original (if it exists)
-        
+
         $aAllowed = array(); // no-op, for now.
 		$this->startTransaction();
-		
+
         $oRoleAllocation->setAllowed($aAllowed);
         $res = $oRoleAllocation->create();
-		
+
 		if (PEAR::isError($res) || ($res == false)) {
 			$this->errorRedirectToMain(_kt('Failed to create the role allocation.') . print_r($res, true), sprintf('fFolderId=%d', $this->oFolder->getId()));
 		}
-        
+
         $oTransaction = KTFolderTransaction::createFromArray(array(
             'folderid' => $this->oFolder->getId(),
             'comment' => _kt('Override parent allocation'),
@@ -452,42 +453,42 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         	$oRoleAllocation->setAllowed($aAllowed);
         	$res = $oRoleAllocation->update();
-        	
-        	if (PEAR::isError($res) || ($res == false)) 
+
+        	if (PEAR::isError($res) || ($res == false))
         	{
 				$this->errorRedirectToMain(_kt('Failed to create the role allocation.') . print_r($res, true), sprintf('fFolderId=%d', $this->oFolder->getId()));
 			}
         }
-        
+
         // regenerate permissions
-        
+
 		$this->renegeratePermissionsForRole($oRoleAllocation->getRoleId());
         $this->successRedirectToMain(_kt('Role allocation created.'), sprintf('fFolderId=%d', $this->oFolder->getId()));
     }
-    
-    function do_useParent() { 
+
+    function do_useParent() {
         $role_id = KTUtil::arrayGet($_REQUEST, 'role_id', null);
         $oRole = Role::get($role_id);
         if (PEAR::isError($oRole)) {
-            $this->errorRedirectToMain(_kt('Invalid Role.'), sprintf('fFolderId=%d',$this->oFolder->getId())); 
+            $this->errorRedirectToMain(_kt('Invalid Role.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
         }
         $role_id = $oRole->getId(); // numeric, for various testing purposes.
-        
+
         $oRoleAllocation = RoleAllocation::getAllocationsForFolderAndRole($this->oFolder->getId(), $role_id);
-        
+
         if ($oRoleAllocation->getFolderId() != $this->oFolder->getId()) {
-            $this->errorRedirectToMain(_kt('Already using a different descriptor.'), sprintf('fFolderId=%d',$this->oFolder->getId())); 
-        } 
+            $this->errorRedirectToMain(_kt('Already using a different descriptor.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
+        }
         $this->startTransaction();
-		
+
         $res = $oRoleAllocation->delete();
-		
+
         if (PEAR::isError($res) || ($res == false)) {
-            $this->errorRedirectToMain(_kt('Unable to change role allocation.') . print_r($res, true), sprintf('fFolderId=%d',$this->oFolder->getId())); 
+            $this->errorRedirectToMain(_kt('Unable to change role allocation.') . print_r($res, true), sprintf('fFolderId=%d',$this->oFolder->getId()));
             exit(0);
         }
-		
+
         $oTransaction = KTFolderTransaction::createFromArray(array(
             'folderid' => $this->oFolder->getId(),
             'comment' => _kt('Use parent allocation'),
@@ -503,34 +504,34 @@ class KTRoleAllocationPlugin extends KTFolderAction {
 		$this->renegeratePermissionsForRole($oRoleAllocation->getRoleId());
-        $this->successRedirectToMain(_kt('Role now uses parent.'), sprintf('fFolderId=%d',$this->oFolder->getId())); 
+        $this->successRedirectToMain(_kt('Role now uses parent.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
     }
-    
+
     function rootoverride($role_id) {
         if ($this->oFolder->getId() != 1) {
             $this->errorRedirectToMain(_kt("Cannot create allocation for non-root locations."));
         }
-        
+
         $oRoleAllocation = new RoleAllocation();
         $oRoleAllocation->setFolderId($this->oFolder->getId());
         $oRoleAllocation->setRoleId($role_id);
-        
-        // create a new permission descriptor. 
+
+        // create a new permission descriptor.
         // FIXME we really want to duplicate the original (if it exists)
-        
+
         $aAllowed = array(); // no-op, for now.
 		$this->startTransaction();
-		
+
         $oRoleAllocation->setAllowed($aAllowed);
         $res = $oRoleAllocation->create();
-		
+
 		if (PEAR::isError($res) || ($res == false)) {
 			$this->errorRedirectToMain(_kt('Failed to create the role allocation.') . print_r($res, true), sprintf('fFolderId=%d', $this->oFolder->getId()));
 		}
-		
+
 		return $oRoleAllocation;
     }
-    
+
     function do_editRoleUsers() {
         $role_allocation_id = KTUtil::arrayGet($_REQUEST, 'alloc_id');
@@ -542,22 +543,22 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         if ((PEAR::isError($oRoleAllocation)) || ($oRoleAllocation=== false)) {
             $this->errorRedirectToMain(_kt('No such role allocation.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
         }
-        
-        
+
+
         $this->oPage->setBreadcrumbDetails(_kt('Manage Users for Role'));
         $this->oPage->setTitle(sprintf(_kt('Manage Users for Role')));
-        
+
         $initJS = 'var optGroup = new OptionTransfer("userSelect","chosenUsers"); ' .
         'function startTrans() { var f = getElement("userroleform"); ' .
         ' optGroup.saveNewRightOptions("userFinal"); ' .
         ' optGroup.init(f); }; ' .
-        ' addLoadEvent(startTrans); '; 
+        ' addLoadEvent(startTrans); ';
         $this->oPage->requireJSStandalone($initJS);
-        
+
         $aInitialUsers = $oRoleAllocation->getUsers();
         $aAllUsers = User::getList();
-        
-        
+
+
         // FIXME this is massively non-performant for large userbases..
         $aRoleUsers = array();
         $aFreeUsers = array();
@@ -569,8 +570,8 @@ class KTRoleAllocationPlugin extends KTFolderAction {
                 $aFreeUsers[$oUser->getId()] = $oUser;
             }
         }
-        
-        $oTemplating =& KTTemplating::getSingleton();        
+
+        $oTemplating =& KTTemplating::getSingleton();
         $oTemplate = $oTemplating->loadTemplate("ktcore/folder/roles_manageusers");
         $aTemplateData = array(
             "context" => $this,
@@ -580,8 +581,8 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         );
         return $oTemplate->render($aTemplateData);
     }
-	
-    function do_editRoleGroups() { 
+
+    function do_editRoleGroups() {
         $role_allocation_id = KTUtil::arrayGet($_REQUEST, 'alloc_id');
         if (($this->oFolder->getId() == 1) && is_null($role_allocation_id)) {
@@ -592,22 +593,22 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         if ((PEAR::isError($oRoleAllocation)) || ($oRoleAllocation=== false)) {
             $this->errorRedirectToMain(_kt('No such role allocation.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
         }
-        
-        $oRole = Role::get($oRoleAllocation->getRoleId());             
+
+        $oRole = Role::get($oRoleAllocation->getRoleId());
         $this->oPage->setBreadcrumbDetails(_kt('Manage Groups for Role'));
         $this->oPage->setTitle(sprintf(_kt('Manage Groups for Role "%s"'), $oRole->getName()));
-        
+
         $initJS = 'var optGroup = new OptionTransfer("groupSelect","chosenGroups"); ' .
         'function startTrans() { var f = getElement("grouproleform"); ' .
         ' optGroup.saveNewRightOptions("groupFinal"); ' .
         ' optGroup.init(f); }; ' .
-        ' addLoadEvent(startTrans); '; 
+        ' addLoadEvent(startTrans); ';
         $this->oPage->requireJSStandalone($initJS);
-        
+
         $aInitialUsers = $oRoleAllocation->getGroups();
         $aAllUsers = Group::getList();
-        
-        
+
+
         // FIXME this is massively non-performant for large userbases..
         $aRoleUsers = array();
         $aFreeUsers = array();
@@ -619,10 +620,10 @@ class KTRoleAllocationPlugin extends KTFolderAction {
                 $aFreeUsers[$oGroup->getId()] = $oGroup;
             }
         }
-        
-   
-        
-        $oTemplating =& KTTemplating::getSingleton();        
+
+
+
+        $oTemplating =& KTTemplating::getSingleton();
         $oTemplate = $oTemplating->loadTemplate("ktcore/folder/roles_managegroups");
         $aTemplateData = array(
             "context" => $this,
@@ -633,7 +634,7 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         );
         return $oTemplate->render($aTemplateData);
 	}
-    
+
     function do_setRoleUsers() {
         $role_allocation_id = KTUtil::arrayGet($_REQUEST, 'allocation_id');
@@ -653,24 +654,24 @@ class KTRoleAllocationPlugin extends KTFolderAction {
 			}
 		}
 		if (empty($aFinalUserIds)) { $aFinalUserIds = null; }
-		
+
 		// hack straight in.
 		$oPD = $oRoleAllocation->getPermissionDescriptor();
-		$aAllowed = $oPD->getAllowed();		
-		
-		
-		
+		$aAllowed = $oPD->getAllowed();
+
+
+
 		// now, grab the existing allowed and modify.
 		$aAllowed['user'] = $aFinalUserIds;
-		
+
 		$oRoleAllocation->setAllowed($aAllowed);
 		$res = $oRoleAllocation->update();
-		
+
 		if (PEAR::isError($res) || ($res == false)) {
 			$this->errorRedirectToMain(_kt('Failed to change the role allocation.') . print_r($res, true), sprintf('fFolderId=%d', $this->oFolder->getId()));
 		}
-		
+
         $oTransaction = KTFolderTransaction::createFromArray(array(
             'folderid' => $this->oFolder->getId(),
             'comment' => _kt('Set role users'),
@@ -685,12 +686,12 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         $this->oValidator->notErrorFalse($oTransaction, $aOptions);
 		$this->renegeratePermissionsForRole($oRoleAllocation->getRoleId());
-		
-        $this->successRedirectToMain(_kt('Allocation changed.'), sprintf('fFolderId=%d',$this->oFolder->getId())); 
+
+        $this->successRedirectToMain(_kt('Allocation changed.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
     }
-    
+
     function do_setRoleGroups() {
-	    
+
         $role_allocation_id = KTUtil::arrayGet($_REQUEST, 'allocation_id');
         $oRoleAllocation = RoleAllocation::get($role_allocation_id);
         if ((PEAR::isError($oRoleAllocation)) || ($oRoleAllocation=== false)) {
@@ -708,24 +709,24 @@ class KTRoleAllocationPlugin extends KTFolderAction {
 			}
 		}
 		if (empty($aFinalGroupIds)) { $aFinalGroupIds = null; }
-		
+
 		// hack straight in.
 		$oPD = $oRoleAllocation->getPermissionDescriptor();
-		$aAllowed = $oPD->getAllowed();		
-		
-		
-		
+		$aAllowed = $oPD->getAllowed();
+
+
+
 		// now, grab the existing allowed and modify.
 		$aAllowed['group'] = $aFinalGroupIds;
-		
+
 		$oRoleAllocation->setAllowed($aAllowed);
 		$res = $oRoleAllocation->update();
-		
+
 		if (PEAR::isError($res) || ($res == false)) {
 			$this->errorRedirectToMain(_kt('Failed to change the role allocation.') . print_r($res, true), sprintf('fFolderId=%d', $this->oFolder->getId()));
 		}
-		
+
         $oTransaction = KTFolderTransaction::createFromArray(array(
             'folderid' => $this->oFolder->getId(),
             'comment' => _kt('Set role groups'),
@@ -740,14 +741,14 @@ class KTRoleAllocationPlugin extends KTFolderAction {
         $this->oValidator->notErrorFalse($oTransaction, $aOptions);
 		$this->renegeratePermissionsForRole($oRoleAllocation->getRoleId());
-		
-        $this->successRedirectToMain(_kt('Allocation changed.'), sprintf('fFolderId=%d',$this->oFolder->getId()));     
+
+        $this->successRedirectToMain(_kt('Allocation changed.'), sprintf('fFolderId=%d',$this->oFolder->getId()));
     }
-   	
+
 	function renegeratePermissionsForRole($iRoleId) {
 	    $iStartFolderId = $this->oFolder->getId();
-		/* 
-		 * 1. find all folders & documents "below" this one which use the role 
+		/*
+		 * 1. find all folders & documents "below" this one which use the role
 		 *    definition _active_ (not necessarily present) at this point.
 		 * 2. tell permissionutil to regen their permissions.
 		 *
@@ -755,7 +756,7 @@ class KTRoleAllocationPlugin extends KTFolderAction {
 		 *
 		 *  folder_queue <- (iStartFolderId)
 		 *  while folder_queue is not empty:
-		 *     active_folder = 
+		 *     active_folder =
 		 *     for each folder in the active_folder:
 		 *         find folders in _this_ folder without a role-allocation on the iRoleId
 		 *            add them to the folder_queue
@@ -763,38 +764,38 @@ class KTRoleAllocationPlugin extends KTFolderAction {
 		 *         find documents in this folder:
 		 *            update their permissions.
 		 */
-		
+
 		$sRoleAllocTable = KTUtil::getTableName('role_allocations');
 		$sFolderTable = KTUtil::getTableName('folders');
 		$sQuery = sprintf('SELECT f.id as id FROM %s AS f LEFT JOIN %s AS ra ON (f.id = ra.folder_id) WHERE ra.id IS NULL AND f.parent_id = ?', $sFolderTable, $sRoleAllocTable);
-		
-		
+
+
 		$folder_queue = array($iStartFolderId);
 		while (!empty($folder_queue)) {
 			$active_folder = array_pop($folder_queue);
-			
-			$aParams = array($active_folder);			
-			
+
+			$aParams = array($active_folder);
+
 			$aNewFolders = DBUtil::getResultArrayKey(array($sQuery, $aParams), 'id');
 			if (PEAR::isError($aNewFolders)) {
 				$this->errorRedirectToMain(_kt('Failure to generate folderlisting.'));
 			}
 			$folder_queue = kt_array_merge ($folder_queue, (array) $aNewFolders); // push.
-			
+
 			// update the folder.
 			$oFolder =& Folder::get($active_folder);
 			if (PEAR::isError($oFolder) || ($oFolder == false)) {
 			    $this->errorRedirectToMain(_kt('Unable to locate folder: ') . $active_folder);
 			}
-			
+
 			KTPermissionUtil::updatePermissionLookup($oFolder);
 			$aDocList =& Document::getList(array('folder_id = ?', $active_folder));
 			if (PEAR::isError($aDocList) || ($aDocList === false)) {
 			    $this->errorRedirectToMain(sprintf(_kt('Unable to get documents in folder %s: %s'), $active_folder, $aDocList->getMessage()));
 			}
-			
-			foreach ($aDocList as $oDoc) { 
+
+			foreach ($aDocList as $oDoc) {
 			    if (!PEAR::isError($oDoc)) {
 			        KTPermissionUtil::updatePermissionLookup($oDoc);
 				}
@@ -818,13 +819,13 @@ class KTDocumentRolesAction extends KTDocumentAction {
         $this->oPage->setBreadcrumbDetails(_kt("View Roles"));
         $oTemplating = new KTTemplating;
         $oTemplate = $oTemplating->loadTemplate("ktcore/action/view_roles");
-        
+
         // we need to have:
         //   - a list of roles
         //   - with their users / groups
         //   - and that allocation id
         $aRoles = array(); // stores data for display.
-        
+
         $aRoleList = Role::getList();
         foreach ($aRoleList as $oRole) {
             $iRoleId = $oRole->getId();
@@ -833,7 +834,7 @@ class KTDocumentRolesAction extends KTDocumentAction {
 			if (is_null($oRoleAllocation)) {
 				$oRoleAllocation = RoleAllocation::getAllocationsForFolderAndRole($this->oDocument->getFolderID(), $iRoleId);
 			}
-            
+
             $u = array();
             $g = array();
             $aid = null;
@@ -855,12 +856,12 @@ class KTDocumentRolesAction extends KTDocumentAction {
             $aRoles[$iRoleId]['users'] = $u;
             $aRoles[$iRoleId]['groups'] = $g;
             $aRoles[$iRoleId]['real_allocation_id'] = $raid;
-        }     
-        
+        }
+
         // final step.
-        
+
         // map to users, groups.
-        foreach ($aRoles as $key => $role) {          
+        foreach ($aRoles as $key => $role) {
             $_users = array();
             foreach ($aRoles[$key]['users'] as $iUserId) {
                 $oUser = User::get($iUserId);
@@ -869,11 +870,11 @@ class KTDocumentRolesAction extends KTDocumentAction {
                 }
             }
 			if (empty($_users)) {
-			    $aRoles[$key]['users'] = '<span class="descriptiveText"> ' . _kt('no users') . '</span>'; 	
+			    $aRoles[$key]['users'] = '<span class="descriptiveText"> ' . _kt('no users') . '</span>';
 			} else {
 			    $aRoles[$key]['users'] = implode(', ',$_users);
-			}		
-		
+			}
+
             $_groups = array();
             foreach ($aRoles[$key]['groups'] as $iGroupId) {
                 $oGroup = Group::get($iGroupId);
@@ -882,12 +883,12 @@ class KTDocumentRolesAction extends KTDocumentAction {
                 }
             }
 			if (empty($_groups)) {
-			    $aRoles[$key]['groups'] = '<span class="descriptiveText"> ' . _kt('no groups') . '</span>'; 	
+			    $aRoles[$key]['groups'] = '<span class="descriptiveText"> ' . _kt('no groups') . '</span>';
 			} else {
 			    $aRoles[$key]['groups'] = implode(', ',$_groups);
 			}
         }
-        
+
         $aTemplateData = array(
             'context' => &$this,
             'roles' => $aRoles,
@@ -7,7 +7,7 @@
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -18,9 +18,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -48,13 +48,13 @@ $oCR-&gt;getColumn(&#39;ktcore.columns.title&#39;);
 class KTDocumentLinkTitle extends AdvancedTitleColumn {
     var $namespace = 'ktdocumentlinks.columns.title';
-    function renderDocumentLink($aDataRow) {        
+    function renderDocumentLink($aDataRow) {
         $aOptions = $this->getOptions();
         $fParentDocId = KTUtil::arrayGet(KTUtil::arrayGet($aOptions, 'qs_params', array()),
                                          'fDocumentId', False);
         if ((int)$aDataRow["document"]->getId() === (int)$fParentDocId) {
-            return $aDataRow["document"]->getName() . 
+            return htmlentities($aDataRow["document"]->getName(),ENT_QUOTES, 'UTF-8') .
                 ' <span class="descriptiveText">(' . _kt('you cannot link to the source document') . ')';
         } else {
             return parent::renderDocumentLink($aDataRow);
@@ -4,7 +4,7 @@
  * License Version 1.1.2 ("License"); You may not use this file except in
  * compliance with the License. You may obtain a copy of the License at
  * http://www.knowledgetree.com/KPL
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
  * See the License for the specific language governing rights and
@@ -15,9 +15,9 @@
  *    (ii) the KnowledgeTree copyright notice
  * in the same form as they appear in the distribution.  See the License for
  * requirements.
- * 
+ *
  * The Original Code is: KnowledgeTree Open Source
- * 
+ *
  * The Initial Developer of the Original Code is The Jam Warehouse Software
  * (Pty) Ltd, trading as KnowledgeTree.
  * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -52,7 +52,7 @@ class KTrss{
     	$sQuery = "SELECT id, url, title FROM plugin_rss WHERE user_id = ?";
         $aParams = array($iUserId);
         $aFeeds = DBUtil::getResultArray(array($sQuery, $aParams));
-        
+
         if (PEAR::isError($aFeeds)) {
             // XXX: log error
             return false;
@@ -61,7 +61,7 @@ class KTrss{
             return $aFeeds;
         }
     }
-    
+
     // Gets full listing of data of documents and folders subscribed to
     function getInternalFeed($iUserId){
     	$documents=KTrss::getDocuments($iUserId);
@@ -75,13 +75,13 @@ class KTrss{
     	}
     	return $response;
     }
-    
+
     // Get list of document subscriptions
     function getDocumentList($iUserId){
     	$sQuery = "SELECT document_id as id FROM document_subscriptions WHERE user_id = ?";
         $aParams = array($iUserId);
         $aDocumentList = DBUtil::getResultArrayKey(array($sQuery, $aParams), 'id');
-        
+
         if (PEAR::isError($aDocumentList)) {
             // XXX: log error
             return false;
@@ -90,13 +90,13 @@ class KTrss{
             return $aDocumentList;
         }
     }
-    
+
     // Get list of folder subscriptions
     function getFolderList($iUserId){
     	$sQuery = "SELECT folder_id as id, is_tree as tree FROM folder_subscriptions WHERE user_id = ?";
         $aParams = array($iUserId);
         $aFolderList = DBUtil::getResultArray(array($sQuery, $aParams));
-        
+
         if (PEAR::isError($aFolderList)) {
             // XXX: log error
             return false;
@@ -105,14 +105,14 @@ class KTrss{
             return $aFolderList;
         }
     }
-    
+
     // Get data for all documents subscribed to
     function getDocuments($iUserId){
     	$aDList = KTrss::getDocumentList($iUserId);
     	if($aDList){
 	    	foreach($aDList as $document_id){
 		        $document = KTrss::getOneDocument($document_id, $iUserId);
-		        if($document){				
+		        if($document){
 		        	$aDocuments[] = $document;
 		        }
 	    	}
@@ -125,7 +125,7 @@ class KTrss{
             return $aDocuments;
         }
     }
-    
+
     // Get data for all folders subscribed to
     function getFolders($iUserId){
     	$aFList = KTrss::getFolderList($iUserId);
@@ -139,7 +139,7 @@ class KTrss{
 		        }
 	    	}
     	}
-    	
+
     	if (PEAR::isError($aFolders)) {
             // XXX: log error
             return false;
@@ -148,13 +148,13 @@ class KTrss{
             return $aFolders;
         }
     }
-    
+
     function getChildrenFolderTransactions($iParentFolderId, $depth = '1'){
     	if($depth == '1'){
 	    	$sQuery = "SELECT id from folders WHERE parent_folder_ids LIKE ?";
 	    	$aParams = array('%'.$iParentFolderId);
     	}//else
-        
+
         $aFolderList = DBUtil::getResultArray(array($sQuery, $aParams));
         if (PEAR::isError($aFolderList)) {
             // XXX: log error
@@ -162,7 +162,7 @@ class KTrss{
         }
         if ($aFolderList) {
             foreach($aFolderList as $folderElement){
-		        $folder_id = $folderElement['id'];	        
+		        $folder_id = $folderElement['id'];
 		        $aFolderTransactions = array_merge($aFolderTransactions, KTrss::getFolderTransactions($folder_id));
 	    	}
         }
@@ -170,13 +170,13 @@ class KTrss{
             return $aFolderTransactions;
         }
     }
-    
+
     function getChildrenDocumentTransactions($iParentFolderId, $depth = '1'){
     	if($depth == '1'){
     		$sQuery = "SELECT id from documents WHERE parent_folder_ids LIKE ? ";
     		$aParams = array('%'.$iParentFolderId);
     	}//else
-        
+
         $aDocumentList = DBUtil::getResultArray(array($sQuery, $aParams));
         if (PEAR::isError($aDocumentList)) {
@@ -185,7 +185,7 @@ class KTrss{
         }
         if ($aDocumentList) {
             foreach($aDocumentList as $documentElement){
-		        $document_id = $documentElement['id'];       
+		        $document_id = $documentElement['id'];
 		        $aDocumentTransactions = array_merge($aDocumentTransactions, KTrss::getDocumentTransactions($document_id));
 	    	}
         }
@@ -193,19 +193,19 @@ class KTrss{
             return $aDocumentTransactions;
         }
     }
-    
+
     // get information on document
     function getOneDocument($iDocumentId, $iUserId){
         $aDData = KTrss::getDocumentData($iUserId, $iDocumentId);
         $aDTransactions = KTrss::getDocumentTransactions($iDocumentId);
         if($aDData){
         	$aDData['itemType'] = 'document';
-        	
+
     		// create mime info
 			$aMimeInfo = KTrss::getMimeTypeInfo($iUserId, $iDocumentId);
 			$aDData['mimeTypeFName'] = $aMimeInfo['typeFName'];
 			$aDData['mimeTypeIcon'] = $aMimeInfo['typeIcon'];
-			
+
         	$aDocument[] = $aDData;
         	$aDocument[] = $aDTransactions;
         }
@@ -216,33 +216,33 @@ class KTrss{
             return $aDocument;
         }
     }
-	
+
     // get information for folder
     function getOneFolder($iFolderId){
     	$aFData = KTrss::getFolderData($iFolderId);
         $aFTransactions = array_merge(KTrss::getChildrenFolderTransactions($iFolderId), KTrss::getFolderTransactions($iFolderId));
         $aFTransactions = array_merge($aFTransactions, KTrss::getChildrenDocumentTransactions($iFolderId));
-        
+
         $code = 'if (strtotime($a[datetime]) == strtotime($b[datetime])){
 	        return 0;
 	    }
 	    return (strtotime($a[datetime]) > strtotime($b[datetime])) ? -1 : 1;';
-        
+
 		$compare = create_function('$a,$b', $code);
-		
+
         usort($aFTransactions, $compare);
         for($i=0; $i<4; $i++){
         	$aFTransactions_new[] = $aFTransactions[$i];
         }
 		$aFTransactions = $aFTransactions_new;
-		
+
         if($aFData){
         	$aFData['itemType'] = 'folder';
-        	
+
     		// create mime info
 			$aFData['mimeTypeFName'] = 'Folder';
 			$aFData['mimeTypeIcon'] = KTrss::getFolderIcon();
-			
+
         	$aFolder[] = $aFData;
         	$aFolder[] = $aFTransactions;
         	$aFolderBox[] = $aFolder;
@@ -254,7 +254,7 @@ class KTrss{
             return $aFolder;
         }
     }
-    
+
     // Takes in an array as a parameter and returns rss2.0 compatible xml
     function arrayToXML($aItems){
     	// Build path to host
@@ -282,7 +282,7 @@ class KTrss{
 	    		$sTypeSelect = 'document.transactionhistory&amp;fDocumentId';
 	    	}
 	    	$feed .= "<item>\n" .
-	    	         	"<title>".$aItems[0][0][name]."</title>\n" .
+	    	         	"<title>".htmlentities($aItems[0][0][name],ENT_QUOTES, 'UTF-8')."</title>\n" .
 	    	         	"<link>".$hostPath."action.php?kt_path_info=ktcore.actions.".$sTypeSelect."=".$aItems[0][0]['id']."</link>\n" .
 	    	         	"<description>\n" .
 	    	         	"&lt;table border='0' width='90%'&gt;\n".
@@ -291,14 +291,14 @@ class KTrss{
 									"&lt;a href='".$hostPath."action.php?kt_path_info=ktcore.actions.".$sTypeSelect."=".$aItems[0][0][id]."' &gt;&lt;img src='".$aItems[0][mimeTypeIcon]."' align='left' height='16px' width='16px' alt='' border='0' /&gt;&lt;/a&gt;" .
 								"&lt;/td&gt;\n".
 								"&lt;td align='left'&gt; ".$aItems[0][mimeTypeFName]."&lt;/td&gt;\n".
-							"&lt;/tr&gt;\n".					
+							"&lt;/tr&gt;\n".
 							"&lt;tr&gt;\n".
 								"&lt;td colspan='2'&gt;\n".
 									ucfirst($aItems[0]['itemType'])." Information (ID: ".$aItems[0][0][id].")&lt;/&gt;\n".
 									"&lt;hr&gt;\n".
 									"&lt;table width='95%'&gt;\n".
 										"&lt;tr&gt;\n".
-											"&lt;td&gt;Filename: ".$aItems[0][0][filename]."&lt;/td&gt;\n".
+											"&lt;td&gt;Filename: ".str_replace('&','&amp;',htmlentities($aItems[0][0][filename],ENT_QUOTES, 'UTF-8'))."&lt;/td&gt;\n".
 											"&lt;td&gt;\n".
 										"&lt;/tr&gt;\n".
 										"&lt;tr&gt;\n".
@@ -326,11 +326,11 @@ class KTrss{
 										foreach($aItems[1] as $item){
 										$feed .= "&lt;tr&gt;\n".
 											"&lt;td&gt;".$item[type]." name:&lt;/td&gt;\n".
-											"&lt;td&gt;".$item[name]."&lt;/td&gt;\n".
+											"&lt;td&gt;".str_replace('&','&amp;',htmlentities($item[name],ENT_QUOTES, 'UTF-8'))."&lt;/td&gt;\n".
 										"&lt;/tr&gt;\n".
 										"&lt;tr&gt;\n".
 											"&lt;td&gt;Path:&lt;/td&gt;\n".
-											"&lt;td&gt;".$item[fullpath]."&lt;/td&gt;\n".
+											"&lt;td&gt;".str_replace('&','&amp;',htmlentities($item[fullpath],ENT_QUOTES, 'UTF-8'))."&lt;/td&gt;\n".
 										"&lt;/tr&gt;\n".
 										"&lt;tr&gt;\n".
 											"&lt;td&gt;Transaction:&lt;/td&gt;\n".
@@ -338,7 +338,7 @@ class KTrss{
 										"&lt;/tr&gt;\n".
 										"&lt;tr&gt;\n".
 											"&lt;td&gt;Comment:&lt;/td&gt;\n".
-											"&lt;td&gt;".$item[comment]."&lt;/td&gt;\n".
+											"&lt;td&gt;".str_replace('&','&amp;',htmlentities($item[comment],ENT_QUOTES, 'UTF-8'))."&lt;/td&gt;\n".
 										"&lt;/tr&gt;\n".
 										"&lt;tr&gt;\n";if($item[version]){
 											$feed .= "&lt;td&gt;Version:&lt;/td&gt;\n".
@@ -354,7 +354,7 @@ class KTrss{
 										"&lt;/tr&gt;\n".
 										"&lt;tr&gt;\n".
 											"&lt;td colspan='2'&gt;&lt;hr width='100' align='left'&gt;&lt;/td&gt;\n".
-										"&lt;/tr&gt;\n";}		
+										"&lt;/tr&gt;\n";}
 								$feed .= "&lt;/table&gt;\n".
 								"&lt;/td&gt;\n".
 							"&lt;/tr&gt;\n".
@@ -364,10 +364,10 @@ class KTrss{
 	    }
 	    $feed .= "</channel>\n" .
 	    		 "</rss>\n";
-	    		 
-	   return $feed;		
+
+	   return $feed;
     }
-    
+
     // Takes in an array as a parameter and returns rss2.0 compatible xml
     function errorToXML($sError){
     	// Build path to host
@@ -394,21 +394,21 @@ class KTrss{
     			 "</item>\n";
 	    $feed .= "</channel>\n" .
 	    		 "</rss>\n";
-	    		 
-	   return $feed;		
+
+	   return $feed;
     }
-    
+
     // Delete feed function
     function deleteFeed($iFeedId){
     	$res = DBUtil::autoDelete('plugin_rss', $iFeedId);
     }
-    
+
     // Get title for external feed
     function getExternalFeedTitle($iFeedId){
     	$sQuery = "SELECT title FROM plugin_rss WHERE id = ?";
         $aParams = array($iFeedId);
         $sFeedTitle = DBUtil::getOneResultKey(array($sQuery, $aParams), 'title');
-        
+
         if (PEAR::isError($sFeedTitle)) {
             // XXX: log error
             return false;
@@ -417,13 +417,13 @@ class KTrss{
             return $sFeedTitle;
         }
     }
-    
+
     // Get url for external feed
     function getExternalFeedUrl($iFeedId){
     	$sQuery = "SELECT url FROM plugin_rss WHERE id = ?";
         $aParams = array($iFeedId);
         $sFeedUrl = DBUtil::getOneResultKey(array($sQuery, $aParams), 'url');
-        
+
         if (PEAR::isError($sFeedUrl)) {
             // XXX: log error
             return false;
@@ -432,16 +432,16 @@ class KTrss{
             return $sFeedUrl;
         }
     }
-    
+
     // Update external feed data
     function updateFeed($iFeedId, $sFeedTitle, $sFeedUrl){
     	$sQuery = "UPDATE plugin_rss SET title=?, url=? WHERE id=?";
         $aParams = array($sFeedTitle, $sFeedUrl, $iFeedId);
         $res = DBUtil::runQuery(array($sQuery, $aParams));
-        
+
         return $res;
     }
-    
+
     // Create new external feed
     function createFeed($sFeedTitle, $sFeedUrl, $iUserId){
         $aParams = array(
@@ -453,59 +453,59 @@ class KTrss{
         return $res;
     }
-    
+
     // Function to validate that a user has permissions for a specific document
     function validateDocumentPermissions($iUserId, $iDocumentId){
 		// check if user id is in session. If not, set it
 		if(!isset($_SESSION["userID"])){
-			$_SESSION['userID'] = $iUserId;	
+			$_SESSION['userID'] = $iUserId;
 		}
 		// get document object
 		$oDocument =& Document::get($iDocumentId);
 		if (PEAR::isError($oDocument)) {
             return false;
         }
-		
+
 		// check permissions for document
 		if(Permission::userHasDocumentReadPermission($oDocument)){
-		    return true;	
+		    return true;
 		}else{
 			return false;
 		}
 	}
-	
+
 	// Function to validate that a user has permissions for a specific folder
 	function validateFolderPermissions($iUserId, $iFolderId){
 		// check if user id is in session. If not, set it
 		if(!isset($_SESSION["userID"])){
-			$_SESSION['userID'] = $iUserId;	
+			$_SESSION['userID'] = $iUserId;
 		}
 		// get folder object
 		$oFolder = Folder::get($iFolderId);
 		if (PEAR::isError($oFolder)) {
             return false;
         }
-		
+
 		// check permissions for folder
 		if(Permission::userHasFolderReadPermission($oFolder)){
-		    return true;	
+		    return true;
 		}else{
 			return false;
 		}
 	}
-	
+
 	// get icon link for rss
 	function getRssLinkIcon(){
     	// built server path
         global $default;
     	$sHostPath = "http" . ($default->sslEnabled ? "s" : "") . "://".$_SERVER['HTTP_HOST']."/".$GLOBALS['KTRootUrl']."/";
-        
+
         // create image
         $icon = "<img src='".$sHostPath."resources/graphics/rss.gif' alt='RSS' border=0/>";
-        
+
         return $icon;
     }
-    
+
     // get rss link for a document/folder
     function getRssLink($iItemId, $sItemType){
         $item = strToLower($sItemType);
@@ -514,34 +514,34 @@ class KTrss{
         }else if($item == 'document'){
         	$sItemParameter = '?docId';
         }
-        
+
         // built server path
         global $default;
         $sHostPath = "http" . ($default->sslEnabled ? "s" : "") . "://" . $_SERVER['HTTP_HOST'];
-        
+
         // build link
     	$sLink = $sHostPath.KTBrowseUtil::buildBaseUrl('rss').$sItemParameter.'='.$iItemId;
-    	
+
     	return $sLink;
     }
-    
+
     // get rss icon link
     function getImageLink($iItemId, $sItemType){
     	return "<a href='".KTrss::getRssLink($iItemId, $sItemType)."' target='_blank'>".KTrss::getRssLinkIcon()."</a>";
     }
-    
+
     // get the mime type id for a document
     function getDocumentMimeTypeId($iUserId, $iDocumentId){
 		if(!isset($_SESSION["userID"])){
-			$_SESSION['userID'] = $iUserId;	
+			$_SESSION['userID'] = $iUserId;
 		}
 		// get document object
 		$oDocument =& Document::get($iDocumentId);
-		
+
 		$docMime = $oDocument->getMimeTypeID();
 		return $docMime;
 	}
-	
+
 	// get mime information for a document
     function getMimeTypeInfo($iUserId, $iDocumentId){
         global $default;
@@ -549,27 +549,27 @@ class KTrss{
 		$mimeinfo['typeName'] = KTMime::getMimeTypeName($mimeinfo['typeId']); // mime type name
 		$mimeinfo['typeFName'] = KTMime::getFriendlyNameForString($mimeinfo['typeName']); // mime type friendly name
 		$mimeinfo['typeIcon'] = "http" . ($default->sslEnabled ? "s" : "") . "://".$_SERVER['HTTP_HOST']."/".$GLOBALS['KTRootUrl']."/resources/mimetypes/".KTMime::getIconPath($mimeinfo['typeId']).".png"; //icon path
-		
+
 		return $mimeinfo;
     }
-    
+
     // get the default folder icon
     function getFolderIcon(){
     	global $default;
     	return $mimeinfo['typeIcon'] = "http" . ($default->sslEnabled ? "s" : "") . "://".$_SERVER['HTTP_HOST']."/".$GLOBALS['KTRootUrl']."/thirdparty/icon-theme/16x16/mimetypes/x-directory-normal.png"; //icon path
     }
-    
+
     // get a document information
     function getDocumentData($iUserId, $iDocumentId){
     	if(!isset($_SESSION["userID"])){
-			$_SESSION['userID'] = $iUserId;	
+			$_SESSION['userID'] = $iUserId;
 		}
 		// get document object
 		$oDocument =& Document::get($iDocumentId);
-		
+
 		$cv = $oDocument->getContentVersionId();
 		$mv = $oDocument->getMetadataVersionId();
-		
+
 		$sQuery = "SELECT dcv.document_id AS id, dmver.name AS name, dcv.filename AS filename, c.name AS author, o.name AS owner, dtl.name AS type, dwfs.name AS workflow_status " .
 				"FROM documents AS d LEFT JOIN document_content_version AS dcv ON d.id = dcv.document_id " .
 				"LEFT JOIN users AS o ON d.owner_id = o.id " .
@@ -582,14 +582,14 @@ class KTrss{
 				"AND dmver.id = ? " .
 				"AND dcv.id = ? " .
 				"LIMIT 1";
-		
+
 		$aParams = array($iDocumentId, $mv, $cv);
         $aDocumentData = DBUtil::getResultArray(array($sQuery, $aParams));
         if($aDocumentData){
 			return $aDocumentData;
         }
     }
-    
+
     // get a folder information
     function getFolderData($iFolderId){
 		$sQuery = "SELECT f.id AS id, f.name AS name, f.name AS filename, c.name AS author, o.name AS owner, f.description AS description " .
@@ -598,14 +598,14 @@ class KTrss{
 				"LEFT JOIN users AS c ON f.creator_id = c.id " .
 				"WHERE f.id = ? " .
 				"LIMIT 1";
-		
+
 		$aParams = array($iFolderId);
         $aFolderData = DBUtil::getResultArray(array($sQuery, $aParams));
         if($aFolderData){
 			return $aFolderData;
         }
     }
-    
+
     // get a listing of the latest 3 transactions for a document
     function getDocumentTransactions($iDocumentId){
     	$sQuery = "SELECT DT.datetime AS datetime, 'Document' AS type, DMV.name, D.full_path AS fullpath, DTT.name AS transaction_name, U.name AS user_name, DT.version AS version, DT.comment AS comment " .
@@ -616,14 +616,14 @@ class KTrss{
     			"WHERE DT.document_id = ? " .
     			"ORDER BY DT.datetime DESC " .
     			"LIMIT 4";
-    			
+
     	$aParams = array($iDocumentId);
     	$aDocumentTransactions = DBUtil::getResultArray(array($sQuery, $aParams));
     	if($aDocumentTransactions){
 			return $aDocumentTransactions;
         }
     }
-    
+
     // Get a listing of the latest 3 transactions for a folder
     function getFolderTransactions($iFolderId){
     	$sQuery = "SELECT FT.datetime AS datetime, 'Folder' AS type, F.name, F.full_path AS fullpath, DTT.name AS transaction_name, U.name AS user_name, FT.comment AS comment " .
@@ -633,7 +633,7 @@ class KTrss{
     			"WHERE FT.folder_id = ? " .
     			"ORDER BY FT.datetime DESC " .
     			"LIMIT 4";
-    			
+
     	$aParams = array($iFolderId);
     	$aFolderTransactions = DBUtil::getResultArray(array($sQuery, $aParams));
     	if($iFolderId){
@@ -9,13 +9,13 @@
 		{/if}
 		{if $feedlist}
 		{section name=feed loop=$feedlist}
-		<option value='{$feedlist[feed].url}'>{$feedlist[feed].title}</option>
+		<option value='{$feedlist[feed].url}'>{$feedlist[feed].title|sanitize}</option>
 		{/section}
 		{/if}
 	</select>
 	{if ($action.url)}<a href="{$action.url}"
-{if $action.description}title="{$action.description}"{/if}
-     >{$action.name}</a>{else}{$action.name}{/if}
+{if $action.description}title="{$action.description|sanitize}"{/if}
+     >{$action.name}</a>{else}{$action.name|sanitize}{/if}
 	</form>
 	{/if}
 </div>
@@ -26,7 +26,7 @@
 		<table width='90%'>
 		    {section name=i start=0 loop=$itemcount}
 			<tr>
-				<td><strong><a href='{$internalrss.items[i].link}'>{$internalrss.items[i].title}</a><strong></td>
+				<td><strong><a href='{$internalrss.items[i].link}'>{$internalrss.items[i].title|sanitize}</a><strong></td>
 			</tr>
 			<tr>
 				<td>{$internalrss.items[i].description}</td>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}RSS for Document{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}RSS for Document{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p>
 {i18n}You can copy the following link into any RSS aggregator to create a feed to the selected document.{/i18n}
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}RSS for folder{/i18n}: {$context->oFolder->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}RSS for folder{/i18n}: {$context->oFolder->getName()|sanitize}</h2>
 <p>
 {i18n}You can copy the following link into any RSS aggregator to create a feed to the selected folder.{/i18n}
 <ul>
@@ -8,9 +8,9 @@
     <table class="metadatatable" cellspacing="0" cellpadding="5">
     <tr class="even first">
         <th>{i18n}Document Filename{/i18n}</th>
-        <td>{$filename|wordwrap:40:"\n":true} ({$context->_sizeHelper($document->getSize())})</td>
+        <td>{$filename|wordwrap:40:"\n":true|sanitize} ({$context->_sizeHelper($document->getSize())})</td>
     </tr>
-    
+
     <tr class="odd">
         <th>{i18n}File is a{/i18n}</th>
         <td>{$context->_mimeHelper($document->getMimeTypeID())}</td>
@@ -20,7 +20,7 @@
         <th>{i18n}Document Version{/i18n}</th>
         <td>{$document->getMajorVersionNumber()}.{$document->getMinorVersionNumber()}</td>
     </tr>
-        
+
     <tr class="odd">
         <th>{i18n}Created by{/i18n}</th>
         <td>{$creator} ({$creation_date})</td>
@@ -7,20 +7,20 @@
     <table class="metadatatable versioned" cellspacing="0" cellpadding="5">
-{capture assign="oldval"}{$comparison_title}{/capture}
-{capture assign="newval"}{$title}{/capture}    
+{capture assign="oldval"}{$comparison_title|sanitize}{/capture}
+{capture assign="newval"}{$title|sanitize}{/capture}
     <tr class="odd first">
         <th>{i18n}Document Title{/i18n}</th>
         <td class="current {if ($oldval != $newval)}different{/if}">{$newval}</td>
-        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>        
+        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>
     </tr>
-    
-{capture assign="oldval"}{$comparison_filename} ({$context->_sizeHelper($comparison_document->getSize())}){/capture}
-{capture assign="newval"}{$filename} ({$context->_sizeHelper($document->getSize())}){/capture}
+
+{capture assign="oldval"}{$comparison_filename|sanitize} ({$context->_sizeHelper($comparison_document->getSize())}){/capture}
+{capture assign="newval"}{$filename|sanitize} ({$context->_sizeHelper($document->getSize())}){/capture}
     <tr class="even">
         <th>{i18n}Document Filename{/i18n}</th>
         <td class="current {if ($oldval != $newval)}different{/if}">{$newval}</td>
-        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>        
+        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>
     </tr>
 {capture assign="oldval"}{$context->_mimeHelper($comparison_document->getMimeTypeID())}{/capture}
@@ -28,17 +28,17 @@
     <tr class="odd">
         <th>{i18n}File is a{/i18n}</th>
         <td class="current {if ($oldval != $newval)}different{/if}">{$newval}</td>
-        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>        
+        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>
     </tr>
-        
+
 {capture assign="oldval"}{$comparison_document->getMajorVersionNumber()}.{$comparison_document->getMinorVersionNumber()}{/capture}
 {capture assign="newval"}{$document->getMajorVersionNumber()}.{$document->getMinorVersionNumber()}{/capture}
     <tr class="even">
         <th>{i18n}Document Version{/i18n}</th>
         <td class="current {if ($oldval != $newval)}different{/if}">{$newval}</td>
-        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>        
+        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>
     </tr>
-        
+
     <tr class="odd">
         <th>{i18n}Created by{/i18n}</th>
         <td colspan="2">{$creator} ({$creation_date}) <span class="descriptiveText">({i18n}this cannot change between versions{/i18n})</td>
@@ -54,15 +54,15 @@
     <tr class="odd">
         <th>{i18n}Last update by{/i18n}</th>
         <td class="current {if ($oldval != $newval)}different{/if}">{$newval}</td>
-        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>        
+        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>
     </tr>
 {capture assign="oldval"}{$comparison_document_type}{/capture}
-{capture assign="newval"}{$document_type}{/capture}    
+{capture assign="newval"}{$document_type}{/capture}
     <tr class="even">
         <th>{i18n}Document Type{/i18n}</th>
         <td class="current {if ($oldval != $newval)}different{/if}">{$newval}</td>
-        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>        
+        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>
     </tr>
 {capture assign="oldval"}{if $comparison_workflow_state}
@@ -78,7 +78,7 @@
     <tr class="odd">
         <th>{i18n}Workflow status{/i18n}</th>
         <td class="current {if ($oldval != $newval)}different{/if}">{$newval}</td>
-        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>        
+        <td class="previous {if ($oldval != $newval)}different{/if}">{$oldval}</td>
     </tr>
     <tr class="even">
@@ -3,16 +3,16 @@
         <p class="descriptiveText">
         {$description}
     </p>
-    
+
     <table class="metadatatable" cellspacing="0" cellpadding="5">
       {foreach item=aFieldPair from=$fieldset_values name=fields}
     <tr class="{cycle values=even,odd} {if $smarty.foreach.fields.first}first{/if}">
         <th>{$aFieldPair.field->getName()}</th>
-        <td>{if ($aFieldPair.value !== null)}{$aFieldPair.value}
+        <td>{if ($aFieldPair.value !== null)}{$aFieldPair.value|sanitize}
             {else}<span class="descriptiveText">{i18n}no value{/i18n}</span>{/if}</td>
     </tr>
       {/foreach}
     </table>
-    
+
     <div class="floatClear"><!-- --> </div>
 </div>
@@ -7,17 +7,17 @@
         {i18n arg_name=$name}This is the data assigned to the
 <strong>#name#</strong> aspect of this document.{/i18n}
     </p>
-    
+
     <table class="metadatatable versioned" cellspacing="0" cellpadding="5">
       {foreach item=aFieldPair from=$fieldset_values name=fields}
     <tr class="{cycle values=even,odd} {if $smarty.foreach.fields.first}first{/if}">
         <th>{$aFieldPair.field->getName()}</th>
         <td class="current {if ($aFieldPair.current_value != $aFieldPair.previous_value)}different{/if}">
-            {if ($aFieldPair.current_value !== null)}{$aFieldPair.current_value}
+            {if ($aFieldPair.current_value !== null)}{$aFieldPair.current_value|sanitize}
             {else}<span class="descriptiveText">{i18n}no value in this version{/i18n}</span>{/if}</td>
         <td class="previous {if ($aFieldPair.current_value != $aFieldPair.previous_value)}different{/if}">
-            {if ($aFieldPair.previous_value !== null)}{$aFieldPair.previous_value}
-            {else}<span class="descriptiveText">{i18n}no value in this version{/i18n}</span>{/if}</td>            
+            {if ($aFieldPair.previous_value !== null)}{$aFieldPair.previous_value|sanitize}
+            {else}<span class="descriptiveText">{i18n}no value in this version{/i18n}</span>{/if}</td>
     </tr>
       {/foreach}
     </table>
@@ -3,12 +3,12 @@
 <html>
 <head>
     <title>{$page->title} | {$page->systemName}</title>
-    
+
     <!-- CSS Files. -->
     {foreach item=sResourceURL from=$page->getCSSResources()}
        <link rel="stylesheet" type="text/css" href="{$rootUrl}/{$sResourceURL}" />
     {/foreach}
-    
+
     <!-- Standalone CSS. -->
     {foreach item=sCSS from=$page->getCSSStandalone()}
        <style>
@@ -56,7 +56,7 @@
         FIXME:  page does not set user.
         {/if}
         &middot;
-        
+
         {foreach item=aMenuItem from=$page->userMenu name=prefmenu}
          {if ($aMenuItem.active == 1)}
@@ -76,20 +76,20 @@
 <span class="additional">{i18n}You are here{/i18n}: </span>
 {if ($page->breadcrumbSection !== false)}
    {if ($page->breadcrumbSection.url) }
-        <a href="{$page->breadcrumbSection.url}" class="primary">{$page->breadcrumbSection.label}</a> 
+        <a href="{$page->breadcrumbSection.url}" class="primary">{$page->breadcrumbSection.label}</a>
    {else}
-        <span  class="primary">{$page->breadcrumbSection.label}</span> 
+        <span  class="primary">{$page->breadcrumbSection.label}</span>
    {/if}
 {/if}
 {if (($page->breadcrumbSection !== false) && ($page->breadcrumbs !== false))}
-&raquo; 
+&raquo;
 {/if}
 {if ($page->breadcrumbs !== false)}
   {foreach item=aCrumb from=$page->breadcrumbs name=bc}
      {if ($aCrumb.url) }
-        <a href="{$aCrumb.url}">{$aCrumb.label}</a> 
+        <a href="{$aCrumb.url}">{$aCrumb.label|sanitize}</a>
      {else}
-        <span>{$aCrumb.label}</span> 
+        <span>{$aCrumb.label|sanitize}</span>
      {/if}
      {if (!$smarty.foreach.bc.last)}
         &raquo;
@@ -97,7 +97,7 @@
   {/foreach}
 {/if}
 {if ($page->breadcrumbDetails !== false)}
-<span class="additional">({$page->breadcrumbDetails})</span> 
+<span class="additional">({$page->breadcrumbDetails})</span>
 {/if}
 </div>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html> 
+<html>
 <head>
     <title>{$page->title}{if ($page->secondary_title != null)} &mdash; {$page->secondary_title}{/if} | {$page->systemName}</title>
-    
+
     <!-- CSS Files. -->
-    
+
     {foreach item=sResourceURL from=$page->getCSSResources()}
        <link rel="stylesheet" type="text/css" href="{$rootUrl}/{$sResourceURL}" />
     {/foreach}
@@ -14,17 +14,17 @@
 	<link rel="stylesheet" type="text/css" href="{$rootUrl}/{$sResourceURL}" />
 	{/foreach}
     {/if}
-    
+
        <link rel="stylesheet" type="text/css" href="{$rootUrl}/resources/css/kt-print.css"
            media="print" />
     <link rel="icon" href="{$rootUrl}/resources/favicon.ico" type="image/x-icon">
-    <link rel="shortcut icon" href="{$rootUrl}/resources/favicon.ico" type="image/x-icon"> 
+    <link rel="shortcut icon" href="{$rootUrl}/resources/favicon.ico" type="image/x-icon">
 {if $refreshTimeout}
        <meta http-equiv="refresh" content="{$refreshTimeout}" />
 {/if}
-    
+
     <!-- evil CSS workarounds - inspired by Plone's approach -->
     <!-- Internet Explorer CSS Fixes -->
     <!--[if lt IE 7]>
@@ -37,7 +37,7 @@
     	{/foreach}
 	    {/if}
     <![endif]-->
-    
+
     <!-- Standalone CSS. -->
     {foreach item=sCSS from=$page->getCSSStandalone()}
        <style>
@@ -89,7 +89,7 @@
 	                                {/if}
 	                                    <li><div id="menu_divider"></div></li>
 	                            {/foreach}
-	        					
+
 	                            <!-- user menu -->
 	                            <li class="pref">
 	                                {if ($page->user)}
@@ -121,20 +121,20 @@
                     <span class="additional">{i18n}You are here{/i18n}: </span>
                     {if ($page->breadcrumbSection !== false)}
                         {if ($page->breadcrumbSection.url) }
-                            <a href="{$page->breadcrumbSection.url}" class="primary">{$page->breadcrumbSection.label}</a> 
+                            <a href="{$page->breadcrumbSection.url}" class="primary">{$page->breadcrumbSection.label|sanitize}</a>
                         {else}
-                            <span  class="primary">{$page->breadcrumbSection.label}</span> 
+                            <span  class="primary">{$page->breadcrumbSection.label|sanitize}</span>
                         {/if}
                     {/if}
                     {if (($page->breadcrumbSection !== false) && ($page->breadcrumbs !== false))}
-                        &raquo; 
+                        &raquo;
                     {/if}
                     {if ($page->breadcrumbs !== false)}
                         {foreach item=aCrumb from=$page->breadcrumbs name=bc}
                             {if ($aCrumb.url) }
-                                <a href="{$aCrumb.url}">{$aCrumb.label}</a> 
+                                <a href="{$aCrumb.url}">{$aCrumb.label|sanitize}</a>
                             {else}
-                                <span>{$aCrumb.label|mb_truncate:40:"...":true}</span> 
+                                <span>{$aCrumb.label|mb_truncate:40:"...":true|sanitize}</span>
                             {/if}
                             {if (!$smarty.foreach.bc.last)}
                                 &raquo;
@@ -142,7 +142,7 @@
                         {/foreach}
                     {/if}
                     {if ($page->breadcrumbDetails !== false)}
-                        <span class="additional">({$page->breadcrumbDetails})</span> 
+                        <span class="additional">({$page->breadcrumbDetails})</span>
                     {/if}
                 </div>
             {/if}
@@ -175,7 +175,7 @@
 			                        {if ($page->getHelpURL() != null)}<a class="ktHelp" href="{$page->getHelpURL()}">Help</a> {/if}
 			                    </h1>
 			                {/if}
-			
+
 			                <!-- any status / error messages get added here. -->
                 {if (!empty($page->errStack))}
                     <div class="ktError">
@@ -187,7 +187,7 @@
                         <div class="error_dashlet_topleft_small"></div>
 			            <div class="error_dashlet_toprepeat_small"></div>
 			        	<div class="error_dashlet_topright_small"></div>
-			        	
+
 			        	<div class="error_dashlet_bottomleft"></div>
 			            <div class="error_dashlet_bottomrepeat_small"></div>
 			        	<div class="error_dashlet_bottomright"></div>
@@ -204,7 +204,7 @@
                         <div class="info_dashlet_topleft_small"></div>
 			            <div class="info_dashlet_toprepeat_small"></div>
 			        	<div class="info_dashlet_topright_small"></div>
-			        	
+
 			        	<div class="info_dashlet_bottomleft"></div>
 			            <div class="info_dashlet_bottomrepeat_small"></div>
 			        	<div class="info_dashlet_bottomright"></div>
@@ -237,6 +237,6 @@
 		</table>
         <div class="floatClear"></div>
     </div>
-</div> 
+</div>
 </body>
 </html>
@@ -19,9 +19,9 @@
                 <td class="username">{$aTransactionRow.user_name}</td>
                 <td class="action">{i18n}{$aTransactionRow.transaction_name}{/i18n}</td>
                 <td class="date">{$aTransactionRow.datetime}</td>
-                <td class="comment">{$aTransactionRow.comment}</td>
+                <td class="comment">{$aTransactionRow.comment|sanitize}</td>
             </tr>
             {/foreach}
         </tbody>
-        
+
     </table>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Add a folder to{/i18n}:<br />{$context->oFolder->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Add a folder to{/i18n}:<br />{$context->oFolder->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}Folders are one way of organising documents
 in the document management system.  Folders provide meaning in the
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Archive Document{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Archive Document{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}Archiving a document changes the
 document's state to invisible to non-administrative users. Only an
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Request Assistance{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Request Assistance{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}If you are unable to perform an action
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Cancel Checkout{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Cancel Checkout{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}If you do not want to have this document be checked-out,
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Checkin Document{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Checkin Document{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}Checking in a document updates the document
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Checkout Document{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Checkout Document{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}Checking out a document reserves it for your
 exclusive use.  This ensures that you can edit the document without
@@ -16,7 +16,7 @@ addLoadEvent(scheduleCheckout);
 {/capture}
 {$context->oPage->requireJSStandalone($sJavascript)}
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Checkout Document{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Checkout Document{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 {capture assign=link}{$sLocation|addQSSelf}{/capture}
 <p class="descriptiveText">{i18n arg_link=$link}The document you wish to
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}View Roles{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}View Roles{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}
     In many cases, workflow actions will be assigned to certain <strong>roles</strong>
@@ -22,7 +22,7 @@
     <tr class="{cycle values=odd,even}">
         <td>{$aRole.name}</td>
         <td>
-           {if ($aRole.users != null)}<strong>{i18n}Users{/i18n}:</strong> {$aRole.users}<br />{/if} 
+           {if ($aRole.users != null)}<strong>{i18n}Users{/i18n}:</strong> {$aRole.users}<br />{/if}
            {if ($aRole.groups != null)}<strong>{i18n}Groups{/i18n}:</strong> {$aRole.groups}{/if}
         </td>
     </tr>
@@ -6,9 +6,9 @@
 <dl>
 <dt>{i18n}Subject{/i18n}</dt>
-<dd>{$subject}</dd>
+<dd>{$subject|sanitize}</dd>
 <dt>{i18n}Details{/i18n}</dt>
-<dd>{$details} </dd>
+<dd>{$details|sanitize} </dd>
 </dl>
     <div class="actionoptions">
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{$context->getDisplayName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{$context->getDisplayName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}These are the results of the bulk action{/i18n}:</p>
@@ -17,8 +17,8 @@
 <tbody>
 {foreach from=$list.folders item=item}
     <tr class="{cycle values=even,odd}">
-        <td>{$item.0}</td>
-        <td>{$item.1}</td>
+        <td>{$item.0|sanitize}</td>
+        <td>{$item.1|sanitize}</td>
     </tr>
 {/foreach}
 </tbody>
@@ -42,8 +42,8 @@
 {foreach from=$list.documents item=item}
     <tr class="{cycle values=even,odd}">
-        <td>{$item.0}</td>
-        <td>{$item.1}</td>
+        <td>{$item.0|sanitize}</td>
+        <td>{$item.1|sanitize}</td>
     </tr>
 {/foreach}
 </tbody>
@@ -17,8 +17,8 @@
 <tbody>
 {foreach from=$failed.folders item=item}
     <tr class="{cycle values=even,odd}">
-        <td>{$item.0}</td>
-        <td>{$item.1}</td>
+        <td>{$item.0|sanitize}</td>
+        <td>{$item.1|sanitize}</td>
     </tr>
 {/foreach}
 </tbody>
@@ -43,8 +43,8 @@
 {foreach from=$failed.documents item=item}
     <tr class="{cycle values=even,odd}">
-        <td>{$item.0}</td>
-        <td>{$item.1}</td>
+        <td>{$item.0|sanitize}</td>
+        <td>{$item.1|sanitize}</td>
     </tr>
 {/foreach}
 </tbody>
@@ -59,7 +59,7 @@
 <h3>{i18n}Folders{/i18n}</h3>
 <ul>
 {foreach from=$folders item=folder}
-<li>{$folder}</li>
+<li>{$folder|sanitize}</li>
 {/foreach}
 </ul>
 {/if}
@@ -68,7 +68,7 @@
 <h3>{i18n}Documents{/i18n}</h3>
 <ul>
 {foreach from=$documents item=document}
-<li>{$document}</li>
+<li>{$document|sanitize}</li>
 {/foreach}
 </ul>
 {/if}
@@ -2,7 +2,7 @@
 {if (!empty($documents))}
 <dl>
 {foreach item=oDocument from=$documents}
-  <dt>{$oDocument->getName()} | <a href="{$context->getDocumentLink($oDocument)}">{i18n}View Document{/i18n}</a></dt>
+  <dt>{$oDocument->getName()|sanitize} | <a href="{$context->getDocumentLink($oDocument)}">{i18n}View Document{/i18n}</a></dt>
 {/foreach}
 </ul>
 {else}
@@ -20,7 +20,7 @@ state.{/i18n}&lt;/span&gt;&lt;/div&gt;
   <tbody>
     {foreach item=oDoc from=$documents}
     <tr>
-      <td>{$oDoc->getName()}<input type="hidden" name="selected_docs[]" value="{$oDoc->getId()}" /></td>
+      <td>{$oDoc->getName()|sanitize}<input type="hidden" name="selected_docs[]" value="{$oDoc->getId()}" /></td>
       <td class="descriptiveText">{$oDoc->getDisplayPath()}</td>
     </tr>
     {/foreach}
@@ -7,7 +7,7 @@
 <h2>{i18n}Deleted Documents{/i18n}</h2>
-<p class="descriptiveText">{i18n}Documents which are deleted by users are hidden from view 
+<p class="descriptiveText">{i18n}Documents which are deleted by users are hidden from view
 but still available for restoration.  Since "soft deletes" consume system resources, it
 is possible to <strong>expunge</strong> these documents.  Alternatively, you
 can <strong>restore</strong> them as necessary.{/i18n}</p>
@@ -30,12 +30,12 @@ can &lt;strong&gt;restore&lt;/strong&gt; them as necessary.{/i18n}&lt;/p&gt;
       <th>{i18n}Last Modification{/i18n}</th>
       <th>{i18n}Deletion Comment{/i18n}</th>
     </tr>
-  </thead>  
+  </thead>
   <tbody id="output">
     {foreach item=oDoc from=$documents}
     <tr>
       <td><input type="checkbox" name="selected_docs[]" value="{$oDoc->getId()}"/></td>
-      <td>{$oDoc->getName()}</td>
+      <td>{$oDoc->getName()|sanitize}</td>
 {*      <td>{getCrumbStringForDocument document=$oDoc}</td> *}
       <td>{$oDoc->getLastModifiedDate()}</td>
       <td>{$oDoc->getLastDeletionComment()}</td>
@@ -20,7 +20,7 @@ confirm that you want to delete these documents.{/i18n}&lt;/span&gt;&lt;/div&gt;
   <tbody>
     {foreach item=oDoc from=$documents}
     <tr>
-      <td>{$oDoc->getName()}<input type="hidden" name="selected_docs[]" value="{$oDoc->getId()}" /></td>
+      <td>{$oDoc->getName()|sanitize}<input type="hidden" name="selected_docs[]" value="{$oDoc->getId()}" /></td>
     </tr>
     {/foreach}
   </tbody>
@@ -14,14 +14,14 @@ confirm that you want to restore these documents.{/i18n}&lt;/span&gt;&lt;/div&gt;
     <tr>
       <th>{i18n}Document Name{/i18n}</th>
-      <th>{i18n}Restore To{/i18n}</th>      
+      <th>{i18n}Restore To{/i18n}</th>
     </tr>
   </thead>
   <tbody>
     {foreach item=oDoc from=$documents}
     <tr>
-      <td>{$oDoc->getName()}<input type="hidden" name="selected_docs[]" value="{$oDoc->getId()}" /></td>
-      <td>{$context->getRestoreLocationFor($oDoc)}</td>      
+      <td>{$oDoc->getName()|sanitize}<input type="hidden" name="selected_docs[]" value="{$oDoc->getId()}" /></td>
+      <td>{$context->getRestoreLocationFor($oDoc)}</td>
     </tr>
     {/foreach}
   </tbody>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Version Comparison{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Version Comparison{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 {capture assign=from}
 <strong>{$document->getMajorVersionNumber()}.{$document->getMinorVersionNumber()}</strong> ({$document->getMetadataVersion()})
@@ -24,7 +24,7 @@ note{/i18n}:&lt;/strong&gt; {i18n arg_version=$to arg_appname=&quot;$appname&quot;}the informati
 #version# comes from an older version of #appname# and may be
 incorrect.{/i18n}
 {/if}
-  
+
 {foreach item=oFieldset from=$fieldsets}
 {$oFieldset->renderComparison($document_data, $comparison_data)}
 {/foreach}
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document permissions{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document permissions{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}This page shows the permissions that apply to
 this specific document.  Where the folder view shows you information by role and group,
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document Version History{/i18n}:<br />{$document->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document Version History{/i18n}:<br />{$document->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}This page lists versions of document metadata and allows you to compare a metadata version with the current metadata content.{/i18n}</p>
@@ -27,9 +27,9 @@
                 {if ($document->getMetadataVersion() == $oVersion->getMetadataVersion())}
                    <strong>{i18n}current version{/i18n}</strong>
                 {else}
-                   <a href="{addQS}action=viewComparison&fDocumentId={$document->getId()}&fBaseVersion={$oVersion->getMetadataVersionId()}&fComparisonVersion={$oVersion->getCurrentMetadataVersionId()}{/addQS}">{i18n}compare with current{/i18n}</a></td>                
+                   <a href="{addQS}action=viewComparison&fDocumentId={$document->getId()}&fBaseVersion={$oVersion->getMetadataVersionId()}&fComparisonVersion={$oVersion->getCurrentMetadataVersionId()}{/addQS}">{i18n}compare with current{/i18n}</a></td>
                 {/if}
-                </td>     
+                </td>
                 <td>
                 {if (count($versions) == 1)}
                 &mdash;
@@ -41,5 +41,5 @@
             </tr>
             {/foreach}
         </tbody>
-        
+
     </table>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Change Ownership{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Change Ownership{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 {$form->render()}
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Resolved permissions per user{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Resolved permissions per user{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}This page shows the permissions that
 individual users have on this document.  Only the users which have permissions
-assigned are shown.{/i18n}</p> 
+assigned are shown.{/i18n}</p>
 <p class="descriptiveText">{i18n}Users may have permissions on this
 document due to membership of a group, or fulfilling a specific role on
-this document.{/i18n}</p> 
+this document.{/i18n}</p>
 {if (empty($users)) }
 <div class="ktInfoMessage"><span>{i18n}No users have permissions on this item.{/i18n}</span></div>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document Transaction History{/i18n}:<br />{$document->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document Transaction History{/i18n}:<br />{$document->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}This page provides details of all activities that have been carried out on the document.{/i18n}</p>
@@ -20,10 +20,10 @@
                 <td class="username">{$aTransactionRow.user_name}</td>
                 <td class="action">{i18n}{$aTransactionRow.transaction_name}{/i18n}</td>
                 <td class="date">{$aTransactionRow.datetime}</td>
-                <td class="contentversion">{$aTransactionRow.version}</td>                
-                <td class="comment">{$aTransactionRow.comment}</td>
+                <td class="contentversion">{$aTransactionRow.version}</td>
+                <td class="comment">{$aTransactionRow.comment|sanitize}</td>
             </tr>
             {/foreach}
         </tbody>
-        
+
     </table>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document Details{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document Details{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 {if ($document->getIsCheckedOut() == 1)}
 {capture assign=checkout_user}<strong>{$sCheckoutUser}</strong>{/capture}
@@ -9,18 +9,18 @@
 {else}
 {if ($canCheckin)}
 <div class="ktInfoMessage">
-<span>{i18n arg_checkoutuser=$checkout_user}This document is currently checked out by #checkoutuser#, but you 
+<span>{i18n arg_checkoutuser=$checkout_user}This document is currently checked out by #checkoutuser#, but you
 have sufficient priviledges to cancel their checkout.{/i18n}</span>
 </div>
 {else}
 <div class="ktInfoMessage">
-	<span>{i18n arg_checkoutuser=$checkout_user arg_appname="$appname"}This document is currently checked out by #checkoutuser#.  You cannot make 
+	<span>{i18n arg_checkoutuser=$checkout_user arg_appname="$appname"}This document is currently checked out by #checkoutuser#.  You cannot make
 changes until that user checks it in.  If you have urgent modifications to make, please
 contact your #appname# Administrator.{/i18n}</span>
 </div>
 {/if}
 {/if}
-{/if}    
+{/if}
 {if ($document->getImmutable() == true)}
 <div class="ktInfoMessage">
@@ -12,9 +12,9 @@
 {capture assign=sJavascript}
 {literal}
 function swapInItem(elementId, req) {
-    
+
     var cp = getElement(elementId);
-    
+
     cp.innerHTML = req.responseText;
     initialiseConditionalFieldsets();
 }
@@ -28,8 +28,8 @@ function swapElementFromRequest(elementId, url) {
     var cp = getElement(elementId);
     cp.innerHTML=_("loading...");
     deff.addCallback(partial(swapInItem, elementId));
-    
-    
+
+
 }
 function getMetadataForType(id) {
@@ -54,7 +54,7 @@ addLoadEvent(startupMetadata);
 {/capture}
 {$context->oPage->requireJSStandalone($sJavascript)}
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Import files into{/i18n}:<br />{$context->oFolder->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Import files into{/i18n}:<br />{$context->oFolder->getName()|sanitize}</h2>
 <form method="POST" action="{$smarty.server.PHP_SELF}" enctype="multipart/form-data">
 <fieldset><legend>{i18n}Import from Server Location{/i18n}</legend>
@@ -12,9 +12,9 @@
 {capture assign=sJavascript}
 {literal}
 function swapInItem(elementId, req) {
-    
+
     var cp = getElement(elementId);
-    
+
     cp.innerHTML = req.responseText;
     initialiseConditionalFieldsets();
 }
@@ -28,8 +28,8 @@ function swapElementFromRequest(elementId, url) {
     var cp = getElement(elementId);
     cp.innerHTML=_("loading...");
     deff.addCallback(partial(swapInItem, elementId));
-    
-    
+
+
 }
 function getMetadataForType(id) {
@@ -54,7 +54,7 @@ addLoadEvent(startupMetadata);
 {/capture}
 {$context->oPage->requireJSStandalone($sJavascript)}
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Upload files into{/i18n}:<br />{$context->oFolder->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Upload files into{/i18n}:<br />{$context->oFolder->getName()|sanitize}</h2>
 <form method="POST" action="{$smarty.server.PHP_SELF|addQueryString:"postExpected=1&fFolderId="}{$context->oFolder->getId()}" enctype="multipart/form-data">
 <fieldset><legend>{i18n}Bulk upload{/i18n}</legend>
-<h2>{i18n arg_foldername=$foldername}Folder permissions for "#foldername#"{/i18n}</h2>
+<h2>Folder permissions for "{$foldername|sanitize}"</h2>
@@ -31,9 +31,9 @@
 <form action="{$smarty.server.PHP_SELF}" method="POST">
 <div class="field">
-  
+
   <p class="descriptiveText">{i18n}Select roles and groups for whom you wish to change permission assignment from the box on the left, and move them over to the box on the right using the button with right-pointing arrows. You can then allocate or remove permissions from these entities and save by pressing the 'Update Permission Assignments' button'.{/i18n}</p>
-      
+
 <table>
 <thead>
@@ -55,11 +55,11 @@
     </td>
     <td>
-    
+
     <input type="button" id="entities_add" value="&raquo;" />
     <br /><br/>
     <input type="button" id="entities_remove" value="&laquo;" />
-    
+
     </td>
     <td style="vertical-align: top">
@@ -74,7 +74,7 @@
   <input name="entities_items_added" id="entities_items_added" type="hidden" />
   <input name="entities_items_removed" id="entities_items_removed" type="hidden" />
-  
+
   <input type="hidden" name="kt_core_fieldsets_expect[entities]" value ="1" />
 </div>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Rename Folder{/i18n}:<br />{$folderName}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Rename Folder{/i18n}:<br />{$folderName|sanitize}</h2>
 </h2><p class="descriptiveText">{i18n}This page allows you to rename a
 folder.{/i18n}</p>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Resolved permissions per user{/i18n}: {$context->oFolder->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Resolved permissions per user{/i18n}: {$context->oFolder->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}This page shows the permissions that
 individual users have on this folder.  Only the users which have permissions
-assigned are shown.{/i18n}</p> 
+assigned are shown.{/i18n}</p>
 <p class="descriptiveText">{i18n}Users may have permissions on this
 folder due to membership of a group, or fulfilling a specific role on
-this folder.{/i18n}</p> 
+this folder.{/i18n}</p>
 {if (empty($users)) }
 <div class="ktInfoMessage"><span>{i18n}No users have permissions on this item.{/i18n}</span></div>
 {else}
 {if $edit}
-{i18n}Manage security{/i18n}: <a href="{addQS}action=edit&fFolderId={$oFolder->getId()}{/addQS}">{i18n}Edit permissions{/i18n}</a> 
-| <a href="{addQS}fFolderId={$oFolder->getId()}{/addQS}">{i18n}View permissions overview{/i18n}</a> 
+{i18n}Manage security{/i18n}: <a href="{addQS}action=edit&fFolderId={$oFolder->getId()}{/addQS}">{i18n}Edit permissions{/i18n}</a>
+| <a href="{addQS}fFolderId={$oFolder->getId()}{/addQS}">{i18n}View permissions overview{/i18n}</a>
 {else}
-{i18n}Manage security{/i18n}: <a href="{addQS}fFolderId={$oFolder->getId()}{/addQS}">{i18n}View permissions overview{/i18n}</a> 
+{i18n}Manage security{/i18n}: <a href="{addQS}fFolderId={$oFolder->getId()}{/addQS}">{i18n}View permissions overview{/i18n}</a>
 {/if}
 <table   class="kt_collection narrow" cellspacing="0" cellpadding="0" border="0">
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Allocate Roles for{/i18n}:<br />{$folderName}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Allocate Roles for{/i18n}:<br />{$folderName|sanitize}</h2>
 <p class="descriptiveText">{i18n}
     In many cases, workflow actions will be assigned to certain <strong>roles</strong>
@@ -14,7 +14,7 @@ role allocations may take a some time, depending on the number of folders below 
     <tr>
         <th>{i18n}Role{/i18n}</th>
         <th>{i18n}Allocated users{/i18n}</th>
-        <th class="centered">{i18n}Edit Users{/i18n}</th> 
+        <th class="centered">{i18n}Edit Users{/i18n}</th>
         <th class="centered">{i18n}Edit Groups{/i18n}</th>
         {if !$is_root}<th class="centered">{i18n}Use Parent{/i18n}</th>{/if}
     </tr>
@@ -29,7 +29,7 @@ role allocations may take a some time, depending on the number of folders below 
               <strong>{i18n}inherited from parent folder.{/i18n}</strong><br />
               <span class="descriptiveText">
            {/if}
-           {if ($aRole.users != null)}<strong>{i18n}Users{/i18n}:</strong> {$aRole.users}<br />{/if} 
+           {if ($aRole.users != null)}<strong>{i18n}Users{/i18n}:</strong> {$aRole.users}<br />{/if}
            {if ($aRole.groups != null)}<strong>{i18n}Groups{/i18n}:</strong> {$aRole.groups}{/if}
            {if ($aRole.allocation_id === null)}
               </span class="descriptiveText">
@@ -41,11 +41,11 @@ role allocations may take a some time, depending on the number of folders below 
         <td class="centered"><a href="{addQS}action=editRoleUsers&alloc_id={$aRole.allocation_id}&fFolderId={$context->oFolder->getId()}&role_id={$role_id}{/addQS}" class="ktAction ktEdit" title="{i18n}Edit Users{/i18n}">{i18n}Edit Users{/i18n}</a></td>
         <td class="centered"><a href="{addQS}action=editRoleGroups&alloc_id={$aRole.allocation_id}&fFolderId={$context->oFolder->getId()}&role_id={$role_id}{/addQS}" class="ktAction ktEdit" title="{i18n}Edit Groups{/i18n}">{i18n}Edit Groups{/i18n}</a></td>
           {if !$is_root}
-            <td class="centered"><a href="{addQS}action=useParent&role_id={$role_id}&fFolderId={$context->oFolder->getId()}{/addQS}" class="ktAction ktDelete" 
-	           kt:deleteMessage="{i18n}Are you sure you wish to remove this role allocation?{/i18n}"	 
+            <td class="centered"><a href="{addQS}action=useParent&role_id={$role_id}&fFolderId={$context->oFolder->getId()}{/addQS}" class="ktAction ktDelete"
+	           kt:deleteMessage="{i18n}Are you sure you wish to remove this role allocation?{/i18n}"
 	           title="{i18n}Use parent's allocation{/i18n}">{i18n}Use parent's allocation{/i18n}</a></td>
           {/if}
-        {/if}        
+        {/if}
     </tr>
 {/foreach}
 {else}
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}View Permissions for{/i18n}:<br />{$context->oFolder->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}View Permissions for{/i18n}:<br />{$context->oFolder->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}This page shows the permissions that apply to
 this specific folder.  Only the roles or groups which have permissions
-assigned are shown.{/i18n}</p> 
+assigned are shown.{/i18n}</p>
 {if $edit}
-{i18n}Manage security{/i18n}: <a href="{addQS context=$context}action=edit{/addQS}">{i18n}Edit permissions{/i18n}</a> 
-| <a href="{addQS context=$context}action=resolved_users{/addQS}">{i18n}View resolved permissions for user{/i18n}</a> 
+{i18n}Manage security{/i18n}: <a href="{addQS context=$context}action=edit{/addQS}">{i18n}Edit permissions{/i18n}</a>
+| <a href="{addQS context=$context}action=resolved_users{/addQS}">{i18n}View resolved permissions for user{/i18n}</a>
 {else}
-{i18n}Manage security{/i18n}: <a href="{addQS context=$context}action=resolved_users{/addQS}">{i18n}View resolved permissions for user{/i18n}</a> 
+{i18n}Manage security{/i18n}: <a href="{addQS context=$context}action=resolved_users{/addQS}">{i18n}View resolved permissions for user{/i18n}</a>
 {/if}
@@ -136,7 +136,7 @@ value=&quot;{$iGroupId}&quot;&gt;&lt;/td&gt;
     <td class="centered"><span class="ktAction ktInline ktAllowed">{i18n}Allowed{/i18n}</span></td>
     { else }
     <td class="centered"><span class="ktAction ktInline ktDenied">{i18n}Denied{/i18n}</span></td>
-  { /if }  
+  { /if }
 {/foreach}
 </tr>
 {/foreach}
@@ -5,7 +5,7 @@
 <link rel="stylesheet" type="text/css" href="{$rootUrl}/resources/css/kt-framing.css" />
 <link rel="stylesheet" type="text/css" href="{$rootUrl}/resources/css/kt-contenttypes.css" />
 <link rel="stylesheet" type="text/css" href="{$rootUrl}/resources/css/kt-headings.css" />
-<!--[if lt IE 7]><style type="text/css" media="all">@import url({$rootUrl}/resources/css/kt-ie-icons.css);</style><![endif]-->    
+<!--[if lt IE 7]><style type="text/css" media="all">@import url({$rootUrl}/resources/css/kt-ie-icons.css);</style><![endif]-->
 <script type="text/javascript" src="{$rootUrl}/thirdpartyjs/MochiKit/Base.js"> </script>
 <script type="text/javascript" src="{$rootUrl}/thirdpartyjs/MochiKit/Iter.js"> </script>
@@ -25,7 +25,7 @@
 <input type="hidden" name="{$targetname}" value="{$folder->getId()}" />
 {foreach from=$breadcrumbs item=breadcrumb name=bc}
-<a href="{$breadcrumb.url}">{$breadcrumb.name}</a>
+<a href="{$breadcrumb.url}">{$breadcrumb.name|sanitize}</a>
 {if !$smarty.foreach.bc.last}
 &raquo;
 {/if}
 <fieldset>
     {if $label}<legend>{$label}</legend>{/if}
-    {if $description}<p class="descriptiveText">{$description}</p>{/if}    
-    
+    {if $description}<p class="descriptiveText">{$description|sanitize}</p>{/if}
+
     {$widgets}
 </fieldset>
-  <input type="hidden" name="{$name}" {if $has_id}id="{$id}"{/if} {if $has_value}value="{$value}"{/if}/>
+  <input type="hidden" name="{$name}" {if $has_id}id="{$id}"{/if} {if $has_value}value="{$value|sanitize_input}"{/if}/>
-      <input type="password" name="{$name}{if ($context->bConfirm)}[base]{/if}" {if $has_id}id="{$id}"{/if} {if $has_value}value="{$value}"{/if}{if ($options.autocomplete === false)}autocomplete="off"{/if}/>
+      <input type="password" name="{$name}{if ($context->bConfirm)}[base]{/if}" {if $has_id}id="{$id}"{/if} {if $has_value}value="{$value|sanitize_input}"{/if}{if ($options.autocomplete === false)}autocomplete="off"{/if}/>
     {if ($context->bConfirm)}
     <br />    <br />
       <label for="{$name}">{i18n arg_label=$label}Confirm #label#{/i18n}{if ($required === true)}<span class="required">({i18n}Required{/i18n})</span>{/if}</label>
       <p class="descriptiveText">{$context->sConfirmDescription}</p>
-      
-      <input type="password" name="{$name}[confirm]" {if $has_id}id="{$id}"{/if} {if $has_value}value="{$value}"{/if}{if ($options.autocomplete === false)}autocomplete="off"{/if}/>  
+
+      <input type="password" name="{$name}[confirm]" {if $has_id}id="{$id}"{/if} {if $has_value}value="{$value|sanitize_input}"{/if}{if ($options.autocomplete === false)}autocomplete="off"{/if}/>
     {/if}
-  <input type="text" name="{$name}" {if $has_id}id="{$id}"{/if} {if $has_value}value="{$value}"{/if}{if ($options.autocomplete === false)}autocomplete="off"{/if}  {if $options.width}size="{$options.width}"{/if} />
+  <input type="text" name="{$name}" {if $has_id}id="{$id}"{/if} {if $has_value}value="{$value|sanitize_input}"{/if}{if ($options.autocomplete === false)}autocomplete="off"{/if}  {if $options.width}size="{$options.width}"{/if} />
@@ -2,4 +2,4 @@
         {if $has_id} id="{$id}"{/if}
         {if $options.rows} rows="{$options.rows}"{else} rows="7"{/if}
         {if $options.cols} cols="{$options.cols}"{else} cols="45"{/if}
-      >{if $has_value}{$value}{/if}</textarea>
+      >{if $has_value}{$value|sanitize_input}{/if}</textarea>
@@ -3,12 +3,12 @@
 <html>
 <head>
     <title>{i18n arg_appname="$appname"}Login | #appname#{/i18n}</title>
-    
+
     <link rel="stylesheet" href="{$rootUrl}/resources/css/kt-login.css" type="text/css" />
     <link rel="icon" href="{$rootUrl}/resources/favicon.ico" type="image/x-icon">
-    <link rel="shortcut icon" href="{$rootUrl}/resources/favicon.ico" type="image/x-icon"> 
-    
+    <link rel="shortcut icon" href="{$rootUrl}/resources/favicon.ico" type="image/x-icon">
+
     <link rel="stylesheet" href="{$rootUrl}/resources/css/kt-ie-icons.css" type="text/css" />
     <script type="text/javascript" src="{$rootUrl}/thirdpartyjs/curvycorners/rounded_corners.inc.js"> </script>
@@ -30,13 +30,13 @@
 			        {if ($errorMessage == null)}
 					    <p class="descriptiveText">{i18n}Please enter your details below to login.{/i18n}</p>
 					{else}
-					    <div class="ktErrorMessage"><span>{$errorMessage}</span></div>
+					    <div class="ktErrorMessage"><span>{$errorMessage|sanitize}</span></div>
 					{/if}
 		        	<label for="username">{i18n}Username{/i18n}</label>
 					<input type="text" id="username" name="username"/>
 					<label for="password">{i18n}Password{/i18n}</label>
 					<input type="password" id="password" name="password"/>
-	
+
 					<label for="language">{i18n}Language{/i18n}</label>
 					<select id="language" name="language">
 					{foreach from=$languages key=sLang item=sLanguageName}
@@ -55,7 +55,7 @@
 			{/if}
 			<p class="descriptiveText version">
 				{i18n arg_appname="$appname"}#appname# Version{/i18n}<br />{$versionName}<br/>
-				{i18n}&copy; 2007 <a href="http://www.knowledgetree.com/">The Jam Warehouse Software (Pty) Ltd.</a> All Rights Reserved{/i18n} 
+				{i18n}&copy; 2007 <a href="http://www.knowledgetree.com/">The Jam Warehouse Software (Pty) Ltd.</a> All Rights Reserved{/i18n}
 			</p>
 	        <div id="bottomspacer"></div>
 	        <div class="floatClear"></div>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Workflow for{/i18n}:<br />{$oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Workflow for{/i18n}:<br />{$oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">
 {i18n}Workflow is a description of a document's lifecycle.  It is made up of
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Discussion{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Discussion{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 {if $threads}
 <h3>{i18n}Existing threads{/i18n}</h3>
@@ -20,7 +20,7 @@
   </tbody>
 </table>
 {else}
-    <p class="descriptiveText">    {if ($closed_threads != 0)}    
+    <p class="descriptiveText">    {if ($closed_threads != 0)}
     {i18n arg_closed=$closed_threads}There are #closed# closed threads - use the "View All" option below to view them.{/i18n}
      {else}
 {i18n}There are no open threads for this document.{/i18n}
@@ -5,16 +5,16 @@
 {else}
 <dl class="kt-discussion-comment odd-comment">
 {/if}
-  
-  <dt>{i18n arg_subject=$comment->getSubject() arg_author=$creator->getName() arg_date=$comment->getDate()}
-    <span class="subject">#subject#</span>
+
+  <dt>
+    <span class="subject">{$comment->getSubject()|sanitize_input}</span>
     by
-    <span class="author">#author#</span>
-    <span class="date">(#date#)</span>
-    {/i18n}
+    <span class="author">{$creator->getName()}</span>
+    <span class="date">({$comment->getDate()})</span>
+
   </dt>
-  
-  <dd>{$comment->getBody()}</dd>
+
+  <dd>{$comment->getBody()|sanitize_input}</dd>
 </dl>
 <tr>
-  <td><a href="{addQS}action=viewThread&fDocumentId={$context->oDocument->getId()}&fThreadId={$thread->getId()}{/addQS}">{$first_comment->getSubject()}</a></td>
+  <td><a href="{addQS}action=viewThread&fDocumentId={$context->oDocument->getId()}&fThreadId={$thread->getId()}{/addQS}">{$first_comment->getSubject()|sanitize}</a></td>
   <td>{$creator->getName()}</td>
   <td>{$thread->getNumberOfViews()}</td>
   <td>{$thread->getNumberOfReplies()}</td>
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document Links{/i18n}:<br />{$context->oDocument->getName()}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{i18n}Document Links{/i18n}:<br />{$context->oDocument->getName()|sanitize}</h2>
 <p class="descriptiveText">{i18n}The current links to and from this document are displayed below.{/i18n}</p>
@@ -12,15 +12,15 @@
             <th>{i18n}Relationship{/i18n}</th>
         </tr>
     </thead>
-    
+
     <tbody>
-{if $links_from || $links_to}    
-    
+{if $links_from || $links_to}
+
 {foreach from=$links_from item=link}
 {assign var="type" value=$link->getLinkType()}
@@ -35,12 +35,12 @@
             {/if}
             </td>
-            <td><a href="{"viewDocument"|generateControllerUrl}&qs[fDocumentId]={$target->getId()}&qs[action]=main">{$target->getName()}</a></td> 
+            <td><a href="{"viewDocument"|generateControllerUrl}&qs[fDocumentId]={$target->getId()}&qs[action]=main">{$target->getName()|sanitize}</a></td>
             <td>{$type->getName()}</td>
             <td>{i18n}Linked <b>from</b> this document{/i18n}</td>
         </tr>
-        
-{/foreach}      
+
+{/foreach}
 {foreach from=$links_to item=link}
@@ -55,13 +55,13 @@
                 &nbsp;
             {/if}
             </td>
-            
-            <td><a href="{"viewDocument"|generateControllerUrl}&qs[fDocumentId]={$target->getId()}&qs[action]=main">{$target->getName()}</a></td> 
+
+            <td><a href="{"viewDocument"|generateControllerUrl}&qs[fDocumentId]={$target->getId()}&qs[action]=main">{$target->getName()|sanitize}</a></td>
             <td>{$type->getName()}</td>
             <td>{i18n}Links <b>to</b> this document{/i18n}</td>
         </tr>
-        
-{/foreach}      
+
+{/foreach}
 {else}
@@ -3,7 +3,7 @@
     <h3>{i18n}Links from this document{/i18n}</h3>
     <ul>
     {foreach from=$links_from item=info}
-      <li class="descriptiveText">{i18n}from{/i18n} <a href="{$info.url}" title="{$info.description}">{$info.name}</a> ({$info.type})</li>
+      <li class="descriptiveText">{i18n}from{/i18n} <a href="{$info.url}" title="{$info.description}">{$info.name|sanitize}</a> ({$info.type})</li>
     {/foreach}
     </ul>
     {/if}
@@ -12,9 +12,9 @@
     <h3>{i18n}Links to this document{/i18n}</h3>
     <ul>
     {foreach from=$links_to item=info}
-      <li class="descriptiveText">{i18n}to{/i18n} <a href="{$info.url}" title="{$info.description}">{$info.name}</a> ({$info.type})</li>
+      <li class="descriptiveText">{i18n}to{/i18n} <a href="{$info.url}" title="{$info.description}">{$info.name|sanitize}</a> ({$info.type})</li>
     {/foreach}
     </ul>
     {/if}
-    
+
 </div>
+<?php
+
+function smarty_modifier_sanitize($string, $esc_type = 'html', $charset='UTF-8')
+{
+    // based on escape, but with charset
+    switch ($esc_type) {
+        case 'html':
+            return htmlspecialchars($string, ENT_QUOTES,$charset);
+
+        case 'htmlall':
+            return htmlentities($string, ENT_QUOTES,$charset);
+
+        case 'url':
+            return rawurlencode($string);
+
+        case 'quotes':
+            // escape unescaped single quotes
+            return preg_replace("%(?<!\\\\)'%", "\\'", $string);
+
+        case 'hex':
+            // escape every character into hex
+            $return = '';
+            for ($x=0; $x < strlen($string); $x++) {
+                $return .= '%' . bin2hex($string[$x]);
+            }
+            return $return;
+
+        case 'hexentity':
+            $return = '';
+            for ($x=0; $x < strlen($string); $x++) {
+                $return .= '&#x' . bin2hex($string[$x]) . ';';
+            }
+            return $return;
+
+        case 'decentity':
+            $return = '';
+            for ($x=0; $x < strlen($string); $x++) {
+                $return .= '&#' . ord($string[$x]) . ';';
+            }
+            return $return;
+
+        case 'javascript':
+            // escape quotes and backslashes, newlines, etc.
+            return strtr($string, array('\\'=>'\\\\',"'"=>"\\'",'"'=>'\\"',"\r"=>'\\r',"\n"=>'\\n','</'=>'<\/'));
+
+        case 'mail':
+            // safe way to display e-mail address on a web page
+            return str_replace(array('@', '.'),array(' [AT] ', ' [DOT] '), $string);
+
+        case 'nonstd':
+           // escape non-standard chars, such as ms document quotes
+           $_res = '';
+           for($_i = 0, $_len = strlen($string); $_i < $_len; $_i++) {
+               $_ord = ord($string{$_i});
+               // non-standard char, escape it
+               if($_ord >= 126){
+                   $_res .= '&#' . $_ord . ';';
+               }
+               else {
+                   $_res .= $string{$_i};
+               }
+           }
+           return $_res;
+
+        default:
+            return $string;
+    }
+}
+
+
+?>
+<?php
+
+function smarty_modifier_sanitize_input($string, $esc_type = 'html', $charset='UTF-8')
+{
+    $string = mb_ereg_replace("'","&#039;", $string);
+    $string = mb_ereg_replace('"',"&quot;", $string);
+    $string = mb_ereg_replace('<',"&lt;", $string);
+    $string = mb_ereg_replace('>',"&gt;", $string);
+    return $string;
+}
+
+
+?>