From c561c6b562030ec76dc74c876ccb1a165347bc46 Mon Sep 17 00:00:00 2001
From: kevin_fourie <kevin_fourie@c91229c3-7414-0410-bfa2-8a42b809f60b>
Date: Fri, 8 Jun 2007 14:54:53 +0000
Subject: [PATCH] KTS-2076 "Character encoding issue with document titles" Fixed this issue. Working on other encoding issues.

---
 lib/documentmanagement/documentmetadataversion.inc.php                       |  4 ++--
 lib/sanitize.inc                                                             | 53 -----------------------------------------------------
 lib/util/sanitize.inc                                                        | 67 ++++++++++++++++++++++++++++++++++++++++++-------------------------
 plugins/ktcore/document/edit.php                                             |  5 +++--
 templates/kt3/document/view.smarty                                           |  1 -
 templates/kt3/fieldsets/simple_versioned.smarty                              |  4 ++--
 templates/kt3/standard_page.smarty                                           |  4 ++--
 templates/ktcore/action/checkout_final.smarty                                |  2 +-
 templates/ktcore/document/cleanup.smarty                                     |  2 +-
 templates/ktcore/document/cleanup_script.smarty                              |  2 +-
 templates/ktcore/document/edit.smarty                                        |  2 +-
 templates/ktcore/document/view.smarty                                        |  2 +-
 templates/ktcore/documenttypes/edit.smarty                                   |  2 +-
 templates/ktcore/fields/edit.smarty                                          |  8 ++++----
 templates/ktcore/login.smarty                                                |  2 +-
 templates/ktcore/manage_help_item.smarty                                     |  4 ++--
 templates/ktcore/metadata/admin/basic_overview.smarty                        |  2 +-
 templates/ktcore/metadata/admin/manage_lookups.smarty                        |  2 +-
 templates/ktcore/metadata/chooseFromMetadataLookup.smarty                    |  2 +-
 templates/ktcore/metadata/conditional/ajax_complex_get_behaviour_list.smarty |  2 +-
 templates/ktcore/metadata/conditional/conditional_admin_overview.smarty      |  2 +-
 templates/ktcore/metadata/conditional/editsimple.smarty                      |  2 +-
 templates/ktcore/metadata/conditional/manageConditional.smarty               |  6 +++---
 templates/ktcore/metadata/conditional/manage_ordering.smarty                 |  4 ++--
 templates/ktcore/metadata/edit.smarty                                        |  8 ++++----
 templates/ktcore/metadata/editField.smarty                                   | 12 ++++++------
 templates/ktcore/metadata/editFieldset.smarty                                |  8 ++++----
 templates/ktcore/workflow/editState.smarty                                   |  4 ++--
 templates/ktcore/workflow/editTransition.smarty                              |  2 +-
 templates/ktcore/workflow/editWorkflow.smarty                                |  2 +-
 templates/ktstandard/disclaimers/manage_disclaimers_item.smarty              |  4 ++--
 thirdparty/Smarty/plugins/modifier.mb_truncate.php                           | 38 ++++++++++++++++++++++++++++++++++++++
 thirdparty/Smarty/plugins/modifier.mb_wordwrap.php                           | 33 +++++++++++++++++++++++++++++++++
 33 files changed, 166 insertions(+), 131 deletions(-)
 delete mode 100644 lib/sanitize.inc
 create mode 100644 thirdparty/Smarty/plugins/modifier.mb_truncate.php
 create mode 100644 thirdparty/Smarty/plugins/modifier.mb_wordwrap.php

diff --git a/lib/documentmanagement/documentmetadataversion.inc.php b/lib/documentmanagement/documentmetadataversion.inc.php
index 12ed6d9..0d39e50 100644
--- a/lib/documentmanagement/documentmetadataversion.inc.php
+++ b/lib/documentmanagement/documentmetadataversion.inc.php
@@ -95,8 +95,8 @@ class KTDocumentMetadataVersion extends KTEntity {
     function setContentVersion($iNewValue) { $this->iContentVersion = $iNewValue; }
     function getDocumentTypeId() { return $this->iDocumentTypeId; }
     function setDocumentTypeId($iNewValue) { $this->iDocumentTypeId = $iNewValue; }
-    function getName() { return $this->sName; }
-    function setName($sNewValue) { $this->sName = $sNewValue; }
+    function getName() { return sanitizeForSQLtoHTML($this->sName); }
+    function setName($sNewValue) { $this->sName = sanitizeForSQL($sNewValue); }
     function getDescription() { return $this->sDescription; }
     function setDescription($sNewValue) { $this->sDescription = $sNewValue; }
     function getStatusId() { return $this->iStatusId; }
diff --git a/lib/sanitize.inc b/lib/sanitize.inc
deleted file mode 100644
index ae283f3..0000000
--- a/lib/sanitize.inc
+++ /dev/null
@@ -1,53 +0,0 @@
-<?php
-/**
- * $Id$
- *
- * This page is meant to provide functions to prevent XSS cracks.
- *
- * The contents of this file are subject to the KnowledgeTree Public
- * License Version 1.1.2 ("License"); You may not use this file except in
- * compliance with the License. You may obtain a copy of the License at
- * http://www.knowledgetree.com/KPL
- * 
- * Software distributed under the License is distributed on an "AS IS"
- * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
- * See the License for the specific language governing rights and
- * limitations under the License.
- *
- * All copies of the Covered Code must include on each user interface screen:
- *    (i) the "Powered by KnowledgeTree" logo and
- *    (ii) the KnowledgeTree copyright notice
- * in the same form as they appear in the distribution.  See the License for
- * requirements.
- * 
- * The Original Code is: KnowledgeTree Open Source
- * 
- * The Initial Developer of the Original Code is The Jam Warehouse Software
- * (Pty) Ltd, trading as KnowledgeTree.
- * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
- * (C) 2007 The Jam Warehouse Software (Pty) Ltd;
- * All Rights Reserved.
- * Contributor( s): ______________________________________
- */
-
-/**
- * Accepts a web encoded string and outputs a "clean" string.
- */
-
-function sanitize($string) {
-	// This should be set if you've read the INSTALL instructions.
-	// Better to be safe though.
-	if (get_magic_quotes_gpc()) {
-        	$string = strip_tags(urldecode(trim($string)));
- 	} else {
-        	$string = addslashes(strip_tags(urldecode(trim($string))));
-	}
-
-	// This might be a little too aggressive
-	//$pattern = "([^[:alpha:]|^_\.\ \:-])";
-	// Allow numeric characters
-	$pattern = "([^[:alnum:]|^_\.\ \:-])";
-	return ereg_replace($pattern, '', $string);
-}
-
-?>
diff --git a/lib/util/sanitize.inc b/lib/util/sanitize.inc
index e8b7b1c..96a169b 100644
--- a/lib/util/sanitize.inc
+++ b/lib/util/sanitize.inc
@@ -52,11 +52,12 @@ function sanitize($string) {
 
 function sanitizeForSQL($string, $min='', $max='') {
     
+    $string = trim($string);
+	if(get_magic_quotes_gpc()) $string = stripslashes($string);
+    
     $len = strlen($string);
     if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max))) return false;
     
-    if(get_magic_quotes_gpc()) $string = stripslashes($string);
-    
     if(function_exists("mysql_real_escape_string")) {
         return mysql_real_escape_string($string);
     } else {
@@ -64,38 +65,54 @@ function sanitizeForSQL($string, $min='', $max='') {
     }
 }
 
+function sanitizeForSQLtoHTML($string, $min='', $max='') {
+    
+	return stripslashes(trim($string));
+    
+}
+
 function sanitizeForHTML($string, $min='', $max='')
 {
+    $string = trim($string);
+	if(get_magic_quotes_gpc()) $string = stripslashes($string);
+
     $len = strlen($string);
     if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max))) return false;
     
-    $pattern[0] = '/\&/';
-    $pattern[1] = '/</';
-    $pattern[2] = "/>/";
-    $pattern[3] = '/\n/';
-    $pattern[4] = '/"/';
-    $pattern[5] = "/'/";
-    $pattern[6] = "/%/";
-    $pattern[7] = '/\( /';
-    $pattern[8] = '/\)/';
-    $pattern[9] = '/\+/';
-    $pattern[10] = '/-/';
-    $replacement[0] = '&amp;';
-    $replacement[1] = '&lt;';
-    $replacement[2] = '&gt;';
-    $replacement[3] = '<br>';
-    $replacement[4] = '&quot;';
-    $replacement[5] = '&#39;';
-    $replacement[6] = '&#37;';
-    $replacement[7] = '&#40;';
-    $replacement[8] = '&#41;';
-    $replacement[9] = '&#43;';
-    $replacement[10] = '&#45;';
-    return preg_replace( $pattern, $replacement, $string);
+    if(function_exists("htmlspecialchars")) {
+    	return htmlspecialchars($string);
+    } else {
+    	$pattern[0] = '/\&/';
+    	$pattern[1] = '/</';
+    	$pattern[2] = "/>/";
+    	$pattern[3] = '/\n/';
+    	$pattern[4] = '/"/';
+    	$pattern[5] = "/'/";
+    	$pattern[6] = "/%/";
+    	$pattern[7] = '/\( /';
+    	$pattern[8] = '/\)/';
+    	$pattern[9] = '/\+/';
+    	$pattern[10] = '/-/';
+    	$replacement[0] = '&amp;';
+    	$replacement[1] = '&lt;';
+    	$replacement[2] = '&gt;';
+    	$replacement[3] = '<br>';
+    	$replacement[4] = '&quot;';
+    	$replacement[5] = '&#39;';
+    	$replacement[6] = '&#37;';
+    	$replacement[7] = '&#40;';
+    	$replacement[8] = '&#41;';
+    	$replacement[9] = '&#43;';
+    	$replacement[10] = '&#45;';
+    	return preg_replace( $pattern, $replacement, $string);
+    }
 }
 
 function sanitizeForSYSTEM($string, $min='', $max='')
 {
+    $string = trim($string);
+	if(get_magic_quotes_gpc()) $string = stripslashes($string);
+
     $len = strlen($string);
     if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max))) return false;
     
diff --git a/plugins/ktcore/document/edit.php b/plugins/ktcore/document/edit.php
index dd6863f..f854ebc 100644
--- a/plugins/ktcore/document/edit.php
+++ b/plugins/ktcore/document/edit.php
@@ -96,7 +96,7 @@ class KTDocumentEditAction extends KTDocumentAction {
                 'description' => sprintf(_kt("The document title is used as the main name of a document throughout %s&trade;."), APP_NAME),
                 'name' => 'document_title',
                 'required' => true,
-                'value' => $this->oDocument->getName(),
+                'value' => sanitizeForHTML($this->oDocument->getName()),
             )),
         );
         $validators = array(
@@ -191,7 +191,8 @@ class KTDocumentEditAction extends KTDocumentAction {
         if ($this->oDocument->getDocumentTypeId() != $doctypeid) {
             $this->oDocument->setDocumentTypeId($doctypeid);
         }
-        $this->oDocument->setName(sanitize($data['document_title']));
+        $this->oDocument->setName(($data['document_title']));
+
         $res = $this->oDocument->update();
         if (PEAR::isError($res)) {
             $oForm->handleError(sprintf(_kt("Unexpected failure to update document title: %s"), $res->getMessage()));
diff --git a/templates/kt3/document/view.smarty b/templates/kt3/document/view.smarty
index 39d321a..ef1a4e8 100644
--- a/templates/kt3/document/view.smarty
+++ b/templates/kt3/document/view.smarty
@@ -1,6 +1,5 @@
 <h2>{$document->getName()}</h2>
 
-
 {capture assign=version}
 {$document->getMajorVersionNumber()}.{$document->getMinorVersionNumber()}
 {/capture}
diff --git a/templates/kt3/fieldsets/simple_versioned.smarty b/templates/kt3/fieldsets/simple_versioned.smarty
index dfc279a..0a39a0d 100644
--- a/templates/kt3/fieldsets/simple_versioned.smarty
+++ b/templates/kt3/fieldsets/simple_versioned.smarty
@@ -13,10 +13,10 @@
     <tr class="{cycle values=even,odd} {if $smarty.foreach.fields.first}first{/if}">
         <th>{$aFieldPair.field->getName()}</th>
         <td class="current {if ($aFieldPair.current_value != $aFieldPair.previous_value)}different{/if}">
-            {if ($aFieldPair.current_value !== null)}{$aFieldPair.current_value|escape:"htmlall"}
+            {if ($aFieldPair.current_value !== null)}{$aFieldPair.current_value}
             {else}<span class="descriptiveText">{i18n}no value in this version{/i18n}</span>{/if}</td>
         <td class="previous {if ($aFieldPair.current_value != $aFieldPair.previous_value)}different{/if}">
-            {if ($aFieldPair.previous_value !== null)}{$aFieldPair.previous_value|escape:"htmlall"}
+            {if ($aFieldPair.previous_value !== null)}{$aFieldPair.previous_value}
             {else}<span class="descriptiveText">{i18n}no value in this version{/i18n}</span>{/if}</td>            
     </tr>
       {/foreach}
diff --git a/templates/kt3/standard_page.smarty b/templates/kt3/standard_page.smarty
index e9ace3c..197d5cd 100644
--- a/templates/kt3/standard_page.smarty
+++ b/templates/kt3/standard_page.smarty
@@ -132,9 +132,9 @@
                     {if ($page->breadcrumbs !== false)}
                         {foreach item=aCrumb from=$page->breadcrumbs name=bc}
                             {if ($aCrumb.url) }
-                                <a href="{$aCrumb.url}">{$aCrumb.label|escape}</a> 
+                                <a href="{$aCrumb.url}">{$aCrumb.label}</a> 
                             {else}
-                                <span>{$aCrumb.label|escape|truncate:40:"...":true}</span> 
+                                <span>{$aCrumb.label|mb_truncate:40:"...":true}</span> 
                             {/if}
                             {if (!$smarty.foreach.bc.last)}
                                 &raquo;
diff --git a/templates/ktcore/action/checkout_final.smarty b/templates/ktcore/action/checkout_final.smarty
index 0724945..4006a44 100644
--- a/templates/ktcore/action/checkout_final.smarty
+++ b/templates/ktcore/action/checkout_final.smarty
@@ -3,7 +3,7 @@
 {$context->oPage->requireJSResource("thirdpartyjs/MochiKit/Iter.js")}
 {$context->oPage->requireJSResource("thirdpartyjs/MochiKit/DOM.js")}
 
-{capture assign=sLocation}action=checkout_final&fDocumentId={$context->oDocument->getId()}&reason={$reason|escape}{/capture}
+{capture assign=sLocation}action=checkout_final&fDocumentId={$context->oDocument->getId()}&reason={$reason}{/capture}
 
 {capture assign=sJavascript}
 function doCheckout () {ldelim}
diff --git a/templates/ktcore/document/cleanup.smarty b/templates/ktcore/document/cleanup.smarty
index 3f95fab..d83d471 100644
--- a/templates/ktcore/document/cleanup.smarty
+++ b/templates/ktcore/document/cleanup.smarty
@@ -28,7 +28,7 @@ which you should investigate.{/i18n}</p>
 <p>{i18n}The following files are present in the repository, but do not exist in the database.{/i18n}:</p>
 <ul>
 {foreach from=$aFilesToRemove item=sFile}
-<li>{$sFile|escape}</li>
+<li>{$sFile}</li>
 {/foreach}
 </ul>
 {/if}
diff --git a/templates/ktcore/document/cleanup_script.smarty b/templates/ktcore/document/cleanup_script.smarty
index ca6e131..90bca9b 100644
--- a/templates/ktcore/document/cleanup_script.smarty
+++ b/templates/ktcore/document/cleanup_script.smarty
@@ -29,7 +29,7 @@
 {i18n}The following files are present in the repository, but do not exist in the database.{/i18n}:
 
 {foreach from=$aFilesToRemove item=sFile}
-     {$sFile|escape}
+     {$sFile}
 {/foreach}
 
 {/if}
diff --git a/templates/ktcore/document/edit.smarty b/templates/ktcore/document/edit.smarty
index 5904675..7b9e420 100644
--- a/templates/ktcore/document/edit.smarty
+++ b/templates/ktcore/document/edit.smarty
@@ -11,7 +11,7 @@
 
 {$context->oPage->requireCSSResource('resources/css/kt-treewidget.css')}
 
-<h2>{i18n}Editing{/i18n}: {$document->getName()}</h2>
+<h2>{i18n}Editing{/i18n}: {$document->getName()|wordwrap:40:"<br />\n":true}</h2>
 
 {capture assign=link}{addQS}action=selectType&fDocumentId={$document->getId()}{/addQS}{/capture}
 <p class="descriptiveText">{i18n arg_link=$link arg_name=$type_name}Change the <strong><a href="#link#">document type</a></strong>. The current type is "#name#"{/i18n}</p>
diff --git a/templates/ktcore/document/view.smarty b/templates/ktcore/document/view.smarty
index 2630cde..4385ab3 100644
--- a/templates/ktcore/document/view.smarty
+++ b/templates/ktcore/document/view.smarty
@@ -1,4 +1,4 @@
-<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{$document->getName()|escape|wordwrap:40:"\n":true}</h2>
+<h2><img src="{if $config->get("ui/morphEnabled") == '1'}{$rootUrl}/skins/kts_{$config->get("ui/morphTo")}/title_bullet.png{else}{$rootUrl}/resources/graphics/title_bullet.png{/if}"/>{$document->getName()|mb_wordwrap:40:"<br />\n":true}</h2>
 
 {if ($document->getIsCheckedOut() == 1)}
 {capture assign=checkout_user}<strong>{$sCheckoutUser}</strong>{/capture}
diff --git a/templates/ktcore/documenttypes/edit.smarty b/templates/ktcore/documenttypes/edit.smarty
index 26d07e1..b46227d 100644
--- a/templates/ktcore/documenttypes/edit.smarty
+++ b/templates/ktcore/documenttypes/edit.smarty
@@ -3,7 +3,7 @@
 <form method="POST" action="{$smarty.server.PHP_SELF}">
 <input type="hidden" name="action" value="editobject">
 <input type="hidden" name="fDocumentTypeId" value="{$oDocumentType->getId()}">
-<input type="textbox" name="name" value="{$oDocumentType->getName()|escape}">
+<input type="textbox" name="name" value="{$oDocumentType->getName()}">
 <input type="submit" name="submit" value="{i18n}Change{/i18n}" />
 </form>
 
diff --git a/templates/ktcore/fields/edit.smarty b/templates/ktcore/fields/edit.smarty
index 0f03b9b..81fa6c0 100644
--- a/templates/ktcore/fields/edit.smarty
+++ b/templates/ktcore/fields/edit.smarty
@@ -1,4 +1,4 @@
-<h2>{i18n}Fieldset{/i18n}: {$oFieldset->getName()|escape}</h2>
+<h2>{i18n}Fieldset{/i18n}: {$oFieldset->getName()}</h2>
 
 
 <form action="{$smarty.server.PHP_SELF}" method="POST">
@@ -9,11 +9,11 @@
 <table class="prettysw" cellpadding="0" cellspacing="0">
   <tr>
     <th>{i18n}Name{/i18n}</th>
-    <td><input type="textbox" name="name" value="{$oFieldset->getName()|escape}" /></td>
+    <td><input type="textbox" name="name" value="{$oFieldset->getName()}" /></td>
   </tr>
   <tr>
     <th>{i18n}Namespace{/i18n}</th>
-    <td><input type="textbox" name="namespace" value="{$oFieldset->getNamespace()|escape}" /></td>
+    <td><input type="textbox" name="namespace" value="{$oFieldset->getNamespace()}" /></td>
   </tr>
 </table>
 <input type="submit" name="submit" value="{i18n}Change{/i18n}" />
@@ -30,7 +30,7 @@
 {foreach from=$oFieldset->getFields() item=oField}
   <li><label><input type="checkbox"
 name="fieldsetids[]"
-value="{$oField->getId()}" />{$oField->getName()|escape}</label></li>
+value="{$oField->getId()}" />{$oField->getName()}</label></li>
 {/foreach}
 </ul>
 <input type="submit" name="submit" value="{i18n}Remove fields{/i18n}" />
diff --git a/templates/ktcore/login.smarty b/templates/ktcore/login.smarty
index d5f9199..aabb741 100644
--- a/templates/ktcore/login.smarty
+++ b/templates/ktcore/login.smarty
@@ -21,7 +21,7 @@
 		    	<form action="{$smarty.server.PHP_SELF}" method="POST" name="login">
 		        	<input type="hidden" name="action" value="login" />
 					<input type="hidden" name="cookieverify" value="{$cookietest}" />
-					<input type="hidden" name="redirect" value="{$redirect|escape}" />
+					<input type="hidden" name="redirect" value="{$redirect}" />
 					{if $config->get("ui/mainLogo") != ''}
 						<img src="{$config->get("ui/mainLogo")}" alt="{$config->get("ui/mainLogoTitle")}" class="logoimage"/><br />
 					{else}
diff --git a/templates/ktcore/manage_help_item.smarty b/templates/ktcore/manage_help_item.smarty
index 5cd539f..d3852c1 100644
--- a/templates/ktcore/manage_help_item.smarty
+++ b/templates/ktcore/manage_help_item.smarty
@@ -13,9 +13,9 @@ tinyMCE.init({
 <input type="hidden" name="id" value="{$help->getId()}">
 <input type="hidden" name="action" value="updateReplacement">
 <h2>{i18n}Title{/i18n}</h2>
-<input type="text" name="title" value="{$help->getTitle()|escape}" />
+<input type="text" name="title" value="{$help->getTitle()}" />
 <h2>{i18n}Help content{/i18n}</h2>
-<textarea cols="60" rows="20" name="description">{$help->getDescription()|escape}</textarea>
+<textarea cols="60" rows="20" name="description">{$help->getDescription()}</textarea>
 <br />
 <input type="submit" name="submit" value="{i18n}Update{/i18n}" />
 </form>
diff --git a/templates/ktcore/metadata/admin/basic_overview.smarty b/templates/ktcore/metadata/admin/basic_overview.smarty
index 8227ca1..f4e39b3 100644
--- a/templates/ktcore/metadata/admin/basic_overview.smarty
+++ b/templates/ktcore/metadata/admin/basic_overview.smarty
@@ -18,7 +18,7 @@ of related information.{/i18n}</p>
       {foreach from=$fields item=oField}
         <tr>
             <td class="title">
-                {$oField->getName()|escape}
+                {$oField->getName()}
             </td>
             <td class="centered">
                 <a href="{addQS context=$context}fieldset_action=managefield&fFieldId={$oField->getId()}{/addQS}" class="ktAction ktEdit">{i18n}edit{/i18n}</a>
diff --git a/templates/ktcore/metadata/admin/manage_lookups.smarty b/templates/ktcore/metadata/admin/manage_lookups.smarty
index 4ec002a..763663d 100644
--- a/templates/ktcore/metadata/admin/manage_lookups.smarty
+++ b/templates/ktcore/metadata/admin/manage_lookups.smarty
@@ -37,7 +37,7 @@ that are possible for a given lookup:{/i18n}</p>
       {foreach from=$lookups item=oLookup}
         <tr>
             <td><input type="checkbox" name="metadata[]" value="{$oLookup->getId()}" /></td>
-            <td>{$oLookup->getName()|escape}</td>
+            <td>{$oLookup->getName()}</td>
             <td class="centered">{if (!$oLookup->getDisabled())}<span class="ktAction ktAllowed">{i18n}Yes{/i18n}</span>{else}<span class="ktAction ktDenied">{i18n}No{/i18n}</span>{/if}</td>
             <td class="centered">{if ($oLookup->getIsStuck())}<span>{i18n}Yes{/i18n}</span>{else}&nbsp;{/if}</td>
         </tr>
diff --git a/templates/ktcore/metadata/chooseFromMetadataLookup.smarty b/templates/ktcore/metadata/chooseFromMetadataLookup.smarty
index 2a7c2b2..65de114 100644
--- a/templates/ktcore/metadata/chooseFromMetadataLookup.smarty
+++ b/templates/ktcore/metadata/chooseFromMetadataLookup.smarty
@@ -3,7 +3,7 @@
 {assign var="aLookups" value=$aFieldInfo.values}
 
 <div class="field ">
-      <label for="condi-field-{$iFieldId}">{$oField->getName()|escape}</label>
+      <label for="condi-field-{$iFieldId}">{$oField->getName()}</label>
       <p class="descriptiveText">FIXME</p>
             <p class="errorMessage"></p>
 
diff --git a/templates/ktcore/metadata/conditional/ajax_complex_get_behaviour_list.smarty b/templates/ktcore/metadata/conditional/ajax_complex_get_behaviour_list.smarty
index e9b629f..55b60ba 100644
--- a/templates/ktcore/metadata/conditional/ajax_complex_get_behaviour_list.smarty
+++ b/templates/ktcore/metadata/conditional/ajax_complex_get_behaviour_list.smarty
@@ -1,5 +1,5 @@
 <behaviourList>
 {foreach from=$aBehaviours item=oBehaviour}
-    <behaviour value="{$oBehaviour->getId()}" label="{$oBehaviour->getName()|escape}" />
+    <behaviour value="{$oBehaviour->getId()}" label="{$oBehaviour->getName()}" />
 {/foreach}
 </behaviourList>
diff --git a/templates/ktcore/metadata/conditional/conditional_admin_overview.smarty b/templates/ktcore/metadata/conditional/conditional_admin_overview.smarty
index 1ace2d8..17aeb48 100644
--- a/templates/ktcore/metadata/conditional/conditional_admin_overview.smarty
+++ b/templates/ktcore/metadata/conditional/conditional_admin_overview.smarty
@@ -71,7 +71,7 @@ ordering!{/i18n}</p>
       {foreach from=$fields item=oField}
         <tr>
             <td class="title">
-                {$oField->getName()|escape}
+                {$oField->getName()}
             </td>
             <td>
                 <a href="{addQS context=$context}fieldset_action=managefield&fFieldId={$oField->getId()}{/addQS}" class="ktAction ktEdit">{i18n}edit{/i18n}</a>
diff --git a/templates/ktcore/metadata/conditional/editsimple.smarty b/templates/ktcore/metadata/conditional/editsimple.smarty
index 13df1a8..48dc91a 100644
--- a/templates/ktcore/metadata/conditional/editsimple.smarty
+++ b/templates/ktcore/metadata/conditional/editsimple.smarty
@@ -96,7 +96,7 @@ refresh the page.{/i18n}</p>
      <div class="lookup_items">
          <select class="item_list" size="5">
   {foreach from=$oField->getEnabledValues() item=oMetaData}
-				<option value="{$oMetaData->getId()}">{$oMetaData->getName()|escape}</option>
+				<option value="{$oMetaData->getId()}">{$oMetaData->getName()}</option>
   {/foreach}
            </select>
 
diff --git a/templates/ktcore/metadata/conditional/manageConditional.smarty b/templates/ktcore/metadata/conditional/manageConditional.smarty
index 4318ea4..c878bc5 100644
--- a/templates/ktcore/metadata/conditional/manageConditional.smarty
+++ b/templates/ktcore/metadata/conditional/manageConditional.smarty
@@ -27,7 +27,7 @@ the issues identified below.{/i18n}</span>
 {if $sIncomplete}
 <div class="ktErrorMessage">
 <span>{i18n}This error prevents this fieldset from being set
-to complete{/i18n}: {$sIncomplete|escape}</span>
+to complete{/i18n}: {$sIncomplete}</span>
 </div>
 {/if}
 {/if}
@@ -127,9 +127,9 @@ $this->assign("oParentField", DocumentField::get($this->_tpl_vars['aRow']['paren
 $this->assign("oChildField", DocumentField::get($this->_tpl_vars['aRow']['child_field_id']));
 {/php}
   <li>
-    {$oParentField->getName()|escape}
+    {$oParentField->getName()}
 <span class="descriptiveText">{i18n}controls the values available in{/i18n}</span> 
-    {$oChildField->getName()|escape}
+    {$oChildField->getName()}
 </li>
 {/foreach}
 </ul>
diff --git a/templates/ktcore/metadata/conditional/manage_ordering.smarty b/templates/ktcore/metadata/conditional/manage_ordering.smarty
index 2ac47fd..2b01bc1 100644
--- a/templates/ktcore/metadata/conditional/manage_ordering.smarty
+++ b/templates/ktcore/metadata/conditional/manage_ordering.smarty
@@ -12,9 +12,9 @@ $this->assign("oParentField", DocumentField::get($this->_tpl_vars['aRow']['paren
 $this->assign("oChildField", DocumentField::get($this->_tpl_vars['aRow']['child_field_id']));
 {/php}
   <li>
-    {$oParentField->getName()|escape}
+    {$oParentField->getName()}
 <span class="descriptiveText">{i18n}controls the values available in{/i18n}</span> 
-    {$oChildField->getName()|escape}
+    {$oChildField->getName()}
 </li>
 {/foreach}
 </ul>
diff --git a/templates/ktcore/metadata/edit.smarty b/templates/ktcore/metadata/edit.smarty
index 96b8b8a..697dad2 100644
--- a/templates/ktcore/metadata/edit.smarty
+++ b/templates/ktcore/metadata/edit.smarty
@@ -1,4 +1,4 @@
-<h2>{i18n}Fieldset{/i18n}: {$oFieldset->getName()|escape}</h2>
+<h2>{i18n}Fieldset{/i18n}: {$oFieldset->getName()}</h2>
 
 <h3>{i18n}Fieldset properties{/i18n}</h3>
 <form action="{$smarty.server.PHP_SELF}" method="POST">
@@ -7,11 +7,11 @@
 <table class="prettysw" cellpadding="0" cellspacing="0">
   <tr>
     <th>{i18n}Name{/i18n}</th>
-    <td><input type="textbox" name="name" value="{$oFieldset->getName()|escape}"></td>
+    <td><input type="textbox" name="name" value="{$oFieldset->getName()}"></td>
   </tr>
   <tr>
     <th>{i18n}Namespace{/i18n}</th>
-    <td><input type="textbox" name="namespace" value="{$oFieldset->getNamespace()|escape}"></td>
+    <td><input type="textbox" name="namespace" value="{$oFieldset->getNamespace()}"></td>
   </tr>
 </table>
 <input type="submit" name="submit" value="{i18n}Change{/i18n}" />
@@ -27,7 +27,7 @@
 {foreach from=$oFieldset->getFields() item=oField}
   <li><label><input type="checkbox"
 name="fieldsetids[]"
-value="{$oField->getId()}">{$oField->getName()|escape}</label></li>
+value="{$oField->getId()}">{$oField->getName()}</label></li>
 {/foreach}
 </ul>
 <input type="submit" name="submit" value="{i18n}Remove fields{/i18n}" />
diff --git a/templates/ktcore/metadata/editField.smarty b/templates/ktcore/metadata/editField.smarty
index 0e05cb1..9cc24a3 100644
--- a/templates/ktcore/metadata/editField.smarty
+++ b/templates/ktcore/metadata/editField.smarty
@@ -1,4 +1,4 @@
-<h2>{i18n}Edit Field{/i18n}: {$oField->getName()|escape}</h2>
+<h2>{i18n}Edit Field{/i18n}: {$oField->getName()}</h2>
 
 <form action="{$smarty.server.PHP_SELF}" method="POST">
 <fieldset>
@@ -9,15 +9,15 @@
 <table class="prettysw" cellpadding="0" cellspacing="0">
   <tr>
     <th>{i18n}Name{/i18n}</th>
-    <td><input type="textbox" name="name" value="{$oField->getName()|escape}"></td>
+    <td><input type="textbox" name="name" value="{$oField->getName()}"></td>
   </tr>
   <tr>
     <th>{i18n}Description{/i18n}</th>
-    <td><textarea name="description">{$oField->getDescription()|escape}</textarea></td>
+    <td><textarea name="description">{$oField->getDescription()}</textarea></td>
   </tr>  
   <tr>
     <th>{i18n}Type{/i18n}</th>
-    <td>{$oField->getType()|escape}</td>
+    <td>{$oField->getType()}</td>
   </tr>
   <tr>
     <th>{i18n}Required{/i18n}</th>
@@ -71,7 +71,7 @@
 <ul>
 {foreach from=$aEnabledMetadata item=oMetaData}
   <li><label><input type="checkbox" name="metadata[]"
-value="{$oMetaData->getId()}">{$oMetaData->getName()|escape} 
+value="{$oMetaData->getId()}">{$oMetaData->getName()} 
 { if $oMetaData->getIsStuck() }
 <span class="helpText">({i18n}stuck, will never be disabled when synchronising
 from another source{/i18n})</span>
@@ -98,7 +98,7 @@ from another source{/i18n})</span>
 <ul>
 {foreach from=$aDisabledMetadata item=oMetaData}
   <li><label><input type="checkbox" name="metadata[]"
-value="{$oMetaData->getId()}">{$oMetaData->getName()|escape} 
+value="{$oMetaData->getId()}">{$oMetaData->getName()} 
 { if $oMetaData->getIsStuck() }
 <span class="helpText">({i18n}stuck, will never be enabled when synchronising
 from another source{/i18n})</span>
diff --git a/templates/ktcore/metadata/editFieldset.smarty b/templates/ktcore/metadata/editFieldset.smarty
index b838a54..8b53e3b 100644
--- a/templates/ktcore/metadata/editFieldset.smarty
+++ b/templates/ktcore/metadata/editFieldset.smarty
@@ -1,9 +1,9 @@
-<h2>{i18n}Fieldset{/i18n}: {$oFieldset->getName()|escape}</h2>
+<h2>{i18n}Fieldset{/i18n}: {$oFieldset->getName()}</h2>
 
 {if $sIncomplete}
 <div class="ktErrorMessage">
 <span><strong>{i18n}Incomplete{/i18n}: </strong>{i18n}This conditional fieldset cannot be used{/i18n}: <br />
-{$sIncomplete|escape}</span>
+{$sIncomplete}</span>
 </div>
 {/if}
 
@@ -66,7 +66,7 @@ field can depend on the user's selections for the others.{/i18n}
 {if $sIncomplete}
 <div class="ktError">
 <p>{i18n}This error prevents this fieldset from being set
-to complete{/i18n}: {$sIncomplete|escape}</p>
+to complete{/i18n}: {$sIncomplete}</p>
 </div> <br />
 {/if}
 
@@ -145,7 +145,7 @@ to complete{/i18n}: {$sIncomplete|escape}</p>
   <tr>
       <td><input type="checkbox" name="fields[]" value="{$oField->getId()}" /></td>
       <td class="title">
-{$oField->getName()|escape}
+{$oField->getName()}
 </td>
 <td>
 <a href="{addQS}action=editField&fFieldId={$oField->getId()}&fFieldsetId={$oFieldset->getId()}{/addQS}" class="ktAction ktEdit">{i18n}edit{/i18n}</a>
diff --git a/templates/ktcore/workflow/editState.smarty b/templates/ktcore/workflow/editState.smarty
index 4c1e4e4..2932ddc 100644
--- a/templates/ktcore/workflow/editState.smarty
+++ b/templates/ktcore/workflow/editState.smarty
@@ -20,7 +20,7 @@ td.false { background-color: #ffaaaa; text-align: centre }
 {/literal}{/capture}
 {$context->oPage->requireCSSStandalone($sCSS)}
 
-<h2>{i18n}State{/i18n}: {$oState->getName()|escape}</h2>
+<h2>{i18n}State{/i18n}: {$oState->getName()}</h2>
 
 <p class="descriptiveText">{i18n}As documents move through their lifecycle, they
 are placed in certain <strong>states</strong>.  For example, an invoice
@@ -106,7 +106,7 @@ with a specific <strong>role</strong> (e.g. Manager) or part of a specific group
   <li><a
 href="{addQS}action=editTransition&fWorkflowId={$oWorkflow->getId()}&fTransitionId={$oTransition->getId()}{/addQS}"
 title="Transition
-{$oTransition->getId()}">{$oTransition->getName()|escape}</a></li>
+{$oTransition->getId()}">{$oTransition->getName()}</a></li>
 {/foreach}
 </ul>
 
diff --git a/templates/ktcore/workflow/editTransition.smarty b/templates/ktcore/workflow/editTransition.smarty
index b5e074b..951e46b 100644
--- a/templates/ktcore/workflow/editTransition.smarty
+++ b/templates/ktcore/workflow/editTransition.smarty
@@ -1,4 +1,4 @@
-<h2>{i18n}Transition{/i18n}: {$oTransition->getName()|escape}</h2>
+<h2>{i18n}Transition{/i18n}: {$oTransition->getName()}</h2>
 
 
 <form action="{$smarty.server.PHP_SELF}" method="POST">
diff --git a/templates/ktcore/workflow/editWorkflow.smarty b/templates/ktcore/workflow/editWorkflow.smarty
index ef4ca98..05aa801 100644
--- a/templates/ktcore/workflow/editWorkflow.smarty
+++ b/templates/ktcore/workflow/editWorkflow.smarty
@@ -1,6 +1,6 @@
 {$context->oPage->requireCSSResource('resources/css/workflow-admin.css')}
 
-<h2>{i18n}Workflow Overview{/i18n}: {$oWorkflow->getName()|escape}</h2>
+<h2>{i18n}Workflow Overview{/i18n}: {$oWorkflow->getName()}</h2>
 
 <form action="{$smarty.server.PHP_SELF}" method="POST">
 <fieldset>
diff --git a/templates/ktstandard/disclaimers/manage_disclaimers_item.smarty b/templates/ktstandard/disclaimers/manage_disclaimers_item.smarty
index 1cb66a6..9c0e59d 100644
--- a/templates/ktstandard/disclaimers/manage_disclaimers_item.smarty
+++ b/templates/ktstandard/disclaimers/manage_disclaimers_item.smarty
@@ -14,7 +14,7 @@ tinyMCE.init({
 <input type="hidden" name="action" value="update">
 <input type="hidden" name="title" value="{$help->getTitle()}">
 
-<h2>{$help->getTitle()|escape}</h2>
-<textarea cols="60" rows="20" name="description">{$help->getDescription()|escape}</textarea>
+<h2>{$help->getTitle()}</h2>
+<textarea cols="60" rows="20" name="description">{$help->getDescription()}</textarea>
 <input type="submit" name="submit" value="{i18n}Update{/i18n}" />
 </form>
diff --git a/thirdparty/Smarty/plugins/modifier.mb_truncate.php b/thirdparty/Smarty/plugins/modifier.mb_truncate.php
new file mode 100644
index 0000000..6118b86
--- /dev/null
+++ b/thirdparty/Smarty/plugins/modifier.mb_truncate.php
@@ -0,0 +1,38 @@
+<?php
+/**
+ * Smarty plugin
+ * @package Smarty
+ * @subpackage plugins
+ */
+
+
+/**
+ * Smarty mb_truncate modifier plugin
+ *
+ * Type:     modifier<br>
+ * Name:     mb_truncate<br>
+ * Purpose:  Truncate a multibyte string to a certain length if necessary,
+ *           optionally splitting in the middle of a word, and
+ *           appending the $etc string.
+ * @param string
+ * @param integer
+ * @param string
+ * @param boolean
+ * @return string
+ */
+function smarty_modifier_mb_truncate($string, $length = 80, $etc = '...',
+                                  $break_words = false)
+{
+    if ($length == 0)
+        return '';
+
+    if (mb_strlen($string) > $length) {
+        $length -= mb_strlen($etc);
+        if (!$break_words)
+            $string = preg_replace('/\s+?(\S+)?$/', '', mb_substr($string, 0, $length+1));
+      
+        return mb_substr($string, 0, $length).$etc;
+    } else
+        return $string;
+}
+?>
\ No newline at end of file
diff --git a/thirdparty/Smarty/plugins/modifier.mb_wordwrap.php b/thirdparty/Smarty/plugins/modifier.mb_wordwrap.php
new file mode 100644
index 0000000..605c23d
--- /dev/null
+++ b/thirdparty/Smarty/plugins/modifier.mb_wordwrap.php
@@ -0,0 +1,33 @@
+<?php
+/**
+ * Smarty plugin
+ * @package Smarty
+ * @subpackage plugins
+ */
+
+
+/**
+ * Smarty mb_wordwrap modifier plugin
+ *
+ * Type:     modifier<br>
+ * Name:     mb_wordwrap<br>
+ * Purpose:  wrap a multibyte string of text at a given length
+ * @param string
+ * @param integer
+ * @param string
+ * @param boolean
+ * @return string
+ */
+function smarty_modifier_mb_wordwrap($string,$length=80,$break="\n",$cut=false)
+{
+    
+	$newString = "";
+	$index = 0;
+	while(mb_strlen($newString) < mb_strlen($string)){
+		$newString .= mb_strcut($string, $index, $length, "UTF8") . $break;
+		$index += $length;
+	}
+	return $newString;
+	
+}
+?>
\ No newline at end of file
--
libgit2 0.21.4