Index: includes/database.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/database.inc,v
retrieving revision 1.95
diff -u -r1.95 database.inc
--- includes/database.inc	1 Jul 2008 20:36:40 -0000	1.95
+++ includes/database.inc	9 Jul 2008 23:32:31 -0000
@@ -216,6 +216,11 @@
       return (int) array_shift($args); // We don't need db_escape_string as numbers are db-safe
     case '%s':
       return db_escape_string(array_shift($args));
+    case '%n':
+      // Numeric values have arbitrary precision, so can't be treated as float.
+      // is_numeric() allows hex values (0xFF), but they are not valid.
+      $value = trim(array_shift($args));
+      return is_numeric($value) && !preg_match('/x/i', $value) ? $value : '0';
     case '%%':
       return '%';
     case '%f':
@@ -244,7 +249,7 @@
 /**
  * Indicates the place holders that should be replaced in _db_query_callback().
  */
-define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b)/');
+define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b|%n)/');
 
 /**
  * Helper function for db_rewrite_sql.
@@ -546,16 +551,14 @@
     case 'char':
     case 'text':
     case 'datetime':
-      return '\'%s\'';
+      return "'%s'";
 
     case 'numeric':
-      // For 'numeric' values, we use '%s', not '\'%s\'' as with
-      // string types, because numeric values should not be enclosed
-      // in quotes in queries (though they can be, at least on mysql
-      // and pgsql).  Numerics should only have [0-9.+-] and
-      // presumably no db's "escape string" function will mess with
-      // those characters.
-      return '%s';
+      // Numeric values are arbitrary precision numbers.  Syntacically, numerics
+      // should be specified directly in SQL. However, without single quotes
+      // the %s placeholder does not protect against non-numeric characters such
+      // as spaces which would expose us to SQL injection.
+      return '%n';
 
     case 'serial':
     case 'int':
Index: includes/locale.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/locale.inc,v
retrieving revision 1.176
diff -u -r1.176 locale.inc
--- includes/locale.inc	26 May 2008 17:12:54 -0000	1.176
+++ includes/locale.inc	9 Jul 2008 23:32:32 -0000
@@ -871,16 +871,36 @@
  */
 
 /**
- * Delete a language string.
+ * String deletion confirmation page.
  */
-function locale_translate_delete($lid) {
-  db_query('DELETE FROM {locales_source} WHERE lid = %d', $lid);
-  db_query('DELETE FROM {locales_target} WHERE lid = %d', $lid);
+function locale_translate_delete_page($lid) {
+  if ($source = db_fetch_object(db_query('SELECT * FROM {locales_source} WHERE lid = %d', $lid))) {
+    return drupal_get_form('locale_translate_delete_form', $source);
+  }
+  else {
+    return drupal_not_found();
+  }
+}
+
+/**
+ * User interface for the string deletion confirmation screen.
+ */
+function locale_translate_delete_form(&$form_state, $source) {
+  $form['lid'] = array('#type' => 'value', '#value' => $source->lid);
+  return confirm_form($form, t('Are you sure you want to delete the string "%source"?', array('%source' => $source->source)), 'admin/build/translate/search', t('Deleting the string will remove all translations of this string in all languages. This action cannot be undone.'), t('Delete'), t('Cancel'));
+}
+
+/**
+ * Process string deletion submissions.
+ */
+function locale_translate_delete_form_submit($form, &$form_state) {
+  db_query('DELETE FROM {locales_source} WHERE lid = %d', $form_state['values']['lid']);
+  db_query('DELETE FROM {locales_target} WHERE lid = %d', $form_state['values']['lid']);
   // Force JavaScript translation file recreation for all languages.
   _locale_invalidate_js();
   cache_clear_all('locale:', 'cache', TRUE);
   drupal_set_message(t('The string has been removed.'));
-  drupal_goto('admin/build/translate/search');
+  $form_state['redirect'] = 'admin/build/translate/search';
 }
 /**
  * @} End of "locale-translate-delete"
Index: includes/theme.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/theme.inc,v
retrieving revision 1.429
diff -u -r1.429 theme.inc
--- includes/theme.inc	1 Jul 2008 20:22:22 -0000	1.429
+++ includes/theme.inc	9 Jul 2008 23:32:32 -0000
@@ -1119,7 +1119,7 @@
       if (isset($link['href']) && ($link['href'] == $_GET['q'] || ($link['href'] == '<front>' && drupal_is_front_page()))) {
         $class .= ' active';
       }
-      $output .= '<li class="' . $class . '">';
+      $output .= '<li' . drupal_attributes(array('class' => $class)) . '>';
 
       if (isset($link['href'])) {
         // Pass in $link as $options, they share the same keys.
Index: modules/filter/filter.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v
retrieving revision 1.213
diff -u -r1.213 filter.module
--- modules/filter/filter.module	6 May 2008 12:18:47 -0000	1.213
+++ modules/filter/filter.module	9 Jul 2008 23:32:32 -0000
@@ -916,7 +916,7 @@
  * for scripts and styles.
  */
 function filter_xss_admin($string) {
-  return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'object', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
+  return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
 }
 
 /**
Index: modules/locale/locale.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/locale/locale.module,v
retrieving revision 1.218
diff -u -r1.218 locale.module
--- modules/locale/locale.module	1 Jul 2008 20:36:40 -0000	1.218
+++ modules/locale/locale.module	9 Jul 2008 23:32:32 -0000
@@ -173,7 +173,7 @@
   $items['admin/build/translate/delete/%'] = array(
     'title' => 'Delete string',
     'page callback' => 'locale_inc_callback',
-    'page arguments' => array('locale_translate_delete', 4),  // directly deletes, no confirmation
+    'page arguments' => array('locale_translate_delete_page', 4),
     'access arguments' => array('translate interface'),
     'type' => MENU_CALLBACK,
   );
Index: modules/openid/openid.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/openid/openid.module,v
retrieving revision 1.25
diff -u -r1.25 openid.module
--- modules/openid/openid.module	6 May 2008 12:18:48 -0000	1.25
+++ modules/openid/openid.module	9 Jul 2008 23:32:32 -0000
@@ -26,8 +26,8 @@
   );
   $items['user/%user/openid/delete'] = array(
     'title' => 'Delete OpenID',
-    'page callback' => 'openid_user_delete',
-    'page arguments' => array(1),
+    'page callback' => 'drupal_get_form',
+    'page arguments' => array('openid_user_delete_form', 1),
     'access callback' => 'user_edit_access',
     'access arguments' => array(1),
     'type' => MENU_CALLBACK,
Index: modules/openid/openid.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/openid/openid.pages.inc,v
retrieving revision 1.6
diff -u -r1.6 openid.pages.inc
--- modules/openid/openid.pages.inc	14 Apr 2008 17:48:38 -0000	1.6
+++ modules/openid/openid.pages.inc	9 Jul 2008 23:32:32 -0000
@@ -44,7 +44,7 @@
 
   $result = db_query("SELECT * FROM {authmap} WHERE module='openid' AND uid=%d", $account->uid);
   while ($identity = db_fetch_object($result)) {
-    $rows[] = array($identity->authname, l(t('Delete'), 'user/' . $account->uid . '/openid/delete/' . $identity->aid));
+    $rows[] = array(check_plain($identity->authname), l(t('Delete'), 'user/' . $account->uid . '/openid/delete/' . $identity->aid));
   }
 
   $output = theme('table', $header, $rows);
@@ -80,12 +80,33 @@
 }
 
 /**
- * Menu callback; Delete the specified OpenID identity from the system.
+ * Present a confirmation form to delete the specified OpenID identity from the system.
+ *
+ * @ingroup forms
+ * @see openid_user_delete_form_submit()
  */
-function openid_user_delete($account, $aid = 0) {
-  db_query("DELETE FROM {authmap} WHERE uid=%d AND aid=%d AND module='openid'", $account->uid, $aid);
+function openid_user_delete_form($form_state, $account, $aid = 0) {
+  $authname = db_result(db_query('SELECT authname FROM {authmap} WHERE uid = %d AND aid = %d', $account->uid, $aid));
+
+  $form = array();
+
+  $form['uid'] = array(
+    '#type' => 'value',
+    '#value' => $account->uid,
+  );
+
+  $form['aid'] = array(
+    '#type' => 'value',
+    '#value' => $aid,
+  );
+
+  return confirm_form($form, t('Are you sure you want to delete the OpenID %authname for %user?', array('%authname' => $authname, '%user' => $account->name)), 'user/' . $account->uid . '/openid');
+}
+
+function openid_user_delete_form_submit($form, &$form_state) {
+  db_query("DELETE FROM {authmap} WHERE uid = %d AND aid = %d AND module = 'openid'", $form_state['values']['uid'], $form_state['values']['aid']);
   if (db_affected_rows()) {
     drupal_set_message(t('OpenID deleted.'));
   }
-  drupal_goto('user/' . $account->uid . '/openid');
+  $form_state['redirect'] = 'user/' . $form_state['values']['uid'] . '/openid';
 }
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.911
diff -u -r1.911 user.module
--- modules/user/user.module	27 Jun 2008 07:25:11 -0000	1.911
+++ modules/user/user.module	9 Jul 2008 23:32:33 -0000
@@ -1341,8 +1341,10 @@
   // This is also used to invalidate one-time login links.
   $user->login = time();
   db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
-  user_module_invoke('login', $edit, $user);
+
+  // Regenerate the session ID to prevent against session fixation attacks.
   sess_regenerate();
+  user_module_invoke('login', $edit, $user);
 }
 
 /**
