Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.434.2.18
diff -u -p -r1.434.2.18 common.inc
--- includes/common.inc	9 Feb 2006 08:57:47 -0000	1.434.2.18
+++ includes/common.inc	19 Feb 2006 23:41:34 -0000
@@ -884,7 +884,7 @@ function format_name($object) {
       $output = l($name, 'user/'. $object->uid, array('title' => t('View user profile.')));
     }
     else {
-      $output = $name;
+      $output = check_plain($name);
     }
   }
   else if ($object->name) {
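Review bot: The `l()` branch just above the changed line still passes the raw `$name` as link text, so the new `check_plain()` covers only the unlinked case; the hunk does not show whether this version's `l()` escapes its text argument, and if it does not, that branch needs the same treatment, `$output = l(check_plain($name), 'user/'. $object->uid, array('title' => t('View user profile.')));` (if `l()` already escapes, leave it, since wrapping would double-encode). A short comment on the `else` branch would record the decision: `// $name is user-supplied; escape it here, l() handles the linked case.` `$name` is assigned before the hunk and format_name() starts outside it.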
@@ -893,10 +893,10 @@ function format_name($object) {
     // aggregator modules). This clause enables modules to display
     // the true author of the content.
     if ($object->homepage) {
-      $output = '<a href="'. $object->homepage .'">'. $object->name .'</a>';
+      $output = '<a href="'. check_url($object->homepage) .'">'. check_plain($object->name) .'</a>';
     }
     else {
-      $output = $object->name;
+      $output = check_plain($object->name);
     }
 
     $output .= ' ('. t('not verified') .')';
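Review bot: `check_url()` is the only treatment `$object->homepage` receives before being written inside a double-quoted `href` on the changed line, and the hunk does not show whether this version's `check_url()` escapes quotes and angle brackets for attribute context or only strips dangerous protocols. If it is protocol filtering alone, a `"` in the stored homepage still closes the attribute, and the value should also go through `check_plain()`; if it already escapes, no change is needed but the assumption deserves a comment: `// check_url() must both strip unsafe protocols and escape for attribute context.` The `check_plain($object->name)` additions on both lines look correct. format_name() starts before this hunk.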
Index: modules/book.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/book.module,v
retrieving revision 1.288.2.10
diff -u -p -r1.288.2.10 book.module
--- modules/book.module	29 Jul 2005 07:29:25 -0000	1.288.2.10
+++ modules/book.module	19 Feb 2006 23:41:43 -0000
@@ -417,7 +417,7 @@ function book_view(&$node, $teaser = FAL
   $node = book_content($node, $teaser);
 
   if (!$teaser && $node->moderate) {
-    $node->body .= '<div class="log"><div class="title">'. t('Log') .':</div>'. $node->log .'</div>';
+    $node->body .= '<div class="log"><div class="title">'. t('Log') .':</div>'. check_output($node->log, $node->format) .'</div>';
   }
 }
 
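Review bot: `check_output($node->log, $node->format)` applies the node body's input format to the revision log, which is broader than a log message needs; if the node uses a permissive format, the log inherits that treatment rather than being rendered as text. If the log is meant to be plain text, `check_plain($node->log)` is the tighter choice and does not depend on `$node->format`: `... ':</div>'. check_plain($node->log) .'</div>';`. Whichever is chosen, a comment stating the intent would help the next reader: `// The log is editor-entered text; never concatenate it unfiltered into the body.` book_view() starts before the hunk.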
Index: themes/engines/xtemplate/xtemplate.engine
===================================================================
RCS file: /cvs/drupal/drupal/themes/engines/xtemplate/Attic/xtemplate.engine,v
retrieving revision 1.12.2.1
diff -u -p -r1.12.2.1 xtemplate.engine
--- themes/engines/xtemplate/xtemplate.engine	25 Jul 2005 07:01:42 -0000	1.12.2.1
+++ themes/engines/xtemplate/xtemplate.engine	19 Feb 2006 23:41:56 -0000
@@ -183,7 +183,7 @@ function xtemplate_page($content) {
 
   // only parse the mission block if we are on the frontpage ...
   if ($_GET["q"] == variable_get("site_frontpage", "node") && theme_get_setting('toggle_mission') && ($mission = theme_get_setting('mission'))) {
-    $xtemplate->template->assign("mission", $mission);
+    $xtemplate->template->assign("mission", filter_xss($mission));
     $xtemplate->template->parse("header.mission");
   }
 
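Review bot: `filter_xss($mission)` with no allowed-tags argument relies on the function's default tag list, so any mission markup outside that list is presumably dropped silently at render time; this is a visible behaviour change for existing sites and the changed line should say so: `// Mission text comes from stored site configuration; limit it to filter_xss()'s default tag set before it reaches the template.` The loose `==` on the front-page check is pre-existing and not introduced here. xtemplate_page() continues beyond the hunk.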
