From 470fc3817f67c4f13217e14bf8040668d5374e4b Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 20:53:52 +0100
Subject: [PATCH 01/18] Remove the template autoescaping

Ref #1963
---
 lib/template.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/lib/template.php b/lib/template.php
index ce55e58d28..fcf18fee41 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -341,7 +341,6 @@ class OC_Template{
 	 * @brief Assign variables
 	 * @param string $key key
 	 * @param string $value value
-	 * @param bool $sanitizeHTML false, if data shouldn't get passed through htmlentities
 	 * @return bool
 	 *
 	 * This function assigns a variable. It can be accessed via $_[$key] in
@@ -349,8 +348,7 @@ class OC_Template{
 	 *
 	 * If the key existed before, it will be overwritten
 	 */
-	public function assign( $key, $value, $sanitizeHTML=true ) {
-		if($sanitizeHTML == true) $value=OC_Util::sanitizeHTML($value);
+	public function assign( $key, $value) {
 		$this->vars[$key] = $value;
 		return true;
 	}

From 4860d03270a9caa9c5e686c6eeb31fd8adfbedf5 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 21:14:15 +0100
Subject: [PATCH 02/18] [Files] Use p() instead of echo

---
 apps/files/index.php                     | 16 ++---
 apps/files/templates/admin.php           | 22 +++----
 apps/files/templates/index.php           | 74 ++++++++++++------------
 apps/files/templates/part.breadcrumb.php | 10 ++--
 apps/files/templates/part.list.php       | 42 +++++++-------
 apps/files/templates/upgrade.php         |  2 +-
 6 files changed, 83 insertions(+), 83 deletions(-)

diff --git a/apps/files/index.php b/apps/files/index.php
index 434e98c6ea..579e19cf11 100644
--- a/apps/files/index.php
+++ b/apps/files/index.php
@@ -90,13 +90,13 @@ foreach (explode('/', $dir) as $i) {
 
 // make breadcrumb und filelist markup
 $list = new OCP\Template('files', 'part.list', '');
-$list->assign('files', $files, false);
-$list->assign('baseURL', OCP\Util::linkTo('files', 'index.php') . '?dir=', false);
-$list->assign('downloadURL', OCP\Util::linkToRoute('download', array('file' => '/')), false);
-$list->assign('disableSharing', false);
+$list->assign('files', $files);
+$list->assign('baseURL', OCP\Util::linkTo('files', 'index.php') . '?dir=');
+$list->assign('downloadURL', OCP\Util::linkToRoute('download', array('file' => '/')));
+$list->assign('disableSharing');
 $breadcrumbNav = new OCP\Template('files', 'part.breadcrumb', '');
-$breadcrumbNav->assign('breadcrumb', $breadcrumb, false);
-$breadcrumbNav->assign('baseURL', OCP\Util::linkTo('files', 'index.php') . '?dir=', false);
+$breadcrumbNav->assign('breadcrumb', $breadcrumb);
+$breadcrumbNav->assign('baseURL', OCP\Util::linkTo('files', 'index.php') . '?dir=');
 
 $permissions = OCP\PERMISSION_READ;
 if (\OC\Files\Filesystem::isCreatable($dir . '/')) {
@@ -125,8 +125,8 @@ if ($needUpgrade) {
 	OCP\Util::addscript('files', 'files');
 	OCP\Util::addscript('files', 'keyboardshortcuts');
 	$tmpl = new OCP\Template('files', 'index', 'user');
-	$tmpl->assign('fileList', $list->fetchPage(), false);
-	$tmpl->assign('breadcrumb', $breadcrumbNav->fetchPage(), false);
+	$tmpl->assign('fileList', $list->fetchPage());
+	$tmpl->assign('breadcrumb', $breadcrumbNav->fetchPage());
 	$tmpl->assign('dir', \OC\Files\Filesystem::normalizePath($dir));
 	$tmpl->assign('isCreatable', \OC\Files\Filesystem::isCreatable($dir . '/'));
 	$tmpl->assign('permissions', $permissions);
diff --git a/apps/files/templates/admin.php b/apps/files/templates/admin.php
index ad69b5519d..0ab931a467 100644
--- a/apps/files/templates/admin.php
+++ b/apps/files/templates/admin.php
@@ -2,27 +2,27 @@
 
 <form name="filesForm" action='#' method='post'>
 	<fieldset class="personalblock">
-		<legend><strong><?php echo $l->t('File handling');?></strong></legend>
+		<legend><strong><?php p($l->t('File handling')); ?></strong></legend>
 		<?php if($_['uploadChangable']):?>
-			<label for="maxUploadSize"><?php echo $l->t( 'Maximum upload size' ); ?> </label>
-			<input name='maxUploadSize' id="maxUploadSize" value='<?php echo $_['uploadMaxFilesize'] ?>'/>
+			<label for="maxUploadSize"><?php p($l->t( 'Maximum upload size' )); ?> </label>
+			<input name='maxUploadSize' id="maxUploadSize" value='<?php p($_['uploadMaxFilesize']) ?>'/>
 			<?php if($_['displayMaxPossibleUploadSize']):?>
-				(<?php echo $l->t('max. possible: '); echo $_['maxPossibleUploadSize'] ?>)
+				(<?php p($l->t('max. possible: ')); p($_['maxPossibleUploadSize']) ?>)
 			<?php endif;?>
 			<br/>
 		<?php endif;?>
 		<input type="checkbox" name="allowZipDownload" id="allowZipDownload" value="1"
-			   title="<?php echo $l->t( 'Needed for multi-file and folder downloads.' ); ?>"
+			   title="<?php p($l->t( 'Needed for multi-file and folder downloads.' )); ?>"
 			   <?php if ($_['allowZipDownload']): ?> checked="checked"<?php endif; ?> />
-		<label for="allowZipDownload"><?php echo $l->t( 'Enable ZIP-download' ); ?></label><br/>
+		<label for="allowZipDownload"><?php p($l->t( 'Enable ZIP-download' )); ?></label><br/>
 
-		<input name="maxZipInputSize" id="maxZipInputSize" style="width:180px;" value='<?php echo $_['maxZipInputSize'] ?>'
-			   title="<?php echo $l->t( '0 is unlimited' ); ?>"
+		<input name="maxZipInputSize" id="maxZipInputSize" style="width:180px;" value='<?php p($_['maxZipInputSize']) ?>'
+			   title="<?php p($l->t( '0 is unlimited' )); ?>"
 			   <?php if (!$_['allowZipDownload']): ?> disabled="disabled"<?php endif; ?> /><br />
-		<em><?php echo $l->t( 'Maximum input size for ZIP files' ); ?> </em><br />
+		<em><?php p($l->t( 'Maximum input size for ZIP files' )); ?> </em><br />
 
-		<input type="hidden" value="<?php echo $_['requesttoken']; ?>" name="requesttoken" />
+		<input type="hidden" value="<?php p($_['requesttoken']); ?>" name="requesttoken" />
 		<input type="submit" name="submitFilesAdminSettings" id="submitFilesAdminSettings"
-			   value="<?php echo $l->t( 'Save' ); ?>"/>
+			   value="<?php p($l->t( 'Save' )); ?>"/>
 	</fieldset>
 </form>
diff --git a/apps/files/templates/index.php b/apps/files/templates/index.php
index c7bf0d21c1..ed6dd2f04c 100644
--- a/apps/files/templates/index.php
+++ b/apps/files/templates/index.php
@@ -1,62 +1,62 @@
 <!--[if IE 8]><style>input[type="checkbox"]{padding:0;}table td{position:static !important;}</style><![endif]-->
 <div id="controls">
-	<?php echo($_['breadcrumb']); ?>
+	<?php print_unescaped($_['breadcrumb']); ?>
 	<?php if ($_['isCreatable']):?>
 		<div class="actions <?php if (isset($_['files']) and count($_['files'])==0):?>emptyfolder<?php endif; ?>">
 			<div id="new" class="button">
-				<a><?php echo $l->t('New');?></a>
+				<a><?php p($l->t('New'));?></a>
 				<ul>
-					<li style="background-image:url('<?php echo OCP\mimetype_icon('text/plain') ?>')"
-						data-type='file'><p><?php echo $l->t('Text file');?></p></li>
-					<li style="background-image:url('<?php echo OCP\mimetype_icon('dir') ?>')"
-						data-type='folder'><p><?php echo $l->t('Folder');?></p></li>
-					<li style="background-image:url('<?php echo OCP\image_path('core', 'actions/public.png') ?>')"
-						data-type='web'><p><?php echo $l->t('From link');?></p></li>
+					<li style="background-image:url('<?php p(OCP\mimetype_icon('text/plain')) ?>')"
+						data-type='file'><p><?php p($l->t('Text file'));?></p></li>
+					<li style="background-image:url('<?php p(OCP\mimetype_icon('dir')) ?>')"
+						data-type='folder'><p><?php p($l->t('Folder'));?></p></li>
+					<li style="background-image:url('<?php p(OCP\image_path('core', 'actions/public.png')) ?>')"
+						data-type='web'><p><?php p($l->t('From link'));?></p></li>
 				</ul>
 			</div>
 			<div id="upload" class="button"
-				 title="<?php echo $l->t('Upload') . ' max. '.$_['uploadMaxHumanFilesize'] ?>">
+				 title="<?php p($l->t('Upload') . ' max. '.$_['uploadMaxHumanFilesize']) ?>">
 				<form data-upload-id='1'
 					  id="data-upload-form"
 					  class="file_upload_form"
-					  action="<?php echo OCP\Util::linkTo('files', 'ajax/upload.php'); ?>"
+					  action="<?php print_unescaped(OCP\Util::linkTo('files', 'ajax/upload.php')); ?>"
 					  method="post"
 					  enctype="multipart/form-data"
 					  target="file_upload_target_1">
 					<input type="hidden" name="MAX_FILE_SIZE" id="max_upload"
-						   value="<?php echo $_['uploadMaxFilesize'] ?>">
+						   value="<?php p($_['uploadMaxFilesize']) ?>">
 					<!-- Send the requesttoken, this is needed for older IE versions
 						 because they don't send the CSRF token via HTTP header in this case -->
-					<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
+					<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" id="requesttoken">
 					<input type="hidden" class="max_human_file_size"
-						   value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
-					<input type="hidden" name="dir" value="<?php echo $_['dir'] ?>" id="dir">
+						   value="(max <?php p($_['uploadMaxHumanFilesize']); ?>)">
+					<input type="hidden" name="dir" value="<?php p($_['dir']) ?>" id="dir">
 					<input type="file" id="file_upload_start" name='files[]'/>
 					<a href="#" class="svg" onclick="return false;"></a>
 				</form>
 			</div>
 			<?php if ($_['trash'] ): ?>
 			<div id="trash" class="button">
-				<a><?php echo $l->t('Deleted files');?></a>
+				<a><?php p($l->t('Deleted files'));?></a>
 			</div>
 			<?php endif; ?>
 			<div id="uploadprogresswrapper">
 				<div id="uploadprogressbar"></div>
 				<input type="button" class="stop" style="display:none"
-					value="<?php echo $l->t('Cancel upload');?>"
+					value="<?php p($l->t('Cancel upload'));?>"
 					onclick="javascript:Files.cancelUploads();"
 				/>
 			</div>
 		</div>
 		<div id="file_action_panel"></div>
 	<?php else:?>
-		<input type="hidden" name="dir" value="<?php echo $_['dir'] ?>" id="dir">
+		<input type="hidden" name="dir" value="<?php p($_['dir']) ?>" id="dir">
 	<?php endif;?>
-	<input type="hidden" name="permissions" value="<?php echo $_['permissions']; ?>" id="permissions">
+	<input type="hidden" name="permissions" value="<?php p($_['permissions']); ?>" id="permissions">
 </div>
 
 <?php if (isset($_['files']) and $_['isCreatable'] and count($_['files'])==0):?>
-	<div id="emptyfolder"><?php echo $l->t('Nothing in here. Upload something!')?></div>
+	<div id="emptyfolder"><?php p($l->t('Nothing in here. Upload something!'))?></div>
 <?php endif; ?>
 
 <table>
@@ -64,33 +64,33 @@
 		<tr>
 			<th id='headerName'>
 				<input type="checkbox" id="select_all" />
-				<span class='name'><?php echo $l->t( 'Name' ); ?></span>
+				<span class='name'><?php p($l->t( 'Name' )); ?></span>
 				<span class='selectedActions'>
 					<?php if($_['allowZipDownload']) : ?>
 						<a href="" class="download">
 							<img class="svg" alt="Download"
-								 src="<?php echo OCP\image_path("core", "actions/download.svg"); ?>" />
-							<?php echo $l->t('Download')?>
+								 src="<?php print_unescaped(OCP\image_path("core", "actions/download.svg")); ?>" />
+							<?php p($l->t('Download'))?>
 						</a>
 					<?php endif; ?>
 				</span>
 			</th>
-			<th id="headerSize"><?php echo $l->t( 'Size' ); ?></th>
+			<th id="headerSize"><?php p($l->t( 'Size' )); ?></th>
 			<th id="headerDate">
-				<span id="modified"><?php echo $l->t( 'Modified' ); ?></span>
+				<span id="modified"><?php p($l->t( 'Modified' )); ?></span>
 				<?php if ($_['permissions'] & OCP\PERMISSION_DELETE): ?>
 <!-- 					NOTE: Temporary fix to allow unsharing of files in root of Shared folder -->
 					<?php if ($_['dir'] == '/Shared'): ?>
 						<span class="selectedActions"><a href="" class="delete">
-							<?php echo $l->t('Unshare')?>
-							<img class="svg" alt="<?php echo $l->t('Unshare')?>"
-								 src="<?php echo OCP\image_path("core", "actions/delete.svg"); ?>" />
+							<?php p($l->t('Unshare'))?>
+							<img class="svg" alt="<?php p($l->t('Unshare'))?>"
+								 src="<?php print_unescaped(OCP\image_path("core", "actions/delete.svg")); ?>" />
 						</a></span>
 					<?php else: ?>
 						<span class="selectedActions"><a href="" class="delete">
-							<?php echo $l->t('Delete')?>
-							<img class="svg" alt="<?php echo $l->t('Delete')?>"
-								 src="<?php echo OCP\image_path("core", "actions/delete.svg"); ?>" />
+							<?php p($l->t('Delete'))?>
+							<img class="svg" alt="<?php p($l->t('Delete'))?>"
+								 src="<?php print_unescaped(OCP\image_path("core", "actions/delete.svg")); ?>" />
 						</a></span>
 					<?php endif; ?>
 				<?php endif; ?>
@@ -98,24 +98,24 @@
 		</tr>
 	</thead>
 	<tbody id="fileList">
-		<?php echo($_['fileList']); ?>
+		<?php print_unescaped($_['fileList']); ?>
 	</tbody>
 </table>
 <div id="editor"></div>
-<div id="uploadsize-message" title="<?php echo $l->t('Upload too large')?>">
+<div id="uploadsize-message" title="<?php p($l->t('Upload too large'))?>">
 	<p>
-	<?php echo $l->t('The files you are trying to upload exceed the maximum size for file uploads on this server.');?>
+	<?php p($l->t('The files you are trying to upload exceed the maximum size for file uploads on this server.'));?>
 	</p>
 </div>
 <div id="scanning-message">
 	<h3>
-		<?php echo $l->t('Files are being scanned, please wait.');?> <span id='scan-count'></span>
+		<?php p($l->t('Files are being scanned, please wait.'));?> <span id='scan-count'></span>
 	</h3>
 	<p>
-		<?php echo $l->t('Current scanning');?> <span id='scan-current'></span>
+		<?php p($l->t('Current scanning'));?> <span id='scan-current'></span>
 	</p>
 </div>
 
 <!-- config hints for javascript -->
-<input type="hidden" name="allowZipDownload" id="allowZipDownload" value="<?php echo $_['allowZipDownload']; ?>" />
-<input type="hidden" name="usedSpacePercent" id="usedSpacePercent" value="<?php echo $_['usedSpacePercent']; ?>" />
+<input type="hidden" name="allowZipDownload" id="allowZipDownload" value="<?php p($_['allowZipDownload']); ?>" />
+<input type="hidden" name="usedSpacePercent" id="usedSpacePercent" value="<?php p($_['usedSpacePercent']); ?>" />
diff --git a/apps/files/templates/part.breadcrumb.php b/apps/files/templates/part.breadcrumb.php
index f01cb8d212..7ea1755d1d 100644
--- a/apps/files/templates/part.breadcrumb.php
+++ b/apps/files/templates/part.breadcrumb.php
@@ -1,7 +1,7 @@
 <?php if(count($_["breadcrumb"])):?>
 	<div class="crumb">
-		<a href="<?php echo $_['baseURL']; ?>">
-			<img src="<?php echo OCP\image_path('core', 'places/home.svg');?>" class="svg" />
+		<a href="<?php print_unescaped($_['baseURL']); ?>">
+			<img src="<?php print_unescaped(OCP\image_path('core', 'places/home.svg'));?>" class="svg" />
 		</a>
 	</div>
 <?php endif;?>
@@ -9,8 +9,8 @@
 	$crumb = $_["breadcrumb"][$i];
 	$dir = str_replace('+', '%20', urlencode($crumb["dir"]));
 	$dir = str_replace('%2F', '/', $dir); ?>
-	<div class="crumb <?php if($i == count($_["breadcrumb"])-1) echo 'last';?> svg"
-		 data-dir='<?php echo $dir;?>'>
-	<a href="<?php echo $_['baseURL'].$dir; ?>"><?php echo OCP\Util::sanitizeHTML($crumb["name"]); ?></a>
+	<div class="crumb <?php if($i == count($_["breadcrumb"])-1) p('last');?> svg"
+		 data-dir='<?php p($dir);?>'>
+	<a href="<?php p($_['baseURL'].$dir); ?>"><?php p($crumb["name"]); ?></a>
 	</div>
 <?php endfor;
diff --git a/apps/files/templates/part.list.php b/apps/files/templates/part.list.php
index 3c6c5dbd26..25763da57a 100644
--- a/apps/files/templates/part.list.php
+++ b/apps/files/templates/part.list.php
@@ -1,4 +1,4 @@
-<input type="hidden" id="disableSharing" data-status="<?php echo $_['disableSharing']; ?>">
+<input type="hidden" id="disableSharing" data-status="<?php p($_['disableSharing']); ?>">
 
 <?php foreach($_['files'] as $file):
 	$simple_file_size = OCP\simple_file_size($file['size']);
@@ -13,31 +13,31 @@
 	$name = str_replace('%2F', '/', $name);
 	$directory = str_replace('+', '%20', urlencode($file['directory']));
 	$directory = str_replace('%2F', '/', $directory); ?>
-	<tr data-id="<?php echo $file['fileid']; ?>"
-		data-file="<?php echo $name;?>"
-		data-type="<?php echo ($file['type'] == 'dir')?'dir':'file'?>"
-		data-mime="<?php echo $file['mimetype']?>"
-		data-size='<?php echo $file['size'];?>'
-		data-permissions='<?php echo $file['permissions']; ?>'>
+	<tr data-id="<?php p($file['fileid']); ?>"
+		data-file="<?php p($name);?>"
+		data-type="<?php p($file['type'] == 'dir')?'dir':'file'?>"
+		data-mime="<?php p($file['mimetype'])?>"
+		data-size='<?php p($file['size']);?>'
+		data-permissions='<?php p($file['permissions']); ?>'>
 		<td class="filename svg"
 		<?php if($file['type'] == 'dir'): ?>
-			style="background-image:url(<?php echo OCP\mimetype_icon('dir'); ?>)"
+			style="background-image:url(<?php print_unescaped(OCP\mimetype_icon('dir')); ?>)"
 		<?php else: ?>
-			style="background-image:url(<?php echo OCP\mimetype_icon($file['mimetype']); ?>)"
+			style="background-image:url(<?php print_unescaped(OCP\mimetype_icon($file['mimetype'])); ?>)"
 		<?php endif; ?>
 			>
 		<?php if(!isset($_['readonly']) || !$_['readonly']): ?><input type="checkbox" /><?php endif; ?>
 		<?php if($file['type'] == 'dir'): ?>
-			<a class="name" href="<?php echo $_['baseURL'].$directory.'/'.$name; ?>" title="">
+			<a class="name" href="<?php p($_['baseURL'].$directory.'/'.$name); ?>" title="">
 		<?php else: ?>
-			<a class="name" href="<?php echo $_['downloadURL'].$directory.'/'.$name; ?>" title="">
+			<a class="name" href="<?php p($_['downloadURL'].$directory.'/'.$name); ?>" title="">
 		<?php endif; ?>
 			<span class="nametext">
 				<?php if($file['type'] == 'dir'):?>
-					<?php echo htmlspecialchars($file['name']);?>
+					<?php p($file['name']);?>
 				<?php else:?>
-					<?php echo htmlspecialchars($file['basename']);?><span
-						class='extension'><?php echo $file['extension'];?></span>
+					<?php p($file['basename']);?><span
+						class='extension'><?php p($file['extension']);?></span>
 				<?php endif;?>
 			</span>
 			<?php if($file['type'] == 'dir'):?>
@@ -47,17 +47,17 @@
 			</a>
 		</td>
 		<td class="filesize"
-			title="<?php echo OCP\human_file_size($file['size']); ?>"
-			style="color:rgb(<?php echo $simple_size_color.','.$simple_size_color.','.$simple_size_color ?>)">
-				<?php echo $simple_file_size; ?>
+			title="<?php p(OCP\human_file_size($file['size'])); ?>"
+			style="color:rgb(<?php p($simple_size_color.','.$simple_size_color.','.$simple_size_color) ?>)">
+				<?php p($simple_file_size); ?>
 		</td>
 		<td class="date">
 			<span class="modified"
-				  title="<?php echo $file['date']; ?>"
-				  style="color:rgb(<?php echo $relative_date_color.','
+				  title="<?php p($file['date']); ?>"
+				  style="color:rgb(<?php p($relative_date_color.','
 												.$relative_date_color.','
-												.$relative_date_color ?>)">
-				<?php echo $relative_modified_date; ?>
+												.$relative_date_color) ?>)">
+				<?php p($relative_modified_date); ?>
 			</span>
 		</td>
 	</tr>
diff --git a/apps/files/templates/upgrade.php b/apps/files/templates/upgrade.php
index de6cc71302..e03f086e47 100644
--- a/apps/files/templates/upgrade.php
+++ b/apps/files/templates/upgrade.php
@@ -1,4 +1,4 @@
 <div id="upgrade">
-	<?php echo $l->t('Upgrading filesystem cache...');?>
+	<?php p($l->t('Upgrading filesystem cache...'));?>
 	<div id="progressbar" />
 </div>

From 85209287bba82cbc274ac624737248fe27aae8a2 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 21:19:11 +0100
Subject: [PATCH 03/18] [Files] Use htmlspecialchars()

---
 apps/files/templates/part.list.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/files/templates/part.list.php b/apps/files/templates/part.list.php
index 25763da57a..86c2cc7076 100644
--- a/apps/files/templates/part.list.php
+++ b/apps/files/templates/part.list.php
@@ -34,9 +34,9 @@
 		<?php endif; ?>
 			<span class="nametext">
 				<?php if($file['type'] == 'dir'):?>
-					<?php p($file['name']);?>
+					<?php print_unescaped(htmlspecialchars($file['name']));?>
 				<?php else:?>
-					<?php p($file['basename']);?><span
+					<?php print_unescaped(htmlspecialchars($file['basename']));?><span
 						class='extension'><?php p($file['extension']);?></span>
 				<?php endif;?>
 			</span>

From 7f8eddffe4b728021666d598bd13088e17b7e713 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 21:20:37 +0100
Subject: [PATCH 04/18] [files_encryption] Use p() instead of echo()

---
 apps/files_encryption/templates/settings-personal.php | 8 ++++----
 apps/files_encryption/templates/settings.php          | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/apps/files_encryption/templates/settings-personal.php b/apps/files_encryption/templates/settings-personal.php
index 8c3bf491d8..5f0accaed5 100644
--- a/apps/files_encryption/templates/settings-personal.php
+++ b/apps/files_encryption/templates/settings-personal.php
@@ -1,19 +1,19 @@
 <form id="encryption">
 	<fieldset class="personalblock">
 		<legend>
-			<?php echo $l->t( 'Encryption' ); ?>
+			<?php p($l->t( 'Encryption' )); ?>
 		</legend>
 		<p>
-			<?php echo $l->t( 'File encryption is enabled.' ); ?>
+			<?php p($l->t( 'File encryption is enabled.' )); ?>
 		</p>
 		<?php if ( ! empty( $_["blacklist"] ) ): ?>
 		<p>
-			<?php echo $l->t( 'The following file types will not be encrypted:' ); ?>
+			<?php p($l->t( 'The following file types will not be encrypted:' )); ?>
 		</p>
 		<ul>
 			<?php foreach( $_["blacklist"] as $type ): ?>
 			<li>
-				<?php echo $type; ?>
+				<?php p($type); ?>
 			</li>
 			<?php endforeach; ?>
 		</ul>
diff --git a/apps/files_encryption/templates/settings.php b/apps/files_encryption/templates/settings.php
index f7ef8a8efe..b873d7f5aa 100644
--- a/apps/files_encryption/templates/settings.php
+++ b/apps/files_encryption/templates/settings.php
@@ -2,17 +2,17 @@
 	<fieldset class="personalblock">
 		
 		<p>
-			<strong><?php echo $l->t( 'Encryption' ); ?></strong>
+			<strong><?php p($l->t( 'Encryption' )); ?></strong>
 			
-			<?php echo $l->t( "Exclude the following file types from encryption:" ); ?>
+			<?php p($l->t( "Exclude the following file types from encryption:" )); ?>
 			<br />
 			
 			<select 
 			id='encryption_blacklist' 
-			title="<?php echo $l->t( 'None' )?>" 
+			title="<?php p($l->t( 'None' ))?>" 
 			multiple="multiple">
 			<?php foreach($_["blacklist"] as $type): ?>
-				<option selected="selected" value="<?php echo $type; ?>"> <?php echo $type; ?> </option>
+				<option selected="selected" value="<?php p($type); ?>"> <?php p($type); ?> </option>
 			<?php endforeach;?>
 			</select>
 		</p>

From 236507a19fe4d541c931944603cd38ec823cb3af Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 21:31:27 +0100
Subject: [PATCH 05/18] [files_external] From echo to p

---
 apps/files_external/personal.php           |   4 +-
 apps/files_external/settings.php           |   4 +-
 apps/files_external/templates/settings.php | 108 ++++++++++-----------
 3 files changed, 58 insertions(+), 58 deletions(-)

diff --git a/apps/files_external/personal.php b/apps/files_external/personal.php
index 268d188023..90f5e15953 100755
--- a/apps/files_external/personal.php
+++ b/apps/files_external/personal.php
@@ -26,9 +26,9 @@ $backends = OC_Mount_Config::getBackends();
 // Remove local storage
 unset($backends['\OC\Files\Storage\Local']);
 $tmpl = new OCP\Template('files_external', 'settings');
-$tmpl->assign('isAdminPage', false, false);
+$tmpl->assign('isAdminPage', false);
 $tmpl->assign('mounts', OC_Mount_Config::getPersonalMountPoints());
 $tmpl->assign('certs', OC_Mount_Config::getCertificates());
-$tmpl->assign('dependencies', OC_Mount_Config::checkDependencies(), false);
+$tmpl->assign('dependencies', OC_Mount_Config::checkDependencies());
 $tmpl->assign('backends', $backends);
 return $tmpl->fetchPage();
diff --git a/apps/files_external/settings.php b/apps/files_external/settings.php
index cd0bfa9958..1a39affe2e 100644
--- a/apps/files_external/settings.php
+++ b/apps/files_external/settings.php
@@ -27,11 +27,11 @@ OCP\Util::addscript('3rdparty', 'chosen/chosen.jquery.min');
 OCP\Util::addStyle('files_external', 'settings');
 OCP\Util::addStyle('3rdparty', 'chosen/chosen');
 $tmpl = new OCP\Template('files_external', 'settings');
-$tmpl->assign('isAdminPage', true, false);
+$tmpl->assign('isAdminPage', true);
 $tmpl->assign('mounts', OC_Mount_Config::getSystemMountPoints());
 $tmpl->assign('backends', OC_Mount_Config::getBackends());
 $tmpl->assign('groups', OC_Group::getGroups());
 $tmpl->assign('users', OCP\User::getUsers());
-$tmpl->assign('dependencies', OC_Mount_Config::checkDependencies(), false);
+$tmpl->assign('dependencies', OC_Mount_Config::checkDependencies());
 $tmpl->assign('allowUserMounting', OCP\Config::getAppValue('files_external', 'allow_user_mounting', 'yes'));
 return $tmpl->fetchPage();
diff --git a/apps/files_external/templates/settings.php b/apps/files_external/templates/settings.php
index 76d691eedb..76d3db1404 100644
--- a/apps/files_external/templates/settings.php
+++ b/apps/files_external/templates/settings.php
@@ -1,44 +1,44 @@
 <form id="files_external">
 	<fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('External Storage'); ?></strong></legend>
-		<?php if (isset($_['dependencies']) and ($_['dependencies']<>'')) echo ''.$_['dependencies'].''; ?>
-		<table id="externalStorage" data-admin='<?php echo json_encode($_['isAdminPage']); ?>'>
+	<legend><strong><?php p($l->t('External Storage')); ?></strong></legend>
+		<?php if (isset($_['dependencies']) and ($_['dependencies']<>'')) print_unescaped(''.$_['dependencies'].''); ?>
+		<table id="externalStorage" data-admin='<?php print_unescaped(json_encode($_['isAdminPage'])); ?>'>
 			<thead>
 				<tr>
 					<th></th>
-					<th><?php echo $l->t('Folder name'); ?></th>
-					<th><?php echo $l->t('External storage'); ?></th>
-					<th><?php echo $l->t('Configuration'); ?></th>
-					<!--<th><?php echo $l->t('Options'); ?></th> -->
-					<?php if ($_['isAdminPage']) echo '<th>'.$l->t('Applicable').'</th>'; ?>
+					<th><?php p($l->t('Folder name')); ?></th>
+					<th><?php p($l->t('External storage')); ?></th>
+					<th><?php p($l->t('Configuration')); ?></th>
+					<!--<th><?php p($l->t('Options')); ?></th> -->
+					<?php if ($_['isAdminPage']) print_unescaped('<th>'.OC_Util::sanitizeHTML($l->t('Applicable')).'</th>'); ?>
 					<th>&nbsp;</th>
 				</tr>
 			</thead>
 			<tbody width="100%">
 			<?php $_['mounts'] = array_merge($_['mounts'], array('' => array())); ?>
 			<?php foreach ($_['mounts'] as $mountPoint => $mount): ?>
-				<tr <?php echo ($mountPoint != '') ? 'class="'.$mount['class'].'"' : 'id="addMountPoint"'; ?>>
+				<tr <?php print_unescaped(($mountPoint != '') ? 'class="'.OC_Util::sanitizeHTML($mount['class']).'"' : 'id="addMountPoint"'); ?>>
 					<td class="status">
 					<?php if (isset($mount['status'])): ?>
-						<span class="<?php echo ($mount['status']) ? 'success' : 'error'; ?>"></span>
+						<span class="<?php p(($mount['status']) ? 'success' : 'error'); ?>"></span>
 					<?php endif; ?>
 					</td>
 					<td class="mountPoint"><input type="text" name="mountPoint"
 												  value="<?php p($mountPoint); ?>"
-												  placeholder="<?php echo $l->t('Folder name'); ?>" /></td>
+												  placeholder="<?php p($l->t('Folder name')); ?>" /></td>
 					<?php if ($mountPoint == ''): ?>
 						<td class="backend">
-							<select id="selectBackend" data-configurations='<?php echo json_encode($_['backends']); ?>'>
+							<select id="selectBackend" data-configurations='<?php print_unescaped(json_encode($_['backends'])); ?>'>
 								<option value="" disabled selected
-										style="display:none;"><?php echo $l->t('Add storage'); ?></option>
+										style="display:none;"><?php p($l->t('Add storage')); ?></option>
 								<?php foreach ($_['backends'] as $class => $backend): ?>
-									<option value="<?php echo $class; ?>"><?php echo $backend['backend']; ?></option>
+									<option value="<?php p($class); ?>"><?php p($backend['backend']); ?></option>
 								<?php endforeach; ?>
 							</select>
 						</td>
 					<?php else: ?>
 						<td class="backend"
-							data-class="<?php echo $mount['class']; ?>"><?php echo $mount['backend']; ?></td>
+							data-class="<?php p($mount['class']); ?>"><?php p($mount['backend']); ?></td>
 					<?php endif; ?>
 					<td class ="configuration" width="100%">
 						<?php if (isset($mount['configuration'])): ?>
@@ -47,29 +47,29 @@
 									<?php $placeholder = $_['backends'][$mount['class']]['configuration'][$parameter]; ?>
 									<?php if (strpos($placeholder, '*') !== false): ?>
 										<input type="password"
-											   data-parameter="<?php echo $parameter; ?>"
-											   value="<?php echo $value; ?>"
-											   placeholder="<?php echo substr($placeholder, 1); ?>" />
+											   data-parameter="<?php p($parameter); ?>"
+											   value="<?php p($value); ?>"
+											   placeholder="<?php p(substr($placeholder, 1)); ?>" />
 									<?php elseif (strpos($placeholder, '!') !== false): ?>
 										<label><input type="checkbox"
-													  data-parameter="<?php echo $parameter; ?>"
+													  data-parameter="<?php p($parameter); ?>"
 													  <?php if ($value == 'true'): ?> checked="checked"<?php endif; ?>
-													  /><?php echo substr($placeholder, 1); ?></label>
+													  /><?php p(substr($placeholder, 1)); ?></label>
 									<?php elseif (strpos($placeholder, '&') !== false): ?>
 										<input type="text"
 											   class="optional"
-											   data-parameter="<?php echo $parameter; ?>"
-											   value="<?php echo $value; ?>"
-											   placeholder="<?php echo substr($placeholder, 5); ?>" />
+											   data-parameter="<?php p($parameter); ?>"
+											   value="<?php p($value); ?>"
+											   placeholder="<?php p(substr($placeholder, 5)); ?>" />
 									<?php elseif (strpos($placeholder, '#') !== false): ?>
 										<input type="hidden"
-											   data-parameter="<?php echo $parameter; ?>"
-											   value="<?php echo $value; ?>" />
+											   data-parameter="<?php p($parameter); ?>"
+											   value="<?php p($value); ?>" />
 									<?php else: ?>
 										<input type="text"
-											   data-parameter="<?php echo $parameter; ?>"
-											   value="<?php echo $value; ?>"
-											   placeholder="<?php echo $placeholder; ?>" />
+											   data-parameter="<?php p($parameter); ?>"
+											   value="<?php p($value); ?>"
+											   placeholder="<?php p($placeholder); ?>" />
 									<?php endif; ?>
 								<?php endif; ?>
 							<?php endforeach; ?>
@@ -82,27 +82,27 @@
 					<td class="applicable"
 						align="right"
 						data-applicable-groups='<?php if (isset($mount['applicable']['groups']))
-														echo json_encode($mount['applicable']['groups']); ?>'
+														print_unescaped(json_encode($mount['applicable']['groups'])); ?>'
 						data-applicable-users='<?php if (isset($mount['applicable']['users']))
-														echo json_encode($mount['applicable']['users']); ?>'>
+														print_unescaped(json_encode($mount['applicable']['users'])); ?>'>
 							<select class="chzn-select"
 									multiple style="width:20em;"
-									data-placeholder="<?php echo $l->t('None set'); ?>">
-								<option value="all" <?php if (isset($mount['applicable']['users']) && in_array('all', $mount['applicable']['users'])) echo 'selected="selected"';?> ><?php echo $l->t('All Users'); ?></option>
-								<optgroup label="<?php echo $l->t('Groups'); ?>">
+									data-placeholder="<?php p($l->t('None set')); ?>">
+								<option value="all" <?php if (isset($mount['applicable']['users']) && in_array('all', $mount['applicable']['users'])) print_unescaped('selected="selected"');?> ><?php p($l->t('All Users')); ?></option>
+								<optgroup label="<?php p($l->t('Groups')); ?>">
 								<?php foreach ($_['groups'] as $group): ?>
-									<option value="<?php echo $group; ?>(group)"
+									<option value="<?php p($group); ?>(group)"
 									<?php if (isset($mount['applicable']['groups']) && in_array($group, $mount['applicable']['groups'])): ?>
 											selected="selected"
-									<?php endif; ?>><?php echo $group; ?></option>
+									<?php endif; ?>><?php p($group); ?></option>
 								<?php endforeach; ?>
 								</optgroup>
-								<optgroup label="<?php echo $l->t('Users'); ?>">
+								<optgroup label="<?php p($l->t('Users')); ?>">
 								<?php foreach ($_['users'] as $user): ?>
-									<option value="<?php echo $user; ?>"
+									<option value="<?php p($user); ?>"
 									<?php if (isset($mount['applicable']['users']) && in_array($user, $mount['applicable']['users'])): ?>
 											selected="selected"
-									<?php endif; ?>><?php echo $user; ?></option>
+									<?php endif; ?>><?php p($user); ?></option>
 								<?php endforeach; ?>
 								</optgroup>
 							</select>
@@ -110,10 +110,10 @@
 					<?php endif; ?>
 					<td <?php if ($mountPoint != ''): ?>class="remove"
 						<?php else: ?>style="visibility:hidden;"
-						<?php endif ?>><img alt="<?php echo $l->t('Delete'); ?>"
-											title="<?php echo $l->t('Delete'); ?>"
+						<?php endif ?>><img alt="<?php p($l->t('Delete')); ?>"
+											title="<?php p($l->t('Delete')); ?>"
 											class="svg action"
-											src="<?php echo image_path('core', 'actions/delete.svg'); ?>" /></td>
+											src="<?php print_unescaped(image_path('core', 'actions/delete.svg')); ?>" /></td>
 				</tr>
 			<?php endforeach; ?>
 			</tbody>
@@ -125,9 +125,9 @@
 			<input type="checkbox"
 				   name="allowUserMounting"
 				   id="allowUserMounting"
-				   value="1" <?php if ($_['allowUserMounting'] == 'yes') echo ' checked="checked"'; ?> />
-			<label for="allowUserMounting"><?php echo $l->t('Enable User External Storage'); ?></label><br/>
-			<em><?php echo $l->t('Allow users to mount their own external storage'); ?></em>
+				   value="1" <?php if ($_['allowUserMounting'] == 'yes') print_unescaped(' checked="checked"'); ?> />
+			<label for="allowUserMounting"><?php p($l->t('Enable User External Storage')); ?></label><br/>
+			<em><?php p($l->t('Allow users to mount their own external storage')); ?></em>
 		<?php endif; ?>
 	</fieldset>
 </form>
@@ -136,27 +136,27 @@
 <form id="files_external"
 	  method="post"
 	  enctype="multipart/form-data"
-	  action="<?php echo OCP\Util::linkTo('files_external', 'ajax/addRootCertificate.php'); ?>">
+	  action="<?php p(OCP\Util::linkTo('files_external', 'ajax/addRootCertificate.php')); ?>">
 <fieldset class="personalblock">
-		<legend><strong><?php echo $l->t('SSL root certificates');?></strong></legend>
-		<table id="sslCertificate" data-admin='<?php echo json_encode($_['isAdminPage']); ?>'>
+		<legend><strong><?php p($l->t('SSL root certificates'));?></strong></legend>
+		<table id="sslCertificate" data-admin='<?php print_unescaped(json_encode($_['isAdminPage'])); ?>'>
 			<tbody width="100%">
 			<?php foreach ($_['certs'] as $rootCert): ?>
-			<tr id="<?php echo $rootCert ?>">
-			<td class="rootCert"><?php echo $rootCert ?></td>
+			<tr id="<?php p($rootCert) ?>">
+			<td class="rootCert"><?php p($rootCert) ?></td>
 			<td <?php if ($rootCert != ''): ?>class="remove"
 				<?php else: ?>style="visibility:hidden;"
-				<?php endif; ?>><img alt="<?php echo $l->t('Delete'); ?>"
-									 title="<?php echo $l->t('Delete'); ?>"
+				<?php endif; ?>><img alt="<?php p($l->t('Delete')); ?>"
+									 title="<?php p($l->t('Delete')); ?>"
 									 class="svg action"
-									 src="<?php echo image_path('core', 'actions/delete.svg'); ?>" /></td>
+									 src="<?php print_unescaped(image_path('core', 'actions/delete.svg')); ?>" /></td>
 			</tr>
 			<?php endforeach; ?>
 			</tbody>
 		</table>
-		<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken']; ?>">
+		<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']); ?>">
 		<input type="file" id="rootcert_import" name="rootcert_import" style="width:230px;">
-		<input type="submit" name="cert_import" value="<?php echo $l->t('Import Root Certificate'); ?>" />
+		<input type="submit" name="cert_import" value="<?php p($l->t('Import Root Certificate')); ?>" />
 </fieldset>
 </form>
 <?php endif; ?>

From 221ecf63ab92cfbdfe2204dfccbb90ff68e09426 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 21:37:14 +0100
Subject: [PATCH 06/18] [files_sharing] From echo to p

---
 apps/files_sharing/public.php                 | 17 ++++----
 apps/files_sharing/templates/authenticate.php |  6 +--
 apps/files_sharing/templates/public.php       | 40 +++++++++----------
 3 files changed, 31 insertions(+), 32 deletions(-)

diff --git a/apps/files_sharing/public.php b/apps/files_sharing/public.php
index 243ee668f1..e345b91e29 100644
--- a/apps/files_sharing/public.php
+++ b/apps/files_sharing/public.php
@@ -168,18 +168,17 @@ if (isset($path)) {
 				}
 			}
 			$list = new OCP\Template('files', 'part.list', '');
-			$list->assign('files', $files, false);
+			$list->assign('files', $files);
 			$list->assign('disableSharing', true);
-			$list->assign('baseURL', OCP\Util::linkToPublic('files') . $urlLinkIdentifiers . '&path=', false);
+			$list->assign('baseURL', OCP\Util::linkToPublic('files') . $urlLinkIdentifiers . '&path=');
 			$list->assign('downloadURL',
-				OCP\Util::linkToPublic('files') . $urlLinkIdentifiers . '&download&path=',
-				false);
+				OCP\Util::linkToPublic('files') . $urlLinkIdentifiers . '&download&path=');
 			$breadcrumbNav = new OCP\Template('files', 'part.breadcrumb', '');
-			$breadcrumbNav->assign('breadcrumb', $breadcrumb, false);
-			$breadcrumbNav->assign('baseURL', OCP\Util::linkToPublic('files') . $urlLinkIdentifiers . '&path=', false);
+			$breadcrumbNav->assign('breadcrumb', $breadcrumb);
+			$breadcrumbNav->assign('baseURL', OCP\Util::linkToPublic('files') . $urlLinkIdentifiers . '&path=');
 			$folder = new OCP\Template('files', 'index', '');
-			$folder->assign('fileList', $list->fetchPage(), false);
-			$folder->assign('breadcrumb', $breadcrumbNav->fetchPage(), false);
+			$folder->assign('fileList', $list->fetchPage());
+			$folder->assign('breadcrumb', $breadcrumbNav->fetchPage());
 			$folder->assign('dir', $getPath);
 			$folder->assign('isCreatable', false);
 			$folder->assign('permissions', 0);
@@ -188,7 +187,7 @@ if (isset($path)) {
 			$folder->assign('uploadMaxHumanFilesize', 0);
 			$folder->assign('allowZipDownload', intval(OCP\Config::getSystemValue('allowZipDownload', true)));
 			$folder->assign('usedSpacePercent', 0);
-			$tmpl->assign('folder', $folder->fetchPage(), false);
+			$tmpl->assign('folder', $folder->fetchPage());
 			$tmpl->assign('allowZipDownload', intval(OCP\Config::getSystemValue('allowZipDownload', true)));
 			$tmpl->assign('downloadURL',
 				OCP\Util::linkToPublic('files') . $urlLinkIdentifiers . '&download&path=' . urlencode($getPath));
diff --git a/apps/files_sharing/templates/authenticate.php b/apps/files_sharing/templates/authenticate.php
index 6bce6857ac..b6ef82da6f 100644
--- a/apps/files_sharing/templates/authenticate.php
+++ b/apps/files_sharing/templates/authenticate.php
@@ -1,9 +1,9 @@
-<form action="<?php echo $_['URL']; ?>" method="post">
+<form action="<?php p($_['URL']); ?>" method="post">
 	<fieldset>
 		<p class="infield">
-			<label for="password" class="infield"><?php echo $l->t('Password'); ?></label>
+			<label for="password" class="infield"><?php p($l->t('Password')); ?></label>
 			<input type="password" name="password" id="password" value="" autofocus />
-			<input type="submit" value="<?php echo $l->t('Submit'); ?>" />
+			<input type="submit" value="<?php p($l->t('Submit')); ?>" />
 		</p>
 	</fieldset>
 </form>
\ No newline at end of file
diff --git a/apps/files_sharing/templates/public.php b/apps/files_sharing/templates/public.php
index f9ff12679b..88692445ec 100644
--- a/apps/files_sharing/templates/public.php
+++ b/apps/files_sharing/templates/public.php
@@ -1,43 +1,43 @@
-<input type="hidden" name="dir" value="<?php echo $_['dir'] ?>" id="dir">
-<input type="hidden" name="downloadURL" value="<?php echo $_['downloadURL'] ?>" id="downloadURL">
-<input type="hidden" name="filename" value="<?php echo $_['filename'] ?>" id="filename">
-<input type="hidden" name="mimetype" value="<?php echo $_['mimetype'] ?>" id="mimetype">
+<input type="hidden" name="dir" value="<?php p($_['dir']) ?>" id="dir">
+<input type="hidden" name="downloadURL" value="<?php p($_['downloadURL']) ?>" id="downloadURL">
+<input type="hidden" name="filename" value="<?php p($_['filename']) ?>" id="filename">
+<input type="hidden" name="mimetype" value="<?php p($_['mimetype']) ?>" id="mimetype">
 <header><div id="header">
-	<a href="<?php echo link_to('', 'index.php'); ?>" title="" id="owncloud"><img class="svg"
-		src="<?php echo image_path('', 'logo-wide.svg'); ?>" alt="ownCloud" /></a>
+	<a href="<?php print_unescaped(link_to('', 'index.php')); ?>" title="" id="owncloud"><img class="svg"
+		src="<?php print_unescaped(image_path('', 'logo-wide.svg')); ?>" alt="ownCloud" /></a>
 	<div class="header-right">
 	<?php if (isset($_['folder'])): ?>
-		<span id="details"><?php echo $l->t('%s shared the folder %s with you',
-			array($_['displayName'], $_['fileTarget'])) ?></span>
+		<span id="details"><?php p($l->t('%s shared the folder %s with you',
+			array($_['displayName'], $_['fileTarget']))) ?></span>
 	<?php else: ?>
-		<span id="details"><?php echo $l->t('%s shared the file %s with you',
-			array($_['displayName'], $_['fileTarget'])) ?></span>
+		<span id="details"><?php p($l->t('%s shared the file %s with you',
+			array($_['displayName'], $_['fileTarget']))) ?></span>
 	<?php endif; ?>
 		<?php if (!isset($_['folder']) || $_['allowZipDownload']): ?>
-			<a href="<?php echo $_['downloadURL']; ?>" class="button" id="download"><img
-				class="svg" alt="Download" src="<?php echo OCP\image_path("core", "actions/download.svg"); ?>"
-				/><?php echo $l->t('Download')?></a>
+			<a href="<?php p($_['downloadURL']); ?>" class="button" id="download"><img
+				class="svg" alt="Download" src="<?php print_unescaped(OCP\image_path("core", "actions/download.svg")); ?>"
+				/><?php p($l->t('Download'))?></a>
 		<?php endif; ?>
 	</div>
 </div></header>
 <div id="preview">
 	<?php if (isset($_['folder'])): ?>
-		<?php echo $_['folder']; ?>
+		<?php print_unescaped($_['folder']); ?>
 	<?php else: ?>
 		<?php if (substr($_['mimetype'], 0, strpos($_['mimetype'], '/')) == 'image'): ?>
 			<div id="imgframe">
-				<img src="<?php echo $_['downloadURL']; ?>" />
+				<img src="<?php p($_['downloadURL']); ?>" />
 			</div>
 		<?php endif; ?>
 		<ul id="noPreview">
 			<li class="error">
-				<?php echo $l->t('No preview available for').' '.$_['fileTarget']; ?><br />
-				<a href="<?php echo $_['downloadURL']; ?>" id="download"><img class="svg" alt="Download"
-					src="<?php echo OCP\image_path("core", "actions/download.svg"); ?>"
-					/><?php echo $l->t('Download')?></a>
+				<?php p($l->t('No preview available for').' '.$_['fileTarget']); ?><br />
+				<a href="<?php p($_['downloadURL']); ?>" id="download"><img class="svg" alt="Download"
+					src="<?php print_unescaped(OCP\image_path("core", "actions/download.svg")); ?>"
+					/><?php p($l->t('Download'))?></a>
 			</li>
 		</ul>
 	<?php endif; ?>
 </div>
 <footer><p class="info"><a href="http://owncloud.org/">ownCloud</a> &ndash;
-<?php echo $l->t('web services under your control'); ?></p></footer>
+<?php p($l->t('web services under your control')); ?></p></footer>

From c9415e65299e8588eb4e7fb52838eebcc0cae16f Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 21:40:06 +0100
Subject: [PATCH 07/18] [files] Unescape file size

---
 apps/files/templates/part.list.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/files/templates/part.list.php b/apps/files/templates/part.list.php
index 86c2cc7076..cdd157b27e 100644
--- a/apps/files/templates/part.list.php
+++ b/apps/files/templates/part.list.php
@@ -49,7 +49,7 @@
 		<td class="filesize"
 			title="<?php p(OCP\human_file_size($file['size'])); ?>"
 			style="color:rgb(<?php p($simple_size_color.','.$simple_size_color.','.$simple_size_color) ?>)">
-				<?php p($simple_file_size); ?>
+				<?php print_unescaped($simple_file_size); ?>
 		</td>
 		<td class="date">
 			<span class="modified"

From 3ba8881bacedf4c1950c6198fca28577814cf807 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 21:46:37 +0100
Subject: [PATCH 08/18] [files_trashbin] From echo to p

---
 apps/files_trashbin/index.php               | 14 +++----
 apps/files_trashbin/templates/index.php     | 22 +++++-----
 apps/files_trashbin/templates/part.list.php | 46 ++++++++++-----------
 3 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/apps/files_trashbin/index.php b/apps/files_trashbin/index.php
index 2f1fb32f8c..913bac1fbb 100644
--- a/apps/files_trashbin/index.php
+++ b/apps/files_trashbin/index.php
@@ -82,18 +82,18 @@ foreach (explode('/', $dir) as $i) {
 }
 
 $breadcrumbNav = new OCP\Template('files', 'part.breadcrumb', '');
-$breadcrumbNav->assign('breadcrumb', $breadcrumb, false);
-$breadcrumbNav->assign('baseURL', OCP\Util::linkTo('files_trashbin', 'index.php') . '?dir=', false);
+$breadcrumbNav->assign('breadcrumb', $breadcrumb);
+$breadcrumbNav->assign('baseURL', OCP\Util::linkTo('files_trashbin', 'index.php') . '?dir=');
 
 $list = new OCP\Template('files_trashbin', 'part.list', '');
-$list->assign('files', $files, false);
-$list->assign('baseURL', OCP\Util::linkTo('files_trashbin', 'index.php'). '?dir='.$dir, false);
-$list->assign('downloadURL', OCP\Util::linkTo('files_trashbin', 'download.php') . '?file='.$dir, false);
+$list->assign('files', $files);
+$list->assign('baseURL', OCP\Util::linkTo('files_trashbin', 'index.php'). '?dir='.$dir);
+$list->assign('downloadURL', OCP\Util::linkTo('files_trashbin', 'download.php') . '?file='.$dir);
 $list->assign('disableSharing', true);
 $list->assign('dirlisting', $dirlisting);
 $list->assign('disableDownloadActions', true);
-$tmpl->assign('breadcrumb', $breadcrumbNav->fetchPage(), false);
-$tmpl->assign('fileList', $list->fetchPage(), false);
+$tmpl->assign('breadcrumb', $breadcrumbNav->fetchPage());
+$tmpl->assign('fileList', $list->fetchPage());
 $tmpl->assign('files', $files);
 $tmpl->assign('dirlisting', $dirlisting);
 $tmpl->assign('dir', OC_Filesystem::normalizePath($view->getAbsolutePath()));
diff --git a/apps/files_trashbin/templates/index.php b/apps/files_trashbin/templates/index.php
index aaeeb5c6f6..4c865d8981 100644
--- a/apps/files_trashbin/templates/index.php
+++ b/apps/files_trashbin/templates/index.php
@@ -1,12 +1,12 @@
 <!--[if IE 8]><style>input[type="checkbox"]{padding:0;}table td{position:static !important;}</style><![endif]-->
 <div id="controls">
-	<?php echo($_['breadcrumb']); ?>
+	<?php print_unescaped($_['breadcrumb']); ?>
 		<div id="file_action_panel"></div>
 </div>
 <div id='notification'></div>
 
 <?php if (isset($_['files']) && count($_['files'])==0 && $_['dirlisting'] == false):?>
-	<div id="emptyfolder"><?php echo $l->t('Nothing in here. Your trash bin is empty!')?></div>
+	<div id="emptyfolder"><?php p($l->t('Nothing in here. Your trash bin is empty!'))?></div>
 <?php endif; ?>
 
 <table>
@@ -14,28 +14,28 @@
 		<tr>
 			<th id='headerName'>
 				<input type="checkbox" id="select_all" />
-				<span class='name'><?php echo $l->t( 'Name' ); ?></span>
+				<span class='name'><?php p($l->t( 'Name' )); ?></span>
 				<span class='selectedActions'>
 						<a href="" class="undelete">
-							<img class="svg" alt="<?php echo $l->t( 'Restore' ); ?>"
-								 src="<?php echo OCP\image_path("core", "actions/undelete.png"); ?>" />
-							<?php echo $l->t('Restore')?>
+							<img class="svg" alt="<?php p($l->t( 'Restore' )); ?>"
+								 src="<?php print_unescaped(OCP\image_path("core", "actions/undelete.png")); ?>" />
+							<?php p($l->t('Restore'))?>
 						</a>
 				</span>
 			</th>
 			<th id="headerDate">
-				<span id="modified"><?php echo $l->t( 'Deleted' ); ?></span>
+				<span id="modified"><?php p($l->t( 'Deleted' )); ?></span>
 				<span class="selectedActions">
 					<a href="" class="delete">
-						<?php echo $l->t('Delete')?>
-						<img class="svg" alt="<?php echo $l->t('Delete')?>"
-							src="<?php echo OCP\image_path("core", "actions/delete.svg"); ?>" />
+						<?php p($l->t('Delete'))?>
+						<img class="svg" alt="<?php p($l->t('Delete'))?>"
+							src="<?php print_unescaped(OCP\image_path("core", "actions/delete.svg")); ?>" />
 					</a>
 				</span>
 			</th>
 		</tr>
 	</thead>
 	<tbody id="fileList">
-		<?php echo($_['fileList']); ?>
+		<?php print_unescaped($_['fileList']); ?>
 	</tbody>
 </table>
diff --git a/apps/files_trashbin/templates/part.list.php b/apps/files_trashbin/templates/part.list.php
index dea0a43cd4..176ed6f03b 100644
--- a/apps/files_trashbin/templates/part.list.php
+++ b/apps/files_trashbin/templates/part.list.php
@@ -1,4 +1,4 @@
-<input type="hidden" id="disableSharing" data-status="<?php echo $_['disableSharing']; ?>">
+<input type="hidden" id="disableSharing" data-status="<?php p($_['disableSharing']); ?>">
 <?php foreach($_['files'] as $file):
 	$relative_deleted_date = OCP\relative_modified_date($file['timestamp']);
 	// the older the file, the brighter the shade of grey; days*14
@@ -8,48 +8,48 @@
 	$name = str_replace('%2F', '/', $name);
 	$directory = str_replace('+', '%20', urlencode($file['directory']));
 	$directory = str_replace('%2F', '/', $directory); ?>
-	<tr data-filename="<?php echo $file['name'];?>"
-		data-type="<?php echo ($file['type'] == 'dir')?'dir':'file'?>"
-		data-mime="<?php echo $file['mimetype']?>"
-		data-permissions='<?php echo $file['permissions']; ?>'
+	<tr data-filename="<?php p($file['name']);?>"
+		data-type="<?php p(($file['type'] == 'dir')?'dir':'file')?>"
+		data-mime="<?php p($file['mimetype'])?>"
+		data-permissions='<?php p($file['permissions']); ?>'
 		<?php if ( $_['dirlisting'] ): ?>
-		id="<?php echo $file['directory'].'/'.$file['name'];?>"
-		data-file="<?php echo $file['directory'].'/'.$file['name'];?>"
+		id="<?php p($file['directory'].'/'.$file['name']);?>"
+		data-file="<?php p($file['directory'].'/'.$file['name']);?>"
 		data-timestamp=''
 		data-dirlisting=1
 		<?php  else: ?>
-		id="<?php echo $file['name'].'.d'.$file['timestamp'];?>"
-		data-file="<?php echo $file['name'].'.d'.$file['timestamp'];?>"
-		data-timestamp='<?php echo $file['timestamp'];?>'
+		id="<?php p($file['name'].'.d'.$file['timestamp']);?>"
+		data-file="<?php p($file['name'].'.d'.$file['timestamp']);?>"
+		data-timestamp='<?php p($file['timestamp']);?>'
 		data-dirlisting=0
 		<?php endif; ?>>
 		<td class="filename svg"
 		<?php if($file['type'] == 'dir'): ?>
-			style="background-image:url(<?php echo OCP\mimetype_icon('dir'); ?>)"
+			style="background-image:url(<?php print_unescaped(OCP\mimetype_icon('dir')); ?>)"
 		<?php else: ?>
-			style="background-image:url(<?php echo OCP\mimetype_icon($file['mimetype']); ?>)"
+			style="background-image:url(<?php print_unescaped(OCP\mimetype_icon($file['mimetype'])); ?>)"
 		<?php endif; ?>
 			>
 		<?php if(!isset($_['readonly']) || !$_['readonly']): ?><input type="checkbox" /><?php endif; ?>
 		<?php if($file['type'] == 'dir'): ?>
 			<?php if( $_['dirlisting'] ): ?>
-				<a class="name" href="<?php echo $_['baseURL'].'/'.$name; ?>" title="">
+				<a class="name" href="<?php p($_['baseURL'].'/'.$name); ?>" title="">
 			<?php else: ?>
-				<a class="name" href="<?php echo $_['baseURL'].'/'.$name.'.d'.$file['timestamp']; ?>" title="">
+				<a class="name" href="<?php p($_['baseURL'].'/'.$name.'.d'.$file['timestamp']); ?>" title="">
 			<?php endif; ?>
 		<?php else: ?>
 			<?php if( $_['dirlisting'] ): ?>
-				<a class="name" href="<?php echo $_['downloadURL'].'/'.$name; ?>" title="">
+				<a class="name" href="<?php p($_['downloadURL'].'/'.$name); ?>" title="">
 			<?php else: ?>
-				<a class="name" href="<?php echo $_['downloadURL'].'/'.$name.'.d'.$file['timestamp'];?>" title="">
+				<a class="name" href="<?php p($_['downloadURL'].'/'.$name.'.d'.$file['timestamp']);?>" title="">
 			<?php endif; ?>
 		<?php endif; ?>
 			<span class="nametext">
 				<?php if($file['type'] == 'dir'):?>
-					<?php echo htmlspecialchars($file['name']);?>
+					<?php print_unescaped(htmlspecialchars($file['name']));?>
 				<?php else:?>
-					<?php echo htmlspecialchars($file['basename']);?><span
-						class='extension'><?php echo $file['extension'];?></span>
+					<?php print_unescaped(htmlspecialchars($file['basename']));?><span
+						class='extension'><?php p($file['extension']);?></span>
 				<?php endif;?>
 			</span>
 			<?php if($file['type'] == 'dir'):?>
@@ -60,11 +60,11 @@
 		</td>
 		<td class="date">
 			<span class="modified"
-				  title="<?php echo $file['date']; ?>"
-				  style="color:rgb(<?php echo $relative_date_color.','
+				  title="<?php p($file['date']); ?>"
+				  style="color:rgb(<?php p($relative_date_color.','
 												.$relative_date_color.','
-												.$relative_date_color ?>)">
-				<?php echo $relative_deleted_date; ?>
+												.$relative_date_color) ?>)">
+				<?php p($relative_deleted_date); ?>
 			</span>
 		</td>
 	</tr>

From fc5331eaecdcb91073256a058890d22c3f2b093e Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 21:50:22 +0100
Subject: [PATCH 09/18] [files_versions] From echo to p

---
 apps/files_versions/templates/history.php | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/apps/files_versions/templates/history.php b/apps/files_versions/templates/history.php
index c450af66ad..f728443904 100644
--- a/apps/files_versions/templates/history.php
+++ b/apps/files_versions/templates/history.php
@@ -5,29 +5,29 @@
 if( isset( $_['message'] ) ) {
 
 
-	if( isset($_['path'] ) ) echo('<strong>File: '.$_['path'] ).'</strong><br>';
-	echo('<strong>'.$_['message'] ).'</strong><br>';
+	if( isset($_['path'] ) ) print_unescaped('<strong>File: '.OC_Util::sanitizeHTML($_['path'])).'</strong><br>';
+	print_unescaped('<strong>'.OC_Util::sanitizeHTML($_['message']) ).'</strong><br>';
 
 }else{
 
 	if( isset( $_['outcome_stat'] ) ) {
 
-		echo( '<div id="feedback-messages" class="'.$_['outcome_stat'].'"><h3>'.$_['outcome_msg'] ).'</h3></div><br>';
+		print_unescaped( '<div id="feedback-messages" class="'.OC_Util::sanitizeHTML($_['outcome_stat']).'"><h3>'.OC_Util::sanitizeHTML($_['outcome_msg']) ).'</h3></div><br>';
 
 	}
 
-	echo( '<strong>Versions of '.$_['path'] ).'</strong><br>';
-	echo('<p><em>'.$l->t('Revert a file to a previous version by clicking on its revert button').'</em></p><br />');
+	print_unescaped( '<strong>Versions of '.OC_Util::sanitizeHTML($_['path']) ).'</strong><br>';
+	print_unescaped('<p><em>'.OC_Util::sanitizeHTML($l->t('Revert a file to a previous version by clicking on its revert button')).'</em></p><br />');
 
 	foreach ( $_['versions'] as $v ) {
-		echo ' ';
-		echo OCP\Util::formatDate( doubleval($v['version']) );
-		echo ' <a href="'.OCP\Util::linkTo('files_versions', 'history.php',
-			array('path' => $_['path'], 'revert' => $v['version'])) .'" class="button">Revert</a><br /><br />';
+		p(' ');
+		p(OCP\Util::formatDate( doubleval($v['version'])));
+		print_unescaped(' <a href="'.OCP\Util::linkTo('files_versions', 'history.php',
+			array('path' => $_['path'], 'revert' => $v['version'])) .'" class="button">Revert</a><br /><br />');
 		if ( $v['cur'] ) {
-			echo '  (<b>Current</b>)';
+			print_unescaped('  (<b>Current</b>)');
 		}
-		echo '<br /><br />';
+		print_unescaped('<br /><br />');
 	}
 
 }

From df1d90433dd21699a8a7f4121ceef242b768ec2a Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 22:04:57 +0100
Subject: [PATCH 10/18] [user_ldap] From echo to p

---
 apps/user_ldap/settings.php           |   2 +-
 apps/user_ldap/templates/settings.php | 108 +++++++++++++-------------
 2 files changed, 55 insertions(+), 55 deletions(-)

diff --git a/apps/user_ldap/settings.php b/apps/user_ldap/settings.php
index d5d2f648b3..c55a718a82 100644
--- a/apps/user_ldap/settings.php
+++ b/apps/user_ldap/settings.php
@@ -52,7 +52,7 @@ foreach($prefixes as $prefix) {
 if(count($prefixes) == 0) {
 	$scoHtml .= '<option value="" selected>1. Server</option>';
 }
-$tmpl->assign('serverConfigurationOptions', $scoHtml, false);
+$tmpl->assign('serverConfigurationOptions', $scoHtml);
 
 // assign default values
 if(!isset($ldap)) {
diff --git a/apps/user_ldap/templates/settings.php b/apps/user_ldap/templates/settings.php
index a882e5b754..cd004cec4b 100644
--- a/apps/user_ldap/templates/settings.php
+++ b/apps/user_ldap/templates/settings.php
@@ -5,85 +5,85 @@
 		<li><a href="#ldapSettings-2">Advanced</a></li>
 	</ul>
 		<?php if(OCP\App::isEnabled('user_webdavauth')) {
-			echo '<p class="ldapwarning">'.$l->t('<b>Warning:</b> Apps user_ldap and user_webdavauth are incompatible. You may experience unexpected behaviour. Please ask your system administrator to disable one of them.').'</p>';
+			print_unescaped('<p class="ldapwarning">'.$l->t('<b>Warning:</b> Apps user_ldap and user_webdavauth are incompatible. You may experience unexpected behaviour. Please ask your system administrator to disable one of them.').'</p>');
 		}
 		if(!function_exists('ldap_connect')) {
-			echo '<p class="ldapwarning">'.$l->t('<b>Warning:</b> The PHP LDAP module is not installed, the backend will not work. Please ask your system administrator to install it.').'</p>';
+			print_unescaped('<p class="ldapwarning">'.$l->t('<b>Warning:</b> The PHP LDAP module is not installed, the backend will not work. Please ask your system administrator to install it.').'</p>');
 		}
 		?>
 	<fieldset id="ldapSettings-1">
-		<p><label for="ldap_serverconfig_chooser"><?php echo $l->t('Server configuration');?></label>
+		<p><label for="ldap_serverconfig_chooser"><?php p($l->t('Server configuration'));?></label>
 		<select id="ldap_serverconfig_chooser" name="ldap_serverconfig_chooser">
-		<?php echo $_['serverConfigurationOptions']; ?>
-		<option value="NEW"><?php echo $l->t('Add Server Configuration');?></option>
+		<?php p($_['serverConfigurationOptions']); ?>
+		<option value="NEW"><?php p($l->t('Add Server Configuration'));?></option>
 		</select>
 		<button id="ldap_action_delete_configuration"
 			name="ldap_action_delete_configuration">Delete Configuration</button>
 		</p>
-		<p><label for="ldap_host"><?php echo $l->t('Host');?></label>
-		<input type="text" id="ldap_host" name="ldap_host" data-default="<?php echo $_['ldap_host_default']; ?>"
-			title="<?php echo $l->t('You can omit the protocol, except you require SSL. Then start with ldaps://');?>"></p>
-		<p><label for="ldap_base"><?php echo $l->t('Base DN');?></label>
-		<textarea id="ldap_base" name="ldap_base" placeholder="<?php echo $l->t('One Base DN per line');?>"
-			title="<?php echo $l->t('You can specify Base DN for users and groups in the Advanced tab');?>"
-			data-default="<?php echo $_['ldap_base_default']; ?>" ></textarea></p>
-		<p><label for="ldap_dn"><?php echo $l->t('User DN');?></label>
-		<input type="text" id="ldap_dn" name="ldap_dn" data-default="<?php echo $_['ldap_dn_default']; ?>"
-			title="<?php echo $l->t('The DN of the client user with which the bind shall be done, e.g. uid=agent,dc=example,dc=com. For anonymous access, leave DN and Password empty.');?>" /></p>
-		<p><label for="ldap_agent_password"><?php echo $l->t('Password');?></label>
+		<p><label for="ldap_host"><?php p($l->t('Host'));?></label>
+		<input type="text" id="ldap_host" name="ldap_host" data-default="<?php p($_['ldap_host_default']); ?>"
+			title="<?php p($l->t('You can omit the protocol, except you require SSL. Then start with ldaps://'));?>"></p>
+		<p><label for="ldap_base"><?php p($l->t('Base DN'));?></label>
+		<textarea id="ldap_base" name="ldap_base" placeholder="<?php p($l->t('One Base DN per line'));?>"
+			title="<?php p($l->t('You can specify Base DN for users and groups in the Advanced tab'));?>"
+			data-default="<?php p($_['ldap_base_default']); ?>" ></textarea></p>
+		<p><label for="ldap_dn"><?php p($l->t('User DN'));?></label>
+		<input type="text" id="ldap_dn" name="ldap_dn" data-default="<?php p($_['ldap_dn_default']); ?>"
+			title="<?php p($l->t('The DN of the client user with which the bind shall be done, e.g. uid=agent,dc=example,dc=com. For anonymous access, leave DN and Password empty.'));?>" /></p>
+		<p><label for="ldap_agent_password"><?php p($l->t('Password'));?></label>
 		<input type="password" id="ldap_agent_password" name="ldap_agent_password"
-			data-default="<?php echo $_['ldap_agent_password_default']; ?>"
-			title="<?php echo $l->t('For anonymous access, leave DN and Password empty.');?>" /></p>
-		<p><label for="ldap_login_filter"><?php echo $l->t('User Login Filter');?></label>
+			data-default="<?php p($_['ldap_agent_password_default']); ?>"
+			title="<?php p($l->t('For anonymous access, leave DN and Password empty.'));?>" /></p>
+		<p><label for="ldap_login_filter"><?php p($l->t('User Login Filter'));?></label>
 		<input type="text" id="ldap_login_filter" name="ldap_login_filter"
-			data-default="<?php echo $_['ldap_login_filter_default']; ?>"
-			title="<?php echo $l->t('Defines the filter to apply, when login is attempted. %%uid replaces the username in the login action.');?>" />
-				<br /><small><?php echo $l->t('use %%uid placeholder, e.g. "uid=%%uid"');?></small></p>
-		<p><label for="ldap_userlist_filter"><?php echo $l->t('User List Filter');?></label>
+			data-default="<?php p($_['ldap_login_filter_default']); ?>"
+			title="<?php p($l->t('Defines the filter to apply, when login is attempted. %%uid replaces the username in the login action.'));?>" />
+				<br /><small><?php p($l->t('use %%uid placeholder, e.g. "uid=%%uid"'));?></small></p>
+		<p><label for="ldap_userlist_filter"><?php p($l->t('User List Filter'));?></label>
 		<input type="text" id="ldap_userlist_filter" name="ldap_userlist_filter"
-			data-default="<?php echo $_['ldap_userlist_filter_default']; ?>"
-			title="<?php echo $l->t('Defines the filter to apply, when retrieving users.');?>" />
-			<br /><small><?php echo $l->t('without any placeholder, e.g. "objectClass=person".');?></small></p>
-		<p><label for="ldap_group_filter"><?php echo $l->t('Group Filter');?></label>
+			data-default="<?php p($_['ldap_userlist_filter_default']); ?>"
+			title="<?php p($l->t('Defines the filter to apply, when retrieving users.'));?>" />
+			<br /><small><?php p($l->t('without any placeholder, e.g. "objectClass=person".'));?></small></p>
+		<p><label for="ldap_group_filter"><?php p($l->t('Group Filter'));?></label>
 		<input type="text" id="ldap_group_filter" name="ldap_group_filter"
-			data-default="<?php echo $_['ldap_group_filter_default']; ?>"
-			title="<?php echo $l->t('Defines the filter to apply, when retrieving groups.');?>" />
-			<br /><small><?php echo $l->t('without any placeholder, e.g. "objectClass=posixGroup".');?></small></p>
+			data-default="<?php p($_['ldap_group_filter_default']); ?>"
+			title="<?php p($l->t('Defines the filter to apply, when retrieving groups.'));?>" />
+			<br /><small><?php p($l->t('without any placeholder, e.g. "objectClass=posixGroup".'));?></small></p>
 	</fieldset>
 	<fieldset id="ldapSettings-2">
 		<div id="ldapAdvancedAccordion">
-			<h3><?php echo $l->t('Connection Settings');?></h3>
+			<h3><?php p($l->t('Connection Settings'));?></h3>
 			<div>
-				<p><label for="ldap_configuration_active"><?php echo $l->t('Configuration Active');?></label><input type="checkbox" id="ldap_configuration_active" name="ldap_configuration_active" value="1" data-default="<?php echo $_['ldap_configuration_active_default']; ?>"  title="<?php echo $l->t('When unchecked, this configuration will be skipped.');?>" /></p>
-				<p><label for="ldap_port"><?php echo $l->t('Port');?></label><input type="number" id="ldap_port" name="ldap_port" data-default="<?php echo $_['ldap_port_default']; ?>"  /></p>
-				<p><label for="ldap_backup_host"><?php echo $l->t('Backup (Replica) Host');?></label><input type="text" id="ldap_backup_host" name="ldap_backup_host" data-default="<?php echo $_['ldap_backup_host_default']; ?>" title="<?php echo $l->t('Give an optional backup host. It must be a replica of the main LDAP/AD server.');?>"></p>
-				<p><label for="ldap_backup_port"><?php echo $l->t('Backup (Replica) Port');?></label><input type="number" id="ldap_backup_port" name="ldap_backup_port" data-default="<?php echo $_['ldap_backup_port_default']; ?>"  /></p>
-				<p><label for="ldap_override_main_server"><?php echo $l->t('Disable Main Server');?></label><input type="checkbox" id="ldap_override_main_server" name="ldap_override_main_server" value="1" data-default="<?php echo $_['ldap_override_main_server_default']; ?>"  title="<?php echo $l->t('When switched on, ownCloud will only connect to the replica server.');?>" /></p>
-				<p><label for="ldap_tls"><?php echo $l->t('Use TLS');?></label><input type="checkbox" id="ldap_tls" name="ldap_tls" value="1" data-default="<?php echo $_['ldap_tls_default']; ?>" title="<?php echo $l->t('Do not use it additionally for LDAPS connections, it will fail.');?>" /></p>
-				<p><label for="ldap_nocase"><?php echo $l->t('Case insensitve LDAP server (Windows)');?></label><input type="checkbox" id="ldap_nocase" name="ldap_nocase" data-default="<?php echo $_['ldap_nocase_default']; ?>"  value="1"<?php if (isset($_['ldap_nocase']) && ($_['ldap_nocase'])) echo ' checked'; ?>></p>
-				<p><label for="ldap_turn_off_cert_check"><?php echo $l->t('Turn off SSL certificate validation.');?></label><input type="checkbox" id="ldap_turn_off_cert_check" name="ldap_turn_off_cert_check" title="<?php echo $l->t('If connection only works with this option, import the LDAP server\'s SSL certificate in your ownCloud server.');?>" data-default="<?php echo $_['ldap_turn_off_cert_check_default']; ?>" value="1"><br/><small><?php echo $l->t('Not recommended, use for testing only.');?></small></p>
-				<p><label for="ldap_cache_ttl">Cache Time-To-Live</label><input type="number" id="ldap_cache_ttl" name="ldap_cache_ttl" title="<?php echo $l->t('in seconds. A change empties the cache.');?>" data-default="<?php echo $_['ldap_cache_ttl_default']; ?>" /></p>
+				<p><label for="ldap_configuration_active"><?php p($l->t('Configuration Active'));?></label><input type="checkbox" id="ldap_configuration_active" name="ldap_configuration_active" value="1" data-default="<?php p($_['ldap_configuration_active_default']); ?>"  title="<?php p($l->t('When unchecked, this configuration will be skipped.'));?>" /></p>
+				<p><label for="ldap_port"><?php p($l->t('Port'));?></label><input type="number" id="ldap_port" name="ldap_port" data-default="<?php p($_['ldap_port_default']); ?>"  /></p>
+				<p><label for="ldap_backup_host"><?php p($l->t('Backup (Replica) Host'));?></label><input type="text" id="ldap_backup_host" name="ldap_backup_host" data-default="<?php p($_['ldap_backup_host_default']); ?>" title="<?php p($l->t('Give an optional backup host. It must be a replica of the main LDAP/AD server.'));?>"></p>
+				<p><label for="ldap_backup_port"><?php p($l->t('Backup (Replica) Port'));?></label><input type="number" id="ldap_backup_port" name="ldap_backup_port" data-default="<?php p($_['ldap_backup_port_default']); ?>"  /></p>
+				<p><label for="ldap_override_main_server"><?php p($l->t('Disable Main Server'));?></label><input type="checkbox" id="ldap_override_main_server" name="ldap_override_main_server" value="1" data-default="<?php p($_['ldap_override_main_server_default']); ?>"  title="<?php p($l->t('When switched on, ownCloud will only connect to the replica server.'));?>" /></p>
+				<p><label for="ldap_tls"><?php p($l->t('Use TLS'));?></label><input type="checkbox" id="ldap_tls" name="ldap_tls" value="1" data-default="<?php p($_['ldap_tls_default']); ?>" title="<?php p($l->t('Do not use it additionally for LDAPS connections, it will fail.'));?>" /></p>
+				<p><label for="ldap_nocase"><?php p($l->t('Case insensitve LDAP server (Windows)'));?></label><input type="checkbox" id="ldap_nocase" name="ldap_nocase" data-default="<?php p($_['ldap_nocase_default']); ?>"  value="1"<?php if (isset($_['ldap_nocase']) && ($_['ldap_nocase'])) p(' checked'); ?>></p>
+				<p><label for="ldap_turn_off_cert_check"><?php p($l->t('Turn off SSL certificate validation.'));?></label><input type="checkbox" id="ldap_turn_off_cert_check" name="ldap_turn_off_cert_check" title="<?php p($l->t('If connection only works with this option, import the LDAP server\'s SSL certificate in your ownCloud server.'));?>" data-default="<?php p($_['ldap_turn_off_cert_check_default']); ?>" value="1"><br/><small><?php p($l->t('Not recommended, use for testing only.'));?></small></p>
+				<p><label for="ldap_cache_ttl"><?php p($l->t('Cache Time-To-Live'));?></label><input type="number" id="ldap_cache_ttl" name="ldap_cache_ttl" title="<?php p($l->t('in seconds. A change empties the cache.'));?>" data-default="<?php p($_['ldap_cache_ttl_default']); ?>" /></p>
 			</div>
-			<h3><?php echo $l->t('Directory Settings');?></h3>
+			<h3><?php p($l->t('Directory Settings'));?></h3>
 			<div>
-				<p><label for="ldap_display_name"><?php echo $l->t('User Display Name Field');?></label><input type="text" id="ldap_display_name" name="ldap_display_name" data-default="<?php echo $_['ldap_display_name_default']; ?>" title="<?php echo $l->t('The LDAP attribute to use to generate the user`s ownCloud name.');?>" /></p>
-				<p><label for="ldap_base_users"><?php echo $l->t('Base User Tree');?></label><textarea id="ldap_base_users" name="ldap_base_users" placeholder="<?php echo $l->t('One User Base DN per line');?>" data-default="<?php echo $_['ldap_base_users_default']; ?>" title="<?php echo $l->t('Base User Tree');?>"></textarea></p>
-				<p><label for="ldap_attributes_for_user_search"><?php echo $l->t('User Search Attributes');?></label><textarea id="ldap_attributes_for_user_search" name="ldap_attributes_for_user_search" placeholder="<?php echo $l->t('Optional; one attribute per line');?>" data-default="<?php echo $_['ldap_attributes_for_user_search_default']; ?>" title="<?php echo $l->t('User Search Attributes');?>"></textarea></p>
-				<p><label for="ldap_group_display_name"><?php echo $l->t('Group Display Name Field');?></label><input type="text" id="ldap_group_display_name" name="ldap_group_display_name" data-default="<?php echo $_['ldap_group_display_name_default']; ?>" title="<?php echo $l->t('The LDAP attribute to use to generate the groups`s ownCloud name.');?>" /></p>
-				<p><label for="ldap_base_groups"><?php echo $l->t('Base Group Tree');?></label><textarea id="ldap_base_groups" name="ldap_base_groups" placeholder="<?php echo $l->t('One Group Base DN per line');?>" data-default="<?php echo $_['ldap_base_groups_default']; ?>" title="<?php echo $l->t('Base Group Tree');?>"></textarea></p>
-				<p><label for="ldap_attributes_for_group_search"><?php echo $l->t('Group Search Attributes');?></label><textarea id="ldap_attributes_for_group_search" name="ldap_attributes_for_group_search" placeholder="<?php echo $l->t('Optional; one attribute per line');?>" data-default="<?php echo $_['ldap_attributes_for_group_search_default']; ?>" title="<?php echo $l->t('Group Search Attributes');?>"></textarea></p>
-				<p><label for="ldap_group_member_assoc_attribute"><?php echo $l->t('Group-Member association');?></label><select id="ldap_group_member_assoc_attribute" name="ldap_group_member_assoc_attribute" data-default="<?php echo $_['ldap_group_member_assoc_attribute_default']; ?>" ><option value="uniqueMember"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] == 'uniqueMember')) echo ' selected'; ?>>uniqueMember</option><option value="memberUid"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] == 'memberUid')) echo ' selected'; ?>>memberUid</option><option value="member"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] == 'member')) echo ' selected'; ?>>member (AD)</option></select></p>
+				<p><label for="ldap_display_name"><?php p($l->t('User Display Name Field'));?></label><input type="text" id="ldap_display_name" name="ldap_display_name" data-default="<?php p($_['ldap_display_name_default']); ?>" title="<?php p($l->t('The LDAP attribute to use to generate the user`s ownCloud name.'));?>" /></p>
+				<p><label for="ldap_base_users"><?php p($l->t('Base User Tree'));?></label><textarea id="ldap_base_users" name="ldap_base_users" placeholder="<?php p($l->t('One User Base DN per line'));?>" data-default="<?php p($_['ldap_base_users_default']); ?>" title="<?php p($l->t('Base User Tree'));?>"></textarea></p>
+				<p><label for="ldap_attributes_for_user_search"><?php p($l->t('User Search Attributes'));?></label><textarea id="ldap_attributes_for_user_search" name="ldap_attributes_for_user_search" placeholder="<?php p($l->t('Optional; one attribute per line'));?>" data-default="<?php p($_['ldap_attributes_for_user_search_default']); ?>" title="<?php p($l->t('User Search Attributes'));?>"></textarea></p>
+				<p><label for="ldap_group_display_name"><?php p($l->t('Group Display Name Field'));?></label><input type="text" id="ldap_group_display_name" name="ldap_group_display_name" data-default="<?php p($_['ldap_group_display_name_default']); ?>" title="<?php p($l->t('The LDAP attribute to use to generate the groups`s ownCloud name.'));?>" /></p>
+				<p><label for="ldap_base_groups"><?php p($l->t('Base Group Tree'));?></label><textarea id="ldap_base_groups" name="ldap_base_groups" placeholder="<?php p($l->t('One Group Base DN per line'));?>" data-default="<?php p($_['ldap_base_groups_default']); ?>" title="<?php p($l->t('Base Group Tree'));?>"></textarea></p>
+				<p><label for="ldap_attributes_for_group_search"><?php p($l->t('Group Search Attributes'));?></label><textarea id="ldap_attributes_for_group_search" name="ldap_attributes_for_group_search" placeholder="<?php p($l->t('Optional; one attribute per line'));?>" data-default="<?php p($_['ldap_attributes_for_group_search_default']); ?>" title="<?php p($l->t('Group Search Attributes'));?>"></textarea></p>
+				<p><label for="ldap_group_member_assoc_attribute"><?php p($l->t('Group-Member association'));?></label><select id="ldap_group_member_assoc_attribute" name="ldap_group_member_assoc_attribute" data-default="<?php p($_['ldap_group_member_assoc_attribute_default']); ?>" ><option value="uniqueMember"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] == 'uniqueMember')) p(' selected'); ?>>uniqueMember</option><option value="memberUid"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] == 'memberUid')) p(' selected'); ?>>memberUid</option><option value="member"<?php if (isset($_['ldap_group_member_assoc_attribute']) && ($_['ldap_group_member_assoc_attribute'] == 'member')) p(' selected'); ?>>member (AD)</option></select></p>
 			</div>
-			<h3><?php echo $l->t('Special Attributes');?></h3>
+			<h3><?php p($l->t('Special Attributes'));?></h3>
 			<div>
-				<p><label for="ldap_quota_attr">Quota Field</label><input type="text" id="ldap_quota_attr" name="ldap_quota_attr" data-default="<?php echo $_['ldap_quota_attr_default']; ?>"/></p>
-				<p><label for="ldap_quota_def">Quota Default</label><input type="text" id="ldap_quota_def" name="ldap_quota_def" data-default="<?php echo $_['ldap_quota_def_default']; ?>" title="<?php echo $l->t('in bytes');?>" /></p>
-				<p><label for="ldap_email_attr">Email Field</label><input type="text" id="ldap_email_attr" name="ldap_email_attr" data-default="<?php echo $_['ldap_email_attr_default']; ?>" /></p>
-				<p><label for="home_folder_naming_rule">User Home Folder Naming Rule</label><input type="text" id="home_folder_naming_rule" name="home_folder_naming_rule" title="<?php echo $l->t('Leave empty for user name (default). Otherwise, specify an LDAP/AD attribute.');?>" data-default="<?php echo $_['home_folder_naming_rule_default']; ?>" /></p>
+				<p><label for="ldap_quota_attr"><?php p($l->t('Quota Field'));?></label><input type="text" id="ldap_quota_attr" name="ldap_quota_attr" data-default="<?php p($_['ldap_quota_attr_default']); ?>"/></p>
+				<p><label for="ldap_quota_def"><?php p($l->t('Quota Default'));?></label><input type="text" id="ldap_quota_def" name="ldap_quota_def" data-default="<?php p($_['ldap_quota_def_default']); ?>" title="<?php p($l->t('in bytes'));?>" /></p>
+				<p><label for="ldap_email_attr"><?php p($l->t('Email Field'));?></label><input type="text" id="ldap_email_attr" name="ldap_email_attr" data-default="<?php p($_['ldap_email_attr_default']); ?>" /></p>
+				<p><label for="home_folder_naming_rule"><?php p($l->t('User Home Folder Naming Rule'));?></label><input type="text" id="home_folder_naming_rule" name="home_folder_naming_rule" title="<?php p($l->t('Leave empty for user name (default). Otherwise, specify an LDAP/AD attribute.'));?>" data-default="<?php p($_['home_folder_naming_rule_default']); ?>" /></p>
 			</div>
 		</div>
 	</fieldset>
-	<input id="ldap_submit" type="submit" value="Save" /> <button id="ldap_action_test_connection" name="ldap_action_test_connection">Test Configuration</button> <a href="http://doc.owncloud.org/server/5.0/admin_manual/auth_ldap.html" target="_blank"><img src="<?php echo OCP\Util::imagePath('', 'actions/info.png'); ?>" style="height:1.75ex" /> <?php echo $l->t('Help');?></a>
+	<input id="ldap_submit" type="submit" value="Save" /> <button id="ldap_action_test_connection" name="ldap_action_test_connection"><?php p($l->t('Test Configuration'));?></button> <a href="http://doc.owncloud.org/server/5.0/admin_manual/auth_ldap.html" target="_blank"><img src="<?php print_unescaped(OCP\Util::imagePath('', 'actions/info.png')); ?>" style="height:1.75ex" /> <?php p($l->t('Help'));?></a>
 	</div>
 
 </form>

From 0b5b4955357753e63ab1a88a04341836c37c24ae Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 22:06:50 +0100
Subject: [PATCH 11/18] [user_webdavauth] From echo to p

---
 apps/user_webdavauth/templates/settings.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/user_webdavauth/templates/settings.php b/apps/user_webdavauth/templates/settings.php
index 45f4d81aec..ec6524ee4f 100755
--- a/apps/user_webdavauth/templates/settings.php
+++ b/apps/user_webdavauth/templates/settings.php
@@ -1,9 +1,9 @@
 <form id="webdavauth" action="#" method="post">
 	<fieldset class="personalblock">
-		<legend><strong><?php echo $l->t('WebDAV Authentication');?></strong></legend>
-		<p><label for="webdav_url"><?php echo $l->t('URL: http://');?><input type="text" id="webdav_url" name="webdav_url" value="<?php echo $_['webdav_url']; ?>"></label>
-		 <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
+		<legend><strong><?php p($l->t('WebDAV Authentication'));?></strong></legend>
+		<p><label for="webdav_url"><?php p($l->t('URL: http://'));?><input type="text" id="webdav_url" name="webdav_url" value="<?php p($_['webdav_url']); ?>"></label>
+		 <input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" id="requesttoken">
 		<input type="submit" value="Save" />
-		<br /><?php echo $l->t('ownCloud will send the user credentials to this URL. This plugin checks the response and will interpret the HTTP statuscodes 401 and 403 as invalid credentials, and all other responses as valid credentials.'); ?>
+		<br /><?php p($l->t('ownCloud will send the user credentials to this URL. This plugin checks the response and will interpret the HTTP statuscodes 401 and 403 as invalid credentials, and all other responses as valid credentials.')); ?>
 	</fieldset>
 </form>

From 40e51d13d2fd028fa13902b12814532d1de15f5a Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 22:35:37 +0100
Subject: [PATCH 12/18] Remove uneeded file

---
 core/templates/exception.php | 32 --------------------------------
 1 file changed, 32 deletions(-)
 delete mode 100644 core/templates/exception.php

diff --git a/core/templates/exception.php b/core/templates/exception.php
deleted file mode 100644
index 4059c7e047..0000000000
--- a/core/templates/exception.php
+++ /dev/null
@@ -1,32 +0,0 @@
-<ul>
-	<li class='error'>
-		<details>
-		<summary class="error">We're sorry, but something went terribly wrong.<br></summary>
-		<p class="exception">
-		<?php
-		if($_['showsysinfo'] == true) {
-			echo 'If you would like to support ownCloud\'s developers and'
-				.' report this error in our <a href="https://github.com/owncloud/core">bug tracker</a>,'
-				.' please copy the following informations into the description. <br><br><textarea readonly>';
-			echo 'Message: '  . $_['message'] . "\n";
-			echo 'Error Code: '  . $_['code'] . "\n";
-			echo 'File: '  . $_['file'] . "\n";
-			echo 'Line: '  . $_['line'] . "\n\n";
-			echo 'PHP: '  . $_['sysinfo']['phpversion'] . "\n";
-			echo 'OS: '  . $_['sysinfo']['os'] . "\n";
-			echo 'OS Release: '  . $_['sysinfo']['osrelease'] . "\n";
-			echo 'OS Arch.: '  . $_['sysinfo']['osarchitecture'] . "\n";
-			echo 'PHP-Server-Interface: '  . $_['sysinfo']['phpserverinterface'] . "\n";
-			echo 'Protocol: '  . $_['sysinfo']['serverprotocol'] . "\n";
-			echo 'HTTPS: '  . $_['sysinfo']['https'] . "\n";
-			echo 'Request Method: '  . $_['sysinfo']['requestmethod'] . "\n";
-			echo 'Database: '  . $_['sysinfo']['database'] . "\n";
-			echo '</textarea>';
-		} else {
-			echo 'Your administrator has disabled systeminformations.';
-		}
-		?>
-		</p>
-		</details>
-	</li>
-</ul>

From 229c907a57a4a64730e7b58f59cb8f7f627bfaf3 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 22:55:39 +0100
Subject: [PATCH 13/18] [core] From echo to p

---
 core/templates/403.php                     |   4 +-
 core/templates/404.php                     |   4 +-
 core/templates/edit_categories_dialog.php  |   6 +-
 core/templates/error.php                   |   4 +-
 core/templates/installation.php            |  82 +++++++-------
 core/templates/layout.base.php             |  16 +--
 core/templates/layout.guest.php            |  20 ++--
 core/templates/layout.user.php             |  52 ++++-----
 core/templates/login.php                   |  32 +++---
 core/templates/part.pagenavi.php           |   8 +-
 core/templates/update.php                  |   4 +-
 lib/setup.php                              |   2 +-
 lib/template.php                           |   6 +-
 lib/templatelayout.php                     |  10 +-
 settings/apps.php                          |   2 +-
 settings/templates/admin.php               | 118 ++++++++++-----------
 settings/templates/apps.php                |  28 ++---
 settings/templates/help.php                |  18 ++--
 settings/templates/oauth-required-apps.php |   6 +-
 settings/templates/oauth.php               |   4 +-
 settings/templates/personal.php            |  68 ++++++------
 settings/templates/settings.php            |   2 +-
 settings/templates/users.php               | 108 +++++++++----------
 23 files changed, 302 insertions(+), 302 deletions(-)

diff --git a/core/templates/403.php b/core/templates/403.php
index fbf0e64fdb..6e910fd2e8 100644
--- a/core/templates/403.php
+++ b/core/templates/403.php
@@ -9,7 +9,7 @@ if(!isset($_)) {//also provide standalone error page
 ?>
 <ul>
 	<li class='error'>
-		<?php echo $l->t( 'Access forbidden' ); ?><br/>
-		<p class='hint'><?php if(isset($_['file'])) echo $_['file']?></p>
+		<?php p($l->t( 'Access forbidden' )); ?><br/>
+		<p class='hint'><?php if(isset($_['file'])) p($_['file'])?></p>
 	</li>
 </ul>
diff --git a/core/templates/404.php b/core/templates/404.php
index c111fd70fa..ee17f0de8e 100644
--- a/core/templates/404.php
+++ b/core/templates/404.php
@@ -9,7 +9,7 @@ if(!isset($_)) {//also provide standalone error page
 ?>
 <ul>
 	<li class='error'>
-		<?php echo $l->t( 'Cloud not found' ); ?><br/>
-		<p class='hint'><?php if(isset($_['file'])) echo $_['file']?></p>
+		<?php p($l->t( 'Cloud not found' )); ?><br/>
+		<p class='hint'><?php if(isset($_['file'])) p($_['file'])?></p>
 	</li>
 </ul>
diff --git a/core/templates/edit_categories_dialog.php b/core/templates/edit_categories_dialog.php
index d0b7b5ee62..ea155bdf0b 100644
--- a/core/templates/edit_categories_dialog.php
+++ b/core/templates/edit_categories_dialog.php
@@ -1,19 +1,19 @@
 <?php
 $categories = isset($_['categories'])?$_['categories']:array();
 ?>
-<div id="edit_categories_dialog" title="<?php echo $l->t('Edit categories'); ?>">
+<div id="edit_categories_dialog" title="<?php p($l->t('Edit categories')); ?>">
 <!-- ?php print_r($types); ? -->
 	<form method="post" id="categoryform">
 	<div class="scrollarea">
 	<ul id="categorylist">
 	<?php foreach($categories as $category): ?>
-	<li><input type="checkbox" name="categories[]" value="<?php echo $category; ?>" /><?php echo $category; ?></li>
+	<li><input type="checkbox" name="categories[]" value="<?php p($category); ?>" /><?php p($category); ?></li>
 	<?php endforeach; ?>
 	</ul>
 	</div>
 	<div class="bottombuttons">
 		<input type="text" id="category_addinput" name="category" />
-		<button id="category_addbutton" disabled="disabled"><?php echo $l->t('Add'); ?></button>
+		<button id="category_addbutton" disabled="disabled"><?php p($l->t('Add')); ?></button>
 	</div>
 	</form>
 </div>
diff --git a/core/templates/error.php b/core/templates/error.php
index 4f05e008f9..3305f3fba9 100644
--- a/core/templates/error.php
+++ b/core/templates/error.php
@@ -1,8 +1,8 @@
 <ul>
 	<?php foreach($_["errors"] as $error):?>
 		<li class='error'>
-			<?php echo $error['error'] ?><br/>
-			<p class='hint'><?php if(isset($error['hint']))echo $error['hint'] ?></p>
+			<?php p($error['error']) ?><br/>
+			<p class='hint'><?php if(isset($error['hint']))p($error['hint']) ?></p>
 		</li>
 	<?php endforeach ?>
 </ul>
diff --git a/core/templates/installation.php b/core/templates/installation.php
index aca9648d0b..f8c91e37eb 100644
--- a/core/templates/installation.php
+++ b/core/templates/installation.php
@@ -1,8 +1,8 @@
-<input type='hidden' id='hasMySQL' value='<?php echo $_['hasMySQL'] ?>'>
-<input type='hidden' id='hasSQLite' value='<?php echo $_['hasSQLite'] ?>'>
-<input type='hidden' id='hasPostgreSQL' value='<?php echo $_['hasPostgreSQL'] ?>'>
-<input type='hidden' id='hasOracle' value='<?php echo $_['hasOracle'] ?>'>
-<input type='hidden' id='hasMSSQL' value='<?php echo $_['hasMSSQL'] ?>'>
+<input type='hidden' id='hasMySQL' value='<?php p($_['hasMySQL']) ?>'>
+<input type='hidden' id='hasSQLite' value='<?php p($_['hasSQLite']) ?>'>
+<input type='hidden' id='hasPostgreSQL' value='<?php p($_['hasPostgreSQL']) ?>'>
+<input type='hidden' id='hasOracle' value='<?php p($_['hasOracle']) ?>'>
+<input type='hidden' id='hasMSSQL' value='<?php p($_['hasMSSQL']) ?>'>
 <form action="index.php" method="post">
 <input type="hidden" name="install" value="true" />
 	<?php if(count($_['errors']) > 0): ?>
@@ -10,10 +10,10 @@
 		<?php foreach($_['errors'] as $err): ?>
 		<li>
 			<?php if(is_array($err)):?>
-				<?php print $err['error']; ?>
-				<p class='hint'><?php print $err['hint']; ?></p>
+				<?php print_unescaped($err['error']); ?>
+				<p class='hint'><?php print_unescaped($err['hint']); ?></p>
 			<?php else: ?>
-				<?php print $err; ?>
+				<?php print_unescaped($err); ?>
 			<?php endif; ?>
 		</li>
 		<?php endforeach; ?>
@@ -21,54 +21,54 @@
 	<?php endif; ?>
 	<?php if(!$_['secureRNG']): ?>
 	<fieldset class="warning">
-		<legend><strong><?php echo $l->t('Security Warning');?></strong></legend>
-		<p><?php echo $l->t('No secure random number generator is available, please enable the PHP OpenSSL extension.');?><br/>
-		<?php echo $l->t('Without a secure random number generator an attacker may be able to predict password reset tokens and take over your account.');?></p>
+		<legend><strong><?php p($l->t('Security Warning'));?></strong></legend>
+		<p><?php p($l->t('No secure random number generator is available, please enable the PHP OpenSSL extension.'));?><br/>
+		<?php p($l->t('Without a secure random number generator an attacker may be able to predict password reset tokens and take over your account.'));?></p>
 	</fieldset>
 	<?php endif; ?>
 	<?php if(!$_['htaccessWorking']): ?>
 	<fieldset class="warning">
-		<legend><strong><?php echo $l->t('Security Warning');?></strong></legend>
-		<p><?php echo $l->t('Your data directory and files are probably accessible from the internet because the .htaccess file does not work.');?><br>
-		<?php echo $l->t('For information how to properly configure your server, please see the <a href="http://doc.owncloud.org/server/5.0/admin_manual/installation.html" target="_blank">documentation</a>.');?></p>
+		<legend><strong><?php p($l->t('Security Warning'));?></strong></legend>
+		<p><?php p($l->t('Your data directory and files are probably accessible from the internet because the .htaccess file does not work.'));?><br>
+		<?php print_unescaped($l->t('For information how to properly configure your server, please see the <a href="http://doc.owncloud.org/server/5.0/admin_manual/installation.html" target="_blank">documentation</a>.'));?></p>
 	</fieldset>
 	<?php endif; ?>
 	<fieldset id="adminaccount">
-		<legend><?php echo $l->t( 'Create an <strong>admin account</strong>' ); ?></legend>
+		<legend><?php print_unescaped($l->t( 'Create an <strong>admin account</strong>' )); ?></legend>
 		<p class="infield grouptop">
 			<input type="text" name="adminlogin" id="adminlogin"
-				value="<?php print OC_Helper::init_var('adminlogin'); ?>" autocomplete="off" autofocus required />
-			<label for="adminlogin" class="infield"><?php echo $l->t( 'Username' ); ?></label>
-			<img class="svg" src="<?php echo image_path('', 'actions/user.svg'); ?>" alt="" />
+				value="<?php p(OC_Helper::init_var('adminlogin')); ?>" autocomplete="off" autofocus required />
+			<label for="adminlogin" class="infield"><?php p($l->t( 'Username' )); ?></label>
+			<img class="svg" src="<?php p(image_path('', 'actions/user.svg')); ?>" alt="" />
 		</p>
 		<p class="infield groupbottom">
 			<input type="password" name="adminpass" data-typetoggle="#show" id="adminpass"
-				value="<?php print OC_Helper::init_var('adminpass'); ?>" />
-			<label for="adminpass" class="infield"><?php echo $l->t( 'Password' ); ?></label>
-			<img class="svg" id="adminpass-icon" src="<?php echo image_path('', 'actions/password.svg'); ?>" alt="" />
+				value="<?php p(OC_Helper::init_var('adminpass')); ?>" />
+			<label for="adminpass" class="infield"><?php p($l->t( 'Password' )); ?></label>
+			<img class="svg" id="adminpass-icon" src="<?php print_unescaped(image_path('', 'actions/password.svg')); ?>" alt="" />
 			<input type="checkbox" id="show" name="show" />
 			<label for="show"></label>
 		</p>
 	</fieldset>
 
 	<fieldset id="datadirField">
-		<legend><a id="showAdvanced"><?php echo $l->t( 'Advanced' ); ?> <img class="svg" src="<?php echo image_path('', 'actions/caret-dark.svg'); ?>" /></a></legend>
+		<legend><a id="showAdvanced"><?php p($l->t( 'Advanced' )); ?> <img class="svg" src="<?php print_unescaped(image_path('', 'actions/caret-dark.svg')); ?>" /></a></legend>
 		<div id="datadirContent">
-			<label for="directory"><?php echo $l->t( 'Data folder' ); ?></label>
+			<label for="directory"><?php p($l->t( 'Data folder' )); ?></label>
 			<input type="text" name="directory" id="directory"
-				value="<?php print OC_Helper::init_var('directory', $_['directory']); ?>" />
+				value="<?php p(OC_Helper::init_var('directory', $_['directory'])); ?>" />
 		</div>
 	</fieldset>
 
 	<fieldset id='databaseField'>
 		<?php if($_['hasMySQL'] or $_['hasPostgreSQL'] or $_['hasOracle'] or $_['hasMSSQL'])
 			$hasOtherDB = true; else $hasOtherDB =false; //other than SQLite ?>
-		<legend><?php echo $l->t( 'Configure the database' ); ?></legend>
+		<legend><?php p($l->t( 'Configure the database' ); ?></legend>
 		<div id="selectDbType">
 		<?php if($_['hasSQLite']): ?>
 		<input type='hidden' id='hasSQLite' value="true" />
 		<?php if(!$hasOtherDB): ?>
-		<p>SQLite <?php echo $l->t( 'will be used' ); ?>.</p>
+		<p>SQLite <?php p($l->t( 'will be used' )); ?>.</p>
 		<input type="hidden" id="dbtype" name="dbtype" value="sqlite" />
 		<?php else: ?>
 		<input type="radio" name="dbtype" value="sqlite" id="sqlite"
@@ -80,7 +80,7 @@
 		<?php if($_['hasMySQL']): ?>
 		<input type='hidden' id='hasMySQL' value='true'/>
 		<?php if(!$_['hasSQLite'] and !$_['hasPostgreSQL'] and !$_['hasOracle'] and !$_['hasMSSQL']): ?>
-		<p>MySQL <?php echo $l->t( 'will be used' ); ?>.</p>
+		<p>MySQL <?php p($l->t( 'will be used' )); ?>.</p>
 		<input type="hidden" id="dbtype" name="dbtype" value="mysql" />
 		<?php else: ?>
 		<input type="radio" name="dbtype" value="mysql" id="mysql"
@@ -91,7 +91,7 @@
 
 		<?php if($_['hasPostgreSQL']): ?>
 		<?php if(!$_['hasSQLite'] and !$_['hasMySQL'] and !$_['hasOracle'] and !$_['hasMSSQL']): ?>
-		<p>PostgreSQL <?php echo $l->t( 'will be used' ); ?>.</p>
+		<p>PostgreSQL <?php p($l->t( 'will be used' )); ?>.</p>
 		<input type="hidden" id="dbtype" name="dbtype" value="pgsql" />
 		<?php else: ?>
 		<label class="pgsql" for="pgsql">PostgreSQL</label>
@@ -102,7 +102,7 @@
 
 		<?php if($_['hasOracle']): ?>
 		<?php if(!$_['hasSQLite'] and !$_['hasMySQL'] and !$_['hasPostgreSQL'] and !$_['hasMSSQL']): ?>
-		<p>Oracle <?php echo $l->t( 'will be used' ); ?>.</p>
+		<p>Oracle <?php p($l->t( 'will be used' )); ?>.</p>
 		<input type="hidden" id="dbtype" name="dbtype" value="oci" />
 		<?php else: ?>
 		<label class="oci" for="oci">Oracle</label>
@@ -114,7 +114,7 @@
 		<?php if($_['hasMSSQL']): ?>
 		<input type='hidden' id='hasMSSQL' value='true'/>
 		<?php if(!$_['hasSQLite'] and !$_['hasMySQL'] and !$_['hasPostgreSQL'] and !$_['hasOracle']): ?>
-		<p>MS SQL <?php echo $l->t( 'will be used' ); ?>.</p>
+		<p>MS SQL <?php p($l->t( 'will be used' )); ?>.</p>
 		<input type="hidden" id="dbtype" name="dbtype" value="mssql" />
 		<?php else: ?>
 		<label class="mssql" for="mssql">MS SQL</label>
@@ -126,19 +126,19 @@
 		<?php if($hasOtherDB): ?>
 		<div id="use_other_db">
 			<p class="infield grouptop">
-				<label for="dbuser" class="infield"><?php echo $l->t( 'Database user' ); ?></label>
+				<label for="dbuser" class="infield"><?php p($l->t( 'Database user' )); ?></label>
 				<input type="text" name="dbuser" id="dbuser"
-					value="<?php print OC_Helper::init_var('dbuser'); ?>" autocomplete="off" />
+					value="<?php p(OC_Helper::init_var('dbuser')); ?>" autocomplete="off" />
 			</p>
 			<p class="infield groupmiddle">
-				<label for="dbpass" class="infield"><?php echo $l->t( 'Database password' ); ?></label>
+				<label for="dbpass" class="infield"><?php p($l->t( 'Database password' )); ?></label>
 				<input type="password" name="dbpass" id="dbpass"
-					value="<?php print OC_Helper::init_var('dbpass'); ?>" />
+					value="<?php p(OC_Helper::init_var('dbpass')); ?>" />
 			</p>
 			<p class="infield groupmiddle">
-				<label for="dbname" class="infield"><?php echo $l->t( 'Database name' ); ?></label>
+				<label for="dbname" class="infield"><?php p($l->t( 'Database name' )); ?></label>
 				<input type="text" name="dbname" id="dbname"
-					value="<?php print OC_Helper::init_var('dbname'); ?>"
+					value="<?php p(OC_Helper::init_var('dbname')); ?>"
 					autocomplete="off" pattern="[0-9a-zA-Z$_-]+" />
 			</p>
 		</div>
@@ -146,18 +146,18 @@
 		<?php if($_['hasOracle']): ?>
 		<div id="use_oracle_db">
 			<p class="infield groupmiddle">
-				<label for="dbtablespace" class="infield"><?php echo $l->t( 'Database tablespace' ); ?></label>
+				<label for="dbtablespace" class="infield"><?php p($l->t( 'Database tablespace' )); ?></label>
 				<input type="text" name="dbtablespace" id="dbtablespace"
-					value="<?php print OC_Helper::init_var('dbtablespace'); ?>" autocomplete="off" />
+					value="<?php p(OC_Helper::init_var('dbtablespace')); ?>" autocomplete="off" />
 			</p>
 		</div>
 		<?php endif; ?>
 		<p class="infield groupbottom">
-			<label for="dbhost" class="infield" id="dbhostlabel"><?php echo $l->t( 'Database host' ); ?></label>
+			<label for="dbhost" class="infield" id="dbhostlabel"><?php p($l->t( 'Database host' )); ?></label>
 			<input type="text" name="dbhost" id="dbhost"
-				value="<?php print OC_Helper::init_var('dbhost', 'localhost'); ?>" />
+				value="<?php p(OC_Helper::init_var('dbhost', 'localhost')); ?>" />
 		</p>
 	</fieldset>
 
-	<div class="buttons"><input type="submit" class="primary" value="<?php echo $l->t( 'Finish setup' ); ?>" /></div>
+	<div class="buttons"><input type="submit" class="primary" value="<?php p($l->t( 'Finish setup' )); ?>" /></div>
 </form>
diff --git a/core/templates/layout.base.php b/core/templates/layout.base.php
index 47d552069a..0ada957478 100644
--- a/core/templates/layout.base.php
+++ b/core/templates/layout.base.php
@@ -3,26 +3,26 @@
 	<head>
 		<title>ownCloud</title>
 		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-		<link rel="shortcut icon" href="<?php echo image_path('', 'favicon.png'); ?>" />
-		<link rel="apple-touch-icon-precomposed" href="<?php echo image_path('', 'favicon-touch.png'); ?>" />
+		<link rel="shortcut icon" href="<?php print_unescaped(image_path('', 'favicon.png')); ?>" />
+		<link rel="apple-touch-icon-precomposed" href="<?php print_unescaped(image_path('', 'favicon-touch.png')); ?>" />
 		<?php foreach ($_['cssfiles'] as $cssfile): ?>
-			<link rel="stylesheet" href="<?php echo $cssfile; ?>" type="text/css" media="screen" />
+			<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" type="text/css" media="screen" />
 		<?php endforeach; ?>
 		<?php foreach ($_['jsfiles'] as $jsfile): ?>
-			<script type="text/javascript" src="<?php echo $jsfile; ?>"></script>
+			<script type="text/javascript" src="<?php print_unescaped($jsfile); ?>"></script>
 		<?php endforeach; ?>
 		<?php foreach ($_['headers'] as $header): ?>
 			<?php
-				echo '<'.$header['tag'].' ';
+				print_unescaped('<'.$header['tag'].' ');
 				foreach ($header['attributes'] as $name => $value) {
-					echo "$name='$value' ";
+					print_unescaped("$name='$value' ");
 				};
-				echo '/>';
+				print_unescaped('/>)';
 			?>
 		<?php endforeach; ?>
 	</head>
 
 	<body>
-		<?php echo $_['content']; ?>
+		<?php print_unescaped($_['content']); ?>
 	</body>
 </html>
diff --git a/core/templates/layout.guest.php b/core/templates/layout.guest.php
index a84e2b8cef..03d58c9eae 100644
--- a/core/templates/layout.guest.php
+++ b/core/templates/layout.guest.php
@@ -4,22 +4,22 @@
 		<title>ownCloud</title>
 		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 		<meta name="apple-itunes-app" content="app-id=543672169">
-		<link rel="shortcut icon" href="<?php echo image_path('', 'favicon.png'); ?>" />
-		<link rel="apple-touch-icon-precomposed" href="<?php echo image_path('', 'favicon-touch.png'); ?>" />
+		<link rel="shortcut icon" href="<?php print_unescaped(image_path('', 'favicon.png')); ?>" />
+		<link rel="apple-touch-icon-precomposed" href="<?php print_unescaped(image_path('', 'favicon-touch.png')); ?>" />
 		<?php foreach($_['cssfiles'] as $cssfile): ?>
-			<link rel="stylesheet" href="<?php echo $cssfile; ?>" type="text/css" media="screen" />
+			<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" type="text/css" media="screen" />
 		<?php endforeach; ?>
 		<?php foreach($_['jsfiles'] as $jsfile): ?>
-			<script type="text/javascript" src="<?php echo $jsfile; ?>"></script>
+			<script type="text/javascript" src="<?php print_unescaped($jsfile); ?>"></script>
 		<?php endforeach; ?>
 	
 		<?php foreach($_['headers'] as $header): ?>
 			<?php
-				echo '<'.$header['tag'].' ';
+				print_unescaped('<'.$header['tag'].' ');
 				foreach($header['attributes'] as $name=>$value) {
-					echo "$name='$value' ";
+					print_unescaped("$name='$value' ");
 				};
-				echo '/>';
+				print_unescaped('/>');
 			?>
 		<?php endforeach; ?>
 	</head>
@@ -27,11 +27,11 @@
 	<body id="body-login">
 		<div id="login">
 			<header><div id="header">
-				<img src="<?php echo image_path('', 'logo.svg'); ?>" class="svg" alt="ownCloud" />
+				<img src="<?php print_unescaped(image_path('', 'logo.svg')); ?>" class="svg" alt="ownCloud" />
 			</div></header>
-			<?php echo $_['content']; ?>
+			<?php print_unescaped($_['content']); ?>
 		</div>
 		<footer><p class="info"><a href="http://owncloud.org/">ownCloud</a> &ndash;
-			<?php echo $l->t( 'web services under your control' ); ?></p></footer>
+			<?php p($l->t( 'web services under your control' )); ?></p></footer>
 	</body>
 </html>
diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index 10540cfe36..2b53cc0ae5 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -1,56 +1,56 @@
 <!DOCTYPE html>
 <html class="ng-csp">
 	<head>
-		<title><?php echo !empty($_['application'])?$_['application'].' | ':'' ?>ownCloud
-			<?php echo !empty($_['user_displayname'])?' ('.$_['user_displayname'].') ':'' ?></title>
+		<title><?php p(!empty($_['application'])?$_['application'].' | ':'') ?>ownCloud
+			<?php p(!empty($_['user_displayname'])?' ('.$_['user_displayname'].') ':'') ?></title>
 		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 		<meta name="apple-itunes-app" content="app-id=543672169">
-		<link rel="shortcut icon" href="<?php echo image_path('', 'favicon.png'); ?>" />
-		<link rel="apple-touch-icon-precomposed" href="<?php echo image_path('', 'favicon-touch.png'); ?>" />
+		<link rel="shortcut icon" href="<?php print_unescaped(image_path('', 'favicon.png')); ?>" />
+		<link rel="apple-touch-icon-precomposed" href="<?php print_unescaped(image_path('', 'favicon-touch.png')); ?>" />
 		<?php foreach($_['cssfiles'] as $cssfile): ?>
-			<link rel="stylesheet" href="<?php echo $cssfile; ?>" type="text/css" media="screen" />
+			<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" type="text/css" media="screen" />
 		<?php endforeach; ?>
 		<?php foreach($_['jsfiles'] as $jsfile): ?>
-			<script type="text/javascript" src="<?php echo $jsfile; ?>"></script>
+			<script type="text/javascript" src="<?php print_unescaped($jsfile); ?>"></script>
 		<?php endforeach; ?>
 		<?php foreach($_['headers'] as $header): ?>
 			<?php
-				echo '<'.$header['tag'].' ';
+				print_unescaped('<'.$header['tag'].' ');
 				foreach($header['attributes'] as $name=>$value) {
-					echo "$name='$value' ";
+					print_unescaped("$name='$value' ");
 				};
-				echo '/>';
+				print_unescaped('/>');
 			?>
 		<?php endforeach; ?>
 	</head>
 
-	<body id="<?php echo $_['bodyid'];?>">
+	<body id="<?php p($_['bodyid']);?>">
 	<div id="notification-container">
 		<div id="notification"></div>
 	</div>
 	<header><div id="header">
-			<a href="<?php echo link_to('', 'index.php'); ?>" title="" id="owncloud"><img class="svg"
-				src="<?php echo image_path('', 'logo-wide.svg'); ?>" alt="ownCloud" /></a>
+			<a href="<?php print_unescaped(link_to('', 'index.php')); ?>" title="" id="owncloud"><img class="svg"
+				src="<?php print_unescaped(image_path('', 'logo-wide.svg')); ?>" alt="ownCloud" /></a>
 
 			<ul id="settings" class="svg">
 				<span id="expand">
-					<span id="expandDisplayName"><?php echo $_['user_displayname'] ?></span>
-					<img class="svg" src="<?php echo image_path('', 'actions/caret.svg'); ?>" />
+					<span id="expandDisplayName"><?php p($_['user_displayname']) ?></span>
+					<img class="svg" src="<?php print_unescaped(image_path('', 'actions/caret.svg')); ?>" />
 				</span>
 				<div id="expanddiv">
 				<?php foreach($_['settingsnavigation'] as $entry):?>
 					<li>
-						<a href="<?php echo $entry['href']; ?>" title=""
+						<a href="<?php print_unescaped($entry['href']); ?>" title=""
 							<?php if( $entry["active"] ): ?> class="active"<?php endif; ?>>
-							<img class="svg" alt="" src="<?php echo $entry['icon']; ?>">
-							<?php echo $entry['name'] ?>
+							<img class="svg" alt="" src="<?php print_unescaped($entry['icon']); ?>">
+							<?php p($entry['name']) ?>
 						</a>
 					</li>
 				<?php endforeach; ?>
 					<li>
-						<a id="logout" href="<?php echo link_to('', 'index.php'); ?>?logout=true">
-							<img class="svg" alt="" src="<?php echo image_path('', 'actions/logout.svg'); ?>" />
-							<?php echo $l->t('Log out');?>
+						<a id="logout" href="<?php print_unescaped(link_to('', 'index.php')); ?>?logout=true">
+							<img class="svg" alt="" src="<?php print_unescaped(image_path('', 'actions/logout.svg')); ?>" />
+							<?php p($l->t('Log out'));?>
 						</a>
 					</li>
 				</div>
@@ -58,7 +58,7 @@
 
 			<form class="searchbox" action="#" method="post">
 				<input id="searchbox" class="svg" type="search" name="query"
-					value="<?php if(isset($_POST['query'])) {echo OC_Util::sanitizeHTML($_POST['query']);};?>"
+					value="<?php if(isset($_POST['query'])) {p($_POST['query']);};?>"
 					autocomplete="off" x-webkit-speech />
 			</form>
 		</div></header>
@@ -66,11 +66,11 @@
 		<nav><div id="navigation">
 			<ul id="apps" class="svg">
 				<?php foreach($_['navigation'] as $entry): ?>
-					<li data-id="<?php echo $entry['id']; ?>">
-						<a href="<?php echo $entry['href']; ?>" title=""
+					<li data-id="<?php p($entry['id']); ?>">
+						<a href="<?php print_unescaped($entry['href']); ?>" title=""
 							<?php if( $entry['active'] ): ?> class="active"<?php endif; ?>>
-							<img class="icon svg" src="<?php echo $entry['icon']; ?>"/>
-							<?php echo $entry['name']; ?>
+							<img class="icon svg" src="<?php print_unescaped($entry['icon']); ?>"/>
+							<?php p($entry['name']); ?>
 						</a>
 					</li>
 				<?php endforeach; ?>
@@ -79,7 +79,7 @@
 
 		<div id="content-wrapper">
 			<div id="content">
-				<?php echo $_['content']; ?>
+				<?php print_unescaped($_['content']); ?>
 			</div>
 		</div>
 	</body>
diff --git a/core/templates/login.php b/core/templates/login.php
index 3be2b039b0..463b951c80 100644
--- a/core/templates/login.php
+++ b/core/templates/login.php
@@ -2,54 +2,54 @@
 <form method="post">
 	<fieldset>
 	<?php if (!empty($_['redirect_url'])) {
-		echo '<input type="hidden" name="redirect_url" value="' . $_['redirect_url'] . '" />';
+		print_unescaped('<input type="hidden" name="redirect_url" value="' . OC_Util::sanitizeHTML($_['redirect_url']) . '" />');
 	} ?>
 		<ul>
 			<?php if (isset($_['invalidcookie']) && ($_['invalidcookie'])): ?>
 			<li class="errors">
-				<?php echo $l->t('Automatic logon rejected!'); ?><br>
-				<small><?php echo $l->t('If you did not change your password recently, your account may be compromised!'); ?></small>
+				<?php p($l->t('Automatic logon rejected!')); ?><br>
+				<small><?php p($l->t('If you did not change your password recently, your account may be compromised!')); ?></small>
 				<br>
-				<small><?php echo $l->t('Please change your password to secure your account again.'); ?></small>
+				<small><?php p($l->t('Please change your password to secure your account again.')); ?></small>
 			</li>
 			<?php endif; ?>
 			<?php if (isset($_['invalidpassword']) && ($_['invalidpassword'])): ?>
-			<a href="<?php echo OC_Helper::linkToRoute('core_lostpassword_index') ?>">
+			<a href="<?php print_unescaped(OC_Helper::linkToRoute('core_lostpassword_index')) ?>">
 				<li class="errors">
-					<?php echo $l->t('Lost your password?'); ?>
+					<?php p($l->t('Lost your password?')); ?>
 				</li>
 			</a>
 			<?php endif; ?>
 		</ul>
 		<p class="infield grouptop">
 			<input type="text" name="user" id="user"
-				   value="<?php echo $_['username']; ?>"<?php echo $_['user_autofocus'] ? ' autofocus' : ''; ?>
+				   value="<?php p($_['username']); ?>"<?php p($_['user_autofocus'] ? ' autofocus' : ''); ?>
 				   autocomplete="on" required/>
-			<label for="user" class="infield"><?php echo $l->t('Username'); ?></label>
-			<img class="svg" src="<?php echo image_path('', 'actions/user.svg'); ?>" alt=""/>
+			<label for="user" class="infield"><?php p($l->t('Username')); ?></label>
+			<img class="svg" src="<?php print_unescaped(image_path('', 'actions/user.svg')); ?>" alt=""/>
 		</p>
 
 		<p class="infield groupbottom">
 			<input type="password" name="password" id="password" value="" data-typetoggle="#show"
-				   required<?php echo $_['user_autofocus'] ? '' : ' autofocus'; ?> />
-			<label for="password" class="infield"><?php echo $l->t('Password'); ?></label>
-			<img class="svg" id="password-icon" src="<?php echo image_path('', 'actions/password.svg'); ?>" alt=""/>
+				   required<?php p($_['user_autofocus'] ? '' : ' autofocus'); ?> />
+			<label for="password" class="infield"><?php p($l->t('Password')); ?></label>
+			<img class="svg" id="password-icon" src="<?php print_unescaped(image_path('', 'actions/password.svg')); ?>" alt=""/>
 			<input type="checkbox" id="show" name="show" />
 			<label for="show"></label>
 		</p>
 		<input type="checkbox" name="remember_login" value="1" id="remember_login"/><label
-			for="remember_login"><?php echo $l->t('remember'); ?></label>
+			for="remember_login"><?php p($l->t('remember')); ?></label>
 		<input type="hidden" name="timezone-offset" id="timezone-offset"/>
-		<input type="submit" id="submit" class="login primary" value="<?php echo $l->t('Log in'); ?>"/>
+		<input type="submit" id="submit" class="login primary" value="<?php p($l->t('Log in')); ?>"/>
 	</fieldset>
 </form>
 <?php if (!empty($_['alt_login'])) { ?>
 <form id="alternative-logins">
 	<fieldset>
-		<legend><?php echo $l->t('Alternative Logins') ?></legend>
+		<legend><?php p($l->t('Alternative Logins')) ?></legend>
 		<ul>
 			<?php foreach($_['alt_login'] as $login): ?>
-				<li><a class="button" href="<?php echo $login['href']; ?>" ><?php echo $login['name']; ?></a></li>
+				<li><a class="button" href="<?php print_unescaped($login['href']); ?>" ><?php p($login['name']); ?></a></li>
 			<?php endforeach; ?>
 		</ul>
 	</fieldset>
diff --git a/core/templates/part.pagenavi.php b/core/templates/part.pagenavi.php
index d43023a782..2f5c218376 100644
--- a/core/templates/part.pagenavi.php
+++ b/core/templates/part.pagenavi.php
@@ -1,15 +1,15 @@
 <ol class="pager">
 	<?php if($_['page']>0):?>
-	<li class="pagerbutton1"><a href="<?php echo $_['url'].($_['page']-1);?>"><?php echo $l->t( 'prev' ); ?></a></li>
+	<li class="pagerbutton1"><a href="<?php print_unescaped($_['url'].($_['page']-1));?>"><?php p($l->t( 'prev' )); ?></a></li>
 	<?php endif; ?>
 	<?php if ($_['pagestart']>0):?>
 	&hellip;
 	<?php endif;?>
 	<?php for ($i=$_['pagestart']; $i < $_['pagestop'];$i++):?>
 		<?php if ($_['page']!=$i):?>
-		<li><a href="<?php echo $_['url'].$i;?>"><?php echo $i+1;?></a></li>
+		<li><a href="<?php print_unescaped($_['url'].$i);?>"><?php p($i+1);?></a></li>
 		<?php else:?>
-		<li><?php echo $i+1;?></li>
+		<li><?php p($i+1);?></li>
 		<?php endif?>
 	<?php endfor;?>
 	<?php if ($_['pagestop']<$_['pagecount']):?>
@@ -17,6 +17,6 @@
 	<?php endif;?>
 
 	<?php if(($_['page']+1)<$_['pagecount']):?>
-	<li class="pagerbutton2"><a href="<?php echo $_['url'].($_['page']+1);?>"><?php echo $l->t( 'next' ); ?></a></li>
+	<li class="pagerbutton2"><a href="<?php print_unescaped($_['url'].($_['page']+1));?>"><?php p($l->t( 'next' )); ?></a></li>
 	<?php endif; ?>
 </ol>
diff --git a/core/templates/update.php b/core/templates/update.php
index 685a5536d0..a652d5f195 100644
--- a/core/templates/update.php
+++ b/core/templates/update.php
@@ -1,6 +1,6 @@
 <ul>
 	<li class='update'>
-		<?php echo $l->t('Updating ownCloud to version %s, this may take a while.',
-			array($_['version'])); ?><br /><br />
+		<?php p($l->t('Updating ownCloud to version %s, this may take a while.',
+			array($_['version']))); ?><br /><br />
 	</li>
 </ul>
diff --git a/lib/setup.php b/lib/setup.php
index 8f772e663e..8814447f52 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -851,7 +851,7 @@ class OC_Setup {
 				'http://doc.owncloud.org/server/5.0/admin_manual/installation.html');
 
 			$tmpl = new OC_Template('', 'error', 'guest');
-			$tmpl->assign('errors', array(1 => array('error' => $error, 'hint' => $hint)), false);
+			$tmpl->assign('errors', array(1 => array('error' => $error, 'hint' => $hint)));
 			$tmpl->printPage();
 			exit();
 		}
diff --git a/lib/template.php b/lib/template.php
index fcf18fee41..08ad5764ba 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -482,7 +482,7 @@ class OC_Template{
 	public static function printUserPage( $application, $name, $parameters = array() ) {
 		$content = new OC_Template( $application, $name, "user" );
 		foreach( $parameters as $key => $value ) {
-			$content->assign( $key, $value, false );
+			$content->assign( $key, $value );
 		}
 		print $content->printPage();
 	}
@@ -497,7 +497,7 @@ class OC_Template{
 	public static function printAdminPage( $application, $name, $parameters = array() ) {
 		$content = new OC_Template( $application, $name, "admin" );
 		foreach( $parameters as $key => $value ) {
-			$content->assign( $key, $value, false );
+			$content->assign( $key, $value );
 		}
 		return $content->printPage();
 	}
@@ -512,7 +512,7 @@ class OC_Template{
 	public static function printGuestPage( $application, $name, $parameters = array() ) {
 		$content = new OC_Template( $application, $name, "guest" );
 		foreach( $parameters as $key => $value ) {
-			$content->assign( $key, $value, false );
+			$content->assign( $key, $value );
 		}
 		return $content->printPage();
 	}
diff --git a/lib/templatelayout.php b/lib/templatelayout.php
index afa875b0a6..3d824cdca8 100644
--- a/lib/templatelayout.php
+++ b/lib/templatelayout.php
@@ -13,19 +13,19 @@ class OC_TemplateLayout extends OC_Template {
 		if( $renderas == 'user' ) {
 			parent::__construct( 'core', 'layout.user' );
 			if(in_array(OC_APP::getCurrentApp(), array('settings','admin', 'help'))!==false) {
-				$this->assign('bodyid', 'body-settings', false);
+				$this->assign('bodyid', 'body-settings');
 			}else{
-				$this->assign('bodyid', 'body-user', false);
+				$this->assign('bodyid', 'body-user');
 			}
 
 			// Add navigation entry
 			$this->assign( 'application', '', false );
 			$navigation = OC_App::getNavigation();
-			$this->assign( 'navigation', $navigation, false);
-			$this->assign( 'settingsnavigation', OC_App::getSettingsNavigation(), false);
+			$this->assign( 'navigation', $navigation);
+			$this->assign( 'settingsnavigation', OC_App::getSettingsNavigation());
 			foreach($navigation as $entry) {
 				if ($entry['active']) {
-					$this->assign( 'application', $entry['name'], false );
+					$this->assign( 'application', $entry['name'] );
 					break;
 				}
 			}
diff --git a/settings/apps.php b/settings/apps.php
index b9ed2cac93..44cfff7e3f 100644
--- a/settings/apps.php
+++ b/settings/apps.php
@@ -49,7 +49,7 @@ usort( $combinedApps, 'app_sort' );
 
 $tmpl = new OC_Template( "settings", "apps", "user" );
 
-$tmpl->assign('apps', $combinedApps, false);
+$tmpl->assign('apps', $combinedApps);
 
 $appid = (isset($_GET['appid'])?strip_tags($_GET['appid']):'');
 
diff --git a/settings/templates/admin.php b/settings/templates/admin.php
index f3dc9154bb..dd5e89b8f8 100644
--- a/settings/templates/admin.php
+++ b/settings/templates/admin.php
@@ -12,10 +12,10 @@ $levels = array('Debug', 'Info', 'Warning', 'Error', 'Fatal');
 if (!$_['htaccessworking']) {
 	?>
 <fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('Security Warning');?></strong></legend>
+	<legend><strong><?php p($l->t('Security Warning'));?></strong></legend>
 
 	<span class="securitywarning">
-		<?php echo $l->t('Your data directory and your files are probably accessible from the internet. The .htaccess file that ownCloud provides is not working. We strongly suggest that you configure your webserver in a way that the data directory is no longer accessible or you move the data directory outside the webserver document root.'); ?>
+		<?php p($l->t('Your data directory and your files are probably accessible from the internet. The .htaccess file that ownCloud provides is not working. We strongly suggest that you configure your webserver in a way that the data directory is no longer accessible or you move the data directory outside the webserver document root.')); ?>
 	</span>
 
 </fieldset>
@@ -26,11 +26,11 @@ if (!$_['htaccessworking']) {
 if (!$_['isWebDavWorking']) {
 	?>
 <fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('Setup Warning');?></strong></legend>
+	<legend><strong><?php p($l->t('Setup Warning'));?></strong></legend>
 
 	<span class="securitywarning">
-		<?php echo $l->t('Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.'); ?>
-		<?php echo $l->t('Please double check the <a href=\'%s\'>installation guides</a>.', 'http://doc.owncloud.org/server/5.0/admin_manual/installation.html'); ?>
+		<?php p($l->t('Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken.')); ?>
+		<?php print_unescaped($l->t('Please double check the <a href=\'%s\'>installation guides</a>.', 'http://doc.owncloud.org/server/5.0/admin_manual/installation.html')); ?>
 	</span>
 
 </fieldset>
@@ -41,10 +41,10 @@ if (!$_['isWebDavWorking']) {
 if (!$_['has_fileinfo']) {
 	?>
 <fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('Module \'fileinfo\' missing');?></strong></legend>
+	<legend><strong><?php p($l->t('Module \'fileinfo\' missing'));?></strong></legend>
 
 		<span class="connectionwarning">
-		<?php echo $l->t('The PHP module \'fileinfo\' is missing. We strongly recommend to enable this module to get best results with mime-type detection.'); ?>
+		<?php p($l->t('The PHP module \'fileinfo\' is missing. We strongly recommend to enable this module to get best results with mime-type detection.')); ?>
 	</span>
 
 </fieldset>
@@ -55,12 +55,12 @@ if (!$_['has_fileinfo']) {
 if (!$_['islocaleworking']) {
 	?>
 <fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('Locale not working');?></strong></legend>
+	<legend><strong><?php p($l->t('Locale not working'));?></strong></legend>
 
 		<span class="connectionwarning">
 		<?php
 			$locales = 'en_US.UTF-8/en_US.UTF8';
-			echo $l->t('This ownCloud server can\'t set system locale to %s. This means that there might be problems with certain characters in file names. We strongly suggest to install the required packages on your system to support %s.', array($locales, $locales));
+			p($l->t('This ownCloud server can\'t set system locale to %s. This means that there might be problems with certain characters in file names. We strongly suggest to install the required packages on your system to support %s.', array($locales, $locales)));
 			?>
 	</span>
 
@@ -72,10 +72,10 @@ if (!$_['islocaleworking']) {
 if (!$_['internetconnectionworking']) {
 	?>
 <fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('Internet connection not working');?></strong></legend>
+	<legend><strong><?php p($l->t('Internet connection not working'));?></strong></legend>
 
 		<span class="connectionwarning">
-		<?php echo $l->t('This ownCloud server has no working internet connection. This means that some of the features like mounting of external storage, notifications about updates or installation of 3rd party apps don´t work. Accessing files from remote and sending of notification emails might also not work. We suggest to enable internet connection for this server if you want to have all features of ownCloud.'); ?>
+		<?php p($l->t('This ownCloud server has no working internet connection. This means that some of the features like mounting of external storage, notifications about updates or installation of 3rd party apps don´t work. Accessing files from remote and sending of notification emails might also not work. We suggest to enable internet connection for this server if you want to have all features of ownCloud.')); ?>
 	</span>
 
 </fieldset>
@@ -84,106 +84,106 @@ if (!$_['internetconnectionworking']) {
 ?>
 
 <?php foreach ($_['forms'] as $form) {
-	echo $form;
+	print_unescaped($form);
 }
 ;?>
 
 <fieldset class="personalblock" id="backgroundjobs">
-	<legend><strong><?php echo $l->t('Cron');?></strong></legend>
+	<legend><strong><?php p($l->t('Cron'));?></strong></legend>
 	<table class="nostyle">
 		<tr>
 			<td>
 				<input type="radio" name="mode" value="ajax"
 					   id="backgroundjobs_ajax" <?php if ($_['backgroundjobs_mode'] == "ajax") {
-					echo 'checked="checked"';
+					print_unescaped('checked="checked"');
 				} ?>>
 				<label for="backgroundjobs_ajax">AJAX</label><br/>
-				<em><?php echo $l->t("Execute one task with each page loaded"); ?></em>
+				<em><?php p($l->t("Execute one task with each page loaded")); ?></em>
 			</td>
 		</tr>
 		<tr>
 			<td>
 				<input type="radio" name="mode" value="webcron"
 					   id="backgroundjobs_webcron" <?php if ($_['backgroundjobs_mode'] == "webcron") {
-					echo 'checked="checked"';
+					print_unescaped('checked="checked"');
 				} ?>>
 				<label for="backgroundjobs_webcron">Webcron</label><br/>
-				<em><?php echo $l->t("cron.php is registered at a webcron service. Call the cron.php page in the owncloud root once a minute over http."); ?></em>
+				<em><?php p($l->t("cron.php is registered at a webcron service. Call the cron.php page in the owncloud root once a minute over http.")); ?></em>
 			</td>
 		</tr>
 		<tr>
 			<td>
 				<input type="radio" name="mode" value="cron"
 					   id="backgroundjobs_cron" <?php if ($_['backgroundjobs_mode'] == "cron") {
-					echo 'checked="checked"';
+					print_unescaped('checked="checked"');
 				} ?>>
 				<label for="backgroundjobs_cron">Cron</label><br/>
-				<em><?php echo $l->t("Use systems cron service. Call the cron.php file in the owncloud folder via a system cronjob once a minute."); ?></em>
+				<em><?php p($l->t("Use systems cron service. Call the cron.php file in the owncloud folder via a system cronjob once a minute.")); ?></em>
 			</td>
 		</tr>
 	</table>
 </fieldset>
 
 <fieldset class="personalblock" id="shareAPI">
-	<legend><strong><?php echo $l->t('Sharing');?></strong></legend>
+	<legend><strong><?php p($l->t('Sharing'));?></strong></legend>
 	<table class="shareAPI nostyle">
 		<tr>
 			<td id="enable">
 				<input type="checkbox" name="shareapi_enabled" id="shareAPIEnabled"
-					   value="1" <?php if ($_['shareAPIEnabled'] == 'yes') echo 'checked="checked"'; ?> />
-				<label for="shareAPIEnabled"><?php echo $l->t('Enable Share API');?></label><br/>
-				<em><?php echo $l->t('Allow apps to use the Share API'); ?></em>
+					   value="1" <?php if ($_['shareAPIEnabled'] == 'yes') print_unescaped('checked="checked"'); ?> />
+				<label for="shareAPIEnabled"><?php p($l->t('Enable Share API'));?></label><br/>
+				<em><?php p($l->t('Allow apps to use the Share API')); ?></em>
 			</td>
 		</tr>
 		<tr>
-			<td <?php if ($_['shareAPIEnabled'] == 'no') echo 'style="display:none"';?>>
+			<td <?php if ($_['shareAPIEnabled'] == 'no') print_unescaped('style="display:none"');?>>
 				<input type="checkbox" name="shareapi_allow_links" id="allowLinks"
-					   value="1" <?php if ($_['allowLinks'] == 'yes') echo 'checked="checked"'; ?> />
-				<label for="allowLinks"><?php echo $l->t('Allow links');?></label><br/>
-				<em><?php echo $l->t('Allow users to share items to the public with links'); ?></em>
+					   value="1" <?php if ($_['allowLinks'] == 'yes') print_unescaped('checked="checked"'); ?> />
+				<label for="allowLinks"><?php p($l->t('Allow links'));?></label><br/>
+				<em><?php p($l->t('Allow users to share items to the public with links')); ?></em>
 			</td>
 		</tr>
 		<tr>
-			<td <?php if ($_['shareAPIEnabled'] == 'no') echo 'style="display:none"';?>>
+			<td <?php if ($_['shareAPIEnabled'] == 'no') print_unescaped('style="display:none"');?>>
 				<input type="checkbox" name="shareapi_allow_resharing" id="allowResharing"
-					   value="1" <?php if ($_['allowResharing'] == 'yes') echo 'checked="checked"'; ?> />
-				<label for="allowResharing"><?php echo $l->t('Allow resharing');?></label><br/>
-				<em><?php echo $l->t('Allow users to share items shared with them again'); ?></em>
+					   value="1" <?php if ($_['allowResharing'] == 'yes') print_unescaped('checked="checked"'); ?> />
+				<label for="allowResharing"><?php p($l->t('Allow resharing'));?></label><br/>
+				<em><?php p($l->t('Allow users to share items shared with them again')); ?></em>
 			</td>
 		</tr>
 		<tr>
-			<td <?php if ($_['shareAPIEnabled'] == 'no') echo 'style="display:none"';?>>
+			<td <?php if ($_['shareAPIEnabled'] == 'no') print_unescaped('style="display:none"');?>>
 				<input type="radio" name="shareapi_share_policy" id="sharePolicyGlobal"
-					   value="global" <?php if ($_['sharePolicy'] == 'global') echo 'checked="checked"'; ?> />
-				<label for="sharePolicyGlobal"><?php echo $l->t('Allow users to share with anyone'); ?></label><br/>
+					   value="global" <?php if ($_['sharePolicy'] == 'global') print_unescaped('checked="checked"'); ?> />
+				<label for="sharePolicyGlobal"><?php p($l->t('Allow users to share with anyone')); ?></label><br/>
 				<input type="radio" name="shareapi_share_policy" id="sharePolicyGroupsOnly"
-					   value="groups_only" <?php if ($_['sharePolicy'] == 'groups_only') echo 'checked="checked"'; ?> />
-				<label for="sharePolicyGroupsOnly"><?php echo $l->t('Allow users to only share with users in their groups');?></label><br/>
+					   value="groups_only" <?php if ($_['sharePolicy'] == 'groups_only') print_unescaped('checked="checked"'); ?> />
+				<label for="sharePolicyGroupsOnly"><?php p($l->t('Allow users to only share with users in their groups'));?></label><br/>
 			</td>
 		</tr>
 	</table>
 </fieldset>
 
 <fieldset class="personalblock" id="security">
-	<legend><strong><?php echo $l->t('Security');?></strong></legend>
+	<legend><strong><?php p($l->t('Security'));?></strong></legend>
 	<table class="nostyle">
 		<tr>
 			<td id="enable">
 				<input type="checkbox" name="forcessl"  id="enforceHTTPSEnabled"
 					<?php if ($_['enforceHTTPSEnabled']) {
-						echo 'checked="checked" ';
-						echo 'value="false"';
+						print_unescaped('checked="checked" ');
+						print_unescaped('value="false"');
 					}  else {
-						echo 'value="true"';
+						print_unescaped('value="true"');
 					}
 					?>
-					<?php if (!$_['isConnectedViaHTTPS']) echo 'disabled'; ?> />
-				<label for="forcessl"><?php echo $l->t('Enforce HTTPS');?></label><br/>
-				<em><?php echo $l->t('Enforces the clients to connect to ownCloud via an encrypted connection.'); ?></em>
+					<?php if (!$_['isConnectedViaHTTPS']) p('disabled'); ?> />
+				<label for="forcessl"><?php p($l->t('Enforce HTTPS'));?></label><br/>
+				<em><?php p($l->t('Enforces the clients to connect to ownCloud via an encrypted connection.')); ?></em>
 				<?php if (!$_['isConnectedViaHTTPS']) {
-					echo "<br/><em>";
-					echo $l->t('Please connect to this ownCloud instance via HTTPS to enable or disable the SSL enforcement.');
-					echo "</em>";
+					print_unescaped("<br/><em>");
+					p($l->t('Please connect to this ownCloud instance via HTTPS to enable or disable the SSL enforcement.'));
+					print_unescaped("</em>");
 				}
 				?>
 			</td>
@@ -192,12 +192,12 @@ if (!$_['internetconnectionworking']) {
 </fieldset>
 
 <fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('Log');?></strong></legend>
-	<?php echo $l->t('Log level');?> <select name='loglevel' id='loglevel'>
-	<option value='<?php echo $_['loglevel']?>'><?php echo $levels[$_['loglevel']]?></option>
+	<legend><strong><?php p($l->t('Log'));?></strong></legend>
+	<?php p($l->t('Log level'));?> <select name='loglevel' id='loglevel'>
+	<option value='<?php p($_['loglevel'])?>'><?php p($levels[$_['loglevel']])?></option>
 	<?php for ($i = 0; $i < 5; $i++):
 	if ($i != $_['loglevel']):?>
-		<option value='<?php echo $i?>'><?php echo $levels[$i]?></option>
+		<option value='<?php p($i)?>'><?php p($levels[$i])?></option>
 		<?php endif;
 endfor;?>
 </select>
@@ -205,31 +205,31 @@ endfor;?>
 		<?php foreach ($_['entries'] as $entry): ?>
 		<tr>
 			<td>
-				<?php echo $levels[$entry->level];?>
+				<?php p($levels[$entry->level]);?>
 			</td>
 			<td>
-				<?php echo $entry->app;?>
+				<?php p($entry->app);?>
 			</td>
 			<td>
-				<?php echo $entry->message;?>
+				<?php p($entry->message);?>
 			</td>
 			<td>
-				<?php echo OC_Util::formatDate($entry->time);?>
+				<?php p(OC_Util::formatDate($entry->time));?>
 			</td>
 		</tr>
 		<?php endforeach;?>
 	</table>
 	<?php if ($_['entriesremain']): ?>
-	<input id='moreLog' type='button' value='<?php echo $l->t('More');?>...'>
+	<input id='moreLog' type='button' value='<?php p($l->t('More'));?>...'>
 	<?php endif; ?>
 
 </fieldset>
 
 
 <fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('Version');?></strong></legend>
-	<strong>ownCloud</strong> <?php echo(OC_Util::getVersionString()); ?> <?php echo(OC_Util::getEditionString()); ?>
-	(<?php echo(OC_Updater::ShowUpdatingHint()); ?>)<br/>
-	<?php echo $l->t('Developed by the <a href="http://ownCloud.org/contact" target="_blank">ownCloud community</a>, the <a href="https://github.com/owncloud" target="_blank">source code</a> is licensed under the <a href="http://www.gnu.org/licenses/agpl-3.0.html" target="_blank"><abbr title="Affero General Public License">AGPL</abbr></a>.'); ?>
+	<legend><strong><?php p($l->t('Version'));?></strong></legend>
+	<strong>ownCloud</strong> <?php p(OC_Util::getVersionString()); ?> <?php p(OC_Util::getEditionString()); ?>
+	(<?php p(OC_Updater::ShowUpdatingHint()); ?>)<br/>
+	<?php print_unescaped($l->t('Developed by the <a href="http://ownCloud.org/contact" target="_blank">ownCloud community</a>, the <a href="https://github.com/owncloud" target="_blank">source code</a> is licensed under the <a href="http://www.gnu.org/licenses/agpl-3.0.html" target="_blank"><abbr title="Affero General Public License">AGPL</abbr></a>.')); ?>
 </fieldset>
 
diff --git a/settings/templates/apps.php b/settings/templates/apps.php
index b6e98c41bd..d3639cbab3 100644
--- a/settings/templates/apps.php
+++ b/settings/templates/apps.php
@@ -4,37 +4,37 @@
  * See the COPYING-README file.
  */?>
  <script type="text/javascript"
-	src="<?php echo OC_Helper::linkToRoute('apps_custom');?>?appid=<?php echo $_['appid']; ?>"></script>
- <script type="text/javascript" src="<?php echo OC_Helper::linkTo('settings/js', 'apps.js');?>"></script>
+	src="<?php print_unescaped(OC_Helper::linkToRoute('apps_custom'));?>?appid=<?php p($_['appid']); ?>"></script>
+ <script type="text/javascript" src="<?php print_unescaped(OC_Helper::linkTo('settings/js', 'apps.js'));?>"></script>
 
 <div id="controls">
-	<a class="button" target="_blank" href="http://owncloud.org/dev"><?php echo $l->t('Add your App');?></a>
-	<a class="button" target="_blank" href="http://apps.owncloud.com"><?php echo $l->t('More Apps');?></a>
+	<a class="button" target="_blank" href="http://owncloud.org/dev"><?php p($l->t('Add your App'));?></a>
+	<a class="button" target="_blank" href="http://apps.owncloud.com"><?php p($l->t('More Apps'));?></a>
 </div>
 <ul id="leftcontent" class="applist hascontrols">
 	<?php foreach($_['apps'] as $app):?>
-	<li <?php if($app['active']) echo 'class="active"'?> data-id="<?php echo $app['id'] ?>"
-		<?php if ( isset( $app['ocs_id'] ) ) { echo "data-id-ocs=\"{$app['ocs_id']}\""; } ?>
-			data-type="<?php echo $app['internal'] ? 'internal' : 'external' ?>" data-installed="1">
-		<a class="app<?php if(!$app['internal']) echo ' externalapp' ?>"
-			href="?appid=<?php echo $app['id'] ?>"><?php echo htmlentities($app['name']) ?></a>
+	<li <?php if($app['active']) print_unescaped('class="active"')?> data-id="<?php p($app['id']) ?>"
+		<?php if ( isset( $app['ocs_id'] ) ) { print_unescaped("data-id-ocs=\"{".OC_Util::sanitizeHTML($app['ocs_id'])."}\""); } ?>
+			data-type="<?php p($app['internal'] ? 'internal' : 'external') ?>" data-installed="1">
+		<a class="app<?php if(!$app['internal']) p(' externalapp') ?>"
+			href="?appid=<?php p($app['id']) ?>"><?php p($app['name']) ?></a>
 		<?php  if(!$app['internal'])
-			echo '<small class="'.$app['internalclass'].' list">'.$app['internallabel'].'</small>' ?>
+			print_unescaped('<small class="'.OC_Util::sanitizeHTML($app['internalclass']).' list">'.OC_Util::sanitizeHTML($app['internallabel']).'</small>') ?>
 	</li>
 	<?php endforeach;?>
 </ul>
 <div id="rightcontent">
 	<div class="appinfo">
-	<h3><strong><span class="name"><?php echo $l->t('Select an App');?></span></strong><span
+	<h3><strong><span class="name"><?php p($l->t('Select an App'));?></span></strong><span
 		class="version"></span><small class="externalapp" style="visibility:hidden;"></small></h3>
 	<span class="score"></span>
 	<p class="description"></p>
 	<img src="" class="preview" />
 	<p class="appslink hidden"><a href="#" target="_blank"><?php
-		echo $l->t('See application page at apps.owncloud.com');?></a></p>
+		p($l->t('See application page at apps.owncloud.com'));?></a></p>
 	<p class="license hidden"><?php
-		echo $l->t('<span class="licence"></span>-licensed by <span class="author"></span>');?></p>
+		print_unescaped($l->t('<span class="licence"></span>-licensed by <span class="author"></span>'));?></p>
 	<input class="enable hidden" type="submit" />
-	<input class="update hidden" type="submit" value="<?php echo($l->t('Update')); ?>" />
+	<input class="update hidden" type="submit" value="<?php p($l->t('Update')); ?>" />
 	</div>
 </div>
diff --git a/settings/templates/help.php b/settings/templates/help.php
index 7b2a3321c2..3d227817e6 100644
--- a/settings/templates/help.php
+++ b/settings/templates/help.php
@@ -1,21 +1,21 @@
 <div id="controls">
 	<?php if($_['admin']) { ?>
-		<a class="button newquestion <?php echo($_['style1']); ?>"
-			href="<?php echo($_['url1']); ?>"><?php echo $l->t( 'User Documentation' ); ?></a>
-		<a class="button newquestion <?php echo($_['style2']); ?>"
-			href="<?php echo($_['url2']); ?>"><?php echo $l->t( 'Administrator Documentation' ); ?></a>
+		<a class="button newquestion <?php p($_['style1']); ?>"
+			href="<?php print_unescaped($_['url1']); ?>"><?php p($l->t( 'User Documentation' )); ?></a>
+		<a class="button newquestion <?php p($_['style2']); ?>"
+			href="<?php print_unescaped($_['url2']); ?>"><?php p($l->t( 'Administrator Documentation' )); ?></a>
 	<?php } ?>
 	<a class="button newquestion" href="http://owncloud.org/support" target="_blank"><?php
-		echo $l->t( 'Online Documentation' ); ?></a>
+		p($l->t( 'Online Documentation' )); ?></a>
 	<a class="button newquestion" href="http://forum.owncloud.org" target="_blank"><?php
-		echo $l->t( 'Forum' ); ?></a>
+		p($l->t( 'Forum' )); ?></a>
 	<?php if($_['admin']) { ?>
 		<a class="button newquestion" href="https://github.com/owncloud/core/issues" target="_blank"><?php
-			echo $l->t( 'Bugtracker' ); ?></a>
+			p($l->t( 'Bugtracker' )); ?></a>
 	<?php } ?>
 	<a class="button newquestion" href="http://owncloud.com" target="_blank"><?php
-		echo $l->t( 'Commercial Support' ); ?></a>
+		p($l->t( 'Commercial Support' )); ?></a>
 </div>
 <div class="help-includes">
-	<iframe src="<?php echo($_['url']); ?>" class="help-iframe">abc</iframe>
+	<iframe src="<?php print_unescaped($_['url']); ?>" class="help-iframe">abc</iframe>
 </div>
diff --git a/settings/templates/oauth-required-apps.php b/settings/templates/oauth-required-apps.php
index d4fce54c59..3660f42342 100644
--- a/settings/templates/oauth-required-apps.php
+++ b/settings/templates/oauth-required-apps.php
@@ -6,14 +6,14 @@
  */
 ?>
 <div id="oauth-request" class="guest-container">
-	<p><strong><?php echo $_['consumer']['name'].'</strong> '.$_['message']; ?></p>
+	<p><strong><?php print_unescaped(OC_Util::sanitizeHTML($_['consumer']['name']).'</strong> '.OC_Util::sanitizeHTML($_['message'])); ?></p>
 	<ul>
 		<?php
 		// Foreach requested scope
 		foreach($_['requiredapps'] as $requiredapp){
-			echo '<li>'.$requiredapp.'</li>';
+			print_unescaped('<li>'.OC_Util::sanitizeHTML($requiredapp).'</li>');
 		}
 		?>
 	</ul>
-	<a href="<?php echo OC::$WEBROOT; ?>" id="back-home" class="button">Back to ownCloud</a>
+	<a href="<?php print_unescaped(OC::$WEBROOT); ?>" id="back-home" class="button">Back to ownCloud</a>
 </div>
diff --git a/settings/templates/oauth.php b/settings/templates/oauth.php
index 053a8aee6d..34831ba028 100644
--- a/settings/templates/oauth.php
+++ b/settings/templates/oauth.php
@@ -6,12 +6,12 @@
  */
 ?>
 <div id="oauth-request" class="guest-container">
-	<p><strong><?php echo $_['consumer']['name']; ?></strong> is requesting your permission to read, write, modify and delete data from the following apps:</p>
+	<p><strong><?php p($_['consumer']['name']); ?></strong> is requesting your permission to read, write, modify and delete data from the following apps:</p>
 	<ul>
 		<?php
 		// Foreach requested scope
 		foreach($_['consumer']['scopes'] as $app){
-			echo '<li>'.$app.'</li>';
+			print_unescaped('<li>'.OC_Util:sanitzeHTML($app).'</li>)';
 		}
 		?>
 	</ul>
diff --git a/settings/templates/personal.php b/settings/templates/personal.php
index 3a4a6093e7..f3fd3f1010 100644
--- a/settings/templates/personal.php
+++ b/settings/templates/personal.php
@@ -4,26 +4,26 @@
  * See the COPYING-README file.
  */?>
 
-<div id="quota" class="personalblock"><div style="width:<?php echo $_['usage_relative'];?>%;">
-	<p id="quotatext"><?php echo $l->t('You have used <strong>%s</strong> of the available <strong>%s</strong>',
-		array($_['usage'], $_['total_space']));?></p>
+<div id="quota" class="personalblock"><div style="width:<?php p($_['usage_relative']);?>%;">
+	<p id="quotatext"><?php print_unescaped($l->t('You have used <strong>%s</strong> of the available <strong>%s</strong>',
+		array($_['usage'], $_['total_space'])));?></p>
 </div></div>
 
 
 
 <div class="clientsbox">
-	<h2><?php echo $l->t('Get the apps to sync your files');?></h2>
-	<a href="<?php echo $_['clients']['desktop']; ?>" target="_blank">
-		<img src="<?php echo OCP\Util::imagePath('core', 'desktopapp.png'); ?>" />
+	<h2><?php p($l->t('Get the apps to sync your files'));?></h2>
+	<a href="<?php p($_['clients']['desktop']); ?>" target="_blank">
+		<img src="<?php print_unescaped(OCP\Util::imagePath('core', 'desktopapp.png')); ?>" />
 	</a>
-	<a href="<?php echo $_['clients']['android']; ?>" target="_blank">
-		<img src="<?php echo OCP\Util::imagePath('core', 'googleplay.png'); ?>" />
+	<a href="<?php p($_['clients']['android']); ?>" target="_blank">
+		<img src="<?php print_unescaped(OCP\Util::imagePath('core', 'googleplay.png')); ?>" />
 	</a>
-	<a href="<?php echo $_['clients']['ios']; ?>" target="_blank">
-		<img src="<?php echo OCP\Util::imagePath('core', 'appstore.png'); ?>" />
+	<a href="<?php p($_['clients']['ios']); ?>" target="_blank">
+		<img src="<?php print_unescaped(OCP\Util::imagePath('core', 'appstore.png')); ?>" />
 	</a>
 	<?php if(OC_APP::isEnabled('firstrunwizard')) {?>
-	<center><a class="button" href="#" id="showWizard"><?php echo $l->t('Show First Run Wizard again');?></a></center>
+	<center><a class="button" href="#" id="showWizard"><?php p($l->t('Show First Run Wizard again'));?></a></center>
 	<?php }?>
 </div>
 
@@ -34,7 +34,7 @@ if($_['passwordChangeSupported']) {
 ?>
 <form id="passwordform">
 	<fieldset class="personalblock">
-		<legend><strong><?php echo $l->t('Password');?></strong></legend>
+		<legend><strong><?php p($l->t('Password'));?></strong></legend>
 		<div id="passwordchanged"><?php echo $l->t('Your password was changed');?></div>
 		<div id="passworderror"><?php echo $l->t('Unable to change your password');?></div>
 		<input type="password" id="pass1" name="oldpassword" placeholder="<?php echo $l->t('Current password');?>" />
@@ -54,11 +54,11 @@ if($_['displayNameChangeSupported']) {
 <form id="displaynameform">
 	<fieldset class="personalblock">
 		<legend><strong><?php echo $l->t('Display Name');?></strong></legend>
-		<div id="displaynamechanged"><?php echo $l->t('Your display name was changed');?></div>
-		<div id="displaynameerror"><?php echo $l->t('Unable to change your display name');?></div>
-		<input type="text" id="displayName" name="displayName" value="<?php echo $_['displayName']?>" />
-		<input type="hidden" id="oldDisplayName" name="oldDisplayName" value="<?php echo $_['displayName']?>" />
-		<input id="displaynamebutton" type="submit" value="<?php echo $l->t('Change display name');?>" />
+		<div id="displaynamechanged"><?php p($l->t('Your display name was changed'));?></div>
+		<div id="displaynameerror"><?php p($l->t('Unable to change your display name'));?></div>
+		<input type="text" id="displayName" name="displayName" value="<?php p($_['displayName'])?>" />
+		<input type="hidden" id="oldDisplayName" name="oldDisplayName" value="<?php p($_['displayName'])?>" />
+		<input id="displaynamebutton" type="submit" value="<?php p($l->t('Change display name'));?>" />
 	</fieldset>
 </form>
 <?php
@@ -67,42 +67,42 @@ if($_['displayNameChangeSupported']) {
 
 <form id="lostpassword">
 	<fieldset class="personalblock">
-		<legend><strong><?php echo $l->t('Email');?></strong></legend>
-		<input type="text" name="email" id="email" value="<?php echo $_['email']; ?>"
-			placeholder="<?php echo $l->t('Your email address');?>" /><span class="msg"></span><br />
-		<em><?php echo $l->t('Fill in an email address to enable password recovery');?></em>
+		<legend><strong><?php p($l->t('Email'));?></strong></legend>
+		<input type="text" name="email" id="email" value="<?php p($_['email']); ?>"
+			placeholder="<?php p($l->t('Your email address'));?>" /><span class="msg"></span><br />
+		<em><?php p($l->t('Fill in an email address to enable password recovery'));?></em>
 	</fieldset>
 </form>
 
 <form>
 	<fieldset class="personalblock">
-		<legend><strong><?php echo $l->t('Language');?></strong></legend>
-		<select id="languageinput" class="chzen-select" name="lang" data-placeholder="<?php echo $l->t('Language');?>">
+		<legend><strong><?php p($l->t('Language'));?></strong></legend>
+		<select id="languageinput" class="chzen-select" name="lang" data-placeholder="<?php p($l->t('Language'));?>">
 		<?php foreach($_['languages'] as $language):?>
-			<option value="<?php echo $language['code'];?>"><?php echo $language['name'];?></option>
+			<option value="<?php p($language['code']);?>"><?php p($language['name']);?></option>
 		<?php endforeach;?>
 		</select>
-		<a href="https://www.transifex.net/projects/p/owncloud/team/<?php echo $_['languages'][0]['code'];?>/"
-			target="_blank"><em><?php echo $l->t('Help translate');?></em></a>
+		<a href="https://www.transifex.net/projects/p/owncloud/team/<?php p($_['languages'][0]['code']);?>/"
+			target="_blank"><em><?php p($l->t('Help translate'));?></em></a>
 	</fieldset>
 </form>
 
 <fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('WebDAV');?></strong></legend>
-	<code><?php echo OC_Helper::linkToRemote('webdav'); ?></code><br />
-	<em><?php echo $l->t('Use this address to connect to your ownCloud in your file manager');?></em>
+	<legend><strong><?php p($l->t('WebDAV'));?></strong></legend>
+	<code><?php print_unescaped(OC_Helper::linkToRemote('webdav')); ?></code><br />
+	<em><?php p($l->t('Use this address to connect to your ownCloud in your file manager'));?></em>
 </fieldset>
 
 <?php foreach($_['forms'] as $form) {
-	echo $form;
+	print_unescaped($form);
 };?>
 
 
 <fieldset class="personalblock">
-	<legend><strong><?php echo $l->t('Version');?></strong></legend>
-	<strong>ownCloud</strong> <?php echo(OC_Util::getVersionString()); ?>
-	<?php echo(OC_Util::getEditionString()); ?> <br />
-	<?php echo $l->t('Developed by the <a href="http://ownCloud.org/contact" target="_blank">ownCloud community</a>, the <a href="https://github.com/owncloud" target="_blank">source code</a> is licensed under the <a href="http://www.gnu.org/licenses/agpl-3.0.html" target="_blank"><abbr title="Affero General Public License">AGPL</abbr></a>.'); ?>
+	<legend><strong><?php p($l->t('Version'));?></strong></legend>
+	<strong>ownCloud</strong> <?php p(OC_Util::getVersionString()); ?>
+	<?php p(OC_Util::getEditionString()); ?> <br />
+	<?php print_unescaped($l->t('Developed by the <a href="http://ownCloud.org/contact" target="_blank">ownCloud community</a>, the <a href="https://github.com/owncloud" target="_blank">source code</a> is licensed under the <a href="http://www.gnu.org/licenses/agpl-3.0.html" target="_blank"><abbr title="Affero General Public License">AGPL</abbr></a>.')); ?>
 </fieldset>
 
 
diff --git a/settings/templates/settings.php b/settings/templates/settings.php
index de8092eeaf..48b4e6b323 100644
--- a/settings/templates/settings.php
+++ b/settings/templates/settings.php
@@ -5,5 +5,5 @@
  */?>
 
 <?php foreach($_['forms'] as $form) {
-	echo $form;
+	print_unescaped($form);
 };
diff --git a/settings/templates/users.php b/settings/templates/users.php
index 53a66fb468..deffe16832 100644
--- a/settings/templates/users.php
+++ b/settings/templates/users.php
@@ -14,49 +14,49 @@ unset($items['admin']);
 $_['subadmingroups'] = array_flip($items);
 ?>
 
-<script type="text/javascript" src="<?php echo OC_Helper::linkToRoute('isadmin');?>"></script>
+<script type="text/javascript" src="<?php print_unescaped(OC_Helper::linkToRoute('isadmin'));?>"></script>
 
 <div id="controls">
 	<form id="newuser" autocomplete="off">
-		<input id="newusername" type="text" placeholder="<?php echo $l->t('Login Name')?>" /> <input
+		<input id="newusername" type="text" placeholder="<?php p($l->t('Login Name'))?>" /> <input
 			type="password" id="newuserpassword"
-			placeholder="<?php echo $l->t('Password')?>" /> <select
+			placeholder="<?php p($l->t('Password'))?>" /> <select
 			class="groupsselect"
 			id="newusergroups" data-placeholder="groups"
-			title="<?php echo $l->t('Groups')?>" multiple="multiple">
+			title="<?php p($l->t('Groups'))?>" multiple="multiple">
 			<?php foreach($_["groups"] as $group): ?>
-			<option value="<?php echo $group['name'];?>">
-				<?php echo $group['name'];?>
+			<option value="<?php p($group['name']);?>">
+				<?php p($group['name']);?>
 			</option>
 			<?php endforeach;?>
-		</select> <input type="submit" value="<?php echo $l->t('Create')?>" />
+		</select> <input type="submit" value="<?php p($l->t('Create'))?>" />
 	</form>
 	<div class="quota">
-		<span><?php echo $l->t('Default Storage');?></span>
+		<span><?php p($l->t('Default Storage'));?></span>
 			<?php if((bool) $_['isadmin']): ?>
 			<select class='quota'>
 				<option
-					<?php if($_['default_quota']=='none') echo 'selected="selected"';?>
+					<?php if($_['default_quota']=='none') print_unescaped('selected="selected"');?>
 						value='none'>
-					<?php echo $l->t('Unlimited');?>
+					<?php p($l->t('Unlimited'));?>
 				</option>
 				<?php foreach($_['quota_preset'] as $preset):?>
 				<?php if($preset!='default'):?>
 				<option
-				<?php if($_['default_quota']==$preset) echo 'selected="selected"';?>
-					value='<?php echo $preset;?>'>
-					<?php echo $preset;?>
+				<?php if($_['default_quota']==$preset) print_unescaped('selected="selected"');?>
+					value='<?php p($preset);?>'>
+					<?php p($preset);?>
 				</option>
 				<?php endif;?>
 				<?php endforeach;?>
 				<?php if($_['defaultQuotaIsUserDefined']):?>
 				<option selected="selected"
-					value='<?php echo $_['default_quota'];?>'>
-					<?php echo $_['default_quota'];?>
+					value='<?php p($_['default_quota']);?>'>
+					<?php p($_['default_quota']);?>
 				</option>
 				<?php endif;?>
 				<option value='other'>
-					<?php echo $l->t('Other');?>
+					<?php p($l->t('Other'));?>
 					...
 				</option>
 			</select>
@@ -64,49 +64,49 @@ $_['subadmingroups'] = array_flip($items);
 			<?php if((bool) !$_['isadmin']): ?>
 				<select class='quota' disabled="disabled">
 					<option selected="selected">
-				<?php echo $_['default_quota'];?>
+				<?php p($_['default_quota']);?>
 					</option>
 				</select>
 			<?php endif; ?>
 	</div>
 </div>
 
-<table class="hascontrols" data-groups="<?php echo implode(', ', $allGroups);?>">
+<table class="hascontrols" data-groups="<?php p(implode(', ', $allGroups));?>">
 	<thead>
 		<tr>
-			<th id='headerName'><?php echo $l->t('Login Name')?></th>
-			<th id="headerDisplayName"><?php echo $l->t( 'Display Name' ); ?></th>
-			<th id="headerPassword"><?php echo $l->t( 'Password' ); ?></th>
-			<th id="headerGroups"><?php echo $l->t( 'Groups' ); ?></th>
+			<th id='headerName'><?php p($l->t('Login Name'))?></th>
+			<th id="headerDisplayName"><?php p($l->t( 'Display Name' )); ?></th>
+			<th id="headerPassword"><?php p($l->t( 'Password' )); ?></th>
+			<th id="headerGroups"><?php p($l->t( 'Groups' )); ?></th>
 			<?php if(is_array($_['subadmins']) || $_['subadmins']): ?>
-			<th id="headerSubAdmins"><?php echo $l->t('Group Admin'); ?></th>
+			<th id="headerSubAdmins"><?php p($l->t('Group Admin')); ?></th>
 			<?php endif;?>
-			<th id="headerQuota"><?php echo $l->t('Storage'); ?></th>
+			<th id="headerQuota"><?php p($l->t('Storage')); ?></th>
 			<th id="headerRemove">&nbsp;</th>
 		</tr>
 	</thead>
 	<tbody>
 		<?php foreach($_["users"] as $user): ?>
-		<tr data-uid="<?php echo $user["name"] ?>"
-			data-displayName="<?php echo $user["displayName"] ?>">
-			<td class="name"><?php echo $user["name"]; ?></td>
-			<td class="displayName"><span><?php echo $user["displayName"]; ?></span> <img class="svg action"
-				src="<?php echo image_path('core', 'actions/rename.svg')?>"
-				alt="<?php echo $l->t("change display name")?>" title="<?php echo $l->t("change display name")?>"/>
+		<tr data-uid="<?php p($user["name"]) ?>"
+			data-displayName="<?php p($user["displayName"]) ?>">
+			<td class="name"><?php p($user["name"]); ?></td>
+			<td class="displayName"><span><?php p($user["displayName"]); ?></span> <img class="svg action"
+				src="<?php p(image_path('core', 'actions/rename.svg'))?>"
+				alt="<?php p($l->t("change display name"))?>" title="<?php p($l->t("change display name"))?>"/>
 			</td>
 			<td class="password"><span>●●●●●●●</span> <img class="svg action"
-				src="<?php echo image_path('core', 'actions/rename.svg')?>"
-				alt="<?php echo $l->t("set new password")?>" title="<?php echo $l->t("set new password")?>"/>
+				src="<?php print_unescaped(image_path('core', 'actions/rename.svg'))?>"
+				alt="<?php p($l->t("set new password"))?>" title="<?php p($l->t("set new password"))?>"/>
 			</td>
 			<td class="groups"><select
 				class="groupsselect"
-				data-username="<?php echo $user['name'] ;?>"
-				data-user-groups="<?php echo $user['groups'] ;?>"
-				data-placeholder="groups" title="<?php echo $l->t('Groups')?>"
+				data-username="<?php p($user['name']) ;?>"
+				data-user-groups="<?php p($user['groups']) ;?>"
+				data-placeholder="groups" title="<?php p($l->t('Groups'))?>"
 				multiple="multiple">
 					<?php foreach($_["groups"] as $group): ?>
-					<option value="<?php echo $group['name'];?>">
-						<?php echo $group['name'];?>
+					<option value="<?php p($group['name']);?>">
+						<?php p($group['name']);?>
 					</option>
 					<?php endforeach;?>
 			</select>
@@ -114,13 +114,13 @@ $_['subadmingroups'] = array_flip($items);
 			<?php if(is_array($_['subadmins']) || $_['subadmins']): ?>
 			<td class="subadmins"><select
 				class="subadminsselect"
-				data-username="<?php echo $user['name'] ;?>"
-				data-subadmin="<?php echo $user['subadmin'] ;?>"
-				data-placeholder="subadmins" title="<?php echo $l->t('Group Admin')?>"
+				data-username="<?php p($user['name']) ;?>"
+				data-subadmin="<?php p($user['subadmin']);?>"
+				data-placeholder="subadmins" title="<?php p($l->t('Group Admin'))?>"
 				multiple="multiple">
 					<?php foreach($_["subadmingroups"] as $group): ?>
-					<option value="<?php echo $group;?>">
-						<?php echo $group;?>
+					<option value="<?php p($group);?>">
+						<?php p($group);?>
 					</option>
 					<?php endforeach;?>
 			</select>
@@ -129,37 +129,37 @@ $_['subadmingroups'] = array_flip($items);
 			<td class="quota">
 				<select class='quota-user'>
 					<option
-						<?php if($user['quota']=='default') echo 'selected="selected"';?>
+						<?php if($user['quota']=='default') print_unescaped('selected="selected"');?>
 							value='default'>
-						<?php echo $l->t('Default');?>
+						<?php p($l->t('Default'));?>
 					</option>
 					<option
-					<?php if($user['quota']=='none') echo 'selected="selected"';?>
+					<?php if($user['quota']=='none') print_unescaped('selected="selected"');?>
 							value='none'>
-						<?php echo $l->t('Unlimited');?>
+						<?php p($l->t('Unlimited'));?>
 					</option>
 					<?php foreach($_['quota_preset'] as $preset):?>
 					<option
-					<?php if($user['quota']==$preset) echo 'selected="selected"';?>
-						value='<?php echo $preset;?>'>
-						<?php echo $preset;?>
+					<?php if($user['quota']==$preset) print_unescaped('selected="selected"');?>
+						value='<?php p($preset);?>'>
+						<?php p($preset);?>
 					</option>
 					<?php endforeach;?>
 					<?php if($user['isQuotaUserDefined']):?>
-					<option selected="selected" value='<?php echo $user['quota'];?>'>
-						<?php echo $user['quota'];?>
+					<option selected="selected" value='<?php p($user['quota']);?>'>
+						<?php p($user['quota']);?>
 					</option>
 					<?php endif;?>
 					<option value='other' data-new>
-						<?php echo $l->t('Other');?>
+						<?php p($l->t('Other'));?>
 						...
 					</option>
 				</select>
 			</td>
 			<td class="remove">
 				<?php if($user['name']!=OC_User::getUser()):?>
-					<a href="#" class="action delete" original-title="<?php echo $l->t('Delete')?>">
-						<img src="<?php echo image_path('core', 'actions/delete.svg') ?>" class="svg" />
+					<a href="#" class="action delete" original-title="<?php p($l->t('Delete'))?>">
+						<img src="<?php print_unescaped(image_path('core', 'actions/delete.svg')) ?>" class="svg" />
 					</a>
 				<?php endif;?>
 			</td>

From 6f14bec70afead0a8034926a0b29d21cc556b36a Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 23:15:18 +0100
Subject: [PATCH 14/18] Add a missing )

---
 core/templates/installation.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/templates/installation.php b/core/templates/installation.php
index f8c91e37eb..33b01853fb 100644
--- a/core/templates/installation.php
+++ b/core/templates/installation.php
@@ -63,7 +63,7 @@
 	<fieldset id='databaseField'>
 		<?php if($_['hasMySQL'] or $_['hasPostgreSQL'] or $_['hasOracle'] or $_['hasMSSQL'])
 			$hasOtherDB = true; else $hasOtherDB =false; //other than SQLite ?>
-		<legend><?php p($l->t( 'Configure the database' ); ?></legend>
+		<legend><?php p($l->t( 'Configure the database' )); ?></legend>
 		<div id="selectDbType">
 		<?php if($_['hasSQLite']): ?>
 		<input type='hidden' id='hasSQLite' value="true" />

From 39e28c0170382a780d1f28577205d260e9053bc3 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 23:19:38 +0100
Subject: [PATCH 15/18] Typo...

---
 core/templates/layout.base.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/templates/layout.base.php b/core/templates/layout.base.php
index 0ada957478..c12dc346af 100644
--- a/core/templates/layout.base.php
+++ b/core/templates/layout.base.php
@@ -17,7 +17,7 @@
 				foreach ($header['attributes'] as $name => $value) {
 					print_unescaped("$name='$value' ");
 				};
-				print_unescaped('/>)';
+				print_unescaped('/>');
 			?>
 		<?php endforeach; ?>
 	</head>

From 7311c2bb5d724c7c5e3c5ade6b26e3358597a04e Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 23:26:00 +0100
Subject: [PATCH 16/18] Remove uneeded OAuth files

---
 settings/oauth.php           | 101 -----------------------------------
 settings/templates/oauth.php |  20 -------
 2 files changed, 121 deletions(-)
 delete mode 100644 settings/oauth.php
 delete mode 100644 settings/templates/oauth.php

diff --git a/settings/oauth.php b/settings/oauth.php
deleted file mode 100644
index 8b4759f999..0000000000
--- a/settings/oauth.php
+++ /dev/null
@@ -1,101 +0,0 @@
-<?php
-/**
- * Copyright (c) 2012, Tom Needham <tom@owncloud.com>
- * This file is licensed under the Affero General Public License version 3 or later.
- * See the COPYING-README file.
- */
-
-require_once '../lib/base.php';
-// Logic
-$operation = isset($_GET['operation']) ? $_GET['operation'] : '';
-$server = OC_OAuth_server::init();
-
-switch($operation){
-	
-	case 'register':
-
-		// Here external apps can register with an ownCloud
-		if(empty($_GET['name']) || empty($_GET['url'])) {
-			// Invalid request
-			echo 401;
-		} else {
-			$callbacksuccess = empty($_GET['callback_success']) ? null : $_GET['callback_success'];
-			$callbackfail = empty($_GET['callback_fail']) ? null : $_GET['callback_fail'];
-			$consumer = OC_OAuth_Server::register_consumer($_GET['name'], $_GET['url'], $callbacksuccess, $callbackfail);
-			
-			echo 'Registered consumer successfully! </br></br>Key: ' . $consumer->key
-				. '</br>Secret: ' . $consumer->secret;
-		}
-		break;
-	
-	case 'request_token':
-		
-		try {
-			$request = OAuthRequest::from_request();
-			$token = $server->get_request_token($request);
-			echo $token;
-		} catch (OAuthException $exception) {
-			OC_Log::write('OC_OAuth_Server', $exception->getMessage(), OC_LOG::ERROR);
-			echo $exception->getMessage();
-		}
-	
-		break;
-	case 'authorise';
-	
-		OC_API::checkLoggedIn();
-		// Example
-		$consumer = array(
-			'name' => 'Firefox Bookmark Sync',
-			'scopes' => array('ookmarks'),
-		);
-		
-		// Check that the scopes are real and installed
-		$apps = OC_App::getEnabledApps();
-		$notfound = array();
-		foreach($consumer['scopes'] as $requiredapp){
-			// App scopes are in this format: app_$appname
-			$requiredapp = end(explode('_', $requiredapp));
-			if(!in_array($requiredapp, $apps)) {
-				$notfound[] = $requiredapp;
-			}
-		}
-		if(!empty($notfound)) {
-			// We need more apps :( Show error
-			if(count($notfound)==1) {
-				$message = 'requires that you have an extra app installed on your ownCloud.'
-					.' Please contact your ownCloud administrator and ask them to install the app below.';
-			} else {
-				$message = 'requires that you have some extra apps installed on your ownCloud.'
-					.' Please contract your ownCloud administrator and ask them to install the apps below.';
-			}
-			$t = new OC_Template('settings', 'oauth-required-apps', 'guest');
-			OC_Util::addStyle('settings', 'oauth');
-			$t->assign('requiredapps', $notfound);
-			$t->assign('consumer', $consumer);
-			$t->assign('message', $message);
-			$t->printPage();
-		} else {
-			$t = new OC_Template('settings', 'oauth', 'guest');
-			OC_Util::addStyle('settings', 'oauth');
-			$t->assign('consumer', $consumer);
-			$t->printPage();
-		}
-		break;
-	
-	case 'access_token';
-		try {
-			$request = OAuthRequest::from_request();
-			$token = $server->fetch_access_token($request);
-			echo $token;
-		} catch (OAuthException $exception) {
-			OC_Log::write('OC_OAuth_Server', $exception->getMessage(), OC_LOG::ERROR);
-			echo $exception->getMessage();
-		}
-		
-		break;
-	default:
-		// Something went wrong, we need an operation!
-		OC_Response::setStatus(400);
-		break;
-	
-}
diff --git a/settings/templates/oauth.php b/settings/templates/oauth.php
deleted file mode 100644
index 34831ba028..0000000000
--- a/settings/templates/oauth.php
+++ /dev/null
@@ -1,20 +0,0 @@
-<?php
-/**
- * Copyright (c) 2012, Tom Needham <tom@owncloud.com>
- * This file is licensed under the Affero General Public License version 3 or later.
- * See the COPYING-README file.
- */
-?>
-<div id="oauth-request" class="guest-container">
-	<p><strong><?php p($_['consumer']['name']); ?></strong> is requesting your permission to read, write, modify and delete data from the following apps:</p>
-	<ul>
-		<?php
-		// Foreach requested scope
-		foreach($_['consumer']['scopes'] as $app){
-			print_unescaped('<li>'.OC_Util:sanitzeHTML($app).'</li>)';
-		}
-		?>
-	</ul>
-	<a href="#" class="button">Allow</a>
-	<a href="#" class="button">Disallow</a>
-</div>

From 5f8bd079272c3e568d80bb984a65d9835a6b4393 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 27 Feb 2013 21:14:15 +0100
Subject: [PATCH 17/18] [Files] Use p() instead of echo

---
 apps/files/templates/part.list.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/apps/files/templates/part.list.php b/apps/files/templates/part.list.php
index 712625ce63..50330cc491 100644
--- a/apps/files/templates/part.list.php
+++ b/apps/files/templates/part.list.php
@@ -36,8 +36,7 @@
 				<?php if($file['type'] == 'dir'):?>
 					<?php print_unescaped(htmlspecialchars($file['name']));?>
 				<?php else:?>
-					<?php print_unescaped(htmlspecialchars($file['basename']));?><span
-						class='extension'><?php p($file['extension']);?></span>
+					<?php print_unescaped(htmlspecialchars($file['basename']));?><span class='extension'><?php p($file['extension']);?></span>
 				<?php endif;?>
 			</span>
 			<?php if($file['type'] == 'dir'):?>

From 301d065686b7cb4b49d7662e2edec9ed5fe4115b Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Thu, 28 Feb 2013 20:21:14 +0100
Subject: [PATCH 18/18] Sed was wrong

---
 apps/files/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/files/index.php b/apps/files/index.php
index 579e19cf11..20fbf7f93b 100644
--- a/apps/files/index.php
+++ b/apps/files/index.php
@@ -93,7 +93,7 @@ $list = new OCP\Template('files', 'part.list', '');
 $list->assign('files', $files);
 $list->assign('baseURL', OCP\Util::linkTo('files', 'index.php') . '?dir=');
 $list->assign('downloadURL', OCP\Util::linkToRoute('download', array('file' => '/')));
-$list->assign('disableSharing');
+$list->assign('disableSharing', false);
 $breadcrumbNav = new OCP\Template('files', 'part.breadcrumb', '');
 $breadcrumbNav->assign('breadcrumb', $breadcrumb);
 $breadcrumbNav->assign('baseURL', OCP\Util::linkTo('files', 'index.php') . '?dir=');