Index: wp-admin/admin-functions.php
===================================================================
--- wp-admin/admin-functions.php	(revision 5538)
+++ wp-admin/admin-functions.php	(working copy)
@@ -1007,6 +1007,7 @@
 		$key_js = js_escape( $entry['meta_key'] );
 		$entry['meta_key']   = attribute_escape($entry['meta_key']);
 		$entry['meta_value'] = attribute_escape($entry['meta_value']);
+		$entry['meta_id'] = (int) $entry['meta_id'];
 		$r .= "\n\t<tr id='meta-{$entry['meta_id']}' class='$style'>";
 		$r .= "\n\t\t<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>";
 		$r .= "\n\t\t<td><textarea name='meta[{$entry['meta_id']}][value]' tabindex='6' rows='2' cols='30'>{$entry['meta_value']}</textarea></td>";
@@ -1059,7 +1060,7 @@
 <?php
 
 	foreach ( $keys as $key ) {
-		$key = attribute_escape( $key);
+		$key = attribute_escape( $key );
 		echo "\n\t<option value='$key'>$key</option>";
 	}
 ?>
Index: wp-admin/edit-page-form.php
===================================================================
--- wp-admin/edit-page-form.php	(revision 5538)
+++ wp-admin/edit-page-form.php	(working copy)
@@ -8,6 +8,7 @@
 	$temp_ID = -1 * time(); // don't change this formula without looking at wp_write_post()
 	$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
 } else {
+	$post_ID = (int) $post_ID;
 	$form_action = 'editpost';
 	$nonce_action = 'update-page_' . $post_ID;
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
@@ -28,7 +29,7 @@
 	echo '<input type="hidden" name="mode" value="bookmarklet" />';
 }
 ?>
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" id="hiddenaction" name="action" value='<?php echo $form_action ?>' />
 <input type="hidden" id="originalaction" name="originalaction" value="<?php echo $form_action ?>" />
 <?php echo $form_extra ?>
@@ -68,7 +69,7 @@
 
 <fieldset id="passworddiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Page Password') ?></h3>
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape( $post->post_password ); ?>" /></div>
 </fieldset>
 
 <fieldset id="pageparent" class="dbx-box">
@@ -93,7 +94,7 @@
 
 <fieldset id="slugdiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Page Slug') ?></h3>
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape( $post->post_name ); ?>" /></div>
 </fieldset>
 
 <?php if ( $authors = get_editable_authors( $current_user->id ) ) : // TODO: ROLE SYSTEM ?>
@@ -106,6 +107,8 @@
 $o = get_userdata( $o->ID );
 if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
 else $selected = '';
+$o->ID = (int) $o->ID;
+$o->display_name = wp_specialchars( $o->display_name );
 echo "<option value='$o->ID' $selected>$o->display_name</option>";
 endforeach;
 ?>
@@ -116,7 +119,7 @@
 
 <fieldset id="pageorder" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Page Order') ?></h3>
-<div class="dbx-content"><p><input name="menu_order" type="text" size="4" id="menu_order" value="<?php echo $post->menu_order ?>" /></p></div>
+<div class="dbx-content"><p><input name="menu_order" type="text" size="4" id="menu_order" value="<?php echo (int) $post->menu_order ?>" /></p></div>
 </fieldset>
 
 <?php do_action('dbx_page_sidebar'); ?>
@@ -126,7 +129,7 @@
 
 <fieldset id="titlediv">
   <legend><?php _e('Page Title') ?></legend>
-  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape( $post->post_title ); ?>" id="title" /></div>
 </fieldset>
 
 
@@ -159,7 +162,7 @@
 
 <?php
 if (current_user_can('upload_files')) {
-	$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
+	$uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID);
 	$uploading_iframe_src = wp_nonce_url("upload.php?style=inline&amp;tab=upload&amp;post_id=$uploading_iframe_ID", 'inlineuploading');
 	$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
 	if ( false != $uploading_iframe_src )
Index: wp-admin/comment.php
===================================================================
--- wp-admin/comment.php	(revision 5538)
+++ wp-admin/comment.php	(working copy)
@@ -72,26 +72,26 @@
 <?php if ( 'spam' == $_GET['dt'] ) { ?>
 <input type='hidden' name='dt' value='spam' />
 <?php } ?>
-<input type='hidden' name='p' value='<?php echo $comment->comment_post_ID; ?>' />
-<input type='hidden' name='c' value='<?php echo $comment->comment_ID; ?>' />
+<input type='hidden' name='p' value='<?php echo (int) $comment->comment_post_ID; ?>' />
+<input type='hidden' name='c' value='<?php echo (int) $comment->comment_ID; ?>' />
 <input type='hidden' name='noredir' value='1' />
 </form>
 
 <table class="editform" cellpadding="5">
 <tr class="alt">
 <th scope="row"><?php _e('Author:'); ?></th>
-<td><?php echo $comment->comment_author; ?></td>
+<td><?php echo wp_specialchars( $comment->comment_author ); ?></td>
 </tr>
 <?php if ( $comment->comment_author_email ) { ?>
 <tr>
 <th scope="row"><?php _e('E-mail:'); ?></th>
-<td><?php echo $comment->comment_author_email; ?></td>
+<td><?php echo wp_specialchars( $comment->comment_author_email ); ?></td>
 </tr>
 <?php } ?>
 <?php if ( $comment->comment_author_url ) { ?>
 <tr>
 <th scope="row"><?php _e('URL:'); ?></th>
-<td><?php echo "<a href='$comment->comment_author_url'>$comment->comment_author_url</a>"; ?></td>
+<td><a href='<?php echo clean_url( $comment->comment_author_url ); ?>'><?php echo wp_specialchars( $comment->comment_author_url ); ?></a></td>
 </tr>
 <?php } ?>
 <tr>
@@ -155,7 +155,7 @@
 	if ((wp_get_referer() != "") && (false == $noredir)) {
 		wp_redirect(wp_get_referer());
 	} else {
-		wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='.$comment->comment_post_ID.'&c=1#comments');
+		wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p=' . (int) $comment->comment_post_ID.'&c=1#comments');
 	}
 	exit();
 	break;
@@ -185,7 +185,7 @@
 	if ((wp_get_referer() != "") && (false == $noredir)) {
 		wp_redirect(wp_get_referer());
 	} else {
-		wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='.$comment->comment_post_ID.'&c=1#comments');
+		wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p=' . (int) $comment->comment_post_ID.'&c=1#comments');
 	}
 	exit();
 	break;
Index: wp-admin/edit-form.php
===================================================================
--- wp-admin/edit-form.php	(revision 5538)
+++ wp-admin/edit-form.php	(working copy)
@@ -6,7 +6,7 @@
 <?php if (isset($mode) && 'bookmarklet' == $mode) : ?>
 <input type="hidden" name="mode" value="bookmarklet" />
 <?php endif; ?>
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value='post' />
 
 <script type="text/javascript">
@@ -21,7 +21,7 @@
 <div id="poststuff">
     <fieldset id="titlediv">
       <legend><a href="http://wordpress.org/docs/reference/post/#title" title="<?php _e('Help on titles') ?>"><?php _e('Title') ?></a></legend> 
-	  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+	  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape( $post->post_title ); ?>" id="title" /></div>
     </fieldset>
 
     <fieldset id="categorydiv">
@@ -49,7 +49,7 @@
 //-->
 </script>
 
-<input type="hidden" name="post_pingback" value="<?php echo get_option('default_pingback_flag') ?>" id="post_pingback" />
+<input type="hidden" name="post_pingback" value="<?php echo (int) get_option('default_pingback_flag') ?>" id="post_pingback" />
 
 <p><label for="trackback"> <?php printf(__('<a href="%s" title="Help on trackbacks"><strong>TrackBack</strong> a <abbr title="Universal Resource Locator">URL</abbr></a>:</label> (Separate multiple <abbr title="Universal Resource Locator">URL</abbr>s with spaces.)'), 'http://wordpress.org/docs/reference/post/#trackback'); echo '<br />'; ?>
 	<input type="text" name="trackback_url" style="width: 360px" id="trackback" tabindex="7" /></p>
@@ -64,7 +64,7 @@
 <?php if ('bookmarklet' != $mode) {
 		echo '<input name="advanced" type="submit" id="advancededit" tabindex="7" value="' .  __('Advanced Editing &raquo;') . '" />';
 	} ?>
-	<input name="referredby" type="hidden" id="referredby" value="<?php if ( wp_get_referer() ) echo urlencode(wp_get_referer()); ?>" />
+	<input name="referredby" type="hidden" id="referredby" value="<?php if ( $refby = wp_get_referer() ) echo urlencode($refby); ?>" />
 </p>
 
 <?php do_action('simple_edit_form', ''); ?>
Index: wp-admin/edit-form-comment.php
===================================================================
--- wp-admin/edit-form-comment.php	(revision 5538)
+++ wp-admin/edit-form-comment.php	(working copy)
@@ -2,13 +2,13 @@
 $submitbutton_text = __('Edit Comment &raquo;');
 $toprow_title = sprintf(__('Editing Comment # %s'), $comment->comment_ID);
 $form_action = 'editedcomment';
-$form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . $comment->comment_ID . "' />\n<input type='hidden' name='comment_post_ID' value='".$comment->comment_post_ID;
+$form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . (int) $comment->comment_ID . "' />\n<input type='hidden' name='comment_post_ID' value='" . (int) $comment->comment_post_ID;
 ?>
 
 <form name="post" action="comment.php" method="post" id="post">
 <?php wp_nonce_field('update-comment_' . $comment->comment_ID) ?>
 <div class="wrap">
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
 
 <script type="text/javascript">
@@ -20,19 +20,19 @@
 <fieldset id="namediv">
     <legend><label for="name"><?php _e('Name:') ?></label></legend>
 	<div>
-	  <input type="text" name="newcomment_author" size="25" value="<?php echo $comment->comment_author ?>" tabindex="1" id="name" />
+	  <input type="text" name="newcomment_author" size="25" value="<?php echo attribute_escape( $comment->comment_author ); ?>" tabindex="1" id="name" />
     </div>
 </fieldset>
 <fieldset id="emaildiv">
         <legend><label for="email"><?php _e('E-mail:') ?></label></legend>
 		<div>
-		  <input type="text" name="newcomment_author_email" size="20" value="<?php echo $comment->comment_author_email ?>" tabindex="2" id="email" />
+		  <input type="text" name="newcomment_author_email" size="20" value="<?php echo attribute_escape( $comment->comment_author_email ); ?>" tabindex="2" id="email" />
     </div>
 </fieldset>
 <fieldset id="uridiv">
         <legend><label for="newcomment_author_url"><?php _e('URL:') ?></label></legend>
 		<div>
-		  <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo $comment->comment_author_url ?>" tabindex="3" />
+		  <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo attribute_escape( $comment->comment_author_url ); ?>" tabindex="3" />
     </div>
 </fieldset>
 
@@ -68,8 +68,8 @@
 	<tr>
 		<th scope="row" valign="top"><?php _e('Delete'); $delete_nonce = wp_create_nonce( 'delete-comment_' . $comment->comment_ID ); ?>:</th>
 		<td><input name="deletecomment" class="button delete" type="submit" id="deletecomment" tabindex="10" value="<?php _e('Delete this comment') ?>" <?php echo "onclick=\"if ( confirm('" . js_escape(__("You are about to delete this comment. \n  'Cancel' to stop, 'OK' to delete.")) . "') ) { document.forms.post._wpnonce.value = '$delete_nonce'; return true; } return false;\""; ?> /> 
-		<input type="hidden" name="c" value="<?php echo $comment->comment_ID ?>" />
-		<input type="hidden" name="p" value="<?php echo $comment->comment_post_ID ?>" />
+		<input type="hidden" name="c" value="<?php echo (int) $comment->comment_ID ?>" />
+		<input type="hidden" name="p" value="<?php echo (int) $comment->comment_post_ID ?>" />
 		<input type="hidden" name="noredir" value="1" />
 	</td>
 	</tr>
Index: wp-admin/edit-form-advanced.php
===================================================================
--- wp-admin/edit-form-advanced.php	(revision 5538)
+++ wp-admin/edit-form-advanced.php	(working copy)
@@ -1,10 +1,12 @@
 <?php
+if ( isset($_GET['message']) )
+	$_GET['message'] = (int) $_GET['message'];
 $messages[1] = __('Post updated');
 $messages[2] = __('Custom field updated');
 $messages[3] = __('Custom field deleted.');
 ?>
 <?php if (isset($_GET['message'])) : ?>
-<div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div>
+<div id="message" class="updated fade"><p><?php echo wp_specialchars($messages[$_GET['message']]); ?></p></div>
 <?php endif; ?>
 
 <form name="post" action="post.php" method="post" id="post">
@@ -21,16 +23,17 @@
 	$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
 	wp_nonce_field('add-post');
 } else {
+	$post_ID = (int) $post_ID;
 	$form_action = 'editpost';
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
 	wp_nonce_field('update-post_' .  $post_ID);
 }
 
-$form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
+$form_pingback = '<input type="hidden" name="post_pingback" value="' . (int) get_option('default_pingback_flag') . '" id="post_pingback" />';
 
-$form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />';
+$form_prevstatus = '<input type="hidden" name="prev_status" value="' . attribute_escape( $post->post_status ) . '" />';
 
-$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />';
+$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />';
 
 if ('' != $post->pinged) {
 	$pings = '<p>'. __('Already pinged:') . '</p><ul>';
@@ -41,16 +44,16 @@
 	$pings .= '</ul>';
 }
 
-$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />';
+$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . attribute_escape( __('Save and Continue Editing') ) . '" />';
 
 if (empty($post->post_status)) $post->post_status = 'draft';
 
 ?>
 
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" id="hiddenaction" name="action" value="<?php echo $form_action ?>" />
 <input type="hidden" id="originalaction" name="originalaction" value="<?php echo $form_action ?>" />
-<input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" />
+<input type="hidden" name="post_author" value="<?php echo attribute_escape( $post->post_author ); ?>" />
 <input type="hidden" id="post_type" name="post_type" value="post" />
 
 <?php echo $form_extra ?>
@@ -88,12 +91,12 @@
 
 <fieldset id="passworddiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Post Password') ?></h3> 
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape( $post->post_password ); ?>" /></div>
 </fieldset>
 
 <fieldset id="slugdiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Post Slug') ?></h3> 
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape( $post->post_name ); ?>" /></div>
 </fieldset>
 
 <fieldset id="poststatusdiv" class="dbx-box">
@@ -125,7 +128,7 @@
 $o = get_userdata( $o->ID );
 if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
 else $selected = '';
-echo "<option value='$o->ID' $selected>$o->display_name</option>";
+echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars( $o->display_name ) . "</option>";
 endforeach;
 ?>
 </select>
@@ -140,7 +143,7 @@
 
 <fieldset id="titlediv">
 	<legend><?php _e('Title') ?></legend>
-	<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+	<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
 </fieldset>
 
 <fieldset id="<?php echo user_can_richedit() ? 'postdivrich' : 'postdiv'; ?>">
@@ -167,7 +170,7 @@
 <p class="submit">
 <span id="autosave"></span>
 <?php echo $saveasdraft; ?>
-<input type="submit" name="submit" value="<?php _e('Save') ?>" style="font-weight: bold;" tabindex="4" /> 
+<input type="submit" name="submit" value="<?php _e('Save'); ?>" style="font-weight: bold;" tabindex="4" /> 
 <?php 
 if ('publish' != $post->post_status || 0 == $post_ID) {
 ?>
@@ -190,7 +193,7 @@
 
 <?php
 if (current_user_can('upload_files')) {
-	$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
+	$uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID);
 	$uploading_iframe_src = wp_nonce_url("upload.php?style=inline&amp;tab=upload&amp;post_id=$uploading_iframe_ID", 'inlineuploading');
 	$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
 	if ( false != $uploading_iframe_src )
Index: wp-admin/edit-category-form.php
===================================================================
--- wp-admin/edit-category-form.php	(revision 5538)
+++ wp-admin/edit-category-form.php	(working copy)
@@ -21,7 +21,7 @@
 <div id="ajax-response"></div>
 <?php echo $form ?>
 <input type="hidden" name="action" value="<?php echo $action ?>" />
-<input type="hidden" name="cat_ID" value="<?php echo $category->term_id ?>" />
+<input type="hidden" name="cat_ID" value="<?php echo (int) $category->term_id ?>" />
 <?php wp_nonce_field($nonce_action); ?>
 	<table class="editform" width="100%" cellspacing="2" cellpadding="5">
 		<tr>
@@ -35,7 +35,7 @@
 		<tr>
 			<th scope="row" valign="top"><label for="category_parent"><?php _e('Category parent:') ?></label></th>
 			<td>        
-	  			<?php wp_dropdown_categories('hide_empty=0&name=category_parent&orderby=name&selected=' . $category->parent . '&hierarchical=1&show_option_none=' . __('None')); ?>
+	  			<?php wp_dropdown_categories('hide_empty=0&name=category_parent&orderby=name&selected=' . (int) $category->parent . '&hierarchical=1&show_option_none=' . __('None')); ?>
 	  		</td>
 		</tr>
 		<tr>


	comment_author; ?>	comment_author ); ?>
	comment_author_email; ?>	comment_author_email ); ?>
	comment_author_url'>$comment->comment_author_url"; ?>	comment_author_url ); ?>