diff -r 32be5ac4a7b0 wordpress/wp-includes/formatting.php
--- a/wordpress/wp-includes/formatting.php	Thu Feb 10 20:11:14 2011 +0100
+++ b/wordpress/wp-includes/formatting.php	Sun Feb 20 16:44:57 2011 +0100
@@ -769,6 +769,31 @@
 }
 
 /**
+ * Sanitize "object" name, stripping out unsafe characters.
+ *
+ * Leaves only alphanumeric caracters, underscore and dash 
+ * (a.k.a. 'identifier'); Preserves case
+ *
+ * @since 3.1.0
+ *
+ * @param string $name The name to be sanitized.
+ * @return string The sanitized object name.
+ */
+function sanitize_objectname( $name ) {
+	$name = wp_strip_all_tags( $name );
+	$name = remove_accents( $name );
+	// Kill octets
+	$name = preg_replace( '|%([a-fA-F0-9][a-fA-F0-9])|', '', $name );
+	$name = preg_replace( '/&.+?;/', '', $name ); // Kill entities
+	// ensure only "alnum"
+	$name = preg_replace('|[^A-Za-z0-9_]|', '', $name );
+	
+	// Remove extra spaces and return
+	return trim( $name );
+}
+
+
+/**
  * Sanitize a string key.
  *
  * Keys are used as internal identifiers. Lowercase alphanumeric characters, dashes and underscores are allowed.
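Review bot: The docblock says dashes are kept ("alphanumeric caracters, underscore and dash"), but the final pattern `'|[^A-Za-z0-9_]|'` removes them, so `my-type` comes back as `mytype` in every caller this patch adds in post.php and taxonomy.php. Either allow the dash with `preg_replace( '|[^A-Za-z0-9_-]|', '', $name )`, or correct the comment (and the "caracters" typo) to say dashes are stripped. Because the function strips rather than rejects, distinct inputs can collapse to the same identifier; the docblock should say so, so that callers can decide whether to compare the result with their input. The closing `trim()` and its "Remove extra spaces" comment are a no-op, since the whitelist has already removed all whitespace.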
diff -r 32be5ac4a7b0 wordpress/wp-includes/post.php
--- a/wordpress/wp-includes/post.php	Thu Feb 10 20:11:14 2011 +0100
+++ b/wordpress/wp-includes/post.php	Sun Feb 20 16:44:57 2011 +0100
@@ -808,6 +808,7 @@
 function get_post_type_object( $post_type ) {
 	global $wp_post_types;
 
+	$post_type = sanitize_objectname($post_type);
 	if ( empty($wp_post_types[$post_type]) )
 		return null;
 
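Review bot: Normalising the argument inside the lookup means a value such as `po<b>st` or `post;` now resolves to the `post` object, while the caller still holds the original string. Code that treats a non-null result as proof that its own `$post_type` is a registered type would then carry on with the unvalidated string; the callers are outside this diff, so this needs checking. A stricter lookup would refuse input that changes under sanitization, e.g. `if ( $post_type !== sanitize_objectname( $post_type ) ) return null;`. The rest of get_post_type_object lies outside the hunk.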
@@ -912,7 +913,7 @@
 	$args = wp_parse_args($args, $defaults);
 	$args = (object) $args;
 
-	$post_type = sanitize_key($post_type);
+	$post_type = sanitize_objectname($post_type);
 	$args->name = $post_type;
 
 	if ( strlen( $post_type ) > 20 )
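Review bot: Replacing `sanitize_key()` with `sanitize_objectname()` changes the key an existing name is registered under. The context in formatting.php describes keys as lowercase with dashes allowed, whereas the new function preserves case and strips dashes. A type that used to register as `my-type` would now register as `mytype`, and anything that stored or hard-coded the old key (not visible in this diff) would presumably stop matching. The visible check only tests for names longer than 20 characters, so a name made up entirely of stripped characters appears to reach registration as an empty string; consider an `if ( '' === $post_type )` guard handled the same way as the over-long case. The enclosing function starts and ends outside the hunk.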
@@ -1224,6 +1225,7 @@
 function add_post_type_support( $post_type, $feature ) {
 	global $_wp_post_type_features;
 
+	$post_type = sanitize_objectname($post_type);
 	$features = (array) $feature;
 	foreach ($features as $feature) {
 		if ( func_num_args() == 2 )
@@ -1243,6 +1245,7 @@
 function remove_post_type_support( $post_type, $feature ) {
 	global $_wp_post_type_features;
 
+	$post_type=sanitize_objectname($post_type);
 	if ( !isset($_wp_post_type_features[$post_type]) )
 		return;
 
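Review bot: The added line `$post_type=sanitize_objectname($post_type);` has no spaces around the assignment, unlike the same statement added to get_post_type_object and add_post_type_support. The identical line added to post_type_supports in the next hunk has the same issue. Write both as `$post_type = sanitize_objectname($post_type);` so all the call sites read alike. Both functions continue outside their hunks.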
@@ -1262,6 +1265,7 @@
 function post_type_supports( $post_type, $feature ) {
 	global $_wp_post_type_features;
 
+	$post_type=sanitize_objectname($post_type);
 	if ( !isset( $_wp_post_type_features[$post_type][$feature] ) )
 		return false;
 
diff -r 32be5ac4a7b0 wordpress/wp-includes/taxonomy.php
--- a/wordpress/wp-includes/taxonomy.php	Thu Feb 10 20:11:14 2011 +0100
+++ b/wordpress/wp-includes/taxonomy.php	Sun Feb 20 16:44:57 2011 +0100
@@ -295,6 +295,8 @@
 	if ( ! is_array($wp_taxonomies) )
 		$wp_taxonomies = array();
 
+	$taxonomy = sanitize_objectname($taxonomy);
+
 	$defaults = array(	'hierarchical' => false,
 						'update_count_callback' => '',
 						'rewrite' => true,
@@ -352,7 +354,10 @@
 	unset( $args['capabilities'] );
 
 	$args['name'] = $taxonomy;
-	$args['object_type'] = (array) $object_type;
+
+	// Setup object types this applies to, sanitizing names
+	$ot = (array) $object_type;
+	$args['object_type'] = array_map('sanitize_objectname',$ot);
 
 	$args['labels'] = get_taxonomy_labels( (object) $args );
 	$args['label'] = $args['labels']->name;
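Review bot: Names that sanitize to an empty string stay in `$args['object_type']`, because the `array_map()` result is stored unfiltered. Dropping them here keeps empty entries out of the taxonomy's object list: `$args['object_type'] = array_filter( array_map( 'sanitize_objectname', (array) $object_type ), 'strlen' );`. That form also makes the single-use `$ot` variable unnecessary. The surrounding function begins and ends outside the hunk.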
@@ -429,9 +434,11 @@
 function register_taxonomy_for_object_type( $taxonomy, $object_type) {
 	global $wp_taxonomies;
 
+	$taxonomy = sanitize_objectname($taxonomy);
 	if ( !isset($wp_taxonomies[$taxonomy]) )
 		return false;
 
+	$object_type = sanitize_objectname($object_type);
 	if ( ! get_post_type_object($object_type) )
 		return false;
 
