diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 10dcb3b8..542d3086 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -107,7 +107,7 @@ module ApplicationHelper
 text = options.delete(:text) || format_revision(revision)
 rev = revision.respond_to?(:identifier) ? revision.identifier : revision
- link_to(text, {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev},
+ link_to(h(text), {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev},
 :title => l(:label_revision_id, format_revision(revision)))
 end
@@ -410,7 +410,7 @@ module ApplicationHelper
 def html_title(*args)
 if args.empty?
 title = []
- title << @project.name if @project
+ title << h(@project.name) if @project
 title += @html_title if @html_title
 title << Setting.app_title
 title.select {|t| !t.blank? }.join(' - ')
@@ -561,7 +561,7 @@ module ApplicationHelper
 wiki_page_id = page.present? ? Wiki.titleize(page) : nil
 url_for(:only_path => only_path, :controller => 'wiki', :action => 'show', :project_id => link_project, :id => wiki_page_id, :anchor => anchor)
 end
- link_to((title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new')))
+ link_to(h(title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new')))
 else
 # project or wiki doesn't exist
 all
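Review bot: In the `@@ -410` hunk escaping for `html_title` is now split between the helper and its callers: `@project.name` is escaped here, but the `@html_title` entries are only safe when every view remembers to pass `h(...)`, and `Setting.app_title` is joined into the page raw. Escaping once at the join point, `title.select {|t| !t.blank? }.map {|t| h(t) }.join(' - ')`, covers all three uniformly regardless of caller discipline. If that is done, the `h(...)` wrappers this commit adds around the `html_title` arguments in the view hunks (attachments, documents, issues, news, repositories) become redundant and should be dropped, because `h` is not idempotent on already-escaped text (`&amp;` becomes `&amp;amp;`). The branch of `html_title` that stores caller-supplied titles is outside the hunk.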
@@ -615,7 +615,7 @@ module ApplicationHelper
 if prefix.nil? && sep == 'r'
 # project.changesets.visible raises an SQL error because of a double join on repositories
 if project && project.repository && (changeset = Changeset.visible.find_by_repository_id_and_revision(project.repository.id, identifier))
- link = link_to("#{project_prefix}r#{identifier}", {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision},
+ link = link_to(h("#{project_prefix}r#{identifier}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision},
 :class => 'changeset',
 :title => truncate_single_line(changeset.comments, :length => 100))
 end
@@ -665,7 +665,7 @@ module ApplicationHelper
 if project && project.repository && (changeset = Changeset.visible.find(:first, :conditions => ["repository_id = ? AND scmid LIKE ?", project.repository.id, "#{name}%"]))
 link = link_to h("#{project_prefix}#{name}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.identifier},
 :class => 'changeset',
- :title => truncate_single_line(changeset.comments, :length => 100)
+ :title => truncate_single_line(h(changeset.comments), :length => 100)
 end
 when 'source', 'export'
 if project && project.repository && User.current.allowed_to?(:browse_repository, project)
@@ -831,7 +831,7 @@ module ApplicationHelper
 options[:class] << ' disabled'
 url = '#'
 end
- link_to name, url, options
+ link_to h(name), url, options
 end
 def calendar_for(field_id)
diff --git a/app/helpers/calendars_helper.rb b/app/helpers/calendars_helper.rb
index b2de58f7..b8f5fcb3 100644
--- a/app/helpers/calendars_helper.rb
+++ b/app/helpers/calendars_helper.rb
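Review bot: In the `@@ -665` hunk `h` is applied before `truncate_single_line`, so the cut can land inside an entity (`&amp;` truncated to `&am`) and the 100-character budget is partly consumed by entity text; truncating first and escaping the result, `:title => h(truncate_single_line(changeset.comments, :length => 100))`, avoids both. The sibling `@@ -615` hunk builds the same `:title` from `changeset.comments` and does not escape it at all. Rails' `tag_options` is believed to run attribute values through `escape_once`, so whether the explicit `h` is strictly needed depends on the Rails version in use, but the two branches should be made consistent either way. Both hunks sit inside a method whose start and end are outside the hunk.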
@@ -45,6 +45,6 @@ module CalendarsHelper end def link_to_month(link_name, year, month, options={}) - link_to_content_update(link_name, params.merge(:year => year, :month => month)) + link_to_content_update(h(link_name), params.merge(:year => year, :month => month)) end end diff --git a/app/helpers/custom_fields_helper.rb b/app/helpers/custom_fields_helper.rb index 6fb59ee4..ba3328bb 100644 --- a/app/helpers/custom_fields_helper.rb +++ b/app/helpers/custom_fields_helper.rb @@ -53,7 +53,7 @@ module CustomFieldsHelper # Return custom field label tag def custom_field_label_tag(name, custom_value) - content_tag "label", custom_value.custom_field.name + + content_tag "label", h(custom_value.custom_field.name) + (custom_value.custom_field.is_required? ? " *" : ""), :for => "#{name}_custom_field_values_#{custom_value.custom_field.id}", :class => (custom_value.errors.empty? ? nil : "error" ) diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb index 84b5a63b..4063d763 100644 --- a/app/helpers/issues_helper.rb +++ b/app/helpers/issues_helper.rb @@ -44,11 +44,11 @@ module IssuesHelper link_to_issue(issue) + "

" + "#{@cached_label_project}: #{link_to_project(issue.project)}
" + - "#{@cached_label_status}: #{issue.status.name}
" + + "#{@cached_label_status}: #{h(issue.status.name)}
" + "#{@cached_label_start_date}: #{format_date(issue.start_date)}
" + "#{@cached_label_due_date}: #{format_date(issue.due_date)}
" + - "#{@cached_label_assigned_to}: #{issue.assigned_to}
" + - "#{@cached_label_priority}: #{issue.priority.name}" + "#{@cached_label_assigned_to}: #{h(issue.assigned_to)}
" + + "#{@cached_label_priority}: #{h(issue.priority.name)}" end def render_issue_subject_with_tree(issue) @@ -114,7 +114,7 @@ module IssuesHelper # links to #index on issues/show url_params = controller_name == 'issues' ? {:controller => 'issues', :action => 'index', :project_id => @project} : params - content_tag('h3', title) + + content_tag('h3', h(title)) + queries.collect {|query| link_to(h(query.name), url_params.merge(:query_id => query)) }.join('
') diff --git a/app/helpers/queries_helper.rb b/app/helpers/queries_helper.rb index b4fd07c3..d468be9a 100644 --- a/app/helpers/queries_helper.rb +++ b/app/helpers/queries_helper.rb @@ -20,7 +20,7 @@ module QueriesHelper def column_header(column) column.sortable ? sort_header_tag(column.name.to_s, :caption => column.caption, :default_order => column.default_order) : - content_tag('th', column.caption) + content_tag('th', h(column.caption)) end def column_content(column, issue) @@ -41,7 +41,7 @@ module QueriesHelper if column.name == :done_ratio progress_bar(value, :width => '80px') else - value.to_s + h(value.to_s) end when 'User' link_to_user value diff --git a/app/helpers/reports_helper.rb b/app/helpers/reports_helper.rb index 6b965fb4..adf66589 100644 --- a/app/helpers/reports_helper.rb +++ b/app/helpers/reports_helper.rb @@ -27,6 +27,6 @@ module ReportsHelper def aggregate_link(data, criteria, *args) a = aggregate data, criteria - a > 0 ? link_to(a, *args) : '-' + a > 0 ? link_to(h(a), *args) : '-' end end diff --git a/app/helpers/repositories_helper.rb b/app/helpers/repositories_helper.rb index b81778b0..556da589 100644 --- a/app/helpers/repositories_helper.rb +++ b/app/helpers/repositories_helper.rb @@ -83,7 +83,7 @@ module RepositoriesHelper if s = tree[file][:s] style << ' folder' path_param = to_path_param(@repository.relative_path(file)) - text = link_to(text, :controller => 'repositories', + text = link_to(h(text), :controller => 'repositories', :action => 'show', :id => @project, :path => path_param, 
@@ -93,18 +93,18 @@ module RepositoriesHelper elsif c = tree[file][:c] style << " change-#{c.action}" path_param = to_path_param(@repository.relative_path(c.path)) - text = link_to(text, :controller => 'repositories', + text = link_to(h(text), :controller => 'repositories', :action => 'entry', :id => @project, :path => path_param, :rev => @changeset.identifier) unless c.action == 'D' - text << " - #{c.revision}" unless c.revision.blank? + text << " - #{h(c.revision)}" unless c.revision.blank? text << ' (' + link_to('diff', :controller => 'repositories', :action => 'diff', :id => @project, :path => path_param, :rev => @changeset.identifier) + ') ' if c.action == 'M' - text << ' ' + content_tag('span', c.from_path, :class => 'copied-from') unless c.from_path.blank? + text << ' ' + content_tag('span', h(c.from_path), :class => 'copied-from') unless c.from_path.blank? output << "
  • #{text}
  • " end end diff --git a/app/helpers/search_helper.rb b/app/helpers/search_helper.rb index 98fc27fa..6bc9b1d4 100644 --- a/app/helpers/search_helper.rb +++ b/app/helpers/search_helper.rb @@ -53,7 +53,7 @@ module SearchHelper c = results_by_type[t] next if c == 0 text = "#{type_label(t)} (#{c})" - links << link_to(text, :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1) + links << link_to(h(text), :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1) end ('') unless links.empty? end diff --git a/app/helpers/sort_helper.rb b/app/helpers/sort_helper.rb index daea424b..4ba2d5d3 100644 --- a/app/helpers/sort_helper.rb +++ b/app/helpers/sort_helper.rb @@ -218,7 +218,7 @@ module SortHelper # Add project_id to url_options url_options = url_options.merge(:project_id => params[:project_id]) if params.has_key?(:project_id) - link_to_content_update(caption, url_options, :class => css) + link_to_content_update(h(caption), url_options, :class => css) end # Returns a table header tag with a sort link for the named column diff --git a/app/helpers/timelog_helper.rb b/app/helpers/timelog_helper.rb index 9e5336b5..af46e6bb 100644 --- a/app/helpers/timelog_helper.rb +++ b/app/helpers/timelog_helper.rb @@ -125,7 +125,7 @@ module TimelogHelper elsif k = @available_criterias[criteria][:klass] obj = k.find_by_id(value.to_i) if obj.is_a?(Issue) - obj.visible? ? "#{obj.tracker} ##{obj.id}: #{obj.subject}" : "##{obj.id}" + obj.visible? ? h("#{obj.tracker} ##{obj.id}: #{obj.subject}") : h("##{obj.id}") else obj end diff --git a/app/views/activities/index.html.erb b/app/views/activities/index.html.erb index cb957991..af604a66 100644 --- a/app/views/activities/index.html.erb +++ b/app/views/activities/index.html.erb 
@@ -12,7 +12,7 @@ <%= content_tag('span', h(e.project), :class => 'project') if @project.nil? || @project != e.project %> <%= link_to format_activity_title(e.event_title), e.event_url %>
    <%= format_activity_description(e.event_description) %> - <%= e.event_author if e.respond_to?(:event_author) %>
    + <%= link_to_user(e.event_author) if e.respond_to?(:event_author) %> <% end -%> <% end -%> diff --git a/app/views/attachments/_links.rhtml b/app/views/attachments/_links.rhtml index 19ab6734..4f4e2d18 100644 --- a/app/views/attachments/_links.rhtml +++ b/app/views/attachments/_links.rhtml @@ -11,7 +11,7 @@ :title => l(:button_delete) %> <% end %> <% if options[:author] %> - <%= attachment.author %>, <%= format_time(attachment.created_on) %> + <%= h(attachment.author) %>, <%= format_time(attachment.created_on) %> <% end %>

    <% end %> diff --git a/app/views/attachments/diff.rhtml b/app/views/attachments/diff.rhtml index 36db0af5..36e47217 100644 --- a/app/views/attachments/diff.rhtml +++ b/app/views/attachments/diff.rhtml @@ -2,7 +2,7 @@

    <%= h("#{@attachment.description} - ") unless @attachment.description.blank? %> - <%= @attachment.author %>, <%= format_time(@attachment.created_on) %>

    + <%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %>

    <%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%> (<%= number_to_human_size @attachment.filesize %>)

    @@ -10,7 +10,7 @@   <%= render :partial => 'common/diff', :locals => {:diff => @diff, :diff_type => @diff_type} %> -<% html_title @attachment.filename %> +<% html_title h(@attachment.filename) %> <% content_for :header_tags do -%> <%= stylesheet_link_tag "scm" -%> diff --git a/app/views/attachments/file.rhtml b/app/views/attachments/file.rhtml index c7e7a757..fde551f8 100644 --- a/app/views/attachments/file.rhtml +++ b/app/views/attachments/file.rhtml @@ -2,7 +2,7 @@

    <%= h("#{@attachment.description} - ") unless @attachment.description.blank? %> - <%= @attachment.author %>, <%= format_time(@attachment.created_on) %>

    + <%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %>

    <%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%> (<%= number_to_human_size @attachment.filesize %>)

    @@ -10,7 +10,7 @@   <%= render :partial => 'common/file', :locals => {:content => @content, :filename => @attachment.filename} %> -<% html_title @attachment.filename %> +<% html_title h(@attachment.filename) %> <% content_for :header_tags do -%> <%= stylesheet_link_tag "scm" -%> diff --git a/app/views/auth_sources/edit.rhtml b/app/views/auth_sources/edit.rhtml index 165fd4f3..e2c99aa3 100644 --- a/app/views/auth_sources/edit.rhtml +++ b/app/views/auth_sources/edit.rhtml @@ -1,4 +1,4 @@ -

    <%=l(:label_auth_source)%> (<%= @auth_source.auth_method_name %>)

    +

    <%=l(:label_auth_source)%> (<%= h(@auth_source.auth_method_name) %>)

    <% form_tag({:action => 'update', :id => @auth_source}, :class => "tabular") do %> <%= render :partial => 'form' %> diff --git a/app/views/auth_sources/new.rhtml b/app/views/auth_sources/new.rhtml index 2d493dc3..d0b9b1d4 100644 --- a/app/views/auth_sources/new.rhtml +++ b/app/views/auth_sources/new.rhtml @@ -1,4 +1,4 @@ -

    <%=l(:label_auth_source_new)%> (<%= @auth_source.auth_method_name %>)

    +

    <%=l(:label_auth_source_new)%> (<%= h(@auth_source.auth_method_name) %>)

    <% form_tag({:action => 'create'}, :class => "tabular") do %> <%= render :partial => 'form' %> diff --git a/app/views/boards/show.rhtml b/app/views/boards/show.rhtml index 54c02c81..eb33d880 100644 --- a/app/views/boards/show.rhtml +++ b/app/views/boards/show.rhtml @@ -43,7 +43,7 @@ <% @topics.each do |topic| %> <%= link_to h(topic.subject), { :controller => 'messages', :action => 'show', :board_id => @board, :id => topic } %> - <%= topic.author %> + <%= link_to_user(topic.author) %> <%= format_time(topic.created_on) %> <%= topic.replies_count %> diff --git a/app/views/common/_diff.rhtml b/app/views/common/_diff.rhtml index b4327aec..273479f2 100644 --- a/app/views/common/_diff.rhtml +++ b/app/views/common/_diff.rhtml @@ -5,7 +5,7 @@ <% if diff.diff_type == 'sbs' -%> - + <% table_file.each_line do |spacing, line| -%> @@ -31,7 +31,7 @@ <% else -%>
    <%=to_utf8_for_attachments table_file.file_name %>
    <%= h(to_utf8_for_attachments(table_file.file_name)) %>
    - + <% table_file.each_line do |spacing, line| %> diff --git a/app/views/common/error.html.erb b/app/views/common/error.html.erb index 0367b47b..cbded214 100644 --- a/app/views/common/error.html.erb +++ b/app/views/common/error.html.erb @@ -3,4 +3,4 @@

    <%=h @message %>

    Back

    -<% html_title @status %> +<% html_title h(@status) %> diff --git a/app/views/custom_fields/_form.rhtml b/app/views/custom_fields/_form.rhtml index ec265aca..dcaecead 100644 --- a/app/views/custom_fields/_form.rhtml +++ b/app/views/custom_fields/_form.rhtml @@ -82,7 +82,7 @@ when "IssueCustomField" %>
    <%=l(:label_tracker_plural)%> <% for tracker in @trackers %> - <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= tracker.name %> + <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= h(tracker.name) %> <% end %> <%= hidden_field_tag "custom_field[tracker_ids][]", '' %>
    diff --git a/app/views/custom_fields/_index.rhtml b/app/views/custom_fields/_index.rhtml index 21ae01be..a6495fbf 100644 --- a/app/views/custom_fields/_index.rhtml +++ b/app/views/custom_fields/_index.rhtml @@ -13,7 +13,7 @@ <% (@custom_fields_by_type[tab[:name]] || []).sort.each do |custom_field| -%> "> - + <% if tab[:name] == 'IssueCustomField' %> diff --git a/app/views/documents/show.rhtml b/app/views/documents/show.rhtml index 75854357..922fe36b 100644 --- a/app/views/documents/show.rhtml +++ b/app/views/documents/show.rhtml @@ -25,7 +25,7 @@ <% end %> <% end %> -<% html_title @document.title -%> +<% html_title h(@document.title) -%> <% content_for :header_tags do %> <%= stylesheet_link_tag 'scm' %> diff --git a/app/views/gantts/show.html.erb b/app/views/gantts/show.html.erb index 0c024528..bfe1dc59 100644 --- a/app/views/gantts/show.html.erb +++ b/app/views/gantts/show.html.erb @@ -101,7 +101,7 @@ height = (show_weeks ? header_heigth : header_heigth + g_height) width = ((month_f >> 1) - month_f) * zoom - 1 %>
    - <%= link_to "#{month_f.year}-#{month_f.month}", @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%> + <%= link_to h("#{month_f.year}-#{month_f.month}"), @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%>
    <% left = left + width + 1 diff --git a/app/views/issue_statuses/index.html.erb b/app/views/issue_statuses/index.html.erb index 5bc139d8..0d3c1503 100644 --- a/app/views/issue_statuses/index.html.erb +++ b/app/views/issue_statuses/index.html.erb @@ -19,7 +19,7 @@ <% for status in @issue_statuses %> "> - + <% if Issue.use_status_for_done_ratio? %> <% end %> diff --git a/app/views/issues/_attributes.rhtml b/app/views/issues/_attributes.rhtml index 7f5151df..499537ef 100644 --- a/app/views/issues/_attributes.rhtml +++ b/app/views/issues/_attributes.rhtml @@ -4,7 +4,7 @@ <% if @issue.new_record? || @allowed_statuses.any? %>

    <%= f.select :status_id, (@allowed_statuses.collect {|p| [p.name, p.id]}), :required => true %>

    <% else %> -

    <%= @issue.status.name %>

    +

    <%= h(@issue.status.name) %>

    <% end %>

    <%= f.select :priority_id, (@priorities.collect {|p| [p.name, p.id]}), {:required => true}, :disabled => !@issue.leaf? %>

    diff --git a/app/views/issues/_list_simple.rhtml b/app/views/issues/_list_simple.rhtml index 22e61478..09a5097e 100644 --- a/app/views/issues/_list_simple.rhtml +++ b/app/views/issues/_list_simple.rhtml @@ -9,10 +9,10 @@ <% for issue in issues %> - + diff --git a/app/views/issues/_relations.rhtml b/app/views/issues/_relations.rhtml index e7672dca..3dab155f 100644 --- a/app/views/issues/_relations.rhtml +++ b/app/views/issues/_relations.rhtml @@ -14,7 +14,7 @@ <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue(relation.other_issue(@issue), :truncate => 60) %> - + <% for status in @statuses %> - + <% end %> @@ -15,7 +15,7 @@ <% for row in rows %> "> - @@ -50,4 +50,4 @@
    <%=to_utf8_for_attachments table_file.file_name %>
    <%= h(to_utf8_for_attachments(table_file.file_name)) %>
    <%= link_to custom_field.name, :action => 'edit', :id => custom_field %><%= link_to h(custom_field.name), :action => 'edit', :id => custom_field %> <%= l(Redmine::CustomFieldFormat.label_for(custom_field.field_format)) %> <%= checked_image custom_field.is_required? %>
    <%= link_to status.name, :action => 'edit', :id => status %><%= link_to h(status.name), :action => 'edit', :id => status %><%= h status.default_done_ratio %>
    <%= check_box_tag("ids[]", issue.id, false, :style => 'display:none;') %> - <%= link_to issue.id, :controller => 'issues', :action => 'show', :id => issue %> + <%= link_to(h(issue.id), :controller => 'issues', :action => 'show', :id => issue) %> <%= link_to_project(issue.project) %> <%=h issue.tracker %><%= relation.other_issue(@issue).status.name %><%= h(relation.other_issue(@issue).status.name) %> <%= format_date(relation.other_issue(@issue).start_date) %> <%= format_date(relation.other_issue(@issue).due_date) %> <%= link_to_remote(image_tag('delete.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :issue_id => @issue, :id => relation}, diff --git a/app/views/issues/index.rhtml b/app/views/issues/index.rhtml index 3a5c41c5..18df5a6b 100644 --- a/app/views/issues/index.rhtml +++ b/app/views/issues/index.rhtml @@ -6,7 +6,7 @@

    <%= @query.new_record? ? l(:label_issue_plural) : h(@query.name) %>

    -<% html_title(@query.new_record? ? l(:label_issue_plural) : @query.name) %> +<% html_title(@query.new_record? ? l(:label_issue_plural) : h(@query.name)) %> <% form_tag({ :controller => 'queries', :action => 'new' }, :id => 'query_form') do %> <%= hidden_field_tag('project_id', @project.to_param) if @project %> diff --git a/app/views/issues/show.rhtml b/app/views/issues/show.rhtml index 8a3b69a3..eddc7da0 100644 --- a/app/views/issues/show.rhtml +++ b/app/views/issues/show.rhtml @@ -113,7 +113,7 @@ <%= f.link_to 'PDF' %> <% end %> -<% html_title "#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}" %> +<% html_title h("#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}") %> <% content_for :sidebar do %> <%= render :partial => 'issues/sidebar' %> diff --git a/app/views/mailer/account_activated.text.html.rhtml b/app/views/mailer/account_activated.text.html.rhtml index 6dc95223..cb8d8caa 100644 --- a/app/views/mailer/account_activated.text.html.rhtml +++ b/app/views/mailer/account_activated.text.html.rhtml @@ -1,2 +1,2 @@

    <%= l(:notice_account_activated) %>

    -

    <%= l(:label_login) %>: <%= link_to @login_url, @login_url %>

    +

    <%= l(:label_login) %>: <%= link_to h(@login_url), @login_url %>

    diff --git a/app/views/mailer/account_activation_request.text.html.rhtml b/app/views/mailer/account_activation_request.text.html.rhtml index b19cf321..4450631b 100644 --- a/app/views/mailer/account_activation_request.text.html.rhtml +++ b/app/views/mailer/account_activation_request.text.html.rhtml @@ -1,2 +1,2 @@

    <%= l(:mail_body_account_activation_request, h(@user.login)) %>

    -

    <%= link_to @url, @url %>

    +

    <%= link_to h(@url), @url %>

    diff --git a/app/views/mailer/attachments_added.text.html.rhtml b/app/views/mailer/attachments_added.text.html.rhtml index 369834b6..11d1cf54 100644 --- a/app/views/mailer/attachments_added.text.html.rhtml +++ b/app/views/mailer/attachments_added.text.html.rhtml @@ -1,4 +1,4 @@ -<%= link_to @added_to, @added_to_url %>
    +<%= link_to h(@added_to), @added_to_url %>
      <% @attachments.each do |attachment | %>
    • <%=h attachment.filename %>
    • diff --git a/app/views/mailer/reminder.text.html.rhtml b/app/views/mailer/reminder.text.html.rhtml index 62201e50..f011da3e 100644 --- a/app/views/mailer/reminder.text.html.rhtml +++ b/app/views/mailer/reminder.text.html.rhtml @@ -2,7 +2,7 @@
        <% @issues.each do |issue| -%> -
      • <%=h issue.project %> - <%=link_to("#{issue.tracker} ##{issue.id}", :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %>
      • +
      • <%=h issue.project %> - <%=link_to(h("#{issue.tracker} ##{issue.id}"), :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %>
      • <% end -%>
      diff --git a/app/views/mailer/wiki_content_updated.text.html.rhtml b/app/views/mailer/wiki_content_updated.text.html.rhtml index de173b96..d62d33e1 100644 --- a/app/views/mailer/wiki_content_updated.text.html.rhtml +++ b/app/views/mailer/wiki_content_updated.text.html.rhtml @@ -3,4 +3,4 @@ <%=h @wiki_content.comments %>

      <%= l(:label_view_diff) %>:
      -<%= link_to @wiki_diff_url, @wiki_diff_url %>

      +<%= link_to h(@wiki_diff_url), @wiki_diff_url %>

      diff --git a/app/views/news/show.rhtml b/app/views/news/show.rhtml index 7167a305..fd92e386 100644 --- a/app/views/news/show.rhtml +++ b/app/views/news/show.rhtml @@ -63,7 +63,7 @@ <% end %> <% end %> -<% html_title @news.title -%> +<% html_title h(@news.title) -%> <% content_for :header_tags do %> <%= stylesheet_link_tag 'scm' %> diff --git a/app/views/projects/_form.rhtml b/app/views/projects/_form.rhtml index 9772a899..43f9a1b9 100644 --- a/app/views/projects/_form.rhtml +++ b/app/views/projects/_form.rhtml @@ -42,7 +42,7 @@ <% @trackers.each do |tracker| %> <% end %> <%= hidden_field_tag 'project[tracker_ids][]', '' %> @@ -54,7 +54,7 @@ <% @issue_custom_fields.each do |custom_field| %> <% end %> <%= hidden_field_tag 'project[issue_custom_field_ids][]', '' %> diff --git a/app/views/projects/list_members.rhtml b/app/views/projects/list_members.rhtml index 7f2ae379..04de1604 100644 --- a/app/views/projects/list_members.rhtml +++ b/app/views/projects/list_members.rhtml @@ -4,7 +4,7 @@ <% members = @members.group_by {|m| m.role } %> <% members.keys.sort{|x,y| x.position <=> y.position}.each do |role| %> -

      <%= role.name %>

      +

      <%= h(role.name) %>

        <% members[role].each do |m| %>
      • <%= link_to_user m.user %> (<%= format_date m.created_on %>)
      • diff --git a/app/views/projects/show.rhtml b/app/views/projects/show.rhtml index 027d9377..b7036a56 100644 --- a/app/views/projects/show.rhtml +++ b/app/views/projects/show.rhtml @@ -18,7 +18,7 @@ <% end %> <% @project.visible_custom_field_values.each do |custom_value| %> <% if !custom_value.value.blank? %> -
      • <%= custom_value.custom_field.name%>: <%=h show_value(custom_value) %>
      • +
      • <%= h(custom_value.custom_field.name) %>: <%=h show_value(custom_value) %>
      • <% end %> <% end %>
      @@ -28,7 +28,7 @@

      <%=l(:label_issue_tracking)%>

        <% for tracker in @trackers %> -
      • <%= link_to tracker.name, :controller => 'issues', :action => 'index', :project_id => @project, +
      • <%= link_to h(tracker.name), :controller => 'issues', :action => 'index', :project_id => @project, :set_filter => 1, "tracker_id" => tracker.id %>: <%= l(:label_x_open_issues_abbr_on_total, :count => @open_issues_by_tracker[tracker].to_i, diff --git a/app/views/queries/index.rhtml b/app/views/queries/index.rhtml index 7f91399f..066f30ed 100644 --- a/app/views/queries/index.rhtml +++ b/app/views/queries/index.rhtml @@ -11,7 +11,7 @@ <% @queries.each do |query| %>
    - <%= link_to query.name, :controller => 'issues', :action => 'index', :project_id => @project, :query_id => query %> + <%= link_to h(query.name), :controller => 'issues', :action => 'index', :project_id => @project, :query_id => query %> diff --git a/app/views/reports/_details.rhtml b/app/views/reports/_details.rhtml index ac9f2b0c..352b06d3 100644 --- a/app/views/reports/_details.rhtml +++ b/app/views/reports/_details.rhtml @@ -6,7 +6,7 @@
    <%= status.name %><%= h(status.name) %><%=l(:label_open_issues_plural)%> <%=l(:label_closed_issues_plural)%>
    <%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), + <%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), :set_filter => 1, :subproject_id => '!*', "#{field_name}" => row.id %>
    <% end - reset_cycle %> \ No newline at end of file + reset_cycle %> diff --git a/app/views/reports/_simple.rhtml b/app/views/reports/_simple.rhtml index 0b097879..46f4a9fd 100644 --- a/app/views/reports/_simple.rhtml +++ b/app/views/reports/_simple.rhtml @@ -11,7 +11,7 @@ <% for row in rows %> "> - <%= link_to row.name, :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), + <%= link_to h(row.name), :controller => 'issues', :action => 'index', :project_id => ((row.is_a?(Project) ? row : @project)), :set_filter => 1, :subproject_id => '!*', "#{field_name}" => row.id %> @@ -38,4 +38,4 @@ <% end - reset_cycle %> \ No newline at end of file + reset_cycle %> diff --git a/app/views/repositories/_breadcrumbs.rhtml b/app/views/repositories/_breadcrumbs.rhtml index 0d548176..de3001e0 100644 --- a/app/views/repositories/_breadcrumbs.rhtml +++ b/app/views/repositories/_breadcrumbs.rhtml @@ -25,4 +25,4 @@ dirs.each do |dir| %> <%= "@ #{h rev_text}" unless rev_text.blank? %> -<% html_title(with_leading_slash(path)) -%> +<% html_title(h(with_leading_slash(path))) -%> diff --git a/app/views/repositories/_dir_list_content.rhtml b/app/views/repositories/_dir_list_content.rhtml index f6833c89..5207e3f7 100644 --- a/app/views/repositories/_dir_list_content.rhtml +++ b/app/views/repositories/_dir_list_content.rhtml 
@@ -3,7 +3,7 @@ depth = params[:depth].to_i %> <% ent_path = replace_invalid_utf8(entry.path) %> <% ent_name = replace_invalid_utf8(entry.name) %> - + <% if entry.is_dir? %> <%= link_to_revision(changeset, @project) if changeset %> <%= distance_of_time_in_words(entry.lastrev.time, Time.now) if entry.lastrev && entry.lastrev.time %> -<%= changeset.nil? ? h(replace_invalid_utf8(entry.lastrev.author.to_s.split('<').first)) : changeset.author if entry.lastrev %> +<%= changeset.nil? ? h(replace_invalid_utf8(entry.lastrev.author.to_s.split('<').first)) : h(changeset.author) if entry.lastrev %> <%=h truncate(Changeset.to_utf8(changeset.comments, changeset.repository.repo_log_encoding), :length => 50) unless changeset.nil? %> <% end %> diff --git a/app/views/repositories/diff.rhtml b/app/views/repositories/diff.rhtml index efb84a44..cb868665 100644 --- a/app/views/repositories/diff.rhtml +++ b/app/views/repositories/diff.rhtml @@ -16,7 +16,7 @@ <%= f.link_to 'Diff', :url => params, :caption => 'Unified diff' %> <% end %> -<% html_title(with_leading_slash(@path), 'Diff') -%> +<% html_title(h(with_leading_slash(@path)), 'Diff') -%> <% content_for :header_tags do %> <%= stylesheet_link_tag "scm" %> diff --git a/app/views/repositories/revision.rhtml b/app/views/repositories/revision.rhtml index 483e358d..ce90a254 100644 --- a/app/views/repositories/revision.rhtml +++ b/app/views/repositories/revision.rhtml @@ -21,7 +21,7 @@
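Review bot: `html_title(h(with_leading_slash(@path)), 'Diff')` escapes the repository path at the call site, but the `<title>` element is emitted by the layout, not by this view; if the base layout renders it as `<%=h html_title %>` (the Redmine convention this code base inherits — the layout is not visible here) a path like `src/a&b` ends up as `a&amp;amp;b` in the title, and any future view that forgets the call-site `h()` stays unprotected. Escaping belongs once at the sink: keep the view as `html_title(with_leading_slash(@path), 'Diff')` and make the layout (or the point where html_title joins its parts) apply `h` to every element. The same call-site pattern is repeated in the _breadcrumbs, users, versions and wiki hunks of this commit, so whichever layer is chosen should be applied consistently.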

    <%= l(:label_revision) %> <%= format_revision(@changeset) %>

    -

    <% if @changeset.scmid %>ID: <%= @changeset.scmid %>
    <% end %> +

    <% if @changeset.scmid %>ID: <%= h(@changeset.scmid) %>
    <% end %> <%= authoring(@changeset.committed_on, @changeset.author) %>

    <%= textilizable @changeset.comments %> diff --git a/app/views/roles/index.html.erb b/app/views/roles/index.html.erb index fb5ff5be..b8cea261 100644 --- a/app/views/roles/index.html.erb +++ b/app/views/roles/index.html.erb @@ -13,7 +13,7 @@ <% for role in @roles %> "> - <%= content_tag(role.builtin? ? 'em' : 'span', link_to(role.name, :action => 'edit', :id => role)) %> + <%= content_tag(role.builtin? ? 'em' : 'span', link_to(h(role.name), :action => 'edit', :id => role)) %> <% unless role.builtin? %> <%= reorder_links('role', {:action => 'edit', :id => role}) %> diff --git a/app/views/search/index.rhtml b/app/views/search/index.rhtml index db9e3b64..02833a5d 100644 --- a/app/views/search/index.rhtml +++ b/app/views/search/index.rhtml @@ -31,9 +31,9 @@ <% @results.each do |e| %>
    <%= content_tag('span', h(e.project), :class => 'project') unless @project == e.project %> - <%= link_to highlight_tokens(truncate(e.event_title, :length => 255), @tokens), e.event_url %> + <%= link_to highlight_tokens(truncate(h(e.event_title), :length => 255), @tokens), e.event_url %>
    -
    <%= highlight_tokens(e.event_description, @tokens) %> +
    <%= highlight_tokens(h(e.event_description), @tokens) %> <%= format_time(e.event_datetime) %>
    <% end %> diff --git a/app/views/timelog/_list.rhtml b/app/views/timelog/_list.rhtml index 28f1f523..6b0f970b 100644 --- a/app/views/timelog/_list.rhtml +++ b/app/views/timelog/_list.rhtml @@ -15,9 +15,9 @@ <% entries.each do |entry| -%> "> <%= format_date(entry.spent_on) %> -<%=h entry.user %> +<%= link_to_user(entry.user) %> <%=h entry.activity %> -<%=h entry.project %> +<%= link_to_project(entry.project) %> <% if entry.issue -%> <%= entry.issue.visible? ? link_to_issue(entry.issue, :truncate => 50) : "##{entry.issue.id}" -%> diff --git a/app/views/trackers/index.html.erb b/app/views/trackers/index.html.erb index ab6eba57..c4981ccd 100644 --- a/app/views/trackers/index.html.erb +++ b/app/views/trackers/index.html.erb @@ -14,7 +14,7 @@ <% for tracker in @trackers %> "> - <%= link_to tracker.name, :action => 'edit', :id => tracker %> + <%= link_to h(tracker.name), :action => 'edit', :id => tracker %> <% unless tracker.workflows.count > 0 %><%= l(:text_tracker_no_workflow) %> (<%= link_to l(:button_edit), {:controller => 'workflows', :action => 'edit', :tracker_id => tracker} %>)<% end %> <%= reorder_links('tracker', {:action => 'edit', :id => tracker}) %> diff --git a/app/views/users/edit.rhtml b/app/views/users/edit.rhtml index 0d9cb013..ccf4489d 100644 --- a/app/views/users/edit.rhtml +++ b/app/views/users/edit.rhtml @@ -7,4 +7,4 @@ <%= render_tabs user_settings_tabs %> -<% html_title(l(:label_user), @user.login, l(:label_administration)) -%> +<% html_title(l(:label_user), h(@user.login), l(:label_administration)) -%> diff --git a/app/views/users/show.rhtml b/app/views/users/show.rhtml index ac93ed02..a9cd0100 100644 --- a/app/views/users/show.rhtml +++ b/app/views/users/show.rhtml @@ -70,4 +70,4 @@ <%= call_hook :view_account_right_bottom, :user => @user %>
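Review bot: In `link_to highlight_tokens(truncate(h(e.event_title), :length => 255), @tokens), e.event_url` the title is escaped before it is truncated, so a cut at the 255-character boundary can split an entity such as `&amp;` or `&lt;` and leave a dangling `&am` in the page, and the token matching presumably done by highlight_tokens now runs against escaped text, so a search term containing `&`, `<` or a quote is no longer highlighted. Truncate the raw value first and escape the result: `link_to highlight_tokens(h(truncate(e.event_title, :length => 255)), @tokens), e.event_url`. If highlight_tokens already escapes the segments it emits (its body is not visible here), both added `h()` calls double-encode and the real gap is the path where it returns `text` untouched for empty tokens; confirm against the helper rather than escaping at every call site.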
    -<% html_title @user.name %> +<% html_title h(@user.name) %> diff --git a/app/views/versions/_issue_counts.rhtml b/app/views/versions/_issue_counts.rhtml index 71dc5787..cb957f30 100644 --- a/app/views/versions/_issue_counts.rhtml +++ b/app/views/versions/_issue_counts.rhtml @@ -15,7 +15,7 @@ <% counts.each do |count| %> - <%= link_to count[:group], {:controller => 'issues', + <%= link_to h(count[:group]), {:controller => 'issues', :action => 'index', :project_id => version.project, :set_filter => 1, diff --git a/app/views/versions/index.html.erb b/app/views/versions/index.html.erb index 2fded9c6..0d132a73 100644 --- a/app/views/versions/index.html.erb +++ b/app/views/versions/index.html.erb @@ -5,7 +5,7 @@ <% else %>
    <% @versions.each do |version| %> -

    <%= tag 'a', :name => version.name %><%= link_to_version version %>

    +

    <%= tag 'a', :name => h(version.name) %><%= link_to_version version %>

    <%= render :partial => 'versions/overview', :locals => {:version => version} %> <%= render(:partial => "wiki/content", :locals => {:content => version.wiki_page.content}) if version.wiki_page %> diff --git a/app/views/versions/show.rhtml b/app/views/versions/show.rhtml index 25d93eaf..9741356f 100644 --- a/app/views/versions/show.rhtml +++ b/app/views/versions/show.rhtml @@ -46,4 +46,4 @@ <%= call_hook :view_versions_show_bottom, :version => @version %> -<% html_title @version.name %> +<% html_title h(@version.name) %> diff --git a/app/views/wiki/annotate.rhtml b/app/views/wiki/annotate.rhtml index dfea1958..abceb4e7 100644 --- a/app/views/wiki/annotate.rhtml +++ b/app/views/wiki/annotate.rhtml @@ -3,11 +3,11 @@ <%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %>
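Review bot: `tag 'a', :name => h(version.name)` is redundant rather than a fix: the Rails `tag` helper escapes attribute values itself unless it is called with escape set to false, and since it does so with escape_once the extra `h()` neither double-encodes nor adds protection, it only hides which layer is responsible. Reverting to `tag 'a', :name => version.name` keeps a single, well-understood escaping layer; if the intent was to make the anchor usable as a URL fragment, an HTML-escaped name is still not URL-safe and a slug would be needed instead, but link_to_version, which builds that side, is outside this hunk.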
    -

    <%= @page.pretty_title %>

    +

    <%= h(@page.pretty_title) %>

    -<%= l(:label_version) %> <%= link_to @annotate.content.version, :action => 'show', :id => @page.title, :version => @annotate.content.version %> -(<%= @annotate.content.author ? @annotate.content.author.name : "anonyme" %>, <%= format_time(@annotate.content.updated_on) %>) +<%= l(:label_version) %> <%= link_to h(@annotate.content.version), :action => 'show', :id => @page.title, :version => @annotate.content.version %> +(<%= h(@annotate.content.author ? @annotate.content.author.name : "anonyme") %>, <%= format_time(@annotate.content.updated_on) %>)

    <% colors = Hash.new {|k,v| k[v] = (k.size % 12) } %> diff --git a/app/views/wiki/date_index.html.erb b/app/views/wiki/date_index.html.erb index 611f18b2..a5000f29 100644 --- a/app/views/wiki/date_index.html.erb +++ b/app/views/wiki/date_index.html.erb @@ -12,7 +12,7 @@

    <%= format_date(date) %>

    <% end %> diff --git a/app/views/wiki/diff.rhtml b/app/views/wiki/diff.rhtml index a1006dce..e5f1666a 100644 --- a/app/views/wiki/diff.rhtml +++ b/app/views/wiki/diff.rhtml @@ -2,14 +2,14 @@ <%= link_to(l(:label_history), {:action => 'history', :id => @page.title}, :class => 'icon icon-history') %>
    -

    <%= @page.pretty_title %>

    +

    <%= h(@page.pretty_title) %>

    <%= l(:label_version) %> <%= link_to @diff.content_from.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_from.version %> -(<%= @diff.content_from.author ? @diff.content_from.author.name : "anonyme" %>, <%= format_time(@diff.content_from.updated_on) %>) +(<%= @diff.content_from.author ? link_to_user(@diff.content_from.author) : "anonyme" %>, <%= format_time(@diff.content_from.updated_on) %>) → <%= l(:label_version) %> <%= link_to @diff.content_to.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => @diff.content_to.version %>/<%= @page.content.version %> -(<%= @diff.content_to.author ? @diff.content_to.author.name : "anonyme" %>, <%= format_time(@diff.content_to.updated_on) %>) +(<%= @diff.content_to.author ? link_to_user(@diff.content_to.author) : "anonyme" %>, <%= format_time(@diff.content_to.updated_on) %>)

    diff --git a/app/views/wiki/edit.rhtml b/app/views/wiki/edit.rhtml index 62933ae8..d858dcff 100644 --- a/app/views/wiki/edit.rhtml +++ b/app/views/wiki/edit.rhtml @@ -26,4 +26,4 @@ <%= robot_exclusion_tag %> <% end %> -<% html_title @page.pretty_title %> +<% html_title h(@page.pretty_title) %> diff --git a/app/views/wiki/export_multiple.rhtml b/app/views/wiki/export_multiple.rhtml index 31fa557c..df8f7401 100644 --- a/app/views/wiki/export_multiple.rhtml +++ b/app/views/wiki/export_multiple.rhtml @@ -20,13 +20,13 @@ h1:hover a.wiki-anchor, h2:hover a.wiki-anchor, h3:hover a.wiki-anchor { display <%= l(:label_index_by_title) %> <% @pages.each do |page| %>
    - + <%= textilizable page.content ,:text, :wiki_links => :anchor %> <% end %> diff --git a/app/views/wiki/history.rhtml b/app/views/wiki/history.rhtml index 78598e3f..7c72242d 100644 --- a/app/views/wiki/history.rhtml +++ b/app/views/wiki/history.rhtml @@ -1,4 +1,4 @@ -

    <%= @page.pretty_title %>

    +

    <%= h(@page.pretty_title) %>

    <%= l(:label_history) %>

    @@ -18,7 +18,7 @@ <% line_num = 1 %> <% @versions.each do |ver| %> "> - <%= link_to ver.version, :action => 'show', :id => @page.title, :project_id => @page.project, :version => ver.version %> + <%= link_to h(ver.version), :action => 'show', :id => @page.title, :project_id => @page.project, :version => ver.version %> <%= radio_button_tag('version', ver.version, (line_num==1), :id => "cb-#{line_num}", :onclick => "$('cbto-#{line_num+1}').checked=true;") if show_diff && (line_num < @versions.size) %> <%= radio_button_tag('version_from', ver.version, (line_num==2), :id => "cbto-#{line_num}") if show_diff && (line_num > 1) %> <%= format_time(ver.created_at) %> diff --git a/app/views/wiki/rename.rhtml b/app/views/wiki/rename.rhtml index f94b8bc3..2defff51 100644 --- a/app/views/wiki/rename.rhtml +++ b/app/views/wiki/rename.rhtml @@ -1,4 +1,4 @@ -

    <%= l(:button_rename) %>: <%= @original_title %>

    +

    <%= l(:button_rename) %>: <%= h(@original_title) %>

    <%= error_messages_for 'page' %> diff --git a/app/views/wiki/show.rhtml b/app/views/wiki/show.rhtml index 6cc7fbc0..09d10f58 100644 --- a/app/views/wiki/show.rhtml +++ b/app/views/wiki/show.rhtml @@ -21,7 +21,7 @@ <%= link_to((l(:label_next) + ' »'), :action => 'show', :id => @page.title, :project_id => @page.project, :version => (@content.version + 1)) + " - " if @content.version < @page.content.version %> <%= link_to(l(:label_current_version), :action => 'show', :id => @page.title, :project_id => @page.project) %>
    - <%= @content.author ? @content.author.name : "anonyme" %>, <%= format_time(@content.updated_on) %>
    + <%= @content.author ? link_to_user(@content.author) : "anonyme" %>, <%= format_time(@content.updated_on) %>
    <%=h @content.comments %>


    @@ -61,4 +61,4 @@ <%= render :partial => 'wiki/sidebar' %> <% end %> -<% html_title @page.pretty_title %> +<% html_title h(@page.pretty_title) %> diff --git a/app/views/wikis/destroy.rhtml b/app/views/wikis/destroy.rhtml index b5b1de11..75c0eac2 100644 --- a/app/views/wikis/destroy.rhtml +++ b/app/views/wikis/destroy.rhtml @@ -1,7 +1,7 @@

    <%=l(:label_confirmation)%>

    -

    <%= @project.name %>
    <%=l(:text_wiki_destroy_confirmation)%>

    +

    <%= h(@project.name) %>
    <%=l(:text_wiki_destroy_confirmation)%>

    <% form_tag({:controller => 'wikis', :action => 'destroy', :id => @project}) do %> <%= hidden_field_tag "confirm", 1 %> diff --git a/doc/CHANGELOG.rdoc b/doc/CHANGELOG.rdoc index 16d1b23f..89967937 100644 --- a/doc/CHANGELOG.rdoc +++ b/doc/CHANGELOG.rdoc @@ -1,5 +1,9 @@ = ChiliProject changelog +== 2011-08-01 v2.1.1 + +* Bug #547: Multiple XSS vulnerabilities + == 2011-07-29 v2.1.0 * Bug #191: Add Next/Previous links to the top of search results diff --git a/lib/redmine/version.rb b/lib/redmine/version.rb index cace954c..92d27f08 100644 --- a/lib/redmine/version.rb +++ b/lib/redmine/version.rb @@ -17,7 +17,7 @@ module Redmine module VERSION #:nodoc: MAJOR = 2 MINOR = 1 - PATCH = 0 + PATCH = 1 TINY = PATCH # Redmine compat # Used by semver to define the special version (if any). diff --git a/vendor/plugins/acts_as_journalized/lib/redmine/acts/journalized/save_hooks.rb b/vendor/plugins/acts_as_journalized/lib/redmine/acts/journalized/save_hooks.rb index fdeb60cc..608f2d07 100644 --- a/vendor/plugins/acts_as_journalized/lib/redmine/acts/journalized/save_hooks.rb +++ b/vendor/plugins/acts_as_journalized/lib/redmine/acts/journalized/save_hooks.rb @@ -66,7 +66,7 @@ module Redmine::Acts::Journalized last_journal.update_attribute(:user_id, @journal_user.id) end end - @associations_before_save = @current_journal = @journal_notes = @journal_user = nil + @associations_before_save = @current_journal = @journal_notes = @journal_user = @extra_journal_attributes = nil end def save_possible_association(method, options) diff --git a/vendor/plugins/acts_as_journalized/lib/redmine/acts/journalized/users.rb b/vendor/plugins/acts_as_journalized/lib/redmine/acts/journalized/users.rb index affa925c..910e1c2e 100644 --- a/vendor/plugins/acts_as_journalized/lib/redmine/acts/journalized/users.rb +++ b/vendor/plugins/acts_as_journalized/lib/redmine/acts/journalized/users.rb 
@@ -57,7 +57,7 @@ module Redmine::Acts::Journalized # Overrides the +journal_attributes+ method to include user information passed into the # parent object, by way of a +updated_by+ attr_accessor. def journal_attributes_with_user - journal_attributes_without_user.merge(:user_id => updated_by.try(:id) || User.current.try(:id)) + journal_attributes_without_user.merge(:user_id => journal_user.try(:id) || updated_by.try(:id) || User.current.try(:id)) end end
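Review bot: The new precedence `journal_user.try(:id) || updated_by.try(:id) || User.current.try(:id)` leaves the method's comment stale, since it still describes the author as coming solely "by way of a +updated_by+ attr_accessor"; it should read along the lines of `# user set explicitly on the journal wins; updated_by (attr_accessor on the parent) is the fallback, then User.current`. More importantly, `updated_by` is a plain accessor on the journaled model, and if it is reachable through mass assignment (no attr_protected/attr_accessible on it — not visible in this hunk) a request could stamp a journal with another user's id whenever `journal_user` is nil, corrupting the audit trail. Worth confirming the accessor is excluded from mass assignment and recording that requirement in the comment.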