diff --git a/doc/tips/yaml_setup_files.mdwn b/doc/tips/yaml_setup_files.mdwn
new file mode 100644
index 0000000..4ae0de4
--- /dev/null
+++ b/doc/tips/yaml_setup_files.mdwn
@@ -0,0 +1,10 @@
+Here's how to convert your existing standard format ikiwiki setup file into
+the new YAML format recently added to ikiwiki.
+
+1. First, make sure you have the [[!cpan YAML]] perl module installed.
+   (Run: `apt-get install libyaml-perl`)
+2. Run: `ikiwiki -setup my.setup -dumpsetup my.setup --set setuptype=Yaml`
+
+The format of the YAML setup file should be fairly self-explanatory.
+
+--[[Joey]]

diff --git a/doc/tips/laptop_wiki_with_git.mdwn b/doc/tips/laptop_wiki_with_git.mdwn
index 85e26c7..cfa565d 100644
--- a/doc/tips/laptop_wiki_with_git.mdwn
+++ b/doc/tips/laptop_wiki_with_git.mdwn
@@ -67,6 +67,5 @@ as many times as you want (thus being able to have a repository which is
 used by the ikiwiki CGI, and another which you can use for updating via
 git).
 
-When you want to update the server from the laptop, do a `git push` from
-within the laptop's bare repository, and likewise do a `git pull` to update
-the laptop from the server.
+Use standard git commands, run in the laptop's bare git repository
+to handle pulling from and pushing to the server.

diff --git a/doc/tips/laptop_wiki_with_git.mdwn b/doc/tips/laptop_wiki_with_git.mdwn
index 8570833..85e26c7 100644
--- a/doc/tips/laptop_wiki_with_git.mdwn
+++ b/doc/tips/laptop_wiki_with_git.mdwn
@@ -68,12 +68,5 @@ used by the ikiwiki CGI, and another which you can use for updating via
 git).
 
 When you want to update the server from the laptop, do a `git push` from
-within the laptop's bare repository.
-
-To update the laptop from the server, add a section for the laptop to the config file of the server's bare repository:
-
-       [remote "laptop"]
-               fetch = +refs/*:refs/*
-               url = me@laptop:/path/to/bare/repository
-
-Then do a `git push laptop` from within the server's bare repository.
+within the laptop's bare repository, and likewise do a `git pull` to update
+the laptop from the server.

diff --git a/doc/todo/ACL.mdwn b/doc/todo/ACL.mdwn
index cac6c9f..dd97932 100644
--- a/doc/todo/ACL.mdwn
+++ b/doc/todo/ACL.mdwn
@@ -93,3 +93,6 @@ Any idea when this is going to be finished?  If you want, I am happy to beta tes
 
 >>> I don't believe this is currently possible. What is missing is the concept
 >>> of page 'ownership'. -- [[Jon]]
+
+>>>> GAH! That is really a shame... Any chance of adding that?  No, I do not really expect it to be added, after all my requirements are pushing the boundary of what a wikiwiki
+ should be.  Nonetheless, thanks for your help! 

diff --git a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
index 473b06b..1c0f8f5 100644
--- a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
+++ b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
@@ -30,3 +30,6 @@ rsync plugin would be perfect but... how would i manage blog post?
 I mean... is it possible to manage ikiwiki blog too with rsync plugin in the way you told me? --Pab
 
 > If you want to allow people to make comments on your blog, no, the rsync plugin will not help, since it will upload a completely static site where nobody can make comments.  Comments require a full IkiWiki setup with CGI enabled, so that people add content (comments) from the web. --[[KathrynAndersen]]
+
+Ok, i understand, thanks.
+Is there any hosting service that permits to have a full installation of iwkiwiki or i am forced to get a vps or to mantain a personal server for that? --Pab

diff --git a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
index 5dcd016..473b06b 100644
--- a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
+++ b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
@@ -28,3 +28,5 @@ Pab
 Thanks a lot for your answer.
 rsync plugin would be perfect but... how would i manage blog post?
 I mean... is it possible to manage ikiwiki blog too with rsync plugin in the way you told me? --Pab
+
+> If you want to allow people to make comments on your blog, no, the rsync plugin will not help, since it will upload a completely static site where nobody can make comments.  Comments require a full IkiWiki setup with CGI enabled, so that people add content (comments) from the web. --[[KathrynAndersen]]

diff --git a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
index 036fe0d..5dcd016 100644
--- a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
+++ b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
@@ -27,6 +27,4 @@ Pab
 
 Thanks a lot for your answer.
 rsync plugin would be perfect but... how would i manage blog post?
-I mean... is it possible to manage ikiwiki blog too with rsync plugin in the way you told me?
-
-Pab
+I mean... is it possible to manage ikiwiki blog too with rsync plugin in the way you told me? --Pab

diff --git a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
index 0b37047..036fe0d 100644
--- a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
+++ b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
@@ -24,3 +24,9 @@ Pab
 > push changes from your local git to git on the remote host to update the
 > wiki. [[tips/Laptop_wiki_with_git]] explains one way to do that.
 > --[[Joey]] 
+
+Thanks a lot for your answer.
+rsync plugin would be perfect but... how would i manage blog post?
+I mean... is it possible to manage ikiwiki blog too with rsync plugin in the way you told me?
+
+Pab

diff --git a/doc/sandbox.mdwn b/doc/sandbox.mdwn
index 8a67807..8cba897 100644
--- a/doc/sandbox.mdwn
+++ b/doc/sandbox.mdwn
@@ -3,7 +3,7 @@ This is the [[SandBox]], a page anyone can edit to try out ikiwiki (version [[!v
 
 # Header
 
-## Subheader
+## Subheader2
 
 > This is a blockquote.
 >

diff --git a/doc/sandbox.mdwn b/doc/sandbox.mdwn
index aef928d..8a67807 100644
--- a/doc/sandbox.mdwn
+++ b/doc/sandbox.mdwn
@@ -77,4 +77,5 @@ bar
 Hmm, can I dig it?
 
 Test
+test2
 

diff --git a/doc/tips/laptop_wiki_with_git.mdwn b/doc/tips/laptop_wiki_with_git.mdwn
index 85e26c7..8570833 100644
--- a/doc/tips/laptop_wiki_with_git.mdwn
+++ b/doc/tips/laptop_wiki_with_git.mdwn
@@ -68,5 +68,12 @@ used by the ikiwiki CGI, and another which you can use for updating via
 git).
 
 When you want to update the server from the laptop, do a `git push` from
-within the laptop's bare repository, and likewise do a `git pull` to update
-the laptop from the server.
+within the laptop's bare repository.
+
+To update the laptop from the server, add a section for the laptop to the config file of the server's bare repository:
+
+       [remote "laptop"]
+               fetch = +refs/*:refs/*
+               url = me@laptop:/path/to/bare/repository
+
+Then do a `git push laptop` from within the server's bare repository.

diff --git a/IkiWiki/Wrapper.pm b/IkiWiki/Wrapper.pm
index 830b048..f175b4a 100644
--- a/IkiWiki/Wrapper.pm
+++ b/IkiWiki/Wrapper.pm
@@ -101,7 +101,6 @@ EOF
 #include <string.h>
 #include <sys/file.h>
 
-extern char **environ;
 char *newenviron[$#envsave+6];
 int i=0;
 
@@ -121,8 +120,13 @@ $check_commit_hook
 $envsave
        newenviron[i++]="HOME=$ENV{HOME}";
        newenviron[i++]="WRAPPED_OPTIONS=$configstring";
-       newenviron[i]=NULL;
-       environ=newenviron;
+
+       if (clearenv() != 0) {
+               perror("clearenv");
+               exit(1);
+       }
+       for (; i>0; i--)
+               putenv(newenviron[i-1]);
 
        if (setregid(getegid(), -1) != 0 &&
            setregid(getegid(), -1) != 0) {
diff --git a/debian/changelog b/debian/changelog
index e5347e2..73f6fcf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ ikiwiki (3.20100313) UNRELEASED; urgency=low
     wiki source files, such as .htaccess, that would normally be skipped
     for security or other reasons. Closes: #447267
     (Thanks to Aaron Wilson for the original patch.)
+  * Allow wrappers to be built using tcc.
 
  -- Joey Hess <joeyh@debian.org>  Sat, 13 Mar 2010 14:48:10 -0500
 
diff --git a/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn b/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn
index 4226c02..a8fb198 100644
--- a/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn
+++ b/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn
@@ -9,6 +9,11 @@ Everything works fine with gcc.
 
 versions: Debian lenny + backports
 
-
-
-
+> Seems that tcc does not respect changing where `environ` points as a way
+> to change the environment seen after `exec`
+> 
+> Given that the man page for `clearenv` suggests using `environ=NULL`
+> if `clearenv` is not available, I would be lerry or using tcc to compile
+> stuff, since that could easily lead to a security compromise of code that
+> expects that to work. However, I have fixed ikiwiki to use `clearenv`.
+> --[[Joey]] [[done]]

diff --git a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
index 862694d..0b37047 100644
--- a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
+++ b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
@@ -9,3 +9,18 @@ Where is specified? Where can i find documentation about it?
 Thanks in advance!
 
 Pab
+
+> There are several ways to accomplish this, depending on what you really
+> want to do.
+> 
+> If your goal is to continue generating the site locally, but then
+> transfer it to the remote host for serving, you could use the 
+> [[plugins/rsync]] plugin.
+> 
+> If your goal is to install and run the ikiwiki software on the remote host,
+> then you would follow a similar path to the ones described in these tips:
+> [[tips/nearlyfreespeech]] [[tips/DreamHost]]. Or even [[install]] ikiwiki
+> from a regular package if you have that kind of access. Then you could
+> push changes from your local git to git on the remote host to update the
+> wiki. [[tips/Laptop_wiki_with_git]] explains one way to do that.
+> --[[Joey]] 

diff --git a/doc/todo/ACL.mdwn b/doc/todo/ACL.mdwn
index c1f5d86..cac6c9f 100644
--- a/doc/todo/ACL.mdwn
+++ b/doc/todo/ACL.mdwn
@@ -90,3 +90,6 @@ Any idea when this is going to be finished?  If you want, I am happy to beta tes
 > >  * Some pages are only viewable by admins. 
 
 > > Is it possible?  If so how?...
+
+>>> I don't believe this is currently possible. What is missing is the concept
+>>> of page 'ownership'. -- [[Jon]]

diff --git a/doc/todo/ACL.mdwn b/doc/todo/ACL.mdwn
index 5797938..c1f5d86 100644
--- a/doc/todo/ACL.mdwn
+++ b/doc/todo/ACL.mdwn
@@ -21,6 +21,11 @@ something, that I think is very valuable.
 >>>> Which would rule out openid, or other fun forms of auth. And routing all access
 >>>> through the CGI sort of defeats the purpose of ikiwiki. --[[Ethan]]
 
+>>>>> I think what Joey is suggesting is to use apache ACLs in conjunction
+>>>>> with basic HTTP auth to control read access, and ikiwiki can use the
+>>>>> information via the httpauth plugin for other ACLs (write, admin). But
+>>>>> yes, that would rule out non-httpauth mechanisms. -- [[Jon]]
+
 Also see [[!debbug 443346]].
 
 > Just a few quick thoughts about this:

diff --git a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
index 9f3f0cd..862694d 100644
--- a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
+++ b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
@@ -6,4 +6,6 @@ I have my source dir and my git dir on my local machine.
 How can i upload my ikiwiki on the remote host and manage it via git as i can do when i test it locally?
 Where is specified? Where can i find documentation about it?
 
-Thanks in advance! 
+Thanks in advance!
+
+Pab

diff --git a/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
new file mode 100644
index 0000000..9f3f0cd
--- /dev/null
+++ b/doc/forum/how_to_setup_ikiwiki_on_a_remote_host.mdwn
@@ -0,0 +1,9 @@
+Hi all!
+I really like ikiwiki and i tested it on my local machine but i have one question that i can't answer reading documentation (my fault of course)...
+I have an account and some space on a free hosting service.
+Now, i want to put my ikiwiki on this remote web space so that i can browse it from wherever i want.
+I have my source dir and my git dir on my local machine.
+How can i upload my ikiwiki on the remote host and manage it via git as i can do when i test it locally?
+Where is specified? Where can i find documentation about it?
+
+Thanks in advance! 

diff --git a/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn b/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn
index 1594036..4226c02 100644
--- a/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn
+++ b/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn
@@ -7,7 +7,7 @@ I installed `tcc` and `libc6-dev` (for `libcrt1`). The wrapper compilation was O
 
 Everything works fine with gcc.
 
-versions: Debian etch+backports
+versions: Debian lenny + backports
 
 
 

diff --git a/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn b/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn
new file mode 100644
index 0000000..1594036
--- /dev/null
+++ b/doc/bugs/post-update_hook_can__39__t_be_compiled_with_tcc.mdwn
@@ -0,0 +1,14 @@
+Thinking that any c compiler would do the job, I tried to use tcc with ikiwiki, as explicitely allowed by the Debian package dependencies.
+
+I installed `tcc` and `libc6-dev` (for `libcrt1`). The wrapper compilation was OK, but the wrapper fails to run correctly and dies with
+
+    usage: ikiwiki [options] source dest
+       ikiwiki --setup configfile
+
+Everything works fine with gcc.
+
+versions: Debian etch+backports
+
+
+
+

diff --git a/doc/todo/ACL.mdwn b/doc/todo/ACL.mdwn
index d40701d..5797938 100644
--- a/doc/todo/ACL.mdwn
+++ b/doc/todo/ACL.mdwn
@@ -76,3 +76,12 @@ Any idea when this is going to be finished?  If you want, I am happy to beta tes
 > Example of use to only allow two users to edit the tipjar page:
 >   locked_pages => 'tipjar and !(user(joey) or user(bob))',
 > --[[Joey]] 
+
+> > Thank you for the hint but I am being still confused (read: dense)...  What I am trying to do is this:
+
+> >  * No anonymous access.
+> >  * Logged in users can edit and create pages.
+> >  * Users can set who can edit their pages. 
+> >  * Some pages are only viewable by admins. 
+
+> > Is it possible?  If so how?...

diff --git a/doc/plugins/contrib/highlightcode.mdwn b/doc/plugins/contrib/highlightcode.mdwn
index 8abb765..f1df204 100644
--- a/doc/plugins/contrib/highlightcode.mdwn
+++ b/doc/plugins/contrib/highlightcode.mdwn
@@ -1,6 +1,8 @@
 [[!template id=plugin name=highlightcode author="[[sabr]]"]]
 [[!tag type/format]]
 
+(An alternative to this plugin, [[plugins/highlight]], is now provided with IkiWiki. --[[smcv]])
+
 A small plugin to allow Ikiwiki to display source files complete with syntax highlighting. Files with recognized extensions (i.e. my-file.cpp) are be rendered just like any other Ikiwiki page. You can even edit your source files with Ikiwiki's editor.
 
 It uses the Syntax::Highlight::Engine::Kate Perl module to do the highlighting.

diff --git a/doc/sandbox.mdwn b/doc/sandbox.mdwn
index 1a1b128..aef928d 100644
--- a/doc/sandbox.mdwn
+++ b/doc/sandbox.mdwn
@@ -77,4 +77,4 @@ bar
 Hmm, can I dig it?
 
 Test
-pop
+

diff --git a/doc/users/tschwinge.mdwn b/doc/users/tschwinge.mdwn
index 20d8d16..414612a 100644
--- a/doc/users/tschwinge.mdwn
+++ b/doc/users/tschwinge.mdwn
@@ -99,12 +99,6 @@ page that uses \[[!meta redir]].
 
 ## [[bugs/Broken Parentlinks]]
 
-## Discussion Pages of Discussion Pages of...
-
-Is it useful to have Discussion pages of Discussion pages (etc.)?  -- On
-<http://www.gnu.org/software/hurd/hurd/building/cross-compiling/discussion.html>,
-this possibility is offered.
-
 ## Modifying [[plugins/inline]] for showing only an *appetizer*
 
 Currently ikiwiki's inline plugin will either show the full page or nothing of

diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
index 0c1b0f2..6964cf2 100644
--- a/doc/tips/htaccess_file.mdwn
+++ b/doc/tips/htaccess_file.mdwn
@@ -21,7 +21,7 @@ different way to configure the web server. One way is to not put the
 `.htaccess` file under ikiwiki's control, and just manually install it
 in the destdir. --[[Joey]]
 
-[Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
+[Apache's documentation](http://httpd.apache.org/docs/2.2/howto/htaccess.html)
 says:
 > In general, you should never use .htaccess files unless you don't have
 > access to the main server configuration file.

diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
index 7b4b090..0c1b0f2 100644
--- a/doc/tips/htaccess_file.mdwn
+++ b/doc/tips/htaccess_file.mdwn
@@ -19,10 +19,9 @@ shell on your web server.
 If any of these questions have given you pause, I suggest you find a
 different way to configure the web server. One way is to not put the
 `.htaccess` file under ikiwiki's control, and just manually install it
-in the destdir.
+in the destdir. --[[Joey]]
 
 [Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
 says:
 > In general, you should never use .htaccess files unless you don't have
 > access to the main server configuration file.
---[[Joey]]

diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
index 5266eba..7b4b090 100644
--- a/doc/tips/htaccess_file.mdwn
+++ b/doc/tips/htaccess_file.mdwn
@@ -22,9 +22,7 @@ different way to configure the web server. One way is to not put the
 in the destdir.
 
 [Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
-says
+says:
 > In general, you should never use .htaccess files unless you don't have
 > access to the main server configuration file.
-This is good advice -- if you can edit apache's main configuration files,
-then you should not use a htaccess file.
 --[[Joey]]

diff --git a/doc/todo/enable-htaccess-files.mdwn b/doc/todo/enable-htaccess-files.mdwn
index c08502b..3b9721d 100644
--- a/doc/todo/enable-htaccess-files.mdwn
+++ b/doc/todo/enable-htaccess-files.mdwn
@@ -64,6 +64,11 @@ It should be off by default of course. --Max
 ---
 +1 I want `.htaccess` so I can rewrite some old Wordpress URLs to make feeds work again. --[[hendry]]
 
+> Unless you cannot modify apache's configuration, you do not need htaccess
+> to do that. Apache's documentation recommends against using htaccess
+> unless you're a user who cannot modify the main server configuration.
+> --[[Joey]] 
+
 ---
 +1 for various purposes (but sometimes the filename isn't `.htaccess`, so please make it configurable) --[[schmonz]]
 

diff --git a/doc/todo/enable-htaccess-files.mdwn b/doc/todo/enable-htaccess-files.mdwn
index c895db7..c08502b 100644
--- a/doc/todo/enable-htaccess-files.mdwn
+++ b/doc/todo/enable-htaccess-files.mdwn
@@ -12,6 +12,13 @@
                     qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//],
            wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,
 
+> Note that the above patch is **completely broken**. 
+> It removes the crucial excludes of all files starting with a dot.
+> The negative regexps for htaccess have no effect, so the whole
+> thing only "works" because it allows *any* file starting with a dot.
+> If you applied this patch to your ikiwiki, you opened a huge security
+> hole. --[[Joey]] 
+
 [[!tag patch patch/core]]
 
 This lets the site administrator have a `.htaccess` file in their underlay

diff --git a/IkiWiki.pm b/IkiWiki.pm
index 251ed8c..ee94ce6 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -334,6 +334,15 @@ sub getsetup () {
                safe => 0, # paranoia
                rebuild => 0,
        },
+       include => {
+               type => "string",
+               default => undef,
+               example => '^\.htaccess$',
+               description => "regexp of normally ignored source files to include",
+               advanced => 1,
+               safe => 0, # regexp
+               rebuild => 1,
+       },
        exclude => {
                type => "string",
                default => undef,
@@ -1820,6 +1829,10 @@ sub file_pruned ($;$) {
                $file =~ s#^\Q$base\E/+##;
        }
 
+       if (defined $config{include} && length $config{include}) {
+               return 0 if $file =~ m/$config{include}/;
+       }
+
        my $regexp='('.join('|', @{$config{wiki_file_prune_regexps}}).')';
        return $file =~ m/$regexp/;
 }
diff --git a/debian/changelog b/debian/changelog
index 92afe66..e5347e2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,10 @@ ikiwiki (3.20100313) UNRELEASED; urgency=low
     as used by yahoo and google urls.
   * Add complete German basewiki and directives translation done by
     Sebastian Kuhnert.
+  * Add a include setting, which can be used to make ikiwiki process
+    wiki source files, such as .htaccess, that would normally be skipped
+    for security or other reasons. Closes: #447267
+    (Thanks to Aaron Wilson for the original patch.)
 
  -- Joey Hess <joeyh@debian.org>  Sat, 13 Mar 2010 14:48:10 -0500
 
diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
new file mode 100644
index 0000000..5266eba
--- /dev/null
+++ b/doc/tips/htaccess_file.mdwn
@@ -0,0 +1,30 @@
+If you try to include a `.htaccess` file in your wiki's source, in order to
+configure the web server, you'll find that ikiwiki excludes it from
+processing. In fact, ikiwiki excludes any file starting with a dot, as well
+as a lot of other files, for good security reasons.
+
+You can tell ikiwiki not to exclude the .htaccess file by adding this to
+your setup file:
+
+       include => '^\.htaccess$',
+
+Caution! Before you do that, please think for a minute about who can edit
+your wiki. Are attachment uploads enabled? Can users commit changes
+directly to the version control system? Do you trust everyone who can
+make a change to not do Bad Things with the htaccess file? Do you trust
+everyone who *might* be able to make a change in the future? Note that a
+determined attacker who can write to the htaccess file can probably get a
+shell on your web server.
+
+If any of these questions have given you pause, I suggest you find a
+different way to configure the web server. One way is to not put the
+`.htaccess` file under ikiwiki's control, and just manually install it
+in the destdir.
+
+[Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
+says
+> In general, you should never use .htaccess files unless you don't have
+> access to the main server configuration file.
+This is good advice -- if you can edit apache's main configuration files,
+then you should not use a htaccess file.
+--[[Joey]]
diff --git a/doc/todo/enable-htaccess-files.mdwn b/doc/todo/enable-htaccess-files.mdwn
index 412cb5e..c895db7 100644
--- a/doc/todo/enable-htaccess-files.mdwn
+++ b/doc/todo/enable-htaccess-files.mdwn
@@ -61,3 +61,8 @@ It should be off by default of course. --Max
 +1 for various purposes (but sometimes the filename isn't `.htaccess`, so please make it configurable) --[[schmonz]]
 
 > I've described a workaround for one use case at the [[plugins/rsync]] [[plugins/rsync/discussion]] page. --[[schmonz]]
+
+---
+
+[[done]], you can use the `include` setting to override the default
+excludes now. Please use extreme caution when doing so. --[[Joey]] 
diff --git a/doc/usage.mdwn b/doc/usage.mdwn
index a105d7e..f735170 100644
--- a/doc/usage.mdwn
+++ b/doc/usage.mdwn
@@ -234,6 +234,12 @@ also be configured using a setup file.
   Specifies a rexexp of source files to exclude from processing.
   May be specified multiple times to add to exclude list.
 
+* --include regexp
+
+  Specifies a rexexp of source files, that would normally be excluded,
+  but that you wish to include in processing.
+  May be specified multiple times to add to include list.
+
 * --adminuser name
 
   Specifies a username of a user (or, if openid is enabled, an openid) 
diff --git a/ikiwiki.in b/ikiwiki.in
index ae1251f..da55556 100755
--- a/ikiwiki.in
+++ b/ikiwiki.in
@@ -65,6 +65,9 @@ sub getconfig () {
                        "exclude=s@" => sub {
                                push @{$config{wiki_file_prune_regexps}}, $_[1];
                        },
+                       "include=s@" => sub {
+                               $config{include}=defined $config{include} && length $config{include} ? "$config{include}|$_[1]" : $_[1];
+                       },
                        "adminuser=s@" => sub {
                                push @{$config{adminuser}}, $_[1]
                        },

diff --git a/doc/sandbox/prova_blog.html b/doc/sandbox/prova_blog.html
new file mode 100644
index 0000000..d69937e
--- /dev/null
+++ b/doc/sandbox/prova_blog.html
@@ -0,0 +1,8 @@
+Questa è una prova.
+Vediamo se funziona
+
+<pre>
+#!/bin/bash
+
+echo "ciao"
+</pre>

diff --git a/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn b/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
index 9eac8ea..189ba74 100644
--- a/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
@@ -57,4 +57,14 @@ What might be causing this exception and how I might go about debugging exceptio
 >>>>>>> misunderstanding. I've put in a complete fix for this problem.
 >>>>>>> if this was in [[bugs]], I'd close it. :) --[[Joey]] 
 
+>>>>>>>> Rather than escaping `$` as an HTML entity, it would be more natural
+>>>>>>>> to escape it as `$$` (since you are escaping it for Omega, not for
+>>>>>>>> the web browser.
+>>>>>>>>
+>>>>>>>> Also if ikiwiki can put arbitrary text inside the parameters of an
+>>>>>>>> OmegaScript command, you should also escape `{`, `}` and `,` as
+>>>>>>>> `$(`, `$)` and `$.`.  It's only necessary to do so inside the
+>>>>>>>> parameters of a command, but it will work and be easier to escape
+>>>>>>>> them in any substituted text. --OllyBetts
+
 [[done]]

diff --git a/doc/todo/avatar.mdwn b/doc/todo/avatar.mdwn
index 3a4e64b..f0599e4 100644
--- a/doc/todo/avatar.mdwn
+++ b/doc/todo/avatar.mdwn
@@ -1,42 +1,60 @@
 [[!tag wishlist]]
 
 It would be nice if ikiwiki, particularly [[plugins/comments]]
-supported user avatar icons.
+(but also, ideally, recentchanges) supported user avatar icons.
 
 Idea is to add a directive that displays a small avatar image for a user.
-Pass it the email address, openid, or wiki username of the user.
+Pass it a user's the email address, openid, username, or the md5 hash
+of their email address:
 
        \[[!avatar user@example.com]]
        \[[!avatar http://joey.kitenet.net/]]
        \[[!avatar user]]
+       \[[!avatar hash]]
 
 These directives can then be hand-inserted onto pages, or more likely,
-included in eg, a comment post via a template. Possibly included in a
-recentchanges page item via that template too?
+included in eg, a comment post via a template.
+
+An optional second parameter can be included, containing additional
+options to pass in the 
+[gravatar url](http://en.gravatar.com/site/implement/url).
+For example, this asks for a smaller gravatar, and if a user does
+not have a gravatar, uses a cute auto-generated "wavatar" avatar.
+
+       \[[!gravatar user@example.com "size=40&default=wavatar"]]
+
+The `gravitar_options` setting in the setup file can be used to
+specify additional options to pass. So for example if you want
+to use wavatars everywhere, set it to "default=wavatar".
 
 The avatars are provided by various sites. For email addresses, it uses a
 [gravatar](http://gravatar.com/). For a wiki username, the
 user's email address is looked up and the gravatar for that user is
 displayed. (Of course, the user has to have filled in their email address
-on their Preferences page for that to work.)
+on their Preferences page for that to work. Also, when the user changes
+their email address in Preferences, the gravatar won't change until the
+wiki is rebuilt.)
 
 For openid, openavatar sucked and is now dead. So we need to use an email
 address instead, I guess. Problem is that the email address of a given
 openid is only known when that user is logged in and making a change.
 And we don't want to leak an openid user's email into a page either.
 Hmm. Suppose the gravatar hash could be calculated from the email address
-and embedded instead of the openid?
+and embedded instead of the openid? That would work for comments,
+but not if the directive were used elsewhere.
 
-Or, for openid, could use <http://paulisageek.com/openidavatar>.
+Or, for openid, could use <http://paulisageek.com/openidavatar>. Which
+works fine, but users are not likely to figure out what they need to do to
+get an avatar associated with their openid.
 
-An optional second parameter can be included, containing additional
-options to pass in the 
-[gravatar url](http://en.gravatar.com/site/implement/url).
-For example, this asks for a smaller gravatar, and if a user does
-not have a gravatar, uses a cute auto-generated "wavatar" avatar.
+---
 
-       \[[!gravatar user@example.com "size=40&default=wavatar"]]
+Alternative, not overdesigned approach:
 
-The `gravitar_options` setting in the setup file can be used to
-specify additional options to pass. So for example if you want
-to use wavatars everywhere, set it to "default=wavatar".
+Modify comments plugin to have an option to display avatars.
+
+When posting a comment, fill in the avatarhash field in the template.
+The hash is calculated from the user's email address. If the user's email
+is not known, skip it. 
+
+End. :P

diff --git a/IkiWiki.pm b/IkiWiki.pm
index 00eadfd..251ed8c 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -1131,7 +1131,7 @@ sub openiduser ($) {
                # Convert "http://somehost.com/user" to "user [somehost.com]".
                # (also "https://somehost.com/user/")
                if ($display !~ /\[/) {
-                       $display=~s/^https?:\/\/(.+)\/([^\/]+)\/?$/$2 [$1]/;
+                       $display=~s/^https?:\/\/(.+)\/([^\/#?]+)\/?(?:[#?].*)?$/$2 [$1]/;
                }
                $display=~s!^https?://!!; # make sure this is removed
                eval q{use CGI 'escapeHTML'};
diff --git a/debian/changelog b/debian/changelog
index 854d831..0a96796 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ ikiwiki (3.20100313) UNRELEASED; urgency=low
     as unsafe.
   * openid: Use Openid Simple Registration or OpenID Attribute Exchange
     to get the user's email address and username.
+  * Improve openid url munging; do not display anchors and cgi parameters,
+    as used by yahoo and google urls.
 
  -- Joey Hess <joeyh@debian.org>  Sat, 13 Mar 2010 14:48:10 -0500
 
diff --git a/doc/forum/google_openid_broken__63__.mdwn b/doc/forum/google_openid_broken__63__.mdwn
index 4ca5cac..96ba2d7 100644
--- a/doc/forum/google_openid_broken__63__.mdwn
+++ b/doc/forum/google_openid_broken__63__.mdwn
@@ -59,6 +59,12 @@ points to a fairly useless xml document, rather than a web page. --[[Joey]]
 
 > Using the Google profile page as the OpenID is really orthogonal to the above. --[[kaol]]
 
+>> First, I don't accept that the openid google returns from their 
+>> generic signin url *has* to be so freaking ugly. For contrast, 
+>> look at the openid you log in as if you use the yahoo url.
+>> <https://me.yahoo.com/joeyhess#35f22>. Nice and clean, now
+>> munged by ikiwiki to "joeyhess [me.yahoo.com]".
+>> 
 >> Displaying email addresses is not really an option, because ikiwiki
 >> can't leak user email addresses like that. Displaying nicknames or
 >> usernames is, see [[todo/Separate_OpenIDs_and_usernames]].
diff --git a/t/openiduser.t b/t/openiduser.t
index 52d8794..caabbce 100755
--- a/t/openiduser.t
+++ b/t/openiduser.t
@@ -10,7 +10,7 @@ BEGIN {
                eval q{use Test::More skip_all => "Net::OpenID::VerifiedIdentity not available"};
        }
        else {
-               eval q{use Test::More tests => 9};
+               eval q{use Test::More tests => 11};
        }
        use_ok("IkiWiki::Plugin::openid");
 }
@@ -28,6 +28,11 @@ $^W=1;
 is(IkiWiki::openiduser('http://yam655.livejournal.com/'), 'yam655 [livejournal.com]');
 is(IkiWiki::openiduser('http://id.mayfirst.org/jamie/'), 'jamie [id.mayfirst.org]');
 
+# yahoo has an anchor in the url
+is(IkiWiki::openiduser('https://me.yahoo.com/joeyhess#35f22'), 'joeyhess [me.yahoo.com]');
+# google urls are horrendous, but the worst bit is after a ?, so can be dropped
+is(IkiWiki::openiduser('https://www.google.com/accounts/o8/id?id=AItOawm-ebiIfxbKD3KNa-Cu9LvvD9edMLW7BAo'), 'id [www.google.com/accounts/o8]');
+
 # and some less typical ones taken from the ikiwiki commit history
 
 is(IkiWiki::openiduser('http://thm.id.fedoraproject.org/'), 'thm [id.fedoraproject.org]');

diff --git a/doc/forum/google_openid_broken__63__.mdwn b/doc/forum/google_openid_broken__63__.mdwn
index 0e41d4c..4ca5cac 100644
--- a/doc/forum/google_openid_broken__63__.mdwn
+++ b/doc/forum/google_openid_broken__63__.mdwn
@@ -58,3 +58,16 @@ points to a fairly useless xml document, rather than a web page. --[[Joey]]
 > I've added buttons that submit the two above URLs for logging in with a Google and Yahoo OpenID, respectively, to my locally changed OpenID login plugin.
 
 > Using the Google profile page as the OpenID is really orthogonal to the above. --[[kaol]]
+
+>> Displaying email addresses is not really an option, because ikiwiki
+>> can't leak user email addresses like that. Displaying nicknames or
+>> usernames is, see [[todo/Separate_OpenIDs_and_usernames]].
+>>
+>> It would probably be good if the openid plugin could be configured with
+>> a list of generic openid urls, so it can add quick login buttons using
+>> those urls.
+>>
+>> The ugly google url will still be exposed here and there where
+>> a unique user id is needed. That can be avoided by not using the generic
+>> <https://www.google.com/accounts/o8/id>, but instead your own profile
+>> like <http://www.google.com/profiles/joeyhess>. --[[Joey]] 
diff --git a/doc/todo/Separate_OpenIDs_and_usernames.mdwn b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
index 7cfe49a..fcdb49f 100644
--- a/doc/todo/Separate_OpenIDs_and_usernames.mdwn
+++ b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
@@ -26,6 +26,13 @@ A slightly more complex next step would be to request sreg from the provider and
 > 
 >   Author: Joey Hess &lt;http://joey.kitenet.net/@web&gt;
 > 
+> Only problem with the above is that the openid will still be displayed
+> by CIA. Other option is this, which solves that, but at the expense of
+> having to munge the username to fit inside the email address,
+> and generally seems backwards: --[[Joey]] 
+> 
+>   Author: http://joey.kitenet.net/ &lt;Joey_Hess@web&gt;
+> 
 > So, what needs to be done:
 > 
 > * Change `rcs_commit` and `rcs_commit_staged` to take a session object,

diff --git a/doc/todo/Separate_OpenIDs_and_usernames.mdwn b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
index 3fb952f..7cfe49a 100644
--- a/doc/todo/Separate_OpenIDs_and_usernames.mdwn
+++ b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
@@ -18,15 +18,25 @@ A slightly more complex next step would be to request sreg from the provider and
 > page).
 > 
 > I am considering displaying the userid or fullname, if available,
-> instead of the munged openid url in recentchanges. It would be nice
-> for those nasty [[google_openids|forum/google_openid_broken?]]. But,
-> I first have to find a way to encode the name in the VCS commit log,
+> instead of the munged openid url in recentchanges and comments.
+> It would be nice for those nasty [[google_openids|forum/google_openid_broken?]].
+> But, I first have to find a way to encode the name in the VCS commit log,
 > while still keeping the openid of the committer in there too.
 > Perhaps something like this (for git): --[[Joey]] 
 > 
 >   Author: Joey Hess <http://joey.kitenet.net/@web>
 > 
+> So, what needs to be done:
 > 
+> * Change `rcs_commit` and `rcs_commit_staged` to take a session object,
+>   instead of just a userid. (For back-compat, if the parameter is 
+>   not an object, it's a userid.) Bump ikiwiki plugin interface version.
+> * Modify all RCS plugins to include the session username somewhere
+>   in the commit, and parse it back out in `rcs_recentchanges`.
+> * Modify recentchanges plugin to display the username instead of the
+>   `openiduser`.
+> * Modify comment plugin to put the session username in the comment
+>   template instead of the `openiduser`.
 
 Unfortunately I don't speak Perl, so hopefully someone thinks these suggestions are good enough to code up. I've hacked on openid code in Ruby before, so hopefully these changes aren't all that difficult to implement. Even if you don't get any data via sreg, you're no worse off than where you are now, so I don't think there'd need to be much in the way of error/sanity-checking of returned data. If it's null or not available then no big deal, typing in a username is no sweat.
 

diff --git a/doc/todo/Separate_OpenIDs_and_usernames.mdwn b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
index ae427d5..3fb952f 100644
--- a/doc/todo/Separate_OpenIDs_and_usernames.mdwn
+++ b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
@@ -13,8 +13,9 @@ A slightly more complex next step would be to request sreg from the provider and
 > implemented as a badly-done wart on the side of their regular login
 > system.
 > 
-> Openid Simple Registration is now used to populate the userdb with the
-> email address for openid users.
+> The openid plugin now attempts to get an email and a username, and stores
+> them in the session database for later use (ie, when the user edits a
+> page).
 > 
 > I am considering displaying the userid or fullname, if available,
 > instead of the munged openid url in recentchanges. It would be nice
@@ -23,7 +24,9 @@ A slightly more complex next step would be to request sreg from the provider and
 > while still keeping the openid of the committer in there too.
 > Perhaps something like this (for git): --[[Joey]] 
 > 
->   Author: Joey Hess <http://joey.kitenet.net/@web>
+>   Author: Joey Hess &lt;http://joey.kitenet.net/@web&gt;
+> 
+> 
 
 Unfortunately I don't speak Perl, so hopefully someone thinks these suggestions are good enough to code up. I've hacked on openid code in Ruby before, so hopefully these changes aren't all that difficult to implement. Even if you don't get any data via sreg, you're no worse off than where you are now, so I don't think there'd need to be much in the way of error/sanity-checking of returned data. If it's null or not available then no big deal, typing in a username is no sweat.
 
diff --git a/doc/todo/avatar.mdwn b/doc/todo/avatar.mdwn
index 4409e7b..3a4e64b 100644
--- a/doc/todo/avatar.mdwn
+++ b/doc/todo/avatar.mdwn
@@ -15,14 +15,20 @@ included in eg, a comment post via a template. Possibly included in a
 recentchanges page item via that template too?
 
 The avatars are provided by various sites. For email addresses, it uses a
-[gravatar](http://gravatar.com/). For openid,
-[openavatar](http://www.openvatar.com/) could used, but I am not very happy
-with it; probably better to just get the email via SREG (as is done now for
-openid), and use that. For a wiki username, the
+[gravatar](http://gravatar.com/). For a wiki username, the
 user's email address is looked up and the gravatar for that user is
 displayed. (Of course, the user has to have filled in their email address
 on their Preferences page for that to work.)
 
+For openid, openavatar sucked and is now dead. So we need to use an email
+address instead, I guess. Problem is that the email address of a given
+openid is only known when that user is logged in and making a change.
+And we don't want to leak an openid user's email into a page either.
+Hmm. Suppose the gravatar hash could be calculated from the email address
+and embedded instead of the openid?
+
+Or, for openid, could use <http://paulisageek.com/openidavatar>.
+
 An optional second parameter can be included, containing additional
 options to pass in the 
 [gravatar url](http://en.gravatar.com/site/implement/url).

diff --git a/doc/todo/git_attribution/discussion.mdwn b/doc/todo/git_attribution/discussion.mdwn
index dfb490b..6905d9b 100644
--- a/doc/todo/git_attribution/discussion.mdwn
+++ b/doc/todo/git_attribution/discussion.mdwn
@@ -72,7 +72,7 @@ no determination of uniqueness)
 > GIT_AUTHOR_EMAIL can also be set.
 > 
 > There is one thing yet to be solved, and that is how to tell the
-> difference between a web commit by 'Joey Hess <joey@kitenet.net>',
+> difference between a web commit by 'Joey Hess <joey\@kitenet.net>',
 > and a git commit by the same. I think we do want to differentiate these,
 > and the best way to do it seems to be to add a line to the end of the
 > commit message. Something like: "\n\nWeb-commit: true"
@@ -94,5 +94,5 @@ no determination of uniqueness)
 > * github pushes to twitter ;-)
 > 
 > So while I tried that way at first, I'm now leaning toward encoding the
-> username in the email address. Like "user <user@web>", or
-> "joey <http://joey.kitenet.net/@web>".
+> username in the email address. Like "user <user\@web>", or
+> "joey <http://joey.kitenet.net/\@web>".

diff --git a/doc/todo/Separate_OpenIDs_and_usernames.mdwn b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
index 2cd52e8..ae427d5 100644
--- a/doc/todo/Separate_OpenIDs_and_usernames.mdwn
+++ b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
@@ -6,6 +6,25 @@ I see this being implemented in one of two possible ways. The easiest seems like
 
 A slightly more complex next step would be to request sreg from the provider and, if provided, automatically set the identity's username and email address from the provided persona. If username login to accounts with blank passwords is disabled, then you have the best of both worlds. Passwordless signin, human-friendly attribution, automatic setting of preferences.
 
+> Given that openids are a global user identifier, that can look as pretty
+> as the user cares to make it look via delegation, I am not a fan of 
+> having a site-local identifier that layered on top of that. Perhaps
+> partly because every site that I have seen that does that has openid
+> implemented as a badly-done wart on the side of their regular login
+> system.
+> 
+> Openid Simple Registration is now used to populate the userdb with the
+> email address for openid users.
+> 
+> I am considering displaying the userid or fullname, if available,
+> instead of the munged openid url in recentchanges. It would be nice
+> for those nasty [[google_openids|forum/google_openid_broken?]]. But,
+> I first have to find a way to encode the name in the VCS commit log,
+> while still keeping the openid of the committer in there too.
+> Perhaps something like this (for git): --[[Joey]] 
+> 
+>   Author: Joey Hess <http://joey.kitenet.net/@web>
+
 Unfortunately I don't speak Perl, so hopefully someone thinks these suggestions are good enough to code up. I've hacked on openid code in Ruby before, so hopefully these changes aren't all that difficult to implement. Even if you don't get any data via sreg, you're no worse off than where you are now, so I don't think there'd need to be much in the way of error/sanity-checking of returned data. If it's null or not available then no big deal, typing in a username is no sweat.
 
 [[!tag wishlist]]

diff --git a/doc/todo/avatar.mdwn b/doc/todo/avatar.mdwn
index b8aa232..4409e7b 100644
--- a/doc/todo/avatar.mdwn
+++ b/doc/todo/avatar.mdwn
@@ -1,35 +1,24 @@
 [[!tag wishlist]]
 
 It would be nice if ikiwiki, particularly [[plugins/comments]]
-supported user avatar icons. I was considering adding a directive for this,
-as designed below.
+supported user avatar icons.
 
-However, there is no *good* service for mapping openids to avatars --
-openavatar has many issues, including not supporting delegated openids, and
-after trying it, I don't trust it to push users toward. 
-Perhaps instead ikiwiki could get the email address from the openid
-provider, though I think the perl openid modules don't support the openid
-2.x feature that allows that.
-
-At the moment, working on this doesn't feel like a good use of my time.
---[[Joey]]
-
-Hmm.. unless is just always used a single provider (gravatar) and hashed
-the openid. Then wavatars could be used to get a unique avatar per openid
-at least. --[[Joey]] 
-
-----
-
-The directive displays a small avatar image for a user. Pass it the
-email address, openid, or wiki username of the user.
+Idea is to add a directive that displays a small avatar image for a user.
+Pass it the email address, openid, or wiki username of the user.
 
        \[[!avatar user@example.com]]
        \[[!avatar http://joey.kitenet.net/]]
        \[[!avatar user]]
 
+These directives can then be hand-inserted onto pages, or more likely,
+included in eg, a comment post via a template. Possibly included in a
+recentchanges page item via that template too?
+
 The avatars are provided by various sites. For email addresses, it uses a
 [gravatar](http://gravatar.com/). For openid,
-[openavatar](http://www.openvatar.com/) is used. For a wiki username, the
+[openavatar](http://www.openvatar.com/) could used, but I am not very happy
+with it; probably better to just get the email via SREG (as is done now for
+openid), and use that. For a wiki username, the
 user's email address is looked up and the gravatar for that user is
 displayed. (Of course, the user has to have filled in their email address
 on their Preferences page for that to work.)

diff --git a/doc/forum/google_openid_broken__63__.mdwn b/doc/forum/google_openid_broken__63__.mdwn
index 68b44f2..0e41d4c 100644
--- a/doc/forum/google_openid_broken__63__.mdwn
+++ b/doc/forum/google_openid_broken__63__.mdwn
@@ -50,3 +50,11 @@ The openid is
 <https://www.google.com/accounts/o8/id?id=AItOawltlTwUCL_Fr1siQn94GV65-XwQH5XSku4>
 (what a mouthfull!), and I don't know who that is or how to use it since it
 points to a fairly useless xml document, rather than a web page. --[[Joey]]
+
+> That string is what's received via the discovery protocol. The user logging in with a Google account is not supposed to write that when logging in, but rather <https://www.google.com/accounts/o8/id>. The OpenID client library will accept that and redirect the user to a sign in page, which will return that string as the OpenID. It's not really usable as an identifier for edits and whatnots, but an alternative would be to use the attribute exchange extension to get the email address and display that. See <http://code.google.com/apis/accounts/docs/OpenID.html#Parameters>.
+
+> Yahoo's OpenID implementation works alike, but I haven't looked at it as much. It uses <https://me.yahoo.com/> to receive the endpoint.
+
+> I've added buttons that submit the two above URLs for logging in with a Google and Yahoo OpenID, respectively, to my locally changed OpenID login plugin.
+
+> Using the Google profile page as the OpenID is really orthogonal to the above. --[[kaol]]

diff --git a/IkiWiki/Plugin/websetup.pm b/IkiWiki/Plugin/websetup.pm
index 5c19c9b..d444c0a 100644
--- a/IkiWiki/Plugin/websetup.pm
+++ b/IkiWiki/Plugin/websetup.pm
@@ -27,6 +27,13 @@ sub getsetup () {
                        safe => 0,
                        rebuild => 0,
                },
+               websetup_unsafe => {
+                       type => "string",
+                       example => [],
+                       description => "list of additional setup field keys to treat as unsafe",
+                       safe => 0,
+                       rebuild => 0,
+               },
                websetup_show_unsafe => {
                        type => "boolean",
                        example => 1,
@@ -57,6 +64,12 @@ sub formatexample ($$) {
        }
 }
 
+sub issafe ($) {
+       my $key=shift;
+
+       return ! grep { $_ eq $key } @{$config{websetup_unsafe}};
+}
+
 sub showfields ($$$@) {
        my $form=shift;
        my $plugin=shift;
@@ -78,7 +91,8 @@ sub showfields ($$$@) {
                # XXX hashes not handled yet
                next if ref $config{$key} && ref $config{$key} eq 'HASH' || ref $info{example} eq 'HASH';
                # maybe skip unsafe settings
-               next if ! $info{safe} && ! ($config{websetup_show_unsafe} && $config{websetup_advanced});
+               next if ! ($config{websetup_show_unsafe} && $config{websetup_advanced}) &&
+                       (! $info{safe} || ! issafe($key));
                # maybe skip advanced settings
                next if $info{advanced} && ! $config{websetup_advanced};
                # these are handled specially, so don't show
@@ -156,7 +170,7 @@ sub showfields ($$$@) {
 
                if (ref $value eq 'ARRAY' || ref $info{example} eq 'ARRAY') {
                        $value=[(ref $value eq 'ARRAY' ? map { Encode::encode_utf8($_) }  @{$value} : "")];
-                       push @$value, "", "" if $info{safe}; # blank items for expansion
+                       push @$value, "", "" if $info{safe} && issafe($key); # blank items for expansion
                }
                else {
                        $value=Encode::encode_utf8($value);
@@ -210,7 +224,7 @@ sub showfields ($$$@) {
                        }
                }
                
-               if (! $info{safe}) {
+               if (! $info{safe} || ! issafe($key)) {
                        $form->field(name => $name, disabled => 1);
                }
                else {
@@ -346,7 +360,7 @@ sub showform ($$) {
                                @value=0;
                        }
                
-                       if (! $info{safe}) {
+                       if (! $info{safe} || ! issafe($key)) {
                                error("unsafe field $key"); # should never happen
                        }
                
diff --git a/debian/changelog b/debian/changelog
index 7fdbbcb..9e779bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20100313) UNRELEASED; urgency=low
+
+  * websetup: Add websetup_unsafe to allow marking other settings
+    as unsafe.
+
+ -- Joey Hess <joeyh@debian.org>  Sat, 13 Mar 2010 14:48:10 -0500
+
 ikiwiki (3.20100312) unstable; urgency=HIGH
 
   * Fix utf8 issues in calls to md5_hex.
diff --git a/doc/plugins/websetup.mdwn b/doc/plugins/websetup.mdwn
index f1756ba..b4d23ba 100644
--- a/doc/plugins/websetup.mdwn
+++ b/doc/plugins/websetup.mdwn
@@ -16,7 +16,8 @@ enabled and disabled using it too. Some settings are not considered safe
 enough to be manipulated over the web; these are still shown, by default,
 but cannot be modified. To hide them, set `websetup_show_unsafe` to false
 in the setup file. A few settings have too complex a data type to be
-configured via the web.
+configured via the web. To mark additional settings as unsafe, you can
+list them in `websetup_unsafe`.
 
 Plugins that should not be enabled/disabled via the web interface can be
 listed in `websetup_force_plugins` in the setup file.

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
index 0ca9499..50c4d43 100644
--- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -57,10 +57,23 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 >> `usemap`) should make `object` almost as harmless as, say, `img`.
 
 >>> But with local data, one could not embed youtube videos, which surely
->>> is the most obvious use case? Note that youtube embedding uses an
+>>> is the most obvious use case?
+
+>>>> Allowing a “remote” object to render on one's page is a
+     security issue by itself.
+     Though, of course, having an explicit whitelist of URI's may make
+     this issue more tolerable.
+     — [[Ivan_Shmakov]], 2010-03-12Z.
+
+>>> Note that youtube embedding uses an
 >>> object element with no classid. The swf file is provided via an
 >>> enclosed param element. --[[Joey]]
 
+>>>> I've just checked a random video on YouTube and I see that the
+     `.swf` file is provided via an enclosed `embed` element.  Whether
+     to allow those or not is a different issue.
+     — [[Ivan_Shmakov]], 2010-03-12Z.
+
 >> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being
 >> restricted in such a way.)
 

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
index c37d052..0ca9499 100644
--- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -56,6 +56,11 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 >> (i. e., only *local* and certain `data:` ones for `data` and
 >> `usemap`) should make `object` almost as harmless as, say, `img`.
 
+>>> But with local data, one could not embed youtube videos, which surely
+>>> is the most obvious use case? Note that youtube embedding uses an
+>>> object element with no classid. The swf file is provided via an
+>>> enclosed param element. --[[Joey]]
+
 >> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being
 >> restricted in such a way.)
 

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
index ac4b555..c37d052 100644
--- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -27,13 +27,43 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 
 [[wishlist]]
 
-> SVG can contain embedded javascript. The spec that you link to contains
+> SVG can contain embedded javascript.
+
+>> Indeed.
+
+>> So, a more general tool (`XML::Scrubber`?) will be necessary to
+>> refine both [XHTML][] and SVG.
+
+>> … And to leave [MathML][] as is (?.)
+
+>> — [[Ivan_Shmakov]], 2010-03-12Z.
+
+> The spec that you link to contains
 > examples of objects that contain python scripts, Microsoft OLE 
 > objects, and Java. And then there's flash. I don't think ikiwiki can
 > assume all the possibilities are handled securely, particularly WRT XSS
 > attacks.
 > --[[Joey]]
 
+>> I've scanned over all the `object` examples in the specification and
+>> all of those that hold references to code (as opposed to data) have a
+>> distinguishing `classid` attribute.
+
+>> While I won't assert that it's impossible to reference code with
+>> `data` (and, thanks to `text/xhtml+xml` and `image/svg+xml`, it is
+>> *not* impossible), throwing away any of the “insecure”
+>> attributes listed above together with limiting the possible URI's
+>> (i. e., only *local* and certain `data:` ones for `data` and
+>> `usemap`) should make `object` almost as harmless as, say, `img`.
+
+>> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being
+>> restricted in such a way.)
+
+>> Of the remaining issues I could only think of recursive
+>> `object` — the one that references its container document.
+
+>> — [[Ivan_Shmakov]], 2010-03-12Z.
+
 ## See also
 
 * [Objects, Images, and Applets in HTML documents][objects-html]
@@ -43,6 +73,8 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 * [Uniform Resource Identifier — the free encyclopedia][URI]
 
 [HTML::Scrubber]: http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm
+[MathML]: http://en.wikipedia.org/wiki/MathML
 [objects-html]: http://www.w3.org/TR/1999/REC-html401-19991224/struct/objects.html
 [RFC 2397]: http://tools.ietf.org/html/rfc2397
 [URI]: http://en.wikipedia.org/wiki/Uniform_Resource_Identifier
+[XHTML]: http://en.wikipedia.org/wiki/XHTML

diff --git a/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn b/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
new file mode 100644
index 0000000..9eac8ea
--- /dev/null
+++ b/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
@@ -0,0 +1,60 @@
+I'm very excited to try out ikiwiki, since it should fit my purposes extremely well, but I'm having trouble with the search plugin. I'm pretty sure that right after I installed ikiwiki and needed dependencies, the search plugin was working fine. However, now when I try to use search, I get "Exception: Unknown function `this'" error on a blank page. I'm not sure how I should go about debugging this issue - my server's (I use Lighttpd 1.4.22) error log has no mention of the exception and there's nothing in /var/log/syslog either.
+
+What might be causing this exception and how I might go about debugging exceptions?
+
+> Appears to be coming from your xapian omega cgi binary. If you
+> run `strings /usr/lib/cgi-bin/omega/omega` you can see it has
+> "Exception: " in it, and I have found some similar (but not identical)
+> error messages from xapian in a web search.
+> 
+> I don´t know what to suggest, other than upgrade/downgrade/reinstall
+> xapian-omega, and contacting the xapian developers for debugging.
+> You could try rebuilding your wiki in case it is somehow
+> caused by a problem with the xapian database. Failing everything, you
+> could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 
+
+>> Thanks, Joey. With your help I was able to figure out what was wrong. It's a fun little bug (or feature): the title of my wiki had string `$this` in title and that's what was causing the omega binary to choke. My wiki's title was inserted without escaping into the query template used by omega. Omega treated `$this` in the title as a function name and threw an exception because no such function was defined. To avoid this behavior, I used an html entity in the title, so `$this` became `$this`. I don't think that the wiki title should be inserted into the template without escaping - it can produce an error that's not trivial to debug. If users want to modify the html in the title, they should be editing respective templates, not typing html in the wiki title input. What do you think? --[[dkobozev]]
+
+>>> Sounds like a bug in omega, and one that probably would affect other
+>>> users of omega too. Ikiwiki could work around it by pre-escaping
+>>> data before passing it to xapian. I have not quite managed to reproduce it though;
+>>> tried setting a page title to '$this' and 'foo $this'.
+>>> That's with version 1.0.18 of omega.
+>>> --[[Joey]]
+
+>>>> I tried it with both omega 1.0.13 and omega 1.0.18 and the issue is present in both. If I view the contents of {$srcdir}/.ikiwiki/xapian/templates/query, I can see that the wiki title is inserted verbatim and there are calls to `$setmap`, `$set` and `$def` etc in the template. --[[dkobozev]]
+
+>>>>> I don't see how that's relevant. It would help if you showed me
+>>>>> exactly something that could be inserted into a page to cause the
+>>>>> problem. --[[Joey]] 
+
+>>>>>> Correct me if I'm wrong: ikiwiki generates an Omega template from its own templates, such as searchquery.tmpl and puts it into {$srcdir}/.ikiwiki/xapian/templates/query. Omega has its own template syntax, where function names are prefixed with dollar signs (`$`). So, when I call my wiki `$foobar`, ikiwiki generates an Omega template that looks like this snippet:
+
+    <div id="container">
+        <div class="pageheader">
+            <div class="header">
+            <span>
+            <a href="http://example.com">$foobar</    a>/search
+            </span>
+            </div>
+        </div> <!-- .pageheader -->
+    
+        <div id="content">
+            $setmap{prefix,title,S}
+    $setmap{prefix,link,XLINK}
+    $set{thousand,$.}$set{decimal,.}$setmap{BN,,Any Country,uk,England,fr,France}
+    ${
+    $def{PREV,
+    $if{$ne{$topdoc,0},<INPUT TYPE=image NAME="&lt;" ALT="&lt;"
+    SRC="/images/xapian-omega/prev.png" BORDER=0 HEIGHT=30 WIDTH=30>,
+    <IMG ALT="" SRC="/images/xapian-omega/prevoff.png" HEIGHT=30 WIDTH=30>}
+
+>>>>>> So `$foobar` clashes with Omega's template tags. Does this help?
+
+>>>>>>> Ahh. I had somehow gotten it into my head that you were talking
+>>>>>>> about the title of a single page, not of the whole wiki. But
+>>>>>>> you were clear all along it was the wiki title. Sorry for
+>>>>>>> misunderstanding. I've put in a complete fix for this problem.
+>>>>>>> if this was in [[bugs]], I'd close it. :) --[[Joey]] 
+
+[[done]]
diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
deleted file mode 100644
index 0352471..0000000
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ /dev/null
@@ -1,58 +0,0 @@
-I'm very excited to try out ikiwiki, since it should fit my purposes extremely well, but I'm having trouble with the search plugin. I'm pretty sure that right after I installed ikiwiki and needed dependencies, the search plugin was working fine. However, now when I try to use search, I get "Exception: Unknown function `this'" error on a blank page. I'm not sure how I should go about debugging this issue - my server's (I use Lighttpd 1.4.22) error log has no mention of the exception and there's nothing in /var/log/syslog either.
-
-What might be causing this exception and how I might go about debugging exceptions?
-
-> Appears to be coming from your xapian omega cgi binary. If you
-> run `strings /usr/lib/cgi-bin/omega/omega` you can see it has
-> "Exception: " in it, and I have found some similar (but not identical)
-> error messages from xapian in a web search.
-> 
-> I don´t know what to suggest, other than upgrade/downgrade/reinstall
-> xapian-omega, and contacting the xapian developers for debugging.
-> You could try rebuilding your wiki in case it is somehow
-> caused by a problem with the xapian database. Failing everything, you
-> could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 
-
->> Thanks, Joey. With your help I was able to figure out what was wrong. It's a fun little bug (or feature): the title of my wiki had string `$this` in title and that's what was causing the omega binary to choke. My wiki's title was inserted without escaping into the query template used by omega. Omega treated `$this` in the title as a function name and threw an exception because no such function was defined. To avoid this behavior, I used an html entity in the title, so `$this` became `&#36;this`. I don't think that the wiki title should be inserted into the template without escaping - it can produce an error that's not trivial to debug. If users want to modify the html in the title, they should be editing respective templates, not typing html in the wiki title input. What do you think? --[[dkobozev]]
-
->>> Sounds like a bug in omega, and one that probably would affect other
->>> users of omega too. Ikiwiki could work around it by pre-escaping
->>> data before passing it to xapian. I have not quite managed to reproduce it though;
->>> tried setting a page title to '$this' and 'foo $this'.
->>> That's with version 1.0.18 of omega.
->>> --[[Joey]]
-
->>>> I tried it with both omega 1.0.13 and omega 1.0.18 and the issue is present in both. If I view the contents of {$srcdir}/.ikiwiki/xapian/templates/query, I can see that the wiki title is inserted verbatim and there are calls to `$setmap`, `$set` and `$def` etc in the template. --[[dkobozev]]
-
->>>>> I don't see how that's relevant. It would help if you showed me
->>>>> exactly something that could be inserted into a page to cause the
->>>>> problem. --[[Joey]] 
-
->>>>>> Correct me if I'm wrong: ikiwiki generates an Omega template from its own templates, such as searchquery.tmpl and puts it into {$srcdir}/.ikiwiki/xapian/templates/query. Omega has its own template syntax, where function names are prefixed with dollar signs (`$`). So, when I call my wiki `$foobar`, ikiwiki generates an Omega template that looks like this snippet:
-
-    <div id="container">
-        <div class="pageheader">
-            <div class="header">
-            <span>
-            <a href="http://example.com">$foobar</    a>/search
-            </span>
-            </div>
-        </div> <!-- .pageheader -->
-    
-        <div id="content">
-            $setmap{prefix,title,S}
-    $setmap{prefix,link,XLINK}
-    $set{thousand,$.}$set{decimal,.}$setmap{BN,,Any Country,uk,England,fr,France}
-    ${
-    $def{PREV,
-    $if{$ne{$topdoc,0},<INPUT TYPE=image NAME="&lt;" ALT="&lt;"
-    SRC="/images/xapian-omega/prev.png" BORDER=0 HEIGHT=30 WIDTH=30>,
-    <IMG ALT="" SRC="/images/xapian-omega/prevoff.png" HEIGHT=30 WIDTH=30>}
-
->>>>>> So `$foobar` clashes with Omega's template tags. Does this help?
-
->>>>>>> Ahh. I had somehow gotten it into my head that you were talking
->>>>>>> about the title of a single page, not of the whole wiki. But
->>>>>>> you were clear all along it was the wiki title. Sorry for
->>>>>>> misunderstanding. I've put in a complete fix for this problem.
->>>>>>> if this was in [[bugs]], I'd close it. :) --[[Joey]] 

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
index 714f5ae..ac4b555 100644
--- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -27,6 +27,13 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 
 [[wishlist]]
 
+> SVG can contain embedded javascript. The spec that you link to contains
+> examples of objects that contain python scripts, Microsoft OLE 
+> objects, and Java. And then there's flash. I don't think ikiwiki can
+> assume all the possibilities are handled securely, particularly WRT XSS
+> attacks.
+> --[[Joey]]
+
 ## See also
 
 * [Objects, Images, and Applets in HTML documents][objects-html]

diff --git a/doc/news/version_3.20091218.mdwn b/doc/news/version_3.20091218.mdwn
deleted file mode 100644
index 224e81c..0000000
--- a/doc/news/version_3.20091218.mdwn
+++ /dev/null
@@ -1,11 +0,0 @@
-ikiwiki 3.20091218 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Add complete Spanish basewiki translation done by Fernando Gonzalez de
-     Requena.
-   * Improve javascript onload handling.
-   * monotone: Deal with format change in version 0.45.
-     (Thanks, Richard Levitte)
-   * cvs: Add missing bit to Automator.
-   * attachment: Fix reversion in attachment sorting by age.
-   * Fix utf-8 problems in rename, remove, attachment, 404, sourcepage, and
-     goto."""]]
\ No newline at end of file
diff --git a/doc/news/version_3.20100312.mdwn b/doc/news/version_3.20100312.mdwn
new file mode 100644
index 0000000..10c3442
--- /dev/null
+++ b/doc/news/version_3.20100312.mdwn
@@ -0,0 +1,16 @@
+ikiwiki 3.20100312 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Fix utf8 issues in calls to md5\_hex.
+   * moderatedcomments: Added moderate\_pagespec that can be used
+     to control which users or comment locations are moderated.
+     This can be used, just for example, to moderate "user(http://myopenid.com/*)"
+     if you're getting a lot of spammers from one particular openid
+     provider (who should perhaps answer your emails about them),
+     while not moderating other users.
+   * moderatedcomments: The moderate\_users setting is deprecated. Instead,
+     set moderate\_pagespec to "!admin()" or "user(*)".
+   * Fix missing span on recentchanges page template.
+   * search: Avoid '$' in the wikiname appearing unescaped on omega's
+     query template, where it might crash omega.
+   * htmlscrubber: Security fix: In data:image/* uris, only allow a few
+     whitelisted image types. No svg."""]]
\ No newline at end of file

diff --git a/doc/todo/mercurial.mdwn b/doc/todo/mercurial.mdwn
index e71c810..de1f148 100644
--- a/doc/todo/mercurial.mdwn
+++ b/doc/todo/mercurial.mdwn
@@ -119,3 +119,11 @@ I have a few notes on mercurial usage after trying it out for a while:
 >> I think the ideal solution would be to build `$destdir/recentchanges/*` directly from the output of `hg log`. --[[buo]]
 
 >>>> That would be 100 times as slow, so I chose not to do that. --[[Joey]]
+
+>>>> Since this is confusing people, allow me to clarify: Ikiwiki's
+>>>> recentchanges generation pulls log information directly out of the VCS as
+>>>> needed. It caches it in recentchanges/* in the `scrdir`. These cache
+>>>> files need not be preserved, should never be checked into VCS, and if
+>>>> you want to you can configure your VCSignore file to ignore them,
+>>>> just as you can configure it to ignore the `.ikiwiki` directory in the
+>>>> `scrdir`. --[[Joey]] 

diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index ee284a4..26e18ff 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -30,9 +30,9 @@ sub import {
                "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
                "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
        );
-       # data is a special case. Allow data:image/*, but
-       # disallow data:text/javascript and everything else.
-       $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
+       # data is a special case. Allow a few data:image/ types,
+       # but disallow data:text/javascript and everything else.
+       $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
 }
 
 sub getsetup () {
diff --git a/debian/changelog b/debian/changelog
index bae0e7e..7fdbbcb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (3.20100303) UNRELEASED; urgency=low
+ikiwiki (3.20100312) unstable; urgency=HIGH
 
   * Fix utf8 issues in calls to md5_hex.
   * moderatedcomments: Added moderate_pagespec that can be used
@@ -12,6 +12,8 @@ ikiwiki (3.20100303) UNRELEASED; urgency=low
   * Fix missing span on recentchanges page template.
   * search: Avoid '$' in the wikiname appearing unescaped on omega's
     query template, where it might crash omega.
+  * htmlscrubber: Security fix: In data:image/* uris, only allow a few
+    whitelisted image types. No svg.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500
 
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 3924186..21aef31 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -427,3 +427,15 @@ enabling TeX configuration options that disallow unsafe TeX commands.
 The fix was released on 30 Aug 2009 in version 3.1415926, and was
 backported to stable in version 2.53.4. If you use the teximg plugin,
 I recommend upgrading. ([[!cve CVE-2009-2944]])
+
+## javascript insertion via svg uris
+
+Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls,
+including `data:image/svg+xml`. But svg can contain javascript, so that is
+unsafe.
+
+This hole was discovered on 12 March 2010 and fixed the same day
+with the release of ikiwiki 3.20100312.
+A fix was also backported to Debian etch, as version 2.53.5. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.

diff --git a/doc/todo/svg.mdwn b/doc/todo/svg.mdwn
index 2099751..274ebf3 100644
--- a/doc/todo/svg.mdwn
+++ b/doc/todo/svg.mdwn
@@ -58,6 +58,8 @@ in the trunk if other people think it's useful.
 [htmlscrubber.pm]:http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blob;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hb=fe333c8e5b4a5f374a059596ee698dacd755182d
 [diff]: http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blobdiff;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hp=3bdaccea119ec0e1b289a0da2f6d90e2219b8d66;hb=fe333c8e5b4a5f374a059596ee698dacd755182d;hpb=be0b4f603f918444b906e42825908ddac78b7073
 
+> Unfortuantly these links are broken. --[[Joey]]
+
 * * *
 
 Actually, there's a way to embed SVG into MarkDown sources using the [data: URI scheme][rfc2397], [like this](data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8c3ZnIHdpZHRoPSIxOTIiIGhlaWdodD0iMTkyIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KIDwhLS0gQ3JlYXRlZCB3aXRoIFNWRy1lZGl0IC0gaHR0cDovL3N2Zy1lZGl0Lmdvb2dsZWNvZGUuY29tLyAtLT4KIDx0aXRsZT5IZWxsbywgd29ybGQhPC90aXRsZT4KIDxnPgogIDx0aXRsZT5MYXllciAxPC90aXRsZT4KICA8ZyB0cmFuc2Zvcm09InJvdGF0ZSgtNDUsIDk3LjY3MTksIDk3LjY2OCkiIGlkPSJzdmdfNyI+CiAgIDxyZWN0IHN0cm9rZS13aWR0aD0iNSIgc3Ryb2tlPSIjMDAwMDAwIiBmaWxsPSIjRkYwMDAwIiBpZD0ic3ZnXzUiIGhlaWdodD0iNTYuMDAwMDAzIiB3aWR0aD0iMTc1IiB5PSI2OS42Njc5NjkiIHg9IjEwLjE3MTg3NSIvPgogICA8dGV4dCB4bWw6c3BhY2U9InByZXNlcnZlIiB0ZXh0LWFuY2hvcj0ibWlkZGxlIiBmb250LWZhbWlseT0ic2VyaWYiIGZvbnQtc2l6ZT0iMjQiIHN0cm9rZS13aWR0aD0iMCIgc3Ryb2tlPSIjMDAwMDAwIiBmaWxsPSIjZmZmZjAwIiBpZD0ic3ZnXzYiIHk9IjEwNS42NjgiIHg9Ijk5LjY3MTkiPkhlbGxvLCB3b3JsZCE8L3RleHQ+CiAgPC9nPgogPC9nPgo8L3N2Zz4=).
@@ -65,3 +67,11 @@ Of course, this way to display an image one needs to click a link, but it may be
 — [[Ivan_Shmakov]], 2010-03-12Z.
 
 [rfc2397]: http://tools.ietf.org/html/rfc2397
+
+> You can do the same with img src actually.
+> 
+> If svg markup allows unsafe elements (ie, javascript),
+> which it appears to, 
+> then this is a security hole, and the htmlscrubber
+> needs to lock it down more. Darn, now I have to spend my afternoon making
+> security releases! --[[Joey]] 

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
new file mode 100644
index 0000000..714f5ae
--- /dev/null
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -0,0 +1,41 @@
+IIUC, the current version of [HTML::Scrubber][] allows for the `object` tags to be either enabled or disabled entirely.  However, while `object` can be used to add *code* (which is indeed a potential security hole) to a document, reading [Objects, Images, and Applets in HTML documents][objects-html] reveals that the “dangerous” are not all the `object`s, but rather those having the following attributes:
+
+    classid     %URI;          #IMPLIED  -- identifies an implementation --
+    codebase    %URI;          #IMPLIED  -- base URI for classid, data, archive--
+    codetype    %ContentType;  #IMPLIED  -- content type for code --
+    archive     CDATA          #IMPLIED  -- space-separated list of URIs --
+
+It seems that the following attributes are, OTOH, safe:
+
+    declare     (declare)      #IMPLIED  -- declare but don't instantiate flag --
+    data        %URI;          #IMPLIED  -- reference to object's data --
+    type        %ContentType;  #IMPLIED  -- content type for data --
+    standby     %Text;         #IMPLIED  -- message to show while loading --
+    height      %Length;       #IMPLIED  -- override height --
+    width       %Length;       #IMPLIED  -- override width --
+    usemap      %URI;          #IMPLIED  -- use client-side image map --
+    name        CDATA          #IMPLIED  -- submit as part of form --
+    tabindex    NUMBER         #IMPLIED  -- position in tabbing order --
+
+Should the former attributes be *scrubbed* while the latter left intact, the use of the `object` tag would seemingly become safe.
+
+Note also that allowing `object` (either restricted in such a way or not) automatically solves the [[/todo/svg]] issue.
+
+For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by the `data` and `usemap` attributes) to, say, relative and `data:` (as per [RFC 2397][]) ones as well, though it requires some more consideration.
+
+— [[Ivan_Shmakov]], 2010-03-12Z.
+
+[[wishlist]]
+
+## See also
+
+* [Objects, Images, and Applets in HTML documents][objects-html]
+* [[plugins/htmlscrubber|/plugins/htmlscrubber]]
+* [[todo/svg|/todo/svg]]
+* [RFC 2397: The “data” URL scheme. L. Masinter. August 1998.][RFC 2397]
+* [Uniform Resource Identifier — the free encyclopedia][URI]
+
+[HTML::Scrubber]: http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm
+[objects-html]: http://www.w3.org/TR/1999/REC-html401-19991224/struct/objects.html
+[RFC 2397]: http://tools.ietf.org/html/rfc2397
+[URI]: http://en.wikipedia.org/wiki/Uniform_Resource_Identifier

diff --git a/doc/todo/svg.mdwn b/doc/todo/svg.mdwn
index 89b183d..2099751 100644
--- a/doc/todo/svg.mdwn
+++ b/doc/todo/svg.mdwn
@@ -57,3 +57,11 @@ in the trunk if other people think it's useful.
 
 [htmlscrubber.pm]:http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blob;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hb=fe333c8e5b4a5f374a059596ee698dacd755182d
 [diff]: http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blobdiff;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hp=3bdaccea119ec0e1b289a0da2f6d90e2219b8d66;hb=fe333c8e5b4a5f374a059596ee698dacd755182d;hpb=be0b4f603f918444b906e42825908ddac78b7073
+
+* * *
+
+Actually, there's a way to embed SVG into MarkDown sources using the [data: URI scheme][rfc2397], [like this](data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8c3ZnIHdpZHRoPSIxOTIiIGhlaWdodD0iMTkyIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KIDwhLS0gQ3JlYXRlZCB3aXRoIFNWRy1lZGl0IC0gaHR0cDovL3N2Zy1lZGl0Lmdvb2dsZWNvZGUuY29tLyAtLT4KIDx0aXRsZT5IZWxsbywgd29ybGQhPC90aXRsZT4KIDxnPgogIDx0aXRsZT5MYXllciAxPC90aXRsZT4KICA8ZyB0cmFuc2Zvcm09InJvdGF0ZSgtNDUsIDk3LjY3MTksIDk3LjY2OCkiIGlkPSJzdmdfNyI+CiAgIDxyZWN0IHN0cm9rZS13aWR0aD0iNSIgc3Ryb2tlPSIjMDAwMDAwIiBmaWxsPSIjRkYwMDAwIiBpZD0ic3ZnXzUiIGhlaWdodD0iNTYuMDAwMDAzIiB3aWR0aD0iMTc1IiB5PSI2OS42Njc5NjkiIHg9IjEwLjE3MTg3NSIvPgogICA8dGV4dCB4bWw6c3BhY2U9InByZXNlcnZlIiB0ZXh0LWFuY2hvcj0ibWlkZGxlIiBmb250LWZhbWlseT0ic2VyaWYiIGZvbnQtc2l6ZT0iMjQiIHN0cm9rZS13aWR0aD0iMCIgc3Ryb2tlPSIjMDAwMDAwIiBmaWxsPSIjZmZmZjAwIiBpZD0ic3ZnXzYiIHk9IjEwNS42NjgiIHg9Ijk5LjY3MTkiPkhlbGxvLCB3b3JsZCE8L3RleHQ+CiAgPC9nPgogPC9nPgo8L3N2Zz4=).
+Of course, this way to display an image one needs to click a link, but it may be considered a feature.
+— [[Ivan_Shmakov]], 2010-03-12Z.
+
+[rfc2397]: http://tools.ietf.org/html/rfc2397

diff --git a/doc/users/ivan_shmakov.mdwn b/doc/users/ivan_shmakov.mdwn
new file mode 100644
index 0000000..41bf9b0
--- /dev/null
+++ b/doc/users/ivan_shmakov.mdwn
@@ -0,0 +1,3 @@
+… To put it short: an Ikiwiki newbie.
+
+I run an Ikiwiki instance at <http://gray.am-1.org/~ivan/lhc/> (though the DNS servers seem to be temporarily out of smoke as of 2010-03-12Z.)

diff --git a/IkiWiki/Plugin/search.pm b/IkiWiki/Plugin/search.pm
index fb68396..c0e8703 100644
--- a/IkiWiki/Plugin/search.pm
+++ b/IkiWiki/Plugin/search.pm
@@ -110,6 +110,7 @@ sub index (@) {
        # data used by omega
        # Decode html entities in it, since omega re-encodes them.
        eval q{use HTML::Entities};
+       error $@ if $@;
        $doc->set_data(
                "url=".urlto($params{page}, "")."\n".
                "sample=".decode_entities($sample)."\n".
@@ -214,9 +215,19 @@ sub setupfiles () {
                writefile("omega.conf", $config{wikistatedir}."/xapian",
                        "database_dir .\n".
                        "template_dir ./templates\n");
+               
+               # Avoid omega interpreting anything in the misctemplate
+               # as an omegascript command.
+               my $misctemplate=IkiWiki::misctemplate(gettext("search"), "\0");
+               eval q{use HTML::Entities};
+               error $@ if $@;
+               $misctemplate=encode_entities($misctemplate, '\$');
+
+               my $querytemplate=readfile(IkiWiki::template_file("searchquery.tmpl"));
+               $misctemplate=~s/\0/$querytemplate/;
+
                writefile("query", $config{wikistatedir}."/xapian/templates",
-                       IkiWiki::misctemplate(gettext("search"),
-                               readfile(IkiWiki::template_file("searchquery.tmpl"))));
+                       $misctemplate);
                $setup=1;
        }
 }
diff --git a/debian/changelog b/debian/changelog
index 6b5671e..6828e6b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,8 @@ ikiwiki (3.20100303) UNRELEASED; urgency=low
   * moderatedcomments: The moderate_users setting is deprecated. Instead,
     set moderate_pagespec to "!admin()" or "user(*)" instead.
   * Fix missing span on recentchanges page template.
+  * search: Avoid '$' in the wikiname appearing unescaped on omega's
+    query template, where it might crash omega.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500
 
diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 4f94b77..0352471 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -50,3 +50,9 @@ What might be causing this exception and how I might go about debugging exceptio
     <IMG ALT="" SRC="/images/xapian-omega/prevoff.png" HEIGHT=30 WIDTH=30>}
 
 >>>>>> So `$foobar` clashes with Omega's template tags. Does this help?
+
+>>>>>>> Ahh. I had somehow gotten it into my head that you were talking
+>>>>>>> about the title of a single page, not of the whole wiki. But
+>>>>>>> you were clear all along it was the wiki title. Sorry for
+>>>>>>> misunderstanding. I've put in a complete fix for this problem.
+>>>>>>> if this was in [[bugs]], I'd close it. :) --[[Joey]] 

diff --git a/debian/changelog b/debian/changelog
index c58e612..6b5671e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ ikiwiki (3.20100303) UNRELEASED; urgency=low
     while not moderating other users.
   * moderatedcomments: The moderate_users setting is deprecated. Instead,
     set moderate_pagespec to "!admin()" or "user(*)" instead.
+  * Fix missing span on recentchanges page template.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500
 
diff --git a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
index 536af34..5c32299 100644
--- a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
+++ b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
@@ -22,3 +22,5 @@ PS: I have fixed the template by hand on my server, so it will validate, however
 > markup like this; using [[plugins/comments]] without having one or other of those is a bad idea
 > from the point of view of avoiding comment forgery, which is probably why icanttype.org works
 > correctly. Anyway, I've fixed this in a branch: Joey, care to review smcv/trivia? --[[smcv]]
+
+[[done]], thanks guys --[[Joey]]

diff --git a/IkiWiki/Plugin/moderatedcomments.pm b/IkiWiki/Plugin/moderatedcomments.pm
index afe1cee..b0a328a 100644
--- a/IkiWiki/Plugin/moderatedcomments.pm
+++ b/IkiWiki/Plugin/moderatedcomments.pm
@@ -17,10 +17,11 @@ sub getsetup () {
                        rebuild => 0,
                        section => "auth",
                },
-               moderate_users => {
-                       type => 'boolean',
-                       example => 1,
-                       description => 'Moderate comments of logged-in users?',
+               moderate_pagespec => {
+                       type => 'pagespec',
+                       example => 'user(http://*)',
+                       description => 'PageSpec matching users or comment locations to moderate',
+                       link => 'ikiwiki/PageSpec',
                        safe => 1,
                        rebuild => 0,
                },
@@ -32,14 +33,32 @@ sub checkcontent (@) {
        # only handle comments  
        return undef unless pagespec_match($params{page}, "postcomment(*)",
                                location => $params{page});
+       
+       # backwards compatability
+       if (exists $config{moderate_users} &&
+           ! exists $config{moderate_pagespec}) {
+               $config{moderate_pagespec} = $config{moderate_users}
+                       ? "!admin()"
+                       : "!user(*)";
+       }
+
+       # default is to moderate all except admins
+       if (! exists $config{moderate_pagespec}) {
+               $config{moderate_pagespec}="!admin()";
+       }
 
-       # admins and maybe users can comment w/o moderation
        my $session=$params{session};
        my $user=$session->param("name") if $session;
-       return undef if defined $user && (IkiWiki::is_admin($user) ||
-               (exists $config{moderate_users} && ! $config{moderate_users}));
-
-       return gettext("comment needs moderation");
+       if (pagespec_match($params{page}, $config{moderate_pagespec},
+                       location => $params{page},
+                       (defined $user ? (user => $user) : ()),
+                       (defined $ENV{REMOTE_ADDR} ? (ip => $ENV{REMOTE_ADDR}) : ()),
+       )) {
+               return gettext("comment needs moderation");
+       }
+       else {
+               return undef;
+       }
 }
 
 1
diff --git a/debian/changelog b/debian/changelog
index d1253c0..c58e612 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,14 @@
 ikiwiki (3.20100303) UNRELEASED; urgency=low
 
   * Fix utf8 issues in calls to md5_hex.
+  * moderatedcomments: Added moderate_pagespec that can be used
+    to control which users or comment locations are moderated.
+    This can be used, just for example, to moderate http://myopenid.com/*
+    if you're getting a lot of spammers from one particular openid
+    provider (who should perhaps answer your emails about them),
+    while not moderating other users.
+  * moderatedcomments: The moderate_users setting is deprecated. Instead,
+    set moderate_pagespec to "!admin()" or "user(*)" instead.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500
 
diff --git a/doc/plugins/moderatedcomments.mdwn b/doc/plugins/moderatedcomments.mdwn
index 97924d7..c29b0b0 100644
--- a/doc/plugins/moderatedcomments.mdwn
+++ b/doc/plugins/moderatedcomments.mdwn
@@ -5,6 +5,8 @@ This plugin causes [[comments]] to be held for manual moderation.
 Admins can access the comment moderation queue via their preferences page.
 
 By default, all comments made by anyone who is not an admin will be held
-for moderation. The `moderate_users` setting can be set to false to avoid
-moderating comments of logged-in users, while still moderating anonymous
-comments.
+for moderation. The `moderate_pagespec` setting can be used to specify a
+[[ikiwiki/PageSpec]] to match comments and users who should be moderated.
+For example, to avoid moderating comments from logged-in users, set
+`moderate_pagespec` to "!user(*)". Or to moderate everyone except for
+admins, set it to "!admin(*)".

diff --git a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
index 007d763..536af34 100644
--- a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
+++ b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
@@ -16,3 +16,9 @@ Thanks,
 David
 
 PS: I have fixed the template by hand on my server, so it will validate, however ikiwiki.info will not.
+
+> [[!template id="gitbranch" branch=smcv/trivia author="[[smcv]]"]] [[!tag patch]]
+> Enabling either [[plugins/htmltidy]] or [[plugins/htmlbalance]] will automatically fix unbalanced
+> markup like this; using [[plugins/comments]] without having one or other of those is a bad idea
+> from the point of view of avoiding comment forgery, which is probably why icanttype.org works
+> correctly. Anyway, I've fixed this in a branch: Joey, care to review smcv/trivia? --[[smcv]]

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index bd9bee3..8e567ec 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -53,6 +53,7 @@ Projects & Organizations
 * [IPOL Image Processing On Line](http://www.ipol.im)
 * [Debian Costa Rica](http://cr.debian.net/)
 * [Fvwm Wiki](http://fvwmwiki.xteddy.org)
+* [Serialist](http://serialist.net/)'s static pages (documentation, blog).  We actually have ikiwiki generate its static content as HTML fragments using a modified page.tmpl template, and then the FastCGI powering our site grabs those fragments and embeds them in the standard dynamic site template.
 
 Personal sites and blogs
 ========================

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index 345604c..bd9bee3 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -141,6 +141,7 @@ Personal sites and blogs
 * [Mukund's homepage](http://www.mukund.org/)
 * [Andreas's homepage](http://0x7.ch/) - Ikiwiki, Subversion and CSS template
 * [Chris Dombroski's boring bliki](https://www.icanttype.org/)
+* [Josh Triplett's homepage](http://joshtriplett.org/) - Git backend with the CGI disabled, to publish a static site with the convenience of ikiwiki.
 
 Please feel free to add your own ikiwiki site!
 

diff --git a/doc/plugins/getsource/discussion.mdwn b/doc/plugins/getsource/discussion.mdwn
new file mode 100644
index 0000000..45a1d62
--- /dev/null
+++ b/doc/plugins/getsource/discussion.mdwn
@@ -0,0 +1 @@
+It would be very cool if this plugin was enabled by default.  One of the best ways to learn how to do various advanced things is to be able to "view source" on other wiki's which do things you like.  -- [[AdamShand]]

diff --git a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
index 4c81981..007d763 100644
--- a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
+++ b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
@@ -14,3 +14,5 @@ This results in the recentchanges/ page being invalid and rendering quite horrif
 
 Thanks,
 David
+
+PS: I have fixed the template by hand on my server, so it will validate, however ikiwiki.info will not.

diff --git a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
new file mode 100644
index 0000000..4c81981
--- /dev/null
+++ b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
@@ -0,0 +1,16 @@
+In the template for ikiwiki's recent changes page
+
+     /usr/share/ikiwiki/templates/change.tmpl
+
+there is a missing </span> tag after the
+
+     <span class="changedate"><TMPL_VAR COMMITDATE>
+
+This results in the recentchanges/ page being invalid and rendering quite horrifyingly in Internet Exploder.
+
+[I'm running](http://wiki.shlrm.org) (linked so you can see the one I'm running if you need to) the latest version of ikiwiki, and I note that it's broken on [ikiwiki.info](http://validator.w3.org/check?uri=http%3A%2F%2Fikiwiki.info%2Frecentchanges%2F&charset=%28detect+automatically%29&doctype=Inline&group=0&user-agent=W3C_Validator%2F1.767) too :)
+
+[This one on debian](https://www.icanttype.org/recentchanges/) is somehow [valid](http://validator.w3.org/check?uri=https%3A%2F%2Fwww.icanttype.org%2F%2Frecentchanges%2F&charset=%28detect+automatically%29&doctype=Inline&group=0&user-agent=W3C_Validator%2F1.767), although it's using the same template. Perhaps there's an additional scrubbing going on his end.
+
+Thanks,
+David

diff --git a/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn b/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
index 98e4280..49c55e2 100644
--- a/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
+++ b/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
@@ -9,3 +9,7 @@ Maybe even with parsing of the content and preselecting the tags, that are given
 
 this would need a bit JS-work and somehow on compiletime we need to put the list of tags somewhere, where the cgi could read them from.
 This way, even a pagespec would suffice to determine the usable list of tags and not only the tagbase-variable.
+
+> I think this would be very hard to achieve with the current tag plugin, due to the nature of its implementation.
+> 
+> I've had a "tag2" plugin on the go for a while which supports this. It's in a very rough stage but I'll try to find it and upload it somewhere. -- [[Jon]]

diff --git a/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn b/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
new file mode 100644
index 0000000..98e4280
--- /dev/null
+++ b/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
@@ -0,0 +1,11 @@
+# How about:
+
+having a list of all existing tags in the Edit-Formular as a selectionbox?
+
+Assume I have tagbase=/tags/ and for every tag I have given to articles an existing page there.
+
+Would it be possible to list all these tags together with the Formular, as selectionbox.
+Maybe even with parsing of the content and preselecting the tags, that are given in the article and vice-versa when selecting the fields then also generating the \[\[\!tag\]\]-sourcecode ?
+
+this would need a bit JS-work and somehow on compiletime we need to put the list of tags somewhere, where the cgi could read them from.
+This way, even a pagespec would suffice to determine the usable list of tags and not only the tagbase-variable.

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index ac4d7ed..4f94b77 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -27,3 +27,26 @@ What might be causing this exception and how I might go about debugging exceptio
 >>>>> I don't see how that's relevant. It would help if you showed me
 >>>>> exactly something that could be inserted into a page to cause the
 >>>>> problem. --[[Joey]] 
+
+>>>>>> Correct me if I'm wrong: ikiwiki generates an Omega template from its own templates, such as searchquery.tmpl and puts it into {$srcdir}/.ikiwiki/xapian/templates/query. Omega has its own template syntax, where function names are prefixed with dollar signs (`$`). So, when I call my wiki `$foobar`, ikiwiki generates an Omega template that looks like this snippet:
+
+    <div id="container">
+        <div class="pageheader">
+            <div class="header">
+            <span>
+            <a href="http://example.com">$foobar</    a>/search
+            </span>
+            </div>
+        </div> <!-- .pageheader -->
+    
+        <div id="content">
+            $setmap{prefix,title,S}
+    $setmap{prefix,link,XLINK}
+    $set{thousand,$.}$set{decimal,.}$setmap{BN,,Any Country,uk,England,fr,France}
+    ${
+    $def{PREV,
+    $if{$ne{$topdoc,0},<INPUT TYPE=image NAME="&lt;" ALT="&lt;"
+    SRC="/images/xapian-omega/prev.png" BORDER=0 HEIGHT=30 WIDTH=30>,
+    <IMG ALT="" SRC="/images/xapian-omega/prevoff.png" HEIGHT=30 WIDTH=30>}
+
+>>>>>> So `$foobar` clashes with Omega's template tags. Does this help?

diff --git a/doc/bugs.mdwn b/doc/bugs.mdwn
index f44cfdc..f634b6e 100644
--- a/doc/bugs.mdwn
+++ b/doc/bugs.mdwn
@@ -1,5 +1,5 @@
 If you've found a bug in ikiwiki, post about it here. [[TODO]] items go
-elsewhere. Link <a href="http://www.college-paper.org/custom-essay.html">college essay</a> items to [[bugs/done]] when done.
+elsewhere. Link items to [[bugs/done]] when done.
 
 Also see the [Debian bugs](http://bugs.debian.org/ikiwiki).
 
diff --git a/doc/bugs/bestlink_returns_deleted_pages.mdwn b/doc/bugs/bestlink_returns_deleted_pages.mdwn
index d3c5c80..874f18e 100644
--- a/doc/bugs/bestlink_returns_deleted_pages.mdwn
+++ b/doc/bugs/bestlink_returns_deleted_pages.mdwn
@@ -28,7 +28,7 @@ won't it make sense for bestlink() to check %pagesources first? --[[harishcm]]
 > maybe by keeping a copy of the old backlinks info, then that fix could be
 > applied here too. --[[Joey]]
 
->> Cool that was fast! Well at least half the <a href="http://www.college-paper.org/custom-essay.html college essay">college essay</a> bug is solved :) For now I'll
+>> Cool that was fast! Well at least half the bug is solved :) For now I'll
 >> probably try using a workaround if using bestlink within the needsbuild
 >> or scan hooks. Maybe by testing if pagemtime equals zero. --[[harishcm]]
 
@@ -48,8 +48,8 @@ won't it make sense for bestlink() to check %pagesources first? --[[harishcm]]
     use IkiWiki 3.00;
     
     sub import {
-       hook(type => "getsetup", id => "bestlinkbug", call => &getsetup);
-       hook(type => "needsbuild", id => "bestlinkbug", call => &needsbuild);
+       hook(type => "getsetup", id => "bestlinkbug", call => \&getsetup);
+       hook(type => "needsbuild", id => "bestlinkbug", call => \&needsbuild);
     }
     
     sub getsetup () {

diff --git a/doc/bugs.mdwn b/doc/bugs.mdwn
index f634b6e..f44cfdc 100644
--- a/doc/bugs.mdwn
+++ b/doc/bugs.mdwn
@@ -1,5 +1,5 @@
 If you've found a bug in ikiwiki, post about it here. [[TODO]] items go
-elsewhere. Link items to [[bugs/done]] when done.
+elsewhere. Link <a href="http://www.college-paper.org/custom-essay.html">college essay</a> items to [[bugs/done]] when done.
 
 Also see the [Debian bugs](http://bugs.debian.org/ikiwiki).
 

diff --git a/doc/bugs/bestlink_returns_deleted_pages.mdwn b/doc/bugs/bestlink_returns_deleted_pages.mdwn
index 874f18e..d3c5c80 100644
--- a/doc/bugs/bestlink_returns_deleted_pages.mdwn
+++ b/doc/bugs/bestlink_returns_deleted_pages.mdwn
@@ -28,7 +28,7 @@ won't it make sense for bestlink() to check %pagesources first? --[[harishcm]]
 > maybe by keeping a copy of the old backlinks info, then that fix could be
 > applied here too. --[[Joey]]
 
->> Cool that was fast! Well at least half the bug is solved :) For now I'll
+>> Cool that was fast! Well at least half the <a href="http://www.college-paper.org/custom-essay.html college essay">college essay</a> bug is solved :) For now I'll
 >> probably try using a workaround if using bestlink within the needsbuild
 >> or scan hooks. Maybe by testing if pagemtime equals zero. --[[harishcm]]
 
@@ -48,8 +48,8 @@ won't it make sense for bestlink() to check %pagesources first? --[[harishcm]]
     use IkiWiki 3.00;
     
     sub import {
-       hook(type => "getsetup", id => "bestlinkbug", call => \&getsetup);
-       hook(type => "needsbuild", id => "bestlinkbug", call => \&needsbuild);
+       hook(type => "getsetup", id => "bestlinkbug", call => &getsetup);
+       hook(type => "needsbuild", id => "bestlinkbug", call => &needsbuild);
     }
     
     sub getsetup () {

diff --git a/doc/plugins/conditional/discussion.mdwn b/doc/plugins/conditional/discussion.mdwn
index 09e3df9..6e84fdf 100644
--- a/doc/plugins/conditional/discussion.mdwn
+++ b/doc/plugins/conditional/discussion.mdwn
@@ -8,6 +8,19 @@ Using \[\[!if test="tagged(plugin)" then="= Tagged as plugin =" else="*No plugin
 > so tagging a large number of pages with a tag that doesn't exist (which change has
 > been reverted) doesn't make the pagespec match. It would if the tag's page existed. --[[Joey]]
 
+>> So if I understand this correctly... Assuming the tags Tag_A and Tag_B, the existence of 
+>> @wiki-home@/tags/Tag_A.creole, and a number of files with a \[\[!tag Tag_A Tag_B]] the 
+>> following is correct?
+>>
+>> * \[\[!if test="tagged(Tag_A)" then="OK" else="Fail"]] => OK
+>> * \[\[!if test="tagged(Tag_B)" then="OK" else="Fail"]] => Fail
+>> * \[\[!if test="tagged(Tag_A) and tagged(Tag_B)" then="OK" else="Fail"]] => Fail
+>>
+>> Is that the expected behaviour? If so, that's not what I'm seeing here since they all result 
+>> in a Fail. If not, what exactly is wrong with those conditionals? Thanks.
+>>
+>> -- Thiana 
+
 ----
 
 Would there be a way for this plugin to emit fewer blank lines (i.e. *none at all*)?

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index cb75895..ac4d7ed 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -23,3 +23,7 @@ What might be causing this exception and how I might go about debugging exceptio
 >>> --[[Joey]]
 
 >>>> I tried it with both omega 1.0.13 and omega 1.0.18 and the issue is present in both. If I view the contents of {$srcdir}/.ikiwiki/xapian/templates/query, I can see that the wiki title is inserted verbatim and there are calls to `$setmap`, `$set` and `$def` etc in the template. --[[dkobozev]]
+
+>>>>> I don't see how that's relevant. It would help if you showed me
+>>>>> exactly something that could be inserted into a page to cause the
+>>>>> problem. --[[Joey]] 

diff --git a/doc/plugins/conditional/discussion.mdwn b/doc/plugins/conditional/discussion.mdwn
index e34df70..09e3df9 100644
--- a/doc/plugins/conditional/discussion.mdwn
+++ b/doc/plugins/conditional/discussion.mdwn
@@ -4,6 +4,10 @@ Using \[\[!if test="tagged(plugin)" then="= Tagged as plugin =" else="*No plugin
 
 -- Thiana
 
+> This wiki has no page named "plugin", so nothing links to it; tags are a species of link
+> so tagging a large number of pages with a tag that doesn't exist (which change has
+> been reverted) doesn't make the pagespec match. It would if the tag's page existed. --[[Joey]]
+
 ----
 
 Would there be a way for this plugin to emit fewer blank lines (i.e. *none at all*)?

diff --git a/doc/templates/plugin.mdwn b/doc/templates/plugin.mdwn
index d62c879..c1d1974 100644
--- a/doc/templates/plugin.mdwn
+++ b/doc/templates/plugin.mdwn
@@ -6,7 +6,6 @@ Enabled by default: <TMPL_IF core>yes<TMPL_ELSE>no</TMPL_IF><br />
 Included in [[/plugins/goodstuff]]: [[!if test="backlink(plugins/goodstuff)" all=no then="""yes""" else="""no"""]]<br />
 Currently enabled: [[!if test="enabled(<TMPL_VAR name>)" then="yes" else="no"]]<br />
 </span>
-[[!tag plugin <TMPL_VAR name>]]
 [[!if test="sourcepage(plugins/contrib/*)" then="""[[!meta title="<TMPL_VAR name> (third party plugin)"]]"""]]
 <TMPL_IF core>[[!tag plugins/type/core]]</TMPL_IF>
 <TMPL_UNLESS NAME="name">

diff --git a/doc/ikiwiki/directive/map/discussion.mdwn b/doc/ikiwiki/directive/map/discussion.mdwn
index 075b91b..f6eaa6b 100644
--- a/doc/ikiwiki/directive/map/discussion.mdwn
+++ b/doc/ikiwiki/directive/map/discussion.mdwn
@@ -5,6 +5,8 @@ Thanks
 
 -- Thiana
 
+> [[bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used]] --[[Joey]] 
+
 ----
 
 Question: Is there a way to generate a listing that shows *both* title and description meta information? Currently, a \[\[!map ...]] shows only one of the two, but I'd like to generate a navigation that looks like a description list. For example:

diff --git a/doc/plugins/conditional/discussion.mdwn b/doc/plugins/conditional/discussion.mdwn
index 629d059..e34df70 100644
--- a/doc/plugins/conditional/discussion.mdwn
+++ b/doc/plugins/conditional/discussion.mdwn
@@ -1,3 +1,11 @@
+## Conditional broken?
+
+Using \[\[!if test="tagged(plugin)" then="= Tagged as plugin =" else="*No plugins found*"]] on this wiki *should* present the 'Tagged as plugin' heading, instead it emits 'no plugins found'. Is the conditional plugin currently broken for tags or am I misusing it? Thanks.
+
+-- Thiana
+
+----
+
 Would there be a way for this plugin to emit fewer blank lines (i.e. *none at all*)?
 
 For example, having a look at [this page](http://www.bddebian.com/~wiki/Hurd/)'s sidebar.

diff --git a/doc/templates/plugin.mdwn b/doc/templates/plugin.mdwn
index c1d1974..d62c879 100644
--- a/doc/templates/plugin.mdwn
+++ b/doc/templates/plugin.mdwn
@@ -6,6 +6,7 @@ Enabled by default: <TMPL_IF core>yes<TMPL_ELSE>no</TMPL_IF><br />
 Included in [[/plugins/goodstuff]]: [[!if test="backlink(plugins/goodstuff)" all=no then="""yes""" else="""no"""]]<br />
 Currently enabled: [[!if test="enabled(<TMPL_VAR name>)" then="yes" else="no"]]<br />
 </span>
+[[!tag plugin <TMPL_VAR name>]]
 [[!if test="sourcepage(plugins/contrib/*)" then="""[[!meta title="<TMPL_VAR name> (third party plugin)"]]"""]]
 <TMPL_IF core>[[!tag plugins/type/core]]</TMPL_IF>
 <TMPL_UNLESS NAME="name">

diff --git a/doc/ikiwiki/directive/map/discussion.mdwn b/doc/ikiwiki/directive/map/discussion.mdwn
index 062b426..075b91b 100644
--- a/doc/ikiwiki/directive/map/discussion.mdwn
+++ b/doc/ikiwiki/directive/map/discussion.mdwn
@@ -1,3 +1,12 @@
+### Sorting
+
+Is there a way to have the generated maps sorted by *title* instead of *filename* when show=title is used?
+Thanks 
+
+-- Thiana
+
+----
+
 Question: Is there a way to generate a listing that shows *both* title and description meta information? Currently, a \[\[!map ...]] shows only one of the two, but I'd like to generate a navigation that looks like a description list. For example:
 
  * This is the title meta information.

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 7db12c3..cb75895 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -21,3 +21,5 @@ What might be causing this exception and how I might go about debugging exceptio
 >>> tried setting a page title to '$this' and 'foo $this'.
 >>> That's with version 1.0.18 of omega.
 >>> --[[Joey]]
+
+>>>> I tried it with both omega 1.0.13 and omega 1.0.18 and the issue is present in both. If I view the contents of {$srcdir}/.ikiwiki/xapian/templates/query, I can see that the wiki title is inserted verbatim and there are calls to `$setmap`, `$set` and `$def` etc in the template. --[[dkobozev]]

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 94de18c..7db12c3 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -14,3 +14,10 @@ What might be causing this exception and how I might go about debugging exceptio
 > could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 
 
 >> Thanks, Joey. With your help I was able to figure out what was wrong. It's a fun little bug (or feature): the title of my wiki had string `$this` in title and that's what was causing the omega binary to choke. My wiki's title was inserted without escaping into the query template used by omega. Omega treated `$this` in the title as a function name and threw an exception because no such function was defined. To avoid this behavior, I used an html entity in the title, so `$this` became `$this`. I don't think that the wiki title should be inserted into the template without escaping - it can produce an error that's not trivial to debug. If users want to modify the html in the title, they should be editing respective templates, not typing html in the wiki title input. What do you think? --[[dkobozev]]
+
+>>> Sounds like a bug in omega, and one that probably would affect other
+>>> users of omega too. Ikiwiki could work around it by pre-escaping
+>>> data before passing it to xapian. I have not quite managed to reproduce it though;
+>>> tried setting a page title to '$this' and 'foo $this'.
+>>> That's with version 1.0.18 of omega.
+>>> --[[Joey]]

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 3cbcdc4..94de18c 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -12,3 +12,5 @@ What might be causing this exception and how I might go about debugging exceptio
 > You could try rebuilding your wiki in case it is somehow
 > caused by a problem with the xapian database. Failing everything, you
 > could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 
+
+>> Thanks, Joey. With your help I was able to figure out what was wrong. It's a fun little bug (or feature): the title of my wiki had string `$this` in title and that's what was causing the omega binary to choke. My wiki's title was inserted without escaping into the query template used by omega. Omega treated `$this` in the title as a function name and threw an exception because no such function was defined. To avoid this behavior, I used an html entity in the title, so `$this` became `$this`. I don't think that the wiki title should be inserted into the template without escaping - it can produce an error that's not trivial to debug. If users want to modify the html in the title, they should be editing respective templates, not typing html in the wiki title input. What do you think? --[[dkobozev]]

diff --git a/doc/sandbox.mdwn b/doc/sandbox.mdwn
index afd7dbe..1a1b128 100644
--- a/doc/sandbox.mdwn
+++ b/doc/sandbox.mdwn
@@ -77,3 +77,4 @@ bar
 Hmm, can I dig it?
 
 Test
+pop

diff --git a/doc/sandbox/danc.mdwn b/doc/sandbox/danc.mdwn
new file mode 100644
index 0000000..9766475
--- /dev/null
+++ b/doc/sandbox/danc.mdwn
@@ -0,0 +1 @@
+ok

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 628276b..3cbcdc4 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -4,9 +4,11 @@ What might be causing this exception and how I might go about debugging exceptio
 
 > Appears to be coming from your xapian omega cgi binary. If you
 > run `strings /usr/lib/cgi-bin/omega/omega` you can see it has
-> "Exception: " in it.
+> "Exception: " in it, and I have found some similar (but not identical)
+> error messages from xapian in a web search.
 > 
 > I don´t know what to suggest, other than upgrade/downgrade/reinstall
-> xapian-omega. You could try rebuilding your wiki in case it is somehow
+> xapian-omega, and contacting the xapian developers for debugging.
+> You could try rebuilding your wiki in case it is somehow
 > caused by a problem with the xapian database. Failing everything, you
 > could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 05d4e3a..628276b 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -1,3 +1,12 @@
 I'm very excited to try out ikiwiki, since it should fit my purposes extremely well, but I'm having trouble with the search plugin. I'm pretty sure that right after I installed ikiwiki and needed dependencies, the search plugin was working fine. However, now when I try to use search, I get "Exception: Unknown function `this'" error on a blank page. I'm not sure how I should go about debugging this issue - my server's (I use Lighttpd 1.4.22) error log has no mention of the exception and there's nothing in /var/log/syslog either.
 
 What might be causing this exception and how I might go about debugging exceptions?
+
+> Appears to be coming from your xapian omega cgi binary. If you
+> run `strings /usr/lib/cgi-bin/omega/omega` you can see it has
+> "Exception: " in it.
+> 
+> I don´t know what to suggest, other than upgrade/downgrade/reinstall
+> xapian-omega. You could try rebuilding your wiki in case it is somehow
+> caused by a problem with the xapian database. Failing everything, you
+> could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
new file mode 100644
index 0000000..05d4e3a
--- /dev/null
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -0,0 +1,3 @@
+I'm very excited to try out ikiwiki, since it should fit my purposes extremely well, but I'm having trouble with the search plugin. I'm pretty sure that right after I installed ikiwiki and needed dependencies, the search plugin was working fine. However, now when I try to use search, I get "Exception: Unknown function `this'" error on a blank page. I'm not sure how I should go about debugging this issue - my server's (I use Lighttpd 1.4.22) error log has no mention of the exception and there's nothing in /var/log/syslog either.
+
+What might be causing this exception and how I might go about debugging exceptions?

diff --git a/doc/index.mdwn b/doc/index.mdwn
index 88eafa1..732cf7a 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -19,7 +19,6 @@ ikiwiki [[!version ]].
 
 ## developer resources
 
-
 The [[RoadMap]] describes where the project is going.
 The [[forum]] is open for discussions.
 [[Bugs]], [[TODO]] items, [[wishlist]] items, and [[patches|patch]]
@@ -27,5 +26,3 @@ can be submitted and tracked using this wiki.
 
 ikiwiki is developed by [[Joey]] and many contributors,
 and is [[FreeSoftware]].
-
-

diff --git a/doc/TourBusStop.mdwn b/doc/TourBusStop.mdwn
index 5317c67..8e382bd 100644
--- a/doc/TourBusStop.mdwn
+++ b/doc/TourBusStop.mdwn
@@ -9,7 +9,7 @@ This wiki serves as the home for the ikiwiki wiki engine, providing collaborativ
 * You can turn any set of pages into a [[blog]] or similar news feed,
 * complete with RSS and Atom support.  You can run your weblog on ikiwiki (and [[many_people_do|ikiwikiusers]]), run a Planet-like [[aggregator|plugins/aggregate]] for external feeds, or keep a [[TODO]] and [[bug|bugs]] list with tags for completed items.
 
-* ikiwiki provides a wiki compiler, designed to transform your wiki content into a set of static pages.  You can then serve these pages as static content.  ikiwiki will not fall over during a Slashdotting, because page views don't require the ikiwiki CGI; as long as your web server can keep up, your [site](http://dessouse.net) will survive.  Furthermore, you can choose whether you want to run the ikiwiki CGI for web edits or only handle commits to the underlying version control system; you can even run ikiwiki privately and just manually copy the content to another server.  So if you want to put a wiki up on a server without installing any software on that server, try ikiwiki.
+* ikiwiki provides a wiki compiler, designed to transform your wiki content into a set of static pages.  You can then serve these pages as static content.  ikiwiki will not fall over during a Slashdotting, because page views don't require the ikiwiki CGI; as long as your web server can keep up, your site will survive.  Furthermore, you can choose whether you want to run the ikiwiki CGI for web edits or only handle commits to the underlying version control system; you can even run ikiwiki privately and just manually copy the content to another server.  So if you want to put a wiki up on a server without installing any software on that server, try ikiwiki.
 
 ![Picture of the TourBus](http://www.wikiservice.at/image/wikibus.gif)
 

diff --git a/doc/TourBusStop.mdwn b/doc/TourBusStop.mdwn
index 8e382bd..5317c67 100644
--- a/doc/TourBusStop.mdwn
+++ b/doc/TourBusStop.mdwn
@@ -9,7 +9,7 @@ This wiki serves as the home for the ikiwiki wiki engine, providing collaborativ
 * You can turn any set of pages into a [[blog]] or similar news feed,
 * complete with RSS and Atom support.  You can run your weblog on ikiwiki (and [[many_people_do|ikiwikiusers]]), run a Planet-like [[aggregator|plugins/aggregate]] for external feeds, or keep a [[TODO]] and [[bug|bugs]] list with tags for completed items.
 
-* ikiwiki provides a wiki compiler, designed to transform your wiki content into a set of static pages.  You can then serve these pages as static content.  ikiwiki will not fall over during a Slashdotting, because page views don't require the ikiwiki CGI; as long as your web server can keep up, your site will survive.  Furthermore, you can choose whether you want to run the ikiwiki CGI for web edits or only handle commits to the underlying version control system; you can even run ikiwiki privately and just manually copy the content to another server.  So if you want to put a wiki up on a server without installing any software on that server, try ikiwiki.
+* ikiwiki provides a wiki compiler, designed to transform your wiki content into a set of static pages.  You can then serve these pages as static content.  ikiwiki will not fall over during a Slashdotting, because page views don't require the ikiwiki CGI; as long as your web server can keep up, your [site](http://dessouse.net) will survive.  Furthermore, you can choose whether you want to run the ikiwiki CGI for web edits or only handle commits to the underlying version control system; you can even run ikiwiki privately and just manually copy the content to another server.  So if you want to put a wiki up on a server without installing any software on that server, try ikiwiki.
 
 ![Picture of the TourBus](http://www.wikiservice.at/image/wikibus.gif)
 

diff --git a/doc/index.mdwn b/doc/index.mdwn
index b1ef36b..88eafa1 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -19,7 +19,6 @@ ikiwiki [[!version ]].
 
 ## developer resources
 
-[jup](http://www.google.de)
 
 The [[RoadMap]] describes where the project is going.
 The [[forum]] is open for discussions.

diff --git a/doc/index.mdwn b/doc/index.mdwn
index 732cf7a..b1ef36b 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -19,6 +19,8 @@ ikiwiki [[!version ]].
 
 ## developer resources
 
+[jup](http://www.google.de)
+
 The [[RoadMap]] describes where the project is going.
 The [[forum]] is open for discussions.
 [[Bugs]], [[TODO]] items, [[wishlist]] items, and [[patches|patch]]
@@ -26,3 +28,5 @@ can be submitted and tracked using this wiki.
 
 ikiwiki is developed by [[Joey]] and many contributors,
 and is [[FreeSoftware]].
+
+

diff --git a/doc/todo/salmon_protocol_for_comment_sharing.mdwn b/doc/todo/salmon_protocol_for_comment_sharing.mdwn
index f4fa0c5..1e56b0a 100644
--- a/doc/todo/salmon_protocol_for_comment_sharing.mdwn
+++ b/doc/todo/salmon_protocol_for_comment_sharing.mdwn
@@ -1,3 +1,21 @@
-The <a href="http://www.salmon-protocol.org/home">Salmon protocol</a> provides for aggregating comments across sites.  If a site that syndicates a feed receives a comment on an item in that feed, it can re-post the comment to the original source.
+The <a href="http://www.salmon-protocol.org/home">Salmon protocol</a>
+provides for aggregating comments across sites.  If a site that syndicates
+a feed receives a comment on an item in that feed, it can re-post the
+comment to the original source.
+
+> Ikiwiki does not allow comments to be posted on items it aggregates.
+> So salmon protocol support would only need to handle the comment
+> receiving side of the protocol.
+> 
+> The current draft protocol document confuses me when it starts talking
+> about using OAuth in the abuse prevention section, since their example
+> does not show use of OAuth, and it's not at all clear to me where the
+> OAuth relationship between aggregator and original source is supposed
+> to come from.
+> 
+> Their security model, which goes on to include Webfinger,
+> thirdparty validation services, XRD, and Magic Signatures, looks sorta
+> like they kept throwing technology,  at it, hoping something will stick. :-P
+> --[[Joey]]
 
 [[!tag wishlist]]

diff --git a/doc/todo/salmon_protocol_for_comment_sharing.mdwn b/doc/todo/salmon_protocol_for_comment_sharing.mdwn
new file mode 100644
index 0000000..f4fa0c5
--- /dev/null
+++ b/doc/todo/salmon_protocol_for_comment_sharing.mdwn
@@ -0,0 +1,3 @@
+The <a href="http://www.salmon-protocol.org/home">Salmon protocol</a> provides for aggregating comments across sites.  If a site that syndicates a feed receives a comment on an item in that feed, it can re-post the comment to the original source.
+
+[[!tag wishlist]]

diff --git a/doc/news/version_3.20091202.mdwn b/doc/news/version_3.20091202.mdwn
deleted file mode 100644
index 60f17fe..0000000
--- a/doc/news/version_3.20091202.mdwn
+++ /dev/null
@@ -1,17 +0,0 @@
-ikiwiki 3.20091202 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * meta: Generate meta description tags even when the html scrubber is
-     enabled.
-   * meta: Allow use of DESCRIPTION in templates to get at the meta description
-     value. (Thanks, NicolasLimare)
-   * inline: Use caching of inlined pages to speed up builds of inlines that
-     include feeds. Speedup of about 25% for small inlines; could be much
-     larger for inlines of many, or complex pages.
-   * Added (incomplete) Turkish po file. Closes: #[556744](http://bugs.debian.org/556744)
-     Thanks, Recai Oktaş
-   * date: New plugin that allows inserting date directives that expand to
-     pretty-printed dates, using the same formatting as used for page
-     modification date display, etc.
-   * htmllink: Allow a title attribute to be specified.
-   * calendar: Add title attributes for all links in the calendars.
-   * calendar: Fix month wraparound error that broke in December."""]]
\ No newline at end of file
diff --git a/doc/news/version_3.20100302.mdwn b/doc/news/version_3.20100302.mdwn
new file mode 100644
index 0000000..f439b1b
--- /dev/null
+++ b/doc/news/version_3.20100302.mdwn
@@ -0,0 +1,12 @@
+ikiwiki 3.20100302 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * comments: Display number of comments in comment action link.
+   * Rebuild wikis on upgrade to this version to get the comment counts
+     added to existing pages.
+   * Loosen regexp, to allow empty quoted parameters in directives.
+   * Add force\_overwrite setting to make setup automator overwrite existing
+     files/directories.
+   * Fix admin openid detection in setup automator, and avoid prompting
+     for a password.
+   * Add new --clean option; this makes ikiwiki remove all built
+     files in the destdir, as well as wrappers and the .ikiwiki directory."""]]
\ No newline at end of file

diff --git a/doc/bugs/404_plugin_and_lighttpd.mdwn b/doc/bugs/404_plugin_and_lighttpd.mdwn
index 29ca107..ffbad8a 100644
--- a/doc/bugs/404_plugin_and_lighttpd.mdwn
+++ b/doc/bugs/404_plugin_and_lighttpd.mdwn
@@ -11,3 +11,25 @@ This is with lighttpd 1.4.19 on Debian.
 > I originally wrote the plugin for Apache; [[weakish]] contributed the
 > lighttpd docs and might know more about how to make it work there.
 > --[[smcv]]
+
+>> As I said, I got it working for me, but somebody who knows perl should probably look at it with the aim of making it work for everyone.
+>> I considered having lighttpd construct a proper url for the 404 redirect itself, but I don't know if it can do something like that or not.
+>> For what it's worth, here's the change I made to the module:
+
+    sub cgi ($) {
+            my $cgi=shift;
+            if ($ENV{REQUEST_URI} !~ /ikiwiki\.cgi/) {
+                    my $page = cgi_page_from_404(
+                            Encode::decode_utf8($ENV{SERVER_NAME} . $ENV{REQUEST_URI}),
+                            $config{url}, $config{usedirs});
+                    IkiWiki::Plugin::goto::cgi_goto($cgi, $page);
+            }
+    
+    #       if (exists $ENV{REDIRECT_STATUS} &&
+    #           $ENV{REDIRECT_STATUS} eq '404') {
+    #               my $page = cgi_page_from_404(
+    #                       Encode::decode_utf8($ENV{REDIRECT_URL}),
+    #                       $config{url}, $config{usedirs});
+    #               IkiWiki::Plugin::goto::cgi_goto($cgi, $page);
+    #       }
+    }

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index 12d6929..345604c 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -140,6 +140,7 @@ Personal sites and blogs
 * [Alex Ghitza homepage and blog](http://aghitza.org/)
 * [Mukund's homepage](http://www.mukund.org/)
 * [Andreas's homepage](http://0x7.ch/) - Ikiwiki, Subversion and CSS template
+* [Chris Dombroski's boring bliki](https://www.icanttype.org/)
 
 Please feel free to add your own ikiwiki site!