diff --git a/wp-admin/custom-header.php b/wp-admin/custom-header.php
index 5daad1e04..b0251ee02 100644
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@@ -23,6 +23,7 @@ class Custom_Image_Header {
 	function js() {
 
 		if ( isset( $_POST['textcolor'] ) ) {
+			check_admin_referer('custom-header');
 			if ( 'blank' == $_POST['textcolor'] ) {
 				set_theme_mod('header_textcolor', 'blank');
 			} else {
@@ -31,8 +32,10 @@ class Custom_Image_Header {
 					set_theme_mod('header_textcolor', $color);
 			}
 		}
-		if ( isset($_POST['resetheader']) )
+		if ( isset($_POST['resetheader']) ) {
+			check_admin_referer('custom-header');
 			remove_theme_mods();
+		}
 	?>
 <script type="text/javascript">
 
@@ -157,7 +160,7 @@ Event.observe( window, 'load', hide_text );
 <h2><?php _e('Your Header Image'); ?></h2>
 <p><?php _e('This is your header image. You can change the text color or upload and crop a new image.'); ?></p>
 
-<div id="headimg" style="background: url(<?php header_image() ?>) no-repeat;">
+<div id="headimg" style="background: url(<?php clean_url(header_image()) ?>) no-repeat;">
 <h1><a onclick="return false;" href="<?php bloginfo('url'); ?>" title="<?php bloginfo('name'); ?>" id="name"><?php bloginfo('name'); ?></a></h1>
 <div id="desc"><?php bloginfo('description');?></div>
 </div>
@@ -165,7 +168,8 @@ Event.observe( window, 'load', hide_text );
 <form method="post" action="<?php echo get_option('siteurl') ?>/wp-admin/themes.php?page=custom-header&amp;updated=true">
 <input type="button" value="<?php _e('Hide Text'); ?>" onclick="hide_text()" id="hidetext" />
 <input type="button" value="<?php _e('Select a Text Color'); ?>" onclick="colorSelect($('textcolor'), 'pickcolor')" id="pickcolor" /><input type="button" value="<?php _e('Use Original Color'); ?>" onclick="colorDefault()" id="defaultcolor" />
-<input type="hidden" name="textcolor" id="textcolor" value="#<?php header_textcolor() ?>" /><input name="submit" type="submit" value="<?php _e('Save Changes'); ?> &raquo;" /></form>
+<?php wp_nonce_field('custom-header') ?>
+<input type="hidden" name="textcolor" id="textcolor" value="#<?php attribute_escape(header_textcolor()) ?>" /><input name="submit" type="submit" value="<?php _e('Save Changes'); ?> &raquo;" /></form>
 <?php } ?>
 
 <div id="colorPickerDiv" style="z-index: 100;background:#eee;border:1px solid #ccc;position:absolute;visibility:hidden;"> </div>
@@ -177,6 +181,7 @@ Event.observe( window, 'load', hide_text );
 <form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo attribute_escape(add_query_arg('step', 2)) ?>" style="margin: auto; width: 50%;">
 <label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
+<?php wp_nonce_field('custom-header') ?>
 <p class="submit">
 <input type="submit" value="<?php _e('Upload'); ?> &raquo;" />
 </p>
@@ -197,6 +202,7 @@ Event.observe( window, 'load', hide_text );
 	}
 
 	function step_2() {
+		check_admin_referer('custom-header');
 		$overrides = array('test_form' => false);
 		$file = wp_handle_upload($_FILES['import'], $overrides);
 
@@ -222,7 +228,7 @@ Event.observe( window, 'load', hide_text );
 		list($width, $height, $type, $attr) = getimagesize( $file );
 
 		if ( $width == HEADER_IMAGE_WIDTH && $height == HEADER_IMAGE_HEIGHT ) {
-			set_theme_mod('header_image', $url);
+			set_theme_mod('header_image', clean_url($url));
 			$header = apply_filters('wp_create_file_in_uploads', $file, $id); // For replication
 			return $this->finished();
 		} elseif ( $width > HEADER_IMAGE_WIDTH ) {
@@ -256,6 +262,7 @@ Event.observe( window, 'load', hide_text );
 <input type="hidden" name="height" id="height" />
 <input type="hidden" name="attachment_id" id="attachment_id" value="<?php echo $id; ?>" />
 <input type="hidden" name="oitar" id="oitar" value="<?php echo $oitar; ?>" />
+<?php wp_nonce_field('custom-header') ?>
 <input type="submit" value="<?php _e('Crop Header &raquo;'); ?>" />
 </p>
 
@@ -265,6 +272,7 @@ Event.observe( window, 'load', hide_text );
 	}
 
 	function step_3() {
+		check_admin_referer('custom-header');
 		if ( $_POST['oitar'] > 1 ) {
 			$_POST['x1'] = $_POST['x1'] * $_POST['oitar'];
 			$_POST['y1'] = $_POST['y1'] * $_POST['oitar'];
diff --git a/wp-admin/widgets.php b/wp-admin/widgets.php
index 5e06e66b3..169d74f73 100644
--- a/wp-admin/widgets.php
+++ b/wp-admin/widgets.php
@@ -2,6 +2,9 @@
 
 require_once 'admin.php';
 
+if ( ! current_user_can('edit_themes') )
+	wp_die( __( 'Cheatin&#8217; uh?' ));
+
 wp_enqueue_script( 'scriptaculous-effects' );
 wp_enqueue_script( 'scriptaculous-dragdrop' );
 
@@ -350,11 +353,7 @@ if ( isset( $_POST['action'] ) ) {
 			</script>
 		
 			<p class="submit">
-			<?php
-				if ( function_exists( 'wp_nonce_field' ) ) {
-					wp_nonce_field( 'widgets-save-widget-order' );
-				}
-			?>
+			<?php wp_nonce_field( 'widgets-save-widget-order' ); ?>
 				<input type="hidden" name="action" id="action" value="save_widget_order" />
 				<input type="submit" value="<?php _e( 'Save Changes &raquo;' ); ?>" />
 			</p>
diff --git a/wp-content/themes/default/functions.php b/wp-content/themes/default/functions.php
index 9ba153846..34d447ff9 100644
--- a/wp-content/themes/default/functions.php
+++ b/wp-content/themes/default/functions.php
@@ -82,6 +82,7 @@ add_action('admin_menu', 'kubrick_add_theme_page');
 function kubrick_add_theme_page() {
 	if ( $_GET['page'] == basename(__FILE__) ) {
 		if ( 'save' == $_REQUEST['action'] ) {
+			check_admin_referer('kubrick-header');
 			if ( isset($_REQUEST['njform']) ) {
 				if ( isset($_REQUEST['defaults']) ) {
 					delete_option('kubrick_header_image');
@@ -90,9 +91,10 @@ function kubrick_add_theme_page() {
 				} else {
 					if ( '' == $_REQUEST['njfontcolor'] )
 						delete_option('kubrick_header_color');
-					else
-						update_option('kubrick_header_color', $_REQUEST['njfontcolor']);
-
+					else {
+						$fontcolor = preg_replace('/^.*(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['njfontcolor']);
+						update_option('kubrick_header_color', $fontcolor);
+					}
 					if ( preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njuppercolor'], $uc) && preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njlowercolor'], $lc) ) {
 						$uc = ( strlen($uc[0]) == 3 ) ? $uc[0]{0}.$uc[0]{0}.$uc[0]{1}.$uc[0]{1}.$uc[0]{2}.$uc[0]{2} : $uc[0];
 						$lc = ( strlen($lc[0]) == 3 ) ? $lc[0]{0}.$lc[0]{0}.$lc[0]{1}.$lc[0]{1}.$lc[0]{2}.$lc[0]{2} : $lc[0];
@@ -109,20 +111,27 @@ function kubrick_add_theme_page() {
 			} else {
 
 				if ( isset($_REQUEST['headerimage']) ) {
+					check_admin_referer('kubrick-header');
 					if ( '' == $_REQUEST['headerimage'] )
 						delete_option('kubrick_header_image');
-					else
-						update_option('kubrick_header_image', $_REQUEST['headerimage']);
+					else {
+						$headerimage = preg_replace('/^.*?(header-img.php\?upper=[0-9a-fA-F]{6}&lower=[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['headerimage']);
+						update_option('kubrick_header_image', $headerimage);
+					}
 				}
 
 				if ( isset($_REQUEST['fontcolor']) ) {
+					check_admin_referer('kubrick-header');
 					if ( '' == $_REQUEST['fontcolor'] )
 						delete_option('kubrick_header_color');
-					else
-						update_option('kubrick_header_color', $_REQUEST['fontcolor']);
+					else {
+						$fontcolor = preg_replace('/^.*?(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['fontcolor']);
+						update_option('kubrick_header_color', $fontcolor);
+					}
 				}
 
 				if ( isset($_REQUEST['fontdisplay']) ) {
+					check_admin_referer('kubrick-header');
 					if ( '' == $_REQUEST['fontdisplay'] || 'inline' == $_REQUEST['fontdisplay'] )
 						delete_option('kubrick_header_display');
 					else
@@ -233,13 +242,13 @@ function kubrick_theme_page_head() {
 		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
 	}
 	function kRevert() {
-		document.getElementById('headerimage').value = '<?php echo kubrick_header_image(); ?>';
-		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo kubrick_upper_color(); ?>';
-		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo kubrick_lower_color(); ?>';
-		document.getElementById('header').style.background = 'url("<?php echo kubrick_header_image_url(); ?>") center no-repeat';
+		document.getElementById('headerimage').value = '<?php echo js_escape(kubrick_header_image()); ?>';
+		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo js_escape(kubrick_upper_color()); ?>';
+		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo js_escape(kubrick_lower_color()); ?>';
+		document.getElementById('header').style.background = 'url("<?php echo js_escape(kubrick_header_image_url()); ?>") center no-repeat';
 		document.getElementById('header').style.color = '';
-		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo kubrick_header_color_string(); ?>';
-		document.getElementById('fontdisplay').value = '<?php echo kubrick_header_display_string(); ?>';
+		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo js_escape(kubrick_header_color_string()); ?>';
+		document.getElementById('fontdisplay').value = '<?php echo js_escape(kubrick_header_display_string()); ?>';
 		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
 	}
 	function kInit() {
@@ -361,11 +370,12 @@ function kubrick_theme_page() {
 		<br />
 		<div id="nonJsForm">
 			<form method="post" action="">
+				<?php wp_nonce_field('kubrick-header'); ?>
 				<div class="zerosize"><input type="submit" name="defaultsubmit" value="Save" /></div>
-				<label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo kubrick_header_color(); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
-				<label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo kubrick_upper_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-				<label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo kubrick_lower_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-				<input type="hidden" name="hi" id="hi" value="<?php echo kubrick_header_image(); ?>" />
+				<label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
+				<label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+				<label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+				<input type="hidden" name="hi" id="hi" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
 				<input type="submit" name="toggledisplay" id="toggledisplay" value="Toggle Text" />
 				<input type="submit" name="defaults" value="Use Defaults" />
 				<input type="submit" class="defbutton" name="submitform" value="&nbsp;&nbsp;Save&nbsp;&nbsp;" />
@@ -375,25 +385,27 @@ function kubrick_theme_page() {
 		</div>
 		<div id="jsForm">
 			<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
+				<?php wp_nonce_field('kubrick-header'); ?>
 				<input type="button" onclick="tgt=document.getElementById('fontcolor');colorSelect(tgt,'pick1');return false;" name="pick1" id="pick1" value="Font Color"></input>
 				<input type="button" onclick="tgt=document.getElementById('uppercolor');colorSelect(tgt,'pick2');return false;" name="pick2" id="pick2" value="Upper Color"></input>
 				<input type="button" onclick="tgt=document.getElementById('lowercolor');colorSelect(tgt,'pick3');return false;" name="pick3" id="pick3" value="Lower Color"></input>
 				<input type="button" name="revert" value="Revert" onclick="kRevert()" />
 				<input type="button" value="Advanced" onclick="toggleAdvanced()" />
 				<input type="hidden" name="action" value="save" />
-				<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo kubrick_header_display(); ?>" />
-				<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo kubrick_header_color(); ?>" />
-				<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo kubrick_upper_color(); ?>" />
-				<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo kubrick_lower_color(); ?>" />
-				<input type="hidden" name="headerimage" id="headerimage" value="<?php echo kubrick_header_image(); ?>" />
+				<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo attribute_escape(kubrick_header_display()); ?>" />
+				<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" />
+				<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo attribute_escape(kubrick_upper_color()); ?>" />
+				<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo attribute_escape(kubrick_lower_color()); ?>" />
+				<input type="hidden" name="headerimage" id="headerimage" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
 				<p class="submit"><input type="submit" name="submitform" class="defbutton" value="<?php _e('Update Header &raquo;'); ?>" onclick="cp.hidePopup('prettyplease')" /></p>
 			</form>
 			<div id="colorPickerDiv" style="z-index: 100;background:#eee;border:1px solid #ccc;position:absolute;visibility:hidden;"> </div>
 			<div id="advanced">
 				<form id="jsAdvanced" style="display:none;" action="">
-					<label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo kubrick_header_color(); ?>" /><br />
-					<label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo kubrick_upper_color(); ?>" /><br />
-					<label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo kubrick_lower_color(); ?>" /><br />
+					<?php wp_nonce_field('kubrick-header'); ?>
+					<label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /><br />
+					<label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /><br />
+					<label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /><br />
 					<input type="button" name="default" value="Select Default Colors" onclick="kDefaults()" /><br />
 					<input type="button" onclick="toggleDisplay();return false;" name="pick" id="pick" value="Toggle Text Display"></input><br />
 				</form>
