Index: branches/5.2.x/core/kernel/db/db_tag_processor.php =================================================================== diff -u -N -r15762 -r15856 --- branches/5.2.x/core/kernel/db/db_tag_processor.php (.../db_tag_processor.php) (revision 15762) +++ branches/5.2.x/core/kernel/db/db_tag_processor.php (.../db_tag_processor.php) (revision 15856) @@ -1,6 +1,6 @@ Application->Phrase($filter_params['label']) ); + $block_params['label'] = $filter_params['label']; + if (getArrayValue($view_filter,$filter_key)) { $submit = 0; if (isset($params['old_style'])) { @@ -850,7 +851,7 @@ $field = $this->SelectParam($params, 'name,field'); if (!$this->Application->isAdmin) { - // apply htmlspecialchars on all field values on Front-End + // don't apply kUtil::escape() on any field value on Front-End $params['no_special'] = 'no_special'; } @@ -896,8 +897,7 @@ } if (!array_key_exists('no_special', $params) || !$params['no_special']) { - // when no_special parameter NOT SET apply htmlspecialchars - $value = htmlspecialchars($value, null, CHARSET); + $value = kUtil::escape($value); } if (array_key_exists('checked', $params) && $params['checked']) { @@ -2282,7 +2282,7 @@ } if ( !array_key_exists('no_special', $params) || !$params['no_special'] ) { - $ret = htmlspecialchars($ret, null, CHARSET); + $ret = kUtil::escape($ret); } return $ret; @@ -2718,8 +2718,15 @@ } $icon_url = $this->Application->BaseURL() . 'core/admin_templates/img/top_frame/icons/' . $button_icon; - $button_code = ''; + $button_onclick = '$form_name = ' . json_encode($form_name) . '; std_edit_item(' . json_encode($item_prefix) . ', ' . json_encode($template) . ');'; + $button_code = ''; + if ( !isset($params['pass']) ) { $params['pass'] = 'm,' . $item_prefix; } 
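Review bot: The reworded comment at line 853 says what `no_special` does but not what it implies: with the flag forced on for every Front-End request, the field value is emitted with no escaping at all, so escaping becomes the template's job. I would state that where the flag is set, e.g. `// Front-End: field values are emitted unescaped; the calling template must escape them for its output context`. The surrounding method starts and ends outside this hunk, so I cannot see whether some front-end path escapes elsewhere.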
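Review bot: `$value = kUtil::escape($value);` relies on kUtil::escape's default mode, which this diff does not show, while the hunk at 2747 passes `kUtil::ESCAPE_HTML` explicitly for the same kind of HTML output. If the default is anything other than HTML escaping, this line is weaker than the `htmlspecialchars($value, null, CHARSET)` it replaces. I would pin the context here as well: `$value = kUtil::escape($value, kUtil::ESCAPE_HTML);`. The enclosing method begins and ends outside the hunk, so where `$value` is finally emitted is not visible.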
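Review bot: Same concern as at 898: `$ret = kUtil::escape($ret);` drops the explicit HTML semantics of the removed `htmlspecialchars()` call in favour of an unseen default. For consistency with the explicit `kUtil::ESCAPE_HTML` used later in this same commit, I would write `$ret = kUtil::escape($ret, kUtil::ESCAPE_HTML);`. The method this belongs to is cut off on both sides of the hunk.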
@@ -2740,8 +2747,9 @@ unset($params['button_icon'], $params['button_class'], $params['button_title'], $params['template'], $params['item_prefix'], $params['temp_mode']); // link from Front-End to Admin, don't remove "index.php" - $edit_url = $this->Application->HREF($template, ADMIN_DIRECTORY, $params, 'index.php'); - $edit_form = '
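Review bot: `$button_onclick` is built with plain `json_encode()` and, judging by its name, is placed into an HTML `onclick` attribute on the following `$button_code` line, whose markup has been stripped in this rendering; json_encode without flags leaves `"`, `<`, `>` and `&` untouched, so a double quote in `$form_name` or `$template` would close the attribute before the browser parses any JavaScript. JS-literal encoding and HTML-attribute encoding are two separate layers and both are needed. Either pass `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` to each `json_encode()` call, or run the finished string through `kUtil::escape($button_onclick, kUtil::ESCAPE_HTML)` at the point it is interpolated into the attribute, as the next hunk does for `$form_name` and `$edit_url`. json_encode() also returns false on invalid UTF-8, which concatenates as an empty string and yields a broken `std_edit_item(, )` call, so its return value deserves a check. The enclosing method continues on both sides of this hunk.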
'; + $form_name_escaped = kUtil::escape($form_name, kUtil::ESCAPE_HTML); + $edit_url = kUtil::escape($this->Application->HREF($template, ADMIN_DIRECTORY, $params, 'index.php'), kUtil::ESCAPE_HTML); + $edit_form = '
'; if ( isset($params['forms_later']) && $params['forms_later'] ) { $all_forms = $this->Application->GetVar('all_forms'); @@ -2950,9 +2958,9 @@ // always add search buttons array_push($preset_info['toolbar_buttons'], 'search', 'search_reset_alt'); - $toolbar_buttons = array_map('addslashes', $preset_info['toolbar_buttons']); + $toolbar_buttons = $preset_info['toolbar_buttons']; - return $toolbar_buttons ? "'" . implode("', '", $toolbar_buttons) . "'" : 'false'; + return $toolbar_buttons ? trim(json_encode($toolbar_buttons), '[]') : 'false'; } /**
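Review bot: The HTML-escaped URL is written back into `$edit_url`, while the escaped form name gets its own `$form_name_escaped`; the asymmetry matters because the method body continues past this hunk, and any later use of `$edit_url` outside an HTML context (a redirect header, a JavaScript string) would now carry `&amp;`-encoded query separators. I would keep the raw value and name the escaped one like its sibling: `$edit_url_escaped = kUtil::escape($this->Application->HREF($template, ADMIN_DIRECTORY, $params, 'index.php'), kUtil::ESCAPE_HTML);` and reference `$edit_url_escaped` in `$edit_form`. The markup of `$edit_form` is stripped from this rendering, so I cannot confirm where each value lands.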
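Review bot: `trim(json_encode($toolbar_buttons), '[]')` assumes json_encode() emits a JSON array, which holds only when `$preset_info['toolbar_buttons']` has consecutive zero-based keys; if a key was removed upstream the result is an object and the braces survive the trim, producing invalid JavaScript in whatever consumes this list. The `? ... : 'false'` branch is also dead after the `array_push()` just above it, since the array is never empty at that point. A form that does not depend on key shape: `return implode(', ', array_map('json_encode', array_values($toolbar_buttons)));`. If this string ends up inside a `<script>` block, adding `JSON_HEX_TAG` to the json_encode flags would be worth considering too, though the consumer is not visible in this hunk.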