Index: branches/5.2.x/units/gateways/gw_tag_processor.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/gateways/gw_tag_processor.php	(.../gw_tag_processor.php)	(revision 15600)
+++ branches/5.2.x/units/gateways/gw_tag_processor.php	(.../gw_tag_processor.php)	(revision 15854)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: gw_tag_processor.php 15600 2012-11-02 14:17:28Z alex $
+* @version	$Id: gw_tag_processor.php 15854 2013-07-02 14:55:29Z alex $
 * @package	In-Commerce
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license	Commercial License
@@ -50,7 +50,7 @@
 
 		$value = isset($this->ConfigValues[$id]) ? $this->ConfigValues[$id] : '';
 		if ( !array_key_exists('no_special', $params) || !$params['no_special'] ) {
-			$value = htmlspecialchars($value, null, CHARSET);
+			$value = kUtil::escape($value);
 		}
 
 		if ( getArrayValue($params, 'checked') ) {
Index: branches/5.2.x/units/gateways/gw_classes/ideal_nl.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/gateways/gw_classes/ideal_nl.php	(.../ideal_nl.php)	(revision 15600)
+++ branches/5.2.x/units/gateways/gw_classes/ideal_nl.php	(.../ideal_nl.php)	(revision 15854)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: ideal_nl.php 15600 2012-11-02 14:17:28Z alex $
+* @version	$Id: ideal_nl.php 15854 2013-07-02 14:55:29Z alex $
 * @package	In-Commerce
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license	Commercial License
@@ -103,7 +103,7 @@
 				$error_msg = $trans_data->FindChildValue('message');
 				$this->parsed_responce['XML'] = $transaction_xml;
 				$this->Application->SetVar('failure_template', $this->Application->RecallVar('gw_cancel_template'));
-				$this->parsed_responce['MESSAGE'] = $error_msg ? $error_msg : 'Unknown gateway error ('.htmlspecialchars($transaction_xml, null, CHARSET).')';
+				$this->parsed_responce['MESSAGE'] = $error_msg ? $error_msg : 'Unknown gateway error ('.kUtil::escape($transaction_xml, kUtil::ESCAPE_HTML).')';
 				return false;
 			}
 
Index: branches/5.2.x/units/shipping_quote_engines/usps.php
===================================================================
diff -u -N -r15568 -r15854
--- branches/5.2.x/units/shipping_quote_engines/usps.php	(.../usps.php)	(revision 15568)
+++ branches/5.2.x/units/shipping_quote_engines/usps.php	(.../usps.php)	(revision 15854)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: usps.php 15568 2012-10-10 13:27:55Z alex $
+* @version	$Id: usps.php 15854 2013-07-02 14:55:29Z alex $
 * @package	In-Commerce
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license	Commercial License
@@ -734,7 +734,7 @@
 			            '</IntlRateRequest>';
 			$api_query = 'IntlRate';
 		}
-		$request = 'API='.$api_query.'&XML=' . urlencode($request);
+		$request = 'API='.$api_query.'&XML=' . kUtil::escape($request, kUtil::ESCAPE_URL);
 		$body = $this->PostQuery($request);
 		$body = str_replace(chr(146), '', $body); // for bad `
 
@@ -937,7 +937,7 @@
 
 		// die($request);
 
-		$request = 'API='.$api_query.'&XML='.urlencode($request);
+		$request = 'API='.$api_query.'&XML='.kUtil::escape($request, kUtil::ESCAPE_URL);
 
 		$body = $this->PostQuery($request, 1);
 
@@ -1079,7 +1079,7 @@
 
 			$request = '<TrackRequest USERID="'.$this->usps_userid.'"><TrackID ID="'.$TrackingNumber.'"></TrackID></TrackRequest>';
 			$api_query = 'TrackV2';
-			$request = 'API='.$api_query.'&XML='.urlencode($request);
+			$request = 'API='.$api_query.'&XML='.kUtil::escape($request, kUtil::ESCAPE_URL);
 			$body = $this->PostQuery($request);
 
 			// check for errors
Index: branches/5.2.x/units/gateways/gw_classes/google_checkout.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/gateways/gw_classes/google_checkout.php	(.../google_checkout.php)	(revision 15600)
+++ branches/5.2.x/units/gateways/gw_classes/google_checkout.php	(.../google_checkout.php)	(revision 15854)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: google_checkout.php 15600 2012-11-02 14:17:28Z alex $
+* @version	$Id: google_checkout.php 15854 2013-07-02 14:55:29Z alex $
 * @package	In-Commerce
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license	Commercial License
@@ -80,8 +80,8 @@
 			$cart_xml = Array ();
 			foreach ($order_items as $order_item) {
 				$cart_xml[] = '	<item>
-					        		<item-name>'.htmlspecialchars($order_item['ProductName'], null, CHARSET).'</item-name>
-					        		<item-description>'.htmlspecialchars($order_item[$ml_formatter->LangFieldName('DescriptionExcerpt')], null, CHARSET).'</item-description>'.
+					        		<item-name>'.kUtil::escape($order_item['ProductName'], kUtil::ESCAPE_HTML).'</item-name>
+					        		<item-description>'.kUtil::escape($order_item[$ml_formatter->LangFieldName('DescriptionExcerpt')], kUtil::ESCAPE_HTML).'</item-description>'.
 									$this->getPriceXML('unit-price', $order_item['Price']).'
 					        		<quantity>'.$order_item['Quantity'].'</quantity>
 								</item>';
@@ -102,7 +102,7 @@
 
 			$shipping_xml = '';
 			foreach ($shipping_types as $shipping_name) {
-				$shipping_xml .= '	<merchant-calculated-shipping name="'.htmlspecialchars($shipping_name, null, CHARSET).'">
+				$shipping_xml .= '	<merchant-calculated-shipping name="'.kUtil::escape($shipping_name, kUtil::ESCAPE_HTML).'">
 										<price currency="USD">0.00</price>
 									</merchant-calculated-shipping>';
 			}
@@ -390,7 +390,7 @@
 				$shipping_name = $shipping_type['ShippingName'];
 				$processable_shipping_index = array_search($shipping_name, $process_shippings);
 				if ($processable_shipping_index !== false) {
-					$shipping_types_xml .= '<result shipping-name="'.htmlspecialchars($shipping_name, null, CHARSET).'" address-id="'.$address_id.'">
+					$shipping_types_xml .= '<result shipping-name="'.kUtil::escape($shipping_name, kUtil::ESCAPE_HTML).'" address-id="'.$address_id.'">
 				    	        				<shipping-rate currency="USD">'.sprintf('%01.2f', $shipping_type['TotalCost']).'</shipping-rate>
 				        	    				<shippable>true</shippable>
 				        					</result>';
@@ -402,7 +402,7 @@
 
 			// add unavailable shipping types
 			foreach ($process_shippings as $shipping_name) {
-				$shipping_types_xml .= '<result shipping-name="'.htmlspecialchars($shipping_name, null, CHARSET).'" address-id="'.$address_id.'">
+				$shipping_types_xml .= '<result shipping-name="'.kUtil::escape($shipping_name, kUtil::ESCAPE_HTML).'" address-id="'.$address_id.'">
 											<shipping-rate currency="USD">0.00</shipping-rate>
 				            				<shippable>false</shippable>
 				        				</result>';
Index: branches/5.2.x/units/shipping_quote_engines/intershipper.php
===================================================================
diff -u -N -r15141 -r15854
--- branches/5.2.x/units/shipping_quote_engines/intershipper.php	(.../intershipper.php)	(revision 15141)
+++ branches/5.2.x/units/shipping_quote_engines/intershipper.php	(.../intershipper.php)	(revision 15854)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: intershipper.php 15141 2012-03-04 08:08:18Z alex $
+* @version	$Id: intershipper.php 15854 2013-07-02 14:55:29Z alex $
 * @package	In-Commerce
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license	Commercial License
@@ -56,8 +56,8 @@
 		foreach($params['carriers'] as $carrier)
 		{
 			$i++;
-			$uri .= '&CarrierCode'.$i.'='.	rawurlencode($carrier['name']).
-			'&CarrierAccount'.$i.'='.		rawurlencode($carrier['account']).
+			$uri .= '&CarrierCode'.$i.'='.	kUtil::escape($carrier['name'], kUtil::ESCAPE_URL).
+			'&CarrierAccount'.$i.'='.		kUtil::escape($carrier['account'], kUtil::ESCAPE_URL).
 			'&CarrierInvoiced'.$i.'='.		$carrier['invoiced'];
 		}
 
@@ -71,21 +71,21 @@
 		$uri .= '&DeliveryType='.	'COM'.
 			'&ShipMethod='.			$params['ShipMethod'].
 
-			'&OriginationName='.	rawurlencode( $params['orig_name'] ).
-			'&OriginationAddress1='.rawurlencode( $params['orig_addr1'] ).
-			'&OriginationAddress2='.rawurlencode( $params['orig_addr2'] ).
-			'&OriginationCity='.	rawurlencode( $params['orig_city'] ).
-			'&OriginationState='.	rawurlencode( $params['orig_state'] ).
-			'&OriginationPostal='.	rawurlencode( $params['orig_postal'] ).
-			'&OriginationCountry='.	rawurlencode( $params['orig_country'] ).
+			'&OriginationName='.	kUtil::escape( $params['orig_name'], kUtil::ESCAPE_URL ).
+			'&OriginationAddress1='.kUtil::escape( $params['orig_addr1'], kUtil::ESCAPE_URL ).
+			'&OriginationAddress2='.kUtil::escape( $params['orig_addr2'], kUtil::ESCAPE_URL ).
+			'&OriginationCity='.	kUtil::escape( $params['orig_city'], kUtil::ESCAPE_URL ).
+			'&OriginationState='.	kUtil::escape( $params['orig_state'], kUtil::ESCAPE_URL ).
+			'&OriginationPostal='.	kUtil::escape( $params['orig_postal'], kUtil::ESCAPE_URL ).
+			'&OriginationCountry='.	kUtil::escape( $params['orig_country'], kUtil::ESCAPE_URL ).
 
-			'&DestinationName='.	rawurlencode( $params['dest_name'] ).
-			'&DestinationAddress1='.rawurlencode( $params['dest_addr1'] ).
-			'&DestinationAddress2='.rawurlencode( $params['dest_addr2'] ).
-			'&DestinationCity='.	rawurlencode( $params['dest_city'] ).
-			'&DestinationState='.	rawurlencode( $params['dest_state'] ).
-			'&DestinationPostal='.	rawurlencode( $params['dest_postal'] ).
-			'&DestinationCountry='.	rawurlencode( $params['dest_country'] ).
+			'&DestinationName='.	kUtil::escape( $params['dest_name'], kUtil::ESCAPE_URL ).
+			'&DestinationAddress1='.kUtil::escape( $params['dest_addr1'], kUtil::ESCAPE_URL ).
+			'&DestinationAddress2='.kUtil::escape( $params['dest_addr2'], kUtil::ESCAPE_URL ).
+			'&DestinationCity='.	kUtil::escape( $params['dest_city'], kUtil::ESCAPE_URL ).
+			'&DestinationState='.	kUtil::escape( $params['dest_state'], kUtil::ESCAPE_URL ).
+			'&DestinationPostal='.	kUtil::escape( $params['dest_postal'], kUtil::ESCAPE_URL ).
+			'&DestinationCountry='.	kUtil::escape( $params['dest_country'], kUtil::ESCAPE_URL ).
 
 			'&Currency='.			'USD'.
 			'&TotalPackages='.		count($params['packages']);
@@ -94,7 +94,7 @@
 		foreach($params['packages'] as $package)
 		{
 			$i++;
-			$uri .=	'&BoxID'.$i.'='.	urlencode( $package['package_key'] ).
+			$uri .=	'&BoxID'.$i.'='.	kUtil::escape( $package['package_key'] , kUtil::ESCAPE_URL ).
 			'&Weight'.$i.'='.			$package['weight'].
 			'&WeightUnit'.$i.'='.		$package['weight_unit'].
 			'&Length'.$i.'='.			$package['length'].
Index: branches/5.2.x/units/gateways/gw_classes/sella_guestpay.php
===================================================================
diff -u -N -r15596 -r15854
--- branches/5.2.x/units/gateways/gw_classes/sella_guestpay.php	(.../sella_guestpay.php)	(revision 15596)
+++ branches/5.2.x/units/gateways/gw_classes/sella_guestpay.php	(.../sella_guestpay.php)	(revision 15854)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: sella_guestpay.php 15596 2012-10-26 16:09:33Z alex $
+* @version	$Id: sella_guestpay.php 15854 2013-07-02 14:55:29Z alex $
 * @package	In-Commerce
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license	Commercial License
@@ -63,7 +63,7 @@
 			$separator = '*P1*';
 			$b = array();
 			foreach ($params as $key=>$val) {
-				$b[] = $key.'='.urlencode(trim($val));
+				$b[] = $key.'='.kUtil::escape(trim($val), kUtil::ESCAPE_URL);
 			}
 			//the last one is CUSTOMINFO according to GW specs, passing the atosorigin-style 'caddie'
 			$b = join($separator, $b);
Index: branches/5.2.x/units/product_options/product_options_tag_processor.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/product_options/product_options_tag_processor.php	(.../product_options_tag_processor.php)	(revision 15600)
+++ branches/5.2.x/units/product_options/product_options_tag_processor.php	(.../product_options_tag_processor.php)	(revision 15854)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: product_options_tag_processor.php 15600 2012-11-02 14:17:28Z alex $
+* @version	$Id: product_options_tag_processor.php 15854 2013-07-02 14:55:29Z alex $
 * @package	In-Commerce
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license	Commercial License
@@ -60,12 +60,12 @@
 			$val = $option;
 
 			if ( getArrayValue($params, 'js') ) {
-				$block_params['id'] = addslashes($val);
-				$block_params['value'] = htmlspecialchars($val, null, CHARSET);
+				$block_params['id'] = kUtil::escape($val, kUtil::ESCAPE_JS);
+				$block_params['value'] = kUtil::escape($val);
 			}
 			else {
-				$block_params['id'] = htmlspecialchars($val, null, CHARSET);
-				$block_params['value'] = htmlspecialchars($val, null, CHARSET);
+				$block_params['id'] = kUtil::escape($val);
+				$block_params['value'] = kUtil::escape($val);
 			}
 
 			if ( $conv_prices[$val] ) {
@@ -105,7 +105,7 @@
 				$option_value = array_key_exists($object->GetID(), $options) ? $options[$object->GetID()] : '';
 
 				if ( $object->GetDBField('OptionType') == OptionType::CHECKBOX ) {
-					$selected = is_array($option_value) && in_array(htmlspecialchars($val, null, CHARSET), $option_value);
+					$selected = is_array($option_value) && in_array(kUtil::escape($val), $option_value);
 				}
 				else { // radio buttons ?
 					$selected = htmlspecialchars_decode($option_value) == $val;
Index: branches/5.2.x/units/products/products_tag_processor.php
===================================================================
diff -u -N -r15540 -r15854
--- branches/5.2.x/units/products/products_tag_processor.php	(.../products_tag_processor.php)	(revision 15540)
+++ branches/5.2.x/units/products/products_tag_processor.php	(.../products_tag_processor.php)	(revision 15854)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: products_tag_processor.php 15540 2012-09-14 15:37:53Z alex $
+* @version	$Id: products_tag_processor.php 15854 2013-07-02 14:55:29Z alex $
 * @package	In-Commerce
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license	Commercial License
@@ -836,7 +836,7 @@
 	 */
 	protected function CompareLink($params)
 	{
-		$params['continue'] = urlencode($this->Application->HREF('__default__', '', Array ('pass_category' => 1)));
+		$params['continue'] = kUtil::escape($this->Application->HREF('__default__', '', Array ('pass_category' => 1)), kUtil::ESCAPE_URL);
 
 		return $this->Application->ProcessParsedTag('m', 'Link', $params);
 	}
Index: branches/5.2.x/units/order_items/order_items_tag_processor.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/order_items/order_items_tag_processor.php	(.../order_items_tag_processor.php)	(revision 15600)
+++ branches/5.2.x/units/order_items/order_items_tag_processor.php	(.../order_items_tag_processor.php)	(revision 15854)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: order_items_tag_processor.php 15600 2012-11-02 14:17:28Z alex $
+* @version	$Id: order_items_tag_processor.php 15854 2013-07-02 14:55:29Z alex $
 * @package	In-Commerce
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license	Commercial License
@@ -126,7 +126,9 @@
 						$block_params['price_type'] = $price_type;
 						$block_params['sign'] = $price >= 0 ? '+' : '-';
 					}
-					$block_params['value'] = htmlspecialchars($val, null, CHARSET);
+
+					// TODO: consider escaping in template instead
+					$block_params['value'] = kUtil::escape($val);
 					$block_params['type'] = $key_data['OptionType'];
 				}
 				$o .= $this->Application->ParseBlock($block_params, 1);
@@ -176,7 +178,10 @@
 		foreach ($values as $val) {
 			$i++;
 			$val = htmlspecialchars_decode($val);
-			$block_params['value'] = htmlspecialchars($val, null, CHARSET);
+
+			// TODO: consider escaping in template instead
+			$block_params['value'] = kUtil::escape($val);
+
 			if ($price_types[$val] == '$') {
 				$iso = $this->GetISO($params['currency']);
 				$value = $this->AddCurrencySymbol(sprintf("%.2f", $this->ConvertCurrency($prices[$val], $iso)), $iso, true); // true to force sign