diff --git a/doc/users/tschwinge.mdwn b/doc/users/tschwinge.mdwn
index 20d8d16..414612a 100644
--- a/doc/users/tschwinge.mdwn
+++ b/doc/users/tschwinge.mdwn
@@ -99,12 +99,6 @@ page that uses \[[!meta redir]].
 
 ## [[bugs/Broken Parentlinks]]
 
-## Discussion Pages of Discussion Pages of...
-
-Is it useful to have Discussion pages of Discussion pages (etc.)?  -- On
-<http://www.gnu.org/software/hurd/hurd/building/cross-compiling/discussion.html>,
-this possibility is offered.
-
 ## Modifying [[plugins/inline]] for showing only an *appetizer*
 
 Currently ikiwiki's inline plugin will either show the full page or nothing of

diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
index 0c1b0f2..6964cf2 100644
--- a/doc/tips/htaccess_file.mdwn
+++ b/doc/tips/htaccess_file.mdwn
@@ -21,7 +21,7 @@ different way to configure the web server. One way is to not put the
 `.htaccess` file under ikiwiki's control, and just manually install it
 in the destdir. --[[Joey]]
 
-[Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
+[Apache's documentation](http://httpd.apache.org/docs/2.2/howto/htaccess.html)
 says:
 > In general, you should never use .htaccess files unless you don't have
 > access to the main server configuration file.

diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
index 7b4b090..0c1b0f2 100644
--- a/doc/tips/htaccess_file.mdwn
+++ b/doc/tips/htaccess_file.mdwn
@@ -19,10 +19,9 @@ shell on your web server.
 If any of these questions have given you pause, I suggest you find a
 different way to configure the web server. One way is to not put the
 `.htaccess` file under ikiwiki's control, and just manually install it
-in the destdir.
+in the destdir. --[[Joey]]
 
 [Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
 says:
 > In general, you should never use .htaccess files unless you don't have
 > access to the main server configuration file.
---[[Joey]]

diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
index 5266eba..7b4b090 100644
--- a/doc/tips/htaccess_file.mdwn
+++ b/doc/tips/htaccess_file.mdwn
@@ -22,9 +22,7 @@ different way to configure the web server. One way is to not put the
 in the destdir.
 
 [Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
-says
+says:
 > In general, you should never use .htaccess files unless you don't have
 > access to the main server configuration file.
-This is good advice -- if you can edit apache's main configuration files,
-then you should not use a htaccess file.
 --[[Joey]]

diff --git a/doc/todo/enable-htaccess-files.mdwn b/doc/todo/enable-htaccess-files.mdwn
index c08502b..3b9721d 100644
--- a/doc/todo/enable-htaccess-files.mdwn
+++ b/doc/todo/enable-htaccess-files.mdwn
@@ -64,6 +64,11 @@ It should be off by default of course. --Max
 ---
 +1 I want `.htaccess` so I can rewrite some old Wordpress URLs to make feeds work again. --[[hendry]]
 
+> Unless you cannot modify apache's configuration, you do not need htaccess
+> to do that. Apache's documentation recommends against using htaccess
+> unless you're a user who cannot modify the main server configuration.
+> --[[Joey]] 
+
 ---
 +1 for various purposes (but sometimes the filename isn't `.htaccess`, so please make it configurable) --[[schmonz]]
 

diff --git a/doc/todo/enable-htaccess-files.mdwn b/doc/todo/enable-htaccess-files.mdwn
index c895db7..c08502b 100644
--- a/doc/todo/enable-htaccess-files.mdwn
+++ b/doc/todo/enable-htaccess-files.mdwn
@@ -12,6 +12,13 @@
                     qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//],
            wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,
 
+> Note that the above patch is **completely broken**. 
+> It removes the crucial excludes of all files starting with a dot.
+> The negative regexps for htaccess have no effect, so the whole
+> thing only "works" because it allows *any* file starting with a dot.
+> If you applied this patch to your ikiwiki, you opened a huge security
+> hole. --[[Joey]] 
+
 [[!tag patch patch/core]]
 
 This lets the site administrator have a `.htaccess` file in their underlay

diff --git a/IkiWiki.pm b/IkiWiki.pm
index 251ed8c..ee94ce6 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -334,6 +334,15 @@ sub getsetup () {
 		safe => 0, # paranoia
 		rebuild => 0,
 	},
+	include => {
+		type => "string",
+		default => undef,
+		example => '^\.htaccess$',
+		description => "regexp of normally ignored source files to include",
+		advanced => 1,
+		safe => 0, # regexp
+		rebuild => 1,
+	},
 	exclude => {
 		type => "string",
 		default => undef,
@@ -1820,6 +1829,10 @@ sub file_pruned ($;$) {
 		$file =~ s#^\Q$base\E/+##;
 	}
 
+	if (defined $config{include} && length $config{include}) {
+		return 0 if $file =~ m/$config{include}/;
+	}
+
 	my $regexp='('.join('|', @{$config{wiki_file_prune_regexps}}).')';
 	return $file =~ m/$regexp/;
 }
diff --git a/debian/changelog b/debian/changelog
index 92afe66..e5347e2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,10 @@ ikiwiki (3.20100313) UNRELEASED; urgency=low
     as used by yahoo and google urls.
   * Add complete German basewiki and directives translation done by
     Sebastian Kuhnert.
+  * Add a include setting, which can be used to make ikiwiki process
+    wiki source files, such as .htaccess, that would normally be skipped
+    for security or other reasons. Closes: #447267
+    (Thanks to Aaron Wilson for the original patch.)
 
  -- Joey Hess <joeyh@debian.org>  Sat, 13 Mar 2010 14:48:10 -0500
 
diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
new file mode 100644
index 0000000..5266eba
--- /dev/null
+++ b/doc/tips/htaccess_file.mdwn
@@ -0,0 +1,30 @@
+If you try to include a `.htaccess` file in your wiki's source, in order to
+configure the web server, you'll find that ikiwiki excludes it from
+processing. In fact, ikiwiki excludes any file starting with a dot, as well
+as a lot of other files, for good security reasons.
+
+You can tell ikiwiki not to exclude the .htaccess file by adding this to
+your setup file:
+
+	include => '^\.htaccess$',
+
+Caution! Before you do that, please think for a minute about who can edit
+your wiki. Are attachment uploads enabled? Can users commit changes
+directly to the version control system? Do you trust everyone who can
+make a change to not do Bad Things with the htaccess file? Do you trust
+everyone who *might* be able to make a change in the future? Note that a
+determined attacker who can write to the htaccess file can probably get a
+shell on your web server.
+
+If any of these questions have given you pause, I suggest you find a
+different way to configure the web server. One way is to not put the
+`.htaccess` file under ikiwiki's control, and just manually install it
+in the destdir.
+
+[Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
+says
+> In general, you should never use .htaccess files unless you don't have
+> access to the main server configuration file.
+This is good advice -- if you can edit apache's main configuration files,
+then you should not use a htaccess file.
+--[[Joey]]
diff --git a/doc/todo/enable-htaccess-files.mdwn b/doc/todo/enable-htaccess-files.mdwn
index 412cb5e..c895db7 100644
--- a/doc/todo/enable-htaccess-files.mdwn
+++ b/doc/todo/enable-htaccess-files.mdwn
@@ -61,3 +61,8 @@ It should be off by default of course. --Max
 +1 for various purposes (but sometimes the filename isn't `.htaccess`, so please make it configurable) --[[schmonz]]
 
 > I've described a workaround for one use case at the [[plugins/rsync]] [[plugins/rsync/discussion]] page. --[[schmonz]]
+
+---
+
+[[done]], you can use the `include` setting to override the default
+excludes now. Please use extreme caution when doing so. --[[Joey]] 
diff --git a/doc/usage.mdwn b/doc/usage.mdwn
index a105d7e..f735170 100644
--- a/doc/usage.mdwn
+++ b/doc/usage.mdwn
@@ -234,6 +234,12 @@ also be configured using a setup file.
   Specifies a rexexp of source files to exclude from processing.
   May be specified multiple times to add to exclude list.
 
+* --include regexp
+
+  Specifies a rexexp of source files, that would normally be excluded,
+  but that you wish to include in processing.
+  May be specified multiple times to add to include list.
+
 * --adminuser name
 
   Specifies a username of a user (or, if openid is enabled, an openid) 
diff --git a/ikiwiki.in b/ikiwiki.in
index ae1251f..da55556 100755
--- a/ikiwiki.in
+++ b/ikiwiki.in
@@ -65,6 +65,9 @@ sub getconfig () {
 			"exclude=s@" => sub {
 				push @{$config{wiki_file_prune_regexps}}, $_[1];
 			},
+			"include=s@" => sub {
+				$config{include}=defined $config{include} && length $config{include} ? "$config{include}|$_[1]" : $_[1];
+			},
 			"adminuser=s@" => sub {
 				push @{$config{adminuser}}, $_[1]
 			},

diff --git a/doc/sandbox/prova_blog.html b/doc/sandbox/prova_blog.html
new file mode 100644
index 0000000..d69937e
--- /dev/null
+++ b/doc/sandbox/prova_blog.html
@@ -0,0 +1,8 @@
+Questa è una prova.
+Vediamo se funziona
+
+<pre>
+#!/bin/bash
+
+echo "ciao"
+</pre>

diff --git a/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn b/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
index 9eac8ea..189ba74 100644
--- a/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
@@ -57,4 +57,14 @@ What might be causing this exception and how I might go about debugging exceptio
 >>>>>>> misunderstanding. I've put in a complete fix for this problem.
 >>>>>>> if this was in [[bugs]], I'd close it. :) --[[Joey]] 
 
+>>>>>>>> Rather than escaping `$` as an HTML entity, it would be more natural
+>>>>>>>> to escape it as `$$` (since you are escaping it for Omega, not for
+>>>>>>>> the web browser.
+>>>>>>>>
+>>>>>>>> Also if ikiwiki can put arbitrary text inside the parameters of an
+>>>>>>>> OmegaScript command, you should also escape `{`, `}` and `,` as
+>>>>>>>> `$(`, `$)` and `$.`.  It's only necessary to do so inside the
+>>>>>>>> parameters of a command, but it will work and be easier to escape
+>>>>>>>> them in any substituted text. --OllyBetts
+
 [[done]]

diff --git a/doc/todo/avatar.mdwn b/doc/todo/avatar.mdwn
index 3a4e64b..f0599e4 100644
--- a/doc/todo/avatar.mdwn
+++ b/doc/todo/avatar.mdwn
@@ -1,42 +1,60 @@
 [[!tag wishlist]]
 
 It would be nice if ikiwiki, particularly [[plugins/comments]]
-supported user avatar icons.
+(but also, ideally, recentchanges) supported user avatar icons.
 
 Idea is to add a directive that displays a small avatar image for a user.
-Pass it the email address, openid, or wiki username of the user.
+Pass it a user's the email address, openid, username, or the md5 hash
+of their email address:
 
 	\[[!avatar user@example.com]]
 	\[[!avatar http://joey.kitenet.net/]]
 	\[[!avatar user]]
+	\[[!avatar hash]]
 
 These directives can then be hand-inserted onto pages, or more likely,
-included in eg, a comment post via a template. Possibly included in a
-recentchanges page item via that template too?
+included in eg, a comment post via a template.
+
+An optional second parameter can be included, containing additional
+options to pass in the 
+[gravatar url](http://en.gravatar.com/site/implement/url).
+For example, this asks for a smaller gravatar, and if a user does
+not have a gravatar, uses a cute auto-generated "wavatar" avatar.
+
+	\[[!gravatar user@example.com "size=40&default=wavatar"]]
+
+The `gravitar_options` setting in the setup file can be used to
+specify additional options to pass. So for example if you want
+to use wavatars everywhere, set it to "default=wavatar".
 
 The avatars are provided by various sites. For email addresses, it uses a
 [gravatar](http://gravatar.com/). For a wiki username, the
 user's email address is looked up and the gravatar for that user is
 displayed. (Of course, the user has to have filled in their email address
-on their Preferences page for that to work.)
+on their Preferences page for that to work. Also, when the user changes
+their email address in Preferences, the gravatar won't change until the
+wiki is rebuilt.)
 
 For openid, openavatar sucked and is now dead. So we need to use an email
 address instead, I guess. Problem is that the email address of a given
 openid is only known when that user is logged in and making a change.
 And we don't want to leak an openid user's email into a page either.
 Hmm. Suppose the gravatar hash could be calculated from the email address
-and embedded instead of the openid?
+and embedded instead of the openid? That would work for comments,
+but not if the directive were used elsewhere.
 
-Or, for openid, could use <http://paulisageek.com/openidavatar>.
+Or, for openid, could use <http://paulisageek.com/openidavatar>. Which
+works fine, but users are not likely to figure out what they need to do to
+get an avatar associated with their openid.
 
-An optional second parameter can be included, containing additional
-options to pass in the 
-[gravatar url](http://en.gravatar.com/site/implement/url).
-For example, this asks for a smaller gravatar, and if a user does
-not have a gravatar, uses a cute auto-generated "wavatar" avatar.
+---
 
-	\[[!gravatar user@example.com "size=40&default=wavatar"]]
+Alternative, not overdesigned approach:
 
-The `gravitar_options` setting in the setup file can be used to
-specify additional options to pass. So for example if you want
-to use wavatars everywhere, set it to "default=wavatar".
+Modify comments plugin to have an option to display avatars.
+
+When posting a comment, fill in the avatarhash field in the template.
+The hash is calculated from the user's email address. If the user's email
+is not known, skip it. 
+
+End. :P

diff --git a/IkiWiki.pm b/IkiWiki.pm
index 00eadfd..251ed8c 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -1131,7 +1131,7 @@ sub openiduser ($) {
 		# Convert "http://somehost.com/user" to "user [somehost.com]".
 		# (also "https://somehost.com/user/")
 		if ($display !~ /\[/) {
-			$display=~s/^https?:\/\/(.+)\/([^\/]+)\/?$/$2 [$1]/;
+			$display=~s/^https?:\/\/(.+)\/([^\/#?]+)\/?(?:[#?].*)?$/$2 [$1]/;
 		}
 		$display=~s!^https?://!!; # make sure this is removed
 		eval q{use CGI 'escapeHTML'};
diff --git a/debian/changelog b/debian/changelog
index 854d831..0a96796 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ ikiwiki (3.20100313) UNRELEASED; urgency=low
     as unsafe.
   * openid: Use Openid Simple Registration or OpenID Attribute Exchange
     to get the user's email address and username.
+  * Improve openid url munging; do not display anchors and cgi parameters,
+    as used by yahoo and google urls.
 
  -- Joey Hess <joeyh@debian.org>  Sat, 13 Mar 2010 14:48:10 -0500
 
diff --git a/doc/forum/google_openid_broken__63__.mdwn b/doc/forum/google_openid_broken__63__.mdwn
index 4ca5cac..96ba2d7 100644
--- a/doc/forum/google_openid_broken__63__.mdwn
+++ b/doc/forum/google_openid_broken__63__.mdwn
@@ -59,6 +59,12 @@ points to a fairly useless xml document, rather than a web page. --[[Joey]]
 
 > Using the Google profile page as the OpenID is really orthogonal to the above. --[[kaol]]
 
+>> First, I don't accept that the openid google returns from their 
+>> generic signin url *has* to be so freaking ugly. For contrast, 
+>> look at the openid you log in as if you use the yahoo url.
+>> <https://me.yahoo.com/joeyhess#35f22>. Nice and clean, now
+>> munged by ikiwiki to "joeyhess [me.yahoo.com]".
+>> 
 >> Displaying email addresses is not really an option, because ikiwiki
 >> can't leak user email addresses like that. Displaying nicknames or
 >> usernames is, see [[todo/Separate_OpenIDs_and_usernames]].
diff --git a/t/openiduser.t b/t/openiduser.t
index 52d8794..caabbce 100755
--- a/t/openiduser.t
+++ b/t/openiduser.t
@@ -10,7 +10,7 @@ BEGIN {
 		eval q{use Test::More skip_all => "Net::OpenID::VerifiedIdentity not available"};
 	}
 	else {
-		eval q{use Test::More tests => 9};
+		eval q{use Test::More tests => 11};
 	}
 	use_ok("IkiWiki::Plugin::openid");
 }
@@ -28,6 +28,11 @@ $^W=1;
 is(IkiWiki::openiduser('http://yam655.livejournal.com/'), 'yam655 [livejournal.com]');
 is(IkiWiki::openiduser('http://id.mayfirst.org/jamie/'), 'jamie [id.mayfirst.org]');
 
+# yahoo has an anchor in the url
+is(IkiWiki::openiduser('https://me.yahoo.com/joeyhess#35f22'), 'joeyhess [me.yahoo.com]');
+# google urls are horrendous, but the worst bit is after a ?, so can be dropped
+is(IkiWiki::openiduser('https://www.google.com/accounts/o8/id?id=AItOawm-ebiIfxbKD3KNa-Cu9LvvD9edMLW7BAo'), 'id [www.google.com/accounts/o8]');
+
 # and some less typical ones taken from the ikiwiki commit history
 
 is(IkiWiki::openiduser('http://thm.id.fedoraproject.org/'), 'thm [id.fedoraproject.org]');

diff --git a/doc/forum/google_openid_broken__63__.mdwn b/doc/forum/google_openid_broken__63__.mdwn
index 0e41d4c..4ca5cac 100644
--- a/doc/forum/google_openid_broken__63__.mdwn
+++ b/doc/forum/google_openid_broken__63__.mdwn
@@ -58,3 +58,16 @@ points to a fairly useless xml document, rather than a web page. --[[Joey]]
 > I've added buttons that submit the two above URLs for logging in with a Google and Yahoo OpenID, respectively, to my locally changed OpenID login plugin.
 
 > Using the Google profile page as the OpenID is really orthogonal to the above. --[[kaol]]
+
+>> Displaying email addresses is not really an option, because ikiwiki
+>> can't leak user email addresses like that. Displaying nicknames or
+>> usernames is, see [[todo/Separate_OpenIDs_and_usernames]].
+>>
+>> It would probably be good if the openid plugin could be configured with
+>> a list of generic openid urls, so it can add quick login buttons using
+>> those urls.
+>>
+>> The ugly google url will still be exposed here and there where
+>> a unique user id is needed. That can be avoided by not using the generic
+>> <https://www.google.com/accounts/o8/id>, but instead your own profile
+>> like <http://www.google.com/profiles/joeyhess>. --[[Joey]] 
diff --git a/doc/todo/Separate_OpenIDs_and_usernames.mdwn b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
index 7cfe49a..fcdb49f 100644
--- a/doc/todo/Separate_OpenIDs_and_usernames.mdwn
+++ b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
@@ -26,6 +26,13 @@ A slightly more complex next step would be to request sreg from the provider and
 > 
 >	Author: Joey Hess &lt;http://joey.kitenet.net/@web&gt;
 > 
+> Only problem with the above is that the openid will still be displayed
+> by CIA. Other option is this, which solves that, but at the expense of
+> having to munge the username to fit inside the email address,
+> and generally seems backwards: --[[Joey]] 
+> 
+>	Author: http://joey.kitenet.net/ &lt;Joey_Hess@web&gt;
+> 
 > So, what needs to be done:
 > 
 > * Change `rcs_commit` and `rcs_commit_staged` to take a session object,

diff --git a/doc/todo/Separate_OpenIDs_and_usernames.mdwn b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
index 3fb952f..7cfe49a 100644
--- a/doc/todo/Separate_OpenIDs_and_usernames.mdwn
+++ b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
@@ -18,15 +18,25 @@ A slightly more complex next step would be to request sreg from the provider and
 > page).
 > 
 > I am considering displaying the userid or fullname, if available,
-> instead of the munged openid url in recentchanges. It would be nice
-> for those nasty [[google_openids|forum/google_openid_broken?]]. But,
-> I first have to find a way to encode the name in the VCS commit log,
+> instead of the munged openid url in recentchanges and comments.
+> It would be nice for those nasty [[google_openids|forum/google_openid_broken?]].
+> But, I first have to find a way to encode the name in the VCS commit log,
 > while still keeping the openid of the committer in there too.
 > Perhaps something like this (for git): --[[Joey]] 
 > 
 >	Author: Joey Hess <http://joey.kitenet.net/@web>
 > 
+> So, what needs to be done:
 > 
+> * Change `rcs_commit` and `rcs_commit_staged` to take a session object,
+>   instead of just a userid. (For back-compat, if the parameter is 
+>   not an object, it's a userid.) Bump ikiwiki plugin interface version.
+> * Modify all RCS plugins to include the session username somewhere
+>   in the commit, and parse it back out in `rcs_recentchanges`.
+> * Modify recentchanges plugin to display the username instead of the
+>   `openiduser`.
+> * Modify comment plugin to put the session username in the comment
+>   template instead of the `openiduser`.
 
 Unfortunately I don't speak Perl, so hopefully someone thinks these suggestions are good enough to code up. I've hacked on openid code in Ruby before, so hopefully these changes aren't all that difficult to implement. Even if you don't get any data via sreg, you're no worse off than where you are now, so I don't think there'd need to be much in the way of error/sanity-checking of returned data. If it's null or not available then no big deal, typing in a username is no sweat.
 

diff --git a/doc/todo/Separate_OpenIDs_and_usernames.mdwn b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
index ae427d5..3fb952f 100644
--- a/doc/todo/Separate_OpenIDs_and_usernames.mdwn
+++ b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
@@ -13,8 +13,9 @@ A slightly more complex next step would be to request sreg from the provider and
 > implemented as a badly-done wart on the side of their regular login
 > system.
 > 
-> Openid Simple Registration is now used to populate the userdb with the
-> email address for openid users.
+> The openid plugin now attempts to get an email and a username, and stores
+> them in the session database for later use (ie, when the user edits a
+> page).
 > 
 > I am considering displaying the userid or fullname, if available,
 > instead of the munged openid url in recentchanges. It would be nice
@@ -23,7 +24,9 @@ A slightly more complex next step would be to request sreg from the provider and
 > while still keeping the openid of the committer in there too.
 > Perhaps something like this (for git): --[[Joey]] 
 > 
->	Author: Joey Hess <http://joey.kitenet.net/@web>
+>	Author: Joey Hess &lt;http://joey.kitenet.net/@web&gt;
+> 
+> 
 
 Unfortunately I don't speak Perl, so hopefully someone thinks these suggestions are good enough to code up. I've hacked on openid code in Ruby before, so hopefully these changes aren't all that difficult to implement. Even if you don't get any data via sreg, you're no worse off than where you are now, so I don't think there'd need to be much in the way of error/sanity-checking of returned data. If it's null or not available then no big deal, typing in a username is no sweat.
 
diff --git a/doc/todo/avatar.mdwn b/doc/todo/avatar.mdwn
index 4409e7b..3a4e64b 100644
--- a/doc/todo/avatar.mdwn
+++ b/doc/todo/avatar.mdwn
@@ -15,14 +15,20 @@ included in eg, a comment post via a template. Possibly included in a
 recentchanges page item via that template too?
 
 The avatars are provided by various sites. For email addresses, it uses a
-[gravatar](http://gravatar.com/). For openid,
-[openavatar](http://www.openvatar.com/) could used, but I am not very happy
-with it; probably better to just get the email via SREG (as is done now for
-openid), and use that. For a wiki username, the
+[gravatar](http://gravatar.com/). For a wiki username, the
 user's email address is looked up and the gravatar for that user is
 displayed. (Of course, the user has to have filled in their email address
 on their Preferences page for that to work.)
 
+For openid, openavatar sucked and is now dead. So we need to use an email
+address instead, I guess. Problem is that the email address of a given
+openid is only known when that user is logged in and making a change.
+And we don't want to leak an openid user's email into a page either.
+Hmm. Suppose the gravatar hash could be calculated from the email address
+and embedded instead of the openid?
+
+Or, for openid, could use <http://paulisageek.com/openidavatar>.
+
 An optional second parameter can be included, containing additional
 options to pass in the 
 [gravatar url](http://en.gravatar.com/site/implement/url).

diff --git a/doc/todo/git_attribution/discussion.mdwn b/doc/todo/git_attribution/discussion.mdwn
index dfb490b..6905d9b 100644
--- a/doc/todo/git_attribution/discussion.mdwn
+++ b/doc/todo/git_attribution/discussion.mdwn
@@ -72,7 +72,7 @@ no determination of uniqueness)
 > GIT_AUTHOR_EMAIL can also be set.
 > 
 > There is one thing yet to be solved, and that is how to tell the
-> difference between a web commit by 'Joey Hess <joey@kitenet.net>',
+> difference between a web commit by 'Joey Hess <joey\@kitenet.net>',
 > and a git commit by the same. I think we do want to differentiate these,
 > and the best way to do it seems to be to add a line to the end of the
 > commit message. Something like: "\n\nWeb-commit: true"
@@ -94,5 +94,5 @@ no determination of uniqueness)
 > * github pushes to twitter ;-)
 > 
 > So while I tried that way at first, I'm now leaning toward encoding the
-> username in the email address. Like "user <user@web>", or
-> "joey <http://joey.kitenet.net/@web>".
+> username in the email address. Like "user <user\@web>", or
+> "joey <http://joey.kitenet.net/\@web>".

diff --git a/doc/todo/Separate_OpenIDs_and_usernames.mdwn b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
index 2cd52e8..ae427d5 100644
--- a/doc/todo/Separate_OpenIDs_and_usernames.mdwn
+++ b/doc/todo/Separate_OpenIDs_and_usernames.mdwn
@@ -6,6 +6,25 @@ I see this being implemented in one of two possible ways. The easiest seems like
 
 A slightly more complex next step would be to request sreg from the provider and, if provided, automatically set the identity's username and email address from the provided persona. If username login to accounts with blank passwords is disabled, then you have the best of both worlds. Passwordless signin, human-friendly attribution, automatic setting of preferences.
 
+> Given that openids are a global user identifier, that can look as pretty
+> as the user cares to make it look via delegation, I am not a fan of 
+> having a site-local identifier that layered on top of that. Perhaps
+> partly because every site that I have seen that does that has openid
+> implemented as a badly-done wart on the side of their regular login
+> system.
+> 
+> Openid Simple Registration is now used to populate the userdb with the
+> email address for openid users.
+> 
+> I am considering displaying the userid or fullname, if available,
+> instead of the munged openid url in recentchanges. It would be nice
+> for those nasty [[google_openids|forum/google_openid_broken?]]. But,
+> I first have to find a way to encode the name in the VCS commit log,
+> while still keeping the openid of the committer in there too.
+> Perhaps something like this (for git): --[[Joey]] 
+> 
+>	Author: Joey Hess <http://joey.kitenet.net/@web>
+
 Unfortunately I don't speak Perl, so hopefully someone thinks these suggestions are good enough to code up. I've hacked on openid code in Ruby before, so hopefully these changes aren't all that difficult to implement. Even if you don't get any data via sreg, you're no worse off than where you are now, so I don't think there'd need to be much in the way of error/sanity-checking of returned data. If it's null or not available then no big deal, typing in a username is no sweat.
 
 [[!tag wishlist]]

diff --git a/doc/todo/avatar.mdwn b/doc/todo/avatar.mdwn
index b8aa232..4409e7b 100644
--- a/doc/todo/avatar.mdwn
+++ b/doc/todo/avatar.mdwn
@@ -1,35 +1,24 @@
 [[!tag wishlist]]
 
 It would be nice if ikiwiki, particularly [[plugins/comments]]
-supported user avatar icons. I was considering adding a directive for this,
-as designed below.
+supported user avatar icons.
 
-However, there is no *good* service for mapping openids to avatars --
-openavatar has many issues, including not supporting delegated openids, and
-after trying it, I don't trust it to push users toward. 
-Perhaps instead ikiwiki could get the email address from the openid
-provider, though I think the perl openid modules don't support the openid
-2.x feature that allows that.
-
-At the moment, working on this doesn't feel like a good use of my time.
---[[Joey]]
-
-Hmm.. unless is just always used a single provider (gravatar) and hashed
-the openid. Then wavatars could be used to get a unique avatar per openid
-at least. --[[Joey]] 
-
-----
-
-The directive displays a small avatar image for a user. Pass it the
-email address, openid, or wiki username of the user.
+Idea is to add a directive that displays a small avatar image for a user.
+Pass it the email address, openid, or wiki username of the user.
 
 	\[[!avatar user@example.com]]
 	\[[!avatar http://joey.kitenet.net/]]
 	\[[!avatar user]]
 
+These directives can then be hand-inserted onto pages, or more likely,
+included in eg, a comment post via a template. Possibly included in a
+recentchanges page item via that template too?
+
 The avatars are provided by various sites. For email addresses, it uses a
 [gravatar](http://gravatar.com/). For openid,
-[openavatar](http://www.openvatar.com/) is used. For a wiki username, the
+[openavatar](http://www.openvatar.com/) could used, but I am not very happy
+with it; probably better to just get the email via SREG (as is done now for
+openid), and use that. For a wiki username, the
 user's email address is looked up and the gravatar for that user is
 displayed. (Of course, the user has to have filled in their email address
 on their Preferences page for that to work.)

diff --git a/doc/forum/google_openid_broken__63__.mdwn b/doc/forum/google_openid_broken__63__.mdwn
index 68b44f2..0e41d4c 100644
--- a/doc/forum/google_openid_broken__63__.mdwn
+++ b/doc/forum/google_openid_broken__63__.mdwn
@@ -50,3 +50,11 @@ The openid is
 <https://www.google.com/accounts/o8/id?id=AItOawltlTwUCL_Fr1siQn94GV65-XwQH5XSku4>
 (what a mouthfull!), and I don't know who that is or how to use it since it
 points to a fairly useless xml document, rather than a web page. --[[Joey]]
+
+> That string is what's received via the discovery protocol. The user logging in with a Google account is not supposed to write that when logging in, but rather <https://www.google.com/accounts/o8/id>. The OpenID client library will accept that and redirect the user to a sign in page, which will return that string as the OpenID. It's not really usable as an identifier for edits and whatnots, but an alternative would be to use the attribute exchange extension to get the email address and display that. See <http://code.google.com/apis/accounts/docs/OpenID.html#Parameters>.
+
+> Yahoo's OpenID implementation works alike, but I haven't looked at it as much. It uses <https://me.yahoo.com/> to receive the endpoint.
+
+> I've added buttons that submit the two above URLs for logging in with a Google and Yahoo OpenID, respectively, to my locally changed OpenID login plugin.
+
+> Using the Google profile page as the OpenID is really orthogonal to the above. --[[kaol]]

diff --git a/IkiWiki/Plugin/websetup.pm b/IkiWiki/Plugin/websetup.pm
index 5c19c9b..d444c0a 100644
--- a/IkiWiki/Plugin/websetup.pm
+++ b/IkiWiki/Plugin/websetup.pm
@@ -27,6 +27,13 @@ sub getsetup () {
 			safe => 0,
 			rebuild => 0,
 		},
+		websetup_unsafe => {
+			type => "string",
+			example => [],
+			description => "list of additional setup field keys to treat as unsafe",
+			safe => 0,
+			rebuild => 0,
+		},
 		websetup_show_unsafe => {
 			type => "boolean",
 			example => 1,
@@ -57,6 +64,12 @@ sub formatexample ($$) {
 	}
 }
 
+sub issafe ($) {
+	my $key=shift;
+
+	return ! grep { $_ eq $key } @{$config{websetup_unsafe}};
+}
+
 sub showfields ($$$@) {
 	my $form=shift;
 	my $plugin=shift;
@@ -78,7 +91,8 @@ sub showfields ($$$@) {
 		# XXX hashes not handled yet
 		next if ref $config{$key} && ref $config{$key} eq 'HASH' || ref $info{example} eq 'HASH';
 		# maybe skip unsafe settings
-		next if ! $info{safe} && ! ($config{websetup_show_unsafe} && $config{websetup_advanced});
+		next if ! ($config{websetup_show_unsafe} && $config{websetup_advanced}) &&
+			(! $info{safe} || ! issafe($key));
 		# maybe skip advanced settings
 		next if $info{advanced} && ! $config{websetup_advanced};
 		# these are handled specially, so don't show
@@ -156,7 +170,7 @@ sub showfields ($$$@) {
 
 		if (ref $value eq 'ARRAY' || ref $info{example} eq 'ARRAY') {
 			$value=[(ref $value eq 'ARRAY' ? map { Encode::encode_utf8($_) }  @{$value} : "")];
-			push @$value, "", "" if $info{safe}; # blank items for expansion
+			push @$value, "", "" if $info{safe} && issafe($key); # blank items for expansion
 		}
 		else {
 			$value=Encode::encode_utf8($value);
@@ -210,7 +224,7 @@ sub showfields ($$$@) {
 			}
 		}
 		
-		if (! $info{safe}) {
+		if (! $info{safe} || ! issafe($key)) {
 			$form->field(name => $name, disabled => 1);
 		}
 		else {
@@ -346,7 +360,7 @@ sub showform ($$) {
 				@value=0;
 			}
 		
-			if (! $info{safe}) {
+			if (! $info{safe} || ! issafe($key)) {
 	 			error("unsafe field $key"); # should never happen
 			}
 		
diff --git a/debian/changelog b/debian/changelog
index 7fdbbcb..9e779bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20100313) UNRELEASED; urgency=low
+
+  * websetup: Add websetup_unsafe to allow marking other settings
+    as unsafe.
+
+ -- Joey Hess <joeyh@debian.org>  Sat, 13 Mar 2010 14:48:10 -0500
+
 ikiwiki (3.20100312) unstable; urgency=HIGH
 
   * Fix utf8 issues in calls to md5_hex.
diff --git a/doc/plugins/websetup.mdwn b/doc/plugins/websetup.mdwn
index f1756ba..b4d23ba 100644
--- a/doc/plugins/websetup.mdwn
+++ b/doc/plugins/websetup.mdwn
@@ -16,7 +16,8 @@ enabled and disabled using it too. Some settings are not considered safe
 enough to be manipulated over the web; these are still shown, by default,
 but cannot be modified. To hide them, set `websetup_show_unsafe` to false
 in the setup file. A few settings have too complex a data type to be
-configured via the web.
+configured via the web. To mark additional settings as unsafe, you can
+list them in `websetup_unsafe`.
 
 Plugins that should not be enabled/disabled via the web interface can be
 listed in `websetup_force_plugins` in the setup file.

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
index 0ca9499..50c4d43 100644
--- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -57,10 +57,23 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 >> `usemap`) should make `object` almost as harmless as, say, `img`.
 
 >>> But with local data, one could not embed youtube videos, which surely
->>> is the most obvious use case? Note that youtube embedding uses an
+>>> is the most obvious use case?
+
+>>>> Allowing a “remote” object to render on one's page is a
+     security issue by itself.
+     Though, of course, having an explicit whitelist of URI's may make
+     this issue more tolerable.
+     — [[Ivan_Shmakov]], 2010-03-12Z.
+
+>>> Note that youtube embedding uses an
 >>> object element with no classid. The swf file is provided via an
 >>> enclosed param element. --[[Joey]]
 
+>>>> I've just checked a random video on YouTube and I see that the
+     `.swf` file is provided via an enclosed `embed` element.  Whether
+     to allow those or not is a different issue.
+     — [[Ivan_Shmakov]], 2010-03-12Z.
+
 >> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being
 >> restricted in such a way.)
 

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
index c37d052..0ca9499 100644
--- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -56,6 +56,11 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 >> (i. e., only *local* and certain `data:` ones for `data` and
 >> `usemap`) should make `object` almost as harmless as, say, `img`.
 
+>>> But with local data, one could not embed youtube videos, which surely
+>>> is the most obvious use case? Note that youtube embedding uses an
+>>> object element with no classid. The swf file is provided via an
+>>> enclosed param element. --[[Joey]]
+
 >> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being
 >> restricted in such a way.)
 

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
index ac4b555..c37d052 100644
--- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -27,13 +27,43 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 
 [[wishlist]]
 
-> SVG can contain embedded javascript. The spec that you link to contains
+> SVG can contain embedded javascript.
+
+>> Indeed.
+
+>> So, a more general tool (`XML::Scrubber`?) will be necessary to
+>> refine both [XHTML][] and SVG.
+
+>> … And to leave [MathML][] as is (?.)
+
+>> — [[Ivan_Shmakov]], 2010-03-12Z.
+
+> The spec that you link to contains
 > examples of objects that contain python scripts, Microsoft OLE 
 > objects, and Java. And then there's flash. I don't think ikiwiki can
 > assume all the possibilities are handled securely, particularly WRT XSS
 > attacks.
 > --[[Joey]]
 
+>> I've scanned over all the `object` examples in the specification and
+>> all of those that hold references to code (as opposed to data) have a
+>> distinguishing `classid` attribute.
+
+>> While I won't assert that it's impossible to reference code with
+>> `data` (and, thanks to `text/xhtml+xml` and `image/svg+xml`, it is
+>> *not* impossible), throwing away any of the “insecure”
+>> attributes listed above together with limiting the possible URI's
+>> (i. e., only *local* and certain `data:` ones for `data` and
+>> `usemap`) should make `object` almost as harmless as, say, `img`.
+
+>> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being
+>> restricted in such a way.)
+
+>> Of the remaining issues I could only think of recursive
+>> `object` — the one that references its container document.
+
+>> — [[Ivan_Shmakov]], 2010-03-12Z.
+
 ## See also
 
 * [Objects, Images, and Applets in HTML documents][objects-html]
@@ -43,6 +73,8 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 * [Uniform Resource Identifier — the free encyclopedia][URI]
 
 [HTML::Scrubber]: http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm
+[MathML]: http://en.wikipedia.org/wiki/MathML
 [objects-html]: http://www.w3.org/TR/1999/REC-html401-19991224/struct/objects.html
 [RFC 2397]: http://tools.ietf.org/html/rfc2397
 [URI]: http://en.wikipedia.org/wiki/Uniform_Resource_Identifier
+[XHTML]: http://en.wikipedia.org/wiki/XHTML

diff --git a/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn b/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
new file mode 100644
index 0000000..9eac8ea
--- /dev/null
+++ b/doc/bugs/Exception:_Unknown_function___96__this__39___.mdwn
@@ -0,0 +1,60 @@
+I'm very excited to try out ikiwiki, since it should fit my purposes extremely well, but I'm having trouble with the search plugin. I'm pretty sure that right after I installed ikiwiki and needed dependencies, the search plugin was working fine. However, now when I try to use search, I get "Exception: Unknown function `this'" error on a blank page. I'm not sure how I should go about debugging this issue - my server's (I use Lighttpd 1.4.22) error log has no mention of the exception and there's nothing in /var/log/syslog either.
+
+What might be causing this exception and how I might go about debugging exceptions?
+
+> Appears to be coming from your xapian omega cgi binary. If you
+> run `strings /usr/lib/cgi-bin/omega/omega` you can see it has
+> "Exception: " in it, and I have found some similar (but not identical)
+> error messages from xapian in a web search.
+> 
+> I don´t know what to suggest, other than upgrade/downgrade/reinstall
+> xapian-omega, and contacting the xapian developers for debugging.
+> You could try rebuilding your wiki in case it is somehow
+> caused by a problem with the xapian database. Failing everything, you
+> could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 
+
+>> Thanks, Joey. With your help I was able to figure out what was wrong. It's a fun little bug (or feature): the title of my wiki had string `$this` in title and that's what was causing the omega binary to choke. My wiki's title was inserted without escaping into the query template used by omega. Omega treated `$this` in the title as a function name and threw an exception because no such function was defined. To avoid this behavior, I used an html entity in the title, so `$this` became `$this`. I don't think that the wiki title should be inserted into the template without escaping - it can produce an error that's not trivial to debug. If users want to modify the html in the title, they should be editing respective templates, not typing html in the wiki title input. What do you think? --[[dkobozev]]
+
+>>> Sounds like a bug in omega, and one that probably would affect other
+>>> users of omega too. Ikiwiki could work around it by pre-escaping
+>>> data before passing it to xapian. I have not quite managed to reproduce it though;
+>>> tried setting a page title to '$this' and 'foo $this'.
+>>> That's with version 1.0.18 of omega.
+>>> --[[Joey]]
+
+>>>> I tried it with both omega 1.0.13 and omega 1.0.18 and the issue is present in both. If I view the contents of {$srcdir}/.ikiwiki/xapian/templates/query, I can see that the wiki title is inserted verbatim and there are calls to `$setmap`, `$set` and `$def` etc in the template. --[[dkobozev]]
+
+>>>>> I don't see how that's relevant. It would help if you showed me
+>>>>> exactly something that could be inserted into a page to cause the
+>>>>> problem. --[[Joey]] 
+
+>>>>>> Correct me if I'm wrong: ikiwiki generates an Omega template from its own templates, such as searchquery.tmpl and puts it into {$srcdir}/.ikiwiki/xapian/templates/query. Omega has its own template syntax, where function names are prefixed with dollar signs (`$`). So, when I call my wiki `$foobar`, ikiwiki generates an Omega template that looks like this snippet:
+
+    <div id="container">
+        <div class="pageheader">
+            <div class="header">
+            <span>
+            <a href="http://example.com">$foobar</    a>/search
+            </span>
+            </div>
+        </div> <!-- .pageheader -->
+    
+        <div id="content">
+            $setmap{prefix,title,S}
+    $setmap{prefix,link,XLINK}
+    $set{thousand,$.}$set{decimal,.}$setmap{BN,,Any Country,uk,England,fr,France}
+    ${
+    $def{PREV,
+    $if{$ne{$topdoc,0},<INPUT TYPE=image NAME="&lt;" ALT="&lt;"
+    SRC="/images/xapian-omega/prev.png" BORDER=0 HEIGHT=30 WIDTH=30>,
+    <IMG ALT="" SRC="/images/xapian-omega/prevoff.png" HEIGHT=30 WIDTH=30>}
+
+>>>>>> So `$foobar` clashes with Omega's template tags. Does this help?
+
+>>>>>>> Ahh. I had somehow gotten it into my head that you were talking
+>>>>>>> about the title of a single page, not of the whole wiki. But
+>>>>>>> you were clear all along it was the wiki title. Sorry for
+>>>>>>> misunderstanding. I've put in a complete fix for this problem.
+>>>>>>> if this was in [[bugs]], I'd close it. :) --[[Joey]] 
+
+[[done]]
diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
deleted file mode 100644
index 0352471..0000000
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ /dev/null
@@ -1,58 +0,0 @@
-I'm very excited to try out ikiwiki, since it should fit my purposes extremely well, but I'm having trouble with the search plugin. I'm pretty sure that right after I installed ikiwiki and needed dependencies, the search plugin was working fine. However, now when I try to use search, I get "Exception: Unknown function `this'" error on a blank page. I'm not sure how I should go about debugging this issue - my server's (I use Lighttpd 1.4.22) error log has no mention of the exception and there's nothing in /var/log/syslog either.
-
-What might be causing this exception and how I might go about debugging exceptions?
-
-> Appears to be coming from your xapian omega cgi binary. If you
-> run `strings /usr/lib/cgi-bin/omega/omega` you can see it has
-> "Exception: " in it, and I have found some similar (but not identical)
-> error messages from xapian in a web search.
-> 
-> I don´t know what to suggest, other than upgrade/downgrade/reinstall
-> xapian-omega, and contacting the xapian developers for debugging.
-> You could try rebuilding your wiki in case it is somehow
-> caused by a problem with the xapian database. Failing everything, you
-> could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 
-
->> Thanks, Joey. With your help I was able to figure out what was wrong. It's a fun little bug (or feature): the title of my wiki had string `$this` in title and that's what was causing the omega binary to choke. My wiki's title was inserted without escaping into the query template used by omega. Omega treated `$this` in the title as a function name and threw an exception because no such function was defined. To avoid this behavior, I used an html entity in the title, so `$this` became `&#36;this`. I don't think that the wiki title should be inserted into the template without escaping - it can produce an error that's not trivial to debug. If users want to modify the html in the title, they should be editing respective templates, not typing html in the wiki title input. What do you think? --[[dkobozev]]
-
->>> Sounds like a bug in omega, and one that probably would affect other
->>> users of omega too. Ikiwiki could work around it by pre-escaping
->>> data before passing it to xapian. I have not quite managed to reproduce it though;
->>> tried setting a page title to '$this' and 'foo $this'.
->>> That's with version 1.0.18 of omega.
->>> --[[Joey]]
-
->>>> I tried it with both omega 1.0.13 and omega 1.0.18 and the issue is present in both. If I view the contents of {$srcdir}/.ikiwiki/xapian/templates/query, I can see that the wiki title is inserted verbatim and there are calls to `$setmap`, `$set` and `$def` etc in the template. --[[dkobozev]]
-
->>>>> I don't see how that's relevant. It would help if you showed me
->>>>> exactly something that could be inserted into a page to cause the
->>>>> problem. --[[Joey]] 
-
->>>>>> Correct me if I'm wrong: ikiwiki generates an Omega template from its own templates, such as searchquery.tmpl and puts it into {$srcdir}/.ikiwiki/xapian/templates/query. Omega has its own template syntax, where function names are prefixed with dollar signs (`$`). So, when I call my wiki `$foobar`, ikiwiki generates an Omega template that looks like this snippet:
-
-    <div id="container">
-        <div class="pageheader">
-            <div class="header">
-            <span>
-            <a href="http://example.com">$foobar</    a>/search
-            </span>
-            </div>
-        </div> <!-- .pageheader -->
-    
-        <div id="content">
-            $setmap{prefix,title,S}
-    $setmap{prefix,link,XLINK}
-    $set{thousand,$.}$set{decimal,.}$setmap{BN,,Any Country,uk,England,fr,France}
-    ${
-    $def{PREV,
-    $if{$ne{$topdoc,0},<INPUT TYPE=image NAME="&lt;" ALT="&lt;"
-    SRC="/images/xapian-omega/prev.png" BORDER=0 HEIGHT=30 WIDTH=30>,
-    <IMG ALT="" SRC="/images/xapian-omega/prevoff.png" HEIGHT=30 WIDTH=30>}
-
->>>>>> So `$foobar` clashes with Omega's template tags. Does this help?
-
->>>>>>> Ahh. I had somehow gotten it into my head that you were talking
->>>>>>> about the title of a single page, not of the whole wiki. But
->>>>>>> you were clear all along it was the wiki title. Sorry for
->>>>>>> misunderstanding. I've put in a complete fix for this problem.
->>>>>>> if this was in [[bugs]], I'd close it. :) --[[Joey]] 

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
index 714f5ae..ac4b555 100644
--- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -27,6 +27,13 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 
 [[wishlist]]
 
+> SVG can contain embedded javascript. The spec that you link to contains
+> examples of objects that contain python scripts, Microsoft OLE 
+> objects, and Java. And then there's flash. I don't think ikiwiki can
+> assume all the possibilities are handled securely, particularly WRT XSS
+> attacks.
+> --[[Joey]]
+
 ## See also
 
 * [Objects, Images, and Applets in HTML documents][objects-html]

diff --git a/doc/news/version_3.20091218.mdwn b/doc/news/version_3.20091218.mdwn
deleted file mode 100644
index 224e81c..0000000
--- a/doc/news/version_3.20091218.mdwn
+++ /dev/null
@@ -1,11 +0,0 @@
-ikiwiki 3.20091218 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Add complete Spanish basewiki translation done by Fernando Gonzalez de
-     Requena.
-   * Improve javascript onload handling.
-   * monotone: Deal with format change in version 0.45.
-     (Thanks, Richard Levitte)
-   * cvs: Add missing bit to Automator.
-   * attachment: Fix reversion in attachment sorting by age.
-   * Fix utf-8 problems in rename, remove, attachment, 404, sourcepage, and
-     goto."""]]
\ No newline at end of file
diff --git a/doc/news/version_3.20100312.mdwn b/doc/news/version_3.20100312.mdwn
new file mode 100644
index 0000000..10c3442
--- /dev/null
+++ b/doc/news/version_3.20100312.mdwn
@@ -0,0 +1,16 @@
+ikiwiki 3.20100312 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Fix utf8 issues in calls to md5\_hex.
+   * moderatedcomments: Added moderate\_pagespec that can be used
+     to control which users or comment locations are moderated.
+     This can be used, just for example, to moderate "user(http://myopenid.com/*)"
+     if you're getting a lot of spammers from one particular openid
+     provider (who should perhaps answer your emails about them),
+     while not moderating other users.
+   * moderatedcomments: The moderate\_users setting is deprecated. Instead,
+     set moderate\_pagespec to "!admin()" or "user(*)".
+   * Fix missing span on recentchanges page template.
+   * search: Avoid '$' in the wikiname appearing unescaped on omega's
+     query template, where it might crash omega.
+   * htmlscrubber: Security fix: In data:image/* uris, only allow a few
+     whitelisted image types. No svg."""]]
\ No newline at end of file

diff --git a/doc/todo/mercurial.mdwn b/doc/todo/mercurial.mdwn
index e71c810..de1f148 100644
--- a/doc/todo/mercurial.mdwn
+++ b/doc/todo/mercurial.mdwn
@@ -119,3 +119,11 @@ I have a few notes on mercurial usage after trying it out for a while:
 >> I think the ideal solution would be to build `$destdir/recentchanges/*` directly from the output of `hg log`. --[[buo]]
 
 >>>> That would be 100 times as slow, so I chose not to do that. --[[Joey]]
+
+>>>> Since this is confusing people, allow me to clarify: Ikiwiki's
+>>>> recentchanges generation pulls log information directly out of the VCS as
+>>>> needed. It caches it in recentchanges/* in the `scrdir`. These cache
+>>>> files need not be preserved, should never be checked into VCS, and if
+>>>> you want to you can configure your VCSignore file to ignore them,
+>>>> just as you can configure it to ignore the `.ikiwiki` directory in the
+>>>> `scrdir`. --[[Joey]] 

diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index ee284a4..26e18ff 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -30,9 +30,9 @@ sub import {
 		"msnim", "notes", "rsync", "secondlife", "skype", "ssh",
 		"sftp", "smb", "sms", "snews", "webcal", "ymsgr",
 	);
-	# data is a special case. Allow data:image/*, but
-	# disallow data:text/javascript and everything else.
-	$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
+	# data is a special case. Allow a few data:image/ types,
+	# but disallow data:text/javascript and everything else.
+	$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
 }
 
 sub getsetup () {
diff --git a/debian/changelog b/debian/changelog
index bae0e7e..7fdbbcb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (3.20100303) UNRELEASED; urgency=low
+ikiwiki (3.20100312) unstable; urgency=HIGH
 
   * Fix utf8 issues in calls to md5_hex.
   * moderatedcomments: Added moderate_pagespec that can be used
@@ -12,6 +12,8 @@ ikiwiki (3.20100303) UNRELEASED; urgency=low
   * Fix missing span on recentchanges page template.
   * search: Avoid '$' in the wikiname appearing unescaped on omega's
     query template, where it might crash omega.
+  * htmlscrubber: Security fix: In data:image/* uris, only allow a few
+    whitelisted image types. No svg.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500
 
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 3924186..21aef31 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -427,3 +427,15 @@ enabling TeX configuration options that disallow unsafe TeX commands.
 The fix was released on 30 Aug 2009 in version 3.1415926, and was
 backported to stable in version 2.53.4. If you use the teximg plugin,
 I recommend upgrading. ([[!cve CVE-2009-2944]])
+
+## javascript insertion via svg uris
+
+Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls,
+including `data:image/svg+xml`. But svg can contain javascript, so that is
+unsafe.
+
+This hole was discovered on 12 March 2010 and fixed the same day
+with the release of ikiwiki 3.20100312.
+A fix was also backported to Debian etch, as version 2.53.5. I recommend
+upgrading to one of these versions if your wiki can be edited by third
+parties.

diff --git a/doc/todo/svg.mdwn b/doc/todo/svg.mdwn
index 2099751..274ebf3 100644
--- a/doc/todo/svg.mdwn
+++ b/doc/todo/svg.mdwn
@@ -58,6 +58,8 @@ in the trunk if other people think it's useful.
 [htmlscrubber.pm]:http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blob;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hb=fe333c8e5b4a5f374a059596ee698dacd755182d
 [diff]: http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blobdiff;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hp=3bdaccea119ec0e1b289a0da2f6d90e2219b8d66;hb=fe333c8e5b4a5f374a059596ee698dacd755182d;hpb=be0b4f603f918444b906e42825908ddac78b7073
 
+> Unfortuantly these links are broken. --[[Joey]]
+
 * * *
 
 Actually, there's a way to embed SVG into MarkDown sources using the [data: URI scheme][rfc2397], [like this](data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8c3ZnIHdpZHRoPSIxOTIiIGhlaWdodD0iMTkyIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KIDwhLS0gQ3JlYXRlZCB3aXRoIFNWRy1lZGl0IC0gaHR0cDovL3N2Zy1lZGl0Lmdvb2dsZWNvZGUuY29tLyAtLT4KIDx0aXRsZT5IZWxsbywgd29ybGQhPC90aXRsZT4KIDxnPgogIDx0aXRsZT5MYXllciAxPC90aXRsZT4KICA8ZyB0cmFuc2Zvcm09InJvdGF0ZSgtNDUsIDk3LjY3MTksIDk3LjY2OCkiIGlkPSJzdmdfNyI+CiAgIDxyZWN0IHN0cm9rZS13aWR0aD0iNSIgc3Ryb2tlPSIjMDAwMDAwIiBmaWxsPSIjRkYwMDAwIiBpZD0ic3ZnXzUiIGhlaWdodD0iNTYuMDAwMDAzIiB3aWR0aD0iMTc1IiB5PSI2OS42Njc5NjkiIHg9IjEwLjE3MTg3NSIvPgogICA8dGV4dCB4bWw6c3BhY2U9InByZXNlcnZlIiB0ZXh0LWFuY2hvcj0ibWlkZGxlIiBmb250LWZhbWlseT0ic2VyaWYiIGZvbnQtc2l6ZT0iMjQiIHN0cm9rZS13aWR0aD0iMCIgc3Ryb2tlPSIjMDAwMDAwIiBmaWxsPSIjZmZmZjAwIiBpZD0ic3ZnXzYiIHk9IjEwNS42NjgiIHg9Ijk5LjY3MTkiPkhlbGxvLCB3b3JsZCE8L3RleHQ+CiAgPC9nPgogPC9nPgo8L3N2Zz4=).
@@ -65,3 +67,11 @@ Of course, this way to display an image one needs to click a link, but it may be
 — [[Ivan_Shmakov]], 2010-03-12Z.
 
 [rfc2397]: http://tools.ietf.org/html/rfc2397
+
+> You can do the same with img src actually.
+> 
+> If svg markup allows unsafe elements (ie, javascript),
+> which it appears to, 
+> then this is a security hole, and the htmlscrubber
+> needs to lock it down more. Darn, now I have to spend my afternoon making
+> security releases! --[[Joey]] 

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
new file mode 100644
index 0000000..714f5ae
--- /dev/null
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -0,0 +1,41 @@
+IIUC, the current version of [HTML::Scrubber][] allows for the `object` tags to be either enabled or disabled entirely.  However, while `object` can be used to add *code* (which is indeed a potential security hole) to a document, reading [Objects, Images, and Applets in HTML documents][objects-html] reveals that the “dangerous” are not all the `object`s, but rather those having the following attributes:
+
+    classid     %URI;          #IMPLIED  -- identifies an implementation --
+    codebase    %URI;          #IMPLIED  -- base URI for classid, data, archive--
+    codetype    %ContentType;  #IMPLIED  -- content type for code --
+    archive     CDATA          #IMPLIED  -- space-separated list of URIs --
+
+It seems that the following attributes are, OTOH, safe:
+
+    declare     (declare)      #IMPLIED  -- declare but don't instantiate flag --
+    data        %URI;          #IMPLIED  -- reference to object's data --
+    type        %ContentType;  #IMPLIED  -- content type for data --
+    standby     %Text;         #IMPLIED  -- message to show while loading --
+    height      %Length;       #IMPLIED  -- override height --
+    width       %Length;       #IMPLIED  -- override width --
+    usemap      %URI;          #IMPLIED  -- use client-side image map --
+    name        CDATA          #IMPLIED  -- submit as part of form --
+    tabindex    NUMBER         #IMPLIED  -- position in tabbing order --
+
+Should the former attributes be *scrubbed* while the latter left intact, the use of the `object` tag would seemingly become safe.
+
+Note also that allowing `object` (either restricted in such a way or not) automatically solves the [[/todo/svg]] issue.
+
+For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by the `data` and `usemap` attributes) to, say, relative and `data:` (as per [RFC 2397][]) ones as well, though it requires some more consideration.
+
+— [[Ivan_Shmakov]], 2010-03-12Z.
+
+[[wishlist]]
+
+## See also
+
+* [Objects, Images, and Applets in HTML documents][objects-html]
+* [[plugins/htmlscrubber|/plugins/htmlscrubber]]
+* [[todo/svg|/todo/svg]]
+* [RFC 2397: The “data” URL scheme. L. Masinter. August 1998.][RFC 2397]
+* [Uniform Resource Identifier — the free encyclopedia][URI]
+
+[HTML::Scrubber]: http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm
+[objects-html]: http://www.w3.org/TR/1999/REC-html401-19991224/struct/objects.html
+[RFC 2397]: http://tools.ietf.org/html/rfc2397
+[URI]: http://en.wikipedia.org/wiki/Uniform_Resource_Identifier

diff --git a/doc/todo/svg.mdwn b/doc/todo/svg.mdwn
index 89b183d..2099751 100644
--- a/doc/todo/svg.mdwn
+++ b/doc/todo/svg.mdwn
@@ -57,3 +57,11 @@ in the trunk if other people think it's useful.
 
 [htmlscrubber.pm]:http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blob;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hb=fe333c8e5b4a5f374a059596ee698dacd755182d
 [diff]: http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blobdiff;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hp=3bdaccea119ec0e1b289a0da2f6d90e2219b8d66;hb=fe333c8e5b4a5f374a059596ee698dacd755182d;hpb=be0b4f603f918444b906e42825908ddac78b7073
+
+* * *
+
+Actually, there's a way to embed SVG into MarkDown sources using the [data: URI scheme][rfc2397], [like this](data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8c3ZnIHdpZHRoPSIxOTIiIGhlaWdodD0iMTkyIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KIDwhLS0gQ3JlYXRlZCB3aXRoIFNWRy1lZGl0IC0gaHR0cDovL3N2Zy1lZGl0Lmdvb2dsZWNvZGUuY29tLyAtLT4KIDx0aXRsZT5IZWxsbywgd29ybGQhPC90aXRsZT4KIDxnPgogIDx0aXRsZT5MYXllciAxPC90aXRsZT4KICA8ZyB0cmFuc2Zvcm09InJvdGF0ZSgtNDUsIDk3LjY3MTksIDk3LjY2OCkiIGlkPSJzdmdfNyI+CiAgIDxyZWN0IHN0cm9rZS13aWR0aD0iNSIgc3Ryb2tlPSIjMDAwMDAwIiBmaWxsPSIjRkYwMDAwIiBpZD0ic3ZnXzUiIGhlaWdodD0iNTYuMDAwMDAzIiB3aWR0aD0iMTc1IiB5PSI2OS42Njc5NjkiIHg9IjEwLjE3MTg3NSIvPgogICA8dGV4dCB4bWw6c3BhY2U9InByZXNlcnZlIiB0ZXh0LWFuY2hvcj0ibWlkZGxlIiBmb250LWZhbWlseT0ic2VyaWYiIGZvbnQtc2l6ZT0iMjQiIHN0cm9rZS13aWR0aD0iMCIgc3Ryb2tlPSIjMDAwMDAwIiBmaWxsPSIjZmZmZjAwIiBpZD0ic3ZnXzYiIHk9IjEwNS42NjgiIHg9Ijk5LjY3MTkiPkhlbGxvLCB3b3JsZCE8L3RleHQ+CiAgPC9nPgogPC9nPgo8L3N2Zz4=).
+Of course, this way to display an image one needs to click a link, but it may be considered a feature.
+— [[Ivan_Shmakov]], 2010-03-12Z.
+
+[rfc2397]: http://tools.ietf.org/html/rfc2397

diff --git a/doc/users/ivan_shmakov.mdwn b/doc/users/ivan_shmakov.mdwn
new file mode 100644
index 0000000..41bf9b0
--- /dev/null
+++ b/doc/users/ivan_shmakov.mdwn
@@ -0,0 +1,3 @@
+… To put it short: an Ikiwiki newbie.
+
+I run an Ikiwiki instance at <http://gray.am-1.org/~ivan/lhc/> (though the DNS servers seem to be temporarily out of smoke as of 2010-03-12Z.)

diff --git a/IkiWiki/Plugin/search.pm b/IkiWiki/Plugin/search.pm
index fb68396..c0e8703 100644
--- a/IkiWiki/Plugin/search.pm
+++ b/IkiWiki/Plugin/search.pm
@@ -110,6 +110,7 @@ sub index (@) {
 	# data used by omega
 	# Decode html entities in it, since omega re-encodes them.
 	eval q{use HTML::Entities};
+	error $@ if $@;
 	$doc->set_data(
 		"url=".urlto($params{page}, "")."\n".
 		"sample=".decode_entities($sample)."\n".
@@ -214,9 +215,19 @@ sub setupfiles () {
 		writefile("omega.conf", $config{wikistatedir}."/xapian",
 			"database_dir .\n".
 			"template_dir ./templates\n");
+		
+		# Avoid omega interpreting anything in the misctemplate
+		# as an omegascript command.
+		my $misctemplate=IkiWiki::misctemplate(gettext("search"), "\0");
+		eval q{use HTML::Entities};
+		error $@ if $@;
+		$misctemplate=encode_entities($misctemplate, '\$');
+
+		my $querytemplate=readfile(IkiWiki::template_file("searchquery.tmpl"));
+		$misctemplate=~s/\0/$querytemplate/;
+
 		writefile("query", $config{wikistatedir}."/xapian/templates",
-			IkiWiki::misctemplate(gettext("search"),
-				readfile(IkiWiki::template_file("searchquery.tmpl"))));
+			$misctemplate);
 		$setup=1;
 	}
 }
diff --git a/debian/changelog b/debian/changelog
index 6b5671e..6828e6b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,8 @@ ikiwiki (3.20100303) UNRELEASED; urgency=low
   * moderatedcomments: The moderate_users setting is deprecated. Instead,
     set moderate_pagespec to "!admin()" or "user(*)" instead.
   * Fix missing span on recentchanges page template.
+  * search: Avoid '$' in the wikiname appearing unescaped on omega's
+    query template, where it might crash omega.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500
 
diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 4f94b77..0352471 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -50,3 +50,9 @@ What might be causing this exception and how I might go about debugging exceptio
     <IMG ALT="" SRC="/images/xapian-omega/prevoff.png" HEIGHT=30 WIDTH=30>}
 
 >>>>>> So `$foobar` clashes with Omega's template tags. Does this help?
+
+>>>>>>> Ahh. I had somehow gotten it into my head that you were talking
+>>>>>>> about the title of a single page, not of the whole wiki. But
+>>>>>>> you were clear all along it was the wiki title. Sorry for
+>>>>>>> misunderstanding. I've put in a complete fix for this problem.
+>>>>>>> if this was in [[bugs]], I'd close it. :) --[[Joey]] 

diff --git a/debian/changelog b/debian/changelog
index c58e612..6b5671e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ ikiwiki (3.20100303) UNRELEASED; urgency=low
     while not moderating other users.
   * moderatedcomments: The moderate_users setting is deprecated. Instead,
     set moderate_pagespec to "!admin()" or "user(*)" instead.
+  * Fix missing span on recentchanges page template.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500
 
diff --git a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
index 536af34..5c32299 100644
--- a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
+++ b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
@@ -22,3 +22,5 @@ PS: I have fixed the template by hand on my server, so it will validate, however
 > markup like this; using [[plugins/comments]] without having one or other of those is a bad idea
 > from the point of view of avoiding comment forgery, which is probably why icanttype.org works
 > correctly. Anyway, I've fixed this in a branch: Joey, care to review smcv/trivia? --[[smcv]]
+
+[[done]], thanks guys --[[Joey]]

diff --git a/IkiWiki/Plugin/moderatedcomments.pm b/IkiWiki/Plugin/moderatedcomments.pm
index afe1cee..b0a328a 100644
--- a/IkiWiki/Plugin/moderatedcomments.pm
+++ b/IkiWiki/Plugin/moderatedcomments.pm
@@ -17,10 +17,11 @@ sub getsetup () {
 			rebuild => 0,
 			section => "auth",
 		},
-		moderate_users => {
-			type => 'boolean',
-			example => 1,
-			description => 'Moderate comments of logged-in users?',
+		moderate_pagespec => {
+			type => 'pagespec',
+			example => 'user(http://*)',
+			description => 'PageSpec matching users or comment locations to moderate',
+			link => 'ikiwiki/PageSpec',
 			safe => 1,
 			rebuild => 0,
 		},
@@ -32,14 +33,32 @@ sub checkcontent (@) {
 	# only handle comments	
 	return undef unless pagespec_match($params{page}, "postcomment(*)",
 	                	location => $params{page});
+	
+	# backwards compatability
+	if (exists $config{moderate_users} &&
+	    ! exists $config{moderate_pagespec}) {
+		$config{moderate_pagespec} = $config{moderate_users}
+			? "!admin()"
+			: "!user(*)";
+	}
+
+	# default is to moderate all except admins
+	if (! exists $config{moderate_pagespec}) {
+		$config{moderate_pagespec}="!admin()";
+	}
 
-	# admins and maybe users can comment w/o moderation
 	my $session=$params{session};
 	my $user=$session->param("name") if $session;
-	return undef if defined $user && (IkiWiki::is_admin($user) ||
-		(exists $config{moderate_users} && ! $config{moderate_users}));
-
-	return gettext("comment needs moderation");
+	if (pagespec_match($params{page}, $config{moderate_pagespec},
+			location => $params{page},
+			(defined $user ? (user => $user) : ()),
+			(defined $ENV{REMOTE_ADDR} ? (ip => $ENV{REMOTE_ADDR}) : ()),
+	)) {
+		return gettext("comment needs moderation");
+	}
+	else {
+		return undef;
+	}
 }
 
 1
diff --git a/debian/changelog b/debian/changelog
index d1253c0..c58e612 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,14 @@
 ikiwiki (3.20100303) UNRELEASED; urgency=low
 
   * Fix utf8 issues in calls to md5_hex.
+  * moderatedcomments: Added moderate_pagespec that can be used
+    to control which users or comment locations are moderated.
+    This can be used, just for example, to moderate http://myopenid.com/*
+    if you're getting a lot of spammers from one particular openid
+    provider (who should perhaps answer your emails about them),
+    while not moderating other users.
+  * moderatedcomments: The moderate_users setting is deprecated. Instead,
+    set moderate_pagespec to "!admin()" or "user(*)" instead.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 09 Mar 2010 19:46:35 -0500
 
diff --git a/doc/plugins/moderatedcomments.mdwn b/doc/plugins/moderatedcomments.mdwn
index 97924d7..c29b0b0 100644
--- a/doc/plugins/moderatedcomments.mdwn
+++ b/doc/plugins/moderatedcomments.mdwn
@@ -5,6 +5,8 @@ This plugin causes [[comments]] to be held for manual moderation.
 Admins can access the comment moderation queue via their preferences page.
 
 By default, all comments made by anyone who is not an admin will be held
-for moderation. The `moderate_users` setting can be set to false to avoid
-moderating comments of logged-in users, while still moderating anonymous
-comments.
+for moderation. The `moderate_pagespec` setting can be used to specify a
+[[ikiwiki/PageSpec]] to match comments and users who should be moderated.
+For example, to avoid moderating comments from logged-in users, set
+`moderate_pagespec` to "!user(*)". Or to moderate everyone except for
+admins, set it to "!admin(*)".

diff --git a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
index 007d763..536af34 100644
--- a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
+++ b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
@@ -16,3 +16,9 @@ Thanks,
 David
 
 PS: I have fixed the template by hand on my server, so it will validate, however ikiwiki.info will not.
+
+> [[!template id="gitbranch" branch=smcv/trivia author="[[smcv]]"]] [[!tag patch]]
+> Enabling either [[plugins/htmltidy]] or [[plugins/htmlbalance]] will automatically fix unbalanced
+> markup like this; using [[plugins/comments]] without having one or other of those is a bad idea
+> from the point of view of avoiding comment forgery, which is probably why icanttype.org works
+> correctly. Anyway, I've fixed this in a branch: Joey, care to review smcv/trivia? --[[smcv]]

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index bd9bee3..8e567ec 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -53,6 +53,7 @@ Projects & Organizations
 * [IPOL Image Processing On Line](http://www.ipol.im)
 * [Debian Costa Rica](http://cr.debian.net/)
 * [Fvwm Wiki](http://fvwmwiki.xteddy.org)
+* [Serialist](http://serialist.net/)'s static pages (documentation, blog).  We actually have ikiwiki generate its static content as HTML fragments using a modified page.tmpl template, and then the FastCGI powering our site grabs those fragments and embeds them in the standard dynamic site template.
 
 Personal sites and blogs
 ========================

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index 345604c..bd9bee3 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -141,6 +141,7 @@ Personal sites and blogs
 * [Mukund's homepage](http://www.mukund.org/)
 * [Andreas's homepage](http://0x7.ch/) - Ikiwiki, Subversion and CSS template
 * [Chris Dombroski's boring bliki](https://www.icanttype.org/)
+* [Josh Triplett's homepage](http://joshtriplett.org/) - Git backend with the CGI disabled, to publish a static site with the convenience of ikiwiki.
 
 Please feel free to add your own ikiwiki site!
 

diff --git a/doc/plugins/getsource/discussion.mdwn b/doc/plugins/getsource/discussion.mdwn
new file mode 100644
index 0000000..45a1d62
--- /dev/null
+++ b/doc/plugins/getsource/discussion.mdwn
@@ -0,0 +1 @@
+It would be very cool if this plugin was enabled by default.  One of the best ways to learn how to do various advanced things is to be able to "view source" on other wiki's which do things you like.  -- [[AdamShand]]

diff --git a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
index 4c81981..007d763 100644
--- a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
+++ b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
@@ -14,3 +14,5 @@ This results in the recentchanges/ page being invalid and rendering quite horrif
 
 Thanks,
 David
+
+PS: I have fixed the template by hand on my server, so it will validate, however ikiwiki.info will not.

diff --git a/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
new file mode 100644
index 0000000..4c81981
--- /dev/null
+++ b/doc/bugs/templateForRecentChangesMissingCloseSpan.mdwn
@@ -0,0 +1,16 @@
+In the template for ikiwiki's recent changes page
+
+     /usr/share/ikiwiki/templates/change.tmpl
+
+there is a missing </span> tag after the
+
+     <span class="changedate"><TMPL_VAR COMMITDATE>
+
+This results in the recentchanges/ page being invalid and rendering quite horrifyingly in Internet Exploder.
+
+[I'm running](http://wiki.shlrm.org) (linked so you can see the one I'm running if you need to) the latest version of ikiwiki, and I note that it's broken on [ikiwiki.info](http://validator.w3.org/check?uri=http%3A%2F%2Fikiwiki.info%2Frecentchanges%2F&charset=%28detect+automatically%29&doctype=Inline&group=0&user-agent=W3C_Validator%2F1.767) too :)
+
+[This one on debian](https://www.icanttype.org/recentchanges/) is somehow [valid](http://validator.w3.org/check?uri=https%3A%2F%2Fwww.icanttype.org%2F%2Frecentchanges%2F&charset=%28detect+automatically%29&doctype=Inline&group=0&user-agent=W3C_Validator%2F1.767), although it's using the same template. Perhaps there's an additional scrubbing going on his end.
+
+Thanks,
+David

diff --git a/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn b/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
index 98e4280..49c55e2 100644
--- a/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
+++ b/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
@@ -9,3 +9,7 @@ Maybe even with parsing of the content and preselecting the tags, that are given
 
 this would need a bit JS-work and somehow on compiletime we need to put the list of tags somewhere, where the cgi could read them from.
 This way, even a pagespec would suffice to determine the usable list of tags and not only the tagbase-variable.
+
+> I think this would be very hard to achieve with the current tag plugin, due to the nature of its implementation.
+> 
+> I've had a "tag2" plugin on the go for a while which supports this. It's in a very rough stage but I'll try to find it and upload it somewhere. -- [[Jon]]

diff --git a/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn b/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
new file mode 100644
index 0000000..98e4280
--- /dev/null
+++ b/doc/forum/wishlist-discussion:_Editformular_showing_existing_tags.mdwn
@@ -0,0 +1,11 @@
+# How about:
+
+having a list of all existing tags in the Edit-Formular as a selectionbox?
+
+Assume I have tagbase=/tags/ and for every tag I have given to articles an existing page there.
+
+Would it be possible to list all these tags together with the Formular, as selectionbox.
+Maybe even with parsing of the content and preselecting the tags, that are given in the article and vice-versa when selecting the fields then also generating the \[\[\!tag\]\]-sourcecode ?
+
+this would need a bit JS-work and somehow on compiletime we need to put the list of tags somewhere, where the cgi could read them from.
+This way, even a pagespec would suffice to determine the usable list of tags and not only the tagbase-variable.

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index ac4d7ed..4f94b77 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -27,3 +27,26 @@ What might be causing this exception and how I might go about debugging exceptio
 >>>>> I don't see how that's relevant. It would help if you showed me
 >>>>> exactly something that could be inserted into a page to cause the
 >>>>> problem. --[[Joey]] 
+
+>>>>>> Correct me if I'm wrong: ikiwiki generates an Omega template from its own templates, such as searchquery.tmpl and puts it into {$srcdir}/.ikiwiki/xapian/templates/query. Omega has its own template syntax, where function names are prefixed with dollar signs (`$`). So, when I call my wiki `$foobar`, ikiwiki generates an Omega template that looks like this snippet:
+
+    <div id="container">
+        <div class="pageheader">
+            <div class="header">
+            <span>
+            <a href="http://example.com">$foobar</    a>/search
+            </span>
+            </div>
+        </div> <!-- .pageheader -->
+    
+        <div id="content">
+            $setmap{prefix,title,S}
+    $setmap{prefix,link,XLINK}
+    $set{thousand,$.}$set{decimal,.}$setmap{BN,,Any Country,uk,England,fr,France}
+    ${
+    $def{PREV,
+    $if{$ne{$topdoc,0},<INPUT TYPE=image NAME="&lt;" ALT="&lt;"
+    SRC="/images/xapian-omega/prev.png" BORDER=0 HEIGHT=30 WIDTH=30>,
+    <IMG ALT="" SRC="/images/xapian-omega/prevoff.png" HEIGHT=30 WIDTH=30>}
+
+>>>>>> So `$foobar` clashes with Omega's template tags. Does this help?

diff --git a/doc/bugs.mdwn b/doc/bugs.mdwn
index f44cfdc..f634b6e 100644
--- a/doc/bugs.mdwn
+++ b/doc/bugs.mdwn
@@ -1,5 +1,5 @@
 If you've found a bug in ikiwiki, post about it here. [[TODO]] items go
-elsewhere. Link <a href="http://www.college-paper.org/custom-essay.html">college essay</a> items to [[bugs/done]] when done.
+elsewhere. Link items to [[bugs/done]] when done.
 
 Also see the [Debian bugs](http://bugs.debian.org/ikiwiki).
 
diff --git a/doc/bugs/bestlink_returns_deleted_pages.mdwn b/doc/bugs/bestlink_returns_deleted_pages.mdwn
index d3c5c80..874f18e 100644
--- a/doc/bugs/bestlink_returns_deleted_pages.mdwn
+++ b/doc/bugs/bestlink_returns_deleted_pages.mdwn
@@ -28,7 +28,7 @@ won't it make sense for bestlink() to check %pagesources first? --[[harishcm]]
 > maybe by keeping a copy of the old backlinks info, then that fix could be
 > applied here too. --[[Joey]]
 
->> Cool that was fast! Well at least half the <a href="http://www.college-paper.org/custom-essay.html college essay">college essay</a> bug is solved :) For now I'll
+>> Cool that was fast! Well at least half the bug is solved :) For now I'll
 >> probably try using a workaround if using bestlink within the needsbuild
 >> or scan hooks. Maybe by testing if pagemtime equals zero. --[[harishcm]]
 
@@ -48,8 +48,8 @@ won't it make sense for bestlink() to check %pagesources first? --[[harishcm]]
     use IkiWiki 3.00;
     
     sub import {
-    	hook(type => "getsetup", id => "bestlinkbug", call => &getsetup);
-    	hook(type => "needsbuild", id => "bestlinkbug", call => &needsbuild);
+    	hook(type => "getsetup", id => "bestlinkbug", call => \&getsetup);
+    	hook(type => "needsbuild", id => "bestlinkbug", call => \&needsbuild);
     }
     
     sub getsetup () {

diff --git a/doc/bugs.mdwn b/doc/bugs.mdwn
index f634b6e..f44cfdc 100644
--- a/doc/bugs.mdwn
+++ b/doc/bugs.mdwn
@@ -1,5 +1,5 @@
 If you've found a bug in ikiwiki, post about it here. [[TODO]] items go
-elsewhere. Link items to [[bugs/done]] when done.
+elsewhere. Link <a href="http://www.college-paper.org/custom-essay.html">college essay</a> items to [[bugs/done]] when done.
 
 Also see the [Debian bugs](http://bugs.debian.org/ikiwiki).
 

diff --git a/doc/bugs/bestlink_returns_deleted_pages.mdwn b/doc/bugs/bestlink_returns_deleted_pages.mdwn
index 874f18e..d3c5c80 100644
--- a/doc/bugs/bestlink_returns_deleted_pages.mdwn
+++ b/doc/bugs/bestlink_returns_deleted_pages.mdwn
@@ -28,7 +28,7 @@ won't it make sense for bestlink() to check %pagesources first? --[[harishcm]]
 > maybe by keeping a copy of the old backlinks info, then that fix could be
 > applied here too. --[[Joey]]
 
->> Cool that was fast! Well at least half the bug is solved :) For now I'll
+>> Cool that was fast! Well at least half the <a href="http://www.college-paper.org/custom-essay.html college essay">college essay</a> bug is solved :) For now I'll
 >> probably try using a workaround if using bestlink within the needsbuild
 >> or scan hooks. Maybe by testing if pagemtime equals zero. --[[harishcm]]
 
@@ -48,8 +48,8 @@ won't it make sense for bestlink() to check %pagesources first? --[[harishcm]]
     use IkiWiki 3.00;
     
     sub import {
-    	hook(type => "getsetup", id => "bestlinkbug", call => \&getsetup);
-    	hook(type => "needsbuild", id => "bestlinkbug", call => \&needsbuild);
+    	hook(type => "getsetup", id => "bestlinkbug", call => &getsetup);
+    	hook(type => "needsbuild", id => "bestlinkbug", call => &needsbuild);
     }
     
     sub getsetup () {

diff --git a/doc/plugins/conditional/discussion.mdwn b/doc/plugins/conditional/discussion.mdwn
index 09e3df9..6e84fdf 100644
--- a/doc/plugins/conditional/discussion.mdwn
+++ b/doc/plugins/conditional/discussion.mdwn
@@ -8,6 +8,19 @@ Using \[\[!if test="tagged(plugin)" then="= Tagged as plugin =" else="*No plugin
 > so tagging a large number of pages with a tag that doesn't exist (which change has
 > been reverted) doesn't make the pagespec match. It would if the tag's page existed. --[[Joey]]
 
+>> So if I understand this correctly... Assuming the tags Tag_A and Tag_B, the existence of 
+>> @wiki-home@/tags/Tag_A.creole, and a number of files with a \[\[!tag Tag_A Tag_B]] the 
+>> following is correct?
+>>
+>> * \[\[!if test="tagged(Tag_A)" then="OK" else="Fail"]] => OK
+>> * \[\[!if test="tagged(Tag_B)" then="OK" else="Fail"]] => Fail
+>> * \[\[!if test="tagged(Tag_A) and tagged(Tag_B)" then="OK" else="Fail"]] => Fail
+>>
+>> Is that the expected behaviour? If so, that's not what I'm seeing here since they all result 
+>> in a Fail. If not, what exactly is wrong with those conditionals? Thanks.
+>>
+>> -- Thiana 
+
 ----
 
 Would there be a way for this plugin to emit fewer blank lines (i.e. *none at all*)?

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index cb75895..ac4d7ed 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -23,3 +23,7 @@ What might be causing this exception and how I might go about debugging exceptio
 >>> --[[Joey]]
 
 >>>> I tried it with both omega 1.0.13 and omega 1.0.18 and the issue is present in both. If I view the contents of {$srcdir}/.ikiwiki/xapian/templates/query, I can see that the wiki title is inserted verbatim and there are calls to `$setmap`, `$set` and `$def` etc in the template. --[[dkobozev]]
+
+>>>>> I don't see how that's relevant. It would help if you showed me
+>>>>> exactly something that could be inserted into a page to cause the
+>>>>> problem. --[[Joey]] 

diff --git a/doc/plugins/conditional/discussion.mdwn b/doc/plugins/conditional/discussion.mdwn
index e34df70..09e3df9 100644
--- a/doc/plugins/conditional/discussion.mdwn
+++ b/doc/plugins/conditional/discussion.mdwn
@@ -4,6 +4,10 @@ Using \[\[!if test="tagged(plugin)" then="= Tagged as plugin =" else="*No plugin
 
 -- Thiana
 
+> This wiki has no page named "plugin", so nothing links to it; tags are a species of link
+> so tagging a large number of pages with a tag that doesn't exist (which change has
+> been reverted) doesn't make the pagespec match. It would if the tag's page existed. --[[Joey]]
+
 ----
 
 Would there be a way for this plugin to emit fewer blank lines (i.e. *none at all*)?

diff --git a/doc/templates/plugin.mdwn b/doc/templates/plugin.mdwn
index d62c879..c1d1974 100644
--- a/doc/templates/plugin.mdwn
+++ b/doc/templates/plugin.mdwn
@@ -6,7 +6,6 @@ Enabled by default: <TMPL_IF core>yes<TMPL_ELSE>no</TMPL_IF><br />
 Included in [[/plugins/goodstuff]]: [[!if test="backlink(plugins/goodstuff)" all=no then="""yes""" else="""no"""]]<br />
 Currently enabled: [[!if test="enabled(<TMPL_VAR name>)" then="yes" else="no"]]<br />
 </span>
-[[!tag plugin <TMPL_VAR name>]]
 [[!if test="sourcepage(plugins/contrib/*)" then="""[[!meta title="<TMPL_VAR name> (third party plugin)"]]"""]]
 <TMPL_IF core>[[!tag plugins/type/core]]</TMPL_IF>
 <TMPL_UNLESS NAME="name">

diff --git a/doc/ikiwiki/directive/map/discussion.mdwn b/doc/ikiwiki/directive/map/discussion.mdwn
index 075b91b..f6eaa6b 100644
--- a/doc/ikiwiki/directive/map/discussion.mdwn
+++ b/doc/ikiwiki/directive/map/discussion.mdwn
@@ -5,6 +5,8 @@ Thanks
 
 -- Thiana
 
+> [[bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used]] --[[Joey]] 
+
 ----
 
 Question: Is there a way to generate a listing that shows *both* title and description meta information? Currently, a \[\[!map ...]] shows only one of the two, but I'd like to generate a navigation that looks like a description list. For example:

diff --git a/doc/plugins/conditional/discussion.mdwn b/doc/plugins/conditional/discussion.mdwn
index 629d059..e34df70 100644
--- a/doc/plugins/conditional/discussion.mdwn
+++ b/doc/plugins/conditional/discussion.mdwn
@@ -1,3 +1,11 @@
+## Conditional broken?
+
+Using \[\[!if test="tagged(plugin)" then="= Tagged as plugin =" else="*No plugins found*"]] on this wiki *should* present the 'Tagged as plugin' heading, instead it emits 'no plugins found'. Is the conditional plugin currently broken for tags or am I misusing it? Thanks.
+
+-- Thiana
+
+----
+
 Would there be a way for this plugin to emit fewer blank lines (i.e. *none at all*)?
 
 For example, having a look at [this page](http://www.bddebian.com/~wiki/Hurd/)'s sidebar.

diff --git a/doc/templates/plugin.mdwn b/doc/templates/plugin.mdwn
index c1d1974..d62c879 100644
--- a/doc/templates/plugin.mdwn
+++ b/doc/templates/plugin.mdwn
@@ -6,6 +6,7 @@ Enabled by default: <TMPL_IF core>yes<TMPL_ELSE>no</TMPL_IF><br />
 Included in [[/plugins/goodstuff]]: [[!if test="backlink(plugins/goodstuff)" all=no then="""yes""" else="""no"""]]<br />
 Currently enabled: [[!if test="enabled(<TMPL_VAR name>)" then="yes" else="no"]]<br />
 </span>
+[[!tag plugin <TMPL_VAR name>]]
 [[!if test="sourcepage(plugins/contrib/*)" then="""[[!meta title="<TMPL_VAR name> (third party plugin)"]]"""]]
 <TMPL_IF core>[[!tag plugins/type/core]]</TMPL_IF>
 <TMPL_UNLESS NAME="name">

diff --git a/doc/ikiwiki/directive/map/discussion.mdwn b/doc/ikiwiki/directive/map/discussion.mdwn
index 062b426..075b91b 100644
--- a/doc/ikiwiki/directive/map/discussion.mdwn
+++ b/doc/ikiwiki/directive/map/discussion.mdwn
@@ -1,3 +1,12 @@
+### Sorting
+
+Is there a way to have the generated maps sorted by *title* instead of *filename* when show=title is used?
+Thanks 
+
+-- Thiana
+
+----
+
 Question: Is there a way to generate a listing that shows *both* title and description meta information? Currently, a \[\[!map ...]] shows only one of the two, but I'd like to generate a navigation that looks like a description list. For example:
 
  * This is the title meta information.

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 7db12c3..cb75895 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -21,3 +21,5 @@ What might be causing this exception and how I might go about debugging exceptio
 >>> tried setting a page title to '$this' and 'foo $this'.
 >>> That's with version 1.0.18 of omega.
 >>> --[[Joey]]
+
+>>>> I tried it with both omega 1.0.13 and omega 1.0.18 and the issue is present in both. If I view the contents of {$srcdir}/.ikiwiki/xapian/templates/query, I can see that the wiki title is inserted verbatim and there are calls to `$setmap`, `$set` and `$def` etc in the template. --[[dkobozev]]

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 94de18c..7db12c3 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -14,3 +14,10 @@ What might be causing this exception and how I might go about debugging exceptio
 > could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 
 
 >> Thanks, Joey. With your help I was able to figure out what was wrong. It's a fun little bug (or feature): the title of my wiki had string `$this` in title and that's what was causing the omega binary to choke. My wiki's title was inserted without escaping into the query template used by omega. Omega treated `$this` in the title as a function name and threw an exception because no such function was defined. To avoid this behavior, I used an html entity in the title, so `$this` became `$this`. I don't think that the wiki title should be inserted into the template without escaping - it can produce an error that's not trivial to debug. If users want to modify the html in the title, they should be editing respective templates, not typing html in the wiki title input. What do you think? --[[dkobozev]]
+
+>>> Sounds like a bug in omega, and one that probably would affect other
+>>> users of omega too. Ikiwiki could work around it by pre-escaping
+>>> data before passing it to xapian. I have not quite managed to reproduce it though;
+>>> tried setting a page title to '$this' and 'foo $this'.
+>>> That's with version 1.0.18 of omega.
+>>> --[[Joey]]

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 3cbcdc4..94de18c 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -12,3 +12,5 @@ What might be causing this exception and how I might go about debugging exceptio
 > You could try rebuilding your wiki in case it is somehow
 > caused by a problem with the xapian database. Failing everything, you
 > could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 
+
+>> Thanks, Joey. With your help I was able to figure out what was wrong. It's a fun little bug (or feature): the title of my wiki had string `$this` in title and that's what was causing the omega binary to choke. My wiki's title was inserted without escaping into the query template used by omega. Omega treated `$this` in the title as a function name and threw an exception because no such function was defined. To avoid this behavior, I used an html entity in the title, so `$this` became `$this`. I don't think that the wiki title should be inserted into the template without escaping - it can produce an error that's not trivial to debug. If users want to modify the html in the title, they should be editing respective templates, not typing html in the wiki title input. What do you think? --[[dkobozev]]

diff --git a/doc/sandbox.mdwn b/doc/sandbox.mdwn
index afd7dbe..1a1b128 100644
--- a/doc/sandbox.mdwn
+++ b/doc/sandbox.mdwn
@@ -77,3 +77,4 @@ bar
 Hmm, can I dig it?
 
 Test
+pop

diff --git a/doc/sandbox/danc.mdwn b/doc/sandbox/danc.mdwn
new file mode 100644
index 0000000..9766475
--- /dev/null
+++ b/doc/sandbox/danc.mdwn
@@ -0,0 +1 @@
+ok

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 628276b..3cbcdc4 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -4,9 +4,11 @@ What might be causing this exception and how I might go about debugging exceptio
 
 > Appears to be coming from your xapian omega cgi binary. If you
 > run `strings /usr/lib/cgi-bin/omega/omega` you can see it has
-> "Exception: " in it.
+> "Exception: " in it, and I have found some similar (but not identical)
+> error messages from xapian in a web search.
 > 
 > I don´t know what to suggest, other than upgrade/downgrade/reinstall
-> xapian-omega. You could try rebuilding your wiki in case it is somehow
+> xapian-omega, and contacting the xapian developers for debugging.
+> You could try rebuilding your wiki in case it is somehow
 > caused by a problem with the xapian database. Failing everything, you
 > could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
index 05d4e3a..628276b 100644
--- a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -1,3 +1,12 @@
 I'm very excited to try out ikiwiki, since it should fit my purposes extremely well, but I'm having trouble with the search plugin. I'm pretty sure that right after I installed ikiwiki and needed dependencies, the search plugin was working fine. However, now when I try to use search, I get "Exception: Unknown function `this'" error on a blank page. I'm not sure how I should go about debugging this issue - my server's (I use Lighttpd 1.4.22) error log has no mention of the exception and there's nothing in /var/log/syslog either.
 
 What might be causing this exception and how I might go about debugging exceptions?
+
+> Appears to be coming from your xapian omega cgi binary. If you
+> run `strings /usr/lib/cgi-bin/omega/omega` you can see it has
+> "Exception: " in it.
+> 
+> I don´t know what to suggest, other than upgrade/downgrade/reinstall
+> xapian-omega. You could try rebuilding your wiki in case it is somehow
+> caused by a problem with the xapian database. Failing everything, you
+> could switch to [[google_search_plugin|plugins/google]]. --[[Joey]] 

diff --git a/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
new file mode 100644
index 0000000..05d4e3a
--- /dev/null
+++ b/doc/forum/Exception:_Unknown_function___96__this__39___.mdwn
@@ -0,0 +1,3 @@
+I'm very excited to try out ikiwiki, since it should fit my purposes extremely well, but I'm having trouble with the search plugin. I'm pretty sure that right after I installed ikiwiki and needed dependencies, the search plugin was working fine. However, now when I try to use search, I get "Exception: Unknown function `this'" error on a blank page. I'm not sure how I should go about debugging this issue - my server's (I use Lighttpd 1.4.22) error log has no mention of the exception and there's nothing in /var/log/syslog either.
+
+What might be causing this exception and how I might go about debugging exceptions?

diff --git a/doc/index.mdwn b/doc/index.mdwn
index 88eafa1..732cf7a 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -19,7 +19,6 @@ ikiwiki [[!version ]].
 
 ## developer resources
 
-
 The [[RoadMap]] describes where the project is going.
 The [[forum]] is open for discussions.
 [[Bugs]], [[TODO]] items, [[wishlist]] items, and [[patches|patch]]
@@ -27,5 +26,3 @@ can be submitted and tracked using this wiki.
 
 ikiwiki is developed by [[Joey]] and many contributors,
 and is [[FreeSoftware]].
-
-

diff --git a/doc/TourBusStop.mdwn b/doc/TourBusStop.mdwn
index 5317c67..8e382bd 100644
--- a/doc/TourBusStop.mdwn
+++ b/doc/TourBusStop.mdwn
@@ -9,7 +9,7 @@ This wiki serves as the home for the ikiwiki wiki engine, providing collaborativ
 * You can turn any set of pages into a [[blog]] or similar news feed,
 * complete with RSS and Atom support.  You can run your weblog on ikiwiki (and [[many_people_do|ikiwikiusers]]), run a Planet-like [[aggregator|plugins/aggregate]] for external feeds, or keep a [[TODO]] and [[bug|bugs]] list with tags for completed items.
 
-* ikiwiki provides a wiki compiler, designed to transform your wiki content into a set of static pages.  You can then serve these pages as static content.  ikiwiki will not fall over during a Slashdotting, because page views don't require the ikiwiki CGI; as long as your web server can keep up, your [site](http://dessouse.net) will survive.  Furthermore, you can choose whether you want to run the ikiwiki CGI for web edits or only handle commits to the underlying version control system; you can even run ikiwiki privately and just manually copy the content to another server.  So if you want to put a wiki up on a server without installing any software on that server, try ikiwiki.
+* ikiwiki provides a wiki compiler, designed to transform your wiki content into a set of static pages.  You can then serve these pages as static content.  ikiwiki will not fall over during a Slashdotting, because page views don't require the ikiwiki CGI; as long as your web server can keep up, your site will survive.  Furthermore, you can choose whether you want to run the ikiwiki CGI for web edits or only handle commits to the underlying version control system; you can even run ikiwiki privately and just manually copy the content to another server.  So if you want to put a wiki up on a server without installing any software on that server, try ikiwiki.
 
 ![Picture of the TourBus](http://www.wikiservice.at/image/wikibus.gif)
 

diff --git a/doc/TourBusStop.mdwn b/doc/TourBusStop.mdwn
index 8e382bd..5317c67 100644
--- a/doc/TourBusStop.mdwn
+++ b/doc/TourBusStop.mdwn
@@ -9,7 +9,7 @@ This wiki serves as the home for the ikiwiki wiki engine, providing collaborativ
 * You can turn any set of pages into a [[blog]] or similar news feed,
 * complete with RSS and Atom support.  You can run your weblog on ikiwiki (and [[many_people_do|ikiwikiusers]]), run a Planet-like [[aggregator|plugins/aggregate]] for external feeds, or keep a [[TODO]] and [[bug|bugs]] list with tags for completed items.
 
-* ikiwiki provides a wiki compiler, designed to transform your wiki content into a set of static pages.  You can then serve these pages as static content.  ikiwiki will not fall over during a Slashdotting, because page views don't require the ikiwiki CGI; as long as your web server can keep up, your site will survive.  Furthermore, you can choose whether you want to run the ikiwiki CGI for web edits or only handle commits to the underlying version control system; you can even run ikiwiki privately and just manually copy the content to another server.  So if you want to put a wiki up on a server without installing any software on that server, try ikiwiki.
+* ikiwiki provides a wiki compiler, designed to transform your wiki content into a set of static pages.  You can then serve these pages as static content.  ikiwiki will not fall over during a Slashdotting, because page views don't require the ikiwiki CGI; as long as your web server can keep up, your [site](http://dessouse.net) will survive.  Furthermore, you can choose whether you want to run the ikiwiki CGI for web edits or only handle commits to the underlying version control system; you can even run ikiwiki privately and just manually copy the content to another server.  So if you want to put a wiki up on a server without installing any software on that server, try ikiwiki.
 
 ![Picture of the TourBus](http://www.wikiservice.at/image/wikibus.gif)
 

diff --git a/doc/index.mdwn b/doc/index.mdwn
index b1ef36b..88eafa1 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -19,7 +19,6 @@ ikiwiki [[!version ]].
 
 ## developer resources
 
-[jup](http://www.google.de)
 
 The [[RoadMap]] describes where the project is going.
 The [[forum]] is open for discussions.

diff --git a/doc/index.mdwn b/doc/index.mdwn
index 732cf7a..b1ef36b 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -19,6 +19,8 @@ ikiwiki [[!version ]].
 
 ## developer resources
 
+[jup](http://www.google.de)
+
 The [[RoadMap]] describes where the project is going.
 The [[forum]] is open for discussions.
 [[Bugs]], [[TODO]] items, [[wishlist]] items, and [[patches|patch]]
@@ -26,3 +28,5 @@ can be submitted and tracked using this wiki.
 
 ikiwiki is developed by [[Joey]] and many contributors,
 and is [[FreeSoftware]].
+
+

diff --git a/doc/todo/salmon_protocol_for_comment_sharing.mdwn b/doc/todo/salmon_protocol_for_comment_sharing.mdwn
index f4fa0c5..1e56b0a 100644
--- a/doc/todo/salmon_protocol_for_comment_sharing.mdwn
+++ b/doc/todo/salmon_protocol_for_comment_sharing.mdwn
@@ -1,3 +1,21 @@
-The <a href="http://www.salmon-protocol.org/home">Salmon protocol</a> provides for aggregating comments across sites.  If a site that syndicates a feed receives a comment on an item in that feed, it can re-post the comment to the original source.
+The <a href="http://www.salmon-protocol.org/home">Salmon protocol</a>
+provides for aggregating comments across sites.  If a site that syndicates
+a feed receives a comment on an item in that feed, it can re-post the
+comment to the original source.
+
+> Ikiwiki does not allow comments to be posted on items it aggregates.
+> So salmon protocol support would only need to handle the comment
+> receiving side of the protocol.
+> 
+> The current draft protocol document confuses me when it starts talking
+> about using OAuth in the abuse prevention section, since their example
+> does not show use of OAuth, and it's not at all clear to me where the
+> OAuth relationship between aggregator and original source is supposed
+> to come from.
+> 
+> Their security model, which goes on to include Webfinger,
+> thirdparty validation services, XRD, and Magic Signatures, looks sorta
+> like they kept throwing technology,  at it, hoping something will stick. :-P
+> --[[Joey]]
 
 [[!tag wishlist]]

diff --git a/doc/todo/salmon_protocol_for_comment_sharing.mdwn b/doc/todo/salmon_protocol_for_comment_sharing.mdwn
new file mode 100644
index 0000000..f4fa0c5
--- /dev/null
+++ b/doc/todo/salmon_protocol_for_comment_sharing.mdwn
@@ -0,0 +1,3 @@
+The <a href="http://www.salmon-protocol.org/home">Salmon protocol</a> provides for aggregating comments across sites.  If a site that syndicates a feed receives a comment on an item in that feed, it can re-post the comment to the original source.
+
+[[!tag wishlist]]

diff --git a/doc/news/version_3.20091202.mdwn b/doc/news/version_3.20091202.mdwn
deleted file mode 100644
index 60f17fe..0000000
--- a/doc/news/version_3.20091202.mdwn
+++ /dev/null
@@ -1,17 +0,0 @@
-ikiwiki 3.20091202 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * meta: Generate meta description tags even when the html scrubber is
-     enabled.
-   * meta: Allow use of DESCRIPTION in templates to get at the meta description
-     value. (Thanks, NicolasLimare)
-   * inline: Use caching of inlined pages to speed up builds of inlines that
-     include feeds. Speedup of about 25% for small inlines; could be much
-     larger for inlines of many, or complex pages.
-   * Added (incomplete) Turkish po file. Closes: #[556744](http://bugs.debian.org/556744)
-     Thanks, Recai Oktaş
-   * date: New plugin that allows inserting date directives that expand to
-     pretty-printed dates, using the same formatting as used for page
-     modification date display, etc.
-   * htmllink: Allow a title attribute to be specified.
-   * calendar: Add title attributes for all links in the calendars.
-   * calendar: Fix month wraparound error that broke in December."""]]
\ No newline at end of file
diff --git a/doc/news/version_3.20100302.mdwn b/doc/news/version_3.20100302.mdwn
new file mode 100644
index 0000000..f439b1b
--- /dev/null
+++ b/doc/news/version_3.20100302.mdwn
@@ -0,0 +1,12 @@
+ikiwiki 3.20100302 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * comments: Display number of comments in comment action link.
+   * Rebuild wikis on upgrade to this version to get the comment counts
+     added to existing pages.
+   * Loosen regexp, to allow empty quoted parameters in directives.
+   * Add force\_overwrite setting to make setup automator overwrite existing
+     files/directories.
+   * Fix admin openid detection in setup automator, and avoid prompting
+     for a password.
+   * Add new --clean option; this makes ikiwiki remove all built
+     files in the destdir, as well as wrappers and the .ikiwiki directory."""]]
\ No newline at end of file

diff --git a/doc/bugs/404_plugin_and_lighttpd.mdwn b/doc/bugs/404_plugin_and_lighttpd.mdwn
index 29ca107..ffbad8a 100644
--- a/doc/bugs/404_plugin_and_lighttpd.mdwn
+++ b/doc/bugs/404_plugin_and_lighttpd.mdwn
@@ -11,3 +11,25 @@ This is with lighttpd 1.4.19 on Debian.
 > I originally wrote the plugin for Apache; [[weakish]] contributed the
 > lighttpd docs and might know more about how to make it work there.
 > --[[smcv]]
+
+>> As I said, I got it working for me, but somebody who knows perl should probably look at it with the aim of making it work for everyone.
+>> I considered having lighttpd construct a proper url for the 404 redirect itself, but I don't know if it can do something like that or not.
+>> For what it's worth, here's the change I made to the module:
+
+    sub cgi ($) {
+            my $cgi=shift;
+            if ($ENV{REQUEST_URI} !~ /ikiwiki\.cgi/) {
+                    my $page = cgi_page_from_404(
+                            Encode::decode_utf8($ENV{SERVER_NAME} . $ENV{REQUEST_URI}),
+                            $config{url}, $config{usedirs});
+                    IkiWiki::Plugin::goto::cgi_goto($cgi, $page);
+            }
+    
+    #       if (exists $ENV{REDIRECT_STATUS} &&
+    #           $ENV{REDIRECT_STATUS} eq '404') {
+    #               my $page = cgi_page_from_404(
+    #                       Encode::decode_utf8($ENV{REDIRECT_URL}),
+    #                       $config{url}, $config{usedirs});
+    #               IkiWiki::Plugin::goto::cgi_goto($cgi, $page);
+    #       }
+    }

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index 12d6929..345604c 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -140,6 +140,7 @@ Personal sites and blogs
 * [Alex Ghitza homepage and blog](http://aghitza.org/)
 * [Mukund's homepage](http://www.mukund.org/)
 * [Andreas's homepage](http://0x7.ch/) - Ikiwiki, Subversion and CSS template
+* [Chris Dombroski's boring bliki](https://www.icanttype.org/)
 
 Please feel free to add your own ikiwiki site!
 

diff --git a/doc/bugs/404_plugin_and_lighttpd.mdwn b/doc/bugs/404_plugin_and_lighttpd.mdwn
index e60fd20..29ca107 100644
--- a/doc/bugs/404_plugin_and_lighttpd.mdwn
+++ b/doc/bugs/404_plugin_and_lighttpd.mdwn
@@ -3,3 +3,11 @@ Lighttpd apparently sets REDIRECT_STATUS=200 for the server.error-handler-404 pa
 I was able to fix my server to check the REQUEST_URI for ikiwiki.cgi and to continue processing if it was not found, passing $ENV{SEVER_NAME} . $ENV{REQUEST_URI} as the first parameter to cgi_page_from_404. However, my perl is terrible and I just made it work rather than figuring out exactly what to do to get it to work on both lighttpd and apache.
 
 This is with lighttpd 1.4.19 on Debian.
+
+> /cgi-bin/ikiwiki.cgi?do=goto also provides redirection in the same way,
+> if that's any help? You might need to set the lighttpd 404 handler to
+> that, then compose REDIRECT_URL from other variables if necessary.
+>
+> I originally wrote the plugin for Apache; [[weakish]] contributed the
+> lighttpd docs and might know more about how to make it work there.
+> --[[smcv]]

diff --git a/doc/bugs/404_plugin_and_lighttpd.mdwn b/doc/bugs/404_plugin_and_lighttpd.mdwn
new file mode 100644
index 0000000..e60fd20
--- /dev/null
+++ b/doc/bugs/404_plugin_and_lighttpd.mdwn
@@ -0,0 +1,5 @@
+Lighttpd apparently sets REDIRECT_STATUS=200 for the server.error-handler-404 page. This breaks the 404 plugin which checks this variable for 404 before processing the URI. It also doesn't seem to set REDIRECT_URL.
+
+I was able to fix my server to check the REQUEST_URI for ikiwiki.cgi and to continue processing if it was not found, passing $ENV{SEVER_NAME} . $ENV{REQUEST_URI} as the first parameter to cgi_page_from_404. However, my perl is terrible and I just made it work rather than figuring out exactly what to do to get it to work on both lighttpd and apache.
+
+This is with lighttpd 1.4.19 on Debian.

diff --git a/doc/bugs/External_links_with_Creole.mdwn b/doc/bugs/External_links_with_Creole.mdwn
new file mode 100644
index 0000000..3d800b0
--- /dev/null
+++ b/doc/bugs/External_links_with_Creole.mdwn
@@ -0,0 +1,3 @@
+When using Creole for markup, creating an external link appears to be impossible. Neither \[[Outside URL|http://example.com]] nor <<http://example.com>> nor \[Outside URL]\(http://example.com) work. The first gets rendered as a broken WikiLink, the second get eaten and the last is not parsed in anyway so you end up with that exact text in your page. 
+
+I'd have made this as a Creole page as a practical demonstration, but that doesn't seem possible here. Here's a page with an example: <https://www.icanttype.org//demo/CreoleExternalLinks>

diff --git a/doc/plugins/creole/discussion.mdwn b/doc/plugins/creole/discussion.mdwn
index eab4134..7f47c2c 100644
--- a/doc/plugins/creole/discussion.mdwn
+++ b/doc/plugins/creole/discussion.mdwn
@@ -18,3 +18,5 @@ I've installed Text::WikiCreole 0.05 and enabled the plugin, but I get an error
 I'm moving over a really stinkingly old UseMod and creole seems the nearest match. I've worked out that Bare /Subpage links need to become \[\[Subpage\]\], and Top/Sub links need to be \[\[Top/Sub\]\] (or \[\[Top/Sub|Top/Sub\]\], to display in exactly the same way), but I'm stuck on generic hyperlinks. The creole cheat sheet says I should be able to do \[\[http://url.path/foo|LinkText\]\], but that comes out as a link to create the "linktext" page, and Markdown-style \[Link Text\](http://url.path/foo) just gets rendered as is. Any suggestions? --[[schmonz]]
 
 > Was this problem ever solved? -- Thiana
+
+>> Not by me. If I were looking at the problem now, with fresh eyes, I'd probably bite the bullet and just convert everything to Markdown. --[[schmonz]]

diff --git a/doc/plugins/creole/discussion.mdwn b/doc/plugins/creole/discussion.mdwn
index 38ee2bd..eab4134 100644
--- a/doc/plugins/creole/discussion.mdwn
+++ b/doc/plugins/creole/discussion.mdwn
@@ -12,4 +12,9 @@ I've installed Text::WikiCreole 0.05 and enabled the plugin, but I get an error
 
 >>> forgot, done now --[[Joey]] 
 
+---
+## External Links
+
 I'm moving over a really stinkingly old UseMod and creole seems the nearest match. I've worked out that Bare /Subpage links need to become \[\[Subpage\]\], and Top/Sub links need to be \[\[Top/Sub\]\] (or \[\[Top/Sub|Top/Sub\]\], to display in exactly the same way), but I'm stuck on generic hyperlinks. The creole cheat sheet says I should be able to do \[\[http://url.path/foo|LinkText\]\], but that comes out as a link to create the "linktext" page, and Markdown-style \[Link Text\](http://url.path/foo) just gets rendered as is. Any suggestions? --[[schmonz]]
+
+> Was this problem ever solved? -- Thiana

diff --git a/doc/ikiwiki/directive/inline/discussion.mdwn b/doc/ikiwiki/directive/inline/discussion.mdwn
index 998ba64..6a186cd 100644
--- a/doc/ikiwiki/directive/inline/discussion.mdwn
+++ b/doc/ikiwiki/directive/inline/discussion.mdwn
@@ -1,3 +1,10 @@
+## Combine inline and toggle
+
+Is it possible to combine the behaviour of toggle and inline? ie, have it present of list of 'headlines' which are created from seperate subpages which can be clicked to expand to the body of the inlined page. Thanks.
+
+-- Thiana
+
+---
 ## How do you provide the per post discussion links in your own blog?
 
 > That's configured by the "actions" parameter to the inline directive. See

diff --git a/doc/plugins/rename.mdwn b/doc/plugins/rename.mdwn
index ddaede8..abb3613 100644
--- a/doc/plugins/rename.mdwn
+++ b/doc/plugins/rename.mdwn
@@ -2,7 +2,8 @@
 [[!tag type/web]]
 
 This plugin allows pages or other files to be renamed using the web
-interface.
+interface. Following Unix tradition, renaming also allows moving to a
+different directory.
 
 Users can only rename things that they are allowed to edit or upload.
 

diff --git a/doc/plugins/contrib/report.mdwn b/doc/plugins/contrib/report.mdwn
index e8cbd04..c364d4a 100644
--- a/doc/plugins/contrib/report.mdwn
+++ b/doc/plugins/contrib/report.mdwn
@@ -89,7 +89,7 @@ The "mood_summary" template might be like this:
     ## <TMPL_VAR NAME="HEADER1">
     </TMPL_IF>
     ### <TMPL_VAR NAME="TITLE">
-    (<TMPL_VAR NAME="DATE">) \[[<TMPL_VAR NAME="PAGE"]]
+    (<TMPL_VAR NAME="DATE">) \[[<TMPL_VAR NAME="PAGE">]]
     <TMPL_VAR NAME="DESCRIPTION">
     
 ### Advanced Options

diff --git a/doc/examples/softwaresite.mdwn b/doc/examples/softwaresite.mdwn
index e43a9d1..99f7911 100644
--- a/doc/examples/softwaresite.mdwn
+++ b/doc/examples/softwaresite.mdwn
@@ -14,3 +14,6 @@ Some additional configuration you might want to do:
 
 * Read the [[tips/integrated_issue_tracking_with_ikiwiki]] article for tips
   about how to use ikiwiki as a BTS.
+
+* Read [[tips/spam_and_softwaresites]] for information on how to keep spam
+  and spam-fighting commits out of your main version control history.

diff --git a/doc/tips/spam_and_softwaresites.mdwn b/doc/tips/spam_and_softwaresites.mdwn
new file mode 100644
index 0000000..fe73518
--- /dev/null
+++ b/doc/tips/spam_and_softwaresites.mdwn
@@ -0,0 +1,86 @@
+Any wiki with a form of web-editing enabled will have to deal with
+spam. (See the [[plugins/blogspam]] plugin for one defensive tool you
+can deploy).
+
+If:
+
+ * you are using ikiwiki to manage the website for a [[examples/softwaresite]]
+ * you allow web-based commits, to let people correct documentation, or report
+   bugs, etc.
+ * the documentation is stored in the same revision control repository as your
+   software
+
+It is undesirable to have your software's VCS history tainted by spam and spam
+clean-up commits. Here is one approach you can use to prevent this. This
+example is for the [[git]] version control system, but the principles should
+apply to others.
+
+## Isolate web commits to a specific branch
+
+Create a separate branch to contain web-originated edits (named `doc` in this
+example):
+
+    $ git checkout -b doc
+
+Adjust your setup file accordingly:
+
+    gitmaster_branch => 'doc',
+
+## merging good web commits into the master branch
+
+You will want to periodically merge legitimate web-based commits back into
+your master branch. Ensure that there is no spam in the documentation
+branch. If there is, see 'erase spam from the commit history', below, first.
+
+Once you are confident it's clean:
+
+    # ensure you are on the doc branch
+    $ git branch
+      doc
+    * master
+    $ git merge --ff doc
+
+## removing spam
+
+### short term
+
+In the short term, just revert the spammy commit.
+
+If the spammy commit was the top-most:
+
+    $ git revert HEAD
+
+This will clean the spam out of the files, but it will leave both the spam
+commit and the revert commit in the history.
+
+### erase spam from the commit history
+
+Git allows you to rewrite your commit history.  We will take advantage of this
+to eradicate spam from the history of the doc branch.
+
+This is a useful tool, but it is considered bad practise to rewrite the
+history of public repositories. If your software's repository is public, you
+should make it clear that the history of the `doc` branch in your repository
+is unstable.
+
+Once you have been spammed, use `git rebase` to remove the spam commits from
+the history.  Assuming that your `doc` branch was split off from a branch
+called `master`:
+
+    # ensure you are on the doc branch
+    $ git branch
+    * doc
+      master
+    $ git rebase --interactive master
+
+In your editor session, you will see a series of lines for each commit made to
+the `doc` branch since it was branched from `master` (or since the last merge
+back into `master`). Delete the lines corresponding to spammy commits, then
+save and exit your editor.
+
+Caveat: if there are no commits you want to keep (i.e. all the commits since
+the last merge into master are either spam or spam reverts) then `git rebase`
+will abort. Therefore, this approach only works if you have at least one
+non-spam commit to the documentation since the last merge into `master`. For
+this reason, it's best to tackle spam with reverts until you have at least one
+commit you want merged back into the main history.

diff --git a/doc/plugins/contrib/report.mdwn b/doc/plugins/contrib/report.mdwn
index 7130bcb..e8cbd04 100644
--- a/doc/plugins/contrib/report.mdwn
+++ b/doc/plugins/contrib/report.mdwn
@@ -18,7 +18,7 @@ IkiWiki::Plugin::report - Produce templated reports from page field data.
 
 This plugin provides the **report** directive.  This enables one to report on
 the structured data ("field" values) of multiple pages; the output is formatted
-via a template.  This depends on the "field" plugin.
+via a template.  This depends on the [[plugins/contrib/field]] plugin.
 
 The pages to report on are selected by a PageSpec given by the "pages"
 parameter.  The template is given by the "template" parameter.

diff --git a/IkiWiki.pm b/IkiWiki.pm
index 9df6c90..00eadfd 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -409,6 +409,13 @@ sub getsetup () {
 		safe => 0,
 		rebuild => 0,
 	},
+	clean => {
+		type => "internal",
+		default => 0,
+		description => "running in clean mode",
+		safe => 0,
+		rebuild => 0,
+	},
 	refresh => {
 		type => "internal",
 		default => 0,
diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index 3ebb1a3..af24df1 100644
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -683,6 +683,17 @@ sub refresh () {
 	}
 }
 
+sub clean_rendered {
+	lockwiki();
+	loadindex();
+	remove_unrendered();
+	foreach my $page (keys %oldrenderedfiles) {
+		foreach my $file (@{$oldrenderedfiles{$page}}) {
+			prune($config{destdir}."/".$file);
+		}
+	}
+}
+
 sub commandline_render () {
 	lockwiki();
 	loadindex();
diff --git a/Makefile.PL b/Makefile.PL
index 462f736..52421a7 100755
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -51,7 +51,7 @@ docwiki: ikiwiki.out
 	$(PERL) -Iblib/lib $(extramodules) $(tflag) ikiwiki.out -libdir . -setup docwiki.setup -refresh
 
 extra_clean:
-	rm -rf html doc/.ikiwiki
+	$(PERL) -I. $(extramodules) $(tflag) ikiwiki.in -libdir . -setup docwiki.setup -clean
 	rm -f *.man ikiwiki.out ikiwiki.setup plugins/*.pyc
 	$(MAKE) -C po clean
 
diff --git a/debian/changelog b/debian/changelog
index 832bbaa..3b92c59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (3.20100213) UNRELEASED; urgency=low
+ikiwiki (3.20100228) UNRELEASED; urgency=low
 
   * comments: Display number of comments in comment action link.
   * Rebuild wikis on upgrade to this version to get the comment counts
@@ -8,6 +8,8 @@ ikiwiki (3.20100213) UNRELEASED; urgency=low
     files/directories.
   * Fix admin openid detection in setup automator, and avoid prompting
     for a password.
+  * Add new --clean option; this makes ikiwiki remove all built
+    files in the destdir, as well as wrappers and the .ikiwiki directory.
 
  -- Joey Hess <joeyh@debian.org>  Sun, 14 Feb 2010 17:02:10 -0500
 
diff --git a/doc/usage.mdwn b/doc/usage.mdwn
index e4808d4..a105d7e 100644
--- a/doc/usage.mdwn
+++ b/doc/usage.mdwn
@@ -50,6 +50,14 @@ These options control the mode that ikiwiki operates in.
   If used with --setup --refresh, this makes it also update any configured
   wrappers.
 
+* --clean
+
+  This makes ikiwiki clean up by removing any files it denerated in the 
+  `destination` directory, as well as any configured wrappers, and the
+  `.ikiwiki` state directory. This is mostly useful if you're running
+  ikiwiki in a Makefile to build documentation and want a corresponding
+  `clean` target.
+
 * --cgi
 
   Enable [[CGI]] mode. In cgi mode ikiwiki runs as a cgi script, and
diff --git a/ikiwiki.in b/ikiwiki.in
index b8581d8..ae1251f 100755
--- a/ikiwiki.in
+++ b/ikiwiki.in
@@ -37,6 +37,7 @@ sub getconfig () {
 			"syslog!" => \$config{syslog},
 			"rebuild!" => \$config{rebuild},
 			"refresh!" => \$config{refresh},
+			"clean!" => \$config{clean},
 			"post-commit" => \$config{post_commit},
 			"render=s" => \$config{render},
 			"wrappers!" => \$config{genwrappers},
@@ -135,6 +136,7 @@ sub main () {
 
 		if (@{$config{wrappers}} && 
 		    ! $config{render} && ! $config{dumpsetup} &&
+		    ! $config{clean} &&
 		    ((! $config{refresh} && ! $config{post_commit})
 		     || $config{genwrappers})) {
 			debug(gettext("generating wrappers.."));
@@ -159,7 +161,7 @@ sub main () {
 		
 		# setup implies a wiki rebuild by default
 		if (! $config{refresh} && ! $config{render} &&
-		    ! $config{post_commit}) {
+		    ! $config{post_commit} && ! $config{clean}) {
 			$config{rebuild}=1;
 		}
 	}
@@ -190,6 +192,14 @@ sub main () {
 	elsif ($config{post_commit} && ! commit_hook_enabled()) {
 		# do nothing
 	}
+	elsif ($config{clean}) {
+		require IkiWiki::Render;
+		foreach my $wrapper (@{$config{wrappers}}) {
+			prune($wrapper->{wrapper});
+		}
+		clean_rendered();
+		system("rm", "-rf", $config{wikistatedir});
+	}
 	else {
 		if ($config{rebuild}) {
 			debug(gettext("rebuilding wiki.."));
diff --git a/ikiwiki.spec b/ikiwiki.spec
index 865c9a3..1dba9f4 100644
--- a/ikiwiki.spec
+++ b/ikiwiki.spec
@@ -1,5 +1,5 @@
 Name:           ikiwiki
-Version: 3.20100212
+Version: 3.20100228
 Release:        1%{?dist}
 Summary:        A wiki compiler
 

diff --git a/doc/users/jeanprivat.mdwn b/doc/users/jeanprivat.mdwn
new file mode 100644
index 0000000..4d75a98
--- /dev/null
+++ b/doc/users/jeanprivat.mdwn
@@ -0,0 +1 @@
+Jean Privat is <jean@pryen.org>.

diff --git a/doc/todo/beef_up_sidebar_to_allow_for_multiple_sidebars.mdwn b/doc/todo/beef_up_sidebar_to_allow_for_multiple_sidebars.mdwn
index fb942a4..02b8324 100644
--- a/doc/todo/beef_up_sidebar_to_allow_for_multiple_sidebars.mdwn
+++ b/doc/todo/beef_up_sidebar_to_allow_for_multiple_sidebars.mdwn
@@ -13,5 +13,57 @@ those contents instead.
 
 > In mine I just copied sidebar out and made some extra "sidebars", but they go elsewhere. Ugly hack, but it works. --[[simonraven]]
 
+>> Here a simple [[patch]] for multiple sidebars. Not too fancy but better than having multiple copies of the sidebar plugin. --[[jeanprivat]]
+
+<pre>
+--- /usr/share/perl5/IkiWiki/Plugin/sidebar.pm	2010-02-11 22:53:17.000000000 -0500
++++ plugins/IkiWiki/Plugin/sidebar.pm	2010-02-27 09:54:12.524412391 -0500
+@@ -19,12 +19,20 @@
+ 			safe => 1,
+ 			rebuild => 1,
+ 		},
++		active_sidebars => {
++			type => "string",
++			example => qw(sidebar banner footer),
++			description => "Which sidebars must be activated and processed.",
++			safe => 1,
++			rebuild => 1
++		},
+ }
+ 
+-sub sidebar_content ($) {
++sub sidebar_content ($$) {
+ 	my $page=shift;
++	my $sidebar=shift;
+ 	
+-	my $sidebar_page=bestlink($page, "sidebar") || return;
++	my $sidebar_page=bestlink($page, $sidebar) || return;
+ 	my $sidebar_file=$pagesources{$sidebar_page} || return;
+ 	my $sidebar_type=pagetype($sidebar_file);
+ 	
+@@ -49,11 +57,17 @@
+ 
+ 	my $page=$params{page};
+ 	my $template=$params{template};
+-	
+-	if ($template->query(name => "sidebar")) {
+-		my $content=sidebar_content($page);
+-		if (defined $content && length $content) {
+-		        $template->param(sidebar => $content);
++
++	my @sidebars;
++	if (defined $config{active_sidebars} && length $config{active_sidebars}) { @sidebars = @{$config{active_sidebars}}; }
++	else { @sidebars = qw(sidebar); }
++
++	foreach my $sidebar (@sidebars) {
++		if ($template->query(name => $sidebar)) {
++			my $content=sidebar_content($page, $sidebar);
++			if (defined $content && length $content) {
++				$template->param($sidebar => $content);
++			}
+ 		}
+ 	}
+ }
+</pre>
 
 [[!tag wishlist]]

diff --git a/doc/users/Will.mdwn b/doc/users/Will.mdwn
index f5effdb..1956263 100644
--- a/doc/users/Will.mdwn
+++ b/doc/users/Will.mdwn
@@ -13,14 +13,16 @@ Unless otherwise specified, any code that I post to this wiki I release under th
 
 ------
 
+Disabling these as I'm not using them much any more...
+
 ### Open Bugs:
 
-[[!inline pages="link(users/Will) and bugs/* and !bugs/done and !bugs/discussion and !link(patch) and !link(bugs/done) and !bugs/*/*" archive="yes" feeds="no" ]]
+\[[!inline pages="link(users/Will) and bugs/* and !bugs/done and !bugs/discussion and !link(patch) and !link(bugs/done) and !bugs/*/*" archive="yes" feeds="no" ]]
 
 ### Open ToDos:
 
-[[!inline pages="link(users/Will) and todo/* and !todo/done and !todo/discussion and !link(patch) and !link(todo/done) and !bugs/*/*" archive="yes" feeds="no" ]]
+\[[!inline pages="link(users/Will) and todo/* and !todo/done and !todo/discussion and !link(patch) and !link(todo/done) and !bugs/*/*" archive="yes" feeds="no" ]]
 
 ### Unapplied Patches:
 
-[[!inline pages="link(users/Will) and (todo/* or bugs/*) and !bugs/done and !bugs/discussion and !todo/done and !todo/discussion and link(patch) and !link(bugs/done) and !link(todo/done) and !bugs/*/*" archive="yes" feeds="no" ]]
+\[[!inline pages="link(users/Will) and (todo/* or bugs/*) and !bugs/done and !bugs/discussion and !todo/done and !todo/discussion and link(patch) and !link(bugs/done) and !link(todo/done) and !bugs/*/*" archive="yes" feeds="no" ]]

diff --git a/doc/bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used.mdwn b/doc/bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used.mdwn
index bc19e7d..de178d4 100644
--- a/doc/bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used.mdwn
+++ b/doc/bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used.mdwn
@@ -14,3 +14,5 @@ The [[ikiwiki/directive/map]] directive sort by pagename. That looks kind of odd
 >> 1. inline also does sort by pagename even when explicitly told to sort by title.
 >>
 >> 2. I cannot get inline to create a list when the htmltidy plugin is switched on. I have a template which is enclosed in an li tag, and i put the ul tag around the inline manually, but htmltidy breaks this. --martin
+
+>>>> You might want to check if the [[plugins/contrib/report]] plugin solves your problem.  It can sort by title, among other things. --[[KathrynAndersen]]

diff --git a/doc/bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used.mdwn b/doc/bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used.mdwn
index f8e257d..bc19e7d 100644
--- a/doc/bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used.mdwn
+++ b/doc/bugs/map_sorts_by_pagename_and_not_title_when_show__61__title_is_used.mdwn
@@ -1,4 +1,4 @@
-The [[directive/map]] directive sorty by pagename. That looks kind of odd, when used together with show=title. I would expect it to sort by title then.
+The [[ikiwiki/directive/map]] directive sort by pagename. That looks kind of odd, when used together with show=title. I would expect it to sort by title then.
 
 > This would be quite hard to fix. Map sorts the pages it displays by page
 > name, which has the happy effect of making "foo/bar" come after "foo";
@@ -6,3 +6,11 @@ The [[directive/map]] directive sorty by pagename. That looks kind of odd, when
 > it's located in. If sorting by title, that wouldn't hold. So, map
 > would have to be effectively totally rewritten, to build up each group
 > of child pages, and then re-sort those. --[[Joey]] 
+
+>> Ok, you are right, that does would break the tree. This made me think that I do not
+>> need to generate a tree for my particular use case just a list, so i thought i could use [[ikiwiki/directive/inline]] instead.
+>> This created two new issues:
+>>
+>> 1. inline also does sort by pagename even when explicitly told to sort by title.
+>>
+>> 2. I cannot get inline to create a list when the htmltidy plugin is switched on. I have a template which is enclosed in an li tag, and i put the ul tag around the inline manually, but htmltidy breaks this. --martin

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index 62064e0..12d6929 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -139,6 +139,7 @@ Personal sites and blogs
 * [Backyard Deer](http://www.backyarddeer.com/)
 * [Alex Ghitza homepage and blog](http://aghitza.org/)
 * [Mukund's homepage](http://www.mukund.org/)
+* [Andreas's homepage](http://0x7.ch/) - Ikiwiki, Subversion and CSS template
 
 Please feel free to add your own ikiwiki site!
 

diff --git a/doc/users/jon.mdwn b/doc/users/jon.mdwn
index 35bdb5d..d5593dc 100644
--- a/doc/users/jon.mdwn
+++ b/doc/users/jon.mdwn
@@ -55,4 +55,4 @@ Penultimately, the following are merely half-formed thoughts:
 Finally, backlinks (since I have issues with the current backlinks
 implementation, see [[bugs/backlinks onhover thing can go weird]]):
 
-[[!map pages="link(users/Jon)"]]
+[[!inline pages="link(users/Jon)" archive="yes" feeds="no"]]

diff --git a/doc/users/jon.mdwn b/doc/users/jon.mdwn
index f08076c..35bdb5d 100644
--- a/doc/users/jon.mdwn
+++ b/doc/users/jon.mdwn
@@ -45,9 +45,14 @@ The following I have been looking at, but are on the back-burner:
   bugs such as [[bugs/tagged() matching wikilinks]]. Code for this lives
   in my github `tag2` branch: <http://github.com/jmtd/ikiwiki>
 
-Finally, the following are merely half-formed thoughts:
+Penultimately, the following are merely half-formed thoughts:
 
  * adding and removing tags to pages via the edit form by ticking and
    unticking checkboxes next to a tag name (rather than entering the 
    directive into the text of the page directly)
  * perhaps the same for meta
+
+Finally, backlinks (since I have issues with the current backlinks
+implementation, see [[bugs/backlinks onhover thing can go weird]]):
+
+[[!map pages="link(users/Jon)"]]

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index 958bd54..62064e0 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -52,6 +52,7 @@ Projects & Organizations
 * [Wetknee Books](http://www.wetknee.com/)
 * [IPOL Image Processing On Line](http://www.ipol.im)
 * [Debian Costa Rica](http://cr.debian.net/)
+* [Fvwm Wiki](http://fvwmwiki.xteddy.org)
 
 Personal sites and blogs
 ========================
@@ -138,7 +139,6 @@ Personal sites and blogs
 * [Backyard Deer](http://www.backyarddeer.com/)
 * [Alex Ghitza homepage and blog](http://aghitza.org/)
 * [Mukund's homepage](http://www.mukund.org/)
-* [Fvwm Wiki](http://fvwmwiki.xteddy.org)
 
 Please feel free to add your own ikiwiki site!
 

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index c9dea83..958bd54 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -138,6 +138,7 @@ Personal sites and blogs
 * [Backyard Deer](http://www.backyarddeer.com/)
 * [Alex Ghitza homepage and blog](http://aghitza.org/)
 * [Mukund's homepage](http://www.mukund.org/)
+* [Fvwm Wiki](http://fvwmwiki.xteddy.org)
 
 Please feel free to add your own ikiwiki site!