diff --git a/class2.php b/class2.php index ab6dd6045..454661f72 100644 --- a/class2.php +++ b/class2.php @@ -724,6 +724,7 @@ if (!class_exists('e107table', false)) function tablerender($caption, $text, $mode = 'default', $return = false) { + /* # Render style table # - parameter #1: string $caption, caption text @@ -1559,6 +1560,12 @@ function init_session() $currentUser['user_realname'] = $user->get('user_login'); // Used by force_userupdate $e107->currentUser = &$currentUser; + // if(defined('SETTHEME')) //override - within e_module for example. + // { + // $_POST['sitetheme'] = SETTHEME; + // $_POST['settheme'] = 1; + // } + // XXX could go to e_user class as well if ($user->checkClass(e107::getPref('allow_theme_select', false), false)) { // User can set own theme @@ -1595,9 +1602,11 @@ function init_session() ->save(false); } // XXX could go to e_user class as well END - - define('USERTHEME', ($user->getPref('sitetheme') && file_exists(e_THEME.$user->getPref('sitetheme')."/theme.php") ? $user->getPref('sitetheme') : false)); - + if(!defined("USERTHEME" )) + { + define('USERTHEME', ($user->getPref('sitetheme') && file_exists(e_THEME.$user->getPref('sitetheme')."/theme.php") ? $user->getPref('sitetheme') : false)); + } + $user_pref = $user->getPref(); } diff --git a/e107_core/bbcodes/link.bb b/e107_core/bbcodes/link.bb index 6b4bfee77..c1f4b8861 100644 --- a/e107_core/bbcodes/link.bb +++ b/e107_core/bbcodes/link.bb @@ -1,4 +1,5 @@ // $Id$ +//dataFilter(trim($parm),'link'); /* Fix for people using link=external= */ if(strpos($parm,"external=") !== FALSE) diff --git a/e107_handlers/e107_class.php b/e107_handlers/e107_class.php index e4962dbec..2e3b4f3ce 100644 --- a/e107_handlers/e107_class.php +++ b/e107_handlers/e107_class.php 
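Review bot: The six added lines in the init_session() hunk at @@ -1559 are commented-out code that would write `$_POST['sitetheme']` and `$_POST['settheme']` from a `SETTHEME` constant; dead code should be dropped from the commit rather than kept as a reminder, or reduced to a one-line comment such as `// TODO: allow an e_module to force the theme without going through the user-selectable branch below`. If the override is still planned, routing a trusted constant through `$_POST` makes it indistinguishable from user input to the `allow_theme_select` branch that follows, so an explicit local variable would be the safer shape. init_session() continues outside this hunk.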
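Review bot: The new `if(!defined("USERTHEME" ))` guard in the hunk at @@ -1595 means the `file_exists(e_THEME.$user->getPref('sitetheme')."/theme.php")` validation is applied only when nothing defined USERTHEME earlier; a value defined before init_session() runs is used as a theme directory name without that check. If the earlier definition can come from anywhere other than a hard-coded constant, the existence check should apply to it too; at minimum document the contract on the guard: `// USERTHEME may already be defined (e.g. by a module); the definer is then responsible for ensuring e_THEME.USERTHEME."/theme.php" exists`. Whether any such pre-definition exists is not visible from this diff. init_session() continues outside this hunk.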
@@ -2013,29 +2013,82 @@ class e107 * @param string $type array type _SESSION, _GET etc. * @return */ - public static function filter_request($input,$key,$type) + public static function filter_request($input,$key,$type,$base64=FALSE) { + if(is_string($input) && trim($input)=="") + { + return; + } + if (is_array($input)) { return array_walk($input, array('self', 'filter_request'), $type); } + + if($type == "_POST" || ($type == "_SERVER" && ($key == "QUERY_STRING"))) + { + if($type == "_POST" && ($base64 == FALSE)) + { + $input = preg_replace("/(\[code\])(.*?)(\[\/code\])/is","",$input); + } + + $regex = "/(document\.location|document\.write|base64_decode|chr|php_uname|fwrite|fopen|fputs|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo) *?\((.*) ?\;?/i"; + if(preg_match($regex,$input)) + { + header('HTTP/1.0 400 Bad Request', true, 400); + exit(); + } + + if(preg_match("/system *?\((.*);.*\)/i",$input)) + { + header('HTTP/1.0 400 Bad Request', true, 400); + exit(); + } + + $regex = "/(wget |curl -o |fetch |lwp-download|onmouse)/i"; + if(preg_match($regex,$input)) + { + header('HTTP/1.0 400 Bad Request', true, 400); + exit(); + } + + } + if($type == "_SERVER") { - if(($key == "QUERY_STRING") && strpos(strtolower($input),"=http")!==FALSE) + if(($key == "QUERY_STRING") && ( + strpos(strtolower($input),"../../")!==FALSE + || strpos(strtolower($input),"=http")!==FALSE + || strpos(strtolower($input),strtolower("http%3A%2F%2F"))!==FALSE + || strpos(strtolower($input),"php:")!==FALSE + || strpos(strtolower($input),"data:")!==FALSE + || strpos(strtolower($input),strtolower("%3Cscript"))!==FALSE + )) { + + header('HTTP/1.0 400 Bad Request', true, 400); exit(); } - + if(($key == "HTTP_USER_AGENT") && strpos($input,"libwww-perl")!==FALSE) { - exit(); + header('HTTP/1.0 400 Bad Request', true, 400); + exit(); } + + } - + 
 if(strpos(str_replace('.', '', $input), '22250738585072011') !== FALSE) // php-bug 53632
 {
+ header('HTTP/1.0 400 Bad Request', true, 400);
 exit();
+ }
+
+ if($base64 != TRUE)
+ {
+ self::filter_request(base64_decode($input),$key,$type,TRUE);
 }
 }
diff --git a/e107_handlers/e_parse_class.php b/e107_handlers/e_parse_class.php
index 0f0e2a54c..bec71794a 100644
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@@ -564,12 +564,14 @@ class e_parse
 * Checks a string for potentially dangerous HTML tags, including malformed tags
 *
 */
- public function dataFilter($data)
+ public function dataFilter($data,$mode='bbcode')
 {
 $ans = '';
- $vetWords = array('
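Review bot: The function-call blacklist's ` *?\(` after each name admits only literal spaces, so `exec\t(` or a newline between name and paren is not matched, and the alternatives carry no word boundary, so ordinary POST text such as "fetch the file" matches the `/(wget |curl -o |fetch |lwp-download|onmouse)/i` pattern and is answered with a silent 400. Tighten both in place, `$regex = "/\b(document\.location|…|phpinfo)\s*\((.*) ?\;?/i";` and `$regex = "/\b(wget |curl -o |fetch |lwp-download|onmouse)/i";`, and add a comment that `[code]…[/code]` blocks are deliberately stripped before these checks for `_POST`, so a payload wrapped in code tags is never inspected. The new `$base64` parameter is undocumented; add `@param bool $base64 TRUE when $input is already the base64-decoded form of an earlier call (internal recursion guard)` to the docblock, and consider recording the rejected key and pattern before each `header('HTTP/1.0 400 Bad Request', true, 400); exit();` pair so blocked requests are visible to operators (no logging is present in the hunk; whether the project has a logger is not visible from here). The five identical header-plus-exit blocks would also read better as one private static helper.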