40 files changed, 1115 insertions, 70 deletions

diff --git a/engine/classes/ElggAttributeLoader.php b/engine/classes/ElggAttributeLoader.php
index 0b770da75..ffc80b02d 100644
--- a/engine/classes/ElggAttributeLoader.php
+++ b/engine/classes/ElggAttributeLoader.php
@@ -4,7 +4,7 @@
  * Loads ElggEntity attributes from DB or validates those passed in via constructor
  *
  * @access private
- * 
+ *
  * @package    Elgg.Core
  * @subpackage DataModel
  */
@@ -69,7 +69,7 @@ class ElggAttributeLoader {
 
 	/**
 	 * Constructor
-	 * 
+	 *
 	 * @param string $class             class of object being loaded
 	 * @param string $required_type     entity type this is being used to populate
 	 * @param array  $initialized_attrs attributes after initializeAttributes() has been run
@@ -94,7 +94,7 @@ class ElggAttributeLoader {
 
 	/**
 	 * Get primary attributes missing that are missing
-	 * 
+	 *
 	 * @param stdClass $row Database row
 	 * @return array
 	 */
@@ -104,7 +104,7 @@ class ElggAttributeLoader {
 
 	/**
 	 * Get secondary attributes that are missing
-	 * 
+	 *
 	 * @param stdClass $row Database row
 	 * @return array
 	 */
@@ -114,7 +114,7 @@ class ElggAttributeLoader {
 
 	/**
 	 * Check that the type is correct
-	 * 
+	 *
 	 * @param stdClass $row Database row
 	 * @return void
 	 * @throws InvalidClassException
@@ -216,7 +216,7 @@ class ElggAttributeLoader {
 		// Note: If there are still missing attributes, we're running on a 1.7 or earlier schema. We let
 		// this pass so the upgrades can run.
 
-		// guid needs to be an int  http://trac.elgg.org/ticket/4111
+		// guid needs to be an int  https://github.com/elgg/elgg/issues/4111
 		$row['guid'] = (int) $row['guid'];
 
 		return $row;
diff --git a/engine/classes/ElggAutoP.php b/engine/classes/ElggAutoP.php
index 71536c433..05842d1b2 100644
--- a/engine/classes/ElggAutoP.php
+++ b/engine/classes/ElggAutoP.php
@@ -110,12 +110,19 @@ class ElggAutoP {
 		// http://www.php.net/manual/en/domdocument.loadhtml.php#95463
 		libxml_use_internal_errors(true);
 
+		// Do not load entities. May be unnecessary, better safe than sorry
+		$disable_load_entities = libxml_disable_entity_loader(true);
+
 		if (!$this->_doc->loadHTML("<html><meta http-equiv='content-type' " 
 				. "content='text/html; charset={$this->encoding}'><body>{$html}</body>"
 				. "</html>")) {
+
+			libxml_disable_entity_loader($disable_load_entities);
 			return false;
 		}
 
+		libxml_disable_entity_loader($disable_load_entities);
+
 		$this->_xpath = new DOMXPath($this->_doc);
 		// start processing recursively at the BODY element
 		$nodeList = $this->_xpath->query('//body[1]');
@@ -135,9 +142,16 @@ class ElggAutoP {
 
 		// re-parse so we can handle new AUTOP elements
 
+		// Do not load entities. May be unnecessary, better safe than sorry
+		$disable_load_entities = libxml_disable_entity_loader(true);
+
 		if (!$this->_doc->loadHTML($html)) {
+			libxml_disable_entity_loader($disable_load_entities);
 			return false;
 		}
+
+		libxml_disable_entity_loader($disable_load_entities);
+
 		// must re-create XPath object after DOM load
 		$this->_xpath = new DOMXPath($this->_doc);
 
diff --git a/engine/classes/ElggCrypto.php b/engine/classes/ElggCrypto.php
new file mode 100644
index 000000000..317d371e4
--- /dev/null
+++ b/engine/classes/ElggCrypto.php
@@ -0,0 +1,208 @@
+<?php
+/**
+ * ElggCrypto
+ *
+ * @package    Elgg.Core
+ * @subpackage Crypto
+ *
+ * @access private
+ */
+class ElggCrypto {
+
+	/**
+	 * Character set for temp passwords (no risk of embedded profanity/glyphs that look similar)
+	 */
+	const CHARS_PASSWORD = 'bcdfghjklmnpqrstvwxyz2346789';
+
+	/**
+	 * Generate a string of highly randomized bytes (over the full 8-bit range).
+	 *
+	 * @param int $length Number of bytes needed
+	 * @return string Random bytes
+	 *
+	 * @author George Argyros <argyros.george@gmail.com>
+	 * @copyright 2012, George Argyros. All rights reserved.
+	 * @license Modified BSD
+	 * @link https://github.com/GeorgeArgyros/Secure-random-bytes-in-PHP/blob/master/srand.php Original
+	 *
+	 * Redistribution and use in source and binary forms, with or without
+	 * modification, are permitted provided that the following conditions are met:
+	 *    * Redistributions of source code must retain the above copyright
+	 *      notice, this list of conditions and the following disclaimer.
+	 *    * Redistributions in binary form must reproduce the above copyright
+	 *      notice, this list of conditions and the following disclaimer in the
+	 *      documentation and/or other materials provided with the distribution.
+	 *    * Neither the name of the <organization> nor the
+	 *      names of its contributors may be used to endorse or promote products
+	 *      derived from this software without specific prior written permission.
+	 *
+	 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+	 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+	 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+	 * DISCLAIMED. IN NO EVENT SHALL GEORGE ARGYROS BE LIABLE FOR ANY
+	 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+	 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+	 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+	 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+	 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+	 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+	 */
+	public function getRandomBytes($length) {
+		/**
+		 * Our primary choice for a cryptographic strong randomness function is
+		 * openssl_random_pseudo_bytes.
+		 */
+		$SSLstr = '4'; // http://xkcd.com/221/
+		if (function_exists('openssl_random_pseudo_bytes')
+				&& (version_compare(PHP_VERSION, '5.3.4') >= 0 || substr(PHP_OS, 0, 3) !== 'WIN')) {
+			$SSLstr = openssl_random_pseudo_bytes($length, $strong);
+			if ($strong) {
+				return $SSLstr;
+			}
+		}
+
+		/**
+		 * If mcrypt extension is available then we use it to gather entropy from
+		 * the operating system's PRNG. This is better than reading /dev/urandom
+		 * directly since it avoids reading larger blocks of data than needed.
+		 * Older versions of mcrypt_create_iv may be broken or take too much time
+		 * to finish so we only use this function with PHP 5.3.7 and above.
+		 * @see https://bugs.php.net/bug.php?id=55169
+		 */
+		if (function_exists('mcrypt_create_iv')
+				&& (version_compare(PHP_VERSION, '5.3.7') >= 0 || substr(PHP_OS, 0, 3) !== 'WIN')) {
+			$str = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
+			if ($str !== false) {
+				return $str;
+			}
+		}
+
+		/**
+		 * No build-in crypto randomness function found. We collect any entropy
+		 * available in the PHP core PRNGs along with some filesystem info and memory
+		 * stats. To make this data cryptographically strong we add data either from
+		 * /dev/urandom or if its unavailable, we gather entropy by measuring the
+		 * time needed to compute a number of SHA-1 hashes.
+		 */
+		$str = '';
+		$bits_per_round = 2; // bits of entropy collected in each clock drift round
+		$msec_per_round = 400; // expected running time of each round in microseconds
+		$hash_len = 20; // SHA-1 Hash length
+		$total = $length; // total bytes of entropy to collect
+
+		$handle = @fopen('/dev/urandom', 'rb');
+		if ($handle && function_exists('stream_set_read_buffer')) {
+			@stream_set_read_buffer($handle, 0);
+		}
+
+		do {
+			$bytes = ($total > $hash_len) ? $hash_len : $total;
+			$total -= $bytes;
+
+			//collect any entropy available from the PHP system and filesystem
+			$entropy = rand() . uniqid(mt_rand(), true) . $SSLstr;
+			$entropy .= implode('', @fstat(@fopen(__FILE__, 'r')));
+			$entropy .= memory_get_usage() . getmypid();
+			$entropy .= serialize($_ENV) . serialize($_SERVER);
+			if (function_exists('posix_times')) {
+				$entropy .= serialize(posix_times());
+			}
+			if (function_exists('zend_thread_id')) {
+				$entropy .= zend_thread_id();
+			}
+
+			if ($handle) {
+				$entropy .= @fread($handle, $bytes);
+			} else {
+				// Measure the time that the operations will take on average
+				for ($i = 0; $i < 3; $i++) {
+					$c1 = microtime(true);
+					$var = sha1(mt_rand());
+					for ($j = 0; $j < 50; $j++) {
+						$var = sha1($var);
+					}
+					$c2 = microtime(true);
+					$entropy .= $c1 . $c2;
+				}
+
+				// Based on the above measurement determine the total rounds
+				// in order to bound the total running time.
+				$rounds = (int) ($msec_per_round * 50 / (int) (($c2 - $c1) * 1000000));
+
+				// Take the additional measurements. On average we can expect
+				// at least $bits_per_round bits of entropy from each measurement.
+				$iter = $bytes * (int) (ceil(8 / $bits_per_round));
+
+				for ($i = 0; $i < $iter; $i++) {
+					$c1 = microtime();
+					$var = sha1(mt_rand());
+					for ($j = 0; $j < $rounds; $j++) {
+						$var = sha1($var);
+					}
+					$c2 = microtime();
+					$entropy .= $c1 . $c2;
+				}
+			}
+
+			// We assume sha1 is a deterministic extractor for the $entropy variable.
+			$str .= sha1($entropy, true);
+
+		} while ($length > strlen($str));
+
+		if ($handle) {
+			@fclose($handle);
+		}
+
+		return substr($str, 0, $length);
+	}
+
+	/**
+	 * Generate a random string of specified length.
+	 *
+	 * Uses supplied character list for generating the new string.
+	 * If no character list provided - uses Base64 URL character set.
+	 *
+	 * @param int         $length Desired length of the string
+	 * @param string|null $chars  Characters to be chosen from randomly. If not given, the Base64 URL
+	 *                            charset will be used.
+	 *
+	 * @return string The random string
+	 *
+	 * @throws InvalidArgumentException
+	 *
+	 * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
+	 * @license   http://framework.zend.com/license/new-bsd New BSD License
+	 *
+	 * @see https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L179
+	 */
+	public static function getRandomString($length, $chars = null) {
+		if ($length < 1) {
+			throw new InvalidArgumentException('Length should be >= 1');
+		}
+
+		if (empty($chars)) {
+			$numBytes = ceil($length * 0.75);
+			$bytes    = self::getRandomBytes($numBytes);
+			$string = substr(rtrim(base64_encode($bytes), '='), 0, $length);
+
+			// Base64 URL
+			return strtr($string, '+/', '-_');
+		}
+
+		$listLen = strlen($chars);
+
+		if ($listLen == 1) {
+			return str_repeat($chars, $length);
+		}
+
+		$bytes  = self::getRandomBytes($length);
+		$pos    = 0;
+		$result = '';
+		for ($i = 0; $i < $length; $i++) {
+			$pos     = ($pos + ord($bytes[$i])) % $listLen;
+			$result .= $chars[$pos];
+		}
+
+		return $result;
+	}
+}
diff --git a/engine/classes/ElggEntity.php b/engine/classes/ElggEntity.php
index dd1c7c114..a563f6fad 100644
--- a/engine/classes/ElggEntity.php
+++ b/engine/classes/ElggEntity.php
@@ -24,7 +24,7 @@
  *
  * @package    Elgg.Core
  * @subpackage DataModel.Entities
- * 
+ *
  * @property string $type           object, user, group, or site (read-only after save)
  * @property string $subtype        Further clarifies the nature of the entity (read-only after save)
  * @property int    $guid           The unique identifier for this entity (read only)
@@ -352,8 +352,8 @@ abstract class ElggEntity extends ElggData implements
 					'limit' => 0
 				);
 				// @todo in 1.9 make this return false if can't add metadata
-				// http://trac.elgg.org/ticket/4520
-				// 
+				// https://github.com/elgg/elgg/issues/4520
+				//
 				// need to remove access restrictions right now to delete
 				// because this is the expected behavior
 				$ia = elgg_set_ignore_access(true);
@@ -379,7 +379,7 @@ abstract class ElggEntity extends ElggData implements
 			// unsaved entity. store in temp array
 			// returning single entries instead of an array of 1 element is decided in
 			// getMetaData(), just like pulling from the db.
-			// 
+			//
 			// if overwrite, delete first
 			if (!$multiple || !isset($this->temp_metadata[$name])) {
 				$this->temp_metadata[$name] = array();
@@ -964,7 +964,7 @@ abstract class ElggEntity extends ElggData implements
 	 *
 	 * @tip Can be overridden by registering for the permissions_check:comment,
 	 * <entity type> plugin hook.
-	 * 
+	 *
 	 * @param int $user_guid User guid (default is logged in user)
 	 *
 	 * @return bool
@@ -1365,7 +1365,7 @@ abstract class ElggEntity extends ElggData implements
 				$this->attributes['tables_loaded']++;
 			}
 
-			// guid needs to be an int  http://trac.elgg.org/ticket/4111
+			// guid needs to be an int  https://github.com/elgg/elgg/issues/4111
 			$this->attributes['guid'] = (int)$this->attributes['guid'];
 
 			// Cache object handle
diff --git a/engine/classes/ElggMenuBuilder.php b/engine/classes/ElggMenuBuilder.php
index 276cb6b2c..b463143d8 100644
--- a/engine/classes/ElggMenuBuilder.php
+++ b/engine/classes/ElggMenuBuilder.php
@@ -165,7 +165,7 @@ class ElggMenuBuilder {
 		// scan looking for a selected item
 		foreach ($this->menu as $menu_item) {
 			if ($menu_item->getHref()) {
-				if (elgg_http_url_is_identical(full_url(), $menu_item->getHref())) {
+				if (elgg_http_url_is_identical(current_page_url(), $menu_item->getHref())) {
 					$menu_item->setSelected(true);
 					return $menu_item;
 				}
diff --git a/engine/classes/ElggPlugin.php b/engine/classes/ElggPlugin.php
index 7bf6eb1df..545b9a53c 100644
--- a/engine/classes/ElggPlugin.php
+++ b/engine/classes/ElggPlugin.php
@@ -299,17 +299,15 @@ class ElggPlugin extends ElggObject {
 
 		$private_settings = get_data($q);
 
-		if ($private_settings) {
-			$return = array();
+		$return = array();
 
+		if ($private_settings) {
 			foreach ($private_settings as $setting) {
 				$return[$setting->name] = $setting->value;
 			}
-
-			return $return;
 		}
 
-		return false;
+		return $return;
 	}
 
 	/**
@@ -423,20 +421,18 @@ class ElggPlugin extends ElggObject {
 
 		$private_settings = get_data($q);
 
-		if ($private_settings) {
-			$return = array();
+		$return = array();
 
+		if ($private_settings) {
 			foreach ($private_settings as $setting) {
 				$name = substr($setting->name, $ps_prefix_len);
 				$value = $setting->value;
 
 				$return[$name] = $value;
 			}
-
-			return $return;
 		}
 
-		return false;
+		return $return;
 	}
 
 	/**
diff --git a/engine/classes/ElggWidget.php b/engine/classes/ElggWidget.php
index c123e5032..66191bf47 100644
--- a/engine/classes/ElggWidget.php
+++ b/engine/classes/ElggWidget.php
@@ -146,10 +146,15 @@ class ElggWidget extends ElggObject {
 			}
 		}
 
+		$bottom_rank = count($widgets);
+		if ($column == $this->column) {
+			$bottom_rank--;
+		}
+		
 		if ($rank == 0) {
 			// top of the column
 			$this->order = reset($widgets)->order - 10;
-		} elseif ($rank == (count($widgets) - 1)) {
+		} elseif ($rank == $bottom_rank) {
 			// bottom of the column of active widgets
 			$this->order = end($widgets)->order + 10;
 		} else {
diff --git a/engine/classes/ElggXMLElement.php b/engine/classes/ElggXMLElement.php
index 6f2633e25..cbd3fc5ce 100644
--- a/engine/classes/ElggXMLElement.php
+++ b/engine/classes/ElggXMLElement.php
@@ -20,7 +20,12 @@ class ElggXMLElement {
 		if ($xml instanceof SimpleXMLElement) {
 			$this->_element = $xml;
 		} else {
+			// do not load entities
+			$disable_load_entities = libxml_disable_entity_loader(true);
+
 			$this->_element = new SimpleXMLElement($xml);
+
+			libxml_disable_entity_loader($disable_load_entities);
 		}
 	}
 
@@ -123,5 +128,4 @@ class ElggXMLElement {
 		}
 		return false;
 	}
-
-}
\ No newline at end of file
+}
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 56936f582..8047914ac 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -364,16 +364,19 @@ function generate_action_token($timestamp) {
 }
 
 /**
- * Initialise the site secret hash.
+ * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL).
  *
  * Used during installation and saves as a datalist.
  *
+ * Note: Old secrets were hex encoded.
+ *
  * @return mixed The site secret hash or false
  * @access private
  * @todo Move to better file.
  */
 function init_site_secret() {
-	$secret = md5(rand() . microtime());
+	$secret = 'z' . ElggCrypto::getRandomString(31);
+
 	if (datalist_set('__site_secret__', $secret)) {
 		return $secret;
 	}
@@ -400,6 +403,26 @@ function get_site_secret() {
 }
 
 /**
+ * Get the strength of the site secret
+ *
+ * @return string "strong", "moderate", or "weak"
+ * @access private
+ */
+function _elgg_get_site_secret_strength() {
+	$secret = get_site_secret();
+	if ($secret[0] !== 'z') {
+		$rand_max = getrandmax();
+		if ($rand_max < pow(2, 16)) {
+			return 'weak';
+		}
+		if ($rand_max < pow(2, 32)) {
+			return 'moderate';
+		}
+	}
+	return 'strong';
+}
+
+/**
  * Check if an action is registered and its script exists.
  *
  * @param string $action Action name
diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index 7f82108c0..f36f29668 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -236,6 +236,7 @@ function admin_init() {
 	elgg_register_action('admin/site/update_advanced', '', 'admin');
 	elgg_register_action('admin/site/flush_cache', '', 'admin');
 	elgg_register_action('admin/site/unlock_upgrade', '', 'admin');
+	elgg_register_action('admin/site/regenerate_secret', '', 'admin');
 
 	elgg_register_action('admin/menu/save', '', 'admin');
 
@@ -291,6 +292,7 @@ function admin_init() {
 	elgg_register_admin_menu_item('configure', 'settings', null, 100);
 	elgg_register_admin_menu_item('configure', 'basic', 'settings', 10);
 	elgg_register_admin_menu_item('configure', 'advanced', 'settings', 20);
+	elgg_register_admin_menu_item('configure', 'advanced/site_secret', 'settings', 25);
 	elgg_register_admin_menu_item('configure', 'menu_items', 'appearance', 30);
 	elgg_register_admin_menu_item('configure', 'profile_fields', 'appearance', 40);
 	// default widgets is added via an event handler elgg_default_widgets_init() in widgets.php
diff --git a/engine/lib/annotations.php b/engine/lib/annotations.php
index 124e67e0f..5e9b530de 100644
--- a/engine/lib/annotations.php
+++ b/engine/lib/annotations.php
@@ -249,9 +249,13 @@ function elgg_disable_annotations(array $options) {
 	if (!elgg_is_valid_options_for_batch_operation($options, 'annotations')) {
 		return false;
 	}
+	
+	// if we can see hidden (disabled) we need to use the offset
+	// otherwise we risk an infinite loop if there are more than 50
+	$inc_offset = access_get_show_hidden_status();
 
 	$options['metastring_type'] = 'annotations';
-	return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', false);
+	return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', $inc_offset);
 }
 
 /**
diff --git a/engine/lib/database.php b/engine/lib/database.php
index 37dfb8f8d..a7949788d 100644
--- a/engine/lib/database.php
+++ b/engine/lib/database.php
@@ -129,7 +129,7 @@ function establish_db_link($dblinkname = "readwrite") {
 	// Set up cache if global not initialized and query cache not turned off
 	if ((!$DB_QUERY_CACHE) && (!$db_cache_off)) {
 		// @todo if we keep this cache in 1.9, expose the size as a config parameter
-		$DB_QUERY_CACHE = new ElggLRUCache(200);		
+		$DB_QUERY_CACHE = new ElggLRUCache(200);
 	}
 }
 
@@ -399,14 +399,14 @@ function elgg_query_runner($query, $callback = null, $single = false) {
 
 	// Since we want to cache results of running the callback, we need to
 	// need to namespace the query with the callback and single result request.
-	// http://trac.elgg.org/ticket/4049
+	// https://github.com/elgg/elgg/issues/4049
 	$hash = (string)$callback . (int)$single . $query;
 
 	// Is cached?
 	if ($DB_QUERY_CACHE) {
 		if (isset($DB_QUERY_CACHE[$hash])) {
 			elgg_log("DB query $query results returned from cache (hash: $hash)", 'NOTICE');
-			return $DB_QUERY_CACHE[$hash];			
+			return $DB_QUERY_CACHE[$hash];
 		}
 	}
 
@@ -524,7 +524,7 @@ function delete_data($query) {
 
 /**
  * Invalidate the query cache
- * 
+ *
  * @access private
  */
 function _elgg_invalidate_query_cache() {
@@ -533,7 +533,7 @@ function _elgg_invalidate_query_cache() {
 		$DB_QUERY_CACHE->clear();
 		elgg_log("Query cache invalidated", 'NOTICE');
 	} elseif ($DB_QUERY_CACHE) {
-		// In case someone sets the cache to an array and primes it with data 
+		// In case someone sets the cache to an array and primes it with data
 		$DB_QUERY_CACHE = array();
 		elgg_log("Query cache invalidated", 'NOTICE');
 	}
@@ -668,7 +668,7 @@ function run_sql_script($scriptlocation) {
 
 /**
  * Format a query string for logging
- * 
+ *
  * @param string $query Query string
  * @return string
  * @access private
diff --git a/engine/lib/deprecated-1.7.php b/engine/lib/deprecated-1.7.php
index 519eea89d..ee95b5611 100644
--- a/engine/lib/deprecated-1.7.php
+++ b/engine/lib/deprecated-1.7.php
@@ -1137,6 +1137,7 @@ function make_register_object($register_name, $register_value, $children_array =
  * @param int $guid GUID
  *
  * @return 1
+ * @deprecated 1.7
  */
 function delete_object_entity($guid) {
 	system_message(elgg_echo('deprecatedfunction', array('delete_user_entity')));
@@ -1154,6 +1155,7 @@ function delete_object_entity($guid) {
  * @param int $guid User GUID
  *
  * @return 1
+ * @deprecated 1.7
  */
 function delete_user_entity($guid) {
 	system_message(elgg_echo('deprecatedfunction', array('delete_user_entity')));
diff --git a/engine/lib/deprecated-1.8.php b/engine/lib/deprecated-1.8.php
index 6aa42a81d..91068d047 100644
--- a/engine/lib/deprecated-1.8.php
+++ b/engine/lib/deprecated-1.8.php
@@ -3414,6 +3414,7 @@ function list_annotations($entity_guid, $name = "", $limit = 25, $asc = true) {
  * @param unknown_type $timeupper
  * @param unknown_type $calculation
  * @internal Don't use this at all.
+ * @deprecated 1.8 Use elgg_get_annotations()
  */
 function elgg_deprecated_annotation_calculation($entity_guid = 0, $entity_type = "", $entity_subtype = "",
 $name = "", $value = "", $value_type = "", $owner_guid = 0, $timelower = 0,
@@ -4667,6 +4668,7 @@ function display_widget(ElggObject $widget) {
  *
  * @param ElggEntity $entity
  * @return int Number of comments
+ * @deprecated 1.8 Use ElggEntity->countComments()
  */
 function elgg_count_comments($entity) {
 	elgg_deprecated_notice('elgg_count_comments() is deprecated by ElggEntity->countComments()', 1.8);
diff --git a/engine/lib/deprecated-1.9.php b/engine/lib/deprecated-1.9.php
new file mode 100644
index 000000000..31d03428f
--- /dev/null
+++ b/engine/lib/deprecated-1.9.php
@@ -0,0 +1,582 @@
+<?php
+/**
+ * Return a timestamp for the start of a given day (defaults today).
+ *
+ * @param int $day   Day
+ * @param int $month Month
+ * @param int $year  Year
+ *
+ * @return int
+ * @access private
+ * @deprecated 1.9
+ */
+function get_day_start($day = null, $month = null, $year = null) {
+	elgg_deprecated_notice('get_day_start() has been deprecated', 1.9);
+	return mktime(0, 0, 0, $month, $day, $year);
+}
+
+/**
+ * Return a timestamp for the end of a given day (defaults today).
+ *
+ * @param int $day   Day
+ * @param int $month Month
+ * @param int $year  Year
+ *
+ * @return int
+ * @access private
+ * @deprecated 1.9
+ */
+function get_day_end($day = null, $month = null, $year = null) {
+	elgg_deprecated_notice('get_day_end() has been deprecated', 1.9);
+	return mktime(23, 59, 59, $month, $day, $year);
+}
+
+/**
+ * Return the notable entities for a given time period.
+ *
+ * @param int     $start_time     The start time as a unix timestamp.
+ * @param int     $end_time       The end time as a unix timestamp.
+ * @param string  $type           The type of entity (eg "user", "object" etc)
+ * @param string  $subtype        The arbitrary subtype of the entity
+ * @param int     $owner_guid     The GUID of the owning user
+ * @param string  $order_by       The field to order by; by default, time_created desc
+ * @param int     $limit          The number of entities to return; 10 by default
+ * @param int     $offset         The indexing offset, 0 by default
+ * @param boolean $count          Set to true to get a count instead of entities. Defaults to false.
+ * @param int     $site_guid      Site to get entities for. Default 0 = current site. -1 = any.
+ * @param mixed   $container_guid Container or containers to get entities from (default: any).
+ *
+ * @return array|false
+ * @access private
+ * @deprecated 1.9
+ */
+function get_notable_entities($start_time, $end_time, $type = "", $subtype = "", $owner_guid = 0,
+$order_by = "asc", $limit = 10, $offset = 0, $count = false, $site_guid = 0,
+$container_guid = null) {
+	elgg_deprecated_notice('get_notable_entities() has been deprecated', 1.9);
+	global $CONFIG;
+
+	if ($subtype === false || $subtype === null || $subtype === 0) {
+		return false;
+	}
+
+	$start_time = (int)$start_time;
+	$end_time = (int)$end_time;
+	$order_by = sanitise_string($order_by);
+	$limit = (int)$limit;
+	$offset = (int)$offset;
+	$site_guid = (int) $site_guid;
+	if ($site_guid == 0) {
+		$site_guid = $CONFIG->site_guid;
+	}
+
+	$where = array();
+
+	if (is_array($type)) {
+		$tempwhere = "";
+		if (sizeof($type)) {
+			foreach ($type as $typekey => $subtypearray) {
+				foreach ($subtypearray as $subtypeval) {
+					$typekey = sanitise_string($typekey);
+					if (!empty($subtypeval)) {
+						$subtypeval = (int) get_subtype_id($typekey, $subtypeval);
+					} else {
+						$subtypeval = 0;
+					}
+					if (!empty($tempwhere)) {
+						$tempwhere .= " or ";
+					}
+					$tempwhere .= "(e.type = '{$typekey}' and e.subtype = {$subtypeval})";
+				}
+			}
+		}
+		if (!empty($tempwhere)) {
+			$where[] = "({$tempwhere})";
+		}
+	} else {
+		$type = sanitise_string($type);
+		$subtype = get_subtype_id($type, $subtype);
+
+		if ($type != "") {
+			$where[] = "e.type='$type'";
+		}
+
+		if ($subtype !== "") {
+			$where[] = "e.subtype=$subtype";
+		}
+	}
+
+	if ($owner_guid != "") {
+		if (!is_array($owner_guid)) {
+			$owner_array = array($owner_guid);
+			$owner_guid = (int) $owner_guid;
+			$where[] = "e.owner_guid = '$owner_guid'";
+		} else if (sizeof($owner_guid) > 0) {
+			$owner_array = array_map('sanitise_int', $owner_guid);
+			// Cast every element to the owner_guid array to int
+			$owner_guid = implode(",", $owner_guid);
+			$where[] = "e.owner_guid in ({$owner_guid})";
+		}
+		if (is_null($container_guid)) {
+			$container_guid = $owner_array;
+		}
+	}
+
+	if ($site_guid > 0) {
+		$where[] = "e.site_guid = {$site_guid}";
+	}
+
+	if (!is_null($container_guid)) {
+		if (is_array($container_guid)) {
+			foreach ($container_guid as $key => $val) {
+				$container_guid[$key] = (int) $val;
+			}
+			$where[] = "e.container_guid in (" . implode(",", $container_guid) . ")";
+		} else {
+			$container_guid = (int) $container_guid;
+			$where[] = "e.container_guid = {$container_guid}";
+		}
+	}
+
+	// Add the calendar stuff
+	$cal_join = "
+		JOIN {$CONFIG->dbprefix}metadata cal_start on e.guid=cal_start.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_name on cal_start.name_id=cal_start_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_value on cal_start.value_id=cal_start_value.id
+
+		JOIN {$CONFIG->dbprefix}metadata cal_end on e.guid=cal_end.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_name on cal_end.name_id=cal_end_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_value on cal_end.value_id=cal_end_value.id
+	";
+	$where[] = "cal_start_name.string='calendar_start'";
+	$where[] = "cal_start_value.string>=$start_time";
+	$where[] = "cal_end_name.string='calendar_end'";
+	$where[] = "cal_end_value.string <= $end_time";
+
+
+	if (!$count) {
+		$query = "SELECT e.* from {$CONFIG->dbprefix}entities e $cal_join where ";
+	} else {
+		$query = "SELECT count(e.guid) as total from {$CONFIG->dbprefix}entities e $cal_join where ";
+	}
+	foreach ($where as $w) {
+		$query .= " $w and ";
+	}
+
+	$query .= get_access_sql_suffix('e'); // Add access controls
+
+	if (!$count) {
+		$query .= " order by n.calendar_start $order_by";
+		// Add order and limit
+		if ($limit) {
+			$query .= " limit $offset, $limit";
+		}
+		$dt = get_data($query, "entity_row_to_elggstar");
+
+		return $dt;
+	} else {
+		$total = get_data_row($query);
+		return $total->total;
+	}
+}
+
+/**
+ * Return the notable entities for a given time period based on an item of metadata.
+ *
+ * @param int    $start_time     The start time as a unix timestamp.
+ * @param int    $end_time       The end time as a unix timestamp.
+ * @param mixed  $meta_name      Metadata name
+ * @param mixed  $meta_value     Metadata value
+ * @param string $entity_type    The type of entity to look for, eg 'site' or 'object'
+ * @param string $entity_subtype The subtype of the entity.
+ * @param int    $owner_guid     Owner GUID
+ * @param int    $limit          Limit
+ * @param int    $offset         Offset
+ * @param string $order_by       Optional ordering.
+ * @param int    $site_guid      Site to get entities for. Default 0 = current site. -1 = any.
+ * @param bool   $count          If true, returns count instead of entities. (Default: false)
+ *
+ * @return int|array A list of entities, or a count if $count is set to true
+ * @access private
+ * @deprecated 1.9
+ */
+function get_notable_entities_from_metadata($start_time, $end_time, $meta_name, $meta_value = "",
+$entity_type = "", $entity_subtype = "", $owner_guid = 0, $limit = 10, $offset = 0, $order_by = "",
+$site_guid = 0, $count = false) {
+	elgg_deprecated_notice('get_notable_entities_from_metadata() has been deprecated', 1.9);
+
+	global $CONFIG;
+
+	$meta_n = get_metastring_id($meta_name);
+	$meta_v = get_metastring_id($meta_value);
+
+	$start_time = (int)$start_time;
+	$end_time = (int)$end_time;
+	$entity_type = sanitise_string($entity_type);
+	$entity_subtype = get_subtype_id($entity_type, $entity_subtype);
+	$limit = (int)$limit;
+	$offset = (int)$offset;
+	if ($order_by == "") {
+		$order_by = "e.time_created desc";
+	}
+	$order_by = sanitise_string($order_by);
+	$site_guid = (int) $site_guid;
+	if ((is_array($owner_guid) && (count($owner_guid)))) {
+		foreach ($owner_guid as $key => $guid) {
+			$owner_guid[$key] = (int) $guid;
+		}
+	} else {
+		$owner_guid = (int) $owner_guid;
+	}
+
+	if ($site_guid == 0) {
+		$site_guid = $CONFIG->site_guid;
+	}
+
+	//$access = get_access_list();
+
+	$where = array();
+
+	if ($entity_type != "") {
+		$where[] = "e.type='$entity_type'";
+	}
+
+	if ($entity_subtype) {
+		$where[] = "e.subtype=$entity_subtype";
+	}
+
+	if ($meta_name != "") {
+		$where[] = "m.name_id='$meta_n'";
+	}
+
+	if ($meta_value != "") {
+		$where[] = "m.value_id='$meta_v'";
+	}
+
+	if ($site_guid > 0) {
+		$where[] = "e.site_guid = {$site_guid}";
+	}
+
+	if (is_array($owner_guid)) {
+		$where[] = "e.container_guid in (" . implode(",", $owner_guid) . ")";
+	} else if ($owner_guid > 0) {
+		$where[] = "e.container_guid = {$owner_guid}";
+	}
+
+	// Add the calendar stuff
+	$cal_join = "
+		JOIN {$CONFIG->dbprefix}metadata cal_start on e.guid=cal_start.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_name on cal_start.name_id=cal_start_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_value on cal_start.value_id=cal_start_value.id
+
+		JOIN {$CONFIG->dbprefix}metadata cal_end on e.guid=cal_end.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_name on cal_end.name_id=cal_end_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_value on cal_end.value_id=cal_end_value.id
+	";
+
+	$where[] = "cal_start_name.string='calendar_start'";
+	$where[] = "cal_start_value.string>=$start_time";
+	$where[] = "cal_end_name.string='calendar_end'";
+	$where[] = "cal_end_value.string <= $end_time";
+
+	if (!$count) {
+		$query = "SELECT distinct e.* ";
+	} else {
+		$query = "SELECT count(distinct e.guid) as total ";
+	}
+
+	$query .= "from {$CONFIG->dbprefix}entities e"
+	. " JOIN {$CONFIG->dbprefix}metadata m on e.guid = m.entity_guid $cal_join where";
+
+	foreach ($where as $w) {
+		$query .= " $w and ";
+	}
+
+	// Add access controls
+	$query .= get_access_sql_suffix("e");
+	$query .= ' and ' . get_access_sql_suffix("m");
+
+	if (!$count) {
+		// Add order and limit
+		$query .= " order by $order_by limit $offset, $limit";
+		return get_data($query, "entity_row_to_elggstar");
+	} else {
+		if ($row = get_data_row($query)) {
+			return $row->total;
+		}
+	}
+
+	return false;
+}
+
+/**
+ * Return the notable entities for a given time period based on their relationship.
+ *
+ * @param int     $start_time           The start time as a unix timestamp.
+ * @param int     $end_time             The end time as a unix timestamp.
+ * @param string  $relationship         The relationship eg "friends_of"
+ * @param int     $relationship_guid    The guid of the entity to use query
+ * @param bool    $inverse_relationship Reverse the normal function of the query to say
+ *                                      "give me all entities for whom $relationship_guid is a
+ *                                      $relationship of"
+ * @param string  $type                 Entity type
+ * @param string  $subtype              Entity subtype
+ * @param int     $owner_guid           Owner GUID
+ * @param string  $order_by             Optional Order by
+ * @param int     $limit                Limit
+ * @param int     $offset               Offset
+ * @param boolean $count                If true returns a count of entities (default false)
+ * @param int     $site_guid            Site to get entities for. Default 0 = current site. -1 = any
+ *
+ * @return array|int|false An array of entities, or the number of entities, or false on failure
+ * @access private
+ * @deprecated 1.9
+ */
+function get_noteable_entities_from_relationship($start_time, $end_time, $relationship,
+$relationship_guid, $inverse_relationship = false, $type = "", $subtype = "", $owner_guid = 0,
+$order_by = "", $limit = 10, $offset = 0, $count = false, $site_guid = 0) {
+	elgg_deprecated_notice('get_noteable_entities_from_relationship() has been deprecated', 1.9);
+
+	global $CONFIG;
+
+	$start_time = (int)$start_time;
+	$end_time = (int)$end_time;
+	$relationship = sanitise_string($relationship);
+	$relationship_guid = (int)$relationship_guid;
+	$inverse_relationship = (bool)$inverse_relationship;
+	$type = sanitise_string($type);
+	$subtype = get_subtype_id($type, $subtype);
+	$owner_guid = (int)$owner_guid;
+	if ($order_by == "") {
+		$order_by = "time_created desc";
+	}
+	$order_by = sanitise_string($order_by);
+	$limit = (int)$limit;
+	$offset = (int)$offset;
+	$site_guid = (int) $site_guid;
+	if ($site_guid == 0) {
+		$site_guid = $CONFIG->site_guid;
+	}
+
+	//$access = get_access_list();
+
+	$where = array();
+
+	if ($relationship != "") {
+		$where[] = "r.relationship='$relationship'";
+	}
+	if ($relationship_guid) {
+		$where[] = $inverse_relationship ?
+			"r.guid_two='$relationship_guid'" : "r.guid_one='$relationship_guid'";
+	}
+	if ($type != "") {
+		$where[] = "e.type='$type'";
+	}
+	if ($subtype) {
+		$where[] = "e.subtype=$subtype";
+	}
+	if ($owner_guid != "") {
+		$where[] = "e.container_guid='$owner_guid'";
+	}
+	if ($site_guid > 0) {
+		$where[] = "e.site_guid = {$site_guid}";
+	}
+
+	// Add the calendar stuff
+	$cal_join = "
+		JOIN {$CONFIG->dbprefix}metadata cal_start on e.guid=cal_start.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_name on cal_start.name_id=cal_start_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_start_value on cal_start.value_id=cal_start_value.id
+
+		JOIN {$CONFIG->dbprefix}metadata cal_end on e.guid=cal_end.entity_guid
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_name on cal_end.name_id=cal_end_name.id
+		JOIN {$CONFIG->dbprefix}metastrings cal_end_value on cal_end.value_id=cal_end_value.id
+	";
+	$where[] = "cal_start_name.string='calendar_start'";
+	$where[] = "cal_start_value.string>=$start_time";
+	$where[] = "cal_end_name.string='calendar_end'";
+	$where[] = "cal_end_value.string <= $end_time";
+
+	// Select what we're joining based on the options
+	$joinon = "e.guid = r.guid_one";
+	if (!$inverse_relationship) {
+		$joinon = "e.guid = r.guid_two";
+	}
+
+	if ($count) {
+		$query = "SELECT count(distinct e.guid) as total ";
+	} else {
+		$query = "SELECT distinct e.* ";
+	}
+	$query .= " from {$CONFIG->dbprefix}entity_relationships r"
+	. " JOIN {$CONFIG->dbprefix}entities e on $joinon $cal_join where ";
+
+	foreach ($where as $w) {
+		$query .= " $w and ";
+	}
+	// Add access controls
+	$query .= get_access_sql_suffix("e");
+	if (!$count) {
+		$query .= " order by $order_by limit $offset, $limit"; // Add order and limit
+		return get_data($query, "entity_row_to_elggstar");
+	} else {
+		if ($count = get_data_row($query)) {
+			return $count->total;
+		}
+	}
+	return false;
+}
+
+/**
+ * Get all entities for today.
+ *
+ * @param string  $type           The type of entity (eg "user", "object" etc)
+ * @param string  $subtype        The arbitrary subtype of the entity
+ * @param int     $owner_guid     The GUID of the owning user
+ * @param string  $order_by       The field to order by; by default, time_created desc
+ * @param int     $limit          The number of entities to return; 10 by default
+ * @param int     $offset         The indexing offset, 0 by default
+ * @param boolean $count          If true returns a count of entities (default false)
+ * @param int     $site_guid      Site to get entities for. Default 0 = current site. -1 = any
+ * @param mixed   $container_guid Container(s) to get entities from (default: any).
+ *
+ * @return array|false
+ * @access private
+ * @deprecated 1.9
+ */
+function get_todays_entities($type = "", $subtype = "", $owner_guid = 0, $order_by = "",
+$limit = 10, $offset = 0, $count = false, $site_guid = 0, $container_guid = null) {
+	elgg_deprecated_notice('get_todays_entities() has been deprecated', 1.9);
+
+	$day_start = get_day_start();
+	$day_end = get_day_end();
+
+	return get_notable_entities($day_start, $day_end, $type, $subtype, $owner_guid, $order_by,
+		$limit, $offset, $count, $site_guid, $container_guid);
+}
+
+/**
+ * Get entities for today from metadata.
+ *
+ * @param mixed  $meta_name      Metadata name
+ * @param mixed  $meta_value     Metadata value
+ * @param string $entity_type    The type of entity to look for, eg 'site' or 'object'
+ * @param string $entity_subtype The subtype of the entity.
+ * @param int    $owner_guid     Owner GUID
+ * @param int    $limit          Limit
+ * @param int    $offset         Offset
+ * @param string $order_by       Optional ordering.
+ * @param int    $site_guid      Site to get entities for. Default 0 = current site. -1 = any.
+ * @param bool   $count          If true, returns count instead of entities. (Default: false)
+ *
+ * @return int|array A list of entities, or a count if $count is set to true
+ * @access private
+ * @deprecated 1.9
+ */
+function get_todays_entities_from_metadata($meta_name, $meta_value = "", $entity_type = "",
+$entity_subtype = "", $owner_guid = 0, $limit = 10, $offset = 0, $order_by = "", $site_guid = 0,
+$count = false) {
+	elgg_deprecated_notice('get_todays_entities_from_metadata() has been deprecated', 1.9);
+
+	$day_start = get_day_start();
+	$day_end = get_day_end();
+
+	return get_notable_entities_from_metadata($day_start, $day_end, $meta_name, $meta_value,
+		$entity_type, $entity_subtype, $owner_guid, $limit, $offset, $order_by, $site_guid, $count);
+}
+
+/**
+ * Get entities for today from a relationship
+ *
+ * @param string  $relationship         The relationship eg "friends_of"
+ * @param int     $relationship_guid    The guid of the entity to use query
+ * @param bool    $inverse_relationship Reverse the normal function of the query to say
+ *                                      "give me all entities for whom $relationship_guid is a
+ *                                      $relationship of"
+ * @param string  $type                 Entity type
+ * @param string  $subtype              Entity subtype
+ * @param int     $owner_guid           Owner GUID
+ * @param string  $order_by             Optional Order by
+ * @param int     $limit                Limit
+ * @param int     $offset               Offset
+ * @param boolean $count                If true returns a count of entities (default false)
+ * @param int     $site_guid            Site to get entities for. Default 0 = current site. -1 = any
+ *
+ * @return array|int|false An array of entities, or the number of entities, or false on failure
+ * @access private
+ * @deprecated 1.9
+ */
+function get_todays_entities_from_relationship($relationship, $relationship_guid,
+$inverse_relationship = false, $type = "", $subtype = "", $owner_guid = 0,
+$order_by = "", $limit = 10, $offset = 0, $count = false, $site_guid = 0) {
+	elgg_deprecated_notice('get_todays_entities_from_relationship() has been deprecated', 1.9);
+
+	$day_start = get_day_start();
+	$day_end = get_day_end();
+
+	return get_notable_entities_from_relationship($day_start, $day_end, $relationship,
+		$relationship_guid,	$inverse_relationship, $type, $subtype, $owner_guid, $order_by,
+		$limit, $offset, $count, $site_guid);
+}
+
+/**
+ * Returns a viewable list of entities for a given time period.
+ *
+ * @see elgg_view_entity_list
+ *
+ * @param int     $start_time     The start time as a unix timestamp.
+ * @param int     $end_time       The end time as a unix timestamp.
+ * @param string  $type           The type of entity (eg "user", "object" etc)
+ * @param string  $subtype        The arbitrary subtype of the entity
+ * @param int     $owner_guid     The GUID of the owning user
+ * @param int     $limit          The number of entities to return; 10 by default
+ * @param boolean $fullview       Whether or not to display the full view (default: true)
+ * @param boolean $listtypetoggle Whether or not to allow gallery view
+ * @param boolean $navigation     Display pagination? Default: true
+ *
+ * @return string A viewable list of entities
+ * @access private
+ * @deprecated 1.9
+ */
+function list_notable_entities($start_time, $end_time, $type= "", $subtype = "", $owner_guid = 0,
+$limit = 10, $fullview = true, $listtypetoggle = false, $navigation = true) {
+	elgg_deprecated_notice('list_notable_entities() has been deprecated', 1.9);
+
+	$offset = (int) get_input('offset');
+	$count = get_notable_entities($start_time, $end_time, $type, $subtype,
+		$owner_guid, "", $limit, $offset, true);
+
+	$entities = get_notable_entities($start_time, $end_time, $type, $subtype,
+		$owner_guid, "", $limit, $offset);
+
+	return elgg_view_entity_list($entities, $count, $offset, $limit,
+		$fullview, $listtypetoggle, $navigation);
+}
+
+/**
+ * Return a list of today's entities.
+ *
+ * @see list_notable_entities
+ *
+ * @param string  $type           The type of entity (eg "user", "object" etc)
+ * @param string  $subtype        The arbitrary subtype of the entity
+ * @param int     $owner_guid     The GUID of the owning user
+ * @param int     $limit          The number of entities to return; 10 by default
+ * @param boolean $fullview       Whether or not to display the full view (default: true)
+ * @param boolean $listtypetoggle Whether or not to allow gallery view
+ * @param boolean $navigation     Display pagination? Default: true
+ *
+ * @return string A viewable list of entities
+ * @access private
+ * @deprecated 1.9
+ */
+function list_todays_entities($type= "", $subtype = "", $owner_guid = 0, $limit = 10,
+$fullview = true, $listtypetoggle = false, $navigation = true) {
+	elgg_deprecated_notice('list_todays_entities() has been deprecated', 1.9);
+
+	$day_start = get_day_start();
+	$day_end = get_day_end();
+
+	return list_notable_entities($day_start, $day_end, $type, $subtype, $owner_guid, $limit,
+		$fullview, $listtypetoggle, $navigation);
+}
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index b5ef7e572..34111c69d 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -746,7 +746,7 @@ function elgg_unregister_event_handler($event, $object_type, $callback) {
  * @tip When referring to events, the preferred syntax is "event, type".
  *
  * @internal Only rarely should events be changed, added, or removed in core.
- * When making changes to events, be sure to first create a ticket in trac.
+ * When making changes to events, be sure to first create a ticket on Github.
  *
  * @internal @tip Think of $object_type as the primary namespace element, and
  * $event as the secondary namespace.
@@ -1350,7 +1350,7 @@ function full_url() {
 		"" : (":" . $_SERVER["SERVER_PORT"]);
 
 	// This is here to prevent XSS in poorly written browsers used by 80% of the population.
-	// {@trac [5813]}
+	// https://github.com/Elgg/Elgg/commit/0c947e80f512cb0a482b1864fd0a6965c8a0cd4a
 	$quotes = array('\'', '"');
 	$encoded = array('%27', '%22');
 
@@ -2249,7 +2249,7 @@ function elgg_api_test($hook, $type, $value, $params) {
  *
  * @warning ACCESS_DEFAULT is a place holder for the input/access view. Do not
  * use it when saving an entity.
- * 
+ *
  * @var int
  */
 define('ACCESS_DEFAULT', -1);
diff --git a/engine/lib/entities.php b/engine/lib/entities.php
index 997db79d2..4fcf1c657 100644
--- a/engine/lib/entities.php
+++ b/engine/lib/entities.php
@@ -791,7 +791,7 @@ function get_entity($guid) {
 
 	if ($shared_cache) {
 		$cached_entity = $shared_cache->load($guid);
-		// @todo store ACLs in memcache http://trac.elgg.org/ticket/3018#comment:3
+		// @todo store ACLs in memcache https://github.com/elgg/elgg/issues/3018#issuecomment-13662617
 		if ($cached_entity) {
 			// @todo use ACL and cached entity access_id to determine if user can see it
 			return $cached_entity;
diff --git a/engine/lib/memcache.php b/engine/lib/memcache.php
index f79fba4a9..79b87e850 100644
--- a/engine/lib/memcache.php
+++ b/engine/lib/memcache.php
@@ -35,3 +35,23 @@ function is_memcache_available() {
 
 	return $memcache_available;
 }
+
+/**
+ * Invalidate an entity in memcache
+ *
+ * @param int $entity_guid The GUID of the entity to invalidate
+ *
+ * @return void
+ * @access private
+ */
+function _elgg_invalidate_memcache_for_entity($entity_guid) {
+	static $newentity_cache;
+	

+	if ((!$newentity_cache) && (is_memcache_available())) {

+		$newentity_cache = new ElggMemcache('new_entity_cache');

+	}
+	

+	if ($newentity_cache) {

+		$newentity_cache->delete($entity_guid);

+	}
+}
\ No newline at end of file
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index d2f8d4cd4..fdb1b85f6 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -333,9 +333,13 @@ function elgg_disable_metadata(array $options) {
 	}
 
 	elgg_get_metadata_cache()->invalidateByOptions('disable', $options);
+	
+	// if we can see hidden (disabled) we need to use the offset
+	// otherwise we risk an infinite loop if there are more than 50
+	$inc_offset = access_get_show_hidden_status();
 
 	$options['metastring_type'] = 'metadata';
-	return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', false);
+	return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', $inc_offset);
 }
 
 /**
diff --git a/engine/lib/notification.php b/engine/lib/notification.php
index b6399b3c6..be0c359d4 100644
--- a/engine/lib/notification.php
+++ b/engine/lib/notification.php
@@ -110,12 +110,15 @@ function notify_user($to, $from, $subject, $message, array $params = NULL, $meth
 			// Are we overriding delivery?
 			$methods = $methods_override;
 			if (!$methods) {
-				$tmp = (array)get_user_notification_settings($guid);
+				$tmp = get_user_notification_settings($guid);
 				$methods = array();
-				foreach ($tmp as $k => $v) {
-					// Add method if method is turned on for user!
-					if ($v) {
-						$methods[] = $k;
+				// $tmp may be false. don't cast
+				if (is_object($tmp)) {
+					foreach ($tmp as $k => $v) {
+						// Add method if method is turned on for user!
+						if ($v) {
+							$methods[] = $k;
+						}
 					}
 				}
 			}
@@ -165,7 +168,7 @@ function notify_user($to, $from, $subject, $message, array $params = NULL, $meth
  *
  * @param int $user_guid The user id
  *
- * @return stdClass
+ * @return stdClass|false
  */
 function get_user_notification_settings($user_guid = 0) {
 	$user_guid = (int)$user_guid;
diff --git a/engine/lib/output.php b/engine/lib/output.php
index 6172a5c8d..de4f911fb 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -421,6 +421,25 @@ function _elgg_html_decode($string) {
 }
 
 /**
+ * Prepares query string for output to prevent CSRF attacks.
+ * 
+ * @param string $string
+ * @return string
+ *
+ * @access private
+ */
+function _elgg_get_display_query($string) {
+	//encode <,>,&, quotes and characters above 127
+	if (function_exists('mb_convert_encoding')) {

+		$display_query = mb_convert_encoding($string, 'HTML-ENTITIES', 'UTF-8');

+	} else {

+		// if no mbstring extension, we just strip characters

+		$display_query = preg_replace("/[^\x01-\x7F]/", "", $string);

+	}

+	return htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+}
+
+/**
  * Unit tests for Output
  *
  * @param string  $hook   unit_test
diff --git a/engine/lib/plugins.php b/engine/lib/plugins.php
index 74bce45fd..d5d3db466 100644
--- a/engine/lib/plugins.php
+++ b/engine/lib/plugins.php
@@ -1105,6 +1105,49 @@ function plugins_test($hook, $type, $value, $params) {
 }
 
 /**
+ * Checks on deactivate plugin event if disabling it won't create unmet dependencies and blocks disable in such case.
+ *
+ * @param string $event  deactivate
+ * @param string $type   plugin
+ * @param array  $params Parameters array containing entry with ELggPlugin instance under 'plugin_entity' key
+ * @return bool  false to block plugin deactivation action
+ *
+ * @access private
+ */
+function _plugins_deactivate_dependency_check($event, $type, $params) {
+	$plugin_id = $params['plugin_entity']->getManifest()->getPluginID();
+	$plugin_name = $params['plugin_entity']->getManifest()->getName();
+
+	$active_plugins = elgg_get_plugins();
+
+	$dependents = array();
+	foreach ($active_plugins as $plugin) {
+		$manifest = $plugin->getManifest();
+		$requires = $manifest->getRequires();
+
+		foreach ($requires as $required) {
+			if ($required['type'] == 'plugin' && $required['name'] == $plugin_id) {
+				// there are active dependents
+				$dependents[$manifest->getPluginID()] = $plugin;
+			}
+		}
+	}
+
+	if ($dependents) {
+		$list = '<ul>';
+		// construct error message and prevent disabling
+		foreach ($dependents as $dependent) {
+			$list .= '<li>' . $dependent->getManifest()->getName() . '</li>';
+		}
+		$list .= '</ul>';
+
+		register_error(elgg_echo('ElggPlugin:Dependencies:ActiveDependent', array($plugin_name, $list)));
+
+		return false;
+	}
+}
+
+/**
  * Initialize the plugin system
  * Listens to system init and registers actions
  *
@@ -1115,6 +1158,10 @@ function plugin_init() {
 	run_function_once("plugin_run_once");
 
 	elgg_register_plugin_hook_handler('unit_test', 'system', 'plugins_test');
+	
+	// note - plugins are booted by the time this handler is registered
+	// deactivation due to error may have already occurred
+	elgg_register_event_handler('deactivate', 'plugin', '_plugins_deactivate_dependency_check');
 
 	elgg_register_action("plugins/settings/save", '', 'admin');
 	elgg_register_action("plugins/usersettings/save");
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index fb28e1e9a..e3d5ce9cd 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -326,6 +326,12 @@ function login(ElggUser $user, $persistent = false) {
 	set_last_login($_SESSION['guid']);
 	reset_login_failure_count($user->guid); // Reset any previous failed login attempts
 
+	// if memcache is enabled, invalidate the user in memcache @see https://github.com/Elgg/Elgg/issues/3143
+	if (is_memcache_available()) {
+		// this needs to happen with a shutdown function because of the timing with set_last_login()
+		register_shutdown_function("_elgg_invalidate_memcache_for_entity", $_SESSION['guid']);
+	}
+	
 	return true;
 }
 
diff --git a/engine/lib/system_log.php b/engine/lib/system_log.php
index 5a153afb2..84302632e 100644
--- a/engine/lib/system_log.php
+++ b/engine/lib/system_log.php
@@ -187,7 +187,16 @@ function system_log($object, $event) {
 		$object_subtype = $object->getSubtype();
 		$event = sanitise_string($event);
 		$time = time();
-		$ip_address = sanitise_string($_SERVER['REMOTE_ADDR']);
+
+		if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+			$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+		} elseif (!empty($_SERVER['HTTP_X_REAL_IP'])) {
+			$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_REAL_IP']));
+		} else {
+			$ip_address = $_SERVER['REMOTE_ADDR'];
+		}
+		$ip_address = sanitise_string($ip_address);
+
 		$performed_by = elgg_get_logged_in_user_guid();
 
 		if (isset($object->access_id)) {
diff --git a/engine/lib/upgrade.php b/engine/lib/upgrade.php
index 0cc1e64dc..158ec9ec1 100644
--- a/engine/lib/upgrade.php
+++ b/engine/lib/upgrade.php
@@ -245,7 +245,7 @@ function version_upgrade() {
 
 	// No version number? Oh snap...this is an upgrade from a clean installation < 1.7.
 	// Run all upgrades without error reporting and hope for the best.
-	// See http://trac.elgg.org/elgg/ticket/1432 for more.
+	// See https://github.com/elgg/elgg/issues/1432 for more.
 	$quiet = !$dbversion;
 
 	// Note: Database upgrades are deprecated as of 1.8.  Use code upgrades.  See #1433
diff --git a/engine/lib/upgrades/2010033101.php b/engine/lib/upgrades/2010033101.php
index 0bffee001..4779295fd 100644
--- a/engine/lib/upgrades/2010033101.php
+++ b/engine/lib/upgrades/2010033101.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Conditional upgrade for UTF8 as described in http://trac.elgg.org/ticket/1928
+ * Conditional upgrade for UTF8 as described in https://github.com/elgg/elgg/issues/1928
  */
 
 // get_version() returns the code version.
diff --git a/engine/lib/upgrades/2012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php b/engine/lib/upgrades/2012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php
index 07732f261..780038c32 100644
--- a/engine/lib/upgrades/2012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php
+++ b/engine/lib/upgrades/2012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php
@@ -3,7 +3,7 @@
  * Elgg 1.8.3 upgrade 2012041801
  * multiple_user_tokens
  *
- * Fixes http://trac.elgg.org/ticket/4291
+ * Fixes https://github.com/elgg/elgg/issues/4291
  * Removes the unique index on users_apisessions for user_guid and site_guid
  */
 
diff --git a/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
new file mode 100644
index 000000000..538d74dd6
--- /dev/null
+++ b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
@@ -0,0 +1,16 @@
+<?php
+/**
+ * Elgg 1.8.15 upgrade 2013060900
+ * site_secret
+ *
+ * Description
+ */
+
+$strength = _elgg_get_site_secret_strength();
+
+if ($strength !== 'strong') {
+	// a new key is needed immediately
+	register_translations(elgg_get_root_path() . 'languages/');
+
+	elgg_add_admin_notice('weak_site_key', elgg_echo("upgrade:site_secret_warning:$strength"));
+}
diff --git a/engine/lib/views.php b/engine/lib/views.php
index 7f179f572..1142461fe 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -369,7 +369,7 @@ function elgg_view_exists($view, $viewtype = '', $recurse = true) {
  * view, $view_name plugin hook.
  *
  * @warning Any variables in $_SESSION will override passed vars
- * upon name collision.  See {@trac #2124}.
+ * upon name collision.  See https://github.com/Elgg/Elgg/issues/2124
  *
  * @param string  $view     The name and location of the view to use
  * @param array   $vars     Variables to pass to the view.
@@ -795,7 +795,7 @@ function elgg_view_menu($menu_name, array $vars = array()) {
  *  - bool 'full_view' Whether to show a full or condensed view.
  *
  * @tip This function can automatically appends annotations to entities if in full
- * view and a handler is registered for the entity:annotate.  See {@trac 964} and
+ * view and a handler is registered for the entity:annotate.  See https://github.com/Elgg/Elgg/issues/964 and
  * {@link elgg_view_entity_annotations()}.
  *
  * @param ElggEntity $entity The entity to display
@@ -1249,7 +1249,7 @@ function elgg_view_river_item($item, array $vars = array()) {
 
 	// @todo this needs to be cleaned up
 	// Don't hide objects in closed groups that a user can see.
-	// see http://trac.elgg.org/ticket/4789
+	// see https://github.com/elgg/elgg/issues/4789
 	//	else {
 	//		// hide based on object's container
 	//		$visibility = ElggGroupItemVisibility::factory($object->container_guid);
@@ -1560,7 +1560,7 @@ function autoregister_views($view_base, $folder, $base_location_path, $viewtype)
 function elgg_views_add_rss_link() {
 	global $autofeed;
 	if (isset($autofeed) && $autofeed == true) {
-		$url = full_url();
+		$url = current_page_url();
 		if (substr_count($url, '?')) {
 			$url .= "&view=rss";
 		} else {
diff --git a/engine/tests/api/entity_getter_functions.php b/engine/tests/api/entity_getter_functions.php
index 0492b1fb0..fef9dc0c5 100644
--- a/engine/tests/api/entity_getter_functions.php
+++ b/engine/tests/api/entity_getter_functions.php
@@ -426,7 +426,7 @@ class ElggCoreEntityGetterFunctionsTest extends ElggCoreUnitTest {
 
 		$options = array(
 			'types' => $types,
-			'subtype' => $subtype
+			'subtypes' => $subtype
 		);
 
 		$es = elgg_get_entities($options);
diff --git a/engine/tests/api/helpers.php b/engine/tests/api/helpers.php
index 10216140f..414fb4145 100644
--- a/engine/tests/api/helpers.php
+++ b/engine/tests/api/helpers.php
@@ -519,7 +519,7 @@ class ElggCoreHelpersTest extends ElggCoreUnitTest {
 		$this->assertIdentical($elements_sorted_string, $test_elements);
 	}
 
-	// see http://trac.elgg.org/ticket/4288
+	// see https://github.com/elgg/elgg/issues/4288
 	public function testElggBatchIncOffset() {
 		// normal increment
 		$options = array(
diff --git a/engine/tests/api/metadata.php b/engine/tests/api/metadata.php
index 0862341c1..d23510c6a 100644
--- a/engine/tests/api/metadata.php
+++ b/engine/tests/api/metadata.php
@@ -139,7 +139,7 @@ class ElggCoreMetadataAPITest extends ElggCoreUnitTest {
 
 	// Make sure metadata with multiple values is correctly deleted when re-written
 	// by another user
-	// http://trac.elgg.org/ticket/2776
+	// https://github.com/elgg/elgg/issues/2776
 	public function test_elgg_metadata_multiple_values() {
 		$u1 = new ElggUser();
 		$u1->username = rand();
diff --git a/engine/tests/api/plugins.php b/engine/tests/api/plugins.php
index 114f3991b..d0f111c48 100644
--- a/engine/tests/api/plugins.php
+++ b/engine/tests/api/plugins.php
@@ -69,7 +69,7 @@ class ElggCorePluginsAPITest extends ElggCoreUnitTest {
 			'description' => 'A longer, more interesting description.',
 			'website' => 'http://www.elgg.org/',
 			'repository' => 'https://github.com/Elgg/Elgg',
-			'bugtracker' => 'http://trac.elgg.org',
+			'bugtracker' => 'https://github.com/elgg/elgg/issues',
 			'donations' => 'http://elgg.org/supporter.php',
 			'copyright' => '(C) Elgg Foundation 2011',
 			'license' => 'GNU General Public License version 2',
@@ -174,7 +174,7 @@ class ElggCorePluginsAPITest extends ElggCoreUnitTest {
 	}
 	
 		public function testElggPluginManifestGetBugtracker() {
-		$this->assertEqual($this->manifest18->getBugTrackerURL(), 'http://trac.elgg.org');
+		$this->assertEqual($this->manifest18->getBugTrackerURL(), 'https://github.com/elgg/elgg/issues');
 		$this->assertEqual($this->manifest17->getBugTrackerURL(), '');
 	}
 	
diff --git a/engine/tests/objects/entities.php b/engine/tests/objects/entities.php
index 248b85c9e..bac72079e 100644
--- a/engine/tests/objects/entities.php
+++ b/engine/tests/objects/entities.php
@@ -271,7 +271,7 @@ class ElggCoreEntityTest extends ElggCoreUnitTest {
 		$this->save_entity();
 
 		// test deleting incorrectly
-		// @link http://trac.elgg.org/ticket/2273
+		// @link https://github.com/elgg/elgg/issues/2273
 		$this->assertNull($this->entity->deleteMetadata('impotent'));
 		$this->assertEqual($this->entity->important, 'indeed!');
 
diff --git a/engine/tests/objects/objects.php b/engine/tests/objects/objects.php
index 915594e0a..263ab2414 100644
--- a/engine/tests/objects/objects.php
+++ b/engine/tests/objects/objects.php
@@ -194,7 +194,7 @@ class ElggCoreObjectTest extends ElggCoreUnitTest {
 		$old = elgg_set_ignore_access(true);
 	}
 
-	// see http://trac.elgg.org/ticket/1196
+	// see https://github.com/elgg/elgg/issues/1196
 	public function testElggEntityRecursiveDisableWhenLoggedOut() {
 		$e1 = new ElggObject();
 		$e1->access_id = ACCESS_PUBLIC;
diff --git a/engine/tests/objects/users.php b/engine/tests/objects/users.php
index 7d2ef6961..8a1033ac4 100644
--- a/engine/tests/objects/users.php
+++ b/engine/tests/objects/users.php
@@ -145,7 +145,7 @@ class ElggCoreUserTest extends ElggCoreUnitTest {
 	}
 
 	public function testElggUserNameCache() {
-		// Trac #1305
+		// issue https://github.com/elgg/elgg/issues/1305
 
 		// very unlikely a user would have this username
 		$name = (string)time();
diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php
index f173b5b9f..689275661 100644
--- a/engine/tests/regression/trac_bugs.php
+++ b/engine/tests/regression/trac_bugs.php
@@ -1,7 +1,7 @@
 <?php
 /**
- * Elgg Regression Tests -- Trac Bugfixes
- * Any bugfixes from Trac that require testing belong here.
+ * Elgg Regression Tests -- GitHub Bugfixes
+ * Any bugfixes from GitHub that require testing belong here.
  *
  * @package Elgg
  * @subpackage Test
@@ -201,8 +201,8 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 	}
 
 	/**
-	 * http://trac.elgg.org/ticket/3210 - Don't remove -s in friendly titles
-	 * http://trac.elgg.org/ticket/2276 - improve char encoding
+	 * https://github.com/elgg/elgg/issues/3210 - Don't remove -s in friendly titles
+	 * https://github.com/elgg/elgg/issues/2276 - improve char encoding
 	 */
 	public function test_friendly_title() {
 		$cases = array(
@@ -216,7 +216,7 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 			=> "a-a-a-a-a-a-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 			
 			// separators trimmed
-			"-_ hello _-" 
+			"-_ hello _-"
 			=> "hello",
 
 			// accents removed, lower case, other multibyte chars are URL encoded
@@ -286,7 +286,7 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 			'web archive anchor <a href="http://web.archive.org/web/20000229040250/http://www.google.com/">google</a>' =>
 				'web archive anchor <a href="http://web.archive.org/web/20000229040250/http://www.google.com/">google</a>',
 
-			'single quotes already anchor <a href=\'http://www.yahoo.com\'>yahoo</a>' => 
+			'single quotes already anchor <a href=\'http://www.yahoo.com\'>yahoo</a>' =>
 				'single quotes already anchor <a href=\'http://www.yahoo.com\'>yahoo</a>',
 
 			'unquoted already anchor <a href=http://www.yahoo.com>yahoo</a>' =>
@@ -302,7 +302,7 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 	
 	/**
 	 * Ensure additional select columns do not end up in entity attributes.
-	 * 
+	 *
 	 * https://github.com/Elgg/Elgg/issues/5538
 	 */
 	public function test_extra_columns_dont_appear_in_attributes() {
@@ -332,4 +332,74 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 		
 		$group->delete();
 	}
+
+	/**
+	 * Ensure that ElggBatch doesn't go into infinite loop when disabling annotations recursively when show hidden is enabled.
+	 *
+	 * https://github.com/Elgg/Elgg/issues/5952
+	 */
+	public function test_disabling_annotations_infinite_loop() {
+
+		//let's have some entity
+		$group = new ElggGroup();
+		$group->name = 'test_group';
+		$group->access_id = ACCESS_PUBLIC;
+		$this->assertTrue($group->save() !== false);
+
+		$total = 51;
+		//add some annotations
+		for ($cnt = 0; $cnt < $total; $cnt++) {
+			$group->annotate('test_annotation', 'value_' . $total);
+		}
+
+		//disable them
+		$show_hidden = access_get_show_hidden_status();
+		access_show_hidden_entities(true);
+		$options = array(
+			'guid' => $group->guid,
+			'limit' => $total, //using strict limit to avoid real infinite loop and just see ElggBatch limiting on it before finishing the work
+		);
+		elgg_disable_annotations($options);
+		access_show_hidden_entities($show_hidden);
+
+		//confirm all being disabled
+		$annotations = $group->getAnnotations(array(
+			'limit' => $total,
+		));
+		foreach ($annotations as $annotation) {
+			$this->assertTrue($annotation->enabled == 'no');
+		}
+
+		//delete group and annotations
+		$group->delete();
+	}
+
+	public function test_ElggXMLElement_does_not_load_external_entities() {
+		$elLast = libxml_disable_entity_loader(false);
+
+		// build payload that should trigger loading of external entity
+		$payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml');
+		$path = realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt');
+		$path = str_replace('\\', '/', $path);
+		if ($path[0] != '/') {
+			$path = '/' . $path;
+		}
+		$path = 'file://' . $path;
+		$payload = sprintf($payload, $path);
+
+		// make sure we can actually this in this environment
+		$element = new SimpleXMLElement($payload);
+		$can_load_entity = preg_match('/secret/', (string)$element->methodName);
+
+		$this->skipUnless($can_load_entity, "XXE vulnerability cannot be tested on this system");
+
+		if ($can_load_entity) {
+			$el = new ElggXMLElement($payload);
+			$chidren = $el->getChildren();
+			$content = $chidren[0]->getContent();
+			$this->assertNoPattern('/secret/', $content);
+		}
+
+		libxml_disable_entity_loader($elLast);
+	}
 }
diff --git a/engine/tests/test_files/plugin_18/manifest.xml b/engine/tests/test_files/plugin_18/manifest.xml
index 5d788616a..c8b407511 100644
--- a/engine/tests/test_files/plugin_18/manifest.xml
+++ b/engine/tests/test_files/plugin_18/manifest.xml
@@ -7,7 +7,7 @@
 	<description>A longer, more interesting description.</description>
 	<website>http://www.elgg.org/</website>
 	<repository>https://github.com/Elgg/Elgg</repository>
-	<bugtracker>http://trac.elgg.org</bugtracker>
+	<bugtracker>https://github.com/elgg/elgg/issues</bugtracker>
 	<donations>http://elgg.org/supporter.php</donations>
 	<copyright>(C) Elgg Foundation 2011</copyright>
 	<license>GNU General Public License version 2</license>
diff --git a/engine/tests/test_files/xxe/external_entity.txt b/engine/tests/test_files/xxe/external_entity.txt
new file mode 100644
index 000000000..536aca34d
--- /dev/null
+++ b/engine/tests/test_files/xxe/external_entity.txt
@@ -0,0 +1 @@
+secret
\ No newline at end of file
diff --git a/engine/tests/test_files/xxe/request.xml b/engine/tests/test_files/xxe/request.xml
new file mode 100644
index 000000000..4390f9db2
--- /dev/null
+++ b/engine/tests/test_files/xxe/request.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ELEMENT methodName ANY >
+<!ENTITY xxe SYSTEM "%s" >
+]>
+<methodCall>
+    <methodName>test&xxe;test</methodName>
+</methodCall>