diff --git a/ext/alias_editor/theme.php b/ext/alias_editor/theme.php
index 7b6bfb49..dfb24f44 100644
--- a/ext/alias_editor/theme.php
+++ b/ext/alias_editor/theme.php
@@ -12,8 +12,8 @@ class AliasEditorTheme extends Themelet {
 
 		$can_manage = $user->can("manage_alias_list");
 		if($can_manage) {
-			$action = "<th width='10%'>Action</th>";
-			$add = "
+			$h_action = "<th width='10%'>Action</th>";
+			$h_add = "
 				<tr>
 					".make_form(make_link("alias/add"))."
 						<td><input type='text' name='oldtag'></td>
@@ -24,8 +24,8 @@ class AliasEditorTheme extends Themelet {
 			";
 		}
 		else {
-			$action = "";
-			$add = "";
+			$h_action = "";
+			$h_add = "";
 		}
 
 		$h_aliases = "";
@@ -49,15 +49,10 @@ class AliasEditorTheme extends Themelet {
 			$h_aliases .= "</tr>";
 		}
 		$html = "
-			<script type='text/javascript'>
-			$(document).ready(function() {
-				$(\"#aliases\").tablesorter();
-			});
-			</script>
-			<table id='aliases' class='zebra'>
-				<thead><tr><th>From</th><th>To</th>$action</tr></thead>
+			<table id='aliases' class='sortable zebra'>
+				<thead><tr><th>From</th><th>To</th>$h_action</tr></thead>
 				<tbody>$h_aliases</tbody>
-				<tfoot>$add</tfoot>
+				<tfoot>$h_add</tfoot>
 			</table>
 			<p><a href='".make_link("alias/export/aliases.csv")."'>Download as CSV</a></p>
 		";
diff --git a/ext/comment/theme.php b/ext/comment/theme.php
index acdabed2..0da3f240 100644
--- a/ext/comment/theme.php
+++ b/ext/comment/theme.php
@@ -167,7 +167,6 @@ class CommentListTheme extends Themelet {
 
 		if($i_uid == $config->get_int("anon_id")) {
 			$anoncode = "";
-			$style = "";
 			$anoncode2 = "";
 			if($this->show_anon_id) {
 				$anoncode = '<sup>'.$this->anon_id.'</sup>';
@@ -181,7 +180,7 @@ class CommentListTheme extends Themelet {
 					}
 				}
 			}
-			$h_userlink = "<span class='username'$style>" . $h_name . $anoncode . $anoncode2 . "</span>";
+			$h_userlink = "<span class='username'>" . $h_name . $anoncode . $anoncode2 . "</span>";
 			$this->anon_id++;
 		}
 		else {
@@ -197,10 +196,10 @@ class CommentListTheme extends Themelet {
 			';
 		}
 		else {
-			$avatar = "";
+			$h_avatar = "";
 			if(!empty($comment->owner_email)) {
 				$hash = md5(strtolower($comment->owner_email));
-				$avatar = "<img src=\"http://www.gravatar.com/avatar/$hash.jpg\"><br>";
+				$h_avatar = "<img src=\"http://www.gravatar.com/avatar/$hash.jpg\"><br>";
 			}
 			$h_reply = " - <a href='javascript: replyTo($i_image_id, $i_comment_id)'>Reply</a>";
 			$h_ip = $user->can("view_ip") ? "<br>".show_ip($comment->poster_ip, "Comment posted {$comment->posted}") : "";
@@ -211,7 +210,7 @@ class CommentListTheme extends Themelet {
 				<a name="'.$i_comment_id.'"></a>
 				<div class="comment">
 					<div class="info">
-					'.$avatar.'
+					'.$h_avatar.'
 					'.$h_timestamp.$h_reply.$h_ip.$h_del.'
 					</div>
 					'.$h_userlink.': '.$h_comment.'
@@ -221,19 +220,19 @@ class CommentListTheme extends Themelet {
 		return "";
 	}
 
-	protected function build_postbox($image_id) {
+	protected function build_postbox(/*int*/ $image_id) {
 		global $config;
 
 		$i_image_id = int_escape($image_id);
 		$hash = CommentList::get_hash();
-		$captcha = $config->get_bool("comment_captcha") ? captcha_get_html() : "";
+		$h_captcha = $config->get_bool("comment_captcha") ? captcha_get_html() : "";
 
 		return '
 			'.make_form(make_link("comment/add")).'
 				<input type="hidden" name="image_id" value="'.$i_image_id.'" />
 				<input type="hidden" name="hash" value="'.$hash.'" />
 				<textarea id="comment_on_'.$i_image_id.'" name="comment" rows="5" cols="50"></textarea>
-				'.$captcha.'
+				'.$h_captcha.'
 				<br><input type="submit" value="Post Comment" />
 			</form>
 		';
diff --git a/ext/ext_manager/theme.php b/ext/ext_manager/theme.php
index 7dd74d5c..879380cb 100644
--- a/ext/ext_manager/theme.php
+++ b/ext/ext_manager/theme.php
@@ -3,7 +3,7 @@
 class ExtManagerTheme extends Themelet {
 	public function display_table(Page $page, /*array*/ $extensions, /*bool*/ $editable) {
 		global $user;
-		$en = $editable ? "<th>Enabled</th>" : "";
+		$h_en = $editable ? "<th>Enabled</th>" : "";
 		$html = "
 			".make_form(make_link("ext_manager/set"))."
 				<script type='text/javascript'>
@@ -13,7 +13,7 @@ class ExtManagerTheme extends Themelet {
 				</script>
 				<table id='extensions' class='zebra'>
 					<thead>
-						<tr>$en<th>Name</th><th>Description</th></tr>
+						<tr>$h_en<th>Name</th><th>Description</th></tr>
 					</thead>
 					<tbody>
 		";
@@ -21,27 +21,26 @@ class ExtManagerTheme extends Themelet {
 		foreach($extensions as $extension) {
 			if(!$editable && $extension->visibility == "admin") continue;
 
-			$ext_name = $extension->ext_name;
-			$h_name = empty($extension->name) ? $ext_name : html_escape($extension->name);
+			$h_name = html_escape(empty($extension->name) ? $extension->ext_name : $extension->name);
 			$h_description = html_escape($extension->description);
 			if($extension->enabled === TRUE) $h_enabled = " checked='checked'";
 			else if($extension->enabled === FALSE) $h_enabled = "";
 			else $h_enabled = " disabled checked='checked'";
-			$h_link = make_link("ext_doc/".html_escape($extension->ext_name));
+			$h_link = make_link("ext_doc/".url_escape($extension->ext_name));
 			$oe = ($n++ % 2 == 0) ? "even" : "odd";
 
-			$en = $editable ? "<td><input type='checkbox' name='ext_$ext_name'$h_enabled></td>" : "";
+			$h_en = $editable ? "<td><input type='checkbox' name='ext_".html_escape($extension->ext_name)."'$h_enabled></td>" : "";
 			$html .= "
 				<tr class='$oe'>
-					$en
+					$h_en
 					<td><a href='$h_link'>$h_name</a></td>
 					<td style='text-align: left;'>$h_description</td>
 				</tr>";
 		}
-		$set = $editable ? "<tfoot><tr><td colspan='5'><input type='submit' value='Set Extensions'></td></tr></tfoot>" : "";
+		$h_set = $editable ? "<tfoot><tr><td colspan='5'><input type='submit' value='Set Extensions'></td></tr></tfoot>" : "";
 		$html .= "
 					</tbody>
-					$set
+					$h_set
 				</table>
 			</form>
 		";
diff --git a/ext/handle_pixel/theme.php b/ext/handle_pixel/theme.php
index a90543c3..84957ac3 100644
--- a/ext/handle_pixel/theme.php
+++ b/ext/handle_pixel/theme.php
@@ -4,8 +4,8 @@ class PixelFileHandlerTheme extends Themelet {
 	public function display_image(Page $page, Image $image) {
 		global $config;
 
-		$ilink = $image->get_image_link();
-		$html = "<img id='main_image' src='$ilink'>";
+		$u_ilink = $image->get_image_link();
+		$html = "<img id='main_image' src='$u_ilink'>";
 		if($config->get_bool("image_show_meta")) {
 			# FIXME: only read from jpegs?
 			$exif = @exif_read_data($image->get_image_filename(), 0, true);
diff --git a/ext/image/theme.php b/ext/image/theme.php
index 8d0537a1..c21a7390 100644
--- a/ext/image/theme.php
+++ b/ext/image/theme.php
@@ -6,7 +6,7 @@ class ImageIOTheme {
 	 *
 	 * @param $image_id The image to delete
 	 */
-	public function get_deleter_html($image_id) {
+	public function get_deleter_html(/*int*/ $image_id) {
 		global $config;
 
 		if($config->get_bool("image_jquery_confirm")) {
@@ -33,14 +33,11 @@ class ImageIOTheme {
 	 *
 	 * @param $image_id The image to replace
 	 */
-	public function get_replace_html($image_id) {
-	
-		$html = "
-				".make_form(make_link("image_admin/replace"))."
+	public function get_replace_html(/*int*/ $image_id) {
+		$html = make_form(make_link("image_admin/replace"))."
 					<input type='hidden' name='image_id' value='$image_id' />
 					<input type='submit' value='Replace' />
 				</form>";
-		
 		return $html;
 	}
 }
diff --git a/ext/setup/theme.php b/ext/setup/theme.php
index 472a074f..609ed6b8 100644
--- a/ext/setup/theme.php
+++ b/ext/setup/theme.php
@@ -15,7 +15,6 @@ class SetupTheme extends Themelet {
 	public function display_page(Page $page, SetupPanel $panel) {
 		global $user;
 
-
 		usort($panel->blocks, "blockcmp");
 
 		/*
@@ -44,35 +43,31 @@ class SetupTheme extends Themelet {
 	public function display_advanced(Page $page, $options) {
 		global $user;
 
-		$rows = "";
+		$h_rows = "";
 		$n = 0;
 		ksort($options);
 		foreach($options as $name => $value) {
+			$h_name = html_escape($name);
 			$h_value = html_escape($value);
 			$len = strlen($h_value);
 			$oe = ($n++ % 2 == 0) ? "even" : "odd";
 
-			$box = "";
+			$h_box = "";
 			if(strpos($value, "\n") > 0) {
-				$box .= "<textarea cols='50' rows='4' name='_config_$name'>$h_value</textarea>";
+				$h_box .= "<textarea cols='50' rows='4' name='_config_$h_name'>$h_value</textarea>";
 			}
 			else {
-				$box .= "<input type='text' name='_config_$name' value='$h_value'>";
+				$h_box .= "<input type='text' name='_config_$h_name' value='$h_value'>";
 			}
-			$box .= "<input type='hidden' name='_type_$name' value='string'>";
-			$rows .= "<tr class='$oe'><td>$name</td><td>$box</td></tr>";
+			$h_box .= "<input type='hidden' name='_type_$h_name' value='string'>";
+			$h_rows .= "<tr class='$oe'><td>$h_name</td><td>$h_box</td></tr>";
 		}
 
 		$table = "
-			<script type='text/javascript'>
-			$(document).ready(function() {
-				$(\"#settings\").tablesorter();
-			});
-			</script>
 			".make_form(make_link("setup/save"))."
-				<table id='settings' class='zebra'>
+				<table id='settings' class='sortable zebra'>
 					<thead><tr><th width='25%'>Name</th><th>Value</th></tr></thead>
-					<tbody>$rows</tbody>
+					<tbody>$h_rows</tbody>
 					<tfoot><tr><td colspan='2'><input type='submit' value='Save Settings'></td></tr></tfoot>
 				</table>
 			</form>
diff --git a/ext/tag_edit/theme.php b/ext/tag_edit/theme.php
index 7dd5e9da..419afee6 100644
--- a/ext/tag_edit/theme.php
+++ b/ext/tag_edit/theme.php
@@ -37,12 +37,12 @@ class TagEditTheme extends Themelet {
 		$h_owner = html_escape($image->get_owner()->name);
 		$h_av = $image->get_owner()->get_avatar_html();
 		$h_date = autodate($image->posted);
-		$ip = $user->can("view_ip") ? " (".show_ip($image->owner_ip, "Image posted {$image->posted}").")" : "";
+		$h_ip = $user->can("view_ip") ? " (".show_ip($image->owner_ip, "Image posted {$image->posted}").")" : "";
 		return "
 			<tr>
 				<td>Uploader</td>
 				<td>
-					<span class='view'><a class='username' href='".make_link("user/$h_owner")."'>$h_owner</a>$ip, $h_date</span>
+					<span class='view'><a class='username' href='".make_link("user/$h_owner")."'>$h_owner</a>$h_ip, $h_date</span>
 					<input class='edit' type='text' name='tag_edit__owner' value='$h_owner'>
 				</td>
 				<td width='80px' rowspan='4'>$h_av</td>
@@ -64,7 +64,7 @@ class TagEditTheme extends Themelet {
 		";
 	}
 
-	private function format_source($source) {
+	private function format_source(/*string*/ $source) {
 		if(!empty($source)) {
 			$h_source = html_escape($source);
 			if(startsWith($source, "http://") || startsWith($source, "https://")) {
diff --git a/ext/tag_list/theme.php b/ext/tag_list/theme.php
index 23065572..59f7c556 100644
--- a/ext/tag_list/theme.php
+++ b/ext/tag_list/theme.php
@@ -53,9 +53,10 @@ class TagListTheme extends Themelet {
 			}
 		}
 		
-		if($config->get_string('tag_list_image_type')=="tags"){
-			$page->add_block(new Block("Tags", $html, "left", 10));}
-		else{
+		if($config->get_string('tag_list_image_type')=="tags") {
+			$page->add_block(new Block("Tags", $html, "left", 10));
+		}
+		else {
 			$page->add_block(new Block("Related Tags", $html, "left", 10));
 		}
 	}
@@ -109,7 +110,7 @@ class TagListTheme extends Themelet {
 		global $config;
 
 		// store local copy for speed.
-		$info_link		= $config->get_string('info_link');
+		$info_link = $config->get_string('info_link');
 		
 		$html = "";
 		$n = 0;
diff --git a/ext/upload/_style.css b/ext/upload/_style.css
deleted file mode 100644
index ef8424c9..00000000
--- a/ext/upload/_style.css
+++ /dev/null
@@ -1,14 +0,0 @@
-/* Only need to change the file/url inputs */
-#large_upload_form INPUT.wid {
-	width: 100%;
-}
-#radio_button {
-	width: auto;
-}
-#wrapper {
-    opacity : 0.4;
-    filter: alpha(opacity=40); // msie
-}
-
-/* This is needed since the theme style.css forcibly sets vertical align to "top". */
-TABLE.vert TD, TABLE.vert TH {vertical-align: middle;}
diff --git a/ext/upload/style.css b/ext/upload/style.css
index 33c7f922..7102f3cc 100644
--- a/ext/upload/style.css
+++ b/ext/upload/style.css
@@ -1,3 +1,17 @@
+/* Only need to change the file/url inputs */
+#large_upload_form INPUT.wid {
+	width: 100%;
+}
+#radio_button {
+	width: auto;
+}
+#wrapper {
+    opacity : 0.4;
+    filter: alpha(opacity=40); // msie
+}
+
+/* This is needed since the theme style.css forcibly sets vertical align to "top". */
+TABLE.vert TD, TABLE.vert TH {vertical-align: middle;}
 .mini_upload INPUT {
 	width: 100%;
 }
diff --git a/ext/upload/theme.php b/ext/upload/theme.php
index 567938d0..8c3dca71 100644
--- a/ext/upload/theme.php
+++ b/ext/upload/theme.php
@@ -11,7 +11,6 @@ class UploadTheme extends Themelet {
 
 	public function display_page(Page $page) {
 		global $config, $page;
-		$page->add_html_header("<link rel='stylesheet' href='".get_base_href()."/ext/upload/_style.css' type='text/css'>");
 		
 		$tl_enabled = ($config->get_string("transload_engine", "none") != "none");
 		// Uploader 2.0!
@@ -157,7 +156,6 @@ class UploadTheme extends Themelet {
 	/* only allows 1 file to be uploaded - for replacing another image file */
 	public function display_replace_page(Page $page, /*int*/ $image_id) {
 		global $config, $page;
-		$page->add_html_header("<link rel='stylesheet' href='".get_base_href()."/ext/upload/_style.css' type='text/css'>");
 		$tl_enabled = ($config->get_string("transload_engine", "none") != "none");
 
 		$js2 = 'javascript:$(function() {
diff --git a/ext/user/theme.php b/ext/user/theme.php
index c8a7068e..a4639cd7 100644
--- a/ext/user/theme.php
+++ b/ext/user/theme.php
@@ -17,7 +17,7 @@ class UserPageTheme extends Themelet {
 		$html .= "<tr><td>Name</td></tr>";
 		foreach($users as $duser) {
 			$html .= "<tr>";
-			$html .= "<td><a href='".make_link("user/".$duser->name)."'>".html_escape($duser->name)."</a></td>";
+			$html .= "<td><a href='".make_link("user/".url_escape($duser->name))."'>".html_escape($duser->name)."</a></td>";
 			$html .= "</tr>";
 		}
 		$html .= "</table>";
@@ -50,7 +50,7 @@ class UserPageTheme extends Themelet {
 		if(empty($tac)) {$html = "";}
 		else {$html = '<p>'.$tac.'</p>';}
 
-		$reca = "<tr><td colspan='2'>".captcha_get_html()."</td></tr>";
+		$h_reca = "<tr><td colspan='2'>".captcha_get_html()."</td></tr>";
 
 		$html .= '
 		'.make_form(make_link("user_admin/create"))."
@@ -59,7 +59,7 @@ class UserPageTheme extends Themelet {
 				<tr><td>Password</td><td><input type='password' name='pass1'></td></tr>
 				<tr><td>Repeat Password</td><td><input type='password' name='pass2'></td></tr>
 				<tr><td>Email (Optional)</td><td><input type='text' name='email'></td></tr>
-				$reca
+				$h_reca
 				<tr><td colspan='2'><input type='Submit' value='Create Account'></td></tr>
 			</table>
 		</form>
@@ -135,8 +135,8 @@ class UserPageTheme extends Themelet {
 		assert(is_array($stats));
 		$stats[] = 'User ID: '.$duser->id;
 
-		$page->set_title($duser->name."'s Page");
-		$page->set_heading($duser->name."'s Page");
+		$page->set_title(html_escape($duser->name)."'s Page");
+		$page->set_heading(html_escape($duser->name)."'s Page");
 		$page->add_block(new NavBlock());
 		$page->add_block(new Block("Stats", join("<br>", $stats), "main", 0));
 
diff --git a/ext/view/theme.php b/ext/view/theme.php
index 7e0bd8b9..4bce845d 100644
--- a/ext/view/theme.php
+++ b/ext/view/theme.php
@@ -7,11 +7,11 @@ class ViewImageTheme extends Themelet {
 	public function display_page(Image $image, $editor_parts) {
 		global $page;
 
-		$metatags = str_replace(" ", ", ", html_escape($image->get_tag_list()));
+		$h_metatags = str_replace(" ", ", ", html_escape($image->get_tag_list()));
 
 		$page->set_title("Image {$image->id}: ".html_escape($image->get_tag_list()));
-		$page->add_html_header("<meta name=\"keywords\" content=\"$metatags\">");
-		$page->add_html_header("<meta property=\"og:title\" content=\"$metatags\">");
+		$page->add_html_header("<meta name=\"keywords\" content=\"$h_metatags\">");
+		$page->add_html_header("<meta property=\"og:title\" content=\"$h_metatags\">");
 		$page->add_html_header("<meta property=\"og:type\" content=\"article\">");
 		$page->add_html_header("<meta property=\"og:image\" content=\"".make_http($image->get_thumb_link())."\">");
 		$page->add_html_header("<meta property=\"og:url\" content=\"".make_http(make_link("post/view/{$image->id}"))."\">");