From 972e65d02b14a19cc1beba516954973735c12c2b Mon Sep 17 00:00:00 2001
From: joyqi <magike.net@gmail.com>
Date: Thu, 27 Feb 2014 23:13:09 +0800
Subject: [PATCH] =?UTF-8?q?=E5=85=A8=E9=9D=A2=E5=A2=9E=E5=8A=A0security?=
 =?UTF-8?q?=E5=AE=89=E5=85=A8=E6=A8=A1=E5=9D=97=EF=BC=8C=E4=BF=9D=E6=8A=A4?=
 =?UTF-8?q?=E5=85=8D=E5=8F=97=E8=B7=A8=E7=AB=99=E6=94=BB=E5=87=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 admin/common.php                        |   1 +
 admin/file-upload-js.php                |   2 +-
 admin/manage-categories.php             |  10 +-
 admin/manage-comments.php               |  32 +++---
 admin/manage-medias.php                 |   8 +-
 admin/manage-pages.php                  |   4 +-
 admin/manage-posts.php                  |   4 +-
 admin/manage-tags.php                   |   6 +-
 admin/manage-users.php                  |   4 +-
 admin/media.php                         |   2 +-
 admin/plugins.php                       |  24 +----
 admin/theme-editor.php                  |   2 +-
 admin/themes.php                        |  72 +------------
 admin/upgrade.php                       |   5 +-
 admin/write-js.php                      |   4 +-
 admin/write-page.php                    |   4 +-
 admin/write-post.php                    |   4 +-
 var/Typecho/Common.php                  |  24 +----
 var/Typecho/Config.php                  |   5 +-
 var/Typecho/Db.php                      |   2 +-
 var/Typecho/Request.php                 |  28 ++---
 var/Widget/Abstract.php                 |   8 ++
 var/Widget/Comments/Edit.php            |   1 +
 var/Widget/Contents/Attachment/Edit.php |  15 +--
 var/Widget/Contents/Page/Edit.php       |   1 +
 var/Widget/Contents/Post/Admin.php      |   8 --
 var/Widget/Contents/Post/Edit.php       |   1 +
 var/Widget/Do.php                       |   1 -
 var/Widget/Feedback.php                 |   1 +
 var/Widget/Metas/Category/Edit.php      |   5 +-
 var/Widget/Metas/Tag/Edit.php           |   5 +-
 var/Widget/Options.php                  |   7 +-
 var/Widget/Options/Discussion.php       |   3 +-
 var/Widget/Options/General.php          |   3 +-
 var/Widget/Options/Permalink.php        |   3 +-
 var/Widget/Options/Reading.php          |   5 +-
 var/Widget/Plugins/Config.php           |   8 +-
 var/Widget/Plugins/Edit.php             |  23 ++--
 var/Widget/Security.php                 | 134 ++++++++++++++++++++++++
 var/Widget/Themes/Config.php            |  10 +-
 var/Widget/Themes/Edit.php              |   4 +-
 var/Widget/Themes/Files.php             |   1 +
 var/Widget/Upgrade.php                  |   1 +
 var/Widget/Upload.php                   |   1 +
 var/Widget/User.php                     |   8 +-
 var/Widget/Users/Admin.php              |   8 --
 var/Widget/Users/Edit.php               |   3 +-
 var/Widget/Users/Profile.php            |   9 +-
 var/Widget/XmlRpc.php                   |   4 +-
 49 files changed, 284 insertions(+), 244 deletions(-)
 create mode 100644 var/Widget/Security.php

diff --git a/admin/common.php b/admin/common.php
index 63d79088..39b0a905 100644
--- a/admin/common.php
+++ b/admin/common.php
@@ -19,6 +19,7 @@ Typecho_Plugin::factory('admin/common.php')->begin();
 
 Typecho_Widget::widget('Widget_Options')->to($options);
 Typecho_Widget::widget('Widget_User')->to($user);
+Typecho_Widget::widget('Widget_Security')->to($security);
 Typecho_Widget::widget('Widget_Menu')->to($menu);
 
 /** 初始化上下文 */
diff --git a/admin/file-upload-js.php b/admin/file-upload-js.php
index 9bde9685..5f92213b 100644
--- a/admin/file-upload-js.php
+++ b/admin/file-upload-js.php
@@ -120,7 +120,7 @@ $(document).ready(function() {
     $('#tab-files').bind('init', function () {
         var uploader = new plupload.Uploader({
             browse_button   :   $('.upload-file').get(0),
-            url             :   '<?php $options->index('/action/upload' 
+            url             :   '<?php $security->index('/action/upload'
                 . (isset($fileParentContent) ? '?cid=' . $fileParentContent->cid : '')); ?>',
             runtimes        :   'html5,flash,silverlight,html4',
             flash_swf_url   :   '<?php $options->adminUrl('js/Moxie.swf'); ?>',
diff --git a/admin/manage-categories.php b/admin/manage-categories.php
index c28effb8..8124eac5 100644
--- a/admin/manage-categories.php
+++ b/admin/manage-categories.php
@@ -20,10 +20,10 @@ Typecho_Widget::widget('Widget_Metas_Category_Admin')->to($categories);
                             <div class="btn-group btn-drop">
                                 <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                                 <ul class="dropdown-menu">
-                                    <li><a lang="<?php _e('此分类下的所有内容将被删除, 你确认要删除这些分类吗?'); ?>" href="<?php $options->index('/action/metas-category-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
-                                    <li><a lang="<?php _e('刷新分类可能需要等待较长时间, 你确认要刷新这些分类吗?'); ?>" href="<?php $options->index('/action/metas-category-edit?do=refresh'); ?>"><?php _e('刷新'); ?></a></li>
+                                    <li><a lang="<?php _e('此分类下的所有内容将被删除, 你确认要删除这些分类吗?'); ?>" href="<?php $security->index('/action/metas-category-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                                    <li><a lang="<?php _e('刷新分类可能需要等待较长时间, 你确认要刷新这些分类吗?'); ?>" href="<?php $security->index('/action/metas-category-edit?do=refresh'); ?>"><?php _e('刷新'); ?></a></li>
                                     <li class="multiline">
-                                        <button type="button" class="btn merge btn-s" rel="<?php $options->index('/action/metas-category-edit?do=merge'); ?>"><?php _e('合并到'); ?></button>
+                                        <button type="button" class="btn merge btn-s" rel="<?php $security->index('/action/metas-category-edit?do=merge'); ?>"><?php _e('合并到'); ?></button>
                                         <select name="merge">
                                             <?php $categories->parse('<option value="{mid}">{name}</option>'); ?>
                                         </select>
@@ -77,7 +77,7 @@ Typecho_Widget::widget('Widget_Metas_Category_Admin')->to($categories);
                                     <?php if ($options->defaultCategory == $categories->mid): ?>
                                     <?php _e('默认'); ?>
                                     <?php else: ?>
-                                    <a class="hidden-by-mouse" href="<?php $options->index('/action/metas-category-edit?do=default&mid=' . $categories->mid); ?>" title="<?php _e('设为默认'); ?>"><?php _e('默认'); ?></a>
+                                    <a class="hidden-by-mouse" href="<?php $security->index('/action/metas-category-edit?do=default&mid=' . $categories->mid); ?>" title="<?php _e('设为默认'); ?>"><?php _e('默认'); ?></a>
                                     <?php endif; ?>
                                     </td>
                                     <td><a class="balloon-button left size-<?php echo Typecho_Common::splitByCount($categories->count, 1, 10, 20, 50, 100); ?>" href="<?php $options->adminUrl('manage-posts.php?category=' . $categories->mid); ?>"><?php $categories->count(); ?></a></td>
@@ -114,7 +114,7 @@ include 'common-js.php';
                     ids.push($(this).val());
                 });
 
-                $.post('<?php $options->index('/action/metas-category-edit?do=sort'); ?>', 
+                $.post('<?php $security->index('/action/metas-category-edit?do=sort'); ?>',
                     $.param({mid : ids}));
 
                 $('tr', table).each(function (i) {
diff --git a/admin/manage-comments.php b/admin/manage-comments.php
index becbc1d5..9dfeb468 100644
--- a/admin/manage-comments.php
+++ b/admin/manage-comments.php
@@ -52,13 +52,13 @@ $isAllComments = ('on' == $request->get('__typecho_all_comments') || 'on' == Typ
                             <div class="btn-group btn-drop">
                             <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                             <ul class="dropdown-menu">
-                                <li><a href="<?php $options->index('/action/comments-edit?do=approved'); ?>"><?php _e('通过'); ?></a></li>
-                                <li><a href="<?php $options->index('/action/comments-edit?do=waiting'); ?>"><?php _e('待审核'); ?></a></li>
-                                <li><a href="<?php $options->index('/action/comments-edit?do=spam'); ?>"><?php _e('标记垃圾'); ?></a></li>
-                                <li><a lang="<?php _e('你确认要删除这些评论吗?'); ?>" href="<?php $options->index('/action/comments-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li> 
+                                <li><a href="<?php $security->index('/action/comments-edit?do=approved'); ?>"><?php _e('通过'); ?></a></li>
+                                <li><a href="<?php $security->index('/action/comments-edit?do=waiting'); ?>"><?php _e('待审核'); ?></a></li>
+                                <li><a href="<?php $security->index('/action/comments-edit?do=spam'); ?>"><?php _e('标记垃圾'); ?></a></li>
+                                <li><a lang="<?php _e('你确认要删除这些评论吗?'); ?>" href="<?php $security->index('/action/comments-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
                             </ul>
                             <?php if('spam' == $request->get('status')): ?>
-                                <button lang="<?php _e('你确认要删除所有垃圾评论吗?'); ?>" class="btn btn-s btn-warn btn-operate" href="<?php $options->index('/action/comments-edit?do=delete-spam'); ?>"><?php _e('删除所有垃圾评论'); ?></button>
+                                <button lang="<?php _e('你确认要删除所有垃圾评论吗?'); ?>" class="btn btn-s btn-warn btn-operate" href="<?php $security->index('/action/comments-edit?do=delete-spam'); ?>"><?php _e('删除所有垃圾评论'); ?></button>
                             <?php endif; ?>
                             </div>
                         </div>
@@ -147,28 +147,28 @@ $isAllComments = ('on' == $request->get('__typecho_all_comments') || 'on' == Typ
                                     <?php if('approved' == $comments->status): ?>
                                     <span class="weak"><?php _e('通过'); ?></span>
                                     <?php else: ?>
-                                    <a href="<?php $options->index('/action/comments-edit?do=approved&coid=' . $comments->coid); ?>" class="operate-approved"><?php _e('通过'); ?></a>
+                                    <a href="<?php $security->index('/action/comments-edit?do=approved&coid=' . $comments->coid); ?>" class="operate-approved"><?php _e('通过'); ?></a>
                                     <?php endif; ?>
                                     
                                     <?php if('waiting' == $comments->status): ?>
                                     <span class="weak"><?php _e('待审核'); ?></span>
                                     <?php else: ?>
-                                    <a href="<?php $options->index('/action/comments-edit?do=waiting&coid=' . $comments->coid); ?>" class="operate-waiting"><?php _e('待审核'); ?></a>
+                                    <a href="<?php $security->index('/action/comments-edit?do=waiting&coid=' . $comments->coid); ?>" class="operate-waiting"><?php _e('待审核'); ?></a>
                                     <?php endif; ?>
                                     
                                     <?php if('spam' == $comments->status): ?>
                                     <span class="weak"><?php _e('垃圾'); ?></span>
                                     <?php else: ?>
-                                    <a href="<?php $options->index('/action/comments-edit?do=spam&coid=' . $comments->coid); ?>" class="operate-spam"><?php _e('垃圾'); ?></a>
+                                    <a href="<?php $security->index('/action/comments-edit?do=spam&coid=' . $comments->coid); ?>" class="operate-spam"><?php _e('垃圾'); ?></a>
                                     <?php endif; ?>
                                     
-                                    <a href="#<?php $comments->theId(); ?>" rel="<?php $options->index('/action/comments-edit?do=edit&coid=' . $comments->coid); ?>" class="operate-edit"><?php _e('编辑'); ?></a>
+                                    <a href="#<?php $comments->theId(); ?>" rel="<?php $security->index('/action/comments-edit?do=edit&coid=' . $comments->coid); ?>" class="operate-edit"><?php _e('编辑'); ?></a>
 
                                     <?php if('approved' == $comments->status && 'comment' == $comments->type): ?>
-                                    <a href="#<?php $comments->theId(); ?>" rel="<?php $options->index('/action/comments-edit?do=reply&coid=' . $comments->coid); ?>" class="operate-reply"><?php _e('回复'); ?></a>
+                                    <a href="#<?php $comments->theId(); ?>" rel="<?php $security->index('/action/comments-edit?do=reply&coid=' . $comments->coid); ?>" class="operate-reply"><?php _e('回复'); ?></a>
                                     <?php endif; ?>
                                     
-                                    <a lang="<?php _e('你确认要删除%s的评论吗?', htmlspecialchars($comments->author)); ?>" href="<?php $options->index('/action/comments-edit?do=delete&coid=' . $comments->coid); ?>" class="operate-delete"><?php _e('删除'); ?></a>
+                                    <a lang="<?php _e('你确认要删除%s的评论吗?', htmlspecialchars($comments->author)); ?>" href="<?php $security->index('/action/comments-edit?do=delete&coid=' . $comments->coid); ?>" class="operate-delete"><?php _e('删除'); ?></a>
                                 </div>
                             </td>
                         </tr>
@@ -194,13 +194,13 @@ $isAllComments = ('on' == $request->get('__typecho_all_comments') || 'on' == Typ
                             <div class="btn-group btn-drop">
                             <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                             <ul class="dropdown-menu">
-                                <li><a href="<?php $options->index('/action/comments-edit?do=approved'); ?>"><?php _e('通过'); ?></a></li>
-                                <li><a href="<?php $options->index('/action/comments-edit?do=waiting'); ?>"><?php _e('待审核'); ?></a></li>
-                                <li><a href="<?php $options->index('/action/comments-edit?do=spam'); ?>"><?php _e('标记垃圾'); ?></a></li>
-                                <li><a lang="<?php _e('你确认要删除这些评论吗?'); ?>" href="<?php $options->index('/action/comments-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                                <li><a href="<?php $security->index('/action/comments-edit?do=approved'); ?>"><?php _e('通过'); ?></a></li>
+                                <li><a href="<?php $security->index('/action/comments-edit?do=waiting'); ?>"><?php _e('待审核'); ?></a></li>
+                                <li><a href="<?php $security->index('/action/comments-edit?do=spam'); ?>"><?php _e('标记垃圾'); ?></a></li>
+                                <li><a lang="<?php _e('你确认要删除这些评论吗?'); ?>" href="<?php $security->index('/action/comments-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
                             </ul>
                             <?php if('spam' == $request->get('status')): ?>
-                                <button lang="<?php _e('你确认要删除所有垃圾评论吗?'); ?>" class="btn btn-s btn-warn btn-operate" href="<?php $options->index('/action/comments-edit?do=delete-spam'); ?>"><?php _e('删除所有垃圾评论'); ?></button>
+                                <button lang="<?php _e('你确认要删除所有垃圾评论吗?'); ?>" class="btn btn-s btn-warn btn-operate" href="<?php $security->index('/action/comments-edit?do=delete-spam'); ?>"><?php _e('删除所有垃圾评论'); ?></button>
                             <?php endif; ?>
                             </div>
                         </div>
diff --git a/admin/manage-medias.php b/admin/manage-medias.php
index 58a16342..1c08f79c 100644
--- a/admin/manage-medias.php
+++ b/admin/manage-medias.php
@@ -20,9 +20,9 @@ $stat = Typecho_Widget::widget('Widget_Stat');
                             <div class="btn-group btn-drop">
                             <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                             <ul class="dropdown-menu">
-                                <li><a lang="<?php _e('你确认要删除这些文件吗?'); ?>" href="<?php $options->index('/action/contents-attachment-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                                <li><a lang="<?php _e('你确认要删除这些文件吗?'); ?>" href="<?php $security->index('/action/contents-attachment-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
                             </ul>
-                            <button class="btn btn-s btn-warn btn-operate" href="<?php $options->index('/action/contents-attachment-edit?do=clear'); ?>" lang="<?php _e('您确认要清理未归档的文件吗?'); ?>"><?php _e('清理未归档文件'); ?></button>
+                            <button class="btn btn-s btn-warn btn-operate" href="<?php $security->index('/action/contents-attachment-edit?do=clear'); ?>" lang="<?php _e('您确认要清理未归档的文件吗?'); ?>"><?php _e('清理未归档文件'); ?></button>
                             </div>
                         </div>
                         <div class="search" role="search">
@@ -96,10 +96,10 @@ $stat = Typecho_Widget::widget('Widget_Stat');
                             <div class="btn-group btn-drop">
                                 <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                                 <ul class="dropdown-menu">
-                                    <li><a lang="<?php _e('你确认要删除这些文件吗?'); ?>" href="<?php $options->index('/action/contents-attachment-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                                    <li><a lang="<?php _e('你确认要删除这些文件吗?'); ?>" href="<?php $security->index('/action/contents-attachment-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
                                 </ul>
                             </div>
-                            <button class="btn btn-s btn-warn btn-operate" href="<?php $options->index('/action/contents-attachment-edit?do=clear'); ?>" lang="<?php _e('您确认要清理未归档的文件吗?'); ?>"><?php _e('清理未归档文件'); ?></button>
+                            <button class="btn btn-s btn-warn btn-operate" href="<?php $security->index('/action/contents-attachment-edit?do=clear'); ?>" lang="<?php _e('您确认要清理未归档的文件吗?'); ?>"><?php _e('清理未归档文件'); ?></button>
                         </div>
                         <?php if($attachments->have()): ?>
                         <ul class="typecho-pager">
diff --git a/admin/manage-pages.php b/admin/manage-pages.php
index f6f64c34..423770f1 100644
--- a/admin/manage-pages.php
+++ b/admin/manage-pages.php
@@ -17,7 +17,7 @@ $stat = Typecho_Widget::widget('Widget_Stat');
                             <div class="btn-group btn-drop">
                             <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                             <ul class="dropdown-menu">
-                                <li><a lang="<?php _e('你确认要删除这些页面吗?'); ?>" href="<?php $options->index('/action/contents-page-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                                <li><a lang="<?php _e('你确认要删除这些页面吗?'); ?>" href="<?php $security->index('/action/contents-page-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
                             </ul>
                             </div>
                         </div>
@@ -119,7 +119,7 @@ include 'table-js.php';
                     ids.push($(this).val());
                 });
 
-                $.post('<?php $options->index('/action/contents-page-edit?do=sort'); ?>', 
+                $.post('<?php $security->index('/action/contents-page-edit?do=sort'); ?>',
                     $.param({cid : ids}));
             }
         });
diff --git a/admin/manage-posts.php b/admin/manage-posts.php
index 6a969938..c8f2f4ac 100644
--- a/admin/manage-posts.php
+++ b/admin/manage-posts.php
@@ -17,7 +17,7 @@ $stat = Typecho_Widget::widget('Widget_Stat');
                             <div class="btn-group btn-drop">
                                 <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                                 <ul class="dropdown-menu">
-                                    <li><a lang="<?php _e('你确认要删除这些文章吗?'); ?>" href="<?php $options->index('/action/contents-post-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                                    <li><a lang="<?php _e('你确认要删除这些文章吗?'); ?>" href="<?php $security->index('/action/contents-post-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
                                 </ul>
                             </div>  
                         </div>
@@ -127,7 +127,7 @@ $stat = Typecho_Widget::widget('Widget_Stat');
                             <div class="btn-group btn-drop">
                                 <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                                 <ul class="dropdown-menu">
-                                    <li><a lang="<?php _e('你确认要删除这些文章吗?'); ?>" href="<?php $options->index('/action/contents-post-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                                    <li><a lang="<?php _e('你确认要删除这些文章吗?'); ?>" href="<?php $security->index('/action/contents-post-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
                                 </ul>
                             </div>  
                         </div>
diff --git a/admin/manage-tags.php b/admin/manage-tags.php
index 05f2d7ff..b0f6ffd8 100644
--- a/admin/manage-tags.php
+++ b/admin/manage-tags.php
@@ -20,10 +20,10 @@ Typecho_Widget::widget('Widget_Metas_Tag_Admin')->to($tags);
                         <div class="btn-group btn-drop">
                         <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                         <ul class="dropdown-menu">
-                            <li><a lang="<?php _e('你确认要删除这些标签吗?'); ?>" href="<?php $options->index('/action/metas-tag-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
-                            <li><a lang="<?php _e('刷新标签可能需要等待较长时间, 你确认要刷新这些标签吗?'); ?>" href="<?php $options->index('/action/metas-tag-edit?do=refresh'); ?>"><?php _e('刷新'); ?></a></li>
+                            <li><a lang="<?php _e('你确认要删除这些标签吗?'); ?>" href="<?php $security->index('/action/metas-tag-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                            <li><a lang="<?php _e('刷新标签可能需要等待较长时间, 你确认要刷新这些标签吗?'); ?>" href="<?php $security->index('/action/metas-tag-edit?do=refresh'); ?>"><?php _e('刷新'); ?></a></li>
                             <li class="multiline">
-                                <button type="button" class="btn btn-s merge" rel="<?php $options->index('/action/metas-tag-edit?do=merge'); ?>"><?php _e('合并到'); ?></button>
+                                <button type="button" class="btn btn-s merge" rel="<?php $security->index('/action/metas-tag-edit?do=merge'); ?>"><?php _e('合并到'); ?></button>
                                 <input type="text" name="merge" class="text-s" />
                             </li>
                         </ul>
diff --git a/admin/manage-users.php b/admin/manage-users.php
index b18be034..5bfe7bfe 100644
--- a/admin/manage-users.php
+++ b/admin/manage-users.php
@@ -15,7 +15,7 @@ include 'menu.php';
                             <div class="btn-group btn-drop">
                             <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                             <ul class="dropdown-menu">
-                                <li><a lang="<?php _e('你确认要删除这些用户吗?'); ?>" href="<?php $options->index('/action/users-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                                <li><a lang="<?php _e('你确认要删除这些用户吗?'); ?>" href="<?php $security->index('/action/users-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
                             </ul>
                             </div>  
                         </div>
@@ -94,7 +94,7 @@ include 'menu.php';
                             <div class="btn-group btn-drop">
                             <button class="btn dropdown-toggle btn-s" type="button"><i class="sr-only"><?php _e('操作'); ?></i><?php _e('选中项'); ?> <i class="i-caret-down"></i></button>
                             <ul class="dropdown-menu">
-                                <li><a lang="<?php _e('你确认要删除这些用户吗?'); ?>" href="<?php $options->index('/action/users-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
+                                <li><a lang="<?php _e('你确认要删除这些用户吗?'); ?>" href="<?php $security->index('/action/users-edit?do=delete'); ?>"><?php _e('删除'); ?></a></li>
                             </ul>
                             </div>  
                         </div>
diff --git a/admin/media.php b/admin/media.php
index 64cae0f1..8a315373 100644
--- a/admin/media.php
+++ b/admin/media.php
@@ -144,7 +144,7 @@ $(document).ready(function() {
 
     var uploader = new plupload.Uploader({
         browse_button   :   $('.upload-file').get(0),
-        url             :   '<?php $options->index('/action/upload?do=modify&cid=' . $attachment->cid); ?>',
+        url             :   '<?php $security->index('/action/upload?do=modify&cid=' . $attachment->cid); ?>',
         runtimes        :   'html5,flash,silverlight,html4',
         flash_swf_url   :   '<?php $options->adminUrl('js/Moxie.swf'); ?>',
         silverlight_xap_url     :   '<?php $options->adminUrl('js/Moxie.xap'); ?>',
diff --git a/admin/plugins.php b/admin/plugins.php
index eaadad89..ccf6e790 100644
--- a/admin/plugins.php
+++ b/admin/plugins.php
@@ -43,15 +43,11 @@ include 'menu.php';
                                 . '">' . $activatedPlugins->author . '</a>'; ?></td>
                                 <td>
                                     <?php if ($activatedPlugins->activate || $activatedPlugins->deactivate || $activatedPlugins->config || $activatedPlugins->personalConfig): ?>
-                                        <?php if ($activatedPlugins->activated): ?>
-                                            <?php if ($activatedPlugins->config): ?>
-                                                <a href="<?php $options->adminUrl('options-plugin.php?config=' . $activatedPlugins->name); ?>"><?php _e('设置'); ?></a> 
-                                                &bull; 
-                                            <?php endif; ?>
-                                            <a lang="<?php _e('你确认要禁用插件 %s 吗?', $activatedPlugins->name); ?>" href="<?php $options->index('/action/plugins-edit?deactivate=' . $activatedPlugins->name); ?>"><?php _e('禁用'); ?></a>
-                                        <?php else: ?>
-                                            <a href="<?php $options->index('/action/plugins-edit?activate=' . $activatedPlugins->name); ?>"><?php _e('启用'); ?></a>
+                                        <?php if ($activatedPlugins->config): ?>
+                                            <a href="<?php $options->adminUrl('options-plugin.php?config=' . $activatedPlugins->name); ?>"><?php _e('设置'); ?></a>
+                                            &bull;
                                         <?php endif; ?>
+                                        <a lang="<?php _e('你确认要禁用插件 %s 吗?', $activatedPlugins->name); ?>" href="<?php $security->index('/action/plugins-edit?deactivate=' . $activatedPlugins->name); ?>"><?php _e('禁用'); ?></a>
                                     <?php else: ?>
                                         <span class="important"><?php _e('即插即用'); ?></span>
                                     <?php endif; ?>
@@ -105,17 +101,7 @@ include 'menu.php';
                                 <td><?php echo empty($deactivatedPlugins->homepage) ? $deactivatedPlugins->author : '<a href="' . $deactivatedPlugins->homepage
                                 . '">' . $deactivatedPlugins->author . '</a>'; ?></td>
                                 <td>
-                                    <?php if ($deactivatedPlugins->activate || $deactivatedPlugins->deactivate || $deactivatedPlugins->config || $deactivatedPlugins->personalConfig): ?>
-                                        <?php if ($deactivatedPlugins->activated): ?>
-                                            <?php if ($deactivatedPlugins->config): ?>
-                                                <a href="<?php $options->adminUrl('options-plugin.php?config=' . $deactivatedPlugins->name); ?>"><?php _e('设置'); ?></a> 
-                                                | 
-                                            <?php endif; ?>
-                                            <a href="<?php $options->index('/action/plugins-edit?deactivate=' . $deactivatedPlugins->name); ?>"><?php _e('禁用'); ?></a>
-                                        <?php else: ?>
-                                            <a href="<?php $options->index('/action/plugins-edit?activate=' . $deactivatedPlugins->name); ?>"><?php _e('启用'); ?></a>
-                                        <?php endif; ?>
-                                    <?php endif; ?>
+                                    <a href="<?php $security->index('/action/plugins-edit?activate=' . $deactivatedPlugins->name); ?>"><?php _e('启用'); ?></a>
                                 </td>
                             </tr>
                             <?php endwhile; ?>
diff --git a/admin/theme-editor.php b/admin/theme-editor.php
index a5c76e35..a042d00b 100644
--- a/admin/theme-editor.php
+++ b/admin/theme-editor.php
@@ -28,7 +28,7 @@ Typecho_Widget::widget('Widget_Themes_Files')->to($files);
                 
             <div class="typecho-edit-theme">
                 <div class="col-mb-12 col-tb-8 col-9 content">
-                    <form method="post" name="theme" id="theme" action="<?php $options->index('/action/themes-edit'); ?>">
+                    <form method="post" name="theme" id="theme" action="<?php $security->index('/action/themes-edit'); ?>">
                         <label for="content" class="sr-only"><?php _e('编辑源码'); ?></label>
                         <textarea name="content" id="content" class="w-100 mono" <?php if(!$files->currentIsWriteable()): ?>readonly<?php endif; ?>><?php echo $files->currentContent(); ?></textarea>
                         <p class="submit">
diff --git a/admin/themes.php b/admin/themes.php
index 1b21389b..24f375af 100644
--- a/admin/themes.php
+++ b/admin/themes.php
@@ -44,7 +44,7 @@ include 'menu.php';
                                     <?php if($options->theme != $themes->name): ?>
                                         <p>
                                             <a class="edit" href="<?php $options->adminUrl('theme-editor.php?theme=' . $themes->name); ?>"><?php _e('编辑'); ?></a> &nbsp;
-                                            <a class="activate" href="<?php $options->index('/action/themes-edit?change=' . $themes->name); ?>"><?php _e('启用'); ?></a>
+                                            <a class="activate" href="<?php $security->index('/action/themes-edit?change=' . $themes->name); ?>"><?php _e('启用'); ?></a>
                                         </p>
                                     <?php endif; ?>
                                 </td>
@@ -61,73 +61,5 @@ include 'menu.php';
 <?php
 include 'copyright.php';
 include 'common-js.php';
+include 'footer.php';
 ?>
-
-<script type="text/javascript">
-    (function () {
-        window.addEvent('domready', function() {
-            $(document).getElements('table.typecho-list-table tr td').each(function (item, index) {
-                var _a = item.getElement('a.activate'),
-                _e = item.getElement('a.edit');
-                
-                if (_a && _e) {
-                    item.addEvents({
-                    
-                        'mouseover': function () {
-                            this.addClass('hover');
-                            
-                            if (0 == index % 2) {
-                                _a.setStyles({
-                                
-                                    'right': _a.getParent('td').getNext('td').getSize().x + 1,
-                                    
-                                    'top': _a.getParent('td').getPosition(_a.getParent('.col-12')).y
-                                
-                                });
-                                
-                                _a.addClass('typecho-radius-bottomleft');
-                                
-                                _e.setStyles({
-                                
-                                    'right': _e.getParent('td').getNext('td').getSize().x + 1,
-                                    
-                                    'top': _e.getParent('td').getPosition(_e.getParent('.col-12')).y + _e.getParent('td').getSize().y - _e.getSize().y - 1
-                                
-                                });
-                                
-                                _e.addClass('typecho-radius-topleft');
-                            } else {
-                                _a.setStyles({
-                                
-                                    'left': _a.getParent('td').getPosition(_a.getParent('.col-12')).x,
-                                    
-                                    'top': _a.getParent('td').getPosition(_a.getParent('.col-12')).y
-                                
-                                });
-                                
-                                _a.addClass('typecho-radius-bottomright');
-                                
-                                _e.setStyles({
-                                
-                                    'left': _e.getParent('td').getPosition(_e.getParent('.col-12')).x,
-                                    
-                                    'top': _e.getParent('td').getPosition(_e.getParent('.col-12')).y + _e.getParent('td').getSize().y - _e.getSize().y - 1
-                                
-                                });
-                                
-                                _e.addClass('typecho-radius-topright');
-                            }
-                        },
-                        
-                        'mouseleave': function () {
-                            this.removeClass('hover');
-                        }
-                    
-                    });
-                }
-            });
-        });
-    })();
-</script>
-
-<?php include 'footer.php'; ?>
diff --git a/admin/upgrade.php b/admin/upgrade.php
index e907a75d..718d47a0 100644
--- a/admin/upgrade.php
+++ b/admin/upgrade.php
@@ -10,8 +10,9 @@ include 'menu.php';
         <div class="row typecho-page-main" role="main">
             <div class="col-mb-12">
                 <div id="typecho-welcome">
-                    <form action="<?php echo Typecho_Router::url('do', array('action' => 'upgrade', 'widget' => 'Upgrade'), 
-                    Typecho_Common::url('index.php', $options->rootUrl)); ?>" method="post">
+                    <form action="<?php echo $security->getTokenUrl(
+                        Typecho_Router::url('do', array('action' => 'upgrade', 'widget' => 'Upgrade'),
+                        Typecho_Common::url('index.php', $options->rootUrl))); ?>" method="post">
                     <h3><?php _e('检测到新版本!'); ?></h3>
                     <ul>
                         <li><?php _e('您已经更新了系统程序, 我们还需要执行一些后续步骤来完成升级'); ?></li>
diff --git a/admin/write-js.php b/admin/write-js.php
index 47bef5ed..695a84b0 100644
--- a/admin/write-js.php
+++ b/admin/write-js.php
@@ -38,7 +38,7 @@ $(document).ready(function() {
     $('#title').select();
 
     // text 自动拉伸
-    Typecho.editorResize('text', '<?php $options->index('/action/ajax?do=editorResize'); ?>');
+    Typecho.editorResize('text', '<?php $security->index('/action/ajax?do=editorResize'); ?>');
 
     // tag autocomplete 提示
     var tags = $('#tags'), tagsPre = [];
@@ -171,7 +171,7 @@ $(document).ready(function() {
                 locked = true;
 
                 autoSave.text('<?php _e('正在保存'); ?>');
-                $.post(formAction + '?do=save', data, function (o) {
+                $.post(formAction, data + '&do=save', function (o) {
                     savedData = data;
                     lastSaveTime = o.time;
                     cid = o.cid;
diff --git a/admin/write-page.php b/admin/write-page.php
index f764ef5b..2b50bf2f 100644
--- a/admin/write-page.php
+++ b/admin/write-page.php
@@ -8,12 +8,12 @@ Typecho_Widget::widget('Widget_Contents_Page_Edit')->to($page);
     <div class="body container">
         <?php include 'page-title.php'; ?>
         <div class="row typecho-page-main typecho-post-area" role="form">
-            <form action="<?php $options->index('/action/contents-page-edit'); ?>" method="post" name="write_page">
+            <form action="<?php $security->index('/action/contents-page-edit'); ?>" method="post" name="write_page">
                 <div class="col-mb-12 col-tb-9" role="main">
                     <?php if ($page->draft && $page->draft['cid'] != $page->cid): ?>
                     <?php $pageModifyDate = new Typecho_Date($page->draft['modified']); ?>
                         <cite class="edit-draft-notice"><?php _e('当前正在编辑的是保存于%s的草稿, 你可以<a href="%s">删除它</a>', $pageModifyDate->word(), 
-                        Typecho_Common::url('/action/contents-page-edit?do=deleteDraft&cid=' . $page->cid, $options->index)); ?></cite>
+                        $security->getIndex('/action/contents-page-edit?do=deleteDraft&cid=' . $page->cid)); ?></cite>
                     <?php endif; ?>
 
                     <p class="title">
diff --git a/admin/write-post.php b/admin/write-post.php
index 87f5c23b..d8ad69f8 100644
--- a/admin/write-post.php
+++ b/admin/write-post.php
@@ -8,12 +8,12 @@ Typecho_Widget::widget('Widget_Contents_Post_Edit')->to($post);
     <div class="body container">
         <?php include 'page-title.php'; ?>
         <div class="row typecho-page-main typecho-post-area" role="form">
-            <form action="<?php $options->index('/action/contents-post-edit'); ?>" method="post" name="write_post">
+            <form action="<?php $security->index('/action/contents-post-edit'); ?>" method="post" name="write_post">
                 <div class="col-mb-12 col-tb-9" role="main">
                     <?php if ($post->draft && $post->draft['cid'] != $post->cid): ?>
                     <?php $postModifyDate = new Typecho_Date($post->draft['modified']); ?>
                     <cite class="edit-draft-notice"><?php _e('你正在编辑的是保存于 %s 的草稿, 你也可以 <a href="%s">删除它</a>', $postModifyDate->word(), 
-                    Typecho_Common::url('/action/contents-post-edit?do=deleteDraft&cid=' . $post->cid, $options->index)); ?></cite>
+                    $security->getIndex('/action/contents-post-edit?do=deleteDraft&cid=' . $post->cid)); ?></cite>
                     <?php endif; ?>
 
                     <p class="title">
diff --git a/var/Typecho/Common.php b/var/Typecho/Common.php
index ed8430d0..94fbf3c1 100644
--- a/var/Typecho/Common.php
+++ b/var/Typecho/Common.php
@@ -22,14 +22,6 @@ class Typecho_Common
     /** 程序版本 */
     const VERSION = '0.9/14.2.24';
 
-    /**
-     * 缓存的包含路径
-     *
-     * @access private
-     * @var array
-     */
-    private static $_cachedIncludePath = false;
-
     /**
      * 锁定的代码块
      *
@@ -38,14 +30,6 @@ class Typecho_Common
      */
     private static $_lockedBlocks = array('<p></p>' => '');
     
-    /**
-     * 允许的标签
-     * 
-     * @access private
-     * @var array
-     */
-    private static $_allowableTags = '';
-    
     /**
      * 允许的属性
      * 
@@ -522,6 +506,7 @@ EOF;
      * </code>
      *
      * @access public
+     * @param int $count
      * @return string
      */
     public static function splitByCount($count)
@@ -602,14 +587,12 @@ EOF;
      * </code>
      *
      * @access public
-     * @param string $string 需要处理的字符串
+     * @param string $html 需要处理的字符串
      * @param string $allowableTags 需要忽略的html标签
      * @return string
      */
     public static function stripTags($html, $allowableTags = NULL)
     {
-        static $dom;
-
         $normalizeTags = '';
         $allowableAttributes = array();
 
@@ -645,8 +628,7 @@ EOF;
     /**
      * 将url中的非法字符串
      *
-     * @access private
-     * @param string $string 需要过滤的url
+     * @param string $url 需要过滤的url
      * @return string
      */
     public static function safeUrl($url)
diff --git a/var/Typecho/Config.php b/var/Typecho/Config.php
index 7f7eb31a..0e58fc74 100644
--- a/var/Typecho/Config.php
+++ b/var/Typecho/Config.php
@@ -32,7 +32,6 @@ class Typecho_Config implements Iterator
      *
      * @access public
      * @param mixed $config 配置列表
-     * @return void
      */
     public function __construct($config = array())
     {
@@ -45,7 +44,7 @@ class Typecho_Config implements Iterator
      *
      * @access public
      * @param array $config 配置列表
-     * @return void
+     * @return Typecho_Config
      */
     public static function factory($config = array())
     {
@@ -118,7 +117,7 @@ class Typecho_Config implements Iterator
      * 获取当前指针
      *
      * @access public
-     * @return void
+     * @return mixed
      */
     public function key()
     {
diff --git a/var/Typecho/Db.php b/var/Typecho/Db.php
index a571a89a..1bb00d16 100644
--- a/var/Typecho/Db.php
+++ b/var/Typecho/Db.php
@@ -109,7 +109,7 @@ class Typecho_Db
      *
      * @param mixed $adapterName 适配器名称
      * @param string $prefix 前缀
-     * @return void
+     * @throws Typecho_Db_Exception
      */
     public function __construct($adapterName, $prefix = 'typecho_')
     {
diff --git a/var/Typecho/Request.php b/var/Typecho/Request.php
index 88b39146..6b4e4a7a 100644
--- a/var/Typecho/Request.php
+++ b/var/Typecho/Request.php
@@ -137,7 +137,7 @@ class Typecho_Request
      *
      * @access private
      * @param mixed $value
-     * @return void
+     * @return mixed
      */
     private function _applyFilter($value)
     {
@@ -156,8 +156,7 @@ class Typecho_Request
      * 设置过滤器
      *
      * @access public
-     * @param mixed $filter 过滤器名称
-     * @return Typecho_Widget_Request
+     * @return Typecho_Request
      */
     public function filter()
     {
@@ -176,7 +175,7 @@ class Typecho_Request
      *
      * @access public
      * @param string $key 指定参数
-     * @return void
+     * @return mixed
      */
     public function __get($key)
     {
@@ -188,13 +187,12 @@ class Typecho_Request
      *
      * @access public
      * @param string $key 指定参数
-     * @return void
+     * @return boolean
      */
     public function __isset($key)
     {
         return isset($_GET[$key])
         || isset($_POST[$key])
-        || isset($_COOKIE[$key])
         || $this->isSetParam($key);
     }
 
@@ -204,12 +202,10 @@ class Typecho_Request
      * @access public
      * @param string $key 指定参数
      * @param mixed $default 默认参数 (default: NULL)
-     * @return void
+     * @return mixed
      */
     public function get($key, $default = NULL)
     {
-        $value = $default;
-
         switch (true) {
             case isset($this->_params[$key]):
                 $value = $this->_params[$key];
@@ -220,9 +216,6 @@ class Typecho_Request
             case isset($_POST[$key]):
                 $value = $_POST[$key];
                 break;
-            case isset($_COOKIE[$key]):
-                $value = $_COOKIE[$key];
-                break;
             default:
                 $value = $default;
                 break;
@@ -236,7 +229,7 @@ class Typecho_Request
      * 从参数列表指定的值中获取http传递参数
      *
      * @access public
-     * @param mixed $parameter 指定的参数
+     * @param mixed $params 指定的参数
      * @return array
      */
     public function from($params)
@@ -325,7 +318,7 @@ class Typecho_Request
      * getRequestRoot 
      * 
      * @access public
-     * @return void
+     * @return string
      */
     public function getRequestRoot()
     {
@@ -595,8 +588,7 @@ class Typecho_Request
      * 设置ip地址
      *
      * @access public
-     * @param unknown $ip
-     * @return unknown
+     * @param string $ip
      */
     public function setIp($ip = NULL)
     {
@@ -648,7 +640,7 @@ class Typecho_Request
      * 获取客户端
      *
      * @access public
-     * @return void
+     * @return string
      */
     public function getAgent()
     {
@@ -675,7 +667,7 @@ class Typecho_Request
      * 获取客户端
      *
      * @access public
-     * @return void
+     * @return string
      */
     public function getReferer()
     {
diff --git a/var/Widget/Abstract.php b/var/Widget/Abstract.php
index c33e55a4..d8dfb328 100644
--- a/var/Widget/Abstract.php
+++ b/var/Widget/Abstract.php
@@ -35,6 +35,13 @@ abstract class Widget_Abstract extends Typecho_Widget
      */
     protected $user;
 
+    /**
+     * 安全模块
+     *
+     * @var Widget_Security
+     */
+    protected $security;
+
     /**
      * 数据库对象
      *
@@ -61,6 +68,7 @@ abstract class Widget_Abstract extends Typecho_Widget
         /** 初始化常用组件 */
         $this->options = $this->widget('Widget_Options');
         $this->user = $this->widget('Widget_User');
+        $this->security = $this->widget('Widget_Security');
     }
 
     /**
diff --git a/var/Widget/Comments/Edit.php b/var/Widget/Comments/Edit.php
index 8199473b..e1da513f 100644
--- a/var/Widget/Comments/Edit.php
+++ b/var/Widget/Comments/Edit.php
@@ -368,6 +368,7 @@ class Widget_Comments_Edit extends Widget_Abstract_Comments implements Widget_In
     public function action()
     {
         $this->user->pass('contributor');
+        $this->security->protect();
         $this->on($this->request->is('do=waiting'))->waitingComment();
         $this->on($this->request->is('do=spam'))->spamComment();
         $this->on($this->request->is('do=approved'))->approvedComment();
diff --git a/var/Widget/Contents/Attachment/Edit.php b/var/Widget/Contents/Attachment/Edit.php
index 7839d9cd..841a7109 100644
--- a/var/Widget/Contents/Attachment/Edit.php
+++ b/var/Widget/Contents/Attachment/Edit.php
@@ -107,13 +107,12 @@ class Widget_Contents_Attachment_Edit extends Widget_Contents_Post_Edit implemen
      * 生成表单
      *
      * @access public
-     * @param string $action 表单动作
      * @return Typecho_Widget_Helper_Form_Element
      */
-    public function form($action = NULL)
+    public function form()
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/contents-attachment-edit', $this->options->index),
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/contents-attachment-edit'),
         Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 文件名称 */
@@ -141,10 +140,11 @@ class Widget_Contents_Attachment_Edit extends Widget_Contents_Post_Edit implemen
         /** 提交按钮 */
         $submit = new Typecho_Widget_Helper_Form_Element_Submit(NULL, NULL, _t('提交修改'));
         $submit->input->setAttribute('class', 'btn primary');
-        $delete = new Typecho_Widget_Helper_Layout('a', array('href' =>
-        Typecho_Common::url('/action/contents-attachment-edit?do=delete&cid=' . $this->cid, $this->options->index),
-        'class' => 'operate-delete',
-        'lang'  => _t('你确认删除文件 %s 吗?', $this->attachment->name)));
+        $delete = new Typecho_Widget_Helper_Layout('a', array(
+            'href'  => $this->security->getIndex('/action/contents-attachment-edit?do=delete&cid=' . $this->cid),
+            'class' => 'operate-delete',
+            'lang'  => _t('你确认删除文件 %s 吗?', $this->attachment->name)
+        ));
         $submit->container($delete->html(_t('删除文件')));
         $form->addItem($submit);
 
@@ -326,6 +326,7 @@ class Widget_Contents_Attachment_Edit extends Widget_Contents_Post_Edit implemen
      */
     public function action()
     {
+        $this->security->protect();
         $this->on($this->request->is('do=delete'))->deleteAttachment();
         $this->on($this->request->is('do=update'))->updateAttachment();
         $this->on($this->request->is('do=clear'))->clearAttachment();
diff --git a/var/Widget/Contents/Page/Edit.php b/var/Widget/Contents/Page/Edit.php
index ad7d4dbe..91918ab4 100644
--- a/var/Widget/Contents/Page/Edit.php
+++ b/var/Widget/Contents/Page/Edit.php
@@ -260,6 +260,7 @@ class Widget_Contents_Page_Edit extends Widget_Contents_Post_Edit implements Wid
      */
     public function action()
     {
+        $this->security->protect();
         $this->on($this->request->is('do=publish') || $this->request->is('do=save'))->writePage();
         $this->on($this->request->is('do=delete'))->deletePage();
         $this->on($this->request->is('do=deleteDraft'))->deletePageDraft();
diff --git a/var/Widget/Contents/Post/Admin.php b/var/Widget/Contents/Post/Admin.php
index ccfc702d..dcf8bedd 100644
--- a/var/Widget/Contents/Post/Admin.php
+++ b/var/Widget/Contents/Post/Admin.php
@@ -35,14 +35,6 @@ class Widget_Contents_Post_Admin extends Widget_Abstract_Contents
      */
     private $_total = false;
 
-    /**
-     * 分页大小
-     *
-     * @access private
-     * @var integer
-     */
-    private $pageSize;
-
     /**
      * 当前页
      *
diff --git a/var/Widget/Contents/Post/Edit.php b/var/Widget/Contents/Post/Edit.php
index 57d56996..39f3811b 100644
--- a/var/Widget/Contents/Post/Edit.php
+++ b/var/Widget/Contents/Post/Edit.php
@@ -887,6 +887,7 @@ class Widget_Contents_Post_Edit extends Widget_Abstract_Contents implements Widg
      */
     public function action()
     {
+        $this->security->protect();
         $this->on($this->request->is('do=publish') || $this->request->is('do=save'))->writePost();
         $this->on($this->request->is('do=delete'))->deletePost();
         $this->on($this->request->is('do=deleteDraft'))->deletePostDraft();
diff --git a/var/Widget/Do.php b/var/Widget/Do.php
index 9890d8c8..13f608e8 100644
--- a/var/Widget/Do.php
+++ b/var/Widget/Do.php
@@ -35,7 +35,6 @@ class Widget_Do extends Typecho_Widget
         'contents-attachment-edit'  =>  'Widget_Contents_Attachment_Edit',
         'metas-category-edit'       =>  'Widget_Metas_Category_Edit',
         'metas-tag-edit'            =>  'Widget_Metas_Tag_Edit',
-        'metas-tag-edit'            =>  'Widget_Metas_Tag_Edit',
         'options-discussion'        =>  'Widget_Options_Discussion',
         'options-general'           =>  'Widget_Options_General',
         'options-permalink'         =>  'Widget_Options_Permalink',
diff --git a/var/Widget/Feedback.php b/var/Widget/Feedback.php
index 4da015bf..83b3fa4b 100644
--- a/var/Widget/Feedback.php
+++ b/var/Widget/Feedback.php
@@ -258,6 +258,7 @@ class Widget_Feedback extends Widget_Abstract_Comments implements Widget_Interfa
      *
      * @access public
      * @return void
+     * @throws Typecho_Widget_Exception
      */
     public function action()
     {
diff --git a/var/Widget/Metas/Category/Edit.php b/var/Widget/Metas/Category/Edit.php
index f00ed001..13d79431 100644
--- a/var/Widget/Metas/Category/Edit.php
+++ b/var/Widget/Metas/Category/Edit.php
@@ -123,8 +123,8 @@ class Widget_Metas_Category_Edit extends Widget_Abstract_Metas implements Widget
     public function form($action = NULL)
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/metas-category-edit', $this->options->index),
-        Typecho_Widget_Helper_Form::POST_METHOD);
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/metas-category-edit'),
+            Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 分类名称 */
         $name = new Typecho_Widget_Helper_Form_Element_Text('name', NULL, NULL, _t('分类名称 *'));
@@ -478,6 +478,7 @@ class Widget_Metas_Category_Edit extends Widget_Abstract_Metas implements Widget
      */
     public function action()
     {
+        $this->security->protect();
         $this->on($this->request->is('do=insert'))->insertCategory();
         $this->on($this->request->is('do=update'))->updateCategory();
         $this->on($this->request->is('do=delete'))->deleteCategory();
diff --git a/var/Widget/Metas/Tag/Edit.php b/var/Widget/Metas/Tag/Edit.php
index 0ae4d620..c2afb0e7 100644
--- a/var/Widget/Metas/Tag/Edit.php
+++ b/var/Widget/Metas/Tag/Edit.php
@@ -124,8 +124,8 @@ class Widget_Metas_Tag_Edit extends Widget_Abstract_Metas implements Widget_Inte
     public function form($action = NULL)
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/metas-tag-edit', $this->options->index),
-        Typecho_Widget_Helper_Form::POST_METHOD);
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/metas-tag-edit'),
+            Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 标签名称 */
         $name = new Typecho_Widget_Helper_Form_Element_Text('name', NULL, NULL,
@@ -352,6 +352,7 @@ class Widget_Metas_Tag_Edit extends Widget_Abstract_Metas implements Widget_Inte
      */
     public function action()
     {
+        $this->security->protect();
         $this->on($this->request->is('do=insert'))->insertTag();
         $this->on($this->request->is('do=update'))->updateTag();
         $this->on($this->request->is('do=delete'))->deleteTag();
diff --git a/var/Widget/Options.php b/var/Widget/Options.php
index 3264840b..d52146c0 100644
--- a/var/Widget/Options.php
+++ b/var/Widget/Options.php
@@ -50,7 +50,6 @@ class Widget_Options extends Typecho_Widget
      * @param mixed $request request对象
      * @param mixed $response response对象
      * @param mixed $params 参数列表
-     * @return void
      */
     public function __construct($request, $response, $params = NULL)
     {
@@ -470,7 +469,8 @@ class Widget_Options extends Typecho_Widget
      * 获取插件系统参数
      *
      * @param mixed $pluginName 插件名称
-     * @return void
+     * @return mixed
+     * @throws Typecho_Plugin_Exception
      */
     public function plugin($pluginName)
     {
@@ -490,7 +490,8 @@ class Widget_Options extends Typecho_Widget
      * 获取个人插件系统参数
      *
      * @param mixed $pluginName 插件名称
-     * @return void
+     * @return mixed
+     * @throws Typecho_Plugin_Exception
      */
     public function personalPlugin($pluginName)
     {
diff --git a/var/Widget/Options/Discussion.php b/var/Widget/Options/Discussion.php
index 9ebbc3ca..99a5aa20 100644
--- a/var/Widget/Options/Discussion.php
+++ b/var/Widget/Options/Discussion.php
@@ -29,7 +29,7 @@ class Widget_Options_Discussion extends Widget_Abstract_Options implements Widge
     public function form()
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/options-discussion', $this->options->index),
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/options-discussion'),
         Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 评论日期格式 */
@@ -232,6 +232,7 @@ class Widget_Options_Discussion extends Widget_Abstract_Options implements Widge
     public function action()
     {
         $this->user->pass('administrator');
+        $this->security->protect();
         $this->on($this->request->isPost())->updateDiscussionSettings();
         $this->response->redirect($this->options->adminUrl);
     }
diff --git a/var/Widget/Options/General.php b/var/Widget/Options/General.php
index 8955e338..21353f5f 100644
--- a/var/Widget/Options/General.php
+++ b/var/Widget/Options/General.php
@@ -29,7 +29,7 @@ class Widget_Options_General extends Widget_Abstract_Options implements Widget_I
     public function form()
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/options-general', $this->options->index),
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/options-general'),
         Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 站点名称 */
@@ -186,6 +186,7 @@ class Widget_Options_General extends Widget_Abstract_Options implements Widget_I
     public function action()
     {
         $this->user->pass('administrator');
+        $this->security->protect();
         $this->on($this->request->isPost())->updateGeneralSettings();
         $this->response->redirect($this->options->adminUrl);
     }
diff --git a/var/Widget/Options/Permalink.php b/var/Widget/Options/Permalink.php
index 44b1f9f9..f235f39d 100644
--- a/var/Widget/Options/Permalink.php
+++ b/var/Widget/Options/Permalink.php
@@ -203,7 +203,7 @@ RewriteRule . {$basePath}index.php [L]
     public function form()
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('index.php/action/options-permalink', $this->options->rootUrl),
+        $form = new Typecho_Widget_Helper_Form($this->security->getRootUrl('index.php/action/options-permalink'),
         Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 是否使用地址重写功能 */
@@ -342,6 +342,7 @@ RewriteRule . {$basePath}index.php [L]
     public function action()
     {
         $this->user->pass('administrator');
+        $this->security->protect();
         $this->on($this->request->isGet() && $this->request->is('do=enableRewriteAnyway'))->enableRewriteAnyway();
         $this->on($this->request->isPost())->updatePermalinkSettings();
         $this->response->redirect($this->options->adminUrl);
diff --git a/var/Widget/Options/Reading.php b/var/Widget/Options/Reading.php
index f2892c0b..0a4db64f 100644
--- a/var/Widget/Options/Reading.php
+++ b/var/Widget/Options/Reading.php
@@ -29,8 +29,8 @@ class Widget_Options_Reading extends Widget_Options_Permalink
     public function form()
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/options-reading', $this->options->index),
-        Typecho_Widget_Helper_Form::POST_METHOD);
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/options-reading'),
+            Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 文章日期格式 */
         $postDateFormat = new Typecho_Widget_Helper_Form_Element_Text('postDateFormat', NULL, $this->options->postDateFormat,
@@ -209,6 +209,7 @@ class Widget_Options_Reading extends Widget_Options_Permalink
     public function action()
     {
         $this->user->pass('administrator');
+        $this->security->protect();
         $this->on($this->request->isPost())->updateReadingSettings();
         $this->response->redirect($this->options->adminUrl);
     }
diff --git a/var/Widget/Plugins/Config.php b/var/Widget/Plugins/Config.php
index 921f44ac..61e2b2a9 100644
--- a/var/Widget/Plugins/Config.php
+++ b/var/Widget/Plugins/Config.php
@@ -46,7 +46,6 @@ class Widget_Plugins_Config extends Widget_Abstract_Options
      * 绑定动作
      *
      * @access public
-     * @return unknown
      */
     public function execute()
     {
@@ -76,7 +75,8 @@ class Widget_Plugins_Config extends Widget_Abstract_Options
      * 配置插件
      *
      * @access public
-     * @return void
+     * @return Typecho_Widget_Helper_Form
+     * @throws Typecho_Widget_Exception
      */
     public function config()
     {
@@ -94,8 +94,8 @@ class Widget_Plugins_Config extends Widget_Abstract_Options
 
         /** 载入插件 */
         require_once $this->_pluginFileName;
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/plugins-edit?config=' . $pluginName,
-        $this->options->index), Typecho_Widget_Helper_Form::POST_METHOD);
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/plugins-edit?config=' . $pluginName),
+            Typecho_Widget_Helper_Form::POST_METHOD);
         call_user_func(array($this->_className, 'config'), $form);
 
         $options = $this->options->plugin($pluginName);
diff --git a/var/Widget/Plugins/Edit.php b/var/Widget/Plugins/Edit.php
index 3a3038ad..a8534abd 100644
--- a/var/Widget/Plugins/Edit.php
+++ b/var/Widget/Plugins/Edit.php
@@ -22,13 +22,10 @@ class Widget_Plugins_Edit extends Widget_Abstract_Options implements Widget_Inte
 {
     /**
      * 手动配置插件变量
-     * 
-     * @access public
-     * @static
-     * @param mixed $pluginName 插件名称
-     * @param mixed array $settings 变量键值对
-     * @param bool $isPersonal. (default: false) 是否为私人变量
-     * @return void
+     *
+     * @param       $pluginName 插件名称
+     * @param array $settings 变量键值对
+     * @param bool  $isPersonal 是否为私人变量
      */
     public static function configPlugin($pluginName, array $settings, $isPersonal = false)
     {
@@ -69,8 +66,8 @@ class Widget_Plugins_Edit extends Widget_Abstract_Options implements Widget_Inte
     /**
      * 启用插件
      *
-     * @access public
-     * @return void
+     * @param $pluginName
+     * @throws Typecho_Widget_Exception
      */
     public function activate($pluginName)
     {
@@ -143,8 +140,10 @@ class Widget_Plugins_Edit extends Widget_Abstract_Options implements Widget_Inte
     /**
      * 禁用插件
      *
-     * @access public
-     * @return void
+     * @param $pluginName
+     * @throws Typecho_Widget_Exception
+     * @throws Exception
+     * @throws Typecho_Plugin_Exception
      */
     public function deactivate($pluginName)
     {
@@ -210,6 +209,7 @@ class Widget_Plugins_Edit extends Widget_Abstract_Options implements Widget_Inte
     /**
      * 配置插件
      *
+     * @param $pluginName
      * @access public
      * @return void
      */
@@ -287,6 +287,7 @@ class Widget_Plugins_Edit extends Widget_Abstract_Options implements Widget_Inte
     public function action()
     {
         $this->user->pass('administrator');
+        $this->security->protect();
         $this->on($this->request->is('activate'))->activate($this->request->activate);
         $this->on($this->request->is('deactivate'))->deactivate($this->request->deactivate);
         $this->on($this->request->is('config'))->config($this->request->config);
diff --git a/var/Widget/Security.php b/var/Widget/Security.php
new file mode 100644
index 00000000..a51777ee
--- /dev/null
+++ b/var/Widget/Security.php
@@ -0,0 +1,134 @@
+<?php
+
+/**
+ * 安全选项组件
+ *
+ * @link typecho
+ * @package Widget
+ * @copyright Copyright (c) 2014 Typecho team (http://typecho.org)
+ * @license GNU General Public License 2.0
+ */
+class Widget_Security extends Typecho_Widget
+{
+    /**
+     * @var string
+     */
+    private $_token;
+
+    /**
+     * @var Widget_Options
+     */
+    private $_options;
+
+    /**
+     * 初始化函数
+     *
+     */
+    public function execute()
+    {
+        $this->_options = $this->widget('Widget_Options');
+        $user = $this->widget('Widget_User');
+
+        $token = uniqid();
+        if ($user->hasLogin()) {
+            $token = $user->authCode . '&' . $user->uid
+                . '&' . $this->request->getRequestUrl();
+        }
+
+        $this->_token = md5($token);
+    }
+
+    /**
+     * 生成带token的路径
+     *
+     * @param $path
+     * @return string
+     */
+    public function getTokenUrl($path)
+    {
+        $parts = parse_url($path);
+        $params = array();
+
+        if (!empty($parts['query'])) {
+            parse_str($parts['query'], $params);
+        }
+
+        $params['_'] = $this->_token;
+        $parts['query'] = http_build_query($params);
+
+        return Typecho_Common::buildUrl($parts);
+    }
+
+    /**
+     * 保护提交数据
+     *
+     */
+    public function protect()
+    {
+        $user = $this->widget('Widget_User');
+        $token = uniqid();
+        if ($user->hasLogin()) {
+            $token = $user->authCode . '&' . $user->uid
+                . '&' . $this->request->getReferer();
+        }
+
+        if ($this->request->get('_') != md5($token)) {
+            $this->widget('Widget_Notice')->set(_t('一次不安全的跳转已经被阻止'));
+            $this->response->redirect($this->_options->adminUrl);
+        }
+    }
+
+    /**
+     * 获取安全的后台路径
+     *
+     * @param string $path
+     * @return string
+     */
+    public function getAdminUrl($path)
+    {
+        return Typecho_Common::url($this->getTokenUrl($path), $this->_options->adminUrl);
+    }
+
+    /**
+     * 获取安全的路由路径
+     *
+     * @param $path
+     * @return string
+     */
+    public function getIndex($path)
+    {
+        return Typecho_Common::url($this->getTokenUrl($path), $this->_options->index);
+    }
+
+    /**
+     * 获取绝对路由路径
+     *
+     * @param $path
+     * @return string
+     */
+    public function getRootUrl($path)
+    {
+        return Typecho_Common::url($this->getTokenUrl($path), $this->_options->rootUrl);
+    }
+
+    /**
+     * 输出后台安全路径
+     *
+     * @param $path
+     */
+    public function adminUrl($path)
+    {
+        echo $this->getAdminUrl($path);
+    }
+
+    /**
+     * 输出安全的路由路径
+     *
+     * @param $path
+     */
+    public function index($path)
+    {
+        echo $this->getIndex($path);
+    }
+}
+ 
\ No newline at end of file
diff --git a/var/Widget/Themes/Config.php b/var/Widget/Themes/Config.php
index 60c27cdd..9d77ebec 100644
--- a/var/Widget/Themes/Config.php
+++ b/var/Widget/Themes/Config.php
@@ -23,6 +23,7 @@ class Widget_Themes_Config extends Widget_Abstract_Options
      *
      * @access public
      * @return void
+     * @throws Typecho_Widget_Exception
      */
     public function execute()
     {
@@ -52,7 +53,8 @@ class Widget_Themes_Config extends Widget_Abstract_Options
      */
     public static function isExists()
     {
-        $configFile = __TYPECHO_ROOT_DIR__ . __TYPECHO_THEME_DIR__ . '/' . Typecho_Widget::widget('Widget_Options')->theme . '/functions.php';
+        $configFile = __TYPECHO_ROOT_DIR__ . __TYPECHO_THEME_DIR__
+            . '/' . Typecho_Widget::widget('Widget_Options')->theme . '/functions.php';
         
         if (file_exists($configFile)) {
             require_once $configFile;
@@ -69,12 +71,12 @@ class Widget_Themes_Config extends Widget_Abstract_Options
      * 配置外观
      *
      * @access public
-     * @return void
+     * @return Typecho_Widget_Helper_Form
      */
     public function config()
     {
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/themes-edit?config',
-        $this->options->index), Typecho_Widget_Helper_Form::POST_METHOD);
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/themes-edit?config'),
+            Typecho_Widget_Helper_Form::POST_METHOD);
         themeConfig($form);
         $inputs = $form->getInputs();
         
diff --git a/var/Widget/Themes/Edit.php b/var/Widget/Themes/Edit.php
index b320789d..30bbceb0 100644
--- a/var/Widget/Themes/Edit.php
+++ b/var/Widget/Themes/Edit.php
@@ -26,6 +26,7 @@ class Widget_Themes_Edit extends Widget_Abstract_Options implements Widget_Inter
      * @access public
      * @param string $theme 外观名称
      * @return void
+     * @throws Typecho_Widget_Exception
      */
     public function changeTheme($theme)
     {
@@ -76,6 +77,7 @@ class Widget_Themes_Edit extends Widget_Abstract_Options implements Widget_Inter
      * @param string $theme 外观名称
      * @param string $file 文件名
      * @return void
+     * @throws Typecho_Widget_Exception
      */
     public function editThemeFile($theme, $file)
     {
@@ -141,7 +143,6 @@ class Widget_Themes_Edit extends Widget_Abstract_Options implements Widget_Inter
      * 用自有函数处理配置信息
      *
      * @access public
-     * @param string $pluginName 插件名称
      * @param array $settings 配置值
      * @param boolean $isInit 是否为初始化
      * @return boolean
@@ -166,6 +167,7 @@ class Widget_Themes_Edit extends Widget_Abstract_Options implements Widget_Inter
     {
         /** 需要管理员权限 */
         $this->user->pass('administrator');
+        $this->security->protect();
         $this->on($this->request->is('change'))->changeTheme($this->request->change);
         $this->on($this->request->is('edit&theme'))->editThemeFile($this->request->theme, $this->request->edit);
         $this->on($this->request->is('config'))->config($this->options->theme);
diff --git a/var/Widget/Themes/Files.php b/var/Widget/Themes/Files.php
index c568ab15..750e4ab7 100644
--- a/var/Widget/Themes/Files.php
+++ b/var/Widget/Themes/Files.php
@@ -41,6 +41,7 @@ class Widget_Themes_Files extends Typecho_Widget
      *
      * @access public
      * @return void
+     * @throws Typecho_Widget_Exception
      */
     public function execute()
     {
diff --git a/var/Widget/Upgrade.php b/var/Widget/Upgrade.php
index bb19d44b..45847e5c 100644
--- a/var/Widget/Upgrade.php
+++ b/var/Widget/Upgrade.php
@@ -117,6 +117,7 @@ class Widget_Upgrade extends Widget_Abstract_Options implements Widget_Interface
     public function action()
     {
         $this->user->pass('administrator');
+        $this->security->protect();
         $this->on($this->request->isPost())->upgrade();
         $this->response->redirect($this->options->adminUrl);
     }
diff --git a/var/Widget/Upload.php b/var/Widget/Upload.php
index e22127e3..e4b110f6 100644
--- a/var/Widget/Upload.php
+++ b/var/Widget/Upload.php
@@ -413,6 +413,7 @@ class Widget_Upload extends Widget_Abstract_Contents implements Widget_Interface
     public function action()
     {
         if ($this->user->pass('contributor', true) && $this->request->isPost()) {
+            $this->security->protect();
             if ($this->request->is('do=modify&cid')) {
                 $this->modify();
             } else {
diff --git a/var/Widget/User.php b/var/Widget/User.php
index e9bf03fb..333f3866 100644
--- a/var/Widget/User.php
+++ b/var/Widget/User.php
@@ -63,7 +63,6 @@ class Widget_User extends Typecho_Widget
      * @param mixed $request request对象
      * @param mixed $response response对象
      * @param mixed $params 参数列表
-     * @return void
      */
     public function __construct($request, $response, $params = NULL)
     {
@@ -132,7 +131,8 @@ class Widget_User extends Typecho_Widget
         if ($user && $hashValidate) {
 
             if (!$temporarily) {
-                $authCode = sha1(Typecho_Common::randString(20));
+                $authCode = function_exists('openssl_random_pseudo_bytes') ?
+                    bin2hex(openssl_random_pseudo_bytes(16)) : sha1(Typecho_Common::randString(20));
                 $user['authCode'] = $authCode;
 
                 Typecho_Cookie::set('__typecho_uid', $user['uid'], $expire);
@@ -203,7 +203,7 @@ class Widget_User extends Typecho_Widget
      * 判断用户是否已经登录
      *
      * @access public
-     * @return void
+     * @return boolean
      */
     public function hasLogin()
     {
@@ -237,7 +237,7 @@ class Widget_User extends Typecho_Widget
      * @param string $group 用户组
      * @param boolean $return 是否为返回模式
      * @return boolean
-     * @throws TypechoWidgetException
+     * @throws Typecho_Widget_Exception
      */
     public function pass($group, $return = false)
     {
diff --git a/var/Widget/Users/Admin.php b/var/Widget/Users/Admin.php
index 905ff8db..7762e41f 100644
--- a/var/Widget/Users/Admin.php
+++ b/var/Widget/Users/Admin.php
@@ -34,14 +34,6 @@ class Widget_Users_Admin extends Widget_Abstract_Users
      */
     private $_total = false;
 
-    /**
-     * 分页大小
-     *
-     * @access private
-     * @var integer
-     */
-    private $_pageSize;
-
     /**
      * 当前页
      *
diff --git a/var/Widget/Users/Edit.php b/var/Widget/Users/Edit.php
index 6dc825e4..78e9d6ae 100644
--- a/var/Widget/Users/Edit.php
+++ b/var/Widget/Users/Edit.php
@@ -90,7 +90,7 @@ class Widget_Users_Edit extends Widget_Abstract_Users implements Widget_Interfac
     public function form($action = NULL)
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/users-edit', $this->options->index),
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/users-edit'),
         Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 用户名称 */
@@ -298,6 +298,7 @@ class Widget_Users_Edit extends Widget_Abstract_Users implements Widget_Interfac
     public function action()
     {
         $this->user->pass('administrator');
+        $this->security->protect();
         $this->on($this->request->is('do=insert'))->insertUser();
         $this->on($this->request->is('do=update'))->updateUser();
         $this->on($this->request->is('do=delete'))->deleteUser();
diff --git a/var/Widget/Users/Profile.php b/var/Widget/Users/Profile.php
index 80994590..a995600f 100644
--- a/var/Widget/Users/Profile.php
+++ b/var/Widget/Users/Profile.php
@@ -41,7 +41,7 @@ class Widget_Users_Profile extends Widget_Users_Edit implements Widget_Interface
     public function profileForm()
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/users-profile', $this->options->index),
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/users-profile'),
         Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 用户昵称 */
@@ -90,7 +90,7 @@ class Widget_Users_Profile extends Widget_Users_Edit implements Widget_Interface
     public function optionsForm()
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/users-profile', $this->options->index),
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/users-profile'),
         Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 自动保存 */
@@ -151,7 +151,7 @@ class Widget_Users_Profile extends Widget_Users_Edit implements Widget_Interface
     public function personalForm($pluginName, $className, $pluginFileName, &$group)
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/users-profile', $this->options->index),
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/users-profile'),
         Typecho_Widget_Helper_Form::POST_METHOD);
         $form->setAttribute('name', $pluginName);
         $form->setAttribute('id', $pluginName);
@@ -206,7 +206,7 @@ class Widget_Users_Profile extends Widget_Users_Edit implements Widget_Interface
     public function passwordForm()
     {
         /** 构建表格 */
-        $form = new Typecho_Widget_Helper_Form(Typecho_Common::url('/action/users-profile', $this->options->index),
+        $form = new Typecho_Widget_Helper_Form($this->security->getIndex('/action/users-profile'),
         Typecho_Widget_Helper_Form::POST_METHOD);
 
         /** 用户密码 */
@@ -415,6 +415,7 @@ class Widget_Users_Profile extends Widget_Users_Edit implements Widget_Interface
      */
     public function action()
     {
+        $this->security->protect();
         $this->on($this->request->is('do=profile'))->updateProfile();
         $this->on($this->request->is('do=options'))->updateOptions();
         $this->on($this->request->is('do=password'))->updatePassword();
diff --git a/var/Widget/XmlRpc.php b/var/Widget/XmlRpc.php
index da5082f4..02d9e75d 100644
--- a/var/Widget/XmlRpc.php
+++ b/var/Widget/XmlRpc.php
@@ -510,7 +510,7 @@ class Widget_XmlRpc extends Widget_Abstract_Contents implements Widget_Interface
             $updateRows = $this->update($attachment, $this->db->sql()->where('cid = ?', $postId));
             return true;
         }
-        return $this->mwEditPost($blogId, $postId, $userName, $password, $content, $publish);
+        return $this->mwEditPost($blogId, $postId, $userName, $password, $content);
     }
 
     /**
@@ -968,7 +968,7 @@ class Widget_XmlRpc extends Widget_Abstract_Contents implements Widget_Interface
                 }
             
                 if (!$this->_wpOptions[$option]['readonly'] && isset($this->_wpOptions[$option]['option'])) {
-                    if ($db->query($db->update('table.options')
+                    if ($this->db->query($this->db->update('table.options')
                     ->rows(array('value' => $value))
                     ->where('name = ?', $this->_wpOptions[$option]['option'])) > 0) {
                         $struct[$option]['value'] = $value;