FlightPath 7.x-7.5.1
Submitted by admin on Sat, 10/12/2024 - 14:51
Referenced project:
Release version: 7.5.1
Release type: Security - High Priority!
Release notes:
Was alerted to possible XSS vulnerabilities (fixed in this release) by Rauf Giray Doğan (https://github.com/redhotchilihacker1).
Added convenience function filter_plain($str) to help sanitize fields which obviously should not contain HTML tags.
Modified various spots in the codebase to use either filter_plain() or filter_markup() where appropriate, to mitigate any possible XSS vulnerabilities.
Changed the way filter_markup cleans malformed HTML, so it doesn't add extra tags.
Fixed a bug in the content module where a file field in a fieldset wouldn't perform the upload.