diff --git a/build/lemonldap-ng/changelog b/build/lemonldap-ng/changelog
index f8edc7d48..c90341b92 100644
--- a/build/lemonldap-ng/changelog
+++ b/build/lemonldap-ng/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (0.9.5) unstable; urgency=low
+
+  * Bugs :
+    - bad XML filter when embedding <application> in <application> tags
+
+ -- Xavier Guimard <x.guimard@free.fr>  Wed, 12 Aug 2009 11:07:18 +0200
+
 lemonldap-ng (0.9.4) unstable; urgency=low
 
   * Bugs :
diff --git a/build/lemonldap-ng/debian/changelog b/build/lemonldap-ng/debian/changelog
index c698b7906..1e3b541d8 100644
--- a/build/lemonldap-ng/debian/changelog
+++ b/build/lemonldap-ng/debian/changelog
@@ -1,5 +1,5 @@
-lemonldap-ng (0.9.4-0) unstable; urgency=low
+lemonldap-ng (0.9.5-0) unstable; urgency=low
 
   * Local build
 
- -- Xavier Guimard <x.guimard@free.fr>  Sat, 17 Jan 2009 13:39:50 +0100
+ -- Xavier Guimard <x.guimard@free.fr>  Wed, 12 Aug 2009 11:08:42 +0200
diff --git a/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm b/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm
index 4dfe82d1c..3a0c23c68 100644
--- a/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm
+++ b/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm
@@ -30,9 +30,13 @@ sub new {
 # @param data datas to encrypt
 # @return encrypted datas in Base64 format
 sub encrypt {
-    my $self = shift;
+    my ( $self, $str ) = @_;
     my $tmp;
-    eval { $tmp = encode_base64( $self->SUPER::encrypt(@_), '' ); };
+    eval {
+        $tmp = encode_base64(
+            $self->SUPER::encrypt( $str . "\0" x ( 16 - length($str) % 16 ) ),
+            '' );
+    };
     if ($@) {
         $msg = "Crypt::Rijndael error : $@";
         return undef;
@@ -60,6 +64,10 @@ sub decrypt {
     }
     else {
         $msg = '';
+
+        # Obscure Perl re bug...
+        $tmp .="\0";
+        $tmp =~ s/\0*$//;
         return $tmp;
     }
 }
diff --git a/modules/lemonldap-ng-portal/META.yml b/modules/lemonldap-ng-portal/META.yml
index 3208180c3..3c157f91a 100644
--- a/modules/lemonldap-ng-portal/META.yml
+++ b/modules/lemonldap-ng-portal/META.yml
@@ -1,6 +1,6 @@
 --- #YAML:1.0
 name:                Lemonldap-NG-Portal
-version:             0.88
+version:             0.89
 abstract:            The authentication portal part of Lemonldap::NG Web-SSO
 license:             ~
 author:              
diff --git a/modules/lemonldap-ng-portal/example/apps/tools.png b/modules/lemonldap-ng-portal/example/apps/tools.png
index 49e44b679..7203dab92 100644
Binary files a/modules/lemonldap-ng-portal/example/apps/tools.png and b/modules/lemonldap-ng-portal/example/apps/tools.png differ
diff --git a/modules/lemonldap-ng-portal/example/apps/wheels.png b/modules/lemonldap-ng-portal/example/apps/wheels.png
index 7e7a4bbfa..ba5037268 100644
Binary files a/modules/lemonldap-ng-portal/example/apps/wheels.png and b/modules/lemonldap-ng-portal/example/apps/wheels.png differ
diff --git a/modules/lemonldap-ng-portal/example/skins/common/vcss-blue.gif b/modules/lemonldap-ng-portal/example/skins/common/vcss-blue.gif
index c373b2a7e..a145d81a6 100644
Binary files a/modules/lemonldap-ng-portal/example/skins/common/vcss-blue.gif and b/modules/lemonldap-ng-portal/example/skins/common/vcss-blue.gif differ
diff --git a/modules/lemonldap-ng-portal/example/skins/pastel/footer.tpl b/modules/lemonldap-ng-portal/example/skins/pastel/footer.tpl
index 2b793314c..bca5d1bc9 100644
--- a/modules/lemonldap-ng-portal/example/skins/pastel/footer.tpl
+++ b/modules/lemonldap-ng-portal/example/skins/pastel/footer.tpl
@@ -1,6 +1,6 @@
         <div id="footer">
-		 <a href="http://validator.w3.org/check?uri=referer"><img src="skins/common/valid-xhtml10-blue.png" alt="Valid XHTML 1.0" /></a>
-		 <a href="http://jigsaw.w3.org/css-validator/"><img src="skins/common/vcss-blue.gif" alt="Valid CSS" /></a>
+		 <a href="http://validator.w3.org/check?uri=referer"><img src="skins/common/valid-xhtml10-blue.png" width="88" height="31" alt="Valid XHTML 1.0" /></a>
+		 <a href="http://jigsaw.w3.org/css-validator/"><img src="skins/common/vcss-blue.gif" width="88" height="31" alt="Valid CSS" /></a>
 	</div>
 
         </div>
diff --git a/modules/lemonldap-ng-portal/example/skins/pastel/menu.tpl b/modules/lemonldap-ng-portal/example/skins/pastel/menu.tpl
index 6c0e42dea..fa72e5011 100644
--- a/modules/lemonldap-ng-portal/example/skins/pastel/menu.tpl
+++ b/modules/lemonldap-ng-portal/example/skins/pastel/menu.tpl
@@ -8,13 +8,13 @@
 
 		<ul>
 		<TMPL_IF NAME="DISPLAY_APPSLIST">
-		<li><a href="#appslist"><span><img src="skins/common/application_cascade.png" alt="appslist" /> <lang en="Your applications" fr="Vos applications" /></span></a></li>
+		<li><a href="#appslist"><span><img src="skins/common/application_cascade.png" width="16" height="16" alt="appslist" /> <lang en="Your applications" fr="Vos applications" /></span></a></li>
 		</TMPL_IF>
 		<TMPL_IF NAME="DISPLAY_PASSWORD">
-		<li><a href="#password"><span><img src="skins/common/vcard_edit.png" alt="password" /> <lang en="Password" fr="Mot de passe" /></span></a></li>
+		<li><a href="#password"><span><img src="skins/common/vcard_edit.png" width="16" height="16" alt="password" /> <lang en="Password" fr="Mot de passe" /></span></a></li>
 		</TMPL_IF>
 		<TMPL_IF NAME="DISPLAY_LOGOUT">
-		<li><a href="#logout"><span><img src="skins/common/door_out.png" alt="logout" /> <lang en="Logout" fr="D&eacute;connexion" /></span></a></li>
+		<li><a href="#logout"><span><img src="skins/common/door_out.png" width="16" height="16" alt="logout" /> <lang en="Logout" fr="D&eacute;connexion" /></span></a></li>
 		</TMPL_IF>
 		</ul>
 
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Menu.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Menu.pm
index 10de8d6ed..5d5d0f820 100755
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Menu.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Menu.pm
@@ -357,9 +357,23 @@ sub _displayDescription {
 sub _filterXML {
     my $self = shift;
     my ($root) = @_;
+    my @cat = $root->getElementsByTagName('category');
+    foreach my $cat (@cat) {
+        $self->_filterApp($cat);
+    }
 
-    my @apps = $root->getElementsByTagName('application');
-    foreach (@apps) {
+    # Hide empty categories
+    $self->_hideEmptyCategory($root);
+
+    return;
+}
+
+sub _filterApp {
+    my($self,$node)=@_;
+    my @apps = $node->getChildrenByTagName('application');
+    my $tag = 0;
+    foreach(@apps) {
+        my $stag = $self->_filterApp($_);
         my $appdisplay = $_->getChildrenByTagName('display')->string_value();
         my $appuri =
           $self->_userParam( $_->getChildrenByTagName('uri')->string_value() );
@@ -368,17 +382,26 @@ sub _filterXML {
         $_->unbindNode if ( $appdisplay eq "no" );
 
         # Keep node if display is "yes"
-        next if ( $appdisplay eq "yes" );
+        if ( $appdisplay eq "yes" ) {
+            $tag++;
+            next;
+        }
 
         # Check grant function if display is "auto" (this is the default)
-        $_->unbindNode unless ( $self->_grant($appuri) );
-
+        unless ( $self->_grant($appuri) ) {
+            if($stag) {
+                eval {$_->getChildrenByTagName('uri')->unbindNode() };
+                $tag++;
+            }
+            else {
+                $_->unbindNode;
+            }
+        }
+        else {
+            $tag++;
+        }
     }
-
-    # Hide empty categories
-    $self->_hideEmptyCategory($root);
-
-    return;
+    return $tag;
 }
 
 ## @method private void _hideEmptyCategory(XML::LibXML::Element cat)
@@ -443,7 +466,7 @@ sub _ppolicyWarning {
 sub _grant {
     my $self = shift;
     my ($uri) = @_;
-    $uri =~ m{(\w+)://([^/:]+)(:\d+)?(/.*)?$};
+    $uri =~ m{(\w+)://([^/:]+)(:\d+)?(/.*)?$} or return 0;
     my ( $protocol, $vhost, $port );
     ( $protocol, $vhost, $port, $path ) = ( $1, $2, $3, $4 );
     $path ||= '/';
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
index 87a3c4440..65fe3efd3 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
@@ -140,12 +140,12 @@ sub new {
 
     # Authentication and userDB module are required and have to be in @ISA
     foreach (qw(authentication userDB passwordDB)) {
-        my $tmp =
-          'Lemonldap::NG::Portal::'
-          . ( $_ eq 'userDB'
+        my $tmp = 'Lemonldap::NG::Portal::'
+          . (
+            $_ eq 'userDB'
             ? 'UserDB'
-            : ( $_ eq 'passwordDB' ? 'PasswordDB' : 'Auth' ) )
-          . $self->{$_};
+            : ( $_ eq 'passwordDB' ? 'PasswordDB' : 'Auth' )
+          ) . $self->{$_};
         $tmp =~ s/\s.*$//;
         eval "require $tmp";
         $self->abort( "Configuration error", $@ ) if ($@);
@@ -231,6 +231,7 @@ sub setDefaultValues {
     my $self = shift;
     $self->{whatToTrace} ||= 'uid';
     $self->{whatToTrace} =~ s/^\$//;
+    $self->{httpOnly} = 1 unless ( defined( $self->{httpOnly} ) );
 }
 
 =begin WSDL
@@ -825,21 +826,23 @@ sub buildCookie {
     my $self = shift;
     push @{ $self->{cookie} },
       $self->cookie(
-        -name   => $self->{cookieName},
-        -value  => $self->{id},
-        -domain => $self->{domain},
-        -path   => "/",
-        -secure => $self->{securedCookie},
+        -name     => $self->{cookieName},
+        -value    => $self->{id},
+        -domain   => $self->{domain},
+        -path     => "/",
+        -secure   => $self->{securedCookie},
+        -httponly => $self->{httpOnly},
         @_,
       );
     if ( $self->{securedCookie} == 2 ) {
         push @{ $self->{cookie} },
           $self->cookie(
-            -name   => $self->{cookieName} . "http",
-            -value  => $self->{sessionInfo}->{_httpSession},
-            -domain => $self->{domain},
-            -path   => "/",
-            -secure => 0,
+            -name     => $self->{cookieName} . "http",
+            -value    => $self->{sessionInfo}->{_httpSession},
+            -domain   => $self->{domain},
+            -path     => "/",
+            -secure   => 0,
+            -httponly => $self->{httpOnly},
             @_,
           );
     }