i dont know if its been fixed or even if it is needed but i found a bug from a google search?? in calendar.php the $month and $year can be given incorrect syntax in the address line ie
?month=-2z4&year=-2259
resulting in SQL errors
i made a fix of sorts
// security fix
if( empty( $month ) ){
$month = $a_current['month'];
}else{
$month = is_numeric($month) ? abs(intval($month)) : $a_current['month'];
if ($month > 12){ $month = $a_current['month']; }
}
if( empty( $year ) ){
$year = $a_current['year'];
}else{
$year = is_numeric($year) ? abs(intval($year)) : $a_current['year'];
if ( $year > 31){ $year = $a_current['year']; }
}// security fix
inserted above
$month_name = $a_monthnames[ $month ];