diff --git a/web.d b/web.d
index b3e8b43..00ec20e 100644
--- a/web.d
+++ b/web.d
@@ -249,6 +249,13 @@ class ApiProvider : WebDotDBaseType {
 		}
 	}
 
+	/// Shorthand for ensurePost and checkCsrfToken. You should use this on non-indempotent 
+	/// functions. Override it if doing some custom checking.
+	void ensureGoodPost() {
+		ensurePost();
+		checkCsrfToken();
+	}
+
 	// gotta make sure this isn't callable externally! Oh lol that'd defeat the point...
 	/// Gets the CSRF info (an associative array with key and token inside at least) from the session.
 	/// Note that the actual token is generated by the Session class.
@@ -397,7 +404,9 @@ class ApiProvider : WebDotDBaseType {
 		assert(ret !is null);
 	}
 	body {
-		auto document = new Document("<html><head></head><body id=\"body\"></body></html>");
+		auto document = new Document("<!DOCTYPE html><html><head><title></title><link rel=\"stylesheet\" href=\"styles.css\" /></head><body><div id=\"body\"></div><script src=\"functions.js\"></script></body></html>");
+		if(this.reflection !is null)
+			document.title = this.reflection.name;
 		auto container = document.getElementById("body");
 		return container;
 	}
@@ -930,6 +939,13 @@ void run(Provider)(Cgi cgi, Provider instantiation, size_t pathInfoStartingPoint
 		cgi.close();
 		return;
 	}
+	if(funName == "styles.css") {
+		cgi.gzipResponse = true;
+		cgi.setResponseContentType("text/css");
+		cgi.write(instantiation.stylesheet(), true);
+		cgi.close();
+		return;
+	}
 
 	CallInfo info;
 
@@ -965,6 +981,9 @@ void run(Provider)(Cgi cgi, Provider instantiation, size_t pathInfoStartingPoint
 		base = instantiation.builtInFunctions;
 
 	if(instantiator.length) {
+		assert(fun !is null);
+		assert(fun.parentObject !is null);
+		assert(fun.parentObject.instantiate !is null);
 		base = fun.parentObject.instantiate(instantiator);
 	}
 
@@ -1080,7 +1099,9 @@ void run(Provider)(Cgi cgi, Provider instantiation, size_t pathInfoStartingPoint
 					if(n)
 						n.innerText = beautify(fun.originalName);
 
-					form.prependChild(Element.make("p", ipe.msg));
+					// FIXME: I like having something, but it needs to not
+					// show it on the first user load.
+					// form.prependChild(Element.make("p", ipe.msg));
 				}
 
 				assert(form !is null);
@@ -1607,7 +1628,7 @@ string toHtml(T)(T a) {
 		else
 			ret = a.toString();
 	} else
-	static if(isArray!(T)) {
+	static if(isArray!(T) && !isSomeString!(T)) {
 		static if(__traits(compiles, typeof(T[0]).makeHtmlArray(a)))
 			ret = to!string(typeof(T[0]).makeHtmlArray(a));
 		else
@@ -1619,8 +1640,13 @@ string toHtml(T)(T a) {
 		ret = a.makeHtmlElement().toString();
 	else static if(is(T == Html))
 		ret = a.source;
-	else
-		ret = std.array.replace(htmlEntitiesEncode(to!string(a)), "\n", "<br />\n");
+	else {
+		auto str = to!string(a);
+		if(str.indexOf("\t") == -1)
+			ret = std.array.replace(htmlEntitiesEncode(str), "\n", "<br />\n");
+		else // if there's tabs in it, output it as code or something; the tabs are probably there for a reason.
+			ret = "<pre>" ~ htmlEntitiesEncode(str) ~ "</pre>";
+	}
 
 	return ret;
 }