From 1117e03d5425835508b376425b21ebf750146c73 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 18 Jul 2013 12:50:42 -0700
Subject: [PATCH] web: fix XSS vulnerability in team_member.php

---
 html/user/team_members.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/html/user/team_members.php b/html/user/team_members.php
index 07ffd58bb7..4fc054613d 100644
--- a/html/user/team_members.php
+++ b/html/user/team_members.php
@@ -24,6 +24,7 @@ check_get_args(array("sort_by", "offset", "teamid"));
 
 if (isset($_GET["sort_by"])) {
 $sort_by = $_GET["sort_by"];
+ $sort_by = strip_tags($sort_by); // remove XSS nonsense
 } else {
 $sort_by = "expavg_credit";
 }
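Review bot: `strip_tags()` on the added line removes only markup tags, so quotes and other attribute-breaking characters in `sort_by` pass through unchanged; if the value is later echoed inside an attribute or a link (its uses lie outside this hunk), the reflection is not fully closed. Because `sort_by` selects from a small fixed set of orderings, an allowlist is the stricter check and also covers any use of the value in a query: `if (!in_array($sort_by, $allowed_sort_keys, true)) { $sort_by = "expavg_credit"; }`, where `$allowed_sort_keys` is a placeholder for the keys this page actually supports. Wherever the value is written into HTML it should still go through `htmlspecialchars($sort_by, ENT_QUOTES)`. The trailing comment would tell a maintainer more as `// sort_by is reflected in page output; restrict to known sort keys`.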