diff --git a/html/inc/util.inc b/html/inc/util.inc
index 3119592c77..da7e867925 100644
--- a/html/inc/util.inc
+++ b/html/inc/util.inc
@@ -695,4 +695,12 @@ function select_from_array($name, $array, $selection) {
return $out;
}
+// Convert to entities, while preserving already-encoded entities.
+// Do NOT use if $str contains valid HTML tags.
+function boinc_htmlentities($str) {
+ $str = html_entity_decode($str, ENT_COMPAT, "UTF-8");
+ $str = htmlentities($str, ENT_COMPAT, "UTF-8");
+ return $str;
+}
+
?>
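Review bot: `ENT_COMPAT` on the htmlentities() call leaves the single quote unencoded, so the result is only safe in element content and double-quoted attributes; since this helper is being applied to user-controlled names and descriptions whose output context is not fixed here, `ENT_QUOTES` is the safer default: `$str = htmlentities($str, ENT_QUOTES, "UTF-8");`. Note also that with a UTF-8 charset htmlentities() returns an empty string when the input contains an invalid byte sequence, so a non-empty but mis-encoded name silently becomes "" for the caller (on PHP 5.4 or newer `ENT_SUBSTITUTE` would replace the bad bytes instead). The header comment would be clearer as `// Normalise to entities without double-encoding: decode any existing entities first, then re-encode.` since the decode pass round-trips existing entities rather than preserving them untouched.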
diff --git a/html/user/edit_user_info_action.php b/html/user/edit_user_info_action.php
index 8d3ae338a0..8c44d87b8b 100644
--- a/html/user/edit_user_info_action.php
+++ b/html/user/edit_user_info_action.php
@@ -8,7 +8,7 @@ require_once("../inc/countries.inc");
db_init();
$user = get_logged_in_user();
-$name = process_user_text(post_str("user_name"));
+$name = boinc_htmlentities(process_user_text(post_str("user_name")));
if ($name != strip_tags($name)) {
error_page("HTML tags not allowed in name");
}
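Review bot: Encoding `$name` before the strip_tags() comparison makes the "HTML tags not allowed in name" check unreachable, because after boinc_htmlentities() every `<` is already `&lt;` and strip_tags() has nothing to strip — so names containing tags are now accepted in encoded form instead of being rejected. Keep the check on the decoded text and encode afterwards: `$name = process_user_text(post_str("user_name"));` / `if ($name != strip_tags($name)) { error_page("HTML tags not allowed in name"); }` / `$name = boinc_htmlentities($name);`.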
diff --git a/html/user/forum_moderate_thread.php b/html/user/forum_moderate_thread.php
index e47b691ace..02901812d5 100644
--- a/html/user/forum_moderate_thread.php
+++ b/html/user/forum_moderate_thread.php
@@ -65,7 +65,6 @@ if (get_str('action')=="hide") {
$selectbox .= '';
row2("Destination forum:", $selectbox);
- //todo display where to move the thread as a dropdown instead of having to get ID
} elseif (get_str('action')=="title") {
echo "";
diff --git a/html/user/team_create_action.php b/html/user/team_create_action.php
index 935fc7457b..d6121ccca7 100644
--- a/html/user/team_create_action.php
+++ b/html/user/team_create_action.php
@@ -8,7 +8,7 @@ db_init();
$user = get_logged_in_user();
-$name = process_user_text(strip_tags(post_str("name")));
+$name = boinc_htmlentities(process_user_text(strip_tags(post_str("name"))));
if (strlen($name) == 0) {
error_page("Must set team name");
}
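Review bot: The `strlen($name) == 0` check now runs on the entity-encoded value, and htmlentities() with "UTF-8" returns an empty string on invalid byte sequences, so a name that was non-empty but badly encoded is reported as "Must set team name"; checking emptiness before boinc_htmlentities() (or distinguishing the two cases) would give the user an accurate message. Any length limit the team table applies now also applies to the encoded form, since `&` becomes five bytes — worth a comment such as `// stored entity-encoded; column limits apply to the encoded length` if that is intended. The same ordering applies to `$team_name` in team_edit_action.php, whose hunk runs past the end of this view.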
@@ -17,13 +17,13 @@ $url = process_user_text(strip_tags(post_str("url", true)));
if (strstr($url, "http://")) {
$url = substr($url, 7);
}
-$type = process_user_text(strip_tags(post_str("type", true)));
+$type = process_user_text(strip_tags(post_str("type", true)));
if (!is_valid_team_type($type)) {
$type = 'None';
}
$name_html = process_user_text(post_str("name_html", true));
-$description = process_user_text(post_str("description", true));
+$description = boinc_htmlentities(process_user_text(post_str("description", true)));
$country = process_user_text(post_str("country", true));
if (!is_valid_country($country)) {
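Review bot: `$description` is now entity-encoded while `$name_html` two lines above still passes through process_user_text() only; if that asymmetry is deliberate because name_html is meant to carry markup, say so on the line, e.g. `// name_html is intentionally not entity-encoded: it is rendered as HTML`, otherwise a reader will assume it was missed. The `$type` line in this hunk is a whitespace-only change and adds noise to the diff.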
diff --git a/html/user/team_edit_action.php b/html/user/team_edit_action.php
index 0ad020fe16..d5530a272c 100644
--- a/html/user/team_edit_action.php
+++ b/html/user/team_edit_action.php
@@ -12,27 +12,27 @@ if ($user->teamid == $teamid) {
$team = lookup_team($teamid);
require_founder_login($user, $team);
-
+
$team_url = process_user_text(strip_tags(post_str("url", true)));
$x = strstr($team_url, "http://");
if ($x) {
$team_url = substr($team_url, 7);
}
- $team_name = process_user_text(strip_tags(post_str("name")));
+ $team_name = boinc_htmlentities(process_user_text(strip_tags(post_str("name"))));
$team_name_lc = strtolower($team_name);
$team_name_html = process_user_text(post_str("name_html", true)); //Do we really not want to
- $team_description = process_user_text(post_str("description", true)); //scrub out bad HTML tags?
- $type = process_user_text(post_str("type", true));
- $country = process_user_text(post_str("country", true));
-
- if (! is_numeric($teamid)) {
- error_page("Team ID must be numeric.");
- }
-
- if (strlen($team_name) == 0) { // Should be caught up with the post_str("name"),
- error_page("Must specify team name"); // but you can never be too safe.
- }
-
+ $team_description = boinc_htmlentities(process_user_text(post_str("description", true))); //scrub out bad HTML tags?
+ $type = process_user_text(post_str("type", true));
+ $country = process_user_text(post_str("country", true));
+
+ if (! is_numeric($teamid)) {
+ error_page("Team ID must be numeric.");
+ }
+
+ if (strlen($team_name) == 0) { // Should be caught up with the post_str("name"),
+ error_page("Must specify team name"); // but you can never be too safe.
+ }
+
$query_team_table = sprintf(
"update team set name = '%s',
name_lc = '%s',