diff -urN punbb-1.2.3/upload/admin_categories.php punbb-1.2.5/upload/admin_categories.php
--- punbb-1.2.3/upload/admin_categories.php	Tue Jan 11 20:41:14 2005
+++ punbb-1.2.5/upload/admin_categories.php	Sun Apr  3 20:48:30 2005
@@ -123,7 +123,7 @@
 						</div>
 					</fieldset>
 				</div>
-				<p><input type="submit" name="del_cat_comply" value="Delete" />&nbsp;&nbsp;&nbsp;<a href="javascript:history.go(-1)" />Go back</a></p>
+				<p><input type="submit" name="del_cat_comply" value="Delete" /><a href="javascript:history.go(-1)">Go back</a></p>
 			</form>
 		</div>
 	</div>
diff -urN punbb-1.2.3/upload/admin_censoring.php punbb-1.2.5/upload/admin_censoring.php
--- punbb-1.2.3/upload/admin_censoring.php	Fri Mar 11 19:17:26 2005
+++ punbb-1.2.5/upload/admin_censoring.php	Thu Apr  7 21:38:22 2005
@@ -57,7 +57,7 @@
 {
 	confirm_referrer('admin_censoring.php');
 
-	$id = key($_POST['update']);
+	$id = intval(key($_POST['update']));
 
 	$search_for = trim($_POST['search_for'][$id]);
 	$replace_with = trim($_POST['replace_with'][$id]);
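Review bot: `intval()` makes `$id` safe as a number, but the two lines after it still index `$_POST['search_for'][$id]` and `$_POST['replace_with'][$id]` without checking that those entries exist, and `key()` is called on `$_POST['update']` without confirming it is an array. A request that omits or reshapes those fields ends up with an `$id` of 0 and empty strings instead of a clean rejection. A guard before the `trim()` calls would cover it: `if (!is_array($_POST['update']) || !isset($_POST['search_for'][$id], $_POST['replace_with'][$id])) message($lang_common['Bad request']);`. The enclosing block starts and ends outside the hunk, so any later validation is not visible here.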
diff -urN punbb-1.2.3/upload/admin_forums.php punbb-1.2.5/upload/admin_forums.php
--- punbb-1.2.3/upload/admin_forums.php	Fri Feb 18 22:05:02 2005
+++ punbb-1.2.5/upload/admin_forums.php	Sun Apr  3 20:48:30 2005
@@ -117,7 +117,7 @@
 						</div>
 					</fieldset>
 				</div>
-				<p><input type="submit" name="del_forum_comply" value="Delete" />&nbsp;&nbsp;&nbsp;<a href="javascript:history.go(-1)" />Go back</a></p>
+				<p><input type="submit" name="del_forum_comply" value="Delete" /><a href="javascript:history.go(-1)">Go back</a></p>
 			</form>
 		</div>
 	</div>
diff -urN punbb-1.2.3/upload/admin_groups.php punbb-1.2.5/upload/admin_groups.php
--- punbb-1.2.3/upload/admin_groups.php	Fri Feb 18 22:05:02 2005
+++ punbb-1.2.5/upload/admin_groups.php	Tue Apr  5 01:06:00 2005
@@ -229,8 +229,8 @@
 
 	if ($_POST['mode'] == 'add')
 	{
-		$db->query('SELECT 1 FROM '.$db->prefix.'groups WHERE g_title=\''.$db->escape($title).'\'') or error('Unable to check group title collision', __FILE__, __LINE__, $db->error());
-		if ($db->num_rows())
+		$result = $db->query('SELECT 1 FROM '.$db->prefix.'groups WHERE g_title=\''.$db->escape($title).'\'') or error('Unable to check group title collision', __FILE__, __LINE__, $db->error());
+		if ($db->num_rows($result))
 			message('There is already a group with the title \''.pun_htmlspecialchars($title).'\'.');
 
 		$db->query('INSERT INTO '.$db->prefix.'groups (g_title, g_user_title, g_read_board, g_post_replies, g_post_topics, g_edit_posts, g_delete_posts, g_delete_topics, g_set_title, g_search, g_search_users, g_edit_subjects_interval, g_post_flood, g_search_flood) VALUES(\''.$db->escape($title).'\', '.$user_title.', '.$read_board.', '.$post_replies.', '.$post_topics.', '.$edit_posts.', '.$delete_posts.', '.$delete_topics.', '.$set_title.', '.$search.', '.$search_users.', '.$edit_subjects_interval.', '.$post_flood.', '.$search_flood.')') or error('Unable to add group', __FILE__, __LINE__, $db->error());
@@ -242,7 +242,13 @@
 			$db->query('INSERT INTO '.$db->prefix.'forum_perms (group_id, forum_id, read_forum, post_replies, post_topics) VALUES('.$new_group_id.', '.$cur_forum_perm['forum_id'].', '.$cur_forum_perm['read_forum'].', '.$cur_forum_perm['post_replies'].', '.$cur_forum_perm['post_topics'].')') or error('Unable to insert group forum permissions', __FILE__, __LINE__, $db->error());
 	}
 	else
+	{
+		$result = $db->query('SELECT 1 FROM '.$db->prefix.'groups WHERE g_title=\''.$db->escape($title).'\' AND g_id!='.$_POST['group_id']) or error('Unable to check group title collision', __FILE__, __LINE__, $db->error());
+		if ($db->num_rows($result))
+			message('There is already a group with the title \''.pun_htmlspecialchars($title).'\'.');
+
 		$db->query('UPDATE '.$db->prefix.'groups SET g_title=\''.$db->escape($title).'\', g_user_title='.$user_title.', g_read_board='.$read_board.', g_post_replies='.$post_replies.', g_post_topics='.$post_topics.', g_edit_posts='.$edit_posts.', g_delete_posts='.$delete_posts.', g_delete_topics='.$delete_topics.', g_set_title='.$set_title.', g_search='.$search.', g_search_users='.$search_users.', g_edit_subjects_interval='.$edit_subjects_interval.', g_post_flood='.$post_flood.', g_search_flood='.$search_flood.' WHERE g_id='.$_POST['group_id']) or error('Unable to update group', __FILE__, __LINE__, $db->error());
+	}
 
 	// Regenerate the quickjump cache
 	require_once PUN_ROOT.'include/cache.php';
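Review bot: The new collision query in the `else` branch concatenates `$_POST['group_id']` into the SQL uncast and unquoted (`AND g_id!='.$_POST['group_id']`), as does the existing UPDATE's `WHERE g_id=`. Unless the value is cast earlier in this block, which starts outside the hunk, the request body controls part of both statements. Casting once with `$group_id = intval($_POST['group_id']);` and using `$group_id` in both queries keeps the numeric context safe. That matches how `$id` is handled in the admin_censoring.php hunk of this patch.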
diff -urN punbb-1.2.3/upload/admin_index.php punbb-1.2.5/upload/admin_index.php
--- punbb-1.2.3/upload/admin_index.php	Sun Jan 23 18:36:42 2005
+++ punbb-1.2.5/upload/admin_index.php	Sun Mar 20 20:13:24 2005
@@ -64,7 +64,7 @@
 
 
 // Show phpinfo() output
-else if ($action == 'phpinfo')
+else if ($action == 'phpinfo' && $pun_user['g_id'] == PUN_ADMIN)
 {
 	// Is phpinfo() a disabled function?
 	if (strpos(strtolower((string)@ini_get('disable_functions')), 'phpinfo') !== false)
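Review bot: The comment above this branch still reads `// Show phpinfo() output` although the condition now also requires `$pun_user['g_id'] == PUN_ADMIN`. State the reason in the comment so the check is not dropped in a later cleanup, e.g. `// Show phpinfo() output (administrators only: it discloses server configuration and environment values)`. A non-admin request with `action=phpinfo` now falls through to whatever follows the `else if` chain, which is outside the hunk; presumably that is the normal index page.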
@@ -93,7 +93,7 @@
 
 
 // Get number of current visitors
-$result = $db->query('SELECT COUNT(user_id) FROM '.$db->prefix.'online') or error('Unable to fetch online count', __FILE__, __LINE__, $db->error());
+$result = $db->query('SELECT COUNT(user_id) FROM '.$db->prefix.'online WHERE idle=0') or error('Unable to fetch online count', __FILE__, __LINE__, $db->error());
 $num_online = $db->result($result);
 
 
diff -urN punbb-1.2.3/upload/admin_prune.php punbb-1.2.5/upload/admin_prune.php
--- punbb-1.2.3/upload/admin_prune.php	Tue Jan 11 20:41:14 2005
+++ punbb-1.2.5/upload/admin_prune.php	Sun Apr  3 20:48:30 2005
@@ -135,7 +135,7 @@
 						</div>
 					</fieldset>
 				</div>
-				<p><input type="submit" name="prune_comply" value="Prune" />&nbsp;&nbsp;&nbsp;<a href="javascript:history.go(-1)" />Go back</a></p>
+				<p><input type="submit" name="prune_comply" value="Prune" /><a href="javascript:history.go(-1)">Go back</a></p>
 			</form>
 		</div>
 	</div>
diff -urN punbb-1.2.3/upload/admin_users.php punbb-1.2.5/upload/admin_users.php
--- punbb-1.2.3/upload/admin_users.php	Fri Mar 11 19:17:26 2005
+++ punbb-1.2.5/upload/admin_users.php	Sun Apr  3 20:48:30 2005
@@ -49,7 +49,7 @@
 ?>
 <div class="linkst">
 	<div class="inbox">
-		<div><a href="javascript:history.go(-1)" />Go back</a></div>
+		<div><a href="javascript:history.go(-1)">Go back</a></div>
 	</div>
 </div>
 
@@ -98,7 +98,7 @@
 
 <div class="linksb">
 	<div class="inbox">
-		<div><a href="javascript:history.go(-1)" />Go back</a></div>
+		<div><a href="javascript:history.go(-1)">Go back</a></div>
 	</div>
 </div>
 <?php
@@ -121,7 +121,7 @@
 ?>
 <div class="linkst">
 	<div class="inbox">
-		<div><a href="javascript:history.go(-1)" />Go back</a></div>
+		<div><a href="javascript:history.go(-1)">Go back</a></div>
 	</div>
 </div>
 
@@ -202,7 +202,7 @@
 
 <div class="linksb">
 	<div class="inbox">
-		<div><a href="javascript:history.go(-1)" />Go back</a></div>
+		<div><a href="javascript:history.go(-1)">Go back</a></div>
 	</div>
 </div>
 <?php
@@ -278,7 +278,7 @@
 ?>
 <div class="linkst">
 	<div class="inbox">
-		<div><a href="javascript:history.go(-1)" />Go back</a></div>
+		<div><a href="javascript:history.go(-1)">Go back</a></div>
 	</div>
 </div>
 
@@ -338,7 +338,7 @@
 
 <div class="linksb">
 	<div class="inbox">
-		<div><a href="javascript:history.go(-1)" />Go back</a></div>
+		<div><a href="javascript:history.go(-1)">Go back</a></div>
 	</div>
 </div>
 <?php
diff -urN punbb-1.2.3/upload/help.php punbb-1.2.5/upload/help.php
--- punbb-1.2.3/upload/help.php	Wed Jan 12 21:17:34 2005
+++ punbb-1.2.5/upload/help.php	Fri Mar 18 23:20:44 2005
@@ -86,7 +86,7 @@
 		&nbsp;&nbsp;&nbsp;&nbsp;[quote]<?php echo $lang_help['Quote text'] ?>[/quote]<br /><br />
 		<?php echo $lang_help['produces quote box'] ?><br /><br />
 		<div class="postmsg">
-			<blockquote><div class="incqbox"></h4><p><?php echo $lang_help['Quote text'] ?></p></div></blockquote>
+			<blockquote><div class="incqbox"><p><?php echo $lang_help['Quote text'] ?></p></div></blockquote>
 		</div>
 	</div>
 </div>
diff -urN punbb-1.2.3/upload/include/dblayer/common_db.php punbb-1.2.5/upload/include/dblayer/common_db.php
--- punbb-1.2.3/upload/include/dblayer/common_db.php	Tue Jan 11 20:41:14 2005
+++ punbb-1.2.5/upload/include/dblayer/common_db.php	Fri Mar 18 23:07:48 2005
@@ -23,6 +23,11 @@
 ************************************************************************/
 
 
+// Make sure no one attempts to run this script "directly"
+if (!defined('PUN'))
+	exit;
+
+
 //
 // Return current timestamp (with microseconds) as a float (used in dblayer)
 //
diff -urN punbb-1.2.3/upload/include/email.php punbb-1.2.5/upload/include/email.php
--- punbb-1.2.3/upload/include/email.php	Fri Mar 11 19:15:58 2005
+++ punbb-1.2.5/upload/include/email.php	Thu Apr  7 21:41:16 2005
@@ -33,7 +33,10 @@
 //
 function is_valid_email($email)
 {
-	return preg_match('#^.{1,}@.{2,}\..{2,}$#', $email);
+	if (strlen($email) > 50)
+		return false;
+
+	return preg_match('/^(([^<>()[\]\\.,;:\s@"\']+(\.[^<>()[\]\\.,;:\s@"\']+)*)|("[^"\']+"))@((\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])|(([a-zA-Z\d\-]+\.)+[a-zA-Z]{2,}))$/', $email);
 }
 
 
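Review bot: The new pattern in `is_valid_email()` ends in `$` without the `D` modifier, so PCRE also accepts an address followed by a single trailing newline. For a value that later goes into mail headers, the match should be anchored to the true end of the string; changing the closing `$/'` to `$/D'` does that. The length limit of 50 is a bare number, so a comment saying what it corresponds to (presumably the width of the e-mail column) would help the next reader.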
@@ -65,7 +68,7 @@
 
 	// Default sender/return address
 	if (!$from)
-		$from = '"'.$pun_config['o_board_title'].' '.$lang_common['Mailer'].'" <'.$pun_config['o_webmaster_email'].'>';
+		$from = '"'.str_replace('"', '', $pun_config['o_board_title'].' '.$lang_common['Mailer']).'" <'.$pun_config['o_webmaster_email'].'>';
 
 	// Do a little spring cleaning
 	$to = trim(preg_replace('#[\n\r]+#s', '', $to));
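Review bot: Stripping only `"` from the display name still lets a backslash escape the closing quote of the quoted-string; a board title ending in `\` produces `\"`. CR/LF in the name is not handled on this line either, though the cleanup that follows is only partly visible in the hunk and may already cover it. Removing those characters in the same call closes both: `str_replace(array('"', '\\', "\r", "\n"), '', ...)`. The same quoting is repeated for `$pun_user['username']` in the misc.php hunk of this patch, so a small shared helper for building the display name would keep the two in step.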
diff -urN punbb-1.2.3/upload/include/functions.php punbb-1.2.5/upload/include/functions.php
--- punbb-1.2.3/upload/include/functions.php	Fri Mar 11 18:57:06 2005
+++ punbb-1.2.5/upload/include/functions.php	Fri Mar 18 23:10:18 2005
@@ -739,7 +739,7 @@
 
 	if (strpos($lang_common['lang_encoding'], '8859') !== false)
 	{
-		$fishy_chars = array(chr(0x81), chr(0x8D), chr(0x8F), chr(0x90), chr(0x9D), chr(0xA0), chr(0xCA));
+		$fishy_chars = array(chr(0x81), chr(0x8D), chr(0x8F), chr(0x90), chr(0x9D), chr(0xA0));
 		return trim(str_replace($fishy_chars, ' ', $str));
 	}
 	else
diff -urN punbb-1.2.3/upload/include/parser.php punbb-1.2.5/upload/include/parser.php
--- punbb-1.2.3/upload/include/parser.php	Sun Jan 30 14:52:38 2005
+++ punbb-1.2.5/upload/include/parser.php	Tue Apr  5 23:17:14 2005
@@ -45,29 +45,29 @@
 	$b = array('[b]', '[i]', '[u]', '[/b]', '[/i]', '[/u]');
 	$text = str_replace($a, $b, $text);
 
-	// Do the more complex BBCodes (and strip excessive whitespace)
-	$a = array( '#\[url=(.*?)\]\s*#i',
+	// Do the more complex BBCodes (also strip excessive whitespace and useless quotes)
+	$a = array( '#\[url=("|\'|)(.*?)\\1\]\s*#i',
 				'#\[url\]\s*#i',
 				'#\s*\[/url\]#i',
-				'#\[email=(.*?)\]\s*#i',
+				'#\[email=("|\'|)(.*?)\\1\]\s*#i',
 				'#\[email\]\s*#i',
 				'#\s*\[/email\]#i',
 				'#\[img\]\s*(.*?)\s*\[/img\]#is',
-				'#\[colou?r=(.*?)\](.*?)\[/colou?r\]#is');
+				'#\[colou?r=("|\'|)(.*?)\\1\](.*?)\[/colou?r\]#is');
 
-	$b = array(	'[url=$1]',
+	$b = array(	'[url=$2]',
 				'[url]',
 				'[/url]',
-				'[email=$1]',
+				'[email=$2]',
 				'[email]',
 				'[/email]',
 				'[img]$1[/img]',
-				'[color=$1]$2[/color]');
+				'[color=$2]$3[/color]');
 
 	if (!$is_signature)
 	{
 		// For non-signatures, we have to do the quote and code tags as well
-		$a[] = '#\[quote=(&quot;|"|\'|)(.*)\\1\]\s*#i';
+		$a[] = '#\[quote=(&quot;|"|\'|)(.*?)\\1\]\s*#i';
 		$a[] = '#\[quote\]\s*#i';
 		$a[] = '#\s*\[/quote\]\s*#i';
 		$a[] = '#\[code\][\r\n]*(.*?)\s*\[/code\]\s*#is';
@@ -182,8 +182,10 @@
 		// We found a [code]
 		else if ($c_start < min($c_end, $q_start, $q_end))
 		{
+			// Make sure there's a [/code] and that any new [code] doesn't occur before the end tag
 			$tmp = strpos($text, '[/code]');
-			if ($tmp === false)
+			$tmp2 = strpos(substr($text, 6), '[code]');
+			if ($tmp === false || ($tmp2 !== false && $tmp2 < $tmp))
 			{
 				$error = $lang_common['BBCode error'].' '.$lang_common['BBCode error 2'];
 				return;
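Review bot: `$tmp2` is an offset into `substr($text, 6)` while `$tmp` is an offset into `$text`, so the comparison `$tmp2 < $tmp` mixes two bases that differ by 6. It appears to give the right answer only because `[/code]` is seven characters long, which is easy to break in a later edit. `$tmp2 = strpos($text, '[code]', 6);` keeps both positions relative to `$text` and avoids copying the string. Both forms assume `$text` begins with `[code]` at this point, which is established outside the hunk.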
diff -urN punbb-1.2.3/upload/install.php punbb-1.2.5/upload/install.php
--- punbb-1.2.3/upload/install.php	Fri Mar 11 18:55:20 2005
+++ punbb-1.2.5/upload/install.php	Thu Apr  7 23:26:36 2005
@@ -24,7 +24,7 @@
 
 
 // The PunBB version this script installs
-$punbb_version = '1.2.3';
+$punbb_version = '1.2.5';
 
 
 define('PUN_ROOT', './');
diff -urN punbb-1.2.3/upload/login.php punbb-1.2.5/upload/login.php
--- punbb-1.2.3/upload/login.php	Mon Feb 21 23:33:52 2005
+++ punbb-1.2.5/upload/login.php	Fri Apr  1 20:08:04 2005
@@ -40,7 +40,9 @@
 	$form_username = trim($_POST['req_username']);
 	$form_password = trim($_POST['req_password']);
 
-	$result = $db->query('SELECT id, group_id, password, save_pass FROM '.$db->prefix.'users WHERE username=\''.$db->escape($form_username).'\'') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+	$username_sql = ($db_type == 'mysql' || $db_type == 'mysqli') ? 'username=\''.$db->escape($form_username).'\'' : 'LOWER(username)=LOWER(\''.$db->escape($form_username).'\')';
+
+	$result = $db->query('SELECT id, group_id, password, save_pass FROM '.$db->prefix.'users WHERE '.$username_sql) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
 	list($user_id, $group_id, $db_password_hash, $save_pass) = $db->fetch_row($result);
 
 	$authorized = false;
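Review bot: The `$db_type` branch has no comment saying why MySQL is treated differently from the other backends. Presumably MySQL's default collation already compares `username` case-insensitively while the others need `LOWER()` on both sides. A one-line comment would make that explicit, e.g. `// MySQL matches usernames case-insensitively by default; other backends need LOWER()`. With the `LOWER()` form, two accounts whose names differ only in case would both match and `fetch_row()` reads only the first, so it is worth confirming that registration rejects such duplicates.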
diff -urN punbb-1.2.3/upload/misc.php punbb-1.2.5/upload/misc.php
--- punbb-1.2.3/upload/misc.php	Mon Feb 28 02:02:16 2005
+++ punbb-1.2.5/upload/misc.php	Fri Apr  1 20:38:52 2005
@@ -118,7 +118,7 @@
 
 		require_once PUN_ROOT.'include/email.php';
 
-		pun_mail($recipient_email, $mail_subject, $mail_message, $pun_user['username'].' <'.$pun_user['email'].'>');
+		pun_mail($recipient_email, $mail_subject, $mail_message, '"'.str_replace('"', '', $pun_user['username']).'" <'.$pun_user['email'].'>');
 
 		redirect($_POST['redirect_url'], $lang_misc['E-mail sent redirect']);
 	}
diff -urN punbb-1.2.3/upload/moderate.php punbb-1.2.5/upload/moderate.php
--- punbb-1.2.3/upload/moderate.php	Thu Feb 24 22:16:34 2005
+++ punbb-1.2.5/upload/moderate.php	Sun Mar 20 17:16:04 2005
@@ -50,7 +50,7 @@
 		$ip = $db->result($result);
 	}
 
-	message('The IP address is: '.$ip.'<br />The host name is: '.gethostbyaddr($ip).'<br /><br /><a href="admin_users.php?show_users='.$ip.'">Show more users for this IP</a>');
+	message('The IP address is: '.$ip.'<br />The host name is: '.@gethostbyaddr($ip).'<br /><br /><a href="admin_users.php?show_users='.$ip.'">Show more users for this IP</a>');
 }
 
 
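Review bot: The added `@` hides the warning `gethostbyaddr()` raises for a malformed address, but `$ip` is still written into the message HTML and the `show_users=` link without validation or escaping. Where `$ip` comes from in the other branch is outside the hunk. If it can be taken from the request, check its format before use, e.g. `if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/D', $ip)) message($lang_common['Bad request']);`, which should also make the `@` unnecessary.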
@@ -285,7 +285,7 @@
 			message($lang_common['Bad request']);
 
 		$topics = explode(',', $_POST['topics']);
-		$move_to_forum = intval($_POST['move_to_forum']);
+		$move_to_forum = isset($_POST['move_to_forum']) ? intval($_POST['move_to_forum']) : 0;
 		if (empty($topics) || $move_to_forum < 1)
 			message($lang_common['Bad request']);
 
@@ -351,7 +351,7 @@
 						<br /><select name="move_to_forum">
 <?php
 
-	$result = $db->query('SELECT c.id AS cid, c.cat_name, f.id AS fid, f.forum_name FROM '.$db->prefix.'categories AS c INNER JOIN '.$db->prefix.'forums AS f ON c.id=f.cat_id WHERE f.redirect_url IS NULL ORDER BY c.disp_position, c.id, f.disp_position') or error('Unable to fetch category/forum list', __FILE__, __LINE__, $db->error());
+	$result = $db->query('SELECT c.id AS cid, c.cat_name, f.id AS fid, f.forum_name FROM '.$db->prefix.'categories AS c INNER JOIN '.$db->prefix.'forums AS f ON c.id=f.cat_id LEFT JOIN '.$db->prefix.'forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id='.$pun_user['group_id'].') WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND f.redirect_url IS NULL ORDER BY c.disp_position, c.id, f.disp_position', true) or error('Unable to fetch category/forum list', __FILE__, __LINE__, $db->error());
 
 	$cur_category = 0;
 	while ($cur_forum = $db->fetch_assoc($result))
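Review bot: Filtering the `move_to_forum` drop-down by `fp.read_forum` only changes what the form offers; the handler in the hunk above accepts any `move_to_forum` of 1 or more. Unless the move handler repeats this permission check in a part of the file not shown, a hand-built POST can still name a forum the moderator's group cannot read. The same `forum_perms` condition should be applied server-side when the target forum is looked up before the topics are moved.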
@@ -472,7 +472,7 @@
 		if (empty($topics))
 			message($lang_misc['No topics selected']);
 
-		$db->query('UPDATE '.$db->prefix.'topics SET closed='.$action.' WHERE id IN('.implode(',', array_keys($topics)).')') or error('Unable to close topics', __FILE__, __LINE__, $db->error());
+		$db->query('UPDATE '.$db->prefix.'topics SET closed='.$action.' WHERE id IN('.implode(',', $topics).')') or error('Unable to close topics', __FILE__, __LINE__, $db->error());
 
 		$redirect_msg = ($action) ? $lang_misc['Close topics redirect'] : $lang_misc['Open topics redirect'];
 		redirect('moderate.php?fid='.$fid, $redirect_msg);
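Review bot: `implode(',', $topics)` now places the array's values, rather than its keys, into the `IN(...)` list with no cast on this line. How `$topics` is built is outside the hunk. If its values originate from the request, force them to integers at the point of use: `implode(',', array_map('intval', $topics))`.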
diff -urN punbb-1.2.3/upload/profile.php punbb-1.2.5/upload/profile.php
--- punbb-1.2.3/upload/profile.php	Thu Feb 24 22:16:34 2005
+++ punbb-1.2.5/upload/profile.php	Thu Apr  7 21:49:28 2005
@@ -59,7 +59,7 @@
 		$result = $db->query('SELECT activate_string, activate_key FROM '.$db->prefix.'users WHERE id='.$id) or error('Unable to fetch new password', __FILE__, __LINE__, $db->error());
 		list($new_password_hash, $new_password_key) = $db->fetch_row($result);
 
-		if ($key != $new_password_key)
+		if ($key == '' || $key != $new_password_key)
 			message($lang_profile['Pass key bad'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');
 		else
 		{
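Review bot: The key check still uses the loose operators `==` and `!=`, which compare numeric-looking strings by value, so two different keys such as `'1e1'` and `'10'` are treated as equal. Keeping the new empty-key guard and making the comparison strict avoids that: `if ($key == '' || (string)$key !== (string)$new_password_key)`. The e-mail key check in the later profile.php hunk shows only its message line, so the same operator should be confirmed there.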
@@ -194,7 +194,7 @@
 			message($lang_profile['E-mail key bad'].' <a href="mailto:'.$pun_config['o_admin_email'].'">'.$pun_config['o_admin_email'].'</a>.');
 		else
 		{
-			$db->query('UPDATE '.$db->prefix.'users SET email=\''.$new_email.'\', activate_string=NULL, activate_key=NULL WHERE id='.$id) or error('Unable to update e-mail address', __FILE__, __LINE__, $db->error());
+			$db->query('UPDATE '.$db->prefix.'users SET email=activate_string, activate_string=NULL, activate_key=NULL WHERE id='.$id) or error('Unable to update e-mail address', __FILE__, __LINE__, $db->error());
 
 			message($lang_profile['E-mail updated'], true);
 		}
@@ -303,6 +303,9 @@
 
 	if (isset($_POST['form_sent']))
 	{
+		if (!isset($_FILES['req_file']))
+			message($lang_profile['No file']);
+			
 		$uploaded_file = $_FILES['req_file'];
 
 		// Make sure the upload went smooth
@@ -360,7 +363,7 @@
 
 			// Now check the width/height
 			list($width, $height, ,) = getimagesize($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
-			if ($width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height'])
+			if (empty($width) || empty($height) || $width > $pun_config['o_avatars_width'] || $height > $pun_config['o_avatars_height'])
 			{
 				@unlink($pun_config['o_avatars_dir'].'/'.$id.'.tmp');
 				message($lang_profile['Too wide or high'].' '.$pun_config['o_avatars_width'].'x'.$pun_config['o_avatars_height'].' '.$lang_profile['pixels'].'.');
@@ -966,7 +969,7 @@
 					<div class="infldset">
 						<dl>
 							<dt><?php echo $lang_profile['Jabber'] ?>: </dt>
-							<dd><?php echo ($user['jabber'] !='') ? $user['jabber'] : $lang_profile['Unknown']; ?></dd>
+							<dd><?php echo ($user['jabber'] !='') ? pun_htmlspecialchars($user['jabber']) : $lang_profile['Unknown']; ?></dd>
 							<dt><?php echo $lang_profile['ICQ'] ?>: </dt>
 							<dd><?php echo ($user['icq'] !='') ? $user['icq'] : $lang_profile['Unknown']; ?></dd>
 							<dt><?php echo $lang_profile['MSN'] ?>: </dt>
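Review bot: `$user['icq']` is still echoed without `pun_htmlspecialchars()` one line below the newly escaped Jabber value, and again in the `form[icq]` input's `value` attribute in the last profile.php hunk. If the save path (not shown) guarantees that ICQ is numeric, this is harmless. Escaping at output does not depend on that guarantee, so use `pun_htmlspecialchars($user['icq'])` in both places.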
@@ -1232,7 +1235,7 @@
 						<legend><?php echo $lang_profile['Contact details legend'] ?></legend>
 						<div class="infldset">
 							<input type="hidden" name="form_sent" value="1" />
-							<label><?php echo $lang_profile['Jabber'] ?><br /><input id="jabber" type="text" name="form[jabber]" value="<?php echo $user['jabber'] ?>" size="40" maxlength="75" /><br /></label>
+							<label><?php echo $lang_profile['Jabber'] ?><br /><input id="jabber" type="text" name="form[jabber]" value="<?php echo pun_htmlspecialchars($user['jabber']) ?>" size="40" maxlength="75" /><br /></label>
 							<label><?php echo $lang_profile['ICQ'] ?><br /><input id="icq" type="text" name="form[icq]" value="<?php echo $user['icq'] ?>" size="12" maxlength="12" /><br /></label>
 							<label><?php echo $lang_profile['MSN'] ?><br /><input id="msn" type="text" name="form[msn]" value="<?php echo pun_htmlspecialchars($user['msn']) ?>" size="40" maxlength="50" /><br /></label>
 							<label><?php echo $lang_profile['AOL IM'] ?><br /><input id="aim" type="text" name="form[aim]" value="<?php echo pun_htmlspecialchars($user['aim']) ?>" size="20" maxlength="30" /><br /></label>
diff -urN punbb-1.2.3/upload/viewtopic.php punbb-1.2.5/upload/viewtopic.php
--- punbb-1.2.3/upload/viewtopic.php	Tue Feb  1 16:16:46 2005
+++ punbb-1.2.5/upload/viewtopic.php	Thu Apr  7 22:52:56 2005
@@ -183,7 +183,7 @@
 $post_count = 0;	// Keep track of post numbers
 
 // Retrieve the posts (and their respective poster/online status)
-$result = $db->query('SELECT DISTINCT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'users AS u ON u.id=p.poster_id INNER JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id LEFT JOIN '.$db->prefix.'online AS o ON (o.user_id=u.id AND o.idle=0) WHERE p.topic_id='.$id.' ORDER BY p.id LIMIT '.$start_from.','.$pun_user['disp_posts'], true) or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());
+$result = $db->query('SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'users AS u ON u.id=p.poster_id INNER JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id LEFT JOIN '.$db->prefix.'online AS o ON (o.user_id=u.id AND o.idle=0) WHERE p.topic_id='.$id.' ORDER BY p.id LIMIT '.$start_from.','.$pun_user['disp_posts'], true) or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());
 while ($cur_post = $db->fetch_assoc($result))
 {
 	$post_count++;
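Review bot: Dropping `DISTINCT` makes the result depend on the `LEFT JOIN` to the `online` table returning at most one row per poster. If a user can have more than one `online` row with `idle=0`, posts will appear twice and the `LIMIT` paging will be thrown off. A comment above the query stating that `online.user_id` is unique for logged-in users, if the schema guarantees it, would record the assumption this change relies on.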
