From 72fc5decbe8bbcbdfce7abce82ed901041d496fc Mon Sep 17 00:00:00 2001
From: Meik Sievertsen
Date: Sun, 9 Mar 2003 02:03:15 +0000
Subject: [PATCH] fixed problems with usernames using html special chars, added GMT + 13 to english lang_main (yes, again. ;)), paul will slap me again... i see the trout coming, but this var has to be added.
git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@3616 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/admin/admin_users.php | 4 ++--
 phpBB/groupcp.php | 2 +-
 phpBB/language/lang_english/lang_main.php | 1 +
 phpBB/login.php | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/phpBB/admin/admin_users.php b/phpBB/admin/admin_users.php
index c318150c9d..b45687fde2 100644
--- a/phpBB/admin/admin_users.php
+++ b/phpBB/admin/admin_users.php
@@ -216,7 +216,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])
 message_die(GENERAL_MESSAGE, $message);
 }
- $username = ( !empty($HTTP_POST_VARS['username']) ) ? trim(strip_tags( $HTTP_POST_VARS['username'] ) ) : '';
+ $username = ( !empty($HTTP_POST_VARS['username']) ) ? trim(strip_tags(htmlspecialchars($HTTP_POST_VARS['username']))) : '';
 $email = ( !empty($HTTP_POST_VARS['email']) ) ? trim(strip_tags(htmlspecialchars( $HTTP_POST_VARS['email'] ) )) : '';
 $password = ( !empty($HTTP_POST_VARS['password']) ) ? trim(strip_tags(htmlspecialchars( $HTTP_POST_VARS['password'] ) )) : '';
@@ -736,7 +736,7 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])
 // Now parse and display it as a template
 //
 $user_id = $this_userdata['user_id'];
- $username = htmlspecialchars($this_userdata['username']);
+ $username = $this_userdata['username'];
 $email = $this_userdata['user_email'];
 $password = '';
 $password_confirm = '';
diff --git a/phpBB/groupcp.php b/phpBB/groupcp.php
index 7a88fef9a7..ec6fdd80a9 100644
--- a/phpBB/groupcp.php
+++ b/phpBB/groupcp.php
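Review bot: In phpBB/admin/admin_users.php, hunk at line 216, `strip_tags()` now runs on the output of `htmlspecialchars()`, so it has no `<` or `>` left to strip, and markup in a submitted name is stored escaped instead of removed. If storing it escaped is the intent, drop the dead call: `$username = ( !empty($HTTP_POST_VARS['username']) ) ? trim(htmlspecialchars($HTTP_POST_VARS['username'])) : '';`. This commit also normalises the same lookup key three different ways: here with `strip_tags` and `trim`, in login.php with `trim` only, and in groupcp.php with neither. Input with surrounding whitespace can therefore match here and at login but presumably miss in the groupcp.php lookup; a single shared helper would keep the three in step. The enclosing `if` block starts and ends outside the hunk.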
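Review bot: In phpBB/admin/admin_users.php, hunk at line 736, `$username = $this_userdata['username'];` now passes the stored value to the template without output encoding, which is safe only if every row in the users table was written through an escaping path. Until this commit the save path on this same page applied `strip_tags()` alone, which leaves `"` and `&` intact, so a name stored earlier could break the markup of the edit form. Whether the other write paths escape is not visible in this diff. I would convert existing usernames in an upgrade step and record the invariant next to the assignment, for example `// username is stored HTML-escaped at input time; do not encode again here`. The surrounding block continues outside the hunk.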
@@ -471,7 +471,7 @@ else if ( $group_id )
 if ( isset($HTTP_POST_VARS['add']) )
 {
- $username = ( isset($HTTP_POST_VARS['username']) ) ? $HTTP_POST_VARS['username'] : "";
+ $username = ( isset($HTTP_POST_VARS['username']) ) ? htmlspecialchars($HTTP_POST_VARS['username']) : '';
 $sql = "SELECT user_id, user_email, user_lang, user_level FROM " . USERS_TABLE . "
diff --git a/phpBB/language/lang_english/lang_main.php b/phpBB/language/lang_english/lang_main.php
index 7d3e3fa0d2..e3c768ae4e 100644
--- a/phpBB/language/lang_english/lang_main.php
+++ b/phpBB/language/lang_english/lang_main.php
@@ -923,6 +923,7 @@ $lang['9.5'] = 'GMT + 9.5 Hours';
 $lang['10'] = 'GMT + 10 Hours';
 $lang['11'] = 'GMT + 11 Hours';
 $lang['12'] = 'GMT + 12 Hours';
+$lang['13'] = 'GMT + 13 Hours';
 // These are displayed in the timezone select box
 $lang['tz']['-12'] = 'GMT - 12 Hours';
diff --git a/phpBB/login.php b/phpBB/login.php
index 64fe4c3590..11090f2327 100644
--- a/phpBB/login.php
+++ b/phpBB/login.php
@@ -54,7 +54,7 @@ if( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) || isset($
 {
 if( ( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) ) && !$userdata['session_logged_in'] )
 {
- $username = isset($HTTP_POST_VARS['username']) ? $HTTP_POST_VARS['username'] : '';
+ $username = isset($HTTP_POST_VARS['username']) ? trim(htmlspecialchars($HTTP_POST_VARS['username'])) : '';
 $password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : '';
 $sql = "SELECT user_id, username, user_password, user_active, user_level
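Review bot: In phpBB/groupcp.php the new `htmlspecialchars()` call is the only treatment `$username` gets in this hunk before the `SELECT ... FROM " . USERS_TABLE . "` statement that follows, and HTML encoding is not SQL escaping. Under the ENT_COMPAT default that PHP used at the time, a single quote passes through unchanged. The WHERE clause lies outside the hunk, so please confirm that it escapes the value for the database before interpolating it. A comment at the assignment would keep the two concerns apart, for example `// HTML-escaped to match the stored form only; still needs SQL escaping before it goes into the query`.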
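Review bot: In phpBB/login.php the `$password` line directly below the changed `$username` line still takes the raw POST value, while the admin_users.php context lines in this same commit run the password through `trim(strip_tags(htmlspecialchars(...)))`. If both values end up hashed and compared (the hashing is outside these hunks), a password containing `&`, `<`, `>` or `"` that was set in the admin panel would not match what the user types at login. A password is never rendered as HTML, so it should not be HTML-encoded on either side; make the two paths agree and note it here, for example `// password is compared as submitted; never HTML-encode it`. The enclosing block and the SQL statement continue past the end of the hunk.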