Index: trunk/CHANGELOG
===================================================================
--- trunk/CHANGELOG	(revision 668)
+++ trunk/CHANGELOG	(revision 669)
@@ -12,7 +12,8 @@
 
 ------------------------------------- 2.7.0 -------------------------------------
 04-Feb-2008 Thomas Hornik
-!	email-addresses are excluded from search-results page.
+!	email-addresses are excluded from search-results page.
+#	Fixed possible XSS in account/login.php and forgot-form.php
 04-Feb-2008 Christian Sommer
 #	allowed usage of tags in settings fields: website_header, website_footer
 03-Feb-2008 Thomas Hornik
Index: trunk/wb/account/forgot_form.php
===================================================================
--- trunk/wb/account/forgot_form.php	(revision 668)
+++ trunk/wb/account/forgot_form.php	(revision 669)
@@ -34,7 +34,7 @@
 // Check if the user has already submitted the form, otherwise show it
 if(isset($_POST['email']) AND $_POST['email'] != "") {
 	
-	$email = $_POST['email'];
+	$email = strip_tags($_POST['email']);
 	
 	// Check if the email exists in the database
 	$query = "SELECT user_id,username,display_name,email,last_reset,password FROM ".TABLE_PREFIX."users WHERE email = '".$wb->add_slashes($_POST['email'])."'";
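Review bot: The sanitised `$email` on the added line is not the value the query two lines below uses — it still reads `$_POST['email']` directly, so the stripped value and the one looked up in the database can differ (the assignment and the query are now inconsistent). The query line should use the local variable, `$query = "SELECT user_id,username,display_name,email,last_reset,password FROM ".TABLE_PREFIX."users WHERE email = '".$wb->add_slashes($email)."'";`, and string-building the SQL with `add_slashes` should eventually give way to a parameterised query. Note also that `strip_tags()` is not an output encoding: wherever `$email` is later echoed into HTML (outside this hunk) it still needs `htmlspecialchars($email, ENT_QUOTES, 'UTF-8')`, and an address with a `<` in it is simply invalid input that could be rejected rather than rewritten. The enclosing `if` block continues past the end of the hunk.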
Index: trunk/wb/account/login.php
===================================================================
--- trunk/wb/account/login.php	(revision 668)
+++ trunk/wb/account/login.php	(revision 669)
@@ -53,7 +53,7 @@
 require_once(WB_PATH.'/framework/class.login.php');
 
 // Create new login app
-$redirect = (isset($_REQUEST['redirect'])) ? $_REQUEST['redirect'] : '';
+$redirect = strip_tags((isset($_REQUEST['redirect'])) ? $_REQUEST['redirect'] : '');
 $thisApp = new Login(
 							array(
 									"MAX_ATTEMPS" => "3",
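Review bot: Wrapping `$redirect` in `strip_tags()` on the added line only removes tag syntax; it does not neutralise a value that is later placed inside an HTML attribute or used as a raw redirect target, and since `$_REQUEST` also accepts cookie and GET input the value remains fully attacker-controlled. The safer shape is to keep the raw value here and escape at the point of output, e.g. `htmlspecialchars($redirect, ENT_QUOTES, 'UTF-8')` where it is written into the page, and to validate that the target is a relative path on this site (for instance `strpos($redirect, '/') === 0 && strpos($redirect, '//') !== 0`) before it is used for redirection. How `$redirect` is consumed is inside the `Login` class, outside this hunk, so that part is inferred; the `new Login(` call also continues past the end of the hunk.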
