From c83d4598de48883dccfcc51d7aaf9792f5d0c819 Mon Sep 17 00:00:00 2001
From: Jana Cupova <root@localhost>
Date: Feb 07 2022 08:36:59 +0000
Subject: Escape html values


Fixes: https://pagure.io/koji/issue/3155

---
diff --git a/www/kojiweb/archiveinfo.chtml b/www/kojiweb/archiveinfo.chtml
index 13ce2c0..9acb5e0 100644
--- a/www/kojiweb/archiveinfo.chtml
+++ b/www/kojiweb/archiveinfo.chtml
@@ -6,7 +6,7 @@
 #attr _PASSTHROUGH = ['archiveID', 'fileOrder', 'fileStart', 'buildrootOrder', 'buildrootStart']
 
 #include "includes/header.chtml"
-  <h4>Information for archive <a href="archiveinfo?archiveID=$archive.id">$archive.filename</a></h4>
+  <h4>Information for archive <a href="archiveinfo?archiveID=$archive.id">$util.escapeHTML($archive.filename)</a></h4>
 
   <table>
     <tr>
@@ -16,7 +16,7 @@
     #if $wininfo
       <th>File Name</th><td>$koji.pathinfo.winfile($archive)</td>
     #else
-      <th>File Name</th><td>$archive.filename</td>
+      <th>File Name</th><td>$util.escapeHTML($archive.filename)</td>
     #end if
     </tr>
     #if $archive.metadata_only
@@ -25,7 +25,7 @@
     </tr>
     #end if
     <tr>
-      <th>File Type</th><td>$archive_type.description</td>
+      <th>File Type</th><td>$util.escapeHTML($archive_type.description)</td>
     </tr>
     <tr>
       <th>Build</th><td><a href="buildinfo?buildID=$build.id">$koji.buildLabel($build)</a></td>
@@ -97,7 +97,7 @@
           </tr>
           #for $file in $files
           <tr class="$util.rowToggle($self)">
-            <td><a href="fileinfo?archiveID=$archive.id&filename=$quote($file.name)">$file.name</a></td><td><span title="$util.formatThousands($file.size)">$util.formatNatural($file.size)</span></td>
+            <td><a href="fileinfo?archiveID=$archive.id&filename=$quote($file.name)">$util.escapeHTML($file.name)</a></td><td><span title="$util.formatThousands($file.size)">$util.formatNatural($file.size)</span></td>
           </tr>
           #end for
         </table>
diff --git a/www/kojiweb/archivelist.chtml b/www/kojiweb/archivelist.chtml
index 8d11857..c9f3149 100644
--- a/www/kojiweb/archivelist.chtml
+++ b/www/kojiweb/archivelist.chtml
@@ -13,7 +13,7 @@ buildrootID=$buildroot.id #slurp
   #if $type == 'component'
   <h4>Component Archives of buildroot <a href="buildrootinfo?buildrootID=$buildroot.id">$util.brLabel($buildroot)</a></h4>
   #elif $type == 'image'
-  <h4>Archives installed in <a href="archiveinfo?archiveID=$image.id">$image.filename</a></h4>
+  <h4>Archives installed in <a href="archiveinfo?archiveID=$image.id">$util.escapeHTML($image.filename)</a></h4>
   #else
   <h4>Archives built in buildroot <a href="buildrootinfo?buildrootID=$buildroot.id">$util.brLabel($buildroot)</a></h4>
   #end if
@@ -52,8 +52,8 @@ buildrootID=$buildroot.id #slurp
     #if $len($archives) > 0
     #for $archive in $archives
     <tr class="$util.rowToggle($self)">
-      <td><a href="archiveinfo?archiveID=$archive.id">$archive.filename</a></td>
-      <td>$archive.type_name</td>
+      <td><a href="archiveinfo?archiveID=$archive.id">$util.escapeHTML($archive.filename)</a></td>
+      <td>$util.escapeHTML($archive.type_name)</td>
       #if $type == 'component'
       #set $project = $archive.project and 'yes' or 'no'
       <td class="$project">$util.imageTag($project)</td>
diff --git a/www/kojiweb/buildinfo.chtml b/www/kojiweb/buildinfo.chtml
index ff0d574..d905007 100644
--- a/www/kojiweb/buildinfo.chtml
+++ b/www/kojiweb/buildinfo.chtml
@@ -13,7 +13,7 @@
       <th>ID</th><td>$build.id</td>
     </tr>
     <tr>
-      <th>Package Name</th><td><a href="packageinfo?packageID=$build.package_id">$build.package_name</a></td>
+      <th>Package Name</th><td><a href="packageinfo?packageID=$build.package_id">$util.escapeHTML($build.package_name)</a></td>
     </tr>
     <tr>
       <th>Version</th><td>$build.version</td>
@@ -61,7 +61,7 @@
     </tr>
     #end if
     <tr>
-      <th>Built by</th><td class="user-$build.owner_name"><a href="userinfo?userID=$build.owner_id">$build.owner_name</a></td>
+      <th>Built by</th><td class="user-$build.owner_name"><a href="userinfo?userID=$build.owner_id">$util.escapeHTML($build.owner_name)</a></td>
     </tr>
     <tr>
       #set $stateName = $util.stateName($build.state)
@@ -76,7 +76,7 @@
     </tr>
     <tr>
       <th>Volume</th>
-      <td>$build.volume_name</td>
+      <td>$util.escapeHTML($build.volume_name)</td>
     </tr>
     <tr>
       <th>Started</th><td>$util.formatTimeLong($start_ts)</td>
@@ -94,7 +94,7 @@
     #end if
     #if $build.cg_id
     <tr>
-      <th>Content generator</th><td>$build.cg_name</td>
+      <th>Content generator</th><td>$util.escapeHTML($build.cg_name)</td>
     </tr>
     #end if
     #if $task
@@ -114,7 +114,7 @@
         <table class="nested">
           #for $tag in $tags
           <tr>
-            <td><a href="taginfo?tagID=$tag.id">$tag.name</a></td>
+            <td><a href="taginfo?tagID=$tag.id">$util.escapeHTML($tag.name)</a></td>
           </tr>
           #end for
         </table>
@@ -219,7 +219,7 @@
           <tr>
             <td/>
             <td>
-            <a href="$loginfo.dl_url">$loginfo.name</a>
+            <a href="$loginfo.dl_url">$util.escapeHTML($loginfo.name)</a>
             </td>
           </tr>
           #end for
diff --git a/www/kojiweb/buildrootinfo.chtml b/www/kojiweb/buildrootinfo.chtml
index 7d1d4de..00ef53d 100644
--- a/www/kojiweb/buildrootinfo.chtml
+++ b/www/kojiweb/buildrootinfo.chtml
@@ -8,10 +8,10 @@
 
   <table>
     <tr>
-      <th>Host</th><td><a href="hostinfo?hostID=$buildroot.host_id">$buildroot.host_name</a></td>
+      <th>Host</th><td><a href="hostinfo?hostID=$buildroot.host_id">$util.escapeHTML($buildroot.host_name)</a></td>
     </tr>
     <tr>
-      <th>Arch</th><td>$buildroot.arch</td>
+      <th>Arch</th><td>$util.escapeHTML($buildroot.arch)</td>
     </tr>
     <tr>
       <th>ID</th><td>$buildroot.id</td>
@@ -32,7 +32,7 @@
       <th>Repo ID</th><td><a href="repoinfo?repoID=$buildroot.repo_id">$buildroot.repo_id</a></td>
     </tr>
     <tr>
-      <th>Repo Tag</th><td><a href="taginfo?tagID=$buildroot.tag_id">$buildroot.tag_name</a></td>
+      <th>Repo Tag</th><td><a href="taginfo?tagID=$buildroot.tag_id">$util.escapeHTML($buildroot.tag_name)</a></td>
     </tr>
     <tr>
       <th>Repo State</th><td>$util.imageTag($util.repoStateName($buildroot.repo_state))</td>
diff --git a/www/kojiweb/buildrootinfo_cg.chtml b/www/kojiweb/buildrootinfo_cg.chtml
index 8d2933d..2f2a9b4 100644
--- a/www/kojiweb/buildrootinfo_cg.chtml
+++ b/www/kojiweb/buildrootinfo_cg.chtml
@@ -11,19 +11,19 @@
       <th>ID</th><td>$buildroot.id</td>
     </tr>
     <tr>
-      <th>Host OS</th><td>$buildroot.host_os</td>
+      <th>Host OS</th><td>$util.escapeHTML($buildroot.host_os)</td>
     </tr>
     <tr>
-      <th>Host Arch</th><td>$buildroot.host_arch</td>
+      <th>Host Arch</th><td>$util.escapeHTML($buildroot.host_arch)</td>
     </tr>
     <tr>
-      <th>Content Generator</th><td>$buildroot.cg_name ($buildroot.cg_version)</td>
+      <th>Content Generator</th><td>$util.escapeHTML($buildroot.cg_name) ($buildroot.cg_version)</td>
     </tr>
     <tr>
-      <th>Container Type</th><td>$buildroot.container_type</td>
+      <th>Container Type</th><td>$util.escapeHTML($buildroot.container_type)</td>
     </tr>
     <tr>
-      <th>Container Arch</th><td>$buildroot.container_arch</td>
+      <th>Container Arch</th><td>$util.escapeHTML($buildroot.container_arch)</td>
     </tr>
     #if $buildroot.get('extra')
     <tr>
diff --git a/www/kojiweb/builds.chtml b/www/kojiweb/builds.chtml
index 843955d..50fb113 100644
--- a/www/kojiweb/builds.chtml
+++ b/www/kojiweb/builds.chtml
@@ -5,7 +5,7 @@
 
 #include "includes/header.chtml"
 
-  <h4>#if $latest then 'Latest ' else ''##if $state != None then $util.stateName($state).capitalize() + ' ' else ''##if $type then $type.capitalize() + ' ' else ''#Builds#if $package then ' of <a href="packageinfo?packageID=%i">%s</a>' % ($package.id, $package.name) else ''##if $prefix then ' starting with "%s"' % $prefix else ''##if $user then ' by <a href="userinfo?userID=%i">%s</a>' % ($user.id, $user.name) else ''##if $tag then ' in tag <a href="taginfo?tagID=%i">%s</a>' % ($tag.id, $tag.name) else ''#</h4>
+  <h4>#if $latest then 'Latest ' else ''##if $state != None then $util.stateName($state).capitalize() + ' ' else ''##if $type then $type.capitalize() + ' ' else ''#Builds#if $package then ' of <a href="packageinfo?packageID=%i">%s</a>' % ($package.id, $util.escapeHTML($package.name)) else ''##if $prefix then ' starting with "%s"' % $prefix else ''##if $user then ' by <a href="userinfo?userID=%i">%s</a>' % ($user.id, $util.escapeHTML($user.name)) else ''##if $tag then ' in tag <a href="taginfo?tagID=%i">%s</a>' % ($tag.id, $util.escapeHTML($tag.name)) else ''#</h4>
 
   <table class="data-list">
     <tr>
@@ -38,7 +38,7 @@
           <option value="$loggedInUser.name">me</option>
           #end if
           #for $userOption in $users
-          <option value="$userOption.name" #if $userOption.name == ($user and $user.name or None) then 'selected="selected"' else ''#>$userOption.name</option>
+          <option value="$userOption.name" #if $userOption.name == ($user and $user.name or None) then 'selected="selected"' else ''#>$util.escapeHTML($userOption.name)</option>
           #end for
         </select>
         </td></tr>
@@ -124,9 +124,9 @@
           <td>$build.build_id</td>
           <td><a href="buildinfo?buildID=$build.build_id">$koji.buildLabel($build)</a></td>
           #if $tag
-          <td><a href="taginfo?tagID=$build.tag_id">$build.tag_name</a></td>
+          <td><a href="taginfo?tagID=$build.tag_id">$util.escapeHTML($build.tag_name)</a></td>
           #end if
-          <td class="user-$build.owner_name"><a href="userinfo?userID=$build.owner_id">$build.owner_name</a></td>
+          <td class="user-$build.owner_name"><a href="userinfo?userID=$build.owner_id">$util.escapeHTML($build.owner_name)</a></td>
           <td>$util.formatTime($build.completion_time)</td>
           #set $stateName = $util.stateName($build.state)
           <td class="$stateName">$util.stateImage($build.state)</td>
diff --git a/www/kojiweb/buildsbytarget.chtml b/www/kojiweb/buildsbytarget.chtml
index 97a7e7b..84f286b 100644
--- a/www/kojiweb/buildsbytarget.chtml
+++ b/www/kojiweb/buildsbytarget.chtml
@@ -1,4 +1,5 @@
 #from kojiweb import util
+#from urllib.parse import quote
 
 #def printOption(value, label=None)
 #if not $label
@@ -61,7 +62,7 @@
     #if $len($targets) > 0
     #for $target in $targets
     <tr class="$util.rowToggle($self)">
-      <td><a href="buildtargetinfo?name=$target.name">$target.name</a></td>
+      <td><a href="buildtargetinfo?name=$quote($target.name)">$util.escapeHTML($target.name)</a></td>
       <td width="#echo $graphWidth + 5#"><img src=$util.themePath('images/1px.gif') width="#echo $increment * $target.builds#" height="15" class="graphrow" alt="graph row"/></td>
       <td>$target.builds</td>
     </tr>
diff --git a/www/kojiweb/buildsbyuser.chtml b/www/kojiweb/buildsbyuser.chtml
index 002f645..ad523fc 100644
--- a/www/kojiweb/buildsbyuser.chtml
+++ b/www/kojiweb/buildsbyuser.chtml
@@ -35,7 +35,7 @@
     #if $len($userBuilds) > 0
     #for $userBuild in $userBuilds
     <tr class="$util.rowToggle($self)">
-      <td><a href="userinfo?userID=$userBuild.id">$userBuild.name</a></td>
+      <td><a href="userinfo?userID=$userBuild.id">$util.escapeHTML($userBuild.name)</a></td>
       <td width="#echo $graphWidth + 5#"><img src="$util.themePath('images/1px.gif')" width="#echo $increment * $userBuild.builds#" height="15" class="graphrow" alt="graph row"/></td>
       <td>$userBuild.builds</td>
     </tr>
diff --git a/www/kojiweb/buildtargetedit.chtml b/www/kojiweb/buildtargetedit.chtml
index 647a87c..b024d36 100644
--- a/www/kojiweb/buildtargetedit.chtml
+++ b/www/kojiweb/buildtargetedit.chtml
@@ -3,7 +3,7 @@
 #include "includes/header.chtml"
 
   #if $target
-  <h4>Edit target $target.name</h4>
+  <h4>Edit target $util.escapeHTML($target.name)</h4>
   #else
   <h4>Create build target</h4>
   #end if
@@ -17,7 +17,7 @@
       <tr>
         <th>Name</th>
       <td>
-        <input type="text" name="name" size="50" value="#if $target then $target.name else ''#"/>
+        <input type="text" name="name" size="50" value="#if $target then $util.escapeHTML($target.name) else ''#"/>
       </td>
     </tr>
     #if $target
@@ -31,7 +31,7 @@
         <select name="buildTag">
           <option value="">select tag</option>
           #for $tag in $tags
-          <option value="$tag.id"#if $target and $target.build_tag == $tag.id then ' selected="selected"' else ''#>$tag.name</option>
+          <option value="$tag.id"#if $target and $target.build_tag == $tag.id then ' selected="selected"' else ''#>$util.escapeHTML($tag.name)</option>
           #end for
         </select>
       </td>
@@ -42,7 +42,7 @@
         <select name="destTag">
           <option value="">select tag</option>
           #for $tag in $tags
-          <option value="$tag.id"#if $target and $target.dest_tag == $tag.id then ' selected="selected"' else ''#>$tag.name</option>
+          <option value="$tag.id"#if $target and $target.dest_tag == $tag.id then ' selected="selected"' else ''#>$util.escapeHTML($tag.name)</option>
           #end for
         </select>
       </td>
diff --git a/www/kojiweb/buildtargetinfo.chtml b/www/kojiweb/buildtargetinfo.chtml
index 42a51f6..55b1053 100644
--- a/www/kojiweb/buildtargetinfo.chtml
+++ b/www/kojiweb/buildtargetinfo.chtml
@@ -2,20 +2,20 @@
 
 #include "includes/header.chtml"
 
-  <h4>Information for target <a href="buildtargetinfo?targetID=$target.id">$target.name</a></h4>
+  <h4>Information for target <a href="buildtargetinfo?targetID=$target.id">$util.escapeHTML($target.name)</a></h4>
 
   <table>
     <tr>
-      <th>Name</th><td>$target.name</td>
+      <th>Name</th><td>$util.escapeHTML($target.name)</td>
     </tr>
     <tr>
       <th>ID</th><td>$target.id</td>
     </tr>
     <tr>
-      <th>Build Tag</th><td><a href="taginfo?tagID=$buildTag.id">$buildTag.name</a></td>
+      <th>Build Tag</th><td><a href="taginfo?tagID=$buildTag.id">$util.escapeHTML($buildTag.name)</a></td>
     </tr>
     <tr>
-      <th>Destination Tag</th><td><a href="taginfo?tagID=$destTag.id">$destTag.name</a></td>
+      <th>Destination Tag</th><td><a href="taginfo?tagID=$destTag.id">$util.escapeHTML($destTag.name)</a></td>
     </tr>
     #if 'admin' in $perms
     <tr>
diff --git a/www/kojiweb/buildtargets.chtml b/www/kojiweb/buildtargets.chtml
index ad02cbd..08eeab2 100644
--- a/www/kojiweb/buildtargets.chtml
+++ b/www/kojiweb/buildtargets.chtml
@@ -35,7 +35,7 @@
     #for $target in $targets
     <tr class="$util.rowToggle($self)">
       <td>$target.id</td>
-      <td><a href="buildtargetinfo?targetID=$target.id">$target.name</a></td>
+      <td><a href="buildtargetinfo?targetID=$target.id">$util.escapeHTML($target.name)</a></td>
     </tr>
     #end for
     #else
diff --git a/www/kojiweb/channelinfo.chtml b/www/kojiweb/channelinfo.chtml
index 2207365..63a2d47 100644
--- a/www/kojiweb/channelinfo.chtml
+++ b/www/kojiweb/channelinfo.chtml
@@ -2,7 +2,7 @@
 
 #include "includes/header.chtml"
 
-  <h4>Information for channel <a href="channelinfo?channelID=$channel.id">$channel.name</a></h4>
+  <h4>Information for channel <a href="channelinfo?channelID=$channel.id">$util.escapeHTML($channel.name)</a></h4>
 
   <table>
     <tr>
@@ -39,7 +39,7 @@
         </tr>
       #for $host in $hosts
         <tr class="$util.rowToggle($self)">
-          <td><a href="hostinfo?hostID=$host.id">$host.name</a></td>
+          <td><a href="hostinfo?hostID=$host.id">$util.escapeHTML($host.name)</a></td>
           <td class="$str($bool($host.enabled)).lower()">#if $host.enabled then $util.imageTag('yes') else $util.imageTag('no')#</td>
           <td class="$str($bool($host.ready)).lower()">#if $host.ready then $util.imageTag('yes') else $util.imageTag('no')#</td>
         </tr>
diff --git a/www/kojiweb/clusterhealth.chtml b/www/kojiweb/clusterhealth.chtml
index 5f1ab61..be4862d 100644
--- a/www/kojiweb/clusterhealth.chtml
+++ b/www/kojiweb/clusterhealth.chtml
@@ -59,7 +59,7 @@
     #for $channel in $channels
     <tr>
       <th>
-          <a href="channelinfo?channelID=$channel['id']">$channel['name']</a>
+          <a href="channelinfo?channelID=$channel['id']">$util.escapeHTML($channel['name'])</a>
           #if not $channel['enabled_channel']
           [disabled]
           #end if
diff --git a/www/kojiweb/externalrepoinfo.chtml b/www/kojiweb/externalrepoinfo.chtml
index 140331a..aa48ae6 100644
--- a/www/kojiweb/externalrepoinfo.chtml
+++ b/www/kojiweb/externalrepoinfo.chtml
@@ -2,24 +2,24 @@
 
 #include "includes/header.chtml"
 
-  <h4>Information for external repo <a href="externalrepoinfo?extrepoID=$extRepo.id">$extRepo.name</a></h4>
+  <h4>Information for external repo <a href="externalrepoinfo?extrepoID=$extRepo.id">$util.escapeHTML($extRepo.name)</a></h4>
 
   <table>
     <tr>
-      <th>Name</th><td>$extRepo.name</td>
+      <th>Name</th><td>$util.escapeHTML($extRepo.name)</td>
     </tr>
     <tr>
       <th>ID</th><td>$extRepo.id</td>
     </tr>
     <tr>
-      <th>URL</th><td><a href="$extRepo.url">$extRepo.url</a></td>
+      <th>URL</th><td><a href="$util.escapeHTML($extRepo.url)">$util.escapeHTML($extRepo.url)</a></td>
     </tr>
     <tr>
       <th>Tags using this external repo</th>
       <td>
 	#if $len($repoTags)
 	#for $tag in $repoTags
-	<a href="taginfo?tagID=$tag.tag_id">$tag.tag_name</a><br/>
+	<a href="taginfo?tagID=$tag.tag_id">$util.escapeHTML($tag.tag_name)</a><br/>
 	#end for
 	#else
 	No tags
diff --git a/www/kojiweb/fileinfo.chtml b/www/kojiweb/fileinfo.chtml
index 4631c78..2a19b6b 100644
--- a/www/kojiweb/fileinfo.chtml
+++ b/www/kojiweb/fileinfo.chtml
@@ -4,14 +4,14 @@
 
 #include "includes/header.chtml"
   #if $rpm
-  <h4>Information for file <a href="fileinfo?rpmID=$rpm.id&amp;filename=$quote($file.name)">$file.name</a></h4>
+  <h4>Information for file <a href="fileinfo?rpmID=$rpm.id&amp;filename=$quote($file.name)">$util.escapeHTML($file.name)</a></h4>
   #elif $archive
-  <h4>Information for file <a href="fileinfo?archiveID=$archive.id&amp;filename=$quote($file.name)">$file.name</a></h4>
+  <h4>Information for file <a href="fileinfo?archiveID=$archive.id&amp;filename=$quote($file.name)">$util.escapeHTML($file.name)</a></h4>
   #end if
 
   <table>
     <tr>
-      <th>Name</th><td>$file.name</td>
+      <th>Name</th><td>$util.escapeHTML($file.name)</td>
     </tr>
     #if $rpm
     <tr>
@@ -28,12 +28,12 @@
     #end if
     #if 'user' in $file and $file.user
     <tr>
-      <th>User</th><td>$file.user</td>
+      <th>User</th><td>$util.escapeHTML($file.user)</td>
     </tr>
     #end if
     #if 'group' in $file and $file.group
     <tr>
-      <th>Group</th><td>$file.group</td>
+      <th>Group</th><td>$util.escapeHTML($file.group)</td>
     </tr>
     #end if
     #if 'mode' in $file and $file.mode
@@ -56,7 +56,7 @@
     </tr>
     #elif $archive
     <tr>
-      <th>Archive</th><td><a href="archiveinfo?archiveID=$archive.id">$archive.filename</a></td>
+      <th>Archive</th><td><a href="archiveinfo?archiveID=$archive.id">$util.escapeHTML($archive.filename)</a></td>
     </tr>
     #end if
   </table>
diff --git a/www/kojiweb/hostedit.chtml b/www/kojiweb/hostedit.chtml
index 00a64c9..bdb342d 100644
--- a/www/kojiweb/hostedit.chtml
+++ b/www/kojiweb/hostedit.chtml
@@ -2,14 +2,14 @@
 
 #include "includes/header.chtml"
 
-  <h4>Edit host $host.name</h4>
+  <h4>Edit host $util.escapeHTML($host.name)</h4>
 
   <form action="hostedit">
     $util.authToken($self, form=True)
     <table>
       <tr>
         <th>Name</th>
-        <td>$host.name</td>
+        <td>$util.escapeHTML($host.name)</td>
       </tr>
       <tr>
         <th>ID</th>
@@ -20,7 +20,7 @@
       </tr>
       <tr>
         <th>Arches</th>
-        <td><input type="text" name="arches" value="$host.arches"/></td>
+        <td><input type="text" name="arches" value=$util.escapeHTML("$host.arches)"/></td>
       </tr>
       <tr>
         <th>Capacity</th>
@@ -43,7 +43,7 @@
         <td>
           <select name="channels" multiple="multiple">
             #for $channel in $allChannels
-            <option value="$channel.name" #if $channel in $hostChannels then 'selected="selected"' else ''#>$channel.name</option>
+            <option value="$channel.name" #if $channel in $hostChannels then 'selected="selected"' else ''#>$util.escapeHTML($channel.name)</option>
             #end for
           </select>
         </td>
diff --git a/www/kojiweb/hostinfo.chtml b/www/kojiweb/hostinfo.chtml
index 92d335b..883df3f 100644
--- a/www/kojiweb/hostinfo.chtml
+++ b/www/kojiweb/hostinfo.chtml
@@ -2,17 +2,17 @@
 
 #include "includes/header.chtml"
 
-  <h4>Information for host <a href="hostinfo?hostID=$host.id">$host.name</a></h4>
+  <h4>Information for host <a href="hostinfo?hostID=$host.id">$util.escapeHTML($host.name)</a></h4>
 
   <table>
     <tr>
-      <th>Name</th><td>$host.name</td>
+      <th>Name</th><td>$util.escapeHTML($host.name)</td>
     </tr>
     <tr>
       <th>ID</th><td>$host.id</td>
     </tr>
     <tr>
-      <th>Arches</th><td>$host.arches</td>
+      <th>Arches</th><td>$util.escapeHTML($host.arches)</td>
     </tr>
     <tr>
       <th>Capacity</th><td>$host.capacity</td>
@@ -51,7 +51,7 @@
       <th>Channels</th>
       <td>
         #for $channel in $channels
-        <a href="channelinfo?channelID=$channel.id" class="$channel.enabled">$channel.name</a><br/>
+        <a href="channelinfo?channelID=$channel.id" class="$channel.enabled">$util.escapeHTML($channel.name)</a><br/>
         #end for
         #if not $channels
         No channels
@@ -68,7 +68,7 @@
           </tr>
           #for $buildroot in $buildroots
           <tr class="$util.rowToggle($self)">
-            <td><a href="buildrootinfo?buildrootID=$buildroot.id">$buildroot.tag_name-$buildroot.id-$buildroot.repo_id</a></td>
+            <td><a href="buildrootinfo?buildrootID=$buildroot.id">$util.escapeHTML($buildroot.tag_name)-$buildroot.id-$buildroot.repo_id</a></td>
             <td>$util.formatTime($buildroot.create_event_time)</td>
             <td>$util.imageTag($util.brStateName($buildroot.state))</td>
           </tr>
diff --git a/www/kojiweb/hosts.chtml b/www/kojiweb/hosts.chtml
index 4eceb66..30cf775 100644
--- a/www/kojiweb/hosts.chtml
+++ b/www/kojiweb/hosts.chtml
@@ -58,7 +58,7 @@ in $channel channel
               <select name="channel" class="filterlist" onchange="javascript: window.location = 'hosts?channel=' + this.value + '$util.passthrough_except($self, 'channel')';">
                 <option value="all" #if not $channel then 'selected="selected"' else ''#>all</option>
                 #for $chan in $channels
-                <option value="$chan.name" #if $chan.name == $channel then 'selected="selected"' else ''#>$chan.name</option>
+                <option value="$chan.name" #if $chan.name == $channel then 'selected="selected"' else ''#>$util.escapeHTML($chan.name)</option>
                 #end for
               </select>
           </td>
@@ -120,11 +120,11 @@ in $channel channel
       #for $host in $hosts
         <tr class="$util.rowToggle($self)">
           <td>$host.id</td>
-          <td><a href="hostinfo?hostID=$host.id">$host.name</a></td>
+          <td><a href="hostinfo?hostID=$host.id">$util.escapeHTML($host.name)</a></td>
           <td>$host.arches</td>
           <td>
               #for $channame, $chan_id, $chan_enabled in zip($host.channels, $host.channels_id, $host.channels_enabled)
-                <a href="channelinfo?channelID=$chan_id" class="$chan_enabled">$channame</a>
+                <a href="channelinfo?channelID=$chan_id" class="$chan_enabled">$util.escapeHTML($channame)</a>
               #end for
           </td>
           <td class="$str($bool($host.enabled)).lower()">#if $host.enabled then $util.imageTag('yes') else $util.imageTag('no')#</td>
diff --git a/www/kojiweb/imageinfo.chtml b/www/kojiweb/imageinfo.chtml
index d490435..4bbc849 100644
--- a/www/kojiweb/imageinfo.chtml
+++ b/www/kojiweb/imageinfo.chtml
@@ -5,23 +5,23 @@
 
 #include "includes/header.chtml"
 
-<h4>Information for image <a href="imageinfo?imageID=$image.id">$image.filename</a></h4>
+<h4>Information for image <a href="imageinfo?imageID=$image.id">$util.escapeHTML($image.filename)</a></h4>
 
 <table>
   <tr>
     <th>ID</th><td>$image.id</td>
   </tr>
   <tr>
-    <th>File Name</th><td>$image.filename</a></td>
+    <th>File Name</th><td>$util.escapeHTML($image.filename)</a></td>
   </tr>
   <tr>
     <th>File Size</th><td><span title="$util.formatThousands($image.filesize)">$util.formatNatural($image.filesize)</span></td>
   </tr>
   <tr>
-    <th>Arch</th><td>$image.arch</td>
+    <th>Arch</th><td>$util.escapeHTML($image.arch)</td>
   </tr>
   <tr>
-    <th>Media Type</th><td>$image.mediatype</td>
+    <th>Media Type</th><td>$util.escapeHTML($image.mediatype)</td>
   </tr>
   <tr>
     #if $len($image.hash) == 32
@@ -42,7 +42,7 @@
     <th>Task</th><td><a href="taskinfo?taskID=$task.id" class="task$util.taskState($task.state)">$koji.taskLabel($task)</a></td>
   </tr>
   <tr>
-    <th>Buildroot</th><td><a href="buildrootinfo?buildrootID=$buildroot.id">/var/lib/mock/$buildroot.tag_name-$buildroot.id-$buildroot.repo_id</a></td>
+    <th>Buildroot</th><td><a href="buildrootinfo?buildrootID=$buildroot.id">$util.escapeHTML(/var/lib/mock/$buildroot.tag_name-$buildroot.id-$buildroot.repo_id)</a></td>
   </tr>
   <tr>
     <th colspan="2"><a href="rpmlist?imageID=$image.id&amp;type=image" title="RPMs that where installed into the LiveCD">Included RPMs</a></th>
diff --git a/www/kojiweb/index.chtml b/www/kojiweb/index.chtml
index ab14d0c..9aab309 100644
--- a/www/kojiweb/index.chtml
+++ b/www/kojiweb/index.chtml
@@ -20,9 +20,9 @@
     <tr class="$util.rowToggle($self)">
       #set $stateName = $util.stateName($build.state)
       <td>$build.build_id</td>
-      <td><a href="buildinfo?buildID=$build.build_id">$build.nvr</a></td>
+      <td><a href="buildinfo?buildID=$build.build_id">$util.escapeHTML($build.nvr)</a></td>
       #if not $user
-      <td class="user-$build.owner_name"><a href="userinfo?userID=$build.owner_id">$build.owner_name</a></td>
+      <td class="user-$build.owner_name"><a href="userinfo?userID=$build.owner_id">$util.escapeHTML($build.owner_name)</a></td>
       #end if
       <td>$util.formatTime($build.completion_ts)</td>
       <td class="$stateName">$util.stateImage($build.state)</td>
@@ -58,9 +58,9 @@
       #if not $user
       <td class="user-$task.owner_name">
         #if $task.owner_type == $koji.USERTYPES['HOST']
-        <a href="hostinfo?userID=$task.owner">$task.owner_name</a>
+        <a href="hostinfo?userID=$task.owner">$util.escapeHTML($task.owner_name)</a>
         #else
-        <a href="userinfo?userID=$task.owner">$task.owner_name</a>
+        <a href="userinfo?userID=$task.owner">$util.escapeHTML($task.owner_name)</a>
         #end if
       </td>
       #end if
@@ -111,8 +111,8 @@
     </tr>
     #for $package in $packages
     <tr class="$util.rowToggle($self)">
-      <td><a href="packageinfo?packageID=$package.package_id">$package.package_name</a></td>
-      <td><a href="taginfo?tagID=$package.tag_id">$package.tag_name</a></td>
+      <td><a href="packageinfo?packageID=$package.package_id">$util.escapeHTML($package.package_name)</a></td>
+      <td><a href="taginfo?tagID=$package.tag_id">$util.escapeHTML($package.tag_name)</a></td>
       #set $included = $package.blocked and 'no' or 'yes'
       <td>$util.imageTag($included)</td>
     </tr>
@@ -140,8 +140,8 @@
     </tr>
     #for $notif in $notifs
     <tr class="$util.rowToggle($self)">
-      <td>#if $notif.package then $notif.package.name else 'all'#</td>
-      <td>#if $notif.tag then $notif.tag.name else 'all'#</td>
+      <td>#if $notif.package then $util.escapeHTML($notif.package.name) else 'all'#</td>
+      <td>#if $notif.tag then $util.escapeHTML($notif.tag.name) else 'all'#</td>
       <td>#if $notif.success_only then 'success only' else 'all'#</td>
       <td><a href="notificationedit?notificationID=$notif.id$util.authToken($self)">edit</a></td>
       <td><a href="notificationdelete?notificationID=$notif.id$util.authToken($self)">delete</a></td>
diff --git a/www/kojiweb/index.py b/www/kojiweb/index.py
index 8525c8f..2538cd4 100644
--- a/www/kojiweb/index.py
+++ b/www/kojiweb/index.py
@@ -43,11 +43,6 @@ def _sortbyname(x):
     return x['name']
 
 
-# regexps for input checking
-_VALID_SEARCH_CHARS = r"""a-zA-Z0-9"""
-_VALID_SEARCH_SYMS = r""" @.,_/\()%+-~*?|[]^$"""
-_VALID_SEARCH_RE = re.compile('^[' + _VALID_SEARCH_CHARS + re.escape(_VALID_SEARCH_SYMS) + ']+$')
-
 _VALID_ARCH_RE = re.compile(r'^[\w-]+$', re.ASCII)
 
 
@@ -61,14 +56,12 @@ def _validate_arch(arch):
         raise koji.GenericError("No such arch: %r" % arch)
 
 
-def _validate_name_or_id(value):
-    # integer ID or label, it is unicode alnum + search symbols (reasonable expectation?)
+def _convert_if_int(value):
+    # if value is digit, converts value to integer, otherwise it returns raw value
     if value.isdigit():
         return int(value)
-    elif _VALID_SEARCH_RE.match(value):
-        return value
     else:
-        raise koji.GenericError("Invalid int/label value: %r" % value)
+        return value
 
 
 # loggers
@@ -540,7 +533,7 @@ def tasks(environ, owner=None, state='active', view='tree', method='all', hostID
 
     opts = {'decode': True}
     if owner:
-        owner = _validate_name_or_id(owner)
+        owner = _convert_if_int(owner)
         ownerObj = server.getUser(owner, strict=True)
         opts['owner'] = ownerObj['id']
         values['owner'] = ownerObj['name']
@@ -598,7 +591,7 @@ def tasks(environ, owner=None, state='active', view='tree', method='all', hostID
     values['state'] = state
 
     if hostID:
-        hostID = int(hostID)
+        hostID = _convert_if_int(hostID)
         host = server.getHost(hostID, strict=True)
         opts['host_id'] = host['id']
         values['host'] = host
@@ -608,7 +601,7 @@ def tasks(environ, owner=None, state='active', view='tree', method='all', hostID
         values['hostID'] = None
 
     if channelID:
-        channelID = _validate_name_or_id(channelID)
+        channelID = _convert_if_int(channelID)
         channel = server.getChannel(channelID, strict=True)
         opts['channel_id'] = channel['id']
         values['channel'] = channel
@@ -916,13 +909,13 @@ def packages(environ, tagID=None, userID=None, order='package_name', start=None,
     server = _getServer(environ)
     tag = None
     if tagID is not None:
-        tagID = _validate_name_or_id(tagID)
+        tagID = _convert_if_int(tagID)
         tag = server.getTag(tagID, strict=True)
     values['tagID'] = tagID
     values['tag'] = tag
     user = None
     if userID is not None:
-        userID = _validate_name_or_id(userID)
+        userID = _convert_if_int(userID)
         user = server.getUser(userID, strict=True)
     values['userID'] = userID
     values['user'] = user
@@ -952,7 +945,7 @@ def packageinfo(environ, packageID, tagOrder='name', tagStart=None, buildOrder='
     values = _initValues(environ, 'Package Info', 'packages')
     server = _getServer(environ)
 
-    packageID = _validate_name_or_id(packageID)
+    packageID = _convert_if_int(packageID)
     package = server.getPackage(packageID)
     if package is None:
         raise koji.GenericError('No such package ID: %s' % packageID)
@@ -976,7 +969,7 @@ def taginfo(environ, tagID, all='0', packageOrder='package_name', packageStart=N
     values = _initValues(environ, 'Tag Info', 'tags')
     server = _getServer(environ)
 
-    tagID = _validate_name_or_id(tagID)
+    tagID = _convert_if_int(tagID)
     tag = server.getTag(tagID, strict=True)
 
     values['title'] = tag['name'] + ' | Tag Info'
@@ -1016,7 +1009,8 @@ def taginfo(environ, tagID, all='0', packageOrder='package_name', packageStart=N
 
     child = None
     if childID is not None:
-        child = server.getTag(int(childID), strict=True)
+        childID = _convert_if_int(childID)
+        child = server.getTag(childID, strict=True)
     values['child'] = child
 
     if environ['koji.currentUser']:
@@ -1193,7 +1187,7 @@ def externalrepoinfo(environ, extrepoID):
     values = _initValues(environ, 'External Repo Info', 'tags')
     server = _getServer(environ)
 
-    extrepoID = _validate_name_or_id(extrepoID)
+    extrepoID = _convert_if_int(extrepoID)
     extRepo = server.getExternalRepo(extrepoID, strict=True)
     repoTags = server.getTagExternalRepos(repo_info=extRepo['id'])
 
@@ -1349,7 +1343,7 @@ def builds(environ, userID=None, tagID=None, packageID=None, state=None, order='
 
     user = None
     if userID:
-        userID = _validate_name_or_id(userID)
+        userID = _convert_if_int(userID)
         user = server.getUser(userID, strict=True)
     values['userID'] = userID
     values['user'] = user
@@ -1361,14 +1355,14 @@ def builds(environ, userID=None, tagID=None, packageID=None, state=None, order='
 
     tag = None
     if tagID:
-        tagID = _validate_name_or_id(tagID)
+        tagID = _convert_if_int(tagID)
         tag = server.getTag(tagID, strict=True)
     values['tagID'] = tagID
     values['tag'] = tag
 
     package = None
     if packageID:
-        packageID = _validate_name_or_id(packageID)
+        packageID = _convert_if_int(packageID)
         package = server.getPackage(packageID, strict=True)
     values['packageID'] = packageID
     values['package'] = package
@@ -1454,13 +1448,14 @@ def userinfo(environ, userID, packageOrder='package_name', packageStart=None,
     values = _initValues(environ, 'User Info', 'users')
     server = _getServer(environ)
 
-    userID = _validate_name_or_id(userID)
+    userID = _convert_if_int(userID)
     user = server.getUser(userID, strict=True)
 
     values['title'] = user['name'] + ' | User Info'
 
     values['user'] = user
     values['userID'] = userID
+    values['owner'] = user['name']
     values['taskCount'] = server.listTasks(opts={'owner': user['id'], 'parent': None},
                                            queryOpts={'countOnly': True})
 
@@ -1708,12 +1703,12 @@ def hostinfo(environ, hostID=None, userID=None):
     server = _getServer(environ)
 
     if hostID:
-        hostID = _validate_name_or_id(hostID)
+        hostID = _convert_if_int(hostID)
         host = server.getHost(hostID)
         if host is None:
             raise koji.GenericError('No such host ID: %s' % hostID)
     elif userID:
-        userID = int(userID)
+        userID = _convert_if_int(userID)
         hosts = server.listHosts(userID=userID)
         host = None
         if hosts:
@@ -2426,17 +2421,17 @@ def recentbuilds(environ, user=None, tag=None, package=None):
 
     tagObj = None
     if tag is not None:
-        tag = _validate_name_or_id(tag)
+        tag = _convert_if_int(tag)
         tagObj = server.getTag(tag, strict=True)
 
     userObj = None
     if user is not None:
-        user = _validate_name_or_id(user)
+        user = _convert_if_int(user)
         userObj = server.getUser(user, strict=True)
 
     packageObj = None
     if package:
-        package = _validate_name_or_id(package)
+        package = _convert_if_int(package)
         packageObj = server.getPackage(package, strict=True)
 
     if tagObj is not None:
@@ -2532,13 +2527,6 @@ def search(environ, start=None, order=None):
         if match not in ('glob', 'regexp', 'exact'):
             raise koji.GenericError("No such match type: %r" % match)
 
-        if not _VALID_SEARCH_RE.match(terms):
-            values['error'] = 'Invalid search terms<br/>' + \
-                'Search terms may contain only these characters: ' + \
-                _VALID_SEARCH_CHARS + _VALID_SEARCH_SYMS
-            values['terms'] = ''
-            return _genHTML(environ, 'search.chtml')
-
         if match == 'regexp':
             try:
                 re.compile(terms)
@@ -2617,8 +2605,8 @@ def repoinfo(environ, repoID):
     values = _initValues(environ, 'Repo Info', 'tags')
     server = _getServer(environ)
 
-    repoID = _validate_name_or_id(repoID)
     values['repo_id'] = repoID
+    repoID = _convert_if_int(repoID)
     repo_info = server.repoInfo(repoID, strict=False)
     values['repo'] = repo_info
     if repo_info:
diff --git a/www/kojiweb/notificationedit.chtml b/www/kojiweb/notificationedit.chtml
index 12aaf3d..b0fe3ba 100644
--- a/www/kojiweb/notificationedit.chtml
+++ b/www/kojiweb/notificationedit.chtml
@@ -20,7 +20,7 @@
           <select name="package">
             <option value="all"#if $notif and not $notif.package_id then ' selected="selected"' else ''#>all</option>
             #for $package in $packages
-            <option value="$package.package_id"#if $notif and $notif.package_id == $package.package_id then ' selected="selected"' else ''#>$package.package_name</option>
+            <option value="$package.package_id"#if $notif and $notif.package_id == $package.package_id then ' selected="selected"' else ''#>$util.escapeHTML($package.package_name)</option>
             #end for
           </select>
         </td>
@@ -31,7 +31,7 @@
           <select name="tag">
             <option value="all"#if $notif and not $notif.tag_id then ' selected="selected"' else ''#>all</option>
             #for $tag in $tags
-            <option value="$tag.id"#if $notif and $notif.tag_id == $tag.id then ' selected="selected"' else ''#>$tag.name</option>
+            <option value="$tag.id"#if $notif and $notif.tag_id == $tag.id then ' selected="selected"' else ''#>$util.escapeHTML($tag.name)</option>
             #end for
           </select>
         </td>
diff --git a/www/kojiweb/packageinfo.chtml b/www/kojiweb/packageinfo.chtml
index 0e3838e..7e885d1 100644
--- a/www/kojiweb/packageinfo.chtml
+++ b/www/kojiweb/packageinfo.chtml
@@ -2,11 +2,11 @@
 
 #include "includes/header.chtml"
 
-  <h4>Information for package <a href="packageinfo?packageID=$package.id">$package.name</a></h4>
+  <h4>Information for package <a href="packageinfo?packageID=$package.id">$util.escapeHTML($package.name)</a></h4>
 
   <table>
     <tr>
-      <th>Name</th><td>$package.name</td>
+      <th>Name</th><td>$util.escapeHTML($package.name)</td>
     </tr>
     <tr>
       <th>ID</th><td>$package.id</td>
@@ -46,8 +46,8 @@
           </tr>
           #for $build in $builds
           <tr class="$util.rowToggle($self)">
-            <td><a href="buildinfo?buildID=$build.build_id">$build.nvr</a></td>
-            <td class="user-$build.owner_name"><a href="userinfo?userID=$build.owner_id">$build.owner_name</a></td>
+            <td><a href="buildinfo?buildID=$build.build_id">$util.escapeHTML($build.nvr)</a></td>
+            <td class="user-$build.owner_name"><a href="userinfo?userID=$build.owner_id">$util.escapeHTML($build.owner_name)</a></td>
             <td>$util.formatTime($build.completion_ts)</td>
             #set $stateName = $util.stateName($build.state)
             <td class="$stateName">$util.stateImage($build.state)</td>
@@ -101,8 +101,8 @@
           </tr>
           #for $tag in $tags
           <tr class="$util.rowToggle($self)">
-            <td><a href="taginfo?tagID=$tag.id">$tag.name</a></td>
-            <td><a href="userinfo?userID=$tag.owner_id">$tag.owner_name</a></td>
+            <td><a href="taginfo?tagID=$tag.id">$util.escapeHTML($tag.name)</a></td>
+            <td><a href="userinfo?userID=$tag.owner_id">$util.escapeHTML($tag.owner_name)</a></td>
             #set $included = $tag.blocked and 'no' or 'yes'
             <td>$util.imageTag($included)</td>
             <td>$tag.extra_arches</td>
diff --git a/www/kojiweb/packages.chtml b/www/kojiweb/packages.chtml
index 08cae84..238b13e 100644
--- a/www/kojiweb/packages.chtml
+++ b/www/kojiweb/packages.chtml
@@ -4,7 +4,7 @@
 
 #include "includes/header.chtml"
 
-  <h4>Packages#if $prefix then ' starting with "%s"' % $prefix else ''##if $tag then ' in tag <a href="taginfo?tagID=%i">%s</a>' % ($tag.id, $tag.name) else ''##if $user then ' owned by <a href="userinfo?userID=%i">%s</a>' % ($user.id, $user.name) else ''#</h4>
+  <h4>Packages#if $prefix then ' starting with "%s"' % $prefix else ''##if $tag then ' in tag <a href="taginfo?tagID=%i">%s</a>' % ($tag.id, $util.escapeHTML($tag.name)) else ''##if $user then ' owned by <a href="userinfo?userID=%i">%s</a>' % ($user.id, $util.escapeHTML($user.name)) else ''#</h4>
 
   <table class="data-list">
     #if $tag
@@ -75,10 +75,10 @@
       #for $package in $packages
         <tr class="$util.rowToggle($self)">
           <td>$package.package_id</td>
-          <td><a href="packageinfo?packageID=$package.package_id">$package.package_name</a></td>
+          <td><a href="packageinfo?packageID=$package.package_id">$util.escapeHTML($package.package_name)</a></td>
           #if $tag or $user
-          <td><a href="taginfo?tagID=$package.tag_id">$package.tag_name</a></td>
-          <td class="user-$package.owner_name"><a href="userinfo?userID=$package.owner_id">$package.owner_name</a></td>
+          <td><a href="taginfo?tagID=$package.tag_id">$util.escapeHTML($package.tag_name)</a></td>
+          <td class="user-$package.owner_name"><a href="userinfo?userID=$package.owner_id">$util.escapeHTML($package.owner_name)</a></td>
           <td class="$str(not $package.blocked).lower()">#if $package.blocked then $util.imageTag('no') else $util.imageTag('yes')#</td>
           #end if
         </tr>
diff --git a/www/kojiweb/packagesbyuser.chtml b/www/kojiweb/packagesbyuser.chtml
index c4e5713..2c552fc 100644
--- a/www/kojiweb/packagesbyuser.chtml
+++ b/www/kojiweb/packagesbyuser.chtml
@@ -35,7 +35,7 @@
     #if $len($users) > 0
     #for $user in $users
     <tr class="$util.rowToggle($self)">
-      <td><a href="userinfo?userID=$user.id">$user.name</a></td>
+      <td><a href="userinfo?userID=$user.id">$util.escapeHTML($user.name)</a></td>
       <td width="#echo $graphWidth + 5#"><img src="$util.themePath('images/1px.gif')" width="#echo $increment * $user.packages#" height="15" class="graphrow" alt="graph row"/></td>
       <td>$user.packages</td>
     </tr>
diff --git a/www/kojiweb/recentbuilds.chtml b/www/kojiweb/recentbuilds.chtml
index 28e8eb5..48fdc6d 100644
--- a/www/kojiweb/recentbuilds.chtml
+++ b/www/kojiweb/recentbuilds.chtml
@@ -22,18 +22,18 @@
 
 <rss version="2.0">
   <channel>
-    <title>$siteName: recent builds#if $package then ' of package ' + $package.name else ''##if $tag then ' into tag ' + $tag.name else ''##if $user then ' by user ' + $user.name else ''#</title>
+    <title>$siteName: recent builds#if $package then ' of package ' + $util.escapeHTML($package.name) else ''##if $tag then ' into tag ' + $util.escapeHTML($tag.name) else ''##if $user then ' by user ' + $util.escapeHTML($user.name) else ''#</title>
     <link>$linkURL()</link>
     <description>
       A list of the most recent builds
       #if $package
-      of package $package.name
+      of package $util.escapeHTML($package.name)
       #end if
       #if $tag
-      into tag $tag.name
+      into tag $util.escapeHTML($tag.name)
       #end if
       #if $user
-      by user $user.name
+      by user $util.escapeHTML($user.name)
       #end if
       in the $siteName Build System.  The list is sorted in reverse chronological order by build completion time.
     </description>
diff --git a/www/kojiweb/repoinfo.chtml b/www/kojiweb/repoinfo.chtml
index 3379559..6cb9d5a 100644
--- a/www/kojiweb/repoinfo.chtml
+++ b/www/kojiweb/repoinfo.chtml
@@ -8,12 +8,12 @@
 #if $repo
 <table>
   <tr><th>ID</th><td>$repo.id</td><th></tr>
-  <tr><th>Tag</th><td><a href="taginfo?tagID=$repo.tag_id">$repo.tag_name</a></td></tr>
+  <tr><th>Tag</th><td><a href="taginfo?tagID=$repo.tag_id">$util.escapeHTML($repo.tag_name)</a></td></tr>
   #if $repo.task_id
   <tr><th>Task ID</th><td><a href="taskinfo?taskID=$repo.task_id">$repo.task_id</a></td></tr>
   #end if
   #set $state = $util.repoState($repo.state)
-  <tr><th>State</th><td class="repo$state">$state</td></tr>
+  <tr><th>State</th><td class="repo$state">$util.escapeHTML($state)</td></tr>
   <tr><th>Event</th><td>$repo.create_event ($util.formatTimeLong($repo.create_ts))</td></tr>
   #if $repo.state != koji.REPO_STATES['DELETED']
   <tr><th>URL</th><td><a href="$url">repodata</a></td></tr>
diff --git a/www/kojiweb/rpminfo.chtml b/www/kojiweb/rpminfo.chtml
index ea0210e..0240c60 100644
--- a/www/kojiweb/rpminfo.chtml
+++ b/www/kojiweb/rpminfo.chtml
@@ -8,7 +8,7 @@
 
 #include "includes/header.chtml"
   #set $epoch = ($rpm.epoch != None and $str($rpm.epoch) + ':' or '')
-  <h4>Information for RPM <a href="rpminfo?rpmID=$rpm.id">$rpm.name-$epoch$rpm.version-$rpm.release.${rpm.arch}.rpm</a></h4>
+  <h4>Information for RPM <a href="rpminfo?rpmID=$rpm.id">$util.escapeHTML($rpm.name)-$epoch$rpm.version-$rpm.release.${rpm.arch}.rpm</a></h4>
 
   <table>
     <tr>
@@ -16,9 +16,9 @@
     </tr>
     <tr>
       #if $build
-      <th>Name</th><td><a href="packageinfo?packageID=$build.package_id">$rpm.name</a></td>
+      <th>Name</th><td><a href="packageinfo?packageID=$build.package_id">$util.escapeHTML($rpm.name)</a></td>
       #else
-      <th>Name</th><td>$rpm.name</td>
+      <th>Name</th><td>$util.escapeHTML($rpm.name)</td>
       #end if
     </tr>
     <tr>
@@ -35,7 +35,7 @@
       <th>Epoch</th><td>$rpm.epoch</td>
     </tr>
     <tr>
-      <th>Arch</th><td>$rpm.arch</td>
+      <th>Arch</th><td>$util.escapeHTML($rpm.arch)</td>
     </tr>
     #if $rpm.external_repo_id == 0
     <tr>
@@ -55,7 +55,7 @@
     #end if
     #if $rpm.external_repo_id
     <tr>
-      <th>External Repository</th><td><a href="externalrepoinfo?extrepoID=$rpm.external_repo_id">$rpm.external_repo_name</a></td>
+      <th>External Repository</th><td><a href="externalrepoinfo?extrepoID=$rpm.external_repo_id">$util.escapeHTML($rpm.external_repo_name)</a></td>
     </tr>
     #end if
     <tr>
diff --git a/www/kojiweb/rpmlist.chtml b/www/kojiweb/rpmlist.chtml
index 0e8e554..6ba83aa 100644
--- a/www/kojiweb/rpmlist.chtml
+++ b/www/kojiweb/rpmlist.chtml
@@ -23,7 +23,7 @@ colspan="2" #slurp
   #if $type == 'component'
   <h4>Component RPMs of buildroot <a href="buildrootinfo?buildrootID=$buildroot.id">$util.brLabel($buildroot)</a></h4>
   #elif $type == 'image'
-  <h4>RPMs installed in <a href="archiveinfo?archiveID=$image.id">$image.filename</a></h4>
+  <h4>RPMs installed in <a href="archiveinfo?archiveID=$image.id">$util.escapeHTML($image.filename)</a></h4>
   #else
   <h4>RPMs built in buildroot <a href="buildrootinfo?buildrootID=$buildroot.id">$util.brLabel($buildroot)</a></h4>
   #end if
@@ -65,12 +65,12 @@ colspan="2" #slurp
     #for $rpm in $rpms
     <tr class="$util.rowToggle($self)">
       #set $epoch = ($rpm.epoch != None and $str($rpm.epoch) + ':' or '')
-      <td><a href="rpminfo?rpmID=$rpm.id">$rpm.name-$epoch$rpm.version-$rpm.release.${rpm.arch}.rpm</a></td>
+      <td><a href="rpminfo?rpmID=$rpm.id">$util.escapeHTML($rpm.name)-$epoch$rpm.version-$rpm.release.${rpm.arch}.rpm</a></td>
       #if $type in ['component', 'image']
       #if $rpm.external_repo_id == 0
       <td>internal</td>
       #else
-      <td><a href="externalrepoinfo?extrepoID=$rpm.external_repo_id">$rpm.external_repo_name</a></td>
+      <td><a href="externalrepoinfo?extrepoID=$rpm.external_repo_id">$util.escapeHTML($rpm.external_repo_name)</a></td>
       #end if
       #end if
       #if $type == 'component'
diff --git a/www/kojiweb/rpmsbyhost.chtml b/www/kojiweb/rpmsbyhost.chtml
index 2c63368..4ce41cf 100644
--- a/www/kojiweb/rpmsbyhost.chtml
+++ b/www/kojiweb/rpmsbyhost.chtml
@@ -67,7 +67,7 @@
     #if $len($hosts) > 0
     #for $host in $hosts
     <tr class="$util.rowToggle($self)">
-      <td><a href="hostinfo?hostID=$host.id">$host.name</a></td>
+      <td><a href="hostinfo?hostID=$host.id">$util.escapeHTML($host.name)</a></td>
       <td width="#echo $graphWidth + 5#"><img src="$util.themePath('images/1px.gif')" width="#echo $increment * $host.rpms#" height="15" class="graphrow" alt="graph row"/></td>
       <td>$host.rpms</td>
     </tr>
diff --git a/www/kojiweb/search.chtml b/www/kojiweb/search.chtml
index d67e9ea..2ccae34 100644
--- a/www/kojiweb/search.chtml
+++ b/www/kojiweb/search.chtml
@@ -86,7 +86,7 @@
     #for $result in $results
     <tr class="$util.rowToggle($self)">
       <td>$result.id</td>
-      <td><a href="${infoURL % $result}">$result.name</a></td>
+      <td><a href="${infoURL % $result}">$util.escapeHTML($result.name)</a></td>
     </tr>
     #end for
     #else
diff --git a/www/kojiweb/tagedit.chtml b/www/kojiweb/tagedit.chtml
index 920e3a1..b2ad1e8 100644
--- a/www/kojiweb/tagedit.chtml
+++ b/www/kojiweb/tagedit.chtml
@@ -14,7 +14,7 @@
       <tr>
         <th>Name</th>
         <td>
-          <input type="text" name="name" value="#if $tag then $tag.name else ''#"/>
+          <input type="text" name="name" value="#if $tag then $util.escapeHTML($tag.name) else ''#"/>
           #if $tag
           <input type="hidden" name="tagID" value="$tag.id"/>
           #end if
@@ -22,7 +22,7 @@
       </tr>
       <tr>
         <th>Arches</th>
-        <td><input type="text" name="arches" value="#if $tag then $tag.arches else ''#"/></td>
+        <td><input type="text" name="arches" value="#if $tag then $util.escapeHTML($tag.arches) else ''#"/></td>
       </tr>
       <tr>
         <th>Locked</th>
@@ -34,7 +34,7 @@
           <select name="permission">
             <option value="none" #if $tag and not $tag.perm_id then 'selected="selected"' else ''#>none</option>
             #for $permission in $permissions
-            <option value="$permission.id" #if $tag and $tag.perm_id == $permission.id then 'selected="selected"' else ''#>$permission.name</option>
+            <option value="$permission.id" #if $tag and $tag.perm_id == $permission.id then 'selected="selected"' else ''#>$util.escapeHTML($permission.name)</option>
             #end for
           </select>
         </td>
diff --git a/www/kojiweb/taginfo.chtml b/www/kojiweb/taginfo.chtml
index a644cb9..7c182da 100644
--- a/www/kojiweb/taginfo.chtml
+++ b/www/kojiweb/taginfo.chtml
@@ -1,24 +1,25 @@
 #from kojiweb import util
+#from urllib.parse import quote
 #import pprint
 
 #include "includes/header.chtml"
 
-  <h4>Information for tag <a href="taginfo?tagID=$tag.id">$tag.name</a></h4>
+  <h4>Information for tag <a href="taginfo?tagID=$tag.id">$util.escapeHTML($tag.name)</a></h4>
 
   <table>
     #if $child and 'admin' in $perms
     <tr>
-      <th colspan="2"><a href="tagparent?tagID=$child.id&parentID=$tag.id&action=add$util.authToken($self)">Add $tag.name as parent of $child.name</a></th>
+      <th colspan="2"><a href="tagparent?tagID=$child.id&parentID=$tag.id&action=add$util.authToken($self)">Add $util.escapeHTML($tag.name) as parent of $util.escapeHTML($child.name)</a></th>
     </tr>
     #end if
     <tr>
-      <th>Name</th><td>$tag.name</td>
+      <th>Name</th><td>$util.escapeHTML($tag.name)</td>
     </tr>
     <tr>
       <th>ID</th><td>$tag.id</td>
     </tr>
     <tr>
-      <th>Arches</th><td>$tag.arches</td>
+      <th>Arches</th><td>$util.escapeHTML($tag.arches)</td>
     </tr>
     <tr>
       <th>Locked</th><td class="$str(not $tag.locked).lower()">#if $tag.locked then 'yes' else 'no'#</td>
@@ -37,7 +38,7 @@
     <tr>
       <th>Inheritance</th>
       <td class="tree">
-        <span class="root">$tag.name</span>
+        <span class="root">$util.escapeHTML($tag.name)</span>
         #set $numParents = $len($inheritance)
         #set $iter = 0
         #set $maxDepth = 0
@@ -61,7 +62,7 @@
           #silent $tagsByChild[$parent.child_id].pop()
             <span class="treeBranch">
               <span class="treeLabel">
-                <a href="taginfo?tagID=$parent.parent_id">$parent.name</a>
+                <a href="taginfo?tagID=$parent.parent_id">$util.escapeHTML($parent.name)</a>
                 #if $depth == 1 and 'admin' in $perms
                 <span class="treeLink">(<a href="tagparent?tagID=$tag.id&parentID=$parent.parent_id&action=edit$util.authToken($self)">edit</a>) (<a href="tagparent?tagID=$tag.id&parentID=$parent.parent_id&action=remove$util.authToken($self)">remove</a>)</span>
                 #end if
@@ -102,9 +103,9 @@
       <th>External&nbsp;repos</th>
       <td>
 	#for $external_repo in $external_repos
-	<a href="externalrepoinfo?extrepoID=$external_repo.external_repo_id">$external_repo.external_repo_name</a> [$external_repo.merge_mode]
+	<a href="externalrepoinfo?extrepoID=$external_repo.external_repo_id">$util.escapeHTML($external_repo.external_repo_name)</a> [$external_repo.merge_mode]
 	#if $external_repo.tag_id != $tag.id
-	<span class="smaller">(inherited from <a href="taginfo?tagID=$external_repo.tag_id">$external_repo.tag_name</a>)</span>
+	<span class="smaller">(inherited from <a href="taginfo?tagID=$external_repo.tag_id">$util.escapeHTML($external_repo.tag_name)</a>)</span>
 	#end if
 	<br/>
 	#end for
@@ -136,7 +137,7 @@
       <td>
         #if $len($srcTargets)
         #for $target in $srcTargets
-        <a href="buildtargetinfo?name=$target.name">$target.name</a><br/>
+        <a href="buildtargetinfo?name=$quote($target.name)">$util.escapeHTML($target.name)</a><br/>
         #end for
         #else
         No build targets
@@ -148,7 +149,7 @@
       <td>
         #if $len($destTargets)
         #for $target in $destTargets
-        <a href="buildtargetinfo?name=$target.name">$target.name</a><br/>
+        <a href="buildtargetinfo?name=$quote($target.name)">$util.escapeHTML($target.name)</a><br/>
         #end for
         #else
         No build targets
diff --git a/www/kojiweb/tagparent.chtml b/www/kojiweb/tagparent.chtml
index cd391f2..b38c05b 100644
--- a/www/kojiweb/tagparent.chtml
+++ b/www/kojiweb/tagparent.chtml
@@ -15,14 +15,14 @@
       <tr>
         <th>Tag Name</th>
         <td>
-          $tag.name
+          $util.escapeHTML($tag.name)
           <input type="hidden" name="tagID" value="$tag.id"/>
         </td>
       </tr>
       <tr>
         <th>Parent Tag Name</th>
         <td>
-          $parent.name
+          $util.escapeHTML($parent.name)
           <input type="hidden" name="parentID" value="$parent.id"/>
         </td>
       </tr>
diff --git a/www/kojiweb/taskinfo.chtml b/www/kojiweb/taskinfo.chtml
index f2956ba..3db7017 100644
--- a/www/kojiweb/taskinfo.chtml
+++ b/www/kojiweb/taskinfo.chtml
@@ -20,7 +20,7 @@
       <span class="treeBranch">
         <span class="treeLabel">
           <span class="task$childState">$util.imageTag($childState)</span>
-          <a href="taskinfo?taskID=$child.id" class="task$childState" title="$childState">$koji.taskLabel($child)</a>
+          <a href="taskinfo?taskID=$child.id" class="task$childState" title="$childState">$util.escapeHTML($koji.taskLabel($child))</a>
         </span>
       </span>
     $printChildren($child.id, $childMap)
@@ -32,7 +32,7 @@
 
 #include "includes/header.chtml"
 
-  <h4>Information for task <a href="taskinfo?taskID=$task.id">$koji.taskLabel($task)</a></h4>
+  <h4>Information for task <a href="taskinfo?taskID=$task.id">$util.escapeHTML($koji.taskLabel($task))</a></h4>
 
   <table>
     <tr>
@@ -67,13 +67,13 @@
     </tr>
     #if $taskBuild
     <tr>
-      <th>Build</th><td><a href="buildinfo?buildID=$taskBuild.build_id">$koji.buildLabel($taskBuild)</a></td>
+      <th>Build</th><td><a href="buildinfo?buildID=$taskBuild.build_id">$util.escapeHTML($koji.buildLabel($taskBuild))</a></td>
     </tr>
     #end if
     #if $taskBuilds
     #for $build in $taskBuilds
     <tr>
-      <th>Build</th><td><a href="buildinfo?buildID=$build.build_id">$koji.buildLabel($build)</a></td>
+      <th>Build</th><td><a href="buildinfo?buildID=$build.build_id">$util.escapeHTML($koji.buildLabel($build))</a></td>
     </tr>
     #end for
     #end if
@@ -116,9 +116,9 @@
       <td>
         #if $owner
           #if $owner.usertype == $koji.USERTYPES['HOST']
-          <a href="hostinfo?userID=$owner.id">$owner.name</a>
+          <a href="hostinfo?userID=$owner.id">$util.escapeHTML($owner.name)</a>
           #else
-          <a href="userinfo?userID=$owner.id">$owner.name</a>
+          <a href="userinfo?userID=$owner.id">$util.escapeHTML($owner.name)</a>
           #end if
         #end if
       </td>
@@ -127,7 +127,7 @@
       <th>Channel</th>
       <td>
         #if $task.channel_id
-        <a href="channelinfo?channelID=$task.channel_id">$channelName</a>
+        <a href="channelinfo?channelID=$task.channel_id">$util.escapeHTML($channelName)</a>
         #end if
       </td>
     </tr>
@@ -135,12 +135,12 @@
       <th>Host</th>
       <td>
         #if $task.host_id
-        <a href="hostinfo?hostID=$task.host_id">$hostName</a>
+        <a href="hostinfo?hostID=$task.host_id">$util.escapeHTML($hostName)</a>
         #end if
       </td>
     </tr>
     <tr>
-      <th>Arch</th><td>$task.arch</td>
+      <th>Arch</th><td>$util.escapeHTML($task.arch)</td>
     </tr>
     #if $buildroots
     <tr>
@@ -156,7 +156,7 @@
       <th>Parent</th>
         <td>
         #if $parent
-        <a href="taskinfo?taskID=$parent.id" class="task$util.taskState($parent.state)">$koji.taskLabel($parent)</a>
+        <a href="taskinfo?taskID=$parent.id" class="task$util.taskState($parent.state)">$util.escapeHTML($koji.taskLabel($parent))</a>
         #end if
       </td>
     </tr>
diff --git a/www/kojiweb/taskinfo_params.chtml b/www/kojiweb/taskinfo_params.chtml
index f75f1c6..6cdd371 100644
--- a/www/kojiweb/taskinfo_params.chtml
+++ b/www/kojiweb/taskinfo_params.chtml
@@ -40,9 +40,9 @@ $value
 #if $len($params) > 1
 <strong>Build Tag:</strong>
 #if $buildTag.id
-<a href="taginfo?tagID=$buildTag.id">$buildTag.name</a>
+<a href="taginfo?tagID=$buildTag.id">$util.escapeHTML($buildTag.name)</a>
 #else
-$buildTag.name
+$util.escapeHTML($buildTag.name)
 #end if
 <br/>
 #end if
@@ -55,9 +55,9 @@ $printOpts($params[2])
 <strong>SRPM:</strong> $params[0]<br/>
 <strong>Build Tag:</strong>
 #if $buildTag.id
-<a href="taginfo?tagID=$buildTag.id">$buildTag.name</a>
+<a href="taginfo?tagID=$buildTag.id">$util.escapeHTML($buildTag.name)</a>
 #else
-$buildTag.name
+$util.escapeHTML($buildTag.name)
 #end if
 <br/>
 <strong>Arch:</strong> $params[2]<br/>
@@ -66,15 +66,15 @@ $buildTag.name
 $printOpts($params[4])
 #end if
 #elif $task.method == 'tagBuild'
-<strong>Destination Tag:</strong> <a href="taginfo?tagID=$destTag.id">$destTag.name</a><br/>
-<strong>Build:</strong> <a href="buildinfo?buildID=$build.id">$koji.buildLabel($build)</a>
+<strong>Destination Tag:</strong> <a href="taginfo?tagID=$destTag.id">$util.escapeHTML($destTag.name)</a><br/>
+<strong>Build:</strong> <a href="buildinfo?buildID=$build.id">$util.escapeHTML($koji.buildLabel($build))</a>
 #elif $task.method == 'buildNotification'
 #set $build = $params[1]
 #set $buildTarget = $params[2]
 <strong>Recipients:</strong>&nbsp;$printValue('', $params[0])<br/>
-<strong>Build:</strong> <a href="buildinfo?buildID=$build.id">$koji.buildLabel($build)</a><br/>
+<strong>Build:</strong> <a href="buildinfo?buildID=$build.id">$util.escapeHTML($koji.buildLabel($build))</a><br/>
 #if $buildTarget
-<strong>Build Target:</strong> <a href="buildtargetinfo?targetID=$buildTarget.id">$buildTarget.name</a><br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?targetID=$buildTarget.id">$util.escapeHTML($buildTarget.name)</a><br/>
 #else
 <strong>Build Target:</strong> (no build target)<br/>
 #end if
@@ -83,32 +83,32 @@ $printOpts($params[4])
 <strong>Recipients:</strong>&nbsp;$printValue('', $params[0])<br/>
 <strong>Successful?:</strong> #if $params[1] then 'yes' else 'no'#<br/>
 #if $destTag
-<strong>Tagged Into:</strong> <a href="taginfo?tagID=$destTag.id">$destTag.name</a><br/>
+<strong>Tagged Into:</strong> <a href="taginfo?tagID=$destTag.id">$util.escapeHTML($destTag.name)</a><br/>
 #end if
 #if $srcTag
-<strong>#if $destTag then 'Moved From:' else 'Untagged From:'#</strong> <a href="taginfo?tagID=$srcTag.id">$srcTag.name</a><br/>
+<strong>#if $destTag then 'Moved From:' else 'Untagged From:'#</strong> <a href="taginfo?tagID=$srcTag.id">$util.escapeHTML($srcTag.name)</a><br/>
 #end if
-<strong>Build:</strong> <a href="buildinfo?buildID=$build.id">$koji.buildLabel($build)</a><br/>
-<strong>#if $destTag then 'Tagged By:' else 'Untagged By:'#</strong> <a href="userinfo?userID=$user.id">$user.name</a><br/>
+<strong>Build:</strong> <a href="buildinfo?buildID=$build.id">$util.escapeHTML($koji.buildLabel($build))</a><br/>
+<strong>#if $destTag then 'Tagged By:' else 'Untagged By:'#</strong> <a href="userinfo?userID=$user.id">$util.escapeHTML($user.name)</a><br/>
 <strong>Ignore Success?:</strong> #if $params[6] then 'yes' else 'no'#<br/>
 #if $params[7]
 <strong>Failure Message:</strong> $params[7]
 #end if
 #elif $task.method == 'build'
 <strong>Source:</strong> $params[0]<br/>
-<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$params[1]</a><br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$util.escapeHTML($params[1])</a><br/>
 $printOpts($params[2])
 #elif $task.method == 'maven'
-<strong>SCM URL:</strong> $params[0]<br/>
-<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$params[1]</a><br/>
+<strong>SCM URL:</strong> $util.escapeHTML($params[0])<br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$util.escapeHTML($params[1])</a><br/>
 $printOpts($params[2])
 #elif $task.method == 'buildMaven'
-<strong>SCM URL:</strong> $params[0]<br/>
+<strong>SCM URL:</strong> $util.escapeHTML($params[0])<br/>
 <strong>Build Tag:</strong>
 #if $buildTag.id
-<a href="taginfo?tagID=$buildTag.id">$buildTag.name</a>
+<a href="taginfo?tagID=$buildTag.id">$util.escapeHTML($buildTag.name)</a>
 #else
-$buildTag.name
+$util.escapeHTML($buildTag.name)
 #end if
 <br/>
 #if $len($params) > 2
@@ -120,13 +120,13 @@ $printOpts($params[2])
 #set $buildTag = $buildTarget.name
 <strong>Build Tag:</strong>
 #if $buildTag.id
-<a href="taginfo?tagID=$buildTag.id">$buildTag.name</a>
+<a href="taginfo?tagID=$buildTag.id">$util.escapeHTML($buildTag.name)</a>
 #else
-$buildTag.name
+$util.escapeHTML($buildTag.name)
 #end if
 <br/>
 #else
-<strong>Build Target:</strong> <a href="buildtargetinfo?targetID=$buildTarget.id">$buildTarget.name</a><br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?targetID=$buildTarget.id">$util.escapeHTML($buildTarget.name)</a><br/>
 #end if
 #if $params[2]
 <strong>Build:</strong> <a href="buildinfo?buildID=$params[2].id">$koji.buildLabel($params[2])</a><br/>
@@ -144,53 +144,53 @@ $printOpts($params[4])
 <tr><td><strong>$key:</strong></td><td>$printMap($val)</td></tr>
 #end for
 </table>
-<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$params[1]</a><br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$util.escapeHTML($params[1])</a><br/>
 #if $len($params) > 2
 $printOpts($params[2])
 #end if
 #elif $task.method == 'livecd' or $task.method == 'appliance' or $task.method == 'livemedia'
-<strong>Name:</strong> $params[0]<br/>
-<strong>Version:</strong> $params[1]<br/>
-<strong>Arch:</strong> $params[2]<br/>
-<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[3])">$params[3]</a><br/>
-<strong>Kickstart File:</strong> $params[4]<br/>
+<strong>Name:</strong> $util.escapeHTML($params[0])<br/>
+<strong>Version:</strong> $util.escapeHTML($params[1])<br/>
+<strong>Arch:</strong> $util.escapeHTML($params[2])<br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[3])">$util.escapeHTML($params[3])</a><br/>
+<strong>Kickstart File:</strong> $util.escapeHTML($params[4])<br/>
 $printOpts($params[5])
 #elif $task.method == 'image'
 <strong>Arches:</strong> #echo ', '.join($params[2])#<br/>
-<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[3])">$params[3]</a><br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[3])">$util.escapeHTML($params[3])</a><br/>
 <strong>Installation Tree:</strong> $params[4]<br/>
 $printOpts($params[5])
 #elif $task.method == 'createLiveCD' or $task.method == 'createAppliance' or $task.method == 'createLiveMedia'
 #if $len($params) > 4:
 ## new method signature
-<strong>Arch:</strong> $params[3]<br/>
-<strong>Kickstart File:</strong> $params[7]<br/>
+<strong>Arch:</strong> $util.escapeHTML($params[3])<br/>
+<strong>Kickstart File:</strong> $util.escapeHTML($params[7])<br/>
 #if $len($params) > 8
 $printOpts($params[8])
 #end if
 #else
 ## old method signature
-<strong>Arch:</strong> $params[0]<br/>
-<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$params[1]</a><br/>
-<strong>Kickstart File:</strong> $params[2]<br/>
+<strong>Arch:</strong> $util.escapeHTML($params[0])<br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$util.escapeHTML($params[1])</a><br/>
+<strong>Kickstart File:</strong> $util.escapeHTML($params[2])<br/>
 #if $len($params) > 3
 $printOpts($params[3])
 #end if
 #end if
 #elif $task.method == 'createImage'
 #set $target = $params[4]
-<strong>Build Target:</strong> <a href="buildtargetinfo?targetID=$target.id">$target.name</a><br/>
-<strong>Install Tree:</strong> $params[7]<br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?targetID=$target.id">$util.escapeHTML($target.name)</a><br/>
+<strong>Install Tree:</strong> $util.escapeHTML($params[7])<br/>
 $printOpts($params[8])
 #elif $task.method == 'winbuild'
-<strong>VM:</strong> $params[0]<br/>
-<strong>SCM URL:</strong> $params[1]<br/>
-<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[2])">$params[2]</a><br/>
+<strong>VM:</strong> $util.escapeHTML($params[0])<br/>
+<strong>SCM URL:</strong> $util.escapeHTML($params[1])<br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[2])">$util.escapeHTML($params[2])</a><br/>
 #if $len($params) > 3
 $printOpts($params[3])
 #end if
 #elif $task.method == 'vmExec'
-<strong>VM:</strong> $params[0]<br/>
+<strong>VM:</strong> $util.escapeHTML($params[0])<br/>
 <strong>Exec Params:</strong><br/>
 #for $info in $params[1]
 #if $isinstance($info, dict)
@@ -203,20 +203,20 @@ $printMap($info, '&nbsp;&nbsp;&nbsp;&nbsp;')
 $printOpts($params[2])
 #end if
 #elif $task.method == 'newRepo'
-<strong>Tag:</strong> <a href="taginfo?tagID=$tag.id">$tag.name</a><br/>
+<strong>Tag:</strong> <a href="taginfo?tagID=$tag.id">$util.escapeHTML($tag.name)</a><br/>
 #if $len($params) > 1
   $printOpts($params[1])
 #end if
 #elif $task.method == 'distRepo'
-<strong>Tag:</strong> <a href="taginfo?tagID=$tag.id">$tag.name</a><br/>
+<strong>Tag:</strong> <a href="taginfo?tagID=$tag.id">$util.escapeHTML($tag.name)</a><br/>
 <strong>Repo ID:</strong> <a href="repoinfo?repoID=$params[1]">$params[1]</a></br>
 <strong>Keys:</strong> $printValue(0, $params[2])<br/>
 $printOpts($params[3])
 #elif $task.method == 'prepRepo'
-<strong>Tag:</strong> <a href="taginfo?tagID=$params[0].id">$params[0].name</a>
+<strong>Tag:</strong> <a href="taginfo?tagID=$params[0].id">$util.escapeHTML($params[0].name)</a>
 #elif $task.method == 'createrepo'
 <strong>Repo ID:</strong> <a href="repoinfo?repoID=$params[0]">$params[0]</a><br/>
-<strong>Arch:</strong> $params[1]<br/>
+<strong>Arch:</strong> $util.escapeHTML($params[1])<br/>
 #set $oldrepo = $params[2]
 #if $oldrepo
     <strong>Old Repo ID:</strong> <a href="repoinfo?repoID=$oldrepo.id">$oldrepo.id</a><br/>
@@ -226,7 +226,7 @@ $printOpts($params[3])
     <strong>External Repos:</strong> $printValue(None, [ext['external_repo_name'] for ext in $params[3]])<br/>
 #end if
 #elif $task.method == 'createdistrepo'
-<strong>Tag:</strong> <a href="taginfo?tagID=$tag.id">$tag.name</a><br/>
+<strong>Tag:</strong> <a href="taginfo?tagID=$tag.id">$util.escapeHTML($tag.name)</a><br/>
 <strong>Repo ID:</strong> <a href="repoinfo?repoID=$params[1]">$params[1]</a></br>
 <strong>Arch:</strong> $printValue(0, $params[2])<br/>
 <strong>Keys:</strong> $printValue(0, $params[3])<br/>
@@ -253,27 +253,27 @@ $printMap($subtask[2], '&nbsp;&nbsp;&nbsp;&nbsp;')
 #set $groupNum += 1
 &nbsp;&nbsp;<strong>$groupNum</strong>: #echo ', '.join($urls)#<br/>
 #end for
-<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$params[1]</a><br/>
+<strong>Build Target:</strong> <a href="buildtargetinfo?name=$quote($params[1])">$util.escapeHTML($params[1])</a><br/>
 $printOpts($params[2])
 #elif $task.method == 'waitrepo'
-<strong>Build Tag:</strong> $params[0]<br/>
+<strong>Build Tag:</strong> $util.escapeHTML($params[0])<br/>
 #if $params[1]
-<strong>Newer Than:</strong> $params[1]<br/>
+<strong>Newer Than:</strong> $util.escapeHTML($params[1])<br/>
 #end if
 #if $params[2]
 <strong>NVRs:</strong> $printValue('', $params[2])
 #end if
 #elif $task.method == 'restart'
-<strong>Host:</strong> <a href="hostinfo?hostID=$params[0].id">$params[0].name</a><br/>
+<strong>Host:</strong> <a href="hostinfo?hostID=$params[0].id">$util.escapeHTML($params[0].name)</a><br/>
 #elif $task.method == 'restartVerify'
-<strong>Host:</strong> <a href="hostinfo?hostID=$params[1].id">$params[1].name</a><br/>
+<strong>Host:</strong> <a href="hostinfo?hostID=$params[1].id">$util.escapeHTML($params[1].name)</a><br/>
 <strong>Restart Task:</strong>
     <a href="taskinfo?taskID=$rtask.id" class="task$util.taskState($rtask.state)">$koji.taskLabel($rtask)</a><br/>
 #elif $task.method == 'runroot'
 <strong>Build Tag:</strong> <a href="taginfo?tagID=$params[0]">$params[0]</a><br/>
-<strong>Arch:</strong> $params[1]<br/>
+<strong>Arch:</strong> $util.escapeHTML($params[1])<br/>
 $printOpts($params[3])
-<strong>Commands:</strong> $params[2]<br/>
+<strong>Commands:</strong> $util.escapeHTML($params[2])<br/>
 #else
 $params
 #end if
diff --git a/www/kojiweb/tasks.chtml b/www/kojiweb/tasks.chtml
index 0482512..00833ba 100644
--- a/www/kojiweb/tasks.chtml
+++ b/www/kojiweb/tasks.chtml
@@ -16,7 +16,7 @@
       #set $childState = $util.taskState($child.state)
       <span class="treeBranch">
         <span class="treeLabel">
-          <a href="taskinfo?taskID=$child.id" class="task$childState" title="$childState">$koji.taskLabel($child)</a>
+          <a href="taskinfo?taskID=$child.id" class="task$childState" title="$childState">$util.escapeHTML($koji.taskLabel($child))</a>
         </span>
       </span>
     $printChildren($child.id, $childMap)
@@ -40,7 +40,7 @@ All
 
 #include "includes/header.chtml"
 
-  <h4>$headerPrefix($state) #if $view == 'toplevel' then 'toplevel' else ''# #if $method != 'all' then $method else ''# Tasks#if $ownerObj then ' owned by <a href="userinfo?userID=%i">%s</a>' % ($ownerObj.id, $ownerObj.name) else ''##if $host then ' on host <a href="hostinfo?hostID=%i">%s</a>' % ($host.id, $host.name) else ''# #if $channel then ' in channel <a href="channelinfo?channelID=%i">%s</a>' % ($channel.id, $channel.name) else ''#</h4>
+  <h4>$headerPrefix($state) #if $view == 'toplevel' then 'toplevel' else ''# #if $method != 'all' then $method else ''# Tasks#if $ownerObj then ' owned by <a href="userinfo?userID=%i">%s</a>' % ($ownerObj.id, $util.escapeHTML($ownerObj.name)) else ''##if $host then ' on host <a href="hostinfo?hostID=%i">%s</a>' % ($host.id, $util.escapeHTML($host.name)) else ''# #if $channel then ' in channel <a href="channelinfo?channelID=%i">%s</a>' % ($channel.id, $util.escapeHTML($channel.name)) else ''#</h4>
 
   <table class="data-list">
     <tr>
@@ -69,7 +69,7 @@ All
           <option value="$loggedInUser.name">me</option>
           #end if
           #for $user in $users
-          <option value="$user.name" #if $user.name == $owner then 'selected="selected"' else ''#>$user.name</option>
+          <option value="$user.name" #if $user.name == $owner then 'selected="selected"' else ''#>$util.escapeHTML($user.name)</option>
           #end for
         </select>
         </td></tr>
@@ -159,9 +159,9 @@ All
           </td>
           <td class="user-$task.owner_name">
             #if $task.owner_type == $koji.USERTYPES['HOST']
-            <a href="hostinfo?userID=$task.owner">$task.owner_name</a>
+            <a href="hostinfo?userID=$task.owner">$util.escapeHTML($task.owner_name)</a>
             #else
-            <a href="userinfo?userID=$task.owner">$task.owner_name</a>
+            <a href="userinfo?userID=$task.owner">$util.escapeHTML($task.owner_name)</a>
             #end if
           </td>
           <td>$task.arch</td>
diff --git a/www/kojiweb/tasksbyhost.chtml b/www/kojiweb/tasksbyhost.chtml
index 4efa19e..337466f 100644
--- a/www/kojiweb/tasksbyhost.chtml
+++ b/www/kojiweb/tasksbyhost.chtml
@@ -51,7 +51,7 @@
     #if $len($hosts) > 0
     #for $host in $hosts
     <tr class="$util.rowToggle($self)">
-      <td><a href="hostinfo?hostID=$host.id">$host.name</a></td>
+      <td><a href="hostinfo?hostID=$host.id">$util.escapeHTML($host.name)</a></td>
       <td width="#echo $graphWidth + 5#"><img src="$util.themePath('images/1px.gif')" width="#echo $increment * $host.tasks#" height="15" class="graphrow" alt="graph row"/></td>
       <td>$host.tasks</td>
     </tr>
diff --git a/www/kojiweb/tasksbyuser.chtml b/www/kojiweb/tasksbyuser.chtml
index 843ea18..87620ec 100644
--- a/www/kojiweb/tasksbyuser.chtml
+++ b/www/kojiweb/tasksbyuser.chtml
@@ -35,7 +35,7 @@
     #if $len($users) > 0
     #for $user in $users
     <tr class="$util.rowToggle($self)">
-      <td><a href="userinfo?userID=$user.id">$user.name</a></td>
+      <td><a href="userinfo?userID=$user.id">$util.escapeHTML($user.name)</a></td>
       <td width="#echo $graphWidth + 5#"><img src="$util.themePath('images/1px.gif')" width="#echo $increment * $user.tasks#" height="15" class="graphrow" alt="graph row"/></td>
       <td>$user.tasks</td>
     </tr>
diff --git a/www/kojiweb/userinfo.chtml b/www/kojiweb/userinfo.chtml
index 88db1a3..a97d616 100644
--- a/www/kojiweb/userinfo.chtml
+++ b/www/kojiweb/userinfo.chtml
@@ -2,17 +2,17 @@
 
 #include "includes/header.chtml"
 
-  <h4>Information for user <a href="userinfo?userID=$user.id">$user.name</a></h4>
+  <h4>Information for user <a href="userinfo?userID=$user.id">$util.escapeHTML($user.name)</a></h4>
 
   <table>
     <tr>
-      <th>Name</th><td>$user.name</td>
+      <th>Name</th><td>$util.escapeHTML($user.name)</td>
     </tr>
     <tr>
       <th>ID</th><td>$user.id</td>
     </tr>
     <tr>
-      <th>Tasks</th><td><a href="tasks?owner=$user.name&state=all">$taskCount</a></td>
+      <th>Tasks</th><td><a href="tasks?$util.passthrough($self, 'owner')&state=all">$taskCount</a></td>
     </tr>
     <tr>
       <th id="packagelist">Packages</th>
@@ -47,8 +47,8 @@
           </tr>
           #for $package in $packages
           <tr class="$util.rowToggle($self)">
-            <td><a href="packageinfo?packageID=$package.package_id">$package.package_name</a></td>
-            <td><a href="taginfo?tagID=$package.tag_id">$package.tag_name</a></td>
+            <td><a href="packageinfo?packageID=$package.package_id">$util.escapeHTML($package.package_name)</a></td>
+            <td><a href="taginfo?tagID=$package.tag_id">$util.escapeHTML($package.tag_name)</a></td>
             <td class="$str(not $package.blocked).lower()">#if $package.blocked then $util.imageTag('no') else $util.imageTag('yes')#</td>
           </tr>
           #end for
@@ -92,7 +92,7 @@
           #for $build in $builds
           <tr class="$util.rowToggle($self)">
             #set $stateName = $util.stateName($build.state)
-            <td><a href="buildinfo?buildID=$build.build_id">$build.nvr</a></td>
+            <td><a href="buildinfo?buildID=$build.build_id">$util.escapeHTML($build.nvr)</a></td>
             <td>$util.formatTime($build.completion_ts)</td>
             <td class="$stateName">$util.stateImage($build.state)</td>
           </tr>
diff --git a/www/kojiweb/users.chtml b/www/kojiweb/users.chtml
index e8cafec..340c0e8 100644
--- a/www/kojiweb/users.chtml
+++ b/www/kojiweb/users.chtml
@@ -1,4 +1,5 @@
 #from kojiweb import util
+#from urllib.parse import quote
 
 #include "includes/header.chtml"
 
@@ -55,10 +56,10 @@
       #for $user in $users
         <tr class="$util.rowToggle($self)">
           <td>$user.id</td>
-          <td><a href="userinfo?userID=$user.name">$user.name</a></td>
-          <td><a href="packages?userID=$user.name">view</a></td>
-          <td><a href="builds?userID=$user.name">view</a></td>
-          <td><a href="tasks?owner=$user.name">view</a></td>
+          <td><a href="userinfo?userID=$quote($user.name)">$util.escapeHTML($user.name)</a></td>
+          <td><a href="packages?userID=$quote($user.name)">view</a></td>
+          <td><a href="builds?userID=$quote($user.name)">view</a></td>
+          <td><a href="tasks?owner=$quote($user.name)">view</a></td>
         </tr>
       #end for
     #else
diff --git a/www/lib/kojiweb/util.py b/www/lib/kojiweb/util.py
index b9f1f55..bad6566 100644
--- a/www/lib/kojiweb/util.py
+++ b/www/lib/kojiweb/util.py
@@ -25,6 +25,7 @@ import os
 import re
 import ssl
 import stat
+import urllib
 import xmlrpc.client
 # a bunch of exception classes that explainError needs
 from socket import error as socket_error
@@ -232,6 +233,11 @@ def passthrough(template, *vars):
     for var in vars:
         value = template.getVar(var, default=None)
         if value is not None:
+            if isinstance(value, str):
+                if value.isdigit():
+                    pass
+                else:
+                    value = urllib.parse.quote(value)
             result.append('%s=%s' % (var, value))
     if result:
         return '&' + '&'.join(result)


File Name	$koji.pathinfo.winfile($archive)	File Name	$archive.filename	File Name	$util.escapeHTML($archive.filename)
File Type	$archive_type.description	File Type	$util.escapeHTML($archive_type.description)
Build	$koji.buildLabel($build)
$file.name	$util.formatNatural($file.size)	$util.escapeHTML($file.name)	$util.formatNatural($file.size)
Host	$buildroot.host_name	Host	$util.escapeHTML($buildroot.host_name)
Arch	$buildroot.arch	Arch	$util.escapeHTML($buildroot.arch)
ID	$buildroot.id	Repo ID	$buildroot.repo_id
Repo Tag	$buildroot.tag_name	Repo Tag	$util.escapeHTML($buildroot.tag_name)
Repo State	$util.imageTag($util.repoStateName($buildroot.repo_state))	ID	$buildroot.id
Host OS	$buildroot.host_os	Host OS	$util.escapeHTML($buildroot.host_os)
Host Arch	$buildroot.host_arch	Host Arch	$util.escapeHTML($buildroot.host_arch)
Content Generator	$buildroot.cg_name ($buildroot.cg_version)	Content Generator	$util.escapeHTML($buildroot.cg_name) ($buildroot.cg_version)
Container Type	$buildroot.container_type	Container Type	$util.escapeHTML($buildroot.container_type)
Container Arch	$buildroot.container_arch	Container Arch	$util.escapeHTML($buildroot.container_arch)
$build.build_id	$koji.buildLabel($build)	$build.tag_name	$util.escapeHTML($build.tag_name)	$build.owner_name	$util.escapeHTML($build.owner_name)	$util.formatTime($build.completion_time)	$util.stateImage($build.state)
$target.name	$util.escapeHTML($target.name)		$target.builds
$userBuild.name	$util.escapeHTML($userBuild.name)		$userBuild.builds
Name	- +