Index: /branches/1.0/php/xlogin.php
===================================================================
--- /branches/1.0/php/xlogin.php (revision 1183)
+++ /branches/1.0/php/xlogin.php (revision 1184)
@@ -86,10 +86,10 @@
 
    // Get the expected form variables from the POST array
-   if (isset($_POST["language"])) {
+   if (isset($_POST["language"])   && strlen($_POST["language"]) == 2 ) {
       $display_language = trim($_POST["language"]);
    } else {
       $display_language = $default_display_language;
    }
-   if (isset($_POST["charset"])) {
+   if (isset($_POST["charset"]) && preg_match("/^[\x20-\x7e]{1,40}$/", $_POST["charset"])) {
       $html_charset = trim($_POST["charset"]);
    } else {
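Review bot: The new `strlen($_POST["language"]) == 2` guard tests the raw value and accepts any two bytes, so `" a"` passes and is then trimmed on the next line to a one-character `$display_language`; validating the trimmed value with a character class, `preg_match('/^[a-z]{2}$/i', trim($_POST["language"]))`, would cover both the length and the content. Both new checks also assume a string: a request sending `language[]=` or `charset[]=` makes the POST entry an array, on which `strlen()` and `preg_match()` throw a TypeError on PHP 8 (a warning with a null result on older versions), so an `is_string()` test belongs in front of them. The charset pattern `[\x20-\x7e]{1,40}` still admits `"`, `<`, `>` and `;`; if `$html_charset` is later emitted into a `<meta>` tag or Content-Type header without escaping (not visible here), a charset-name class such as `/^[A-Za-z0-9._:-]{1,40}$/` would be the tighter bound. The same observations apply to the `lang`/`prevlang` and `charset` hunks in login.php and internal-init.php. The charset `if`/`else` continues past the end of this hunk.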
Index: /branches/1.0/php/login.php
===================================================================
--- /branches/1.0/php/login.php (revision 950)
+++ /branches/1.0/php/login.php (revision 1184)
@@ -81,4 +81,8 @@
    if (isset($_GET["super"])) {
       $super = trim($_GET["super"]);
+      if($super != "register" && $super != "unregister") {
+        $logger->err("invalid super parameter");
+        $super = "";
+      }
    } else {
       $super = "";
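Review bot: The new whitelist `if($super != "register" && $super != "unregister")` relies on loose `!=`; with a trimmed string on the left it behaves today, but `if (!in_array($super, ['register', 'unregister'], true))` makes the allowed set explicit and strict. `trim($_GET["super"])` on the line above still assumes a string, so `super[]=` would raise a TypeError on PHP 8 before the check is reached; an `is_string()` guard on the `isset` line would close that. `$logger` is not declared within the hunk and presumably comes from earlier in login.php; if it can be unset here, the rejection path itself would fault. The enclosing `if`/`else` block ends after the hunk.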
@@ -86,9 +90,9 @@
 
    // Determine the initial language preference,
-   // either from default or from manually selected link 
-   if (isset($_GET["lang"])) {
+   // either from default or from manually selected link
+   if (isset($_GET["lang"]) && strlen($_GET["lang"]) == 2 ) {
       $display_language = trim($_GET["lang"]);
       $display_language_is_default = false;
-   } elseif (isset($_GET["prevlang"])) {
+   } elseif (isset($_GET["prevlang"]) && strlen($_GET["prevlang"]) == 2) {
       $display_language = trim($_GET["prevlang"]);
       $display_language_is_default = true;
@@ -111,5 +115,6 @@
 
    // Determine the user's character set preference
-   if (isset($_GET["charset"])) {
+   // Charset must be printable ascii, 1-40 characters.  /^[\x20-\x7e]{1,40}$/
+   if (isset($_GET["charset"]) && preg_match("/^[\x20-\x7e]{1,40}$/", $_GET["charset"])) {
        $html_charset = trim($_GET["charset"]);
    } else {
Index: /branches/1.0/php/internal-init.php
===================================================================
--- /branches/1.0/php/internal-init.php (revision 950)
+++ /branches/1.0/php/internal-init.php (revision 1184)
@@ -87,5 +87,5 @@
 
     // Determine the user's language preference
-    if (isset($_GET["lang"])) {
+    if (isset($_GET["lang"]) && strlen($_GET["lang"]) == 2 ) {
        $display_language = trim($_GET["lang"]);
     } else {
@@ -98,5 +98,5 @@
 
     // Determine the user's character set preference
-    if (isset($_GET["charset"])) {
+    if (isset($_GET["charset"]) && preg_match("/^[\x20-\x7e]{1,40}$/", $_GET["charset"])) {
         $html_charset = trim($_GET["charset"]);
     } else {
