
WebCalendar-1.2.4-3.fc16.src.rpm

diff -Naur WebCalendar-1.2.4.orig/edit_entry_handler.php WebCalendar-1.2.4.new/edit_entry_handler.php
--- WebCalendar-1.2.4.orig/edit_entry_handler.php	2012-02-17 11:09:49.523345221 +0100
+++ WebCalendar-1.2.4.new/edit_entry_handler.php	2012-02-17 12:50:59.541471469 +0100
@@ -152,16 +152,19 @@
   $location = strip_tags ( $location );
 }
 
-// Don't allow certain HTML tags in description.
+// Don't allow certain HTML tags in name, description and location.
 // Malicious users can use meta refresh to redirect users to another
 // site (possibly a malware site).  This could be form a public submission
 // on an event calendar, and the admin gets sent to the malware site when
 // viewing the event to approve/reject it.
 $bannedTags = array ( 'HTML', 'HEAD', 'TITLE', 'BODY',
   'SCRIPT', 'META', 'LINK', 'OBJECT', 'APPLET' );
-for ( $i = 0; $i < count ( $bannedTags ); $i++ ) {
-  if ( preg_match ( "/<\s*$bannedTags[$i]/i", $description ) ) {
-    $error = translate('Security violation!');
+foreach (array($name, $description, $location) as $chkfld) {
+  for ( $i = 0; $i < count ( $bannedTags ); $i++ ) {
+    if ( preg_match ( "/<\s*$bannedTags[$i]/i", $chkfld ) ) {
+      $error = translate('Security violation!');
+      break 2;
+    }
   }
 }
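Review bot: The loop is a prefix blocklist — it rejects only input containing `<` followed by one of the nine listed tag names, so any element not in `$bannedTags` is stored verbatim and the output-side escaping added in view_entry.php remains the control that actually prevents markup injection; the comment above the list could say this is a best-effort early reject rather than the sanitiser. The inner `for` re-evaluates `count($bannedTags)` on every pass and interpolates the tag name straight into a PCRE pattern; `foreach ( $bannedTags as $tag ) { if ( preg_match ( '/<\s*' . preg_quote ( $tag, '/' ) . '/i', $chkfld ) ) {` matches identically for the current list and stays correct if an entry containing a regex metacharacter is ever added. `break 2` leaves `$error` set for the handler code that follows, which is outside the hunk, so whether a non-empty `$error` reliably aborts the save cannot be confirmed from here.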
 
diff -Naur WebCalendar-1.2.4.orig/view_entry.php WebCalendar-1.2.4.new/view_entry.php
--- WebCalendar-1.2.4.orig/view_entry.php	2012-02-17 11:09:49.466347759 +0100
+++ WebCalendar-1.2.4.new/view_entry.php	2012-02-17 12:41:58.190467151 +0100
@@ -421,7 +421,7 @@
       </tr>' : '' ) . ( $DISABLE_URL_FIELD != 'Y' && ! empty ( $url ) ? '
       <tr>
         <td class="aligntop bold">' . translate ( 'URL' ) . ':</td>
-        <td>' . activate_urls ( $url ) . '</td>
+        <td>' . activate_urls(htmlspecialchars($url)) . '</td>
       </tr>' : '' );
 
 if ( $event_status != 'A' && ! empty ( $event_status ) ) {
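Review bot: `htmlspecialchars($url)` in `activate_urls(htmlspecialchars($url))` relies on the defaults, which in the PHP versions this package targets do not escape single quotes and take the charset from the PHP version (ISO-8859-1 before 5.4, UTF-8 from 5.4), so the escaping depends on the runtime; the same applies to the `htmlspecialchars` calls added in the three later hunks of this file. Passing the flags and charset explicitly, `htmlspecialchars($url, ENT_QUOTES, 'UTF-8')` (or the application's configured charset if it is not UTF-8), makes the result independent of the interpreter's default and safe inside single-quoted attributes. `activate_urls` is defined outside this diff; escaping before it runs is correct only if that function neither decodes the value nor places it unquoted in an attribute, which should be confirmed against its definition. HTML escaping also says nothing about the URL scheme, so if `activate_urls` emits an `href`, a scheme allowlist at the point the anchor is built is the complementary check.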
@@ -685,10 +685,10 @@
               <td width="30%">';
       if ( strlen ( $tempemail ) && $can_email != 'N' ) {
         echo '<a href="mailto:' . $tempemail . '?subject=' . $subject
-         . '">&nbsp;' . $tempfullname . '</a>';
+         . '">&nbsp;' . htmlspecialchars($tempfullname) . '</a>';
         $allmails[] = $tempemail;
       } else
-        echo '&nbsp;' . $tempfullname;
+        echo '&nbsp;' . htmlspecialchars($tempfullname);
 
       echo '</td>
               <td width="5%" align="center">' . $percentage . '%</td>
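Review bot: Only the link text `$tempfullname` is escaped here; `$tempemail` and `$subject` are still concatenated unescaped into the `href="mailto:..."` attribute on the line above it, and `$percentage` is echoed raw in the cell below. Whether those values are validated upstream is not visible in this hunk, so the attribute value should be escaped as well: `echo '<a href="mailto:' . htmlspecialchars($tempemail) . '?subject=' . htmlspecialchars($subject)`. The same pattern recurs in the next hunk's second mailto link.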
@@ -711,7 +711,7 @@
           ';
       if ( strlen ( $tempemail ) > 0 && $can_email != 'N' ) {
         echo '<a href="mailto:' . $tempemail . '?subject=' . $subject . '">'
-         . $tempfullname . '</a>';
+         . htmlspecialchars($tempfullname) . '</a>';
         $allmails[] = $tempemail;
       } else
         echo $tempfullname;
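Review bot: The `else` branch `echo $tempfullname;` is left unescaped while the link branch two lines above now uses `htmlspecialchars($tempfullname)`, and the earlier hunk at line 685 escaped both branches; this one is inconsistent and still emits the raw name whenever no email link is shown. Change it to `echo htmlspecialchars($tempfullname);`. As in the previous hunk, `$tempemail` and `$subject` inside the `href` remain unescaped.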
@@ -727,7 +727,7 @@
         for ( $i = 0, $cnt = count ( $ext_users ); $i < $cnt; $i++ ) {
           if ( ! empty ( $ext_users[$i] ) ) {
             echo '
-          ' . $ext_users[$i] . ' (' . $externUserStr . ')<br />';
+          ' . htmlspecialchars($ext_users[$i]) . ' (' . $externUserStr . ')<br />';
             if ( preg_match ( '/mailto: (\S+)"/', $ext_users[$i], $match ) )
               $allmails[] = $match[1];
           }
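Review bot: The escaping on the echo line and the `preg_match ( '/mailto: (\S+)"/', $ext_users[$i], $match )` two lines below disagree about what `$ext_users[$i]` holds: the regex expects `mailto:` followed by a closing double quote, which reads like pre-formatted markup, and if entries really are stored that way `htmlspecialchars` will now render the markup literally instead of as a link. The storage format of external users is not visible here and should be confirmed; if entries are plain text the regex never matches, and if they are markup the escaping is a functional regression and the output should instead be assembled from the entry's parts. Separately, `$match[1]` goes into `$allmails` unvalidated; `if ( filter_var ( $match[1], FILTER_VALIDATE_EMAIL ) ) $allmails[] = $match[1];` keeps only well-formed addresses before they reach whatever consumes `$allmails` outside this hunk.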