--- userstat.pl.orig	Tue Apr 13 21:32:53 2004
+++ userstat.pl	Sat May  8 11:18:50 2004
@@ -59,7 +59,10 @@
 my $html=qq|<a href="_URL_" target="_blank" style="text-decoration: none">|.
          qq|<font color="_COLOR_">_TEXT_</font></a>|;
 
-$user=~s/[&;\`\<\>\(\)\{\}\[\]\s]//g;	# remove shell escape char
+# filter out dangerous characters
+$user=~s/[\/\"\'\`\|\<\>\\\(\)\[\]\{\}\$\s;&]//g;
+
+# remove shell escape char
 if ($user ne "") {
    my $status=`$ow_cgidir/openwebmail-tool.pl -m -e $user`;
    if ($status =~ /has no mail/) {