--- loncom/interface/lonaboutme.pm 2021/11/30 15:55:37 1.161
+++ loncom/interface/lonaboutme.pm 2022/11/14 18:50:42 1.164
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Personal Information Page
 #
-# $Id: lonaboutme.pm,v 1.161 2021/11/30 15:55:37 raeburn Exp $
+# $Id: lonaboutme.pm,v 1.164 2022/11/14 18:50:42 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -84,6 +84,7 @@ use Apache::lonlocal;
 use Apache::lonmsgdisplay();
 use Apache::lontemplate;
 use Apache::longroup;
+use Apache::lonhtmlcommon();
 use HTML::Entities();
 use Image::Magick;
@@ -222,12 +223,14 @@ sub handler {
 $args->{'no_nav_bar'} = 1;
 } elsif (!$env{'form.register'}) { #Don't show breadcrumbs twice, when this page is part of course content and you call it
 if (($env{'request.course.id'}) &&
- ($env{'form.folderpath'} =~ /^supplemental/)) {
+ ($env{'form.folderpath'} =~ /^supplemental/)) {
+ &Apache::loncommon::validate_folderpath(1,'',$coursenum,$coursedomain);
 my $crstype = &Apache::loncommon::course_type();
 my $title = $env{'form.title'};
 if ($title eq '') {
 $title = &mt('Personal Information Page');
 }
+ $title = &HTML::Entities::encode($title,'\'"<>&');
 my $brcrum = &Apache::lonhtmlcommon::docs_breadcrumbs(undef,$crstype,undef,$title,1);
 if (ref($brcrum) eq 'ARRAY') {
@@ -805,10 +808,8 @@ sub parse_directory {
 sub aboutme_access {
 my ($uname,$udom) = @_;
 my $privcheck = $env{'request.course.id'};
- my $sec;
 if ($env{'request.course.sec'} ne '') {
- $sec = $env{'request.course.sec'};
- $privcheck .= '/'.$sec;
+ $privcheck .= '/'.$env{'request.course.sec'};
 }
 my $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};
 my $cnum = $env{'course.'.$env{'request.course.id'}.'.num'};
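Review bot: The new `validate_folderpath(1,'',$coursenum,$coursedomain)` call in the `sub handler` hunk runs only after `$env{'form.folderpath'}` has already passed the `/^supplemental/` test, and its return value is discarded, so these lines do not show whether an invalid folderpath is rewritten in `%env` or merely reported. A short comment above the call stating which of the two happens would make the check auditable. The entity-encoding added further down changes only the local `$title`; `$env{'form.title'}` itself stays raw, so any other use of it in `handler` (whose body begins and ends outside this hunk) still needs its own escaping. A comment such as `# form.title is request input: encode before it reaches docs_breadcrumbs()` would record why the line is there.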