diff --git a/comments.php b/comments.php
index cc50db3..2de01af 100644
--- a/comments.php
+++ b/comments.php
@@ -99,7 +99,7 @@ $name = trim(stripslashes(@$_POST['name']));
 $email = isset($_POST['email'])? trim($_POST['email']) : null;
- $url = isset($_POST['url'])? trim(stripslashes($_POST['url'])) : null;
+ $url = isset($_POST['url'])? trim(stripslashes(htmlspecialchars($_POST['url']))) : null;
 /*
 * check name
diff --git a/fp-includes/core/core.users.php b/fp-includes/core/core.users.php
index d6022b7..c12f53d 100755
--- a/fp-includes/core/core.users.php
+++ b/fp-includes/core/core.users.php
@@ -103,7 +103,8 @@ if ($userid == null && ($user = user_loggedin())) {
 return $user;
 }
- if (file_exists($f = USERS_DIR . $userid.".php")) {
+ if (!preg_match('![/\\.]!', $userid) &&
+ file_exists($f = USERS_DIR . $userid.".php")) {
 include($f);
 return $user;
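Review bot: The added `htmlspecialchars($_POST['url'])` call on the `$url` line encodes markup characters but does not constrain the URL scheme, so a non-http(s) value would still reach any `href` the comment template builds from it. It is also called with default flags, which before PHP 8.1 leave single quotes unencoded, and it encodes at input time, so the stored value is HTML-escaped rather than raw. I would validate the scheme here, for example `if ($url !== null && $url !== '' && !preg_match('!^https?://!i', $url)) { $url = null; }`, and encode where the value is printed with `htmlspecialchars($url, ENT_QUOTES, 'UTF-8')`. The validation code after this hunk is not visible, so a later URL check may already exist; `$name` on the first visible line gets no encoding in this hunk either.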
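Review bot: The new guard `!preg_match('![/\\.]!', $userid)` is a denylist that fails open, and it covers fewer characters than it appears to. In a single-quoted PHP string `\\.` becomes `\.`, so the class matches only `/` and `.`; a backslash, which is a path separator on Windows, is not rejected, although that may not have been the intent. On PHP 7 a non-string `$userid` such as an array makes `preg_match()` return `false`, so the negated check passes and the `include($f)` path is still reached. An allowlist would be tighter, for example `is_string($userid) && preg_match('/\A[A-Za-z0-9_-]+\z/', $userid) === 1 &&`, with the class adjusted to whatever usernames registration accepts. The enclosing function starts and ends outside this hunk.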