diff --git a/include/class.export.php b/include/class.export.php
index 4ee0c0c796ed0e0d9f69349162ff0dac39817e3c..5b49b939eabc3384e5ac4fd19dd2318cfaeee829 100644
--- a/include/class.export.php
+++ b/include/class.export.php
@@ -424,7 +424,13 @@ class CsvResultsExporter extends ResultSetExporter {
         fputs($this->output, chr(0xEF) . chr(0xBB) . chr(0xBF));
         fputcsv($this->output, $this->getHeaders(), $delimiter);
         while ($row=$this->next())
-            fputcsv($this->output, $row, $delimiter);
+            fputcsv($this->output, array_map(
+                function($v){
+                    if (preg_match('/^[=\-+@].*/', $v))
+                        return "'".$v;
+                    return $v;
+                }, $row),
+            $delimiter);
 
         fclose($this->output);
     }
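Review bot: The quoting callback covers only the data rows; the header row written by `fputcsv($this->output, $this->getHeaders(), $delimiter)` just above the loop is emitted unchanged, so if header labels can carry user- or admin-defined text they bypass the neutralization. The character class also omits leading tab and carriage return, which OWASP's CSV-injection guidance lists alongside `= + - @`, and `preg_match` is handed whatever type the row cell has, which raises a deprecation on `null` under PHP 8.1+. A tighter test would be `if (is_string($v) && preg_match('/^[=\-+@\t\r]/', $v))`, with the same callback applied to the header array. The enclosing method starts outside this hunk.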
diff --git a/include/class.format.php b/include/class.format.php
index 7d4877b5e9a33778d8362191b33c237154f437b8..a04da630e23197db52d848368462c37cc337dc88 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -138,7 +138,7 @@ class Format {
             $xpath = new DOMXPath($doc);
             static $eE = array('area'=>1, 'br'=>1, 'col'=>1, 'embed'=>1,
                     'iframe' => 1, 'hr'=>1, 'img'=>1, 'input'=>1,
-                    'isindex'=>1, 'param'=>1);
+                    'isindex'=>1, 'param'=>1, 'div'=>1);
             do {
                 $done = true;
                 $nodes = $xpath->query('//*[not(text()) and not(node())]');
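Review bot: The reason for adding `'div'` to `$eE` is not documented, and it stands out because every other entry is an element that is normally empty (`br`, `img`, `input`, ...), which `div` is not. How the map is consulted lies outside this hunk, but it presumably exempts the listed tags from the empty-node pruning loop that follows, so empty `<div>` elements would now survive the cleanup. A comment above the array, along the lines of `// tags that may stay in the document when empty; div is kept so empty blocks are not pruned`, would make the intent clear once the actual reason is confirmed.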
diff --git a/include/class.forms.php b/include/class.forms.php
index a6f57acef1eac179cb4c5fb4a4966a3fa7dcfa46..2502024b90566d37e57e2c534275dc0a0e0bcb8c 100644
--- a/include/class.forms.php
+++ b/include/class.forms.php
@@ -1444,7 +1444,8 @@ class TextboxField extends FormField {
         parent::validateEntry($value);
         $config = $this->getConfiguration();
         $validators = array(
-            '' =>       null,
+            '' =>       array(array('Validator', 'is_formula'),
+                __('Content cannot start with the following characters: = - + @')),
             'email' =>  array(array('Validator', 'is_valid_email'),
                 __('Enter a valid email address')),
             'phone' =>  array(array('Validator', 'is_phone'),
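Review bot: Making `is_formula` the default (`''`) validator rejects legitimate input in every text field that has no specific validator: negative numbers, `+1 ...` style numbers and `@name` handles all start with a listed character. The same applies to the TextareaField hunk below. Fields configured with another validator (`email`, `phone`, ...) never reach this check, so stored values can still begin with these characters and the export-time quoting in class.export.php remains the control that protects spreadsheet users. Consider leaving the default as `null` and relying on the output-side neutralization, or document in a comment that this check is defence in depth only. The body of `validateEntry` continues outside the hunk.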
@@ -1529,9 +1530,12 @@ class TextareaField extends FormField {
 
     function validateEntry($value) {
         parent::validateEntry($value);
+        if (!$value)
+            return;
         $config = $this->getConfiguration();
         $validators = array(
-            '' =>       null,
+            '' =>       array(array('Validator', 'is_formula'),
+                __('Content cannot start with the following characters: = - + @')),
             'choices' => array(
                 function($val) {
                     $val = str_replace('"', '', JsonDataEncoder::encode($val));
@@ -1545,12 +1549,12 @@ class TextareaField extends FormField {
             ),
         );
         // Support configuration forms, as well as GUI-based form fields
-        $valid = $this->get('validator');
-        if (!$valid) {
+        if (!($valid = $this->get('validator')) && isset($config['validator']))
             $valid = $config['validator'];
-        }
-        if (!$value || !isset($validators[$valid]))
+
+        if (!isset($validators[$valid]))
             return;
+
         $func = $validators[$valid];
         $error = $func[1];
         if ($config['validator-error'])
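Review bot: With the `''` entry now holding a real validator, the lookup `isset($validators[$valid])` depends on which falsy value `$valid` ends up with when no validator is configured: `null` becomes the key `''` and runs the formula check, while `false` becomes key `0` and skips it. What `$this->get('validator')` returns in that case is not visible here, so the assignment inside the condition should be replaced by an explicit normalization, e.g. `$valid = $this->get('validator') ?: (isset($config['validator']) ? $config['validator'] : '');`. That also removes the assignment-in-condition, which is easy to misread next to the `&&`. The method body continues outside the hunk.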
diff --git a/include/class.user.php b/include/class.user.php
index e70749626b6a565f7d6bb8035ff30ba5a47056c3..412038646a9d655807b710f6a08aa28a1ab183a9 100644
--- a/include/class.user.php
+++ b/include/class.user.php
@@ -268,7 +268,7 @@ implements TemplateVariable, Searchable {
         //Validate the form
         $valid = true;
         $filter = function($f) use ($thisstaff) {
-            return !isset($thisstaff) || $f->isRequiredForStaff();
+            return !isset($thisstaff) || $f->isRequiredForStaff() || $f->isVisibleToStaff();
         };
         if (!$form->isValid($filter))
             $valid  = false;
diff --git a/include/class.validator.php b/include/class.validator.php
index 2e1928f37882ea18c24e0b1500e3d29c9e0b8bd4..89faae11e616db0160ed56f886c575f3c5297d2f 100644
--- a/include/class.validator.php
+++ b/include/class.validator.php
@@ -211,6 +211,11 @@ class Validator {
         return $error == '';
     }
 
+    static function is_formula($text, &$error='') {
+        if (!preg_match('/^[^=\+@-].*$/', $text))
+            $error = __('Content cannot start with the following characters: = - + @');
+        return $error == '';
+    }
 
     /*
      * check_ip
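Review bot: The pattern in `is_formula` rejects more than formula prefixes. Without the `s` modifier `.` stops at a newline and `$` matches only at the end of the subject, so a multi-line value such as a TextareaField entry (which this commit routes through the method by default) fails the match and is reported as starting with a forbidden character; an empty string passed directly fails as well. Testing for the prefix itself avoids both cases: `if (preg_match('/^[=\-+@]/', $text))`. The name also reads inverted, since the method returns true when the text is not a formula, so a docblock stating the return contract and the by-reference `$error` would help.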
diff --git a/setup/inc/class.installer.php b/setup/inc/class.installer.php
index defde3e8d0db26f992e8add2bbbed1bba3b8bc51..d6ad5fca3634a3e55d321668e073a3e5ededbbeb 100644
--- a/setup/inc/class.installer.php
+++ b/setup/inc/class.installer.php
@@ -190,8 +190,8 @@ class Installer extends SetupWizard {
             'dept_id' => $dept_id,
             'role_id' => $role_id,
             'email' => $vars['admin_email'],
-            'firstname' => $vars['fname'],
-            'lastname' => $vars['lname'],
+            'firstname' => Format::htmlchars($vars['fname']),
+            'lastname' => Format::htmlchars($vars['lname']),
             'username' => $vars['username'],
         ));
         $staff->updatePerms(array(
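Review bot: Passing `fname` and `lname` through `Format::htmlchars()` before they are stored encodes for HTML at write time rather than at output. If the templates that display staff names already escape them, which is not visible from here, a name such as O'Brien would be rendered with its entity visible, and non-HTML consumers (e-mail headers, CSV export, API) receive the encoded form. `username` and `email` in the same array are left raw, so the treatment is also inconsistent. Storing the raw value (`'firstname' => $vars['fname'],`) after validating it, and escaping per context where it is printed, is the more robust arrangement. The surrounding method starts and ends outside this hunk.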