In both the client and staff interfaces, where the URL and request parameters were echoed back without any escaping