diff -ruN a/cgi/ajax/phrase b/cgi/ajax/phrase
--- a/cgi/ajax/phrase	2021-02-23 08:56:22.069012347 +0000
+++ b/cgi/ajax/phrase	2021-02-23 09:13:10.880795073 +0000
@@ -36,7 +36,7 @@
 	{
 		for(values(%$pins))
 		{
-			my $doc = eval { $repo->xml->parse_string( $_ ) };
+			my $doc = eval { $repo->xml->parse_string( $_, expand_entities => 0 ) };
 			if( defined $doc )
 			{
 				$_ = $repo->xml->clone( $doc->documentElement );
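Review bot: Passing `expand_entities => 0` at this one call site leaves every other caller of `parse_string` on the parser defaults, because the protection is opt-in per call. The shared `$PARSER` is created with a bare `XML::LibXML->new()` (visible as context in perl_lib/EPrints/XML/LibXML.pm), so the safer design is to set the restrictive options there, e.g. `$PARSER = XML::LibXML->new( expand_entities => 0, no_network => 1 );`, and let a caller that really needs expansion opt in. That change would need checking against callers that rely on entity expansion, which this diff does not show. If the per-call approach stays, a short comment here such as `# values may come from the request: never expand entities (XXE)` would record why the option is passed. The enclosing loop continues outside the hunk.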
diff -ruN a/cgi/latex2png b/cgi/latex2png
--- a/cgi/latex2png	2021-02-23 08:56:22.070012357 +0000
+++ b/cgi/latex2png	1970-01-01 00:00:00.000000000 +0000
@@ -1,32 +0,0 @@
-######################################################################
-#
-#  Turn a latex string into a PNG
-#
-######################################################################
-#
-#  __COPYRIGHT__
-#
-# Copyright 2000-2008 University of Southampton. All Rights Reserved.
-# 
-#  __LICENSE__
-#
-######################################################################
-
-use EPrints;
-
-use strict;
-
-my $session = new EPrints::Session;
-exit( 0 ) unless( defined $session );
-
-my $latex = $session->param( "latex" );
-$latex = "???" if( !defined $latex );
-
-my $pngfile = EPrints::Latex::texstring_to_png( $session, $latex );
-
-$session->send_http_header( content_type=>'image/png' );
-open( PNG, $pngfile ) || die "can't open $pngfile";
-while(<PNG>) { print; }
-close PNG;
-
-$session->terminate();
diff -ruN a/cgi/toolbox/toolbox b/cgi/toolbox/toolbox
--- a/cgi/toolbox/toolbox	2021-02-23 08:56:22.072012379 +0000
+++ b/cgi/toolbox/toolbox	2021-02-23 09:13:24.889944662 +0000
@@ -25,6 +25,11 @@
 
 my %opts = ();
 
+if ( $cmd !~ m/^[a-zA-Z0-9_]+$/ )
+{
+        toolbox_fail( $session, "Invalid toolbox function" );
+}
+
 if( !$session->valid_login( $username, $password ) )
 {
 	toolbox_fail( $session, "Invalid username/password" );
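Review bot: The new `$cmd` check anchors with `^` and `$`, and in Perl `$` also matches before a trailing newline, so a value ending in `\n` still passes the whitelist. Anchor with `\A` and `\z` instead: `if ( $cmd !~ m/\A[a-zA-Z0-9_]+\z/ )`. The check also relies on `toolbox_fail` ending the request, as the login check below presumably does; its body is not visible here, and if it returns, execution continues with the rejected `$cmd`. The added lines are indented with spaces while the surrounding file uses tabs.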
diff -ruN a/perl_lib/EPrints/XML/LibXML.pm b/perl_lib/EPrints/XML/LibXML.pm
--- a/perl_lib/EPrints/XML/LibXML.pm	2021-02-23 08:56:22.285014657 +0000
+++ b/perl_lib/EPrints/XML/LibXML.pm	2021-02-23 09:13:58.364302097 +0000
@@ -73,7 +73,7 @@
 	$PARSER = XML::LibXML->new();
 }
 
-=item $doc = parse_xml_string( $string )
+=item $doc = parse_xml_string( $string, %opts )
 
 Create a new DOM document from $string.
 
@@ -81,8 +81,23 @@
 
 sub parse_xml_string
 {
-	my( $string ) = @_;
-
+	my( $string, %opts ) = @_;
+	
+	if ( keys %opts )
+        {
+                my %cur_opts = ();
+                foreach ( keys %opts )
+                {
+                        $cur_opts{$_} = $PARSER->get_option( $_ );
+                        $PARSER->set_option( $_, $opts{$_} );
+                }
+                my $parsed = $PARSER->parse_string( $string );
+                foreach ( keys %cur_opts )
+                {
+                        $PARSER->set_option( $_, $cur_opts{$_} );
+                }
+                return $parsed;
+        }
 	return $PARSER->parse_string( $string );
 }
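Review bot: In the `keys %opts` branch of `parse_xml_string`, the saved options are never restored when `$PARSER->parse_string` dies, which it does on malformed input (the caller in cgi/ajax/phrase wraps the call in `eval` for that reason). `$PARSER` is a package-level object, so in a persistent interpreter the temporary options would carry over to later, unrelated parses. With `expand_entities => 0` that happens to fail safe, but any other option passed through this interface would leak the same way. Capture the exception, restore the options, then rethrow, as sketched below; the POD entry changed in the previous hunk should also say that `%opts` are XML::LibXML parser options applied for this call only.

```perl
	if ( keys %opts )
	{
		my %cur_opts = map { $_ => $PARSER->get_option( $_ ) } keys %opts;
		$PARSER->set_option( $_, $opts{$_} ) for keys %opts;
		my $parsed = eval { $PARSER->parse_string( $string ) };
		my $err = $@;
		# restore the shared parser even when parsing failed
		$PARSER->set_option( $_, $cur_opts{$_} ) for keys %cur_opts;
		die $err if $err;
		return $parsed;
	}
	# … unchanged: default parse without per-call options …
```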
 
diff -ruN a/perl_lib/EPrints/XML.pm b/perl_lib/EPrints/XML.pm
--- a/perl_lib/EPrints/XML.pm	2021-02-23 08:56:22.284014647 +0000
+++ b/perl_lib/EPrints/XML.pm	2021-02-23 09:13:47.490185983 +0000
@@ -125,8 +125,8 @@
 
 sub parse_string
 {
-	my( $self, $string ) = @_;
-	return parse_xml_string( $string );
+	my( $self, $string, %opts ) = @_;
+	return parse_xml_string( $string, %opts );
 }
 
 =item $doc_frag = parse_frag_string( $string )
