diff --git a/ctf.css b/ctf.css
index 1eb1fc1..4078cf0 100644
--- a/ctf.css
+++ b/ctf.css
@@ -19,3 +19,8 @@ a:hover {
 color: #000;
 background: #f00;
 }
+input {
+ border: 2px solid #088;
+ color: #fff;
+ background: #000;
+}
\ No newline at end of file
diff --git a/puzzler.cgi b/puzzler.cgi
index 84fe253..d7b8952 100755
--- a/puzzler.cgi
+++ b/puzzler.cgi
@@ -8,6 +8,13 @@ import re
 import sys
 import pointscli
 import teams
+from urllib.parse import quote, unquote
+
+##
+## This allows you to edit the URL and work on puzzles that haven't been
+## unlocked yet. For now I think that's an okay vulnerability. It's a
+## hacking contest, after all.
+##
 cat_re = re.compile(r'^[a-z]+$')
 points_re = re.compile(r'^[0-9]+$')
@@ -21,8 +28,7 @@ points_by_cat = {}
 points_by_team = {}
 try:
 for line in open('puzzler.dat'):
- line = line.strip()
- cat, team, pts = line.split('\t')
+ cat, team, pts = [unquote(v) for v in line.strip().split('\t')]
 pts = int(pts)
 points_by_cat[cat] = max(points_by_cat.get(cat, 0), pts)
 points_by_team.setdefault((team, cat), set()).add(pts)
@@ -96,10 +102,10 @@ def show_puzzles(cat, cat_dir): puzzles = sorted([int(v) for v in os.listdir(cat_dir)]) if puzzles: print('
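Review bot: The header comment added at the top of puzzler.cgi (hunk `@@ -8,6 +8,13 @@`) records that an edited URL reaches puzzles that are not unlocked yet, but it does not say whether that is limited to viewing or also covers scoring through `win()`, and scoring is what changes the results. State the scope in the comment and make the gap trackable, for example `## TODO: refuse points above the category's unlocked level before showing or scoring a puzzle`. Where such a check would sit is not visible in this hunk.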
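Review bot: The `puzzler.dat` reader (hunk `@@ -21,8 +28,7 @@`) now passes every field through `unquote()`, while lines written before this commit were stored unquoted, so an existing team name containing `%` followed by two hex digits is read back as a different name. The same holds for the `passwd` reader in `build_teams()` in teams.py, where a stored password with such a sequence would stop matching what the team types. Both files need a one-time re-encode (or a fresh start) when this is deployed, and a comment beside the reader such as `# fields are percent-encoded by win()` would document the on-disk format. The `try:` block around this loop continues outside the hunk.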
None (someone is slacking)
')
@@ -132,11 +138,12 @@ def show_puzzle(cat, points, points_dir):
 def win(cat, team, points):
 start_html('Winner!')
 points = int(points)
- pointscli.submit(cat, team, points)
- end_html()
 f = open('puzzler.dat', 'a')
- fctnl.lockf(f, LOCK_EX)
- f.write('%s\t%s\t%d\n' % (cat, team, points))
+ fcntl.lockf(f, fcntl.LOCK_EX)
+ f.write('%s\t%s\t%d\n' % (quote(cat), quote(team), points))
+ pointscli.submit(cat, team, points)
+ print('%d points for %s.
' % (team, points))
+ end_html()
 def main():
 cat_dir = safe_join('puzzles', cat)
diff --git a/teams.py b/teams.py
index a9bb384..f27b7a2 100755
--- a/teams.py
+++ b/teams.py
@@ -1,11 +1,11 @@
 #! /usr/bin/env python3
 import fcntl
+from urllib.parse import quote, unquote
 house = 'dirtbags'
 teams = None
-
 def build_teams():
 global teams
@@ -13,22 +13,25 @@ def build_teams():
 try:
 f = open('passwd')
 for line in f:
- team, passwd = line.strip().split('\t')
+ line = line.strip()
+ team, passwd = [unquote(v) for v in line.strip().split('\t')]
 teams[team] = passwd
 except IOError:
 pass
-def chkpasswd(team, passwd):
+def validate(team):
 if teams is None:
 build_teams()
+
+def chkpasswd(team, passwd):
+ validate(team)
 if teams.get(team) == passwd:
 return True
 else:
 return False
 def exists(team):
- if teams is None:
- build_teams()
+ validate(team)
 if team == house:
 return True
 return team in teams
@@ -37,4 +40,4 @@ def add(team, passwd):
 f = open('passwd', 'a')
 fcntl.lockf(f, fcntl.LOCK_EX)
 f.seek(0, 2)
- f.write('%s\t%s\n' % (team, passwd))
+ f.write('%s\t%s\n' % (quote(team), quote(passwd)))
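Review bot: The `print` added to `win()` passes its arguments in the wrong order: `%d` receives `team` and `%s` receives `points`, so the call raises TypeError for any non-numeric team name, and it does so after the score line has been written and submitted. Swap the tuple to `(points, team)`. Since `team` presumably comes from the request and is written into the HTML page, it should also go through `html.escape(team)` before printing; whether puzzler.cgi imports `html` is not visible here. The rest of the format string is truncated on this page.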
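Review bot: `validate(team)` in teams.py never reads its `team` argument and rejects nothing; it only loads the `passwd` file on first use, so the name promises an input check that `chkpasswd()` and `exists()` do not get. Rename it to something like `_ensure_loaded()` without a parameter, or give it a docstring saying that no validation happens. In `build_teams()`, the added `line = line.strip()` is followed at once by a second `line.strip()`, and one of them can go. `chkpasswd()` still compares the stored and supplied password with `==`; `hmac.compare_digest` on the encoded values is the constant-time form.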
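Review bot: `add()` appends its line without checking, under the lock it already holds, whether `team` has an entry; `build_teams()` assigns `teams[team] = passwd` for every line, so the last line for a name wins and a second registration would replace that team's password unless every caller checks `exists()` first. Re-reading `passwd` while the lock is held and refusing a duplicate name would close that regardless of the caller. `quote(passwd)` only keeps tabs and newlines out of the record; the password is still stored in recoverable form, which a comment on `add()` should say.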