diff --git a/html/inc/util.inc b/html/inc/util.inc
index e2d15449e7d..bc07a9ff8ff 100644
--- a/html/inc/util.inc
+++ b/html/inc/util.inc
@@ -1048,6 +1048,20 @@ function sanitize_email($x) {
 }
 }
 
+// pages like top_hosts.php, team_members.php etc. have a textual
+// "sort_by" argument.
+// Check this to avoid XSS vulnerability
+//
+function sanitize_sort_by($x) {
+ switch($x) {
+ case 'expavg_credit':
+ case 'total_credit':
+ return;
+ default:
+ error_page('bad sort_by');
+ }
+}
+
 function flops_to_credit($f) {
 return $f*(200/86400e9);
 }
diff --git a/html/user/team_members.php b/html/user/team_members.php
index 402876891a1..7187fbfccf5 100644
--- a/html/user/team_members.php
+++ b/html/user/team_members.php
@@ -24,9 +24,9 @@
 check_get_args(array("sort_by", "offset", "teamid"));
 
-if (isset($_GET["sort_by"])) {
- $sort_by = $_GET["sort_by"];
- $sort_by = strip_tags($sort_by); // remove XSS nonsense
+$sort_by = get_str("sort_by", true);
+if ($sort_by) {
+ sanitize_sort_by($sort_by);
 } else {
 $sort_by = "expavg_credit";
 }
 
diff --git a/html/user/top_hosts.php b/html/user/top_hosts.php
index 4a86ab11f64..930d4b19161 100644
--- a/html/user/top_hosts.php
+++ b/html/user/top_hosts.php
@@ -42,13 +42,11 @@ function get_top_hosts($offset, $sort_by) {
 return BoincHost::enum(null, "order by $sort_order limit $offset, $hosts_per_page");
 }
 
-$sort_by = get_str("sort_by", true);
-switch ($sort_by) {
-case "total_credit":
-case "expavg_credit":
- break;
-default:
- $sort_by = "expavg_credit";
+$sort_by = get_str('sort_by', true);
+if ($sort_by) {
+ sanitize_sort_by($sort_by);
+} else {
+ $sort_by = 'expavg_credit';
 }
 
 $offset = get_int("offset", true);
diff --git a/html/user/top_teams.php b/html/user/top_teams.php
index 7c3c33e3be9..9ccc43a3f8d 100644
--- a/html/user/top_teams.php
+++ b/html/user/top_teams.php
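Review bot: sanitize_sort_by() in the util.inc hunk only protects the caller if error_page() never returns; it is defined outside this diff, and if it ever returns (or is changed to), the `default:` branch falls through, the function returns nothing, and every caller in this commit keeps the unvalidated string because none of them reassigns it. The header comment also names only XSS, whereas in the top_hosts.php and top_teams.php hunks the context line interpolates `$sort_order` unescaped into an ORDER BY, and `$sort_order` is presumably derived from `$sort_by` inside those functions, so this allowlist is what prevents SQL injection there too. A further nit is that `switch` compares loosely; `in_array(..., true)` makes the allowlist strict. I would have the helper return the validated value, exit defensively after error_page(), and document both contexts:
```php
// Validate the textual "sort_by" argument used by top_hosts.php,
// team_members.php etc.  The value reaches page output and, in the
// top_* pages, selects the column of an unescaped ORDER BY (via
// $sort_order), so only the two known column names are accepted;
// anything else ends the request with error_page().
// Returns the validated value so callers can assign it directly.
function sanitize_sort_by($x) {
    if (!in_array($x, array('expavg_credit', 'total_credit'), true)) {
        error_page('bad sort_by');
        exit;   // defensive: never hand back an unvalidated value even if error_page() returns
    }
    return $x;
}
```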
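Review bot: In the team_members.php hunk, `if ($sort_by)` tests PHP truthiness, so `?sort_by=0` and `?sort_by=` are treated as absent and silently fall back to `expavg_credit`, while every other unlisted value now aborts through sanitize_sort_by(); the two paths disagree on what an invalid value means. If get_str() returns null for a missing optional argument (it is defined outside this diff), `if ($sort_by !== null && $sort_by !== '')` restricts the fallback to a genuinely missing parameter and lets the allowlist judge everything else. This is also a behaviour change from the removed strip_tags() path, which accepted any string: existing links using another sort key will now get an error page instead of the default order, which is worth stating in the commit description.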
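Review bot: In the top_hosts.php hunk the context line `return BoincHost::enum(null, "order by $sort_order limit $offset, $hosts_per_page");` interpolates `$sort_order` straight into the query, and the new sanitize_sort_by() call is the only thing standing between the request parameter and that clause, assuming `$sort_order` is derived from `$sort_by` inside get_top_hosts(), whose body starts above the hunk. That dependency is invisible at the point where the parameter is read; a comment there would stop a later edit from reintroducing a silent default, e.g. `// $sort_by must be allowlisted here: get_top_hosts() builds an unescaped ORDER BY from it.` The removed switch quietly ordered by expavg_credit on an unknown value, so the error_page() outcome is a deliberate tightening that the comment should also mention.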
@@ -47,13 +47,11 @@ function get_top_teams($offset, $sort_by, $type){
 return BoincTeam::enum($type_clause, "order by $sort_order limit $offset, $teams_per_page");
 }
 
-$sort_by = get_str("sort_by", true);
-switch ($sort_by) {
-case "total_credit":
-case "expavg_credit":
- break;
-default:
- $sort_by = "expavg_credit";
+$sort_by = get_str('sort_by', true);
+if ($sort_by) {
+ sanitize_sort_by($sort_by);
+} else {
+ $sort_by = 'expavg_credit';
 }
 
 $type = get_int("type", true);
diff --git a/html/user/top_users.php b/html/user/top_users.php
index e3df1f88719..cf73a5a9344 100644
--- a/html/user/top_users.php
+++ b/html/user/top_users.php
@@ -72,13 +72,11 @@ function show_user_row($user, $i) {
 ";
 }
 
-$sort_by = get_str("sort_by", true);
-switch ($sort_by) {
-case "total_credit":
-case "expavg_credit":
- break;
-default:
- $sort_by = "expavg_credit";
+$sort_by = get_str('sort_by', true);
+if ($sort_by) {
+ sanitize_sort_by($sort_by);
+} else {
+ $sort_by = 'expavg_credit';
 }
 
 $offset = get_int("offset", true);
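Review bot: The five-line read/validate/default block added in the top_teams.php hunk is repeated verbatim in team_members.php, top_hosts.php and top_users.php in this same commit, with the default `'expavg_credit'` hard-coded at each site. As a point of style, since sanitize_sort_by() is new in util.inc here, it could take the default and return the value, leaving each caller with one line: `$sort_by = sanitize_sort_by(get_str('sort_by', true), 'expavg_credit');`. The helper would return the default when the argument is null or empty, return the argument when it is one of the two allowed names, and call error_page() otherwise, so the allowlist and the fallback live in one place. The body of get_top_teams() shown in the context starts outside the hunk.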
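Review bot: A point of style in the top_users.php hunk: the added lines switch `get_str` and the default to single quotes, while the identical block in the team_members.php hunk of this commit keeps double quotes (`get_str("sort_by", true)`, `"expavg_credit"`) and the next context line here is `$offset = get_int("offset", true);`. Four copies of the same block in one commit should share one quoting convention; either form is fine for these literals since nothing is interpolated. show_user_row() above the change ends outside the hunk.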