diff --git a/ChangeLog b/ChangeLog
index 66599fe2a..64c894389 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,7 @@ $Source$
     * main.php, libraries/select_server.lib.php,
       libraries/auth/cookie.auth.lib.php: Escape verbose server name (bug
       #1362671).
+    * index.php: Avoid XSS on HTTP_HOST.
 
 2005-11-20 Marc Delisle  <lem9@users.sourceforge.net>
     ### 2.7.0-rc1 released
diff --git a/index.php b/index.php
index f7a0a1d13..d09f5101a 100644
--- a/index.php
+++ b/index.php
@@ -129,7 +129,7 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
 <head>
 <link rel="icon" href="./favicon.ico" type="image/x-icon" />
 <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
-<title>phpMyAdmin <?php echo PMA_VERSION; ?> - <?php echo $HTTP_HOST; ?></title>
+<title>phpMyAdmin <?php echo PMA_VERSION; ?> - <?php echo htmlspecialchars($HTTP_HOST); ?></title>
 <meta http-equiv="Content-Type"
     content="text/html; charset=<?php echo $GLOBALS['charset']; ?>" />
 <script type="text/javascript" language="javascript">
@@ -164,4 +164,4 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
         </body>
     </noframes>
 </frameset>
-</html>
\ No newline at end of file
+</html>