XSS fixes

tbl_tracking.php

@@ -473,8 +473,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
         ?>
                 <tr class="noclick <?php echo $style; ?>">
                     <td><small><?php echo $i; ?></small></td>
-                    <td><small><?php echo $entry['date']; ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['date']); ?></small></td>
-                    <td><small><?php echo $entry['username']; ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
                     <td><?php echo $statement; ?></td>
                 </tr>
         <?php
@@ -507,10 +507,10 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
     ?>
     </form>
     <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
-    <input type="hidden" name="logtype" value="<?php echo $_REQUEST['logtype'];?>" />
+    <input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" />
-    <input type="hidden" name="date_from" value="<?php echo $_REQUEST['date_from'];?>" />
+    <input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" />
-    <input type="hidden" name="date_to" value="<?php echo $_REQUEST['date_to'];?>" />
+    <input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" />
-    <input type="hidden" name="users" value="<?php echo $_REQUEST['users'];?>" />
+    <input type="hidden" name="users" value="<?php echo htmlspecialchars($_REQUEST['users']);?>" />
     <?php
     echo "<br/>" . sprintf(__('Export as %s'), $str_export1) . $str_export2 . "<br/>";
     ?>