diff --git a/ChangeLog b/ChangeLog
index 350b7ab29..d4d4f1bf4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,10 @@
 phpMyAdmin - ChangeLog
 ======================
+3.4.3.2 (2011-07-XX)
+- [security] Fixed XSS vulnerability, see PMASA-2011-9
+- [security] Fixed local file inclusion vulnerability, see PMASA-2011-10
+
 3.4.3.1 (2011-07-02)
 - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5
 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6
diff --git a/sql.php b/sql.php
index 9b19174a4..eb9254ffd 100644
--- a/sql.php
+++ b/sql.php
@@ -719,7 +719,7 @@ if (0 == $num_rows || $is_affected) {
 parse_str($_REQUEST['transform_fields_list'], $edited_values);
 foreach($mime_map as $transformation) {
- $include_file = $transformation['transformation'];
+ $include_file = PMA_securePath($transformation['transformation']);
 $column_name = $transformation['column_name'];
 $column_data = $edited_values[$column_name];
diff --git a/tbl_printview.php b/tbl_printview.php
index 74b6818e4..ce007d163 100644
--- a/tbl_printview.php
+++ b/tbl_printview.php
@@ -69,7 +69,7 @@ if ($multi_tables) {
 $tbl_list .= (empty($tbl_list) ? '' : ', ') . PMA_backquote($table);
 }
- echo ''. __('Show tables') . ': ' . $tbl_list . '' . "\n";
+ echo ''. __('Show tables') . ': ' . htmlspecialchars($tbl_list) . '' . "\n";
 echo '
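Review bot: The added line in sql.php only passes the stored transformation name through PMA_securePath() — presumably a path-normalising helper that strips `..` segments — but the value still originates in `$mime_map`, which this hunk does not show being validated, and `$include_file` is later used as an include name outside the hunk; a cleanup-style sanitiser is a denylist and is easy to bypass or misconfigure. A stronger fix is to accept only a plain transformation file name and confirm it actually exists in the directory the loop includes from before using it, e.g. `if (!preg_match('/^[A-Za-z0-9_]+\.inc\.php$/', $include_file) || !is_file('./libraries/transformations/' . $include_file)) { continue; }` (adjust the directory to whatever the later include uses). Note also that `$edited_values[$column_name]` on the last context line is read without an `isset()` guard, so a request whose `transform_fields_list` omits a column produces a notice rather than a clean skip. The enclosing `foreach` and the `if` it sits in both begin before this hunk and end after it.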