diff --git a/ChangeLog b/ChangeLog
index 0b6c41f0d..d0e4435c2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@ $HeadURL$
 2006-11-17 Michal Čihař  <michal@cihar.com>
     * sql.php, libraries/display_tbl.lib.php: Force pos to be integer to avoid
       XSS.
+    * navigation.php: Fix XSS on table comment.
 
 2006-11-16 Marc Delisle  <lem9@users.sourceforge.net>
     * pmd_pdf.php: export coordinates to PDF page even if the tables
diff --git a/navigation.php b/navigation.php
index c6360a17f..5d3692fcb 100644
--- a/navigation.php
+++ b/navigation.php
@@ -557,8 +557,8 @@ function PMA_displayTableList($tables, $visible = false,
             }
             echo ' id="icon_' . htmlspecialchars($table_db . '.' . $table['Name']) . '"'
                 .' width="10" height="10" alt="' . $GLOBALS['strBrowse'] . '" /></a>' . "\n"
-                .'<a href="' . $href . '" title="' . $table['Comment']
-                .' (' . PMA_formatNumber($table['Rows'], 0) . ' ' . $GLOBALS['strRows'] . ')"'
+                .'<a href="' . $href . '" title="' . htmlspecialchars($table['Comment']
+                .' (' . PMA_formatNumber($table['Rows'], 0) . ' ' . $GLOBALS['strRows']) . ')"'
                 .' id="' . htmlspecialchars($table_db . '.' . $table['Name']) . '">'
                 . htmlspecialchars($table['disp_name']) . '</a>';
             echo '</li>' . "\n";