diff --git a/ChangeLog b/ChangeLog
index 6074c5f0e..144ffa03a 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,8 @@ $Source$
 2006-06-28 Marc Delisle
 	* libraries/Config.class.php: remove debug code
+	* libraries/common.lib.php: escape allowed parameters from non-token
+	  requests
 
 2006-06-27 Michal Čihař
 	* libraries/import/csv.php: Fix special case of Excel export with ; at the
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 564a0b2b3..b59ec9ba9 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -2808,6 +2808,9 @@ if (!isset($_REQUEST['token']) || $_SESSION['PMA_token'] != $_REQUEST['token'])
             unset($_GET[$key]);
             unset($_POST[$key]);
             unset($GLOBALS[$key]);
+        } else {
+            // allowed stuff could be compromised so escape it
+            $_REQUEST[$key] = htmlspecialchars($_REQUEST[$key]);
         }
     }
 }
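Review bot: The new `else` branch escapes only `$_REQUEST[$key]`, while the `if` branch above it clears `$_GET`, `$_POST` and `$GLOBALS` as well, so any code that reads the allowed parameter through `$_GET[$key]`, `$_POST[$key]` or the register_globals copy still receives the raw, unescaped value and the new escaping is trivially sidestepped. The call is also unguarded for non-string values: if an allowed key can arrive as an array (`key[]=...`), `htmlspecialchars()` emits a warning and returns null on PHP of this era (a TypeError on current PHP), silently turning the parameter into null. Applying HTML escaping at input time also rewrites the value for every later use, not just HTML output; if these allowed parameters are also used as identifiers or in URLs (I cannot see the key list from this hunk), a value containing `&`, `"` or `<` will no longer match what the user sent, and with the default flags single quotes are not escaped at all, so escape-on-output remains necessary. The enclosing `foreach` and the `if (!isset($_REQUEST['token']) ...)` block start outside the hunk, so the key list itself is not visible here. A guarded version that mirrors the `if` branch would look like the following.
```php
        } elseif (is_string($_REQUEST[$key])) {
            // allowed stuff could be compromised so escape it in every
            // superglobal the if-branch above clears, not just $_REQUEST
            $_REQUEST[$key] = htmlspecialchars($_REQUEST[$key]);
            if (isset($_GET[$key]) && is_string($_GET[$key])) {
                $_GET[$key] = htmlspecialchars($_GET[$key]);
            }
            if (isset($_POST[$key]) && is_string($_POST[$key])) {
                $_POST[$key] = htmlspecialchars($_POST[$key]);
            }
            if (isset($GLOBALS[$key]) && is_string($GLOBALS[$key])) {
                $GLOBALS[$key] = htmlspecialchars($GLOBALS[$key]);
            }
        }
        // … unchanged: closing braces of the foreach and the token check …
```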