diff --git a/ChangeLog b/ChangeLog
index a81818fc8..e1ad9cf53 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 - bug #1807923 [login] Login with html entities in password fails
 - [core] Undefined variable when creating a table that exists
 
+2.11.1.1 (not yet released)
+- bug #1810629 [setup] XSS in setup.php
+
 2.11.1.0 (2007-09-20)
 
 - bug #1783667 [export] NO_AUTO_VALUE_ON_ZERO and MySQL version 
diff --git a/scripts/setup.php b/scripts/setup.php
index 4fe497154..ee723523d 100644
--- a/scripts/setup.php
+++ b/scripts/setup.php
@@ -1951,7 +1951,10 @@ switch ($action) {
             if (empty($_SERVER['REQUEST_URI']) || empty($_SERVER['HTTP_HOST'])) {
                 $redir = '';
             } else {
-                $redir = ' If your server is also configured to accept HTTPS request follow <a href="https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '">this link</a> to use secure connection.';
+                $redir = ' If your server is also configured to accept HTTPS request'
+                    . ' follow <a href="https://'
+                    . htmlspecialchars($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
+                    . '">this link</a> to use secure connection.';
             }
             message('warning', 'You are not using secure connection, all data (including sensitive, like passwords) are transfered unencrypted!' . $redir, 'Not secure connection');
         }