diff --git a/ChangeLog b/ChangeLog
index 5099cede3..cd91dcadb 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@ phpMyAdmin - Changelog
 $Id$ $Source$ +2003-06-25 Michal Cihar + * libraries/sqlparser.lib.php3: Fixed XSS problem. + 2003-06-24 Marc Delisle * sql.php3, bug 759568, row count, DISTINCT and MySQL 4
diff --git a/libraries/sqlparser.lib.php3 b/libraries/sqlparser.lib.php3
index 484237146..7864e49a7 100644
--- a/libraries/sqlparser.lib.php3
+++ b/libraries/sqlparser.lib.php3
@@ -131,7 +131,7 @@ if (!defined('PMA_SQP_LIB_INCLUDED')) {
 $SQP_errorString = '

'.$GLOBALS['strSQLParserUserError'] . '

' . "\n" . '
' . "\n"
                 . 'ERROR: ' . $message . "\n"
-                . 'SQL: ' . $sql .  "\n"
+                . 'SQL: ' . htmlspecialchars($sql) .  "\n"
                 . '
' . "\n";
 /*
@@ -162,7 +162,7 @@ if (!defined('PMA_SQP_LIB_INCLUDED')) {
 $debugstr .= 'PMA: ' . PMA_VERSION . "\n";
 $debugstr .= 'PHP VER,OS: ' . PMA_PHP_STR_VERSION . ' ' . PHP_OS . "\n";
 $debugstr .= 'LANG: ' . $GLOBALS['lang'] . "\n";
- $debugstr .= 'SQL: ' . $sql;
+ $debugstr .= 'SQL: ' . htmlspecials($sql);
 $encodedstr = $debugstr;
 if (PMA_PHP_INT_VERSION >= 40001 && @function_exists('gzcompress')) {
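Review bot: `$message` on the context line `'ERROR: ' . $message . "\n"` is still concatenated into the HTML error string unescaped, while the adjacent `$sql` one line below now goes through htmlspecialchars(), so the fix only holds if every caller passes a fixed literal; if any parser error message is built from the offending input (a token or an excerpt around the error position), the same XSS remains one line above the change. Unless all call sites are known to pass literals, that line should read `. 'ERROR: ' . htmlspecialchars($message) . "\n"`. A minor caveat: htmlspecialchars() without ENT_QUOTES leaves single quotes intact, which is acceptable for element text content as here but would not be if this string were ever placed inside an attribute. The enclosing function begins before the hunk, so where `$message` originates is not visible from here.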
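Review bot: `htmlspecials()` on the added line `$debugstr .= 'SQL: ' . htmlspecials($sql);` is not a PHP function, so the first time this path runs PHP will abort with a fatal "Call to undefined function" error instead of producing the debug string; it looks like a typo for the `htmlspecialchars($sql)` used in the first hunk and should be corrected to that. Separately, the following context lines copy `$debugstr` into `$encodedstr` and appear to gzcompress it, which suggests the string is packed for a bug report rather than echoed as HTML; if it is never rendered raw the escaping is harmless but unnecessary, and if it is rendered raw then `PMA_VERSION`, `PHP_OS` and in particular `$GLOBALS['lang']` (which may be user-selectable) on the context lines are emitted unescaped as well. The enclosing function starts before the hunk.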