diff --git a/ChangeLog b/ChangeLog
index 36a9e0aca..7c40e9db9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,11 @@ phpMyAdmin - ChangeLog
 - [interface] Avoid showing the password in phpinfo()'s output
 - bug #3441572 [GUI] 'newer version of phpMyAdmin' message not shown in IE8
 - bug #3407235 [interface] Entering the key through a lookup window does not reset NULL
+- [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
+- [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
+- [security] Self-XSS on column type (Create index), see PMASA-2011-18
+- [security] Self-XSS on column type (table Search), see PMASA-2011-18
+- [security] Self-XSS on invalid query (table overview), see PMASA-2011-18
 
 3.4.7.1 (2011-11-10)
 - [security] Fixed possible local file inclusion in XML import
diff --git a/js/db_operations.js b/js/db_operations.js
index b0536942c..ad3963535 100644
--- a/js/db_operations.js
+++ b/js/db_operations.js
@@ -32,7 +32,7 @@ $(document).ready(function() {
 
         var $form = $(this);
 
-        var question = 'CREATE DATABASE ' + $('#new_db_name').val() + ' / DROP DATABASE ' + window.parent.db;
+        var question = escapeHtml('CREATE DATABASE ' + $('#new_db_name').val() + ' / DROP DATABASE ' + window.parent.db);
 
         PMA_prepareForAjaxRequest($form);
         /**
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index ad382663a..caeeee200 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -1059,13 +1059,10 @@ function PMA_showMessage($message, $sql_query = null, $type = 'notice', $is_view
         } else {
             // Parse SQL if needed
             $parsed_sql = PMA_SQP_parse($query_base);
-            if (PMA_SQP_isError()) {
-                unset($parsed_sql);
-            }
         }
 
         // Analyze it
-        if (isset($parsed_sql)) {
+        if (isset($parsed_sql) && ! PMA_SQP_isError()) {
             $analyzed_display_query = PMA_SQP_analyze($parsed_sql);
             // Here we append the LIMIT added for navigation, to
             // enable its display. Adding it higher in the code
diff --git a/libraries/server_synchronize.lib.php b/libraries/server_synchronize.lib.php
index c1b9159a7..53ad9d788 100644
--- a/libraries/server_synchronize.lib.php
+++ b/libraries/server_synchronize.lib.php
@@ -1335,7 +1335,7 @@ function PMA_syncDisplayHeaderSource($src_db) {
 
     echo '<table id="serverstatusconnections" class="data" width="55%">';
     echo '<tr>';
-    echo '<th>' . __('Source database') . ':  ' . $src_db . '<br />(';
+    echo '<th>' . __('Source database') . ':  ' . htmlspecialchars($src_db) . '<br />(';
     if ('cur' == $_SESSION['src_type']) {
         echo __('Current server');
     } else {
@@ -1358,7 +1358,7 @@ function PMA_syncDisplayHeaderSource($src_db) {
 function PMA_syncDisplayHeaderTargetAndMatchingTables($trg_db, $matching_tables) {
     echo '<table id="serverstatusconnections" class="data" width="43%">';
     echo '<tr>';
-    echo '<th>' . __('Target database') . ':  '. $trg_db . '<br />(';
+    echo '<th>' . __('Target database') . ':  '. htmlspecialchars($trg_db) . '<br />(';
     if ('cur' == $_SESSION['trg_type']) {
         echo __('Current server');
     } else {
diff --git a/tbl_indexes.php b/tbl_indexes.php
index 54923a0f8..ac3238721 100644
--- a/tbl_indexes.php
+++ b/tbl_indexes.php
@@ -200,7 +200,7 @@ foreach ($index->getColumns() as $column) {
          || preg_match('/(char|text)/i', $field_type)) {
             echo '<option value="' . htmlspecialchars($field_name) . '"'
                  . (($field_name == $column->getName()) ? ' selected="selected"' : '') . '>'
-                 . htmlspecialchars($field_name) . ' [' . $field_type . ']'
+                 . htmlspecialchars($field_name) . ' [' . htmlspecialchars($field_type) . ']'
                  . '</option>' . "\n";
         }
     } // end foreach $fields
@@ -222,7 +222,7 @@ for ($i = 0; $i < $add_fields; $i++) {
     <?php
     foreach ($fields as $field_name => $field_type) {
         echo '<option value="' . htmlspecialchars($field_name) . '">'
-             . htmlspecialchars($field_name) . ' [' . $field_type . ']'
+             . htmlspecialchars($field_name) . ' [' . htmlspecialchars($field_type) . ']'
              . '</option>' . "\n";
     } // end foreach $fields
     ?>
diff --git a/tbl_select.php b/tbl_select.php
index 2cb008629..841422292 100644
--- a/tbl_select.php
+++ b/tbl_select.php
@@ -124,7 +124,7 @@ if (!isset($param) || $param[0] == '') {
         ?>
         <tr class="noclick <?php echo $odd_row ? 'odd' : 'even'; $odd_row = ! $odd_row; ?>">
             <th><?php echo htmlspecialchars($fields_list[$i]); ?></th>
-            <td><?php echo $fields_type[$i]; ?></td>
+            <td><?php echo htmlspecialchars($fields_type[$i]); ?></td>
             <td><?php echo $fields_collation[$i]; ?></td>
             <td><select name="func[]">
         <?php
@@ -190,7 +190,7 @@ if (!isset($param) || $param[0] == '') {
             <?php
         } elseif (strncasecmp($fields_type[$i], 'enum', 4) == 0) {
             // e n u m s
-            $enum_value=explode(', ', str_replace("'", '', substr($fields_type[$i], 5, -1)));
+            $enum_value=explode(', ', str_replace("'", '', substr(htmlspecialchars($fields_type[$i]), 5, -1)));
             $cnt_enum_value = count($enum_value);
             echo '            <select name="fields[' . $i . '][]"'
                 .' multiple="multiple" size="' . min(3, $cnt_enum_value) . '">' . "\n";