--- phpmyadmin-2.9.1.1.orig/scripts/setup.php	2006-11-19 01:28:45.000000000 +0100
+++ phpmyadmin-2.9.1.1/scripts/setup.php	2007-11-07 14:44:58.000000000 +0100
@@ -1854,7 +1854,9 @@
             if (empty($_SERVER['REQUEST_URI']) || empty($_SERVER['HTTP_HOST'])) {
                 $redir = '';
             } else {
-                $redir = ' If your server is also configured to accept HTTPS request follow <a href="https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '">this link</a> to use secure connection.';
+                $redir = ' If your server is also configured to accept HTTPS request follow <a href="https://' .
+                    htmlspecialchars($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) .
+                    '">this link</a> to use secure connection.';
             }
             message('warning', 'You are not using secure connection, all data (including sensitive, like passwords) are transfered unencrypted!' . $redir, 'Not secure connection');
         }
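Review bot: The new `htmlspecialchars()` call on the `$redir` line relies on its default flags, which in PHP of this era escape double quotes but leave single quotes untouched. That is enough for the double-quoted `href` as written, but it ties the fix to the attribute's quoting style. Passing the flag explicitly, `htmlspecialchars($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], ENT_QUOTES) .`, keeps it safe if the markup is later changed. A short comment such as `// HTTP_HOST and REQUEST_URI are client-supplied; escape before embedding in HTML` would record why the call is there. The enclosing block and `message()` are defined outside this hunk, so it cannot be confirmed from here whether `message()` applies any further encoding of its own.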
