diff -Nur a/db_operations.php b/db_operations.php
--- a/db_operations.php	2006-11-19 01:28:45.000000000 +0100
+++ b/db_operations.php	2009-10-24 14:45:11.000000000 +0200
@@ -403,7 +403,7 @@
         <?php
         while ($pages = @PMA_DBI_fetch_assoc($test_rs)) {
             echo '                <option value="' . $pages['page_nr'] . '">'
-                . $pages['page_nr'] . ': ' . $pages['page_descr'] . '</option>' . "\n";
+                . $pages['page_nr'] . ': ' . htmlspecialchars($pages['page_descr']) . '</option>' . "\n";
         } // end while
         PMA_DBI_free_result($test_rs);
         unset($test_rs);
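Review bot: `$pages['page_nr']` is still written raw on the context line just above the change, both into `value="..."` and into the option text, so only half of each option is escaped. It is presumably a numeric key, but the output should not depend on the column type; passing it through the same call, `htmlspecialchars($pages['page_nr'])`, closes the gap. The same applies to `$curr_page['page_nr']` in the first pdf_pages.php hunk. The enclosing select and the query that fills `$test_rs` are outside this hunk.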
diff -Nur a/pdf_pages.php b/pdf_pages.php
--- a/pdf_pages.php	2006-11-19 01:28:45.000000000 +0100
+++ b/pdf_pages.php	2009-10-24 14:44:44.000000000 +0200
@@ -271,7 +271,7 @@
             if (isset($chpage) && $chpage == $curr_page['page_nr']) {
                 echo ' selected="selected"';
             }
-            echo '>' . $curr_page['page_nr'] . ': ' . $curr_page['page_descr'] . '</option>';
+            echo '>' . $curr_page['page_nr'] . ': ' . htmlspecialchars($curr_page['page_descr']) . '</option>';
         } // end while
         echo "\n";
         ?>
@@ -424,12 +424,12 @@
             echo "\n" . '        <td>'
                  . "\n" . '            <select name="c_table_' . $i . '[name]">';
             foreach ($selectboxall AS $key => $value) {
-                echo "\n" . '                <option value="' . $value . '"';
+                echo "\n" . '                <option value="' . htmlspecialchars($value) . '"';
                 if ($value == $sh_page['table_name']) {
                     echo ' selected="selected"';
                     $tabExist[$_mtab] = TRUE;
                 }
-                echo '>' . $value . '</option>';
+                echo '>' . htmlspecialchars($value) . '</option>';
             } // end while
             echo "\n" . '            </select>'
                  . "\n" . '        </td>';
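Review bot: The `htmlspecialchars($value)` call that feeds `value="..."` relies on the default flags, which on PHP versions before 8.1 escape double quotes but leave single quotes alone. That is sufficient only while the attribute stays double-quoted. Passing the flag explicitly, `htmlspecialchars($value, ENT_QUOTES)`, removes that coupling, and escaping once into a local that is reused for the attribute and the option text avoids the duplicate call. The comparison against `$sh_page['table_name']` correctly keeps using the raw `$value`. The same point applies to the next hunk (the second `c_table_` select) and to the `delrow[]` hidden input in the last hunk.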
@@ -457,7 +457,7 @@
         echo "\n" . '        <td>'
              . "\n" . '            <select name="c_table_' . $i . '[name]">';
         foreach ($selectboxall AS $key => $value) {
-            echo "\n" . '                <option value="' . $value . '">' . $value . '</option>';
+            echo "\n" . '                <option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($value) . '</option>';
         }
         echo "\n" . '            </select>'
              . "\n" . '        </td>';
@@ -488,8 +488,8 @@
     if (!empty($tabExist) && is_array($tabExist)) {
         foreach ($tabExist AS $key => $value) {
             if (!$value) {
-                $_strtrans  .= '<input type="hidden" name="delrow[]" value="' . $key . '" />' . "\n";
-                $_strname   .= '<li>' . $key . '</li>' . "\n";
+                $_strtrans  .= '<input type="hidden" name="delrow[]" value="' . htmlspecialchars($key) . '" />' . "\n";
+                $_strname   .= '<li>' . htmlspecialchars($key) . '</li>' . "\n";
                 $shoot       = TRUE;
             }
         }
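Review bot: The hidden `delrow[]` field sends `$key` back to the server, and escaping it here protects only the page markup. The browser submits the decoded original value, and the request can carry any value at all. The code that consumes `delrow` is outside this diff, so it should be confirmed that it quotes the value for SQL and checks it against the tables that belong to the page. A short comment above the assignment would record this, e.g. `// escaped for HTML output only; the delrow[] handler must validate and quote it`. The outer `if (!empty($tabExist) ...)` block closes outside the hunk.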
