diff --git a/phpgwapi/inc/class.html.inc.php b/phpgwapi/inc/class.html.inc.php
index edd0496137..2d1f3af4fc 100644
--- a/phpgwapi/inc/class.html.inc.php
+++ b/phpgwapi/inc/class.html.inc.php
@@ -130,8 +130,8 @@ class html
 		$str = @htmlspecialchars($str,ENT_COMPAT,$this->charset);
 		
 		// we need '&#' unchanged, so we translate it back
-		$str = str_replace('&amp;#','&#',$str);
-		
+		$str = str_replace(array('&amp;#','&amp;nbsp;','&amp;lt;','&amp;gt;'),array('&#','&nbsp;','&lt;','&gt;'),$str);
+
 		return $str;
 	}
 	
@@ -175,7 +175,7 @@ class html
 			{
 				$out .= ' selected="1"';
 			}
-			$out .= ">" . ($no_lang || $text == '' ? $text : lang($text)) . "</option>\n";
+			$out .= ">" . $this->htmlspecialchars($no_lang || $text == '' ? $text : lang($text)) . "</option>\n";
 		}
 		$out .= "</select>\n";
 		
@@ -707,4 +707,4 @@ htmlareaConfig_'.$id.'.editorURL = '."'$this->phpgwapi_js_url/htmlarea/';";
 		}
 		return $html;
 	}		
-}
\ No newline at end of file
+}
