diff --git a/phpgwapi/inc/class.html.inc.php b/phpgwapi/inc/class.html.inc.php
index 3326e4e15c..580663de89 100644
--- a/phpgwapi/inc/class.html.inc.php
+++ b/phpgwapi/inc/class.html.inc.php
@@ -130,7 +130,7 @@ class html
 $str = @htmlspecialchars($str,ENT_COMPAT,$this->charset);
 // we need '&#' unchanged, so we translate it back
- $str = str_replace('&#','&#',$str);
+ $str = str_replace(array('&#','&nbsp;','&lt;','&gt;'),array('&#',' ','<','>'),$str);
 return $str;
 }
@@ -176,7 +176,7 @@ class html
 {
 $out .= ' selected="1"';
 }
- $out .= ">" . ($no_lang || $text == '' ? $text : lang($text)) . "\n";
+ $out .= ">" . $this->htmlspecialchars($no_lang || $text == '' ? $text : lang($text)) . "\n";
 }
 $out .= "\n";
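Review bot: The added `str_replace` in the first hunk needs a comment and a test pinning exactly which sequences are translated back, because as displayed it maps `'&lt;'` and `'&gt;'` back to the literal angle brackets, which would undo the escaping done by `htmlspecialchars()` on the line above. The page rendering appears to have decoded entities once (the removed line reads as a no-op `'&#'` to `'&#'`), so the intent is probably to keep already-encoded entities from being double-encoded. If so, `@htmlspecialchars($str,ENT_COMPAT,$this->charset,false)` expresses that without a hand-maintained list, provided the supported PHP version has the `double_encode` argument. Either way the option label in the second hunk now depends on this wrapper for its escaping, so the translate-back list is security-relevant for every caller. The method's signature is outside the hunk.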