Escape HTMl output

diff --git a/includes/SpecialPreferences.php b/includes/SpecialPreferences.php
index 57f857b..8934793 100644 (file)
--- a/includes/SpecialPreferences.php
+++ b/includes/SpecialPreferences.php
@@ -526,7 +526,7 @@ class PreferencesForm {
                <legend>$timezone</legend>
                <div><b>$tzServerTime:</b> $nowserver</div>
                <div><b>$ltz:</b> $nowlocal</div>
-               <div><label>$tzo*: <input type='text' name=\"wpHourDiff\" value=\"{$this->mHourDiff}\" size='6' /></label></div>
+               <div><label>$tzo*: <input type='text' name=\"wpHourDiff\" value=\"" . htmlspecialchars( $this->mHourDiff ) . "\" size='6' /></label></div>
                <div><input type=\"button\" value=\"$tzGuess\" onclick=\"javascript:guessTimezone()\" id=\"guesstimezonebutton\" style=\"display:none\" /></div>
                <div class='prefsectiontip'>* {$tzt}</div>
        </fieldset>\n\n" );