--- nocc-0.9.5/functions.php.old	Sun Oct 20 00:12:34 2002
+++ nocc-0.9.5/functions.php	Sun Oct 20 00:27:12 2002
@@ -213,7 +213,7 @@
 		'body' => $glob_body,
 		'body_mime' => $tmp['mime'],
 		'body_transfer' => $tmp['transfer'],
-		'header' => $header,
+		'header' => htmlspecialchars($header),
 		'verbose' => $verbose,
 		'prev' => $prev_msg,
 		'next' => $next_msg
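Review bot: The added `htmlspecialchars($header)` on the `'header'` line relies on the default quote style, which leaves single quotes unescaped, so the value is still unsafe if the template ever places it inside a single-quoted attribute. Pass the quote style explicitly, `'header' => htmlspecialchars($header, ENT_QUOTES),`. Whether the header is rendered as element text or as an attribute value is not visible here, so the stricter flag is the safe default. The array literal this hunk belongs to starts and ends outside the hunk.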
@@ -444,6 +444,7 @@
 	}
 	elseif (eregi('plain', $mime))
 	{
+		$body = htmlspecialchars($body);
 		$body = eregi_replace("(http|https|ftp)://([a-zA-Z0-9+-=%&:_.~?]+[#a-zA-Z0-9+]*)","<a href=\"\\1://\\2\" target=\"_blank\">\\1://\\2</a>", $body);
 		$body = eregi_replace("([#a-zA-Z0-9+-._]*)@([#a-zA-Z0-9+-_]*)\.([a-zA-Z0-9+-_.]+[#a-zA-Z0-9+]*)","<a href=\"$PHP_SELF?action=write&amp;mail_to=\\1@\\2.\\3&amp;lang=$lang\">\\1@\\2.\\3</a>", $body);
 		$body = nl2br($body);
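Review bot: The escaping added at the top of the `plain` branch covers `$body` only, while `$PHP_SELF` and `$lang` on the mail-to replacement line are interpolated into the generated `href` attribute unescaped; `$PHP_SELF` is request-derived, and `$lang` appears to be too. They should be escaped for the attribute context once before the replacement, e.g. `$self = htmlspecialchars($PHP_SELF, ENT_QUOTES);` and `$lang_html = htmlspecialchars($lang, ENT_QUOTES);`, with the replacement string using those instead. The placement of the new line is right: escaping before the two `eregi_replace` calls means the generated anchors are the only markup left in `$body` when `nl2br` runs. The enclosing function starts and ends outside the hunk.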

