--- mailboxes/search_form.cgi.orig	2009-03-18 07:30:35.000000000 +0200
+++ mailboxes/search_form.cgi	2009-04-09 12:47:29.000000000 +0300
@@ -13,8 +13,8 @@
 
 # Start of form
 print &ui_form_start("mail_search.cgi");
-print &ui_hidden("user", $in{'user'});
-print &ui_hidden("ofolder", $in{'folder'});
+print &ui_hidden("user", &html_escape($in{'user'}));
+print &ui_hidden("ofolder", &html_escape($in{'folder'}));
 print &ui_table_start($text{'sform_header'}, "width=100%", 2);
 
 # And/or mode
@@ -54,7 +54,7 @@
 print &ui_table_end();
 print &ui_form_end([ [ undef, $text{'sform_ok'} ] ]);
 
-&ui_print_footer("list_mail.cgi?folder=$in{'folder'}&user=".
+&ui_print_footer("list_mail.cgi?folder=" . &urlize($in{'folder'}) . "&user=".
 		  &urlize($in{'user'}), $text{'mail_return'},
 		 "", $text{'index_return'});
 
