--- a/plugins/SpecialUserFuncs.php	Sat Dec 19 16:06:27 2009 -0500
+++ b/plugins/SpecialUserFuncs.php	Thu Jul 01 18:24:11 2010 -0400
@@ -1236,13 +1236,13 @@
                     {
                       echo ' selected="selected"';
                     }
-                    echo '>' . $t['theme_name'] . '</option>';
+                    echo '>' . htmlspecialchars($t['theme_name']) . '</option>';
                   }
                 }
                ?>
               </select>
             </p>
-            <p><input type="hidden" name="return_to" value="<?php echo $ret; ?>" />
+            <p><input type="hidden" name="return_to" value="<?php echo htmlspecialchars($ret); ?>" />
                <input type="submit" name="themeselected" value="<?php echo $lang->get('userfuncs_changetheme_btn_continue'); ?>" /></p>
           <?php } else { 
             $theme = $_POST['theme'];
@@ -1268,13 +1268,13 @@
                   } else die($dir.' is not a dir');
                   foreach ( $list as $l )
                   {
-                    echo '<option value="'.$l.'">'.capitalize_first_letter($l).'</option>';
+                    echo '<option value="'.$l.'">'.ucfirst($l).'</option>';
                   }
                 ?>
               </select>
             </p>
-            <p><input type="hidden" name="return_to" value="<?php echo $ret; ?>" />
-               <input type="hidden" name="theme" value="<?php echo $theme; ?>" />
+            <p><input type="hidden" name="return_to" value="<?php echo htmlspecialchars($ret); ?>" />
+               <input type="hidden" name="theme" value="<?php echo htmlspecialchars($theme); ?>" />
                <input type="submit" name="allclear" value="<?php echo $lang->get('userfuncs_changetheme_btn_allclear'); ?>" /></p>
           <?php } ?>
         </form>