diff -ur VERSION VERSION
--- VERSION	2015-02-24 12:01:05.000000000 -0800
+++ VERSION	2015-03-19 12:29:53.000000000 -0700
@@ -1 +1 @@
-2014-09-29c "Hrun"
+2014-09-29d "Hrun"
diff -ur doku.php doku.php
--- doku.php	2015-02-24 12:01:05.000000000 -0800
+++ doku.php	2015-03-19 12:29:53.000000000 -0700
@@ -9,7 +9,7 @@
  */
 
 // update message version
-$updateVersion = 46.3;
+$updateVersion = 46.4;
 
 //  xdebug_start_profiling();
 
diff -ur lib/plugins/usermanager/admin.php lib/plugins/usermanager/admin.php
--- lib/plugins/usermanager/admin.php	2015-02-24 12:01:05.000000000 -0800
+++ lib/plugins/usermanager/admin.php	2015-03-19 12:29:53.000000000 -0700
@@ -191,9 +191,9 @@
                  */
                 $groups = join(', ',$grps);
                 ptln("    <tr class=\"user_info\">");
-                ptln("      <td class=\"centeralign\"><input type=\"checkbox\" name=\"delete[".$user."]\" ".$delete_disable." /></td>");
+                ptln("      <td class=\"centeralign\"><input type=\"checkbox\" name=\"delete[".hsc($user)."]\" ".$delete_disable." /></td>");
                 if ($editable) {
-                    ptln("    <td><a href=\"".wl($ID,array('fn[edit]['.hsc($user).']' => 1,
+                    ptln("    <td><a href=\"".wl($ID,array('fn[edit]['.$user.']' => 1,
                                                            'do' => 'admin',
                                                            'page' => 'usermanager',
                                                            'sectok' => getSecurityToken())).
@@ -325,7 +325,7 @@
 
         // save current $user, we need this to access details if the name is changed
         if ($user)
-          ptln("          <input type=\"hidden\" name=\"userid_old\"  value=\"".$user."\" />",$indent);
+          ptln("          <input type=\"hidden\" name=\"userid_old\"  value=\"".hsc($user)."\" />",$indent);
 
         $this->_htmlFilterSettings($indent+10);
 
@@ -370,6 +370,7 @@
             $fieldtype = 'text';
             $autocomp  = '';
         }
+        $value = hsc($value);
 
         echo "<tr $class>";
         echo "<td><label for=\"$id\" >$label: </label></td>";
