diff --git a/features/http-auth.xml b/features/http-auth.xml
index 2126b1b5ef..7f10c0d8ec 100644
--- a/features/http-auth.xml
+++ b/features/http-auth.xml
@@ -198,11 +198,11 @@ if (!isset($_SERVER['PHP_AUTH_USER']) ||
     ($_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER'])) {
     authenticate();
 } else {
-    echo "<p>Welcome: {$_SERVER['PHP_AUTH_USER']}<br />";
-    echo "Old: {$_REQUEST['OldAuth']}";
-    echo "<form action='{$_SERVER['PHP_SELF']}' METHOD='post'>\n";
+    echo "<p>Welcome: " . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "<br />";
+    echo "Old: " . htmlspecialchars($_REQUEST['OldAuth']);
+    echo "<form action='' method='post'>\n";
     echo "<input type='hidden' name='SeenBefore' value='1' />\n";
-    echo "<input type='hidden' name='OldAuth' value='{$_SERVER['PHP_AUTH_USER']}' />\n";
+    echo "<input type='hidden' name='OldAuth' value=\"" . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . "\" />\n";
     echo "<input type='submit' value='Re Authenticate' />\n";
     echo "</form></p>\n";
 }