diff --git a/lam/templates/3rdParty/pla/htdocs/add_value_form.php b/lam/templates/3rdParty/pla/htdocs/add_value_form.php
index 02d5fe83..66d9757d 100644
--- a/lam/templates/3rdParty/pla/htdocs/add_value_form.php
+++ b/lam/templates/3rdParty/pla/htdocs/add_value_form.php
@@ -34,7 +34,7 @@ if ($request['attribute']->isReadOnly())
# Render the form
if (! strcasecmp($request['attr'],'objectclass') || get_request('meth','REQUEST') != 'ajax') {
# Render the form.
- $request['page']->drawTitle(sprintf(_('Add new %s value to %s'),$request['attr'],get_rdn($request['dn'])));
+ $request['page']->drawTitle(sprintf(_('Add new %s value to %s'), htmlspecialchars($request['attr']),htmlspecialchars(get_rdn($request['dn']))));
$request['page']->drawSubTitle();
if (! strcasecmp($request['attr'],'objectclass')) {
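Review bot: The two `htmlspecialchars()` calls added to the `drawTitle()` argument rely on the function's default flags and charset, which depend on the PHP version. Before PHP 8.1 the default is `ENT_COMPAT`, so single quotes are left unescaped and an invalid byte sequence makes the call return an empty string. Passing the flags explicitly gives the same escaping on every runtime, e.g. `htmlspecialchars($request['attr'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and likewise for `get_rdn($request['dn'])`. The enclosing `if` block continues past the end of the hunk, so it is not visible here whether other places that print `$request['attr']` or the DN are escaped the same way; they are worth checking in the same change.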