diff --git a/lam/templates/3rdParty/pla/htdocs/add_value_form.php b/lam/templates/3rdParty/pla/htdocs/add_value_form.php
index 02d5fe83..66d9757d 100644
--- a/lam/templates/3rdParty/pla/htdocs/add_value_form.php
+++ b/lam/templates/3rdParty/pla/htdocs/add_value_form.php
@@ -34,7 +34,7 @@ if ($request['attribute']->isReadOnly())
 # Render the form
 if (! strcasecmp($request['attr'],'objectclass') || get_request('meth','REQUEST') != 'ajax') {
 # Render the form.
- $request['page']->drawTitle(sprintf(_('Add new %s value to %s'),$request['attr'],get_rdn($request['dn'])));
+ $request['page']->drawTitle(sprintf(_('Add new %s value to %s'), htmlspecialchars($request['attr']),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 if (! strcasecmp($request['attr'],'objectclass')) {
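Review bot: The two `htmlspecialchars()` calls added on the `drawTitle()` line rely on the default flags and charset, which differ by PHP version: before 8.1 the default is `ENT_COMPAT` without `ENT_SUBSTITUTE`, so single quotes are left unescaped and a value containing invalid UTF-8 comes back as an empty string. Passing them explicitly keeps the output identical on every runtime, e.g. `htmlspecialchars($request['attr'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the same for `get_rdn($request['dn'])`. Escaping the arguments before `sprintf()` rather than the finished string is the right order, since the translated format string stays untouched. The `if` block continues past the end of the hunk, so whether later output of `$request['attr']` or the DN in this file is escaped cannot be confirmed from here and is worth checking in the same change.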