diff -u info2html-2.0-orig/info2html info2html-2.0/info2html
--- info2html-2.0-orig/info2html	2006-09-01 14:55:13.000000000 +0200
+++ info2html-2.0/info2html	2006-09-01 15:05:41.000000000 +0200
@@ -42,7 +42,7 @@
 
 use CGI;
 $ENV{'REQUEST_METHOD'} or
- print "Note: I'm really supposed to be run as a CGI!\n";
+ print "Note: I'm really supposed to be run as a CGI\!\n";
 
 #-- patterns
 $NODEBORDER    = '\037\014?';      #-- delimiter of an info node
@@ -62,7 +62,7 @@
 #---------------------------------------------------------
 # Don't reveal where we're looking... --jonh 5/20/97 (and reapplied 5/4/1998)
 sub DieFileNotFound{
-  local($FileName) = @_;
+  local($FileName) = &XssEscape(@_);
   #-- TEXT : error message if a file could not be opened
   print <<"EOF";
 <html><head><title>Info Files  - Error Message</title>
@@ -104,6 +104,28 @@
 }
 
 #----------------------------------------------------------
+#                   XssEscape
+#----------------------------------------------------------
+sub XssEscape {
+  local($Tag) = @_;
+  #-- output escaping is required to protect browser
+  #   against `cross site' and `cross frame scripting'
+
+  $Tag =~ s/&/&amp;/gs;		# ampersand
+  $Tag =~ s/#/&#35;/gs;
+  $Tag =~ s/;/&#59;/gs;
+  $Tag =~ s/[\000-\037\177-\237]/&iquest;/gs; # "ctrl" codes 0-31 and 127-159
+  $Tag =~ s/</&lt;/gs;		# less-than symbol
+  $Tag =~ s/>/&gt;/gs;		# greater-than symbol
+  $Tag =~ s/"/&quot;/gs;	# double quote
+  $Tag =~ s/\240/&nbsp;/gs;	# non-breaking space
+  $Tag =~ s/\255/&shy;/gs;	# soft hyphen
+				# the rest is interpreted
+				# as ISO 8859-1
+  $Tag;
+}
+
+#----------------------------------------------------------
 #                   ParsHeaderToken
 #----------------------------------------------------------
 # Parses the heaer line of an info node for a specific 
@@ -493,6 +515,8 @@
 #----------------------------------------------------------
 sub ReplyNotFoundMessage{
   local($FileName,$Tag) = @_;
+  $FileName = &XssEscape($FileName);
+  $Tag      = &XssEscape($Tag);
   print <<"EOF";
 <html><head><title>Info Files  -  Error Message</title>
 $BOTS_STAY_AWAY
Only in info2html-2.0: info2html.orig
Only in info2html-2.0: info2html.rej