Index: /home/sogabe/public_html/mantis/core/print_api.php
===================================================================
--- /home/sogabe/public_html/mantis/core/print_api.php	(revision 131)
+++ /home/sogabe/public_html/mantis/core/print_api.php	(working copy)
@@ -302,7 +302,7 @@
 	function print_tag_input( $p_bug_id = 0, $p_string="" ) {
 		?>
 		<input type="hidden" id="tag_separator" value="<?php echo config_get( 'tag_separator' ) ?>" />
-		<input type="text" name="tag_string" id="tag_string" size="40" value="<?php echo $p_string ?>" />
+		<input type="text" name="tag_string" id="tag_string" size="40" value="<?php echo string_attribute( $p_string ) ?>" />
 		<select <?php echo helper_get_tab_index() ?> name="tag_select" id="tag_select">
 			<?php print_tag_option_list( $p_bug_id ); ?>
 		</select>
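Review bot: The `tag_separator` value echoed into the hidden input two lines above the changed line is still written raw into an attribute, while the new line now escapes `$p_string`; the same wrap belongs there: `value="<?php echo string_attribute( config_get( 'tag_separator' ) ) ?>"`. The config value is admin-controlled rather than user input, so the exposure is lower, but escaping every attribute in this helper the same way avoids a gap if the separator is ever made per-project or user-editable. print_tag_input's body continues past the end of the hunk.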
Index: /home/sogabe/public_html/mantis/tag_attach.php
===================================================================
--- /home/sogabe/public_html/mantis/tag_attach.php	(revision 130)
+++ /home/sogabe/public_html/mantis/tag_attach.php	(working copy)
@@ -76,7 +76,7 @@
 			}
 			$t_tag_string .= $t_tag_row['name'];
 		}
-
+		
 		foreach( $t_tags_failed as $t_tag_row ) {
 			echo '<tr ',helper_alternate_class(),'>';
 			if ( -1 == $t_tag_row['id'] ) {
@@ -84,7 +84,7 @@
 			} elseif ( -2 == $t_tag_row['id'] ) {
 				echo '<td class="category">',lang_get( 'tag_create_denied' ),'</td>';
 			}
-			echo '<td>',$t_tag_row['name'],'</td></tr>';
+			echo '<td>',string_html_specialchars( $t_tag_row['name'] ),'</td></tr>';
 			
 			if ( "" != $t_tag_string ) {
 				$t_tag_string .= config_get( 'tag_separator' );
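Review bot: The failed-tag row prints its category cell only when `id` is -1 or -2 (the `if`/`elseif` pair above the changed line has no `else`), so any other sentinel value would render a row missing its first `<td>`; an `else` echoing `'<td class="category"></td>'` (or a generic `lang_get` message) would keep the table shape. The escaping change itself is the right sink for a table cell. The raw name is still appended to `$t_tag_string` below, which is correct only if that string is re-emitted through an escaping sink such as print_tag_input — its consumer is outside this hunk, so I cannot confirm it. The enclosing foreach starts before the hunk.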
@@ -91,7 +91,7 @@
 			}
 			$t_tag_string .= $t_tag_row['name'];
 		}
-?>
+?> 
 	<tr class="spacer"><td colspan="2"></td></tr>
 	<tr <?php echo helper_alternate_class() ?>>
 	<td class="category"><?php echo lang_get( 'tag_attach_long' ) ?></td>
Index: /home/sogabe/public_html/mantis/tag_update_page.php
===================================================================
--- /home/sogabe/public_html/mantis/tag_update_page.php	(revision 130)
+++ /home/sogabe/public_html/mantis/tag_update_page.php	(working copy)
@@ -75,7 +75,7 @@
 			if ( access_has_global_level( config_get( 'tag_edit_threshold' ) ) ) {
 				if ( ON == config_get( 'use_javascript' ) ) {
 					$t_username = prepare_user_name( $t_tag_row['user_id'] );
-					echo ajax_click_to_edit( $t_username, 'user_id', 'entrypoint=user_combobox&user_id=' . $t_tag_row['user_id'] . '&access_level=' . config_get( 'tag_create_threshold' ) );
+					echo ajax_click_to_edit( $t_username, 'user_id', 'entrypoint=user_combobox&amp;user_id=' . $t_tag_row['user_id'] . '&amp;access_level=' . config_get( 'tag_create_threshold' ) );
 				} else {
 					echo '<select ', helper_get_tab_index(), ' name="user_id">';
 					print_user_option_list( $t_tag_row['user_id'], ALL_PROJECTS, config_get( 'tag_create_threshold' ) );
@@ -98,7 +98,7 @@
 <tr <?php echo helper_alternate_class() ?>>
 	<td class="category"><?php echo lang_get( 'tag_description' ) ?></td>
 	<td colspan="4">
-		<textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo $t_tag_row['description'] ?></textarea>
+		<textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo string_textarea( $t_tag_row['description'] ) ?></textarea>
 	</td>
 </tr>
 
Index: /home/sogabe/public_html/mantis/tag_view_page.php
===================================================================
--- /home/sogabe/public_html/mantis/tag_view_page.php	(revision 130)
+++ /home/sogabe/public_html/mantis/tag_view_page.php	(working copy)
@@ -50,7 +50,7 @@
 
 	</td>
 	<td class="right" colspan="3">
-		<?php print_bracket_link( 'search.php?hide_status_id=90&tag_string='.urlencode($t_tag_row['name']), sprintf( lang_get( 'tag_filter_default' ), tag_stats_attached( $f_tag_id ) ) ); ?>
+		<?php print_bracket_link( 'search.php?hide_status_id=90&amp;tag_string='.urlencode($t_tag_row['name']), sprintf( lang_get( 'tag_filter_default' ), tag_stats_attached( $f_tag_id ) ) ); ?>
 	</td>
 </tr>
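Review bot: `hide_status_id=90` on the changed line hard-codes a status value that is repeated further down the same file in a second search link; giving it one name — `$t_hide_status = 90; // presumably the closed status, confirm` or the project's status constant/config if one exists — keeps the two links from drifting apart. The `&amp;` correction is right for an href attribute, and the tag name is already url-encoded.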
 
@@ -98,7 +98,7 @@
 			echo ( $i > 0 ? '<tr '.helper_alternate_class().'>' : '' );
 			echo "<td><a href='tag_view_page.php?tag_id=$t_tag[id]' title='$t_description'>$t_name</a></td>\n";
 			echo '<td colspan="3">';
-			print_bracket_link( 'search.php?hide_status_id=90&tag_string='.urlencode("+$t_tag_row[name]".config_get('tag_separator')."+$t_name"), sprintf( lang_get( 'tag_related_issues' ), $t_tag['count'] ) );
+			print_bracket_link( 'search.php?hide_status_id=90&amp;tag_string='.urlencode("+$t_tag_row[name]".config_get('tag_separator')."+$t_name"), sprintf( lang_get( 'tag_related_issues' ), $t_tag['count'] ) );
 			echo '</a></td></tr>';
 			
 			$i++;
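Review bot: The `echo '</a></td></tr>';` after the print_bracket_link call closes an anchor that was already closed on the `<td><a ...>$t_name</a></td>` line three lines earlier, so every row emits a stray `</a>` (print_bracket_link presumably writes its own complete link); it should read `echo '</td></tr>';`. On that same earlier line `$t_tag[id]`, `$t_description` and `$t_name` are interpolated raw into an href, a `title` attribute and element text; they are assigned before this hunk, so if they are not already passed through `string_attribute`/`string_display_line` there, this is the same class of issue the commit fixes elsewhere, and casting the id with `(int)` is cheap either way. The loop body starts before the hunk.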
