Index: admin/shipping_options.php
diff -u admin/shipping_options.php:1.30.2.12 admin/shipping_options.php:1.30.2.13
--- admin/shipping_options.php:1.30.2.12	Thu Sep 25 11:04:49 2008
+++ admin/shipping_options.php	Fri Oct  3 18:01:28 2008
@@ -53,6 +53,8 @@
 	$xml_contact_fields = array();
 	$xml_address_fields = array();
 
+	$userinfo = array_map("htmlspecialchars",$userinfo);
+
 	if (!empty($userinfo['company_name']))
 		$xml_contact_fields[] = "<CompanyName>{$userinfo['company_name']}</CompanyName>";