diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index f925acef2c305399c4cccce3ad9ca1e4057e57d5..a58e3c6cf68450b197e069c754d4a33b2d0377de 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,16 @@
 // $Id$
-5--1.x-dev
-==========
+5--1.6
+======
+
+IMPORTANT : this release fixes two cross-site scripting (XSS) vulnerabilities
+in nodereference.module :
+- when a nodereference field is displayed using the 'plain' formatter
+- when a nodereference field is edited using the 'autocomplete text field' widget
+ (only when _not_ using the 'advanced options - Views.module' for the field)
+
+All sites using CCK / nodereference.module should consider upgrading to this release
+as soon as possible.
 Features
 --------
@@ -16,7 +25,7 @@ General
 Field / widget modules
 - #152892 Optionwidgets : Better help text for 'single on/off checkbox' widget label.
 - #65133 / #152016 Nodereference : Added 'full node' and 'teaser' formatters.
-- #126926 Skip node_load in noderef formatter.
+- #126926 Nodereference : Skip node_load in 'title'-based formatters.
 Bugfix
 ------
@@ -28,16 +37,17 @@ General
 - #157786 Fix capitalization on fieldgroup edit form.
 - #136229 Fieldgroup weights not correctly imported when using content_copy.module.
 - #149832 Use 'plain' format for views argument handler ($op = 'title').
-- Added whitespace after field labels on node display
+- #137900 Added whitespace after field labels on node display
 Field / widget modules
+- Nodereference : Fixed XSS vulnerabilities (missing check_plain's around node titles).
 - #147205 Nodereference : Fixed 'advanced settings - view arguments' not working.
 - #155327 Nodereference : Added missing "n." table aliases in 'referenceable nodes' query.
 - #153284 Nodereference : Fix unneeded and repeating {view_view} queries when 'advanced (Views) node selection' is *not* used.
 - #150297 Nodereference : Fix encoded raw htmlentities appearing in select widgets when using 'advanced (Views) node selection' is used.
-- #129016 Nodereference : Prevent possible errors when formatter gets called with non numeric 'nid'.
+- #129016 Nodereference : Prevent possible errors if formatter is called with non numeric 'nid'.
 5--1.5
 ======
diff --git a/nodereference.module b/nodereference.module
index 5e4ae8867a075f22ec5249b194b0dffa8a6efd8d..8085a6ae9badf41b703172327fe8fe6eda44a69a 100644
--- a/nodereference.module
+++ b/nodereference.module
@@ -97,13 +97,13 @@ function nodereference_field_settings($op, $field) {
 case 'filters':
 return array(
 'default' => array(
- 'list' => '_nodereference_filter_handler',
- 'list-type' => 'list',
- 'operator' => 'views_handler_operator_or',
- 'value-type' => 'array',
- 'extra' => array('field' => $field),
- ),
- );
+ 'list' => '_nodereference_filter_handler',
+ 'list-type' => 'list',
+ 'operator' => 'views_handler_operator_or',
+ 'value-type' => 'array',
+ 'extra' => array('field' => $field),
+ ),
+ );
 }
 }
@@ -199,7 +199,7 @@ function nodereference_field_formatter($field, $item, $formatter, $node) {
 return node_view($referenced_node, TRUE);
 case 'plain':
- return $titles[$item['nid']];
+ return check_plain($titles[$item['nid']]);
 default:
 return l($titles[$item['nid']], 'node/'. $item['nid']);
@@ -517,7 +517,7 @@ function theme_nodereference_item_advanced($item, $view) {
 }
 function theme_nodereference_item_simple($item) {
- return $item->node_title;
+ return check_plain($item->node_title);
 }
 /**
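Review bot: The 'plain' branch now escapes the title, but nothing in the code records why this branch needs check_plain() while the default branch right below it does not, so a later cleanup could drop it again as redundant. A one-line comment above the new return would anchor the fix: `// $titles holds unescaped node titles: the default branch leaves escaping to l(), 'plain' output never passes through l() and must escape here.` Where $titles is built is outside the hunk, so the "unescaped" part should be confirmed against the top of the function; nodereference_field_formatter's body starts and ends outside the hunk.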
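Review bot: check_plain() is added in theme_nodereference_item_simple, but the sibling theme_nodereference_item_advanced, whose body lies above the hunk and of which only the closing brace is visible, is left untouched; if it also returns a node title into the same markup it needs the same escaping, and if it is deliberately exempt (the CHANGELOG states the Views-based path was not affected) a short comment on it saying so would stop the next reader from re-filing the issue. Escaping inside a theme function is also only correct if no caller escapes the result again: #150297 in the CHANGELOG already records double-encoded entities in the select widgets, so the callers of this function (presumably the autocomplete output, which is outside the hunk) should be checked for a second check_plain() or htmlentities() on the returned string.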