diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 1dcb4ade7afb38d114bd986c3a5230d59bafd636..8f0c8a866788123663fbc1ccd19a5a0766b90a79 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 4.6.9, 2006-08-02
+------------------------
+- fixed security issue (XSS), see SA-2006-011
+
 Drupal 4.6.8, 2006-06-01
 ------------------------
 - fixed critical upload issue, see SA-2006-007
diff --git a/modules/user.module b/modules/user.module
index e7aa2a0b1675d4b28e4b8028e752541f0c0b8431..7cfd400b549d387f6b5894911385196872c4a18f 100644
--- a/modules/user.module
+++ b/modules/user.module
@@ -835,7 +835,7 @@ function user_login($edit = array(), $msg = '') {
 // Display login form:
 if ($msg) {
- $output .= "

$msg

";
+ $output .= '

'. check_plain($msg) .'

';
 }
 if (count(user_auth_help_links()) > 0) {
 $output .= form_textfield(t('Username'), 'name', $edit['name'], 30, 64, t('Enter your %s username, or an ID from one of our affiliates: %a.', array('%s' => variable_get('site_name', 'local'), '%a' => implode(', ', user_auth_help_links()))));
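Review bot: `user_login()` now escapes `$msg` on output, but that contract is undocumented, so a caller that passes pre-formatted markup (for example a translated string containing a link) will silently see it rendered as literal text. A one-line comment above the `if ($msg)` block would pin this down: `// $msg is treated as untrusted plain text and escaped here; callers must not pass HTML.` The `$edit['name']` value in the trailing context line reaches `form_textfield()` from the same parameter list, so it is worth confirming that this helper escapes its value argument as well; that cannot be told from this hunk. The element wrapping the message was lost in extraction, and the function body continues outside the hunk.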