diff --git a/ChangeLog b/ChangeLog
index ed20829b..9488f8d9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@
 * Changed the end-of-line encodings of all non-Windows-related and non-autogenerated text files to use UNIX LF (lots of them had mixed LF/CRLF).
+ * HTML escape the remotely retrieved version string printed to the HTML
+ in order to prevent and attacks (if this would have been possible at
+ all in 12 characters).
 2013-03-06 Andrew McMillan
 * Fix capitalisation of 'plpgsql' & 'sql' for Postgres 9.2. (debbug #702403)
diff --git a/debian/changelog b/debian/changelog
index 39b9e344..a417d403 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,6 @@
 davical (1.1.2-1) unstable; urgency=low
- * New upstream release (closes:#702403)
+ * New upstream release (closes:#702403, #703290)
 -- Andrew McMillan Wed, 01 May 2013 10:05:33 +1200
diff --git a/htdocs/setup.php b/htdocs/setup.php
index 54345f39..ac43670c 100644
--- a/htdocs/setup.php
+++ b/htdocs/setup.php
@@ -252,7 +252,7 @@ function check_davical_version() {
 $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string;
 $version_file = @fopen($url, 'r');
 if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
- $current_version = trim(fread( $version_file,12));
+ $current_version = htmlentities( trim(fread( $version_file,12)) );
 fclose($version_file);
 $result = new CheckResult($c->version_string == $current_version);
 if ( ! $result->getOK() ) {
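Review bot: The added `htmlentities()` call in check_davical_version() escapes with the default flags, so single quotes are left untouched and an invalid byte sequence in the 12 bytes read from the remote response makes the function return an empty string rather than an escaped one; the attribute context this value may later be printed into is not visible here. A safer form for the one changed line is `$current_version = htmlspecialchars( trim(fread( $version_file,12)), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );`. Note also that the escaped value feeds the `$c->version_string == $current_version` comparison on the following context line, so a local version string containing `&`, `<`, `>` or a quote would never compare equal; escaping at the point of output, and keeping the raw trimmed string for the comparison, would avoid that coupling, and a strict `===` there would rule out loose numeric-string comparison. The body of check_davical_version() continues outside the hunk.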