diff --git a/ChangeLog b/ChangeLog
index 5bcddfc20a99..ee2ee0846ed7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@ phpMyAdmin - ChangeLog
 4.0.4.2 (not released yet)
 - [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
 - [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
+- [security] Fix self-XSS in setup, trusted proxies validation, see PMASA-2013-9
 
 4.0.4.1 (2013-06-30)
 - [security] Global variables scope injection vulnerability (see PMASA-2013-7)
diff --git a/libraries/config/validate.lib.php b/libraries/config/validate.lib.php
index cd03b6bed99d..8c62013de625 100644
--- a/libraries/config/validate.lib.php
+++ b/libraries/config/validate.lib.php
@@ -432,7 +432,7 @@ function validate_trusted_proxies($path, $values)
 $matches = array();
 // we catch anything that may (or may not) be an IP
 if (!preg_match("/^(.+):(?:[ ]?)\\w+$/", $line, $matches)) {
- $result[$path][] = __('Incorrect value') . ': ' . $line;
+ $result[$path][] = __('Incorrect value') . ': ' . htmlspecialchars($line);
 continue;
 }
 // now let's check whether we really have an IP address
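Review bot: The added `htmlspecialchars($line)` in the "Incorrect value" branch relies on the function's default flags and charset, which differ between PHP versions; under the older `ENT_COMPAT` default a single quote in the rejected proxy line is left unescaped. Where this message is finally rendered is not visible in the hunk, so I would make the encoding explicit rather than depend on the runtime: `$result[$path][] = __('Incorrect value') . ': ' . htmlspecialchars($line, ENT_QUOTES);`, passing the page charset as the third argument as well if the project pins one. validate_trusted_proxies() starts and ends outside this hunk, so the later error messages built from `$line` or `$matches[1]` should be checked for the same encoding. A short comment above the line, e.g. `// $line is user-supplied; encode it before embedding it in the error message`, would record why the escape is there.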