Index: src/modules/standard/mod_imap.c

===================================================================

--- build-tree-apache/apache_1.3.34/src/modules/standard/mod_imap.c	(revision 330526)

+++ build-tree-apache/apache_1.3.34/src/modules/standard/mod_imap.c	(working copy)

@@ -328,7 +328,7 @@

     if (!strcasecmp(value, "referer")) {

         referer = ap_table_get(r->headers_in, "Referer");

         if (referer && *referer) {

-	    return ap_pstrdup(r->pool, referer);

+	    return ap_escape_html(r->pool, referer);

         }

         else {

 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus

Index: src/main/util.c

===================================================================

--- build-tree-apache/apache_1.3.34/src/main/util.c	(revision 330526)

+++ build-tree-apache/apache_1.3.34/src/main/util.c	(working copy)

@@ -1722,6 +1722,8 @@

 	    j += 3;

 	else if (s[i] == '&')

 	    j += 4;

+	else if (s[i] == '"')

+	    j += 5;

     if (j == 0)

 	return ap_pstrndup(p, s, i);

@@ -1740,6 +1742,10 @@

 	    memcpy(&x[j], "&", 5);

 	    j += 4;

 	}

+	else if (s[i] == '"') {

+	    memcpy(&x[j], """, 6);

+	    j += 5;

+	}

 	else

 	    x[j] = s[i];