--- patched/web/html/pkgedit.php	2007-09-07 23:24:08.000000000 -0400
+++ new/web/html/pkgedit.php	2007-09-07 22:25:17.000000000 -0400
@@ -73,7 +73,7 @@
 		$q = "INSERT INTO PackageComments ";
 		$q.= "(PackageID, UsersID, Comments, CommentTS) VALUES (";
 		$q.= intval($_REQUEST["ID"]).", ".uid_from_sid($_COOKIE["AURSID"]) . ", ";
-		$q.= "'".mysql_real_escape_string($_REQUEST["comment"])."', ";
+		$q.= "'".mysql_real_escape_string(htmlentities($_REQUEST["comment"],ENT_QUOTES))."', ";
 		$q.= "UNIX_TIMESTAMP())";
 		db_query($q, $dbh);
 		print __("Comment has been added.")."<br />&nbsp;<br />\n";
--- patched/web/lib/pkgfuncs.inc	2007-09-07 23:24:08.000000000 -0400
+++ new/web/lib/pkgfuncs.inc	2007-09-07 23:12:49.000000000 -0400
@@ -568,7 +568,8 @@
 					print "</span>";
 					print "<tr><td class='boxSoft'>";
 					print "<code>\n";
-					print str_replace("\n", "<br>", str_replace('"',"&quot;", htmlspecialchars(strip_tags(stripslashes($carr["Comments"])))));
+					//print str_replace("\n", "<br>", str_replace('"',"&quot;", htmlspecialchars(strip_tags(stripslashes($carr["Comments"])))));
+					print str_replace("\n", "<br>", $carr["Comments"]);
 					print "</code>\n";
 					print "</td></tr>\n";
 					print "</table>\n";