-<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= $pkgnum %>">
-<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= $pkg %>">
+<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= encode_entities($pkgnum) %>">
+<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= encode_entities($pkg) %>">