Index: src/modules/standard/mod_imap.c
===================================================================
--- src/modules/standard/mod_imap.c	(revision 330526)
+++ src/modules/standard/mod_imap.c	(working copy)
@@ -328,7 +328,7 @@
     if (!strcasecmp(value, "referer")) {
         referer = ap_table_get(r->headers_in, "Referer");
         if (referer && *referer) {
-	    return ap_pstrdup(r->pool, referer);
+	    return ap_escape_html(r->pool, referer);
         }
         else {
 	    /* XXX:  This used to do *value = '\0'; ... which is totally bogus
Index: src/main/util.c
===================================================================
--- src/main/util.c	(revision 330526)
+++ src/main/util.c	(working copy)
@@ -1722,6 +1722,8 @@
 	    j += 3;
 	else if (s[i] == '&')
 	    j += 4;
+	else if (s[i] == '"')
+	    j += 5;
 
     if (j == 0)
 	return ap_pstrndup(p, s, i);
@@ -1740,6 +1742,10 @@
 	    memcpy(&x[j], "&", 5);
 	    j += 4;
 	}
+	else if (s[i] == '"') {
+	    memcpy(&x[j], """, 6);
+	    j += 5;
+	}
 	else
 	    x[j] = s[i];