diff --git a/smarty.inc.php b/smarty.inc.php
index c1f7225d..d368da2d 100644
--- a/smarty.inc.php
+++ b/smarty.inc.php
@@ -1,7 +1,40 @@ sanitise($value);
+ /* we won't run the key through sanitise() here... some might argue we should */
+ return parent::assign($key, $clean);
+ }
+
+ /**
+ * Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset
+ *
+ * @param mixed $data - array or primitive type; objects not supported.
+ * @return mixed $data
+ * */
+ public function sanitise($data) {
+ if(!is_array($data)) {
+ return htmlentities($data, ENT_QUOTES, 'UTF-8');
+ }
+ if(is_array($data)) {
+ $clean = array();
+ foreach($data as $key => $value) {
+ /* as this is a nested data structure it's more likely we'll output the key too (at least in my opinion, so we'll sanitise it too */
+ $clean[$this->sanitise($key)] = $this->sanitise($value);
+ }
+ return $clean;
+ }
+ }
+}
+$smarty = new PFASmarty();
 //$smarty->debugging = true;
@@ -30,10 +63,11 @@ else {
 $motd_file = "motd.txt";
 }
-if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file))
- $smarty->assign ('motd_file', $motd_file);
+if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) {
+ $smarty->assign ('motd_file', $motd_file);
+}
-function select_options ($aValues, $aSelected)
+function select_options($aValues, $aSelected)
 {
 $ret_val = '';
 foreach ($aValues as $val)
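Review bot: `sanitise()` silently blanks any value that is not valid UTF-8, because `htmlentities($data, ENT_QUOTES, 'UTF-8')` without `ENT_SUBSTITUTE` returns an empty string for a malformed byte sequence, and for array input two different malformed keys then collapse into a single `''` key in `$clean`. If the host PHP is 5.4 or later, change the call to `return htmlentities($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` so bad bytes become U+FFFD rather than erasing the value. The encoding is also only correct for HTML text and quoted-attribute context — a value a template places inside a `<script>` block, a URL or an unquoted attribute still needs context-specific escaping, and a template that already applies `|escape` will double-encode — so the docblock should state it: `* NOTE: HTML-body/attribute escaping only; JS, URL and unquoted-attribute contexts still need their own escaping in the template.` Smarty's `assign()` also accepts an associative array as its first parameter, and the `assign_by_ref()`/`append()` entry points are not overridden here, so data assigned those ways appears to bypass this cleaning entirely; the start of the `assign()` override lies outside the hunk, so confirm the array form is handled there.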