Index: uc_realex.module
===================================================================
--- uc_realex.module	(revision 833)
+++ uc_realex.module	(working copy)
@@ -155,7 +155,7 @@
  * Process the Response send back from Realex once payment is completed
  */
 function uc_realex_complete() {
-  watchdog('uc_realex', t('Receiving new order notification for order !order_id.', array('!order_id' => check_plain($_POST['ORDER_ID']))));
+  watchdog('uc_realex', t('Receiving new order notification for order @order_id.', array('@order_id' => $_POST['ORDER_ID'])));
 
   /*
  Note:The below code is used to grab the fields Realex Payments POSTs back 
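Review bot: Wrapping the message in `t()` on the new watchdog line bypasses the log's own translation: watchdog stores the message and its variables separately and translates them at display time, so the idiomatic form is `watchdog('uc_realex', 'Receiving new order notification for order @order_id.', array('@order_id' => $_POST['ORDER_ID']));` — the `@` placeholder is still escaped by the formatter, so dropping `check_plain()` is fine. The same applies to the replaced watchdog call in the third hunk. `$_POST['ORDER_ID']` is read without an `isset()` guard, so a request that omits it raises an undefined-index notice before any validation runs; the rest of `uc_realex_complete()` lies outside the hunk, so this is hedged.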
@@ -169,14 +169,14 @@
 */
 
 
-  $timestamp  = $_POST['TIMESTAMP'];
-  $result     = $_POST['RESULT'];
-  $orderid    = $_POST['ORDER_ID'];
-  $message    = $_POST['MESSAGE'];
-  $authcode   = $_POST['AUTHCODE'];
-  $pasref     = $_POST['PASREF'];
-  $realexsha1 = $_POST['SHA1HASH'];
-  $batch      = $_POST['BATCHID'];
+  $timestamp  = check_plain($_POST['TIMESTAMP']);
+  $result     = check_plain($_POST['RESULT']);
+  $orderid    = check_plain($_POST['ORDER_ID']);
+  $message    = filter_xss($_POST['MESSAGE']);
+  $authcode   = check_plain($_POST['AUTHCODE']);
+  $pasref     = check_plain($_POST['PASREF']);
+  $realexsha1 = check_plain($_POST['SHA1HASH']);
+  $batch      = check_plain($_POST['BATCHID']);
   $uc_cart_id = check_plain($_POST['uc_cart_id']);
   // -------------------------------------------------------------
   //Replace these with the values you receive from Realex Payments.If you have not yet received these values please contact us.
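Review bot: Escaping the POSTed fields at ingestion alters the data the hash check depends on: `check_plain()` and `filter_xss()` rewrite characters such as `&`, `<`, `>` and quotes, so if `$sha1hash` (computed outside this hunk) is derived from `$timestamp`, `$orderid`, `$result`, `$message`, `$pasref` and `$authcode`, a legitimate response whose MESSAGE contains one of those characters no longer reproduces the digest Realex computed over the raw values and is rejected as unauthenticated. Output escaping belongs where a value is rendered, not where it is read; keep the raw values for hash verification (`$message = $_POST['MESSAGE'];`) and apply `check_plain()` only in the `drupal_set_message()`/`watchdog()` calls that display them. `check_plain()` on `$realexsha1` and `$batch` is harmless but adds no protection either, since those values are only compared and stored, not rendered. None of the fields is guarded with `isset()`, so a partial POST emits notices; the enclosing function continues past the hunk.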
@@ -196,7 +196,7 @@
 
   //Check to see if hashes match or not
   if ($sha1hash != $realexsha1) {
-    watchdog('uc_realex', t('Hash match failed for order !order_id.', array('!order_id' => check_plain($_POST['ORDER_ID']))));
+    watchdog('uc_realex', t('Hash match failed for order @order_id.', array('@order_id' => $_POST['ORDER_ID'])));
     drupal_set_message("hashes don't match - response not authenticated!");
   }
 
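Review bot: The hash comparison on the unchanged line `if ($sha1hash != $realexsha1)` uses loose inequality, and on a mismatch the branch only logs and sets a message without leaving the function, so unless a return follows outside the hunk the order continues to be processed as if it were authenticated. Compare the hex digests with strict inequality — `if ($sha1hash !== $realexsha1) {` — because `!=` treats numeric-looking strings as numbers, and end the handler once the mismatch is recorded (`return;` after `drupal_set_message()`, or whatever failure path the function uses). The user-facing string on the `drupal_set_message()` line is not wrapped in `t()`, unlike the watchdog message above it. The rest of `uc_realex_complete()` lies outside the hunk.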
