Index: wp-admin/admin-functions.php
===================================================================
--- wp-admin/admin-functions.php	(revision 4936)
+++ wp-admin/admin-functions.php	(working copy)
@@ -1914,7 +1914,7 @@
 	if ( strstr( $size, 'g' ) )
 		$bytes = $size * 1024 * 1024 * 1024;
 ?>
-<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo $action ?>">
+<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo wp_specialchars( $action ); ?>">
 <p>
 <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?> )
 <input type="file" id="upload" name="import" size="25" />
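Review bot: The new escaping on the `action` attribute is incomplete for an attribute value: `wp_specialchars()` is called without its `$quotes` argument, and in this era of the function quotes are only converted when that argument is set, so a `"` inside `$action` would still break out of the double-quoted attribute. The call should be `action="<?php echo wp_specialchars( $action, true ); ?>"`, or `attribute_escape( $action )` if that helper exists at this revision. The same hunk also prints `$size` unescaped via `printf()` on the label line; whether that needs escaping depends on where `$size` is derived, which is outside the hunk. The enclosing function starts before this hunk.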

