bug 1138: Avoid double escaping of $_SESSION['_config']['OU'] and fix XSS