diff --git a/chrome/content/zotero/xpcom/utilities.js b/chrome/content/zotero/xpcom/utilities.js
index fd7ec0684..7a537fce6 100644
--- a/chrome/content/zotero/xpcom/utilities.js
+++ b/chrome/content/zotero/xpcom/utilities.js
@@ -903,7 +903,6 @@ Zotero.Utilities.HTTP = new function() {
 		xmlhttp.onreadystatechange = function() {
 			_stateChange(xmlhttp, callback);
 		};
-		xmlhttp.overrideMimeType("text/plain");
 		xmlhttp.send(null);
 		return xmlhttp;
 	}
@@ -973,7 +972,6 @@ Zotero.Utilities.HTTP = new function() {
 		};
 		
 		xmlhttp.send(body);
-		
 		return xmlhttp;
 	}
 	
diff --git a/chrome/content/zotero/xpcom/zotero.js b/chrome/content/zotero/xpcom/zotero.js
index b312bcd6b..224a00011 100644
--- a/chrome/content/zotero/xpcom/zotero.js
+++ b/chrome/content/zotero/xpcom/zotero.js
@@ -598,8 +598,17 @@ var Zotero = new function(){
 				}
 			}
 			
+			// Remove password in malformed XML messages
+			if (msg.category == 'malformed-xml') {
+				try {
+					// msg.message is read-only, so store separately
+					var altMessage = msg.message.replace(/(file: "https?:\/\/[^:]+:)([^@]+)(@[^"]+")/, "$1********$3");
+				}
+				catch (e) {}
+			}
+			
 			if (asStrings) {
-				errors.push(msg.message)
+				errors.push(altMessage ? altMessage : msg.message)
 			}
 			else {
 				errors.push(msg);