If you are referring to the XSS protection patch - Nov 30 2009...

Question 1:

/admin/index.php
Look for this existing block of code:

Code:
  while (!$customers->EOF) {
    echo '              <div class="row"><span class="left"><a href="' . zen_href_link(FILENAME_CUSTOMERS, 'search=' . $customers->fields['customers_lastname'] . '&origin=' . FILENAME_DEFAULT, 'NONSSL') . '" class="contentlink">'. $customers->fields['customers_firstname'] . ' ' . $customers->fields['customers_lastname'] . '</a></span><span class="rigth">' . "\n";
    echo zen_date_short($customers->fields['customers_info_date_account_created']);
    echo '              </span></div>' . "\n";
    $customers->MoveNext();
  }
Replace existing block of code with this new block of code (note that the lines in red are the only new lines being added):

Code:
  while (!$customers->EOF) {
  	        $customers->fields['customers_firstname'] = zen_output_string_protected($customers->fields['customers_firstname']);
	        $customers->fields['customers_lastname'] = zen_output_string_protected($customers->fields['customers_lastname']);
    echo '              <div class="row"><span class="left"><a href="' . zen_href_link(FILENAME_CUSTOMERS, 'search=' . $customers->fields['customers_lastname'] . '&origin=' . FILENAME_DEFAULT, 'NONSSL') . '" class="contentlink">'. $customers->fields['customers_firstname'] . ' ' . $customers->fields['customers_lastname'] . '</a></span><span class="rigth">' . "\n";
    echo zen_date_short($customers->fields['customers_info_date_account_created']);
    echo '              </span></div>' . "\n";
    $customers->MoveNext();
  }


Question 2:

You should have more lines in that file (unless it's been modified for some reason). Make sure you are editing the correct file. I checked the stock 1.3.8a files and the /admin/customers.php file has 1227 lines.

/admin/customers.php

Look for this existing block of code:

Code:
    default:
      if (isset($cInfo) && is_object($cInfo)) {
        $customers_orders = $db->Execute("select o.orders_id, o.date_purchased, o.order_total, o.currency, o.currency_value,
Replace with this new block of code (note the line in red is the only new line being added):
Code:
    default:
      if (isset($cInfo) && is_object($cInfo)) {
        if (isset($_GET['search'])) $_GET['search'] = zen_output_string_protected($_GET['search']);
	    $customers_orders = $db->Execute("select o.orders_id, o.date_purchased, o.order_total, o.currency, o.currency_value,