diff --git a/src/messenger/webim/b.php b/src/messenger/webim/b.php
index 5a886328..f83310a4 100644
--- a/src/messenger/webim/b.php
+++ b/src/messenger/webim/b.php
@@ -25,7 +25,7 @@ if($referer && isset($_SESSION['threadid'])) {
 	$link = connect();
 	$thread = thread_by_id_($_SESSION['threadid'], $link);
     if ($thread && $thread['istate'] != $state_closed) {
-        $msg = getstring2_("chat.client.visited.page", array($referer), $thread['locale']);
+        $msg = getstring2_("chat.client.visited.page", array($referer), $thread['locale'], true);
         post_message_($thread['threadid'], $kind_for_agent,$msg,$link);
     }
     mysql_close($link);
diff --git a/src/messenger/webim/client.php b/src/messenger/webim/client.php
index 8d6c1595..84f56e06 100644
--- a/src/messenger/webim/client.php
+++ b/src/messenger/webim/client.php
@@ -131,14 +131,14 @@ if( !isset($_GET['token']) || !isset($_GET['thread']) ) {
 		$_SESSION['threadid'] = $thread['threadid'];
 		
 		if( $referrer ) {
-			post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.came.from',array($referrer)),$link);
+			post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.came.from',array($referrer),true),$link);
 		}
-		post_message_($thread['threadid'],$kind_info,getstring('chat.wait'),$link);
+		post_message_($thread['threadid'],$kind_info,getstring('chat.wait', true),$link);
 		if($email) {
-			post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.visitor.email',array($email)),$link);
+			post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.visitor.email',array($email),true),$link);
 		}
 		if($info) {
-			post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.visitor.info',array($info)),$link);
+			post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.visitor.info',array($info),true),$link);
 		}
 		if($firstmessage) {
 			$postedid = post_message_($thread['threadid'],$kind_user,$firstmessage,$link,$visitor['name']);
diff --git a/src/messenger/webim/leavemessage.php b/src/messenger/webim/leavemessage.php
index f4bbb0bf..58c4dd5d 100644
--- a/src/messenger/webim/leavemessage.php
+++ b/src/messenger/webim/leavemessage.php
@@ -33,13 +33,13 @@ function store_message($name, $email, $info, $message,$groupid,$referrer) {
 	$link = connect();
 	$thread = create_thread($groupid,$name,$remoteHost,$referrer,$current_locale,$visitor['id'], $userbrowser,$state_left,$link);
 	if( $referrer ) {
-		post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.came.from',array($referrer)),$link);
+		post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.came.from',array($referrer),true),$link);
 	}
 	if($email) {
-		post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.visitor.email',array($email)),$link);
+		post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.visitor.email',array($email),true),$link);
 	}
 	if($info) {
-		post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.visitor.info',array($info)),$link);
+		post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.visitor.info',array($info),true),$link);
 	}
 	post_message_($thread['threadid'],$kind_user,$message,$link,$name);
 	mysql_close($link);
@@ -102,8 +102,8 @@ if(!locale_exists($message_locale)) {
 
 store_message($visitor_name, $email, $info, $message, $groupid, $referrer);
 
-$subject = getstring2_("leavemail.subject", array($visitor_name), $message_locale);
-$body = getstring2_("leavemail.body", array($visitor_name,$email,$message,$info ? "$info\n" : ""), $message_locale);
+$subject = getstring2_("leavemail.subject", array($visitor_name), $message_locale,true);
+$body = getstring2_("leavemail.body", array($visitor_name,$email,$message,$info ? "$info\n" : ""), $message_locale,true);
 
 if (isset($group) && !empty($group['vcemail'])) {
 	$inbox_mail = $group['vcemail'];
diff --git a/src/messenger/webim/libs/chat.php b/src/messenger/webim/libs/chat.php
index 0efdd9e9..039885b1 100644
--- a/src/messenger/webim/libs/chat.php
+++ b/src/messenger/webim/libs/chat.php
@@ -166,7 +166,7 @@ function print_thread_messages($thread, $token, $lastid, $isuser, $format, $agen
 		$output = get_messages($threadid, "xml", $isuser, $lastid);
 
 		start_xml_output();
-		print("<thread lastid=\"$lastid\" typing=\"" . $istyping . "\" canpost=\"" . (($isuser || $agentid != null && $agentid == $thread['agentId']) ? 1 : 0) . "\">");
+		print("<thread lastid=\"$lastid\" typing=\"" . htmlspecialchars($istyping) . "\" canpost=\"" . (($isuser || $agentid != null && $agentid == $thread['agentId']) ? 1 : 0) . "\">");
 		foreach ($output as $msg) {
 			print $msg;
 		}
@@ -176,13 +176,13 @@ function print_thread_messages($thread, $token, $lastid, $isuser, $format, $agen
 		$output = get_messages($threadid, "html", $isuser, $lastid);
 
 		start_html_output();
-		$url = "$webimroot/thread.php?act=refresh&amp;thread=$threadid&amp;token=$token&amp;html=on&amp;user=" . ($isuser ? "true" : "false");
+		$url = "$webimroot/thread.php?act=refresh&amp;thread=" . htmlspecialchars($threadid) . "&amp;token=" . htmlspecialchars($token) . "&amp;html=on&amp;user=" . ($isuser ? "true" : "false");
 
 		print(
 				"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">" .
 				"<html>\n<head>\n" .
 				"<link href=\"$webimroot/styles/default/chat.css\" rel=\"stylesheet\" type=\"text/css\">\n" .
-				"<meta http-equiv=\"Refresh\" content=\"" . $settings['updatefrequency_oldchat'] . "; URL=$url&amp;sn=11\">\n" .
+				"<meta http-equiv=\"Refresh\" content=\"" . htmlspecialchars($settings['updatefrequency_oldchat']) . "; URL=$url&amp;sn=11\">\n" .
 				"<meta http-equiv=\"Pragma\" content=\"no-cache\">\n" .
 				"<title>chat</title>\n" .
 				"</head>\n" .
@@ -290,9 +290,9 @@ function setup_logo()
 {
 	global $page, $settings;
 	loadsettings();
-	$page['ct.company.name'] = topage($settings['title']);
-	$page['ct.company.chatLogoURL'] = topage($settings['logo']);
-	$page['webimHost'] = topage($settings['hosturl']);
+	$page['ct.company.name'] = htmlspecialchars(topage($settings['title']));
+	$page['ct.company.chatLogoURL'] = htmlspecialchars(topage($settings['logo']));
+	$page['webimHost'] = htmlspecialchars(topage($settings['hosturl']));
 }
 
 function setup_leavemessage($name, $email, $message, $groupid, $groupname, $info, $referrer, $canshowcaptcha)
@@ -337,7 +337,7 @@ function setup_survey($name, $email, $groupid, $info, $referrer, $canshowcaptcha
 				$groupname .= " (offline)";
 			}
 			$isselected = $k['groupid'] == $groupid;
-			$val .= "<option value=\"" . $k['groupid'] . "\"" . ($isselected ? " selected=\"selected\"" : "") . ">$groupname</option>";
+			$val .= "<option value=\"" . htmlspecialchars($k['groupid']) . "\"" . ($isselected ? " selected=\"selected\"" : "") . ">" . htmlspecialchars($groupname) . "</option>";
 		}
 		$page['groups'] = $val;
 	}
@@ -359,11 +359,11 @@ function setup_chatview_for_user($thread, $level)
 	$page['displ1'] = $nameisset ? "none" : "inline";
 	$page['displ2'] = $nameisset ? "inline" : "none";
 	$page['level'] = $level;
-	$page['ct.chatThreadId'] = $thread['threadid'];
-	$page['ct.token'] = $thread['ltoken'];
+	$page['ct.chatThreadId'] = htmlspecialchars($thread['threadid']);
+	$page['ct.token'] = htmlspecialchars($thread['ltoken']);
 	$page['ct.user.name'] = htmlspecialchars(topage($thread['userName']));
 	$page['canChangeName'] = $settings['usercanchangename'] == "1";
-	$page['chat.title'] = topage($settings['chattitle']);
+	$page['chat.title'] = htmlspecialchars(topage($settings['chattitle']));
 
 	setup_logo();
 	if ($settings['sendmessagekey'] == 'enter') {
@@ -374,11 +374,11 @@ function setup_chatview_for_user($thread, $level)
 		$page['ignorectrl'] = 0;
 	}
 
-	$params = "thread=" . $thread['threadid'] . "&amp;token=" . $thread['ltoken'];
-	$page['mailLink'] = "$webimroot/client.php?" . $params . "&amp;level=$level&amp;act=mailthread";
+	$params = "thread=" . $thread['threadid'] . "&token=" . $thread['ltoken'];
+	$page['mailLink'] = htmlspecialchars("$webimroot/client.php?" . $params . "&level=$level&act=mailthread");
 
 	if ($settings['enablessl'] == "1" && !is_secure_request()) {
-		$page['sslLink'] = get_app_location(true, true) . "/client.php?" . $params . "&amp;level=$level";
+		$page['sslLink'] = htmlspecialchars(get_app_location(true, true) . "/client.php?" . $params . "&level=$level");
 	}
 
 	$page['isOpera95'] = is_agent_opera95();
@@ -420,10 +420,10 @@ function setup_chatview_for_operator($thread, $operator)
 	$page['agent'] = true;
 	$page['user'] = false;
 	$page['canpost'] = $thread['agentId'] == $operator['operatorid'];
-	$page['ct.chatThreadId'] = $thread['threadid'];
-	$page['ct.token'] = $thread['ltoken'];
+	$page['ct.chatThreadId'] = htmlspecialchars($thread['threadid']);
+	$page['ct.token'] = htmlspecialchars($thread['ltoken']);
 	$page['ct.user.name'] = htmlspecialchars(topage(get_user_name($thread['userName'], $thread['remote'], $thread['userid'])));
-	$page['chat.title'] = topage($settings['chattitle']);
+	$page['chat.title'] = htmlspecialchars(topage($settings['chattitle']));
 
 	setup_logo();
 	if ($settings['sendmessagekey'] == 'enter') {
@@ -435,20 +435,20 @@ function setup_chatview_for_operator($thread, $operator)
 	}
 
 	if ($settings['enablessl'] == "1" && !is_secure_request()) {
-		$page['sslLink'] = get_app_location(true, true) . "/operator/agent.php?thread=" . $thread['threadid'] . "&amp;token=" . $thread['ltoken'];
+		$page['sslLink'] = htmlspecialchars(get_app_location(true, true) . "/operator/agent.php?thread=" . $thread['threadid'] . "&token=" . $thread['ltoken']);
 	}
 	$page['isOpera95'] = is_agent_opera95();
 	$page['neediframesrc'] = needsFramesrc();
 	$page['historyParams'] = array("userid" => "" . $thread['userid']);
-	$page['historyParamsLink'] = add_params($webimroot . "/operator/userhistory.php", $page['historyParams']);
+	$page['historyParamsLink'] = htmlspecialchars(add_params($webimroot . "/operator/userhistory.php", $page['historyParams']));
 	$predefinedres = "";
 	$canned_messages = load_canned_messages($thread['locale'], $thread['groupid']);
 	foreach ($canned_messages as $answer) {
 		$predefinedres .= "<option>" . htmlspecialchars(topage($answer['vcvalue'])) . "</option>";
 	}
 	$page['predefinedAnswers'] = $predefinedres;
-	$params = "thread=" . $thread['threadid'] . "&amp;token=" . $thread['ltoken'];
-	$page['redirectLink'] = "$webimroot/operator/agent.php?" . $params . "&amp;act=redirect";
+	$params = "thread=" . $thread['threadid'] . "&token=" . $thread['ltoken'];
+	$page['redirectLink'] = htmlspecialchars("$webimroot/operator/agent.php?" . $params . "&act=redirect");
 
 	$page['namePostfix'] = "";
 	$page['frequency'] = $settings['updatefrequency_chat'];
@@ -527,7 +527,7 @@ function rename_user($thread, $newname)
 
 	if ($thread['userName'] != $newname) {
 		post_message_($thread['threadid'], $kind_events,
-					  getstring2_("chat.status.user.changedname", array($thread['userName'], $newname), $thread['locale']), $link);
+					  getstring2_("chat.status.user.changedname", array($thread['userName'], $newname), $thread['locale'], true), $link);
 	}
 	mysql_close($link);
 }
@@ -542,8 +542,8 @@ function close_thread($thread, $isuser)
 												'messageCount' => "(SELECT COUNT(*) FROM ${mysqlprefix}chatmessage WHERE ${mysqlprefix}chatmessage.threadid = t.threadid AND ikind = 1)"), $link);
 	}
 
-	$message = $isuser ? getstring2_("chat.status.user.left", array($thread['userName']), $thread['locale'])
-			: getstring2_("chat.status.operator.left", array($thread['agentName']), $thread['locale']);
+	$message = $isuser ? getstring2_("chat.status.user.left", array($thread['userName']), $thread['locale'], true)
+			: getstring2_("chat.status.operator.left", array($thread['agentName']), $thread['locale'], true);
 	post_message_($thread['threadid'], $kind_events, $message, $link);
 	mysql_close($link);
 }
@@ -642,7 +642,7 @@ function reopen_thread($threadid)
 					  array("istate" => $state_waiting, "nextagent" => 0), $link);
 	}
 
-	post_message_($thread['threadid'], $kind_events, getstring_("chat.status.user.reopenedthread", $thread['locale']), $link);
+	post_message_($thread['threadid'], $kind_events, getstring_("chat.status.user.reopenedthread", $thread['locale'], true), $link);
 	mysql_close($link);
 	return $thread;
 }
@@ -662,17 +662,17 @@ function take_thread($thread, $operator)
 
 		if ($state == $state_waiting) {
 			if ($operatorName != $thread['agentName']) {
-				$message_to_post = getstring2_("chat.status.operator.changed", array($operatorName, $thread['agentName']), $thread['locale']);
+				$message_to_post = getstring2_("chat.status.operator.changed", array($operatorName, $thread['agentName']), $thread['locale'], true);
 			} else {
-				$message_to_post = getstring2_("chat.status.operator.returned", array($operatorName), $thread['locale']);
+				$message_to_post = getstring2_("chat.status.operator.returned", array($operatorName), $thread['locale'], true);
 			}
 		} else {
-			$message_to_post = getstring2_("chat.status.operator.joined", array($operatorName), $thread['locale']);
+			$message_to_post = getstring2_("chat.status.operator.joined", array($operatorName), $thread['locale'], true);
 		}
 	} else if ($state == $state_chatting) {
 		if ($operator['operatorid'] != $thread['agentId']) {
 			do_take_thread($threadid, $operator['operatorid'], $operatorName);
-			$message_to_post = getstring2_("chat.status.operator.changed", array($operatorName, $thread['agentName']), $thread['locale']);
+			$message_to_post = getstring2_("chat.status.operator.changed", array($operatorName, $thread['agentName']), $thread['locale'], true);
 		}
 	} else {
 		die("cannot take thread");
@@ -693,9 +693,9 @@ function check_for_reassign($thread, $operator)
 		 || $thread['agentId'] == $operator['operatorid'])) {
 		do_take_thread($thread['threadid'], $operator['operatorid'], $operatorName);
 		if ($operatorName != $thread['agentName']) {
-			$message_to_post = getstring2_("chat.status.operator.changed", array($operatorName, $thread['agentName']), $thread['locale']);
+			$message_to_post = getstring2_("chat.status.operator.changed", array($operatorName, $thread['agentName']), $thread['locale'], true);
 		} else {
-			$message_to_post = getstring2_("chat.status.operator.returned", array($operatorName), $thread['locale']);
+			$message_to_post = getstring2_("chat.status.operator.returned", array($operatorName), $thread['locale'], true);
 		}
 
 		post_message($thread['threadid'], $kind_events, $message_to_post);
@@ -719,13 +719,13 @@ function notify_operators($thread, $firstmessage, $link)
 		$text = getstring2_("notify.new.text", array(
 													get_app_location(true, $settings['enablessl'] == '1' && $settings['forcessl'] == '1') . "/operator/agent.php?thread=" . $thread['threadid'],
 													$thread['userName']
-											   ), $thread['locale']);
+											   ), $thread['locale'], true);
 		if ($firstmessage) {
 			$text .= "\n$firstmessage";
 		}
 		foreach ($result as $op) {
 			if ($op['time'] < $settings['online_timeout'] && is_valid_email($op['vcjabbername'])) {
-				webim_xmpp($op['vcjabbername'], getstring2("notify.new.subject", array($thread['userName'])), $text, $link);
+				webim_xmpp($op['vcjabbername'], getstring2("notify.new.subject", array($thread['userName']), true), $text, $link);
 			}
 		}
 	}
diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index 4377efbd..b5396519 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@@ -59,7 +59,7 @@ function verifyparam($name, $regexp, $default = null)
 		if (isset($default))
 			return $default;
 	}
-	echo "<html><head></head><body>Wrong parameter used or absent: " . $name . "</body></html>";
+	echo "<html><head></head><body>Wrong parameter used or absent: " . htmlspecialchars($name) . "</body></html>";
 	exit;
 }
 
@@ -197,7 +197,7 @@ function getoutputenc()
 	return isset($output_encoding[$current_locale]) ? $output_encoding[$current_locale] : $webim_encoding;
 }
 
-function getstring_($text, $locale)
+function getstring_($text, $locale, $raw = false)
 {
 	global $messages;
 	if (!isset($messages[$locale]))
@@ -205,30 +205,33 @@ function getstring_($text, $locale)
 
 	$localized = $messages[$locale];
 	if (isset($localized[$text]))
-		return $localized[$text];
+		return $raw ? $localized[$text] : sanitize_string($localized[$text], 'low', 'moderate');
 	if ($locale != 'en') {
-		return getstring_($text, 'en');
+		return getstring_($text, 'en', $raw);
 	}
 
-	return "!" . $text;
+	return "!" . ($raw ? $text : sanitize_string($text, 'low', 'moderate'));
 }
 
-function getstring($text)
+function getstring($text, $raw = false)
 {
 	global $current_locale;
-	return getstring_($text, $current_locale);
+	$string = getstring_($text, $current_locale, true);
+	return $raw ? $string : sanitize_string($string, 'low', 'moderate');
 }
 
-function getlocal($text)
+function getlocal($text, $raw = false)
 {
 	global $current_locale, $webim_encoding;
-	return myiconv($webim_encoding, getoutputenc(), getstring_($text, $current_locale));
+	$string = myiconv($webim_encoding, getoutputenc(), getstring_($text, $current_locale), true);
+	return $raw ? $string : sanitize_string($string, 'low', 'moderate');
 }
 
-function getlocal_($text, $locale)
+function getlocal_($text, $locale, $raw = false)
 {
 	global $webim_encoding;
-	return myiconv($webim_encoding, getoutputenc(), getstring_($text, $locale));
+	$string = myiconv($webim_encoding, getoutputenc(), getstring_($text, $locale), true);
+	return $raw ? $string : sanitize_string($string, 'low', 'moderate');
 }
 
 function topage($text)
@@ -237,41 +240,42 @@ function topage($text)
 	return myiconv($webim_encoding, getoutputenc(), $text);
 }
 
-function getstring2_($text, $params, $locale)
+function getstring2_($text, $params, $locale, $raw = false)
 {
-	$string = getstring_($text, $locale);
+	$string = getstring_($text, $locale, true);
 	for ($i = 0; $i < count($params); $i++) {
 		$string = str_replace("{" . $i . "}", $params[$i], $string);
 	}
-	return $string;
+	return $raw ? $string : sanitize_string($string, 'low', 'moderate');
 }
 
-function getstring2($text, $params)
+function getstring2($text, $params, $raw = false)
 {
 	global $current_locale;
-	return getstring2_($text, $params, $current_locale);
+	$string = getstring2_($text, $params, $current_locale, true);
+	return $raw ? $string : sanitize_string($string, 'low', 'moderate');
 }
 
-function getlocal2($text, $params)
+function getlocal2($text, $params, $raw = false)
 {
 	global $current_locale, $webim_encoding;
-	$string = myiconv($webim_encoding, getoutputenc(), getstring_($text, $current_locale));
+	$string = myiconv($webim_encoding, getoutputenc(), getstring_($text, $current_locale, true));
 	for ($i = 0; $i < count($params); $i++) {
 		$string = str_replace("{" . $i . "}", $params[$i], $string);
 	}
-	return $string;
+	return $raw ? $string : sanitize_string($string, 'low', 'moderate');
 }
 
 /* prepares for Javascript string */
 function getlocalforJS($text, $params)
 {
 	global $current_locale, $webim_encoding;
-	$string = myiconv($webim_encoding, getoutputenc(), getstring_($text, $current_locale));
+	$string = myiconv($webim_encoding, getoutputenc(), getstring_($text, $current_locale, true));
 	$string = str_replace("\"", "\\\"", str_replace("\n", "\\n", $string));
 	for ($i = 0; $i < count($params); $i++) {
 		$string = str_replace("{" . $i . "}", $params[$i], $string);
 	}
-	return $string;
+	return sanitize_string($string, 'low', 'moderate');
 }
 
 /* ajax server actions use utf-8 */
@@ -450,7 +454,7 @@ function no_field($key)
 function failed_uploading_file($filename, $key)
 {
 	return getlocal2("errors.failed.uploading.file",
-		array($filename, getlocal($key)));
+		array(htmlspecialchars($filename), getlocal($key)));
 }
 
 function wrong_field($key)
@@ -469,8 +473,8 @@ function get_popup($href, $jshref, $message, $title, $wndName, $options)
 function get_image($href, $width, $height)
 {
 	if ($width != 0 && $height != 0)
-		return "<img src=\"$href\" border=\"0\" width=\"$width\" height=\"$height\" alt=\"\"/>";
-	return "<img src=\"$href\" border=\"0\" alt=\"\"/>";
+		return "<img src=\"" . htmlspecialchars($href) . "\" border=\"0\" width=\"" . htmlspecialchars($width) . "\" height=\"" . htmlspecialchars($height) . "\" alt=\"\"/>";
+	return "<img src=\"" . htmlspecialchars($href) . "\" border=\"0\" alt=\"\"/>";
 }
 
 function get_gifimage_size($filename)
@@ -730,4 +734,82 @@ function setcsrftoken()
 	}
 }
 
+/* simple HTML sanitation
+ *
+ * includes some code from the PHP Strip Attributes Class For XML and HTML
+ * Copyright 2009 David (semlabs.co.uk)
+ * Available under the MIT License.
+ *
+ * http://semlabs.co.uk/journal/php-strip-attributes-class-for-xml-and-html
+ *
+ */
+
+function sanitize_string($string, $tags_level = 'high', $attr_level = 'high')
+{
+	$sanitize_tags = array(
+		'high' => '',
+		'moderate' => '<span><em><strong><b><i><br>',
+		'low' => '<span><em><strong><b><i><br><p><ul><ol><li><a><font><style>'
+	);
+
+	$sanitize_attributes = array(
+		'high' => array(),
+		'moderate' => array('class', 'style', 'href', 'rel', 'id'),
+		'low' => false
+	);
+
+	$tags_level = array_key_exists($tags_level, $sanitize_tags) ? $tags_level : 'high';
+	$string = strip_tags($string, $sanitize_tags[$tags_level]);
+
+	$attr_level = array_key_exists($attr_level, $sanitize_attributes) ? $attr_level : 'high';
+	if ($sanitize_attributes[$attr_level]) {
+
+		preg_match_all("/<([^ !\/\>\n]+)([^>]*)>/i", $string, $elements);
+		foreach ($elements[1] as $key => $element) {
+			if ($elements[2][$key]) {
+
+				$new_attributes = '';
+				preg_match_all("/([^ =]+)\s*=\s*[\"|']{0,1}([^\"']*)[\"|']{0,1}/i", $elements[2][$key], $attributes );
+
+				if ($attributes[1]) {
+					foreach ($attributes[1] as $attr_key => $attr) {
+						if (in_array($attributes[1][$attr_key], $sanitize_attributes[$attr_level])) {
+							$new_attributes .= ' ' . $attributes[1][$attr_key] . '="' . $attributes[2][$attr_key] . '"';
+						}
+					}
+				}
+
+				$replacement = '<' . $elements[1][$key] . $new_attributes . '>';
+				$string = preg_replace( '/' . reg_escape($elements[0][$key]) . '/', $replacement, $string );
+
+			}
+		}
+
+	}
+
+	return $string;
+}
+
+function reg_escape ($string) {
+
+	$conversions = array(	"^" => "\^",
+				"[" => "\[",
+				"." => "\.",
+				"$" => "\$",
+				"{" => "\{",
+				"*" => "\*",
+				"(" => "\(",
+				"\\" => "\\\\",
+				"/" => "\/",
+				"+" => "\+",
+				")" => "\)",
+				"|" => "\|",
+				"?" => "\?",
+				"<" => "\<",
+				">" => "\>"
+	);
+
+	return strtr($string, $conversions);
+}
+
 ?>
diff --git a/src/messenger/webim/libs/demothread.php b/src/messenger/webim/libs/demothread.php
index 81ba0b9f..1b447a42 100644
--- a/src/messenger/webim/libs/demothread.php
+++ b/src/messenger/webim/libs/demothread.php
@@ -53,19 +53,19 @@ function demo_process_thread($act, $outformat, $lastid, $isuser, $canpost, $isty
 		if ($lastid == 1) {
 			demo_print_message(
 				array('ikind' => $kind_for_agent, 'created' => time() - 15, 'tname' => '',
-					 'tmessage' => getstring2('chat.came.from', array("http://google.com"))), $outformat);
+					 'tmessage' => getstring2('chat.came.from', array("http://google.com"), true)), $outformat);
 			demo_print_message(
 				array('ikind' => $kind_info, 'created' => time() - 15, 'tname' => '',
 					 'tmessage' => getstring('chat.wait')), $outformat);
 			demo_print_message(
 				array('ikind' => $kind_events, 'created' => time() - 10, 'tname' => '',
-					 'tmessage' => getstring2("chat.status.operator.joined", array("Administrator"))), $outformat);
+					 'tmessage' => getstring2("chat.status.operator.joined", array("Administrator"), true)), $outformat);
 			demo_print_message(
 				array('ikind' => $kind_agent, 'created' => time() - 9, 'tname' => 'Administrator',
-					 'tmessage' => getstring("demo.chat.welcome")), $outformat);
+					 'tmessage' => getstring("demo.chat.welcome"), true), $outformat);
 			demo_print_message(
 				array('ikind' => $kind_user, 'created' => time() - 5, 'tname' => getstring("chat.default.username"),
-					 'tmessage' => getstring("demo.chat.question")), $outformat);
+					 'tmessage' => getstring("demo.chat.question", true)), $outformat);
 			if ($canpost && $outformat == 'xml') {
 				demo_print_message(
 					array('ikind' => $kind_info, 'created' => time() - 5, 'tname' => '',
diff --git a/src/messenger/webim/libs/getcode.php b/src/messenger/webim/libs/getcode.php
index fe3ed4ba..8104a96e 100644
--- a/src/messenger/webim/libs/getcode.php
+++ b/src/messenger/webim/libs/getcode.php
@@ -36,9 +36,9 @@ function generate_button($title, $locale, $style, $group, $inner, $showhost, $fo
 		$link = append_query($link, "group=$group");
 
 	$modsecfix = $modsecurity ? ".replace('http://','').replace('https://','')" : "";
-	$jslink = append_query("'" . $link, "url='+escape(document.location.href$modsecfix)+'&amp;referrer='+escape(document.referrer$modsecfix)");
-	$temp = get_popup($link, "$jslink",
-					  $inner, $title, "webim", "toolbar=0,scrollbars=0,location=0,status=1,menubar=0,width=640,height=480,resizable=1");
+	$jslink = htmlspecialchars(append_query("'" . $link, "url='+escape(document.location.href$modsecfix)+'&referrer='+escape(document.referrer$modsecfix)"));
+	$temp = get_popup(htmlspecialchars($link), "$jslink",
+					  $inner, htmlspecialchars($title), "webim", "toolbar=0,scrollbars=0,location=0,status=1,menubar=0,width=640,height=480,resizable=1");
 	return "<!-- mibew button -->" . $temp . "<!-- / mibew button -->";
 }
 
diff --git a/src/messenger/webim/libs/operator.php b/src/messenger/webim/libs/operator.php
index 3c1b87be..55ffd40c 100755
--- a/src/messenger/webim/libs/operator.php
+++ b/src/messenger/webim/libs/operator.php
@@ -203,7 +203,7 @@ function append_query($link, $pv)
 {
 	$infix = '?';
 	if (strstr($link, $infix) !== FALSE)
-		$infix = '&amp;';
+		$infix = '&';
 	return "$link$infix$pv";
 }
 
@@ -305,8 +305,8 @@ function setup_redirect_links($threadid, $token)
 				)
 				: "";
 		$agent_list .= "<li><a href=\"" . add_params($webimroot . "/operator/redirect.php", $params) .
-					   "\" title=\"" . topage(get_operator_name($agent)) . "\">" .
-					   topage(get_operator_name($agent)) .
+					   "\" title=\"" . htmlspecialchars(topage(get_operator_name($agent))) . "\">" .
+					   htmlspecialchars(topage(get_operator_name($agent))) .
 					   "</a> $status</li>";
 	}
 	$page['redirectToAgent'] = $agent_list;
@@ -322,8 +322,8 @@ function setup_redirect_links($threadid, $token)
 							? getlocal("char.redirect.operator.away_suff")
 							: "");
 			$group_list .= "<li><a href=\"" . add_params($webimroot . "/operator/redirect.php", $params) .
-						   "\" title=\"" . topage(get_group_name($group)) . "\">" .
-						   topage(get_group_name($group)) .
+						   "\" title=\"" . htmlspecialchars(topage(get_group_name($group))) . "\">" .
+						   htmlspecialchars(topage(get_group_name($group))) .
 						   "</a> $status</li>";
 		}
 	}
diff --git a/src/messenger/webim/libs/pagination.php b/src/messenger/webim/libs/pagination.php
index cb16732f..68ed4b09 100644
--- a/src/messenger/webim/libs/pagination.php
+++ b/src/messenger/webim/libs/pagination.php
@@ -18,12 +18,12 @@
 $pagination_spacing = "&nbsp;&nbsp;&nbsp;";
 $links_on_page = 5;
 
-function generate_pagination_link($page, $title)
+function generate_pagination_link($page, $title, $raw = false)
 {
 	$lnk = $_SERVER['REQUEST_URI'];
 	$href = preg_replace("/\?page=\d+\&/", "?", preg_replace("/\&page=\d+/", "", $lnk));
 	$href .= strstr($href, "?") ? "&page=$page" : "?page=$page";
-	return "<a href=\"" . htmlspecialchars($href) . "\" class=\"pagelink\">$title</a>";
+	return "<a href=\"" . htmlspecialchars($href) . "\" class=\"pagelink\">" . ($raw ? $title : htmlspecialchars($title)) . "</a>";
 }
 
 function generate_pagination_image($id, $alt)
@@ -112,7 +112,7 @@ function generate_pagination($pagination, $bottom = true)
 		$maxPage = min($curr_page + $links_on_page, $pagination['total']);
 
 		if ($curr_page > 1) {
-			$result .= generate_pagination_link($curr_page - 1, generate_pagination_image("prevpage", getlocal("tag.pagination.previous"))) . $pagination_spacing;
+			$result .= generate_pagination_link($curr_page - 1, generate_pagination_image("prevpage", getlocal("tag.pagination.previous")), true) . $pagination_spacing;
 		}
 
 		for ($i = $minPage; $i <= $maxPage; $i++) {
@@ -126,7 +126,7 @@ function generate_pagination($pagination, $bottom = true)
 		}
 
 		if ($curr_page < $pagination['total']) {
-			$result .= $pagination_spacing . generate_pagination_link($curr_page + 1, generate_pagination_image("nextpage", getlocal("tag.pagination.next")));
+			$result .= $pagination_spacing . generate_pagination_link($curr_page + 1, generate_pagination_image("nextpage", getlocal("tag.pagination.next")), true);
 		}
 		$result .= "</div>";
 	}
diff --git a/src/messenger/webim/libs/userinfo.php b/src/messenger/webim/libs/userinfo.php
index 856edb0e..2080b4c9 100644
--- a/src/messenger/webim/libs/userinfo.php
+++ b/src/messenger/webim/libs/userinfo.php
@@ -50,7 +50,7 @@ function get_user_addr($addr)
 	global $settings;
 	if ($settings['geolink'] && preg_match("/(\\d+\\.\\d+\\.\\d+\\.\\d+)/", $addr, $matches)) {
 		$userip = $matches[1];
-		return get_popup(str_replace("{ip}", $userip, $settings['geolink']), '', htmlspecialchars($addr), "GeoLocation", "ip$userip", $settings['geolinkparams']);
+		return get_popup(htmlspecialchars(str_replace("{ip}", $userip, $settings['geolink'])), '', htmlspecialchars($addr), "GeoLocation", htmlspecialchars("ip$userip"), htmlspecialchars($settings['geolinkparams']));
 	}
 	return htmlspecialchars($addr);
 }
diff --git a/src/messenger/webim/mail.php b/src/messenger/webim/mail.php
index 7c774705..54df50bb 100644
--- a/src/messenger/webim/mail.php
+++ b/src/messenger/webim/mail.php
@@ -57,8 +57,8 @@ foreach( $output as $msg ) {
 	$history .= $msg;
 }
 
-$subject = getstring("mail.user.history.subject");
-$body = getstring2("mail.user.history.body", array($thread['userName'],$history) );
+$subject = getstring("mail.user.history.subject", true);
+$body = getstring2("mail.user.history.body", array($thread['userName'],$history), true);
 
 $link = connect();
 webim_mail($email, $webim_mailbox, $subject, $body, $link);
diff --git a/src/messenger/webim/operator/ban.php b/src/messenger/webim/operator/ban.php
index 8e201561..bdc798d3 100644
--- a/src/messenger/webim/operator/ban.php
+++ b/src/messenger/webim/operator/ban.php
@@ -52,7 +52,7 @@ if (isset($_POST['address'])) {
 
 	if ((!$banId && $existing_ban) ||
 		($banId && $existing_ban && $banId != $existing_ban['banid'])) {
-		$errors[] = getlocal2("ban.error.duplicate", array($address, $existing_ban['banid']));
+		$errors[] = getlocal2("ban.error.duplicate", array(htmlspecialchars($address), htmlspecialchars($existing_ban['banid'])));
 	}
 
 	if (count($errors) == 0) {
diff --git a/src/messenger/webim/operator/groupmembers.php b/src/messenger/webim/operator/groupmembers.php
index b7b8be4b..410ed65b 100644
--- a/src/messenger/webim/operator/groupmembers.php
+++ b/src/messenger/webim/operator/groupmembers.php
@@ -78,7 +78,7 @@ if (!$group) {
 }
 
 $page['formop'] = array();
-$page['currentgroup'] = $group ? topage(htmlspecialchars($group['vclocalname'])) : "";
+$page['currentgroup'] = $group ? topage($group['vclocalname']) : "";
 
 foreach (get_group_members($groupid) as $rel) {
 	$page['formop'][] = $rel['operatorid'];
diff --git a/src/messenger/webim/operator/index.php b/src/messenger/webim/operator/index.php
index e5f38e2e..764d2c59 100644
--- a/src/messenger/webim/operator/index.php
+++ b/src/messenger/webim/operator/index.php
@@ -30,7 +30,7 @@ $page = array(
 	'localeLinks' => get_locale_links("$webimroot/operator/index.php"),
 	'needUpdate' => $settings['dbversion'] != $dbversion,
 	'needChangePassword' => $operator['vcpassword'] == md5(''),
-	'profilePage' => "$webimroot/operator/operator.php?op=".$operator['operatorid'],
+	'profilePage' => "$webimroot/operator/operator.php?op=".htmlspecialchars($operator['operatorid']),
 	'updateWizard' => "$webimroot/install/",
 	'newFeatures' => $settings['featuresversion'] != $featuresversion,
 	'featuresPage' => "$webimroot/operator/features.php",
diff --git a/src/messenger/webim/operator/redirect.php b/src/messenger/webim/operator/redirect.php
index 6a535578..51578081 100644
--- a/src/messenger/webim/operator/redirect.php
+++ b/src/messenger/webim/operator/redirect.php
@@ -39,14 +39,14 @@ if (isset($_GET['nextGroup'])) {
 	$nextGroup = group_by_id($nextid);
 
 	if ($nextGroup) {
-		$page['message'] = getlocal2("chat.redirected.group.content", array(topage(get_group_name($nextGroup))));
+		$page['message'] = getlocal2("chat.redirected.group.content", array(htmlspecialchars(topage(get_group_name($nextGroup)))));
 		if ($thread['istate'] == $state_chatting) {
 			$link = connect();
 			commit_thread($threadid,
 						  array("istate" => $state_waiting, "nextagent" => 0, "groupid" => $nextid, "agentId" => 0, "agentName" => "''"), $link);
 			post_message_($thread['threadid'], $kind_events,
 						  getstring2_("chat.status.operator.redirect",
-									  array(get_operator_name($operator)), $thread['locale']), $link);
+									  array(get_operator_name($operator)), $thread['locale'], true), $link);
 			mysql_close($link);
 		} else {
 			$errors[] = getlocal("chat.redirect.cannot");
@@ -60,7 +60,7 @@ if (isset($_GET['nextGroup'])) {
 	$nextOperator = operator_by_id($nextid);
 
 	if ($nextOperator) {
-		$page['message'] = getlocal2("chat.redirected.content", array(topage(get_operator_name($nextOperator))));
+		$page['message'] = getlocal2("chat.redirected.content", array(htmlspecialchars(topage(get_operator_name($nextOperator)))));
 		if ($thread['istate'] == $state_chatting) {
 			$link = connect();
 			$threadupdate = array("istate" => $state_waiting, "nextagent" => $nextid, "agentId" => 0);
@@ -72,7 +72,7 @@ if (isset($_GET['nextGroup'])) {
 			commit_thread($threadid, $threadupdate, $link);
 			post_message_($thread['threadid'], $kind_events,
 						  getstring2_("chat.status.operator.redirect",
-									  array(get_operator_name($operator)), $thread['locale']), $link);
+									  array(get_operator_name($operator)), $thread['locale'], true), $link);
 			mysql_close($link);
 		} else {
 			$errors[] = getlocal("chat.redirect.cannot");
diff --git a/src/messenger/webim/operator/settings.php b/src/messenger/webim/operator/settings.php
index 0d82e261..b6daca1c 100644
--- a/src/messenger/webim/operator/settings.php
+++ b/src/messenger/webim/operator/settings.php
@@ -69,7 +69,7 @@ if (isset($_POST['email']) && isset($_POST['title']) && isset($_POST['logo'])) {
 	if ($params['geolinkparams']) {
 		foreach (preg_split("/,/", $params['geolinkparams']) as $oneparam) {
 			if (!preg_match("/^\s*(toolbar|scrollbars|location|status|menubar|width|height|resizable)=\d{1,4}$/", $oneparam)) {
-				$errors[] = "Wrong link parameter: \"$oneparam\", should be one of 'toolbar, scrollbars, location, status, menubar, width, height or resizable'";
+				$errors[] = "Wrong link parameter: \"" . htmlspecialchars($oneparam) . "\", should be one of 'toolbar, scrollbars, location, status, menubar, width, height or resizable'";
 			}
 		}
 	}
diff --git a/src/messenger/webim/operator/update.php b/src/messenger/webim/operator/update.php
index 6212cbb1..070b844c 100644
--- a/src/messenger/webim/operator/update.php
+++ b/src/messenger/webim/operator/update.php
@@ -24,7 +24,7 @@ require_once('../libs/groups.php');
 $operator = get_logged_in();
 if (!$operator) {
 	start_xml_output();
-	echo "<error><descr>" . myiconv($webim_encoding, "utf-8", escape_with_cdata(getstring("agent.not_logged_in"))) . "</descr></error>";
+	echo "<error><descr>" . htmlspecialchars(htmlspecialchars(myiconv($webim_encoding, "utf-8", escape_with_cdata(getstring("agent.not_logged_in"))))) . "</descr></error>";
 	exit;
 }
 
@@ -51,7 +51,7 @@ function thread_to_xml($thread, $link)
 $webim_encoding, $operator, $settings,
 $can_viewthreads, $can_takeover, $mysqlprefix;
 	$state = $threadstate_to_string[$thread['istate']];
-	$result = "<thread id=\"" . $thread['threadid'] . "\" stateid=\"$state\"";
+	$result = "<thread id=\"" . htmlspecialchars(htmlspecialchars($thread['threadid'])) . "\" stateid=\"$state\"";
 	if ($state == "closed")
 		return $result . "/>";
 
@@ -77,10 +77,10 @@ $can_viewthreads, $can_takeover, $mysqlprefix;
 
 	$banForThread = $settings['enableban'] == "1" ? ban_for_addr_($thread['remote'], $link) : false;
 	if ($banForThread) {
-		$result .= " ban=\"blocked\" banid=\"" . $banForThread['banid'] . "\"";
+		$result .= " ban=\"blocked\" banid=\"" . htmlspecialchars(htmlspecialchars($banForThread['banid'])) . "\"";
 	}
 
-	$result .= " state=\"$state\" typing=\"" . $thread['userTyping'] . "\">";
+	$result .= " state=\"$state\" typing=\"" . htmlspecialchars(htmlspecialchars($thread['userTyping'])) . "\">";
 	$result .= "<name>";
 	if ($banForThread) {
 		$result .= htmlspecialchars(getstring('chat.client.spam.prefix'));
@@ -88,15 +88,15 @@ $can_viewthreads, $can_takeover, $mysqlprefix;
 	$result .= htmlspecialchars(htmlspecialchars(get_user_name($thread['userName'], $thread['remote'], $thread['userid']))) . "</name>";
 	$result .= "<addr>" . htmlspecialchars(get_user_addr($thread['remote'])) . "</addr>";
 	$result .= "<agent>" . htmlspecialchars(htmlspecialchars($threadoperator)) . "</agent>";
-	$result .= "<time>" . $thread['unix_timestamp(dtmcreated)'] . "000</time>";
-	$result .= "<modified>" . $thread['unix_timestamp(dtmmodified)'] . "000</modified>";
+	$result .= "<time>" . htmlspecialchars(htmlspecialchars($thread['unix_timestamp(dtmcreated)'])) . "000</time>";
+	$result .= "<modified>" . htmlspecialchars(htmlspecialchars($thread['unix_timestamp(dtmmodified)'])) . "000</modified>";
 
 	if ($banForThread) {
-		$result .= "<reason>" . $banForThread['comment'] . "</reason>";
+		$result .= "<reason>" . htmlspecialchars(htmlspecialchars($banForThread['comment'])) . "</reason>";
 	}
 
 	$userAgent = get_useragent_version($thread['userAgent']);
-	$result .= "<useragent>" . $userAgent . "</useragent>";
+	$result .= "<useragent>" . htmlspecialchars(htmlspecialchars($userAgent)) . "</useragent>";
 	if ($thread["shownmessageid"] != 0) {
 		$query = "select tmessage from ${mysqlprefix}chatmessage where messageid = " . $thread["shownmessageid"];
 		$line = select_one_row($query, $link);
diff --git a/src/messenger/webim/view/agent.php b/src/messenger/webim/view/agent.php
index 717f699a..10f2df6f 100644
--- a/src/messenger/webim/view/agent.php
+++ b/src/messenger/webim/view/agent.php
@@ -32,7 +32,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php } ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 <?php if( $page['needChangePassword'] ) { ?>
@@ -47,7 +47,7 @@ require_once('inc_errors.php');
 <?php if( $page['opid'] || $page['canmodify'] ) { ?>
 <form name="agentForm" method="post" action="<?php echo $webimroot ?>/operator/operator.php">
 <?php print_csrf_token_input() ?>
-<input type="hidden" name="opid" value="<?php echo $page['opid'] ?>"/>
+<input type="hidden" name="opid" value="<?php echo htmlspecialchars($page['opid']) ?>"/>
 <?php if(!$page['showjabber']) { ?>
 <input type="hidden" name="jabber" value="<?php echo form_value('jabber') ?>"/>
 <?php if(form_value_cb('jabbernotify')) { ?><input type="hidden" name="jabbernotify" value="on"/><?php } ?>
@@ -133,7 +133,7 @@ require_once('inc_errors.php');
 
 <?php if($page['canmodify']) { ?>
 		<div class="fbutton">
-			<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+			<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 		</div>
 <?php } ?>
 	</div>
@@ -147,7 +147,7 @@ require_once('inc_errors.php');
 
 </form>
 <?php } ?>
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/agents.php b/src/messenger/webim/view/agents.php
index b51046c2..a708d1a1 100644
--- a/src/messenger/webim/view/agents.php
+++ b/src/messenger/webim/view/agents.php
@@ -31,14 +31,14 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("page_agents.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 
 <?php if($page['canmodify']) { ?>
 <div class="tabletool">
 	<img src='<?php echo $webimroot ?>/images/buttons/createagent.gif' border="0" alt="" />
-	<a href='<?php echo $webimroot ?>/operator/operator.php' title="<?php echo getlocal("page_agents.new_agent") ?>">
+	<a href='<?php echo $webimroot ?>/operator/operator.php' title="<?php echo htmlspecialchars(getlocal("page_agents.new_agent")) ?>">
 		<?php echo getlocal("page_agents.new_agent") ?>
 	</a>
 </div>
@@ -64,7 +64,7 @@ require_once('inc_errors.php');
 <?php foreach( $page['allowedAgents'] as $a ) { ?>
 <tr>
 	<td class="notlast">
-   		<a id="ti<?php echo $a['operatorid'] ?>" href="<?php echo $webimroot ?>/operator/operator.php?op=<?php echo $a['operatorid'] ?>" class="man">
+   		<a id="ti<?php echo htmlspecialchars($a['operatorid']) ?>" href="<?php echo $webimroot ?>/operator/operator.php?op=<?php echo urlencode($a['operatorid']) ?>" class="man">
    			<?php echo htmlspecialchars(topage($a['vclogin'])) ?>
    		</a>
 	</td>
@@ -82,11 +82,11 @@ require_once('inc_errors.php');
 	</td>
 <?php if($page['canmodify']) { ?>
 	<td>
-  <a class="removelink" id="i<?php echo $a['operatorid'] ?>" href="<?php echo $webimroot ?>/operator/operators.php?act=del&amp;id=<?php echo $a['operatorid'] ?><?php print_csrf_token_in_url() ?>">
+  <a class="removelink" id="i<?php echo htmlspecialchars($a['operatorid']) ?>" href="<?php echo $webimroot ?>/operator/operators.php?act=del&amp;id=<?php echo urlencode($a['operatorid']) ?><?php print_csrf_token_in_url() ?>">
 			remove
 		</a>
 	</td>
-<?php } ?>	
+<?php } ?>
 </tr>
 <?php } ?>
 </tbody>
@@ -98,7 +98,7 @@ $('a.removelink').click(function(){
 });
 //--></script>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/avatar.php b/src/messenger/webim/view/avatar.php
index 2a3841ad..1149f251 100644
--- a/src/messenger/webim/view/avatar.php
+++ b/src/messenger/webim/view/avatar.php
@@ -27,19 +27,19 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("page_avatar.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 
 <form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data">
 <?php print_csrf_token_input() ?>
-<input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
+<input type="hidden" name="op" value="<?php echo htmlspecialchars($page['opid']) ?>"/>
 	<div>
 <?php print_tabbar(); ?>
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
 	<p>
-		<b><?php echo $page['currentop'] ?>&lrm;</b>
+		<b><?php echo htmlspecialchars($page['currentop']) ?>&lrm;</b>
 	</p>
 
 	<div class="fieldForm">
@@ -48,9 +48,9 @@ require_once('inc_errors.php');
 		<div class="field">
 			<div class="flabel"><?php echo getlocal('form.field.avatar.current') ?></div>
 			<div class="fvalue">
-				<img src="<?php echo $page['avatar'] ?>" alt="cannot load avatar"/><br/>
+				<img src="<?php echo htmlspecialchars($page['avatar']) ?>" alt="cannot load avatar"/><br/>
 <?php if($page['canmodify']) { ?>
-                <a class="formauth" href='<?php echo $webimroot ?>/operator/avatar.php?op=<?php echo $page['opid'] ?>&amp;delete=true'>
+                <a class="formauth" href="<?php echo $webimroot ?>/operator/avatar.php?op=<?php echo urlencode($page['opid']) ?>&amp;delete=true">
                     <?php echo getlocal("page_agent.clear_avatar") ?>
                 </a>
 <?php } ?>
@@ -77,20 +77,20 @@ require_once('inc_errors.php');
 		</div>
 
 		<div class="fbutton">
-			<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+			<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 		</div>
 <?php } ?>
 	</div>
 
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
+	</div>
 
 	<div class="asterisk">
 		<?php echo getlocal("common.asterisk_explanation") ?>
 	</div>
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/ban.php b/src/messenger/webim/view/ban.php
index a3fa9b08..e5bae6b1 100644
--- a/src/messenger/webim/view/ban.php
+++ b/src/messenger/webim/view/ban.php
@@ -21,7 +21,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 ?>
 
 <?php if( $page['saved'] ) { ?>
-	<?php echo getlocal2("page_ban.sent",array($page['address'])) ?>
+	<?php echo getlocal2("page_ban.sent",array(htmlspecialchars($page['address']))) ?>
 
 	<script type="text/javascript"><!--
 		setTimeout( (function() { window.close(); }), 1500 );
@@ -42,9 +42,9 @@ require_once('inc_errors.php');
 <?php } ?>
 
 <form name="banForm" method="post" action="<?php echo $webimroot ?>/operator/ban.php">
-<input type="hidden" name="banId" value="<?php echo $page['banId'] ?>"/>
+<input type="hidden" name="banId" value="<?php echo htmlspecialchars($page['banId']) ?>"/>
 <?php if( $page['threadid'] ) { ?>
-<input type="hidden" name="threadid" value="<?php echo $page['threadid'] ?>"/>
+<input type="hidden" name="threadid" value="<?php echo htmlspecialchars($page['threadid']) ?>"/>
 <?php } ?>
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 	
@@ -77,7 +77,7 @@ require_once('inc_errors.php');
 		</div>
 		
 		<div class="fbutton">
-			<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+			<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 		</div>
 	</div>
 	
diff --git a/src/messenger/webim/view/blocked_visitors.php b/src/messenger/webim/view/blocked_visitors.php
index 3d7435c2..a65d4a55 100644
--- a/src/messenger/webim/view/blocked_visitors.php
+++ b/src/messenger/webim/view/blocked_visitors.php
@@ -37,7 +37,7 @@ require_once('inc_errors.php');
 
 <div class="tabletool">
 	<img src="<?php echo $webimroot ?>/images/buttons/createban.gif" border="0" alt=""/>
-	<a href="<?php echo $webimroot ?>/operator/ban.php" title="<?php echo getlocal("page_bans.add") ?>">
+	<a href="<?php echo $webimroot ?>/operator/ban.php" title="<?php echo htmlspecialchars(getlocal("page_bans.add")) ?>">
 		<?php echo getlocal("page_bans.add") ?>
 	</a>
 </div>
@@ -64,7 +64,7 @@ if( $page['pagination.items'] ) {
 	foreach( $page['pagination.items'] as $b ) { ?>
 	<tr>
 	<td class="notlast">
-		<a href="ban.php?id=<?php echo $b['banid'] ?>" class="man" id="ti<?php echo $b['banid'] ?>">
+		<a href="ban.php?id=<?php echo urlencode($b['banid']) ?>" class="man" id="ti<?php echo htmlspecialchars($b['banid']) ?>">
 		   	<?php echo htmlspecialchars($b['address']) ?>
 	   	</a>
 	</td>
@@ -81,7 +81,7 @@ if( $page['pagination.items'] ) {
 ?>
 	</td>
 	<td>
-		<a class="removelink" id="i<?php echo $b['banid'] ?>" href="<?php echo $webimroot ?>/operator/blocked.php?act=del&amp;id=<?php echo $b['banid'] ?>">
+		<a class="removelink" id="i<?php echo htmlspecialchars($b['banid']) ?>" href="<?php echo $webimroot ?>/operator/blocked.php?act=del&amp;id=<?php echo urlencode($b['banid']) ?>">
 			remove
 		</a>
 	</td>
diff --git a/src/messenger/webim/view/canned.php b/src/messenger/webim/view/canned.php
index 41722959..ff4bd0a3 100644
--- a/src/messenger/webim/view/canned.php
+++ b/src/messenger/webim/view/canned.php
@@ -25,32 +25,32 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("canned.descr") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 
 <form name="cannedForm" method="get" action="<?php echo $webimroot ?>/operator/canned.php">
-	
+
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
 	<div class="packedFormField">
 		<?php echo getlocal("canned.locale") ?><br/>
 		<select name="lang" onchange="this.form.submit();"><?php
 			foreach($page['locales'] as $k) {
-				echo "<option value=\"".$k["id"]."\"".($k["id"] == form_value("lang") ? " selected=\"selected\"" : "").">".$k["name"]."</option>";
+				echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("lang") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>";
 			} ?></select>
 	</div>
-	
+
 <?php if($page['showgroups']) { ?>
 	<div class="packedFormField">
 		<?php echo getlocal("canned.group") ?><br/>
-		<select name="group" onchange="this.form.submit();"><?php 
-			foreach($page['groups'] as $k) { 
-				echo "<option value=\"".$k["groupid"]."\"".($k["groupid"] == form_value("group") ? " selected=\"selected\"" : "").">".$k["vclocalname"]."</option>";
+		<select name="group" onchange="this.form.submit();"><?php
+			foreach($page['groups'] as $k) {
+				echo "<option value=\"" . htmlspecialchars($k["groupid"]) . "\"".($k["groupid"] == form_value("group") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["vclocalname"]) . "</option>";
 			} ?></select>
 	</div>
 <?php } ?>
-	
+
 	<br clear="all"/>
 	
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
@@ -59,8 +59,8 @@ require_once('inc_errors.php');
 
 <div class="tabletool">
 	<img src="<?php echo $webimroot ?>/images/buttons/createban.gif" border="0" alt=""/>
-	<a href="<?php echo $webimroot ?>/operator/cannededit.php?lang=<?php echo form_value("lang") ?>&amp;group=<?php echo form_value("group")?>" target="_blank" 
-				onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/cannededit.php?lang=<?php echo form_value("lang") ?>&amp;group=<?php echo form_value("group")?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=640,height=480,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;">
+	<a href="<?php echo $webimroot ?>/operator/cannededit.php?lang=<?php echo urlencode(form_value("lang")) ?>&amp;group=<?php echo urlencode(form_value("group")) ?>" target="_blank"
+				onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/cannededit.php?lang=<?php echo urlencode(form_value("lang")) ?>&amp;group=<?php echo urlencode(form_value("group")) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=640,height=480,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;">
 		<?php echo getlocal("canned.add") ?>
 	</a>
 </div>
@@ -77,21 +77,21 @@ require_once('inc_errors.php');
 	</th></tr>
 </thead>
 <tbody>
-<?php 
-if( $page['pagination.items'] ) {	
+<?php
+if( $page['pagination.items'] ) {
 	foreach( $page['pagination.items'] as $localstr ) { ?>
 	<tr>
 		<td>
 			<?php echo str_replace("\n", "<br/>",htmlspecialchars(topage($localstr['vcvalue']))) ?>
 		</td>
 		<td>
-			<a href="<?php echo $webimroot ?>/operator/cannededit.php?key=<?php echo $localstr['id'] ?>" target="_blank" 
-				onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/cannededit.php?key=<?php echo $localstr['id'] ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=640,height=480,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo getlocal("canned.actions.edit") ?></a>, 
-			<a href="<?php echo $webimroot ?>/operator/canned.php?act=delete&amp;key=<?php echo $localstr['id'] ?>&amp;lang=<?php echo form_value("lang") ?>&amp;group=<?php echo form_value("group")?><?php print_csrf_token_in_url() ?>"><?php echo getlocal("canned.actions.del") ?></a>
+			<a href="<?php echo $webimroot ?>/operator/cannededit.php?key=<?php echo urlencode($localstr['id']) ?>" target="_blank"
+				onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/cannededit.php?key=<?php echo urlencode($localstr['id']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=640,height=480,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo getlocal("canned.actions.edit") ?></a>,
+			<a href="<?php echo $webimroot ?>/operator/canned.php?act=delete&amp;key=<?php echo urlencode($localstr['id']) ?>&amp;lang=<?php echo urlencode(form_value("lang")) ?>&amp;group=<?php echo urlencode(form_value("group")) ?><?php print_csrf_token_in_url() ?>"><?php echo getlocal("canned.actions.del") ?></a>
 		</td>
 	</tr>
 <?php
-	} 
+	}
 } else {
 ?>
 	<tr>
@@ -99,20 +99,20 @@ if( $page['pagination.items'] ) {
 		<?php echo getlocal("tag.pagination.no_items.elements") ?>
 	</td>
 	</tr>
-<?php 
-} 
+<?php
+}
 ?>
 </tbody>
 </table>
 <?php
-	if( $page['pagination.items'] ) { 
+	if( $page['pagination.items'] ) {
 		echo "<br/>";
 		echo generate_pagination($page['pagination']);
 	}
-} 
+}
 ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/cannededit.php b/src/messenger/webim/view/cannededit.php
index 76306d08..e372af4a 100644
--- a/src/messenger/webim/view/cannededit.php
+++ b/src/messenger/webim/view/cannededit.php
@@ -35,16 +35,16 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo $page['key'] ? getlocal("cannededit.descr") : getlocal("cannednew.descr") ?>
 <br/>
 <br/>
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 
 <form name="cannedForm" method="post" action="<?php echo $webimroot ?>/operator/cannededit.php">
 <?php print_csrf_token_input() ?>
-<input type="hidden" name="key" value="<?php echo $page['key'] ?>"/>
+<input type="hidden" name="key" value="<?php echo htmlspecialchars($page['key']) ?>"/>
 <?php if(!$page['key']) { ?>
-<input type="hidden" name="lang" value="<?php echo $page['locale'] ?>"/>
-<input type="hidden" name="group" value="<?php echo $page['groupid'] ?>"/>
+<input type="hidden" name="lang" value="<?php echo htmlspecialchars($page['locale']) ?>"/>
+<input type="hidden" name="group" value="<?php echo htmlspecialchars($page['groupid']) ?>"/>
 <?php } ?>
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
@@ -55,18 +55,18 @@ require_once('inc_errors.php');
 				<textarea name="message" cols="20" rows="5" class="wide"><?php echo form_value('message') ?></textarea>
 			</div>
 		</div>
-	
+
 		<div class="fbutton">
-			<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+			<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 		</div>
 	</div>
-	
+
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
 </form>
 
 <?php } ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/confirm.php b/src/messenger/webim/view/confirm.php
index e252c397..c10ddc2e 100644
--- a/src/messenger/webim/view/confirm.php
+++ b/src/messenger/webim/view/confirm.php
@@ -23,16 +23,16 @@ function tpl_content() { global $page, $webimroot;
 <div id="confirmpane">
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
-		<?php echo getlocal2("confirm.take.message",array($page['user'], $page['agent'])) ?><br/><br/>
+		<?php echo getlocal2("confirm.take.message",array(htmlspecialchars($page['user']), htmlspecialchars($page['agent']))) ?><br/><br/>
 		<br/>
 
 		<div>
 		<table class="nicebutton"><tr>
-			<td><a href="<?php echo $page['link'] ?>">
+			<td><a href="<?php echo htmlspecialchars($page['link']) ?>">
 				<img src='<?php echo $webimroot ?>/images/submit.gif' width="40" height="35" border="0" alt="" /></a></td>
-			<td class="submit"><a href="<?php echo $page['link'] ?>">
+			<td class="submit"><a href="<?php echo htmlspecialchars($page['link']) ?>">
 				<?php echo getlocal("confirm.take.yes") ?></a></td>
-			<td><a href="<?php echo $page['link'] ?>">
+			<td><a href="<?php echo htmlspecialchars($page['link']) ?>">
 				<img src='<?php echo $webimroot ?>/images/submitrest.gif' width="10" height="35" border="0" alt="" /></a></td>
 		</tr></table>
 
diff --git a/src/messenger/webim/view/features.php b/src/messenger/webim/view/features.php
index bb77bfe6..2ed01b14 100644
--- a/src/messenger/webim/view/features.php
+++ b/src/messenger/webim/view/features.php
@@ -22,7 +22,7 @@ $page['title'] = getlocal("settings.title");
 $page['menuid'] = "settings";
 
 function tpl_header() { global $page, $webimroot;
-?>	
+?>
 <script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/jquery-1.4.2.min.js"></script>
 <script type="text/javascript" language="javascript">
 function updateSurvey() {
@@ -61,7 +61,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("page_settings.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 <?php if( $page['stored'] ) { ?>
@@ -84,7 +84,7 @@ require_once('inc_errors.php');
 			<div class="fdescr"> &mdash; <?php echo getlocal('settings.usercanchangename.description') ?></div>
 			<br clear="all"/>
 		</div>
-		
+
 		<div class="field">
 			<div class="flabel"><?php echo getlocal('settings.enablessl') ?></div>
 			<div class="fvalue">
@@ -164,7 +164,7 @@ require_once('inc_errors.php');
 				<div class="fdescr"> &mdash; <?php echo getlocal('settings.survey.askgroup.description') ?></div>
 				<br clear="all"/>
 			</div>
-			
+
 			<div class="subfield undersurvey">
 				<div class="flabel"><?php echo getlocal('settings.survey.askmessage') ?></div>
 				<div class="fvalue">
@@ -213,16 +213,16 @@ require_once('inc_errors.php');
 
     <?php if($page['canmodify']) { ?>
 		<div class="fbutton">
-			<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+			<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 		</div>
     <?php } ?>
 	</div>
 	
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
+	</div>
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/getcode_image.php b/src/messenger/webim/view/getcode_image.php
index 93b54a8c..525392e9 100644
--- a/src/messenger/webim/view/getcode_image.php
+++ b/src/messenger/webim/view/getcode_image.php
@@ -41,7 +41,7 @@ require_once('inc_errors.php');
 		<div class="fieldinrow">
 			<div class="flabel"><?php echo getlocal("page.gen_button.choose_locale") ?></div>
 			<div class="fvaluenodesc">
-				<select name="lang" onchange="this.form.submit();"><?php foreach($page['availableLocales'] as $k) { echo "<option value=\"".$k."\"".($k == form_value("lang") ? " selected=\"selected\"" : "").">".$k."</option>"; } ?></select>
+				<select name="lang" onchange="this.form.submit();"><?php foreach($page['availableLocales'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"" . ($k == form_value("lang") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select>
 			</div>
 		</div>
 
@@ -49,7 +49,7 @@ require_once('inc_errors.php');
 		<div class="fieldinrow">
 			<div class="flabel"><?php echo getlocal("page.gen_button.choose_group") ?></div>
 			<div class="fvaluenodesc">
-				<select name="group" onchange="this.form.submit();"><?php foreach($page['groups'] as $k) { echo "<option value=\"".$k['groupid']."\"".($k['groupid'] == form_value("group") ? " selected=\"selected\"" : "").">".$k['vclocalname']."</option>"; } ?></select>
+				<select name="group" onchange="this.form.submit();"><?php foreach($page['groups'] as $k) { echo "<option value=\"" . htmlspecialchars($k['groupid']) . "\"".($k['groupid'] == form_value("group") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k['vclocalname']) . "</option>"; } ?></select>
 			</div>
 		</div>
 <?php } ?>
@@ -58,14 +58,14 @@ require_once('inc_errors.php');
 		<div class="fieldinrow">
 			<div class="flabel"><?php echo getlocal("page.gen_button.choose_image") ?></div>
 			<div class="fvaluenodesc">
-				<select name="i" onchange="this.form.submit();"><?php foreach($page['availableImages'] as $k) { echo "<option value=\"".$k."\"".($k == form_value("image") ? " selected=\"selected\"" : "").">".$k."</option>"; } ?></select>
+				<select name="i" onchange="this.form.submit();"><?php foreach($page['availableImages'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("image") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select>
 			</div>
 		</div>
 
 		<div class="fieldinrow">
 			<div class="flabel"><?php echo getlocal("page.gen_button.choose_style") ?></div>
 			<div class="fvaluenodesc">
-				<select name="style" onchange="this.form.submit();"><?php foreach($page['availableStyles'] as $k => $v) { echo "<option value=\"".$k."\"".($k == form_value("style") ? " selected=\"selected\"" : "").">".$v."</option>"; } ?></select>
+				<select name="style" onchange="this.form.submit();"><?php foreach($page['availableStyles'] as $k => $v) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("style") ? " selected=\"selected\"" : "").">" . htmlspecialchars($v) . "</option>"; } ?></select>
 			</div>
 		</div>
 		<br clear="all"/>
@@ -113,7 +113,7 @@ require_once('inc_errors.php');
 	</div>
 	
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
+	</div>
 </form>
 
 <?php 
diff --git a/src/messenger/webim/view/getcode_text.php b/src/messenger/webim/view/getcode_text.php
index 9cda65c9..5bb6a2d7 100644
--- a/src/messenger/webim/view/getcode_text.php
+++ b/src/messenger/webim/view/getcode_text.php
@@ -27,7 +27,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("page.gen_button.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 
@@ -37,11 +37,11 @@ require_once('inc_errors.php');
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
 	<div class="fieldForm">
-	
+
 		<div class="fieldinrow">
 			<div class="flabel"><?php echo getlocal("page.gen_button.choose_locale") ?></div>
 			<div class="fvaluenodesc">
-				<select name="lang" onchange="this.form.submit();"><?php foreach($page['availableLocales'] as $k) { echo "<option value=\"".$k."\"".($k == form_value("lang") ? " selected=\"selected\"" : "").">".$k."</option>"; } ?></select>
+				<select name="lang" onchange="this.form.submit();"><?php foreach($page['availableLocales'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("lang") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select>
 			</div>
 		</div>
 
@@ -49,7 +49,7 @@ require_once('inc_errors.php');
 		<div class="fieldinrow">
 			<div class="flabel"><?php echo getlocal("page.gen_button.choose_group") ?></div>
 			<div class="fvaluenodesc">
-				<select name="group" onchange="this.form.submit();"><?php foreach($page['groups'] as $k) { echo "<option value=\"".$k['groupid']."\"".($k['groupid'] == form_value("group") ? " selected=\"selected\"" : "").">".$k['vclocalname']."</option>"; } ?></select>
+				<select name="group" onchange="this.form.submit();"><?php foreach($page['groups'] as $k) { echo "<option value=\"" . htmlspecialchars($k['groupid']) . "\"".($k['groupid'] == form_value("group") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k['vclocalname']) . "</option>"; } ?></select>
 			</div>
 		</div>
 <?php } ?>
@@ -58,7 +58,7 @@ require_once('inc_errors.php');
 		<div class="fieldinrow">
 			<div class="flabel"><?php echo getlocal("page.gen_button.choose_style") ?></div>
 			<div class="fvaluenodesc">
-				<select name="style" onchange="this.form.submit();"><?php foreach($page['availableStyles'] as $k => $v) { echo "<option value=\"".$k."\"".($k == form_value("style") ? " selected=\"selected\"" : "").">".$v."</option>"; } ?></select>
+				<select name="style" onchange="this.form.submit();"><?php foreach($page['availableStyles'] as $k => $v) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("style") ? " selected=\"selected\"" : "").">" . htmlspecialchars($v) . "</option>"; } ?></select>
 			</div>
 		</div>
 		<br clear="all"/>
@@ -106,10 +106,10 @@ require_once('inc_errors.php');
 	</div>
 	
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
+	</div>
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/group.php b/src/messenger/webim/view/group.php
index 0c3c57f8..13af0398 100644
--- a/src/messenger/webim/view/group.php
+++ b/src/messenger/webim/view/group.php
@@ -32,7 +32,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php } ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 <?php if( $page['stored'] ) { ?>
@@ -40,7 +40,7 @@ require_once('inc_errors.php');
 <?php } ?>
 
 <form name="groupForm" method="post" action="<?php echo $webimroot ?>/operator/group.php">
-<input type="hidden" name="gid" value="<?php echo $page['grid'] ?>"/>
+<input type="hidden" name="gid" value="<?php echo htmlspecialchars($page['grid']) ?>"/>
 	<div>
 <?php print_tabbar(); ?>
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
@@ -92,20 +92,20 @@ require_once('inc_errors.php');
 		</div>
 		
 		<div class="fbutton">
-			<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+			<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 		</div>
 	</div>
-	
+
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
-	
+	</div>
+
 	<div class="asterisk">
 		<?php echo getlocal("common.asterisk_explanation") ?>
 	</div>
 
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/groupmembers.php b/src/messenger/webim/view/groupmembers.php
index 5ce7acde..566627ef 100644
--- a/src/messenger/webim/view/groupmembers.php
+++ b/src/messenger/webim/view/groupmembers.php
@@ -24,44 +24,45 @@ $page['menuid'] = "groups";
 function tpl_content() { global $page, $webimroot, $errors;
 ?>
 
-<?php echo getlocal("page.groupmembers.intro") ?>
+<?php echo htmlspecialchars(getlocal("page.groupmembers.intro")) ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 <?php if( $page['stored'] ) { ?>
-<div id="formmessage"><?php echo getlocal("data.saved") ?></div>
+<div id="formmessage"><?php echo htmlspecialchars(getlocal("data.saved")) ?></div>
 <?php } ?>
 
 <form name="membersForm" method="post" action="<?php echo $webimroot ?>/operator/groupmembers.php">
-<input type="hidden" name="gid" value="<?php echo $page['groupid'] ?>"/>
+<?php print_csrf_token_input() ?>
+<input type="hidden" name="gid" value="<?php echo htmlspecialchars($page['groupid']) ?>"/>
 	<div>
 <?php print_tabbar(); ?>
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
 	<p>
-		<b><?php echo $page['currentgroup'] ?></b>
+		<b><?php echo htmlspecialchars($page['currentgroup']) ?></b>
 	</p>
 <?php foreach( $page['operators'] as $pm ) { ?>
 	<div class="field">
 		<div class="fvaluenodesc">
-			<input type="checkbox" name="op<?php echo $pm['operatorid'] ?>" value="on"<?php echo form_value_mb('op',$pm['operatorid']) ? " checked=\"checked\"" : "" ?>/> 
-			<?php echo htmlspecialchars(topage($pm['vclocalename'])) ?> (<a href="operator.php?op=<?php echo $pm['operatorid'] ?>"
+			<input type="checkbox" name="op<?php echo htmlspecialchars($pm['operatorid']) ?>" value="on"<?php echo form_value_mb('op',$pm['operatorid']) ? " checked=\"checked\"" : "" ?>/>
+			<?php echo htmlspecialchars(topage($pm['vclocalename'])) ?> (<a href="operator.php?op=<?php echo urlencode($pm['operatorid']) ?>"
 				><?php echo htmlspecialchars(topage($pm['vclogin'])) ?></a>)
 		</div>
 	</div>
 <?php } ?>
 
 	<div class="fbutton">
-		<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+		<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 	</div>
 
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
+	</div>
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/groups.php b/src/messenger/webim/view/groups.php
index 15930010..25b8aa9a 100644
--- a/src/messenger/webim/view/groups.php
+++ b/src/messenger/webim/view/groups.php
@@ -20,7 +20,7 @@ $page['title'] = getlocal("page.groups.title");
 $page['menuid'] = "groups";
 
 function tpl_header() { global $page, $webimroot;
-?>	
+?>
 <script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/jquery-1.4.2.min.js"></script>
 <?php
 }
@@ -31,14 +31,14 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("page.groups.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 
 <?php if($page['canmodify']) { ?>
 <div class="tabletool">
-	<img src='<?php echo $webimroot ?>/images/buttons/createdep.gif' border="0" alt="" />
-	<a href='<?php echo $webimroot ?>/operator/group.php' title="<?php echo getlocal("page.groups.new") ?>">
+	<img src="<?php echo $webimroot ?>/images/buttons/createdep.gif" border="0" alt="" />
+	<a href="<?php echo $webimroot ?>/operator/group.php" title="<?php echo getlocal("page.groups.new") ?>">
 		<?php echo getlocal("page.groups.new") ?>
 	</a>
 </div>
@@ -64,16 +64,16 @@ require_once('inc_errors.php');
 </thead>
 <tbody>
 <?php
-if(count($page['groups']) > 0) { 
+if(count($page['groups']) > 0) {
 	foreach( $page['groups'] as $grp ) { ?>
 <tr>
 	<td class="notlast">
-   		<a href="<?php echo $webimroot ?>/operator/group.php?gid=<?php echo $grp['groupid'] ?>" id="ti<?php echo $grp['groupid'] ?>" class="man">
-   			<?php echo htmlspecialchars(topage($grp['vclocalname'])) ?>
-   		</a>
+		<a href="<?php echo $webimroot ?>/operator/group.php?gid=<?php echo urlencode($grp['groupid']) ?>" id="ti<?php echo htmlspecialchars($grp['groupid']) ?>" class="man">
+			<?php echo htmlspecialchars(topage($grp['vclocalname'])) ?>
+		</a>
 	</td>
 	<td class="notlast">
-   		<?php echo $grp['vclocaldescription'] ? htmlspecialchars(topage($grp['vclocaldescription'])) : "&lt;none&gt;" ?>
+		<?php echo $grp['vclocaldescription'] ? htmlspecialchars(topage($grp['vclocaldescription'])) : "&lt;none&gt;" ?>
 	</td>
 	<td class="notlast">
 <?php if(is_online($grp)) { ?>
@@ -85,19 +85,19 @@ if(count($page['groups']) > 0) {
 <?php } ?>
 	</td>
 	<td>
-   		<a href="<?php echo $webimroot ?>/operator/groupmembers.php?gid=<?php echo $grp['groupid'] ?>">
-	   		<?php echo htmlspecialchars(topage($grp['inumofagents'])) ?>
-   		</a>
+		<a href="<?php echo $webimroot ?>/operator/groupmembers.php?gid=<?php echo urlencode($grp['groupid']) ?>">
+			<?php echo htmlspecialchars(topage($grp['inumofagents'])) ?>
+		</a>
 	</td>
 <?php if($page['canmodify']) { ?>
 	<td>
-		<a href="<?php echo $webimroot ?>/operator/groups.php?act=del&amp;gid=<?php echo $grp['groupid'] ?>" id="i<?php echo $grp['groupid'] ?>" class="removelink">
+		<a href="<?php echo $webimroot ?>/operator/groups.php?act=del&amp;gid=<?php echo urlencode($grp['groupid']) ?>" id="i<?php echo htmlspecialchars($grp['groupid']) ?>" class="removelink">
 			remove
 		</a>
 	</td>
 <?php } ?>
 </tr>
-<?php 
+<?php
 	}
 } else {
 ?>
@@ -106,8 +106,8 @@ if(count($page['groups']) > 0) {
 		<?php echo getlocal("tag.pagination.no_items.elements") ?>
 	</td>
 	</tr>
-<?php 
-} 
+<?php
+}
 ?>
 </tbody>
 </table>
diff --git a/src/messenger/webim/view/inc_locales.php b/src/messenger/webim/view/inc_locales.php
index 9f2f7842..284adb11 100644
--- a/src/messenger/webim/view/inc_locales.php
+++ b/src/messenger/webim/view/inc_locales.php
@@ -28,10 +28,10 @@ function tpl_menu() { global $page, $webimroot, $errors, $current_locale;
 				<h2><b><?php echo getlocal("lang.choose") ?></b></h2>
 				<ul class="locales">
 <?php foreach($page['localeLinks'] as $id => $title) { ?>
-					<li<?php menuloc($id)?> ><a href='?locale=<?php echo $id ?>'><?php echo $title ?></a></li>
+					<li<?php menuloc($id)?> ><a href="?locale=<?php echo urlencode($id) ?>"><?php echo htmlspecialchars($title) ?></a></li>
 <?php } ?>
 				</ul>
 			</li>
-<?php 
+<?php
 }
 ?>
\ No newline at end of file
diff --git a/src/messenger/webim/view/inc_main.php b/src/messenger/webim/view/inc_main.php
index 5c83c99b..c6ce015a 100644
--- a/src/messenger/webim/view/inc_main.php
+++ b/src/messenger/webim/view/inc_main.php
@@ -24,10 +24,10 @@ $isrtl = getlocal("localedirection") == 'rtl';
 <link rel="shortcut icon" href="<?php echo $webimroot ?>/images/favicon.ico" type="image/x-icon"/>
 <?php
 	if(function_exists('tpl_header'))
-		tpl_header(); 
+		tpl_header();
 ?>
 <title>
-	<?php echo $page['title'] ?> - <?php echo getlocal("app.title") ?>
+	<?php echo htmlspecialchars($page['title']) ?> - <?php echo getlocal("app.title") ?>
 </title>
 <link href="<?php echo $webimroot ?>/default.css" rel="stylesheet" type="text/css" />
 <!--[if lte IE 6]><script language="JavaScript" type="text/javascript" src="<?php echo $webimroot ?>/<?php echo jspath() ?>/ie.js"></script><![endif]-->
@@ -37,10 +37,10 @@ $isrtl = getlocal("localedirection") == 'rtl';
 	<div id="header">
 		<div id="title">
 			<h1><img src="<?php echo $webimroot ?>/images/logo.gif" alt="" width="32" height="32" class="left" />
-				<a href="#"><?php echo isset($page['headertitle']) ? $page['headertitle'] : $page['title'] ?></a></h1>
+				<a href="#"><?php echo isset($page['headertitle']) ? htmlspecialchars($page['headertitle']) : htmlspecialchars($page['title']) ?></a></h1>
 		</div>
 <?php if(isset($page) && isset($page['operator'])) { ?>
-		<div id="path"><p><?php echo getlocal2("menu.operator",array($page['operator'])) ?></p></div>
+		<div id="path"><p><?php echo getlocal2("menu.operator",array(htmlspecialchars($page['operator']))) ?></p></div>
 <?php } else if(isset($page) && isset($page['show_small_login'])) { ?>
 		<div id="loginsmallpane">
 			<form name="smallLogin" method="post" action="<?php echo $webimroot ?>/operator/login.php">
@@ -50,13 +50,13 @@ $isrtl = getlocal("localedirection") == 'rtl';
 				<input type="hidden" name="isRemember" value=""/>
 				<input type="submit" value="&gt;&gt;" class="butt"/>
 			</form>
-		
+
 		</div>
 <?php } ?>
 	</div>
-	
+
 	<br clear="all"/>
-	
+
 	<div class="contentdiv">
 <?php if(function_exists('tpl_menu')) { ?>
 	<div id="wcontent" class="contentinner">
@@ -65,25 +65,25 @@ $isrtl = getlocal("localedirection") == 'rtl';
 <?php } ?>
 <?php
 	tpl_content();
-?>	
+?>
 	</div>
 	</div>
 
-<?php if(function_exists('tpl_menu')) { ?>	
+<?php if(function_exists('tpl_menu')) { ?>
 	<div id="sidebar">
 		<ul>
-<?php 
+<?php
 	tpl_menu();
 ?>
 		</ul>
 	</div>
 <?php } ?>
 	<div style="clear: both;">&nbsp;</div>
-	
-   	<div class="empty_inner" style="">&#160;</div>
+
+	<div class="empty_inner" style="">&#160;</div>
 </div>
 <div id="footer">
-	<p id="legal"><a href="http://mibew.org/" target="_blank" class="flink">Mibew Messenger</a> <?php echo $version ?> | (c) 2011-2013 mibew.org</p>
+	<p id="legal"><a href="http://mibew.org/" target="_blank" class="flink">Mibew Messenger</a> <?php echo htmlspecialchars($version) ?> | (c) 2011-2013 mibew.org</p>
 </div>
 </body>
 </html>
\ No newline at end of file
diff --git a/src/messenger/webim/view/inc_tabbar.php b/src/messenger/webim/view/inc_tabbar.php
index 6cfb3a22..c13eba6e 100644
--- a/src/messenger/webim/view/inc_tabbar.php
+++ b/src/messenger/webim/view/inc_tabbar.php
@@ -17,7 +17,7 @@
 
 function print_tabbar($maxwidth = 4) {
 	global $page;
-	
+
 	if($page['tabs']) {
 		$tabbar = $page['tabs'];
 		$len = count($tabbar);
@@ -25,17 +25,17 @@ function print_tabbar($maxwidth = 4) {
 		$tabbar2 = array();
 		for($i = 0; $i < $len; $i++) {
 			$tabbar2[] = $i != $selected
-				? "<li><a href=\"".$tabbar[$i]['link']."\">".$tabbar[$i]['title']."</a></li>\n"
-				: "<li class=\"active\"><a href=\"#\">".$tabbar[$i]['title']."</a></li>\n";
+				? "<li><a href=\"" . htmlspecialchars($tabbar[$i]['link']) . "\">" . htmlspecialchars($tabbar[$i]['title']) . "</a></li>\n"
+				: "<li class=\"active\"><a href=\"#\">" . htmlspecialchars($tabbar[$i]['title']) . "</a></li>\n";
 		}
-		
+
 		if($len > $maxwidth) { // && $len - $selected > $maxwidth
 			if($selected < $maxwidth) {
 				$tabbar = array_splice($tabbar2, 0, $maxwidth);
 				array_splice($tabbar2, count($tabbar2),0, $tabbar);
 			} // else 3 rows menu
 		}		
-		
+
 		echo "<ul class=\"tabs\">\n";
 		$i = 0;
 		foreach($tabbar2 as $v) {
@@ -43,7 +43,7 @@ function print_tabbar($maxwidth = 4) {
 				echo "</ul><br clear=\"all\"><ul class=\"tabs\">\n";
 			}
 			echo $v;
-			$i++; 	
+			$i++;
 		}
 		echo "</ul>";
 	}
diff --git a/src/messenger/webim/view/login.php b/src/messenger/webim/view/login.php
index 37a97f63..f524e821 100644
--- a/src/messenger/webim/view/login.php
+++ b/src/messenger/webim/view/login.php
@@ -33,18 +33,18 @@ function tpl_content() { global $page, $webimroot, $errors;
 <form name="loginForm" method="post" action="<?php echo $webimroot ?>/operator/login.php">
 	<div id="loginpane">
 
-	<div class="header">	
+	<div class="header">
 		<h2><?php echo getlocal("page_login.title") ?></h2>
 	</div>
 
 	<div class="fieldForm">
-	
+
 		<?php echo getlocal("page_login.intro") ?><br/><br/>
 
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
-	
+
 		<div class="field">
 			<div class="fleftlabel"><?php echo getlocal("page_login.login") ?></div>
 			<div class="fvalue">
@@ -72,7 +72,7 @@ require_once('inc_errors.php');
 		</div>
 
 		<div class="fbutton">
-			<input type="image" name="login" src='<?php echo $webimroot.getlocal("image.button.login") ?>' alt='<?php echo getlocal("button.enter") ?>'/>
+			<input type="image" name="login" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.login")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.enter")) ?>"/>
 
 			<div class="links">
 				<a href="restore.php"><?php echo getlocal("restore.pwd.message") ?></a><br/>
@@ -81,10 +81,10 @@ require_once('inc_errors.php');
 
 	</div>
 
-	</div>		
+	</div>
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/menu.php b/src/messenger/webim/view/menu.php
index bd79052b..9b14c9b5 100644
--- a/src/messenger/webim/view/menu.php
+++ b/src/messenger/webim/view/menu.php
@@ -21,7 +21,7 @@ $page['menuid'] = "main";
 
 function tpl_header() { global $page, $webimroot, $jsver;
 	if(isset($page) && isset($page['localeLinks'])) {
-?>	
+?>
 <script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/jquery-1.4.2.min.js"></script>
 <script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/<?php echo $jsver ?>/locale.js"></script>
 <?php
@@ -40,13 +40,13 @@ function tpl_content() { global $page, $webimroot, $current_locale, $menuItemsCo
 <br/>
 
 <?php if( $page['needChangePassword'] ) { ?>
-<div id="formmessage"><?php echo getlocal("error.no_password") ?> <?php echo getlocal2("error.no_password.visit_profile", array($page['profilePage'])) ?></div>
+<div id="formmessage"><?php echo getlocal("error.no_password") ?> <?php echo getlocal2("error.no_password.visit_profile", array(htmlspecialchars($page['profilePage']))) ?></div>
 <br/>
 <?php } else if( $page['needUpdate'] ) { ?>
-<div id="formmessage"><?php echo getlocal2("install.updatedb",array($page['updateWizard'])) ?></div>
+<div id="formmessage"><?php echo getlocal2("install.updatedb",array(htmlspecialchars($page['updateWizard']))) ?></div>
 <br/>
 <?php } else if($page['newFeatures']) { ?>
-<div><div id="formmessage"><?php echo getlocal2("install.newfeatures",array($page['featuresPage'], $version)) ?></div></div>
+<div><div id="formmessage"><?php echo getlocal2("install.newfeatures",array(htmlspecialchars($page['featuresPage'], $version))) ?></div></div>
 <br/>
 <?php } ?>
 
@@ -54,35 +54,35 @@ function tpl_content() { global $page, $webimroot, $current_locale, $menuItemsCo
 <tr>
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/visitors.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/users.php'>
+		<a href="<?php echo $webimroot ?>/operator/users.php">
 			<?php echo getlocal('topMenu.users') ?></a>
 		<?php echo getlocal('page_client.pending_users') ?>
-	</td>	
+	</td>
 
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/history.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/history.php'>
+		<a href="<?php echo $webimroot ?>/operator/history.php">
 			<?php echo getlocal('page_analysis.search.title') ?></a>
 		<?php echo getlocal('content.history') ?>
 	</td>
-<?php 
+<?php
 $menuItemsCount = 2;
 ?>
 
 <?php if($page['showstat']) { ?>
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/stat.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/statistics.php'>
+		<a href="<?php echo $webimroot ?>/operator/statistics.php">
 			<?php echo getlocal('statistics.title') ?></a>
 		<?php echo getlocal('statistics.description') ?>
 	</td>
 	<?php menuseparator(); ?>
 <?php } ?>
 
-<?php if( $page['showban'] ) { ?>	
+<?php if( $page['showban'] ) { ?>
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/blocked.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/blocked.php'>
+		<a href="<?php echo $webimroot ?>/operator/blocked.php">
 			<?php echo getlocal('menu.blocked') ?></a>
 		<?php echo getlocal('content.blocked') ?>
 	</td>
@@ -91,7 +91,7 @@ $menuItemsCount = 2;
 
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/canned.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/canned.php'>
+		<a href="<?php echo $webimroot ?>/operator/canned.php">
 			<?php echo getlocal('menu.canned') ?></a>
 		<?php echo getlocal('canned.descr') ?>
 	</td>
@@ -100,15 +100,15 @@ $menuItemsCount = 2;
 <?php if( $page['showadmin'] ) { ?>
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/getcode.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/getcode.php'>
+		<a href="<?php echo $webimroot ?>/operator/getcode.php">
 			<?php echo getlocal('leftMenu.client_gen_button') ?></a>
 		<?php echo getlocal('admin.content.client_gen_button') ?>
 	</td>
 	<?php menuseparator(); ?>
-	
+
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/operators.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/operators.php'>
+		<a href="<?php echo $webimroot ?>/operator/operators.php">
 			<?php echo getlocal('leftMenu.client_agents') ?></a>
 		<?php echo getlocal('admin.content.client_agents') ?>
 	</td>
@@ -117,16 +117,16 @@ $menuItemsCount = 2;
 <?php if($page['showgroups']) { ?>
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/dep.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/groups.php'>
+		<a href="<?php echo $webimroot ?>/operator/groups.php">
 			<?php echo getlocal('menu.groups') ?></a>
 		<?php echo getlocal('menu.groups.content') ?>
 	</td>
 	<?php menuseparator(); ?>
-<?php } ?>	
+<?php } ?>
 
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/settings.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/settings.php'>
+		<a href="<?php echo $webimroot ?>/operator/settings.php">
 			<?php echo getlocal('leftMenu.client_settings') ?></a>
 		<?php echo getlocal('admin.content.client_settings') ?>
 	</td>
@@ -135,8 +135,8 @@ $menuItemsCount = 2;
 
 <?php if(isset($page['currentopid']) && $page['currentopid']) {?>
 	<td class="dashitem">
-		<img src="<?php echo $webimroot ?>/images/dash/profile.gif"  alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/operator.php?op=<?php echo $page['currentopid'] ?>'>
+		<img src="<?php echo $webimroot ?>/images/dash/profile.gif" alt=""/>
+		<a href="<?php echo $webimroot ?>/operator/operator.php?op=<?php echo urlencode($page['currentopid']) ?>">
 			<?php echo getlocal('menu.profile') ?></a>
 		<?php echo getlocal('menu.profile.content') ?>
 	</td>
@@ -145,8 +145,8 @@ $menuItemsCount = 2;
 
 <?php if(isset($page) && isset($page['localeLinks'])) { ?>
 	<td class="dashitem">
-		<img src="<?php echo $webimroot ?>/images/dash/locale.gif"  alt=""/>
-		<a href='#' id="changelang">
+		<img src="<?php echo $webimroot ?>/images/dash/locale.gif" alt=""/>
+		<a href="#" id="changelang">
 			<?php echo getlocal('menu.locale') ?></a>
 		<?php echo getlocal('menu.locale.content') ?>
 	</td>
@@ -156,7 +156,7 @@ $menuItemsCount = 2;
 <?php if( $page['showadmin'] ) { ?>
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/updates.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/updates.php'>
+		<a href="<?php echo $webimroot ?>/operator/updates.php">
 			<?php echo getlocal('menu.updates') ?></a>
 		<?php echo getlocal('menu.updates.content') ?>
 	</td>
@@ -164,7 +164,7 @@ $menuItemsCount = 2;
 
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/notifications.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/notifications.php'>
+		<a href="<?php echo $webimroot ?>/operator/notifications.php">
 			<?php echo getlocal('menu.notifications') ?></a>
 		<?php echo getlocal('menu.notifications.content') ?>
 	</td>
@@ -173,7 +173,7 @@ $menuItemsCount = 2;
 
 	<td class="dashitem">
 		<img src="<?php echo $webimroot ?>/images/dash/exit.gif" alt=""/>
-		<a href='<?php echo $webimroot ?>/operator/logout.php'>
+		<a href="<?php echo $webimroot ?>/operator/logout.php">
 			<?php echo getlocal('topMenu.logoff') ?></a>
 		<?php echo getlocal('content.logoff') ?>
 	</td>
@@ -188,14 +188,14 @@ $menuItemsCount = 2;
 	<b><?php echo getlocal("lang.choose") ?></b></h2>
 	<ul class="locales">
 <?php foreach($page['localeLinks'] as $id => $title) { ?>
-		<li<?php echo $current_locale == $id ? " class=\"active\"" : "" ?> ><a href='?locale=<?php echo $id ?>'><?php echo $title ?></a></li>
+		<li<?php echo $current_locale == $id ? " class=\"active\"" : "" ?> ><a href="?locale=<?php echo urlencode($id) ?>"><?php echo htmlspecialchars($title) ?></a></li>
 <?php } ?>
 	</ul>
 </div>
-<div id="backgroundPopup"></div> 
+<div id="backgroundPopup"></div>
 <?php } ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/notification.php b/src/messenger/webim/view/notification.php
index d103f051..1bf31b05 100644
--- a/src/messenger/webim/view/notification.php
+++ b/src/messenger/webim/view/notification.php
@@ -54,7 +54,7 @@ $notification = $page['notification'];
 </div>
 
 <div class="message">
-<?php echo topage(prepare_html_message(htmlspecialchars($notification['tmessage']))) ?>
+<?php echo topage(prepare_html_message($notification['tmessage'])) ?>
 </div>
 </div>
 
@@ -64,7 +64,7 @@ $notification = $page['notification'];
 <br />
 
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/notifications.php b/src/messenger/webim/view/notifications.php
index 547b1659..bafebf46 100644
--- a/src/messenger/webim/view/notifications.php
+++ b/src/messenger/webim/view/notifications.php
@@ -37,19 +37,19 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("page.notifications.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 
 <form name="notifyFilterForm" method="get" action="<?php echo $webimroot ?>/operator/notifications.php">
-	
+
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
 	<div class="packedFormField">
 		<?php echo getlocal("notifications.kind") ?><br/>
-		<select name="kind" onchange="this.form.submit();"><?php 
-			foreach($page['allkinds'] as $k) { 
-				echo "<option value=\"".$k."\"".($k == form_value("kind") ? " selected=\"selected\"" : "").">".getlocal("notifications.kind.".($k ? $k : "all"))."</option>";
+		<select name="kind" onchange="this.form.submit();"><?php
+			foreach($page['allkinds'] as $k) {
+				echo "<option value=\"".htmlspecialchars($k)."\"".($k == form_value("kind") ? " selected=\"selected\"" : "").">".getlocal("notifications.kind.".($k ? $k : "all"))."</option>";
 			} ?></select>
 	</div>
 
@@ -57,12 +57,12 @@ require_once('inc_errors.php');
 		<?php echo getlocal("notifications.locale") ?><br/>
 		<select name="lang" onchange="this.form.submit();"><?php
 			foreach($page['locales'] as $k) {
-				echo "<option value=\"".$k["id"]."\"".($k["id"] == form_value("lang") ? " selected=\"selected\"" : "").">".$k["name"]."</option>";
+				echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("lang") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>";
 			} ?></select>
 	</div>
-	
+
 	<br clear="all"/>
-	
+
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
 </form>
 <br/>
@@ -84,14 +84,14 @@ require_once('inc_errors.php');
 </tr>
 </thead>
 <tbody>
-<?php 
+<?php
 if( $page['pagination.items'] ) {
 	foreach( $page['pagination.items'] as $b ) { ?>
 	<tr>
 	<td class="notlast">
-		<a href="<?php echo $webimroot ?>/operator/notification.php?id=<?php echo $b['id'] ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/notification.php?id=<?php echo $b['id'] ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;" class="<?php echo $b['vckind'] == 'xmpp' ? 'xmpp' : 'mail' ?>">
-   			<?php echo htmlspecialchars(shorten(topage($b['vcto']),30)) ?>
-   		</a>
+		<a href="<?php echo $webimroot ?>/operator/notification.php?id=<?php echo urlencode($b['id']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/notification.php?id=<?php echo urlencode($b['id']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;" class="<?php echo $b['vckind'] == 'xmpp' ? 'xmpp' : 'mail' ?>">
+			<?php echo htmlspecialchars(shorten(topage($b['vcto']),30)) ?>
+		</a>
 	</td>
 	<td class="notlast">
 		<?php echo htmlspecialchars(shorten(topage($b['vcsubject']),30)) ?>
@@ -100,11 +100,11 @@ if( $page['pagination.items'] ) {
 		<?php echo htmlspecialchars(shorten(topage($b['tmessage']),30)) ?>
 	</td>
 	<td>
-   		<?php echo date_to_text($b['created']) ?>
+		<?php echo date_to_text($b['created']) ?>
 	</td>
 	</tr>
 <?php
-	} 
+	}
 } else {
 ?>
 	<tr>
@@ -113,19 +113,19 @@ if( $page['pagination.items'] ) {
 	</td>
 	</tr>
 <?php 
-} 
+}
 ?>
 </tbody>
 </table>
 <?php
-	if( $page['pagination.items'] ) { 
+	if( $page['pagination.items'] ) {
 		echo "<br/>";
 		echo generate_pagination($page['pagination']);
 	}
-} 
+}
 ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/operator_groups.php b/src/messenger/webim/view/operator_groups.php
index 17d6e626..92004640 100644
--- a/src/messenger/webim/view/operator_groups.php
+++ b/src/messenger/webim/view/operator_groups.php
@@ -27,7 +27,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("operator.groups.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 <?php if( $page['stored'] ) { ?>
@@ -35,19 +35,20 @@ require_once('inc_errors.php');
 <?php } ?>
 
 <form name="opgroupsForm" method="post" action="<?php echo $webimroot ?>/operator/opgroups.php">
-<input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
+<?php print_csrf_token_input() ?>
+<input type="hidden" name="op" value="<?php echo htmlspecialchars($page['opid']) ?>"/>
 	<div>
 <?php print_tabbar(); ?>
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
 	<p>
-		<b><?php echo $page['currentop'] ?>&lrm;</b>
+		<b><?php echo htmlspecialchars($page['currentop']) ?>&lrm;</b>
 	</p>
 <?php foreach( $page['groups'] as $pm ) { ?>
 	<div class="field">
 		<div class="flabel"><?php echo htmlspecialchars(topage($pm['vclocalname'])) ?></div>
 		<div class="fvalue">
-			<input type="checkbox" name="group<?php echo $pm['groupid'] ?>" value="on"<?php echo form_value_mb('group',$pm['groupid']) ? " checked=\"checked\"" : "" ?><?php echo $page['canmodify'] ? "" : " disabled=\"disabled\"" ?>/>
+			<input type="checkbox" name="group<?php echo htmlspecialchars($pm['groupid']) ?>" value="on"<?php echo form_value_mb('group',$pm['groupid']) ? " checked=\"checked\"" : "" ?><?php echo $page['canmodify'] ? "" : " disabled=\"disabled\"" ?>/>
 		</div>
 		<div class="fdescr"> &mdash; <?php echo $pm['vclocaldescription'] ? htmlspecialchars(topage($pm['vclocaldescription'])) : getlocal("operator.group.no_description") ?></div>
 		<br clear="all"/>
@@ -56,14 +57,14 @@ require_once('inc_errors.php');
 
 <?php if($page['canmodify']) { ?>
 	<div class="fbutton">
-		<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+		<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 	</div>
 <?php } ?>
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
+	</div>
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/pending_users.php b/src/messenger/webim/view/pending_users.php
index 0ce48ac5..45bf188f 100644
--- a/src/messenger/webim/view/pending_users.php
+++ b/src/messenger/webim/view/pending_users.php
@@ -21,21 +21,21 @@ $page['menuid'] = "users";
 
 
 function tpl_header() { global $page, $webimroot, $jsver;
-?>	
+?>
 <script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/<?php echo $jsver ?>/common.js"></script>
 <script type="text/javascript" language="javascript"><!--
 var localized = new Array(
-    "<?php echo getlocal("pending.table.speak") ?>",
-    "<?php echo getlocal("pending.table.view") ?>",
-    "<?php echo getlocal("pending.table.ban") ?>",
+    "<?php echo htmlspecialchars(getlocal("pending.table.speak")) ?>",
+    "<?php echo htmlspecialchars(getlocal("pending.table.view")) ?>",
+    "<?php echo htmlspecialchars(getlocal("pending.table.ban")) ?>",
     "<?php echo htmlspecialchars(getlocal("pending.menu.show")) ?>",
     "<?php echo htmlspecialchars(getlocal("pending.menu.hide")) ?>",
     "<?php echo htmlspecialchars(getlocal("pending.popup_notification")) ?>"
 );
 var updaterOptions = {
 	url:"<?php echo $webimroot ?>/operator/update.php",wroot:"<?php echo $webimroot ?>",
-	agentservl:"<?php echo $webimroot ?>/operator/agent.php", frequency:<?php echo $page['frequency'] ?>, istatus:<?php echo $page['istatus'] ?>,  
-	noclients:"<?php echo getlocal("clients.no_clients") ?>", havemenu: <?php echo $page['havemenu'] ?>, showpopup: <?php echo $page['showpopup'] ?>, showonline: <?php echo $page['showonline'] ?> };
+	agentservl:"<?php echo $webimroot ?>/operator/agent.php", frequency:<?php echo htmlspecialchars($page['frequency']) ?>, istatus:<?php echo htmlspecialchars($page['istatus']) ?>,
+	noclients:"<?php echo htmlspecialchars(getlocal("clients.no_clients")) ?>", havemenu: <?php echo htmlspecialchars($page['havemenu']) ?>, showpopup: <?php echo htmlspecialchars($page['showpopup']) ?>, showonline: <?php echo htmlspecialchars($page['showonline']) ?> };
 //--></script>
 <script type="text/javascript" language="javascript" src="<?php echo $webimroot ?>/js/<?php echo $jsver ?>/users.js"></script>
 <?php
@@ -59,11 +59,11 @@ function tpl_content() { global $page, $webimroot;
 <tr>
 	<th class="first"><?php echo getlocal("pending.table.head.name") ?></th>
 	<th><?php echo getlocal("pending.table.head.contactid") ?></th>
-    <th><?php echo getlocal("pending.table.head.state") ?></th>
-    <th><?php echo getlocal("pending.table.head.operator") ?></th>
-    <th><?php echo getlocal("pending.table.head.total") ?></th>
-    <th><?php echo getlocal("pending.table.head.waittime") ?></th>
-    <th><?php echo getlocal("pending.table.head.etc") ?></th>
+	<th><?php echo getlocal("pending.table.head.state") ?></th>
+	<th><?php echo getlocal("pending.table.head.operator") ?></th>
+	<th><?php echo getlocal("pending.table.head.total") ?></th>
+	<th><?php echo getlocal("pending.table.head.waittime") ?></th>
+	<th><?php echo getlocal("pending.table.head.etc") ?></th>
 </tr>
 </thead>
 <tbody>
@@ -97,7 +97,7 @@ function tpl_content() { global $page, $webimroot;
 </div>
 <?php } ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/performance.php b/src/messenger/webim/view/performance.php
index 4e8ae7b1..2ab6b9af 100644
--- a/src/messenger/webim/view/performance.php
+++ b/src/messenger/webim/view/performance.php
@@ -27,7 +27,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("page_settings.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 <?php if( $page['stored'] ) { ?>
@@ -96,21 +96,21 @@ require_once('inc_errors.php');
 		</div>
 		
 		<div class="fbutton">
-			<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+			<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 		</div>
 
 	</div>
-	
+
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
-	
+	</div>
+
 	<div class="asterisk">
 		<?php echo getlocal("common.asterisk_explanation") ?>
 	</div>
 
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/permissions.php b/src/messenger/webim/view/permissions.php
index 23f9f8f3..7ceda0e5 100644
--- a/src/messenger/webim/view/permissions.php
+++ b/src/messenger/webim/view/permissions.php
@@ -27,7 +27,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("permissions.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 <?php if( $page['stored'] ) { ?>
@@ -36,31 +36,31 @@ require_once('inc_errors.php');
 
 <form name="permissionsForm" method="post" action="<?php echo $webimroot ?>/operator/permissions.php">
 <?php print_csrf_token_input() ?>
-<input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
+<input type="hidden" name="op" value="<?php echo htmlspecialchars($page['opid']) ?>"/>
 	<div>
 <?php print_tabbar(); ?>
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
 	<p>
-		<b><?php echo $page['currentop'] ?>&lrm;</b>
+		<b><?php echo htmlspecialchars($page['currentop']) ?>&lrm;</b>
 	</p>
 <?php foreach( $page['permissionsList'] as $pm ) { ?>
 	<label>
-		<input type="checkbox" name="permissions<?php echo $pm['id'] ?>" value="on"<?php echo form_value_mb('permissions',$pm['id']) ? " checked=\"checked\"" : "" ?><?php echo $page['canmodify'] ? "" : " disabled=\"disabled\"" ?>/> <?php echo $pm['descr'] ?>
+		<input type="checkbox" name="permissions<?php echo htmlspecialchars($pm['id']) ?>" value="on"<?php echo form_value_mb('permissions',$pm['id']) ? " checked=\"checked\"" : "" ?><?php echo $page['canmodify'] ? "" : " disabled=\"disabled\"" ?>/> <?php echo htmlspecialchars($pm['descr']) ?>
 	</label>
 	<br/>
 <?php } ?>
 
 <?php if($page['canmodify']) { ?>
 	<div class="fbutton">
-		<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+		<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 	</div>
 <?php } ?>
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
+	</div>
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/resetpwd.php b/src/messenger/webim/view/resetpwd.php
index bbdbde14..7eb71dec 100644
--- a/src/messenger/webim/view/resetpwd.php
+++ b/src/messenger/webim/view/resetpwd.php
@@ -23,13 +23,13 @@ $page['headertitle'] = getlocal("app.title");
 $page['show_small_login'] = true;
 $page['fixedwrap'] = true;
 
-function tpl_content() { 
+function tpl_content() {
 	global $page, $webimroot, $errors;
 	
 	if($page['isdone']) {
 ?>
 <div id="loginpane">
-	<div class="header">	
+	<div class="header">
 		<h2><?php echo getlocal("resetpwd.changed.title") ?></h2>
 	</div>
 
@@ -37,32 +37,32 @@ function tpl_content() {
 		<?php echo getlocal("resetpwd.changed") ?>
 		<br/>
 		<br/>
-		<a href="login.php?login=<?php echo $page['loginname'] ?>"><?php echo getlocal("resetpwd.login") ?></a>
+		<a href="login.php?login=<?php echo urlencode($page['loginname']) ?>"><?php echo getlocal("resetpwd.login") ?></a>
 	</div>
-</div>	
-	
-<?php 		
+</div>
+
+<?php
 	} else {
 ?>
 
 <form name="resetForm" method="post" action="<?php echo $webimroot ?>/operator/resetpwd.php">
-<input type="hidden" name="id" value="<?php echo $page['id'] ?>"/>
-<input type="hidden" name="token" value="<?php echo $page['token'] ?>"/>
+<input type="hidden" name="id" value="<?php echo htmlspecialchars($page['id']) ?>"/>
+<input type="hidden" name="token" value="<?php echo htmlspecialchars($page['token']) ?>"/>
 
 	<div id="loginpane">
 
-	<div class="header">	
+	<div class="header">
 		<h2><?php echo getlocal("resetpwd.title") ?></h2>
 	</div>
 
 	<div class="fieldForm">
-	
+
 		<?php echo getlocal("resetpwd.intro") ?><br/><br/>
 
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
-	
+
 <?php if($page['showform']) { ?>
 		<div class="field">
 			<div class="fleftlabel"><?php echo getlocal('form.field.password') ?></div>
@@ -83,11 +83,11 @@ require_once('inc_errors.php');
 		<div class="fbutton">
 			<table class="submitbutton"><tr>
 				<td><a href="javascript:document.resetForm.submit();">
-					<img src='<?php echo $webimroot ?>/images/submit.gif' width="40" height="35" border="0" alt="" /></a></td>
+					<img src="<?php echo $webimroot ?>/images/submit.gif" width="40" height="35" border="0" alt="" /></a></td>
 				<td class="submit"><a href="javascript:document.resetForm.submit();">
 					<?php echo getlocal("resetpwd.submit") ?></a></td>
 				<td><a href="javascript:document.resetForm.submit();">
-					<img src='<?php echo $webimroot ?>/images/submitrest.gif' width="10" height="35" border="0" alt="" /></a></td>
+					<img src="<?php echo $webimroot ?>/images/submitrest.gif" width="10" height="35" border="0" alt="" /></a></td>
 			</tr></table>
 
 			<div class="links">
@@ -99,10 +99,10 @@ require_once('inc_errors.php');
 <?php } ?>
 	</div>
 
-	</div>		
+	</div>
 </form>
 
-<?php 
+<?php
 	}
 } /* content */
 
diff --git a/src/messenger/webim/view/settings.php b/src/messenger/webim/view/settings.php
index 001aad20..914bb107 100644
--- a/src/messenger/webim/view/settings.php
+++ b/src/messenger/webim/view/settings.php
@@ -27,7 +27,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("page_settings.intro") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 <?php if( $page['stored'] ) { ?>
@@ -116,7 +116,7 @@ require_once('inc_errors.php');
 		<div class="field">
 			<div class="flabel"><?php echo getlocal('settings.chatstyle') ?></div>
 			<div class="fvalue">
-				<select name="chatstyle" ><?php foreach($page['availableStyles'] as $k) { echo "<option value=\"".$k."\"".($k == form_value("chatstyle") ? " selected=\"selected\"" : "").">".$k."</option>"; } ?></select>
+				<select name="chatstyle" ><?php foreach($page['availableStyles'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("chatstyle") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select>
 			</div>
 			<div class="fdescr"> &mdash; <?php echo getlocal('settings.chatstyle.description') ?></div>
 			<br clear="all"/>
@@ -133,21 +133,21 @@ require_once('inc_errors.php');
 		</div>
 
 		<div class="fbutton">
-			<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+			<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 		</div>
 
 	</div>
 	
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
-	
+	</div>
+
 	<div class="asterisk">
 		<?php echo getlocal("common.asterisk_explanation") ?>
 	</div>
 
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/statistics.php b/src/messenger/webim/view/statistics.php
index 67973aba..5e3ead84 100644
--- a/src/messenger/webim/view/statistics.php
+++ b/src/messenger/webim/view/statistics.php
@@ -25,7 +25,7 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("statistics.description") ?>
 <br />
 <br />
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 
@@ -39,18 +39,18 @@ require_once('inc_errors.php');
 			<div class="fvaluenodesc">
 				<div class="searchctrl">
 					<?php echo getlocal("statistics.from") ?>
-					<select name="startday"><?php foreach($page['availableDays'] as $k) { echo "<option value=\"".$k."\"".($k == form_value("startday") ? " selected=\"selected\"" : "").">".$k."</option>"; } ?></select>
-			
-					<select name="startmonth"><?php foreach($page['availableMonth'] as $k => $v) { echo "<option value=\"".$k."\"".($k == form_value("startmonth") ? " selected=\"selected\"" : "").">".$v."</option>"; } ?></select>
+					<select name="startday"><?php foreach($page['availableDays'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("startday") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select>
+
+					<select name="startmonth"><?php foreach($page['availableMonth'] as $k => $v) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("startmonth") ? " selected=\"selected\"" : "").">" . htmlspecialchars($v) . "</option>"; } ?></select>
 				</div>
 				<div class="searchctrl">
 					<?php echo getlocal("statistics.till") ?>
-					<select name="endday"><?php foreach($page['availableDays'] as $k) { echo "<option value=\"".$k."\"".($k == form_value("endday") ? " selected=\"selected\"" : "").">".$k."</option>"; } ?></select>
-			
-					<select name="endmonth"><?php foreach($page['availableMonth'] as $k => $v) { echo "<option value=\"".$k."\"".($k == form_value("endmonth") ? " selected=\"selected\"" : "").">".$v."</option>"; } ?></select>
+					<select name="endday"><?php foreach($page['availableDays'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("endday") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select>
+
+					<select name="endmonth"><?php foreach($page['availableMonth'] as $k => $v) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("endmonth") ? " selected=\"selected\"" : "").">" . htmlspecialchars($v) . "</option>"; } ?></select>
 				</div>
 				<div id="searchbutton">
-					<input type="image" name="search" src='<?php echo $webimroot.getlocal("image.button.search") ?>' alt='<?php echo getlocal("button.search") ?>'/>
+					<input type="image" name="search" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.search")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.search")) ?>"/>
 				</div>
 			</div>
 			<br clear="all"/>
@@ -84,17 +84,17 @@ require_once('inc_errors.php');
 <?php if( $page['reportByDate'] ) { ?>
 	<?php foreach( $page['reportByDate'] as $row ) { ?>
 	<tr>
-		<td><?php echo $row['date'] ?></td>
-		<td><?php echo $row['threads'] ?></td>
-		<td><?php echo $row['agents'] ?></td>
-		<td><?php echo $row['users'] ?></td>
+		<td><?php echo htmlspecialchars($row['date']) ?></td>
+		<td><?php echo htmlspecialchars($row['threads']) ?></td>
+		<td><?php echo htmlspecialchars($row['agents']) ?></td>
+		<td><?php echo htmlspecialchars($row['users']) ?></td>
 	</tr>
 	<?php } ?>
 	<tr>
 		<td><b><?php echo getlocal("report.total") ?></b></td>
-		<td><?php echo $page['reportByDateTotal']['threads'] ?></td>
-		<td><?php echo $page['reportByDateTotal']['agents'] ?></td>
-		<td><?php echo $page['reportByDateTotal']['users'] ?></td>
+		<td><?php echo htmlspecialchars($page['reportByDateTotal']['threads']) ?></td>
+		<td><?php echo htmlspecialchars($page['reportByDateTotal']['agents']) ?></td>
+		<td><?php echo htmlspecialchars($page['reportByDateTotal']['users']) ?></td>
 	</tr>
 <?php } else { ?>
 	<tr>
@@ -122,14 +122,14 @@ require_once('inc_errors.php');
 	<?php echo getlocal("report.byoperator.4") ?>
 </th></tr>
 </thead>
-<tbody>	
+<tbody>
 <?php if( $page['reportByAgent'] ) { ?>
 	<?php foreach( $page['reportByAgent'] as $row ) { ?>
 	<tr>
 		<td><?php echo topage(htmlspecialchars($row['name'])) ?></td>
-		<td><?php echo $row['threads'] ?></td>
-		<td><?php echo $row['msgs'] ?></td>
-    	<td><?php echo $row['avglen'] ?></td>
+		<td><?php echo htmlspecialchars($row['threads']) ?></td>
+		<td><?php echo htmlspecialchars($row['msgs']) ?></td>
+		<td><?php echo htmlspecialchars($row['avglen']) ?></td>
 	</tr>
 	<?php } ?>
 <?php } else { ?>
@@ -144,7 +144,7 @@ require_once('inc_errors.php');
 
 <?php } ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/themes.php b/src/messenger/webim/view/themes.php
index dc2b5728..f0d42ebe 100644
--- a/src/messenger/webim/view/themes.php
+++ b/src/messenger/webim/view/themes.php
@@ -37,13 +37,13 @@ function tpl_content() { global $page, $webimroot;
 		<div class="field">
 			<div class="flabel"><?php echo getlocal("page.preview.choose") ?></div>
 			<div class="fvaluenodesc">
-				<select name="preview" onchange="this.form.submit();"><?php foreach($page['availablePreviews'] as $k) { echo "<option value=\"".$k."\"".($k == form_value("preview") ? " selected=\"selected\"" : "").">".$k."</option>"; } ?></select>
+				<select name="preview" onchange="this.form.submit();"><?php foreach($page['availablePreviews'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("preview") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select>
 			</div>
 		</div>
 		<div class="field">
 			<div class="flabel"><?php echo getlocal("page.preview.choosetpl") ?></div>
 			<div class="fvaluenodesc">
-				<select name="template" onchange="this.form.submit();"><?php foreach($page['availableTemplates'] as $k) { echo "<option value=\"".$k."\"".($k == form_value("template") ? " selected=\"selected\"" : "").">".$k."</option>"; } ?></select>
+				<select name="template" onchange="this.form.submit();"><?php foreach($page['availableTemplates'] as $k) { echo "<option value=\"" . htmlspecialchars($k) . "\"".($k == form_value("template") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k) . "</option>"; } ?></select>
 			</div>
 		</div>
 <?php if( $page['canshowerrors'] ) { ?>
@@ -58,10 +58,10 @@ function tpl_content() { global $page, $webimroot;
 		<div class="field">
 			<div class="flabel">
 			<?php echo htmlspecialchars($pp['label']) ?>
-			<a href="<?php echo $page['showlink'] ?><?php echo $pp['id'] ?>" target="_blank" title="in separate window" onclick="this.newWindow = window.open('<?php echo $page['showlink'] ?><?php echo $pp['id'] ?>', '<?php echo $pp['id'] ?>', 'toolbar=0,scrollbars=0,location=0,statusbar=1,menubar=0,width=<?php echo $pp['w'] ?>,height=<?php echo $pp['h'] ?>,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;">link</a>
+			<a href="<?php echo htmlspecialchars($page['showlink']) ?><?php echo htmlspecialchars($pp['id']) ?>" target="_blank" title="in separate window" onclick="this.newWindow = window.open('<?php echo htmlspecialchars($page['showlink']) ?><?php echo htmlspecialchars($pp['id']) ?>', '<?php echo htmlspecialchars($pp['id']) ?>', 'toolbar=0,scrollbars=0,location=0,statusbar=1,menubar=0,width=<?php echo htmlspecialchars($pp['w']) ?>,height=<?php echo htmlspecialchars($pp['h']) ?>,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;">link</a>
 			</div>
 			<div class="fvalueframe">
-			<iframe id="sample<?php echo $pp['id'] ?>" width="<?php echo $pp['w'] ?>" height="<?php echo $pp['h'] ?>" src="<?php echo $page['showlink'] ?><?php echo $pp['id'] ?>" frameborder="0" scrolling="no">
+			<iframe id="sample<?php echo htmlspecialchars($pp['id']) ?>" width="<?php echo htmlspecialchars($pp['w']) ?>" height="<?php echo htmlspecialchars($pp['h']) ?>" src="<?php echo $page['showlink'] ?><?php echo htmlspecialchars($pp['id']) ?>" frameborder="0" scrolling="no">
 				No iframes
 			</iframe>
 			</div>
@@ -70,10 +70,10 @@ function tpl_content() { global $page, $webimroot;
 	</div>
 	
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-	</div>		
+	</div>
 </form>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/thread_search.php b/src/messenger/webim/view/thread_search.php
index 90188cd2..55016e62 100644
--- a/src/messenger/webim/view/thread_search.php
+++ b/src/messenger/webim/view/thread_search.php
@@ -37,13 +37,13 @@ function tpl_content() { global $page, $webimroot;
 					<input type="text" name="q" size="80" value="<?php echo form_value('q') ?>" class="formauth"/>
 				</div>
 				<div id="searchbutton">
-					<input type="image" name="search" src='<?php echo $webimroot.getlocal("image.button.search") ?>' alt='<?php echo getlocal("button.search") ?>'/>
+					<input type="image" name="search" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.search")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.search")) ?>"/>
 				</div>
 			</div>
 			<br clear="all"/>
 		</div>
 	</div>
-	
+
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
 </form>
 <br/>
@@ -67,33 +67,33 @@ function tpl_content() { global $page, $webimroot;
 </th></tr>
 </thead>
 <tbody>
-<?php 
+<?php
 if( $page['pagination.items'] ) {
 	foreach( $page['pagination.items'] as $chatthread ) { ?>
 	<tr>
 		<td>
-			<a href="<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo $chatthread['threadid'] ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo $chatthread['threadid'] ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo topage(htmlspecialchars($chatthread['userName'])) ?></a>
+			<a href="<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo topage(htmlspecialchars($chatthread['userName'])) ?></a>
 		</td>
 		<td>
-        	<?php echo get_user_addr(topage($chatthread['remote'])) ?>
+		<?php echo get_user_addr(topage($chatthread['remote'])) ?>
 		</td>
 		<td>
-        	<?php if( $chatthread['agentName'] ) {
-        		echo topage(htmlspecialchars($chatthread['agentName']));
-        	} else if($chatthread['groupid'] && $chatthread['groupid'] != 0 && isset($page['groupName'][$chatthread['groupid']])) {
-        		echo "- ".topage(htmlspecialchars($page['groupName'][$chatthread['groupid']]))." -";
-        	} 
-        	?>
+		<?php if( $chatthread['agentName'] ) {
+			echo topage(htmlspecialchars($chatthread['agentName']));
+		} else if($chatthread['groupid'] && $chatthread['groupid'] != 0 && isset($page['groupName'][$chatthread['groupid']])) {
+			echo "- ".topage(htmlspecialchars($page['groupName'][$chatthread['groupid']]))." -";
+		}
+		?>
 		</td>
 		<td>
-        	<?php echo topage(htmlspecialchars($chatthread['size'])) ?>
+		<?php echo topage(htmlspecialchars($chatthread['size'])) ?>
 		</td>
 		<td>
 			<?php echo date_diff_to_text($chatthread['modified']-$chatthread['created']) ?>, <?php echo date_to_text($chatthread['created']) ?>
 		</td>
 	</tr>
 <?php
-	} 
+	}
 } else {
 ?>
 	<tr>
@@ -101,20 +101,20 @@ if( $page['pagination.items'] ) {
 		<?php echo getlocal("tag.pagination.no_items") ?>
 	</td>
 	</tr>
-<?php 
-} 
+<?php
+}
 ?>
 </tbody>
 </table>
 <?php
-	if( $page['pagination.items'] ) { 
+	if( $page['pagination.items'] ) {
 		echo "<br/>";
 		echo generate_pagination($page['pagination']);
 	}
-} 
+}
 ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/translate.php b/src/messenger/webim/view/translate.php
index eb66b36e..950f6348 100644
--- a/src/messenger/webim/view/translate.php
+++ b/src/messenger/webim/view/translate.php
@@ -35,43 +35,44 @@ function tpl_content() { global $page, $webimroot, $errors;
 <?php echo getlocal("page.translate.one") ?>
 <br/>
 <br/>
-<?php 
+<?php
 require_once('inc_errors.php');
 ?>
 
 <form name="translateForm" method="post" action="<?php echo $webimroot ?>/operator/translate.php">
 <?php print_csrf_token_input() ?>
-<input type="hidden" name="key" value="<?php echo $page['key'] ?>"/>
-<input type="hidden" name="target" value="<?php echo $page['target'] ?>"/>
+<input type="hidden" name="key" value="<?php echo htmlspecialchars($page['key']) ?>"/>
+<input type="hidden" name="target" value="<?php echo htmlspecialchars($page['target']) ?>"/>
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
 
 	<div class="fieldForm">
 		<div class="field">
-			<div class="flabel"><?php echo $page['title1'] ?></div>
+			<div class="flabel"><?php echo htmlspecialchars($page['title1']) ?></div>
 			<div class="fvaluenodesc">
 				<textarea name="original" disabled="disabled" cols="20" rows="5" class="wide"><?php echo form_value('original') ?></textarea>
 			</div>
 		</div>
 
 		<div class="field">
-			<div class="flabel"><?php echo $page['title2'] ?></div>
+			<div class="flabel"><?php echo htmlspecialchars($page['title2']) ?></div>
 			<div class="fvaluenodesc">
 				<textarea name="translation" cols="20" rows="5" class="wide"><?php echo form_value('translation') ?></textarea>
 			</div>
 		</div>
-	
+
 		<div class="fbutton">
-			<input type="image" name="save" value="" src='<?php echo $webimroot.getlocal("image.button.save") ?>' alt='<?php echo getlocal("button.save") ?>'/>
+			<input type="image" name="save" value="" src="<?php echo $webimroot . htmlspecialchars(getlocal("image.button.save")) ?>" alt="<?php echo htmlspecialchars(getlocal("button.save")) ?>"/>
 		</div>
 	</div>
-	
+
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
 </form>
 
 <?php } ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
 ?>
+
diff --git a/src/messenger/webim/view/translatelist.php b/src/messenger/webim/view/translatelist.php
index 35324356..37d84e13 100644
--- a/src/messenger/webim/view/translatelist.php
+++ b/src/messenger/webim/view/translatelist.php
@@ -34,41 +34,41 @@ function tpl_content() { global $page, $webimroot;
 		<?php echo getlocal("translate.direction") ?><br/>
 		<select name="source" onchange="this.form.submit();"><?php 
 			foreach($page['availableLocales'] as $k) { 
-				echo "<option value=\"".$k["id"]."\"".($k["id"] == form_value("source") ? " selected=\"selected\"" : "").">".$k["name"]."</option>";
+				echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("source") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>";
 			} ?></select>
 		=&gt;
-		<select name="target" onchange="this.form.submit();"><?php 
+		<select name="target" onchange="this.form.submit();"><?php
 			foreach($page['availableLocales'] as $k) { 
-				echo "<option value=\"".$k["id"]."\"".($k["id"] == form_value("target") ? " selected=\"selected\"" : "").">".$k["name"]."</option>";
+				echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("target") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>";
 			} ?></select>
 	</div>
-	
+
 	<div class="packedFormField">
 		<?php echo getlocal("translate.sort") ?><br/>
 		<select name="sort" onchange="this.form.submit();"><?php
 			foreach($page['availableOrders'] as $k) {
-				echo "<option value=\"".$k["id"]."\"".($k["id"] == form_value("sort") ? " selected=\"selected\"" : "").">".$k["name"]."</option>";
+				echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("sort") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>";
 			} ?></select>
 	</div>
-	
+
 	<div class="packedFormField">
 		<?php echo getlocal("translate.show") ?><br/>
 		<select name="show" onchange="this.form.submit();"><?php 
 			foreach($page['showOptions'] as $k) { 
-				echo "<option value=\"".$k["id"]."\"".($k["id"] == form_value("show") ? " selected=\"selected\"" : "").">".$k["name"]."</option>";
+				echo "<option value=\"" . htmlspecialchars($k["id"]) . "\"".($k["id"] == form_value("show") ? " selected=\"selected\"" : "").">" . htmlspecialchars($k["name"]) . "</option>";
 			} ?></select>
 	</div>
-	
+
 	<br clear="all"/>
-	
+
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
 </form>
 <br/>
 
 
-<?php 
-if( $page['pagination'] ) { 
-	if( $page['pagination.items'] ) { 
+<?php
+if( $page['pagination'] ) {
+	if( $page['pagination.items'] ) {
 		echo generate_pagination($page['pagination'], false);
 	}
 ?>
@@ -78,18 +78,18 @@ if( $page['pagination'] ) {
 	<tr class="header"><th>
 		Key
 	</th><th>
-		<?php echo topage($page['title1']) ?>
+		<?php echo htmlspecialchars(topage($page['title1'])) ?>
 	</th><th>
-		<?php echo topage($page['title2']) ?>
+		<?php echo htmlspecialchars(topage($page['title2'])) ?>
 	</th></tr>
 </thead>
 <tbody>
-<?php 
-if( $page['pagination.items'] ) {	
+<?php
+if( $page['pagination.items'] ) {
 	foreach( $page['pagination.items'] as $localstr ) { ?>
 	<tr>
 		<td>
-			<a href="<?php echo $webimroot ?>/operator/translate.php?source=<?php echo $page['lang1'] ?>&amp;target=<?php echo $page['lang2'] ?>&amp;key=<?php echo $localstr['id'] ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/translate.php?source=<?php echo $page['lang1'] ?>&amp;target=<?php echo $page['lang2'] ?>&amp;key=<?php echo $localstr['id'] ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=640,height=480,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo topage($localstr['id']) ?></a>
+			<a href="<?php echo $webimroot ?>/operator/translate.php?source=<?php echo urlencode($page['lang1']) ?>&amp;target=<?php echo urlencode($page['lang2']) ?>&amp;key=<?php echo urlencode($localstr['id']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/translate.php?source=<?php echo urlencode($page['lang1']) ?>&amp;target=<?php echo urlencode($page['lang2']) ?>&amp;key=<?php echo urlencode($localstr['id']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=640,height=480,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo htmlspecialchars(topage($localstr['id'])) ?></a>
 		</td>
 		<td>
 			<?php echo topage($localstr['l1']) ?>
@@ -99,7 +99,7 @@ if( $page['pagination.items'] ) {
 		</td>
 	</tr>
 <?php
-	} 
+	}
 } else {
 ?>
 	<tr>
@@ -107,8 +107,8 @@ if( $page['pagination.items'] ) {
 		<?php echo getlocal("tag.pagination.no_items") ?>
 	</td>
 	</tr>
-<?php 
-} 
+<?php
+}
 ?>
 </tbody>
 </table>
@@ -117,10 +117,10 @@ if( $page['pagination.items'] ) {
 		echo "<br/>";
 		echo generate_pagination($page['pagination']);
 	}
-} 
+}
 ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/updates.php b/src/messenger/webim/view/updates.php
index 88165abd..662083cb 100644
--- a/src/messenger/webim/view/updates.php
+++ b/src/messenger/webim/view/updates.php
@@ -41,29 +41,29 @@ function tpl_content() { global $page, $webimroot;
 		</div>
 		
 		<?php echo getlocal("updates.current")?><br/>
-			<div id="cver"><?php echo $page['version'] ?></div>
-			
+			<div id="cver"><?php echo htmlspecialchars($page['version']) ?></div>
+
 		<br/>
 
 		<?php echo getlocal("updates.latest")?>
 			<div id="lver"></div>
-		
+
 		<br/>
 			
 		<?php echo getlocal("updates.installed_locales")?><br/>
 			<?php foreach( $page['localizations'] as $loc ) { ?>
-				<?php echo $loc ?>
+				<?php echo htmlspecialchars($loc) ?>
 			<?php } ?>
-		
-		<br/><br/>	
-		
+
+		<br/><br/>
+
 		<?php echo getlocal("updates.env")?><br/>
-			PHP <?php echo $page['phpVersion'] ?>
+			PHP <?php echo htmlspecialchars($page['phpVersion']) ?>
 
 	</div><div class="formbottom"><div class="formbottomi"></div></div></div>
-</div>		
+</div>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');
diff --git a/src/messenger/webim/view/userhistory.php b/src/messenger/webim/view/userhistory.php
index 437163e3..fe2d363a 100644
--- a/src/messenger/webim/view/userhistory.php
+++ b/src/messenger/webim/view/userhistory.php
@@ -46,20 +46,20 @@ if( $page['pagination.items'] ) {
 	foreach( $page['pagination.items'] as $chatthread ) { ?>
 	<tr>
 		<td>
-			<a href="<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo $chatthread['threadid'] ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo $chatthread['threadid'] ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo topage(htmlspecialchars($chatthread['userName'])) ?></a>
+			<a href="<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>" target="_blank" onclick="this.newWindow = window.open('<?php echo $webimroot ?>/operator/threadprocessor.php?threadid=<?php echo urlencode($chatthread['threadid']) ?>', '', 'toolbar=0,scrollbars=1,location=0,status=1,menubar=0,width=720,height=520,resizable=1');this.newWindow.focus();this.newWindow.opener=window;return false;"><?php echo topage(htmlspecialchars($chatthread['userName'])) ?></a>
 		</td>
 		<td>
-        	<?php echo get_user_addr(topage($chatthread['remote'])) ?>
+		<?php echo get_user_addr(topage($chatthread['remote'])) ?>
 		</td>
 		<td>
-        	<?php if( $chatthread['agentName'] ) { ?><?php echo topage(htmlspecialchars($chatthread['agentName'])) ?><?php } ?>
+		<?php if( $chatthread['agentName'] ) { ?><?php echo topage(htmlspecialchars($chatthread['agentName'])) ?><?php } ?>
 		</td>
 		<td>
 			<?php echo date_diff_to_text($chatthread['modified']-$chatthread['created']) ?>, <?php echo date_to_text($chatthread['created']) ?>
 		</td>
 	</tr>
 <?php
-	} 
+	}
 } else {
 ?>
 	<tr>
@@ -67,8 +67,8 @@ if( $page['pagination.items'] ) {
 		<?php echo getlocal("tag.pagination.no_items") ?>
 	</td>
 	</tr>
-<?php 
-} 
+<?php
+}
 ?>
 </tbody>
 </table>
@@ -77,10 +77,10 @@ if( $page['pagination.items'] ) {
 		echo "<br/>";
 		echo generate_pagination($page['pagination']);
 	}
-} 
+}
 ?>
 
-<?php 
+<?php
 } /* content */
 
 require_once('inc_main.php');