diff --git a/pages/dashboard.php b/pages/dashboard.php
index 85395f1..2b70789 100644
--- a/pages/dashboard.php
+++ b/pages/dashboard.php
@@ -5,7 +5,7 @@
$HTML->ReplaceSeitenInhalt("%%GLOBAL-USER-COUNT%%", $RUNTIME['OPENSIM']->getUserCount());
$HTML->ReplaceSeitenInhalt("%%GLOBAL-REGION-COUNT%%", $RUNTIME['OPENSIM']->getRegionCount());
- $HTML->ReplaceLayoutInhalt("%%USERNAME%%", $_SESSION['DISPLAYNAME']);
+ $HTML->ReplaceLayoutInhalt("%%USERNAME%%", htmlspecialchars($_SESSION['DISPLAYNAME']));
$HTML->build();
echo $HTML->ausgabe();
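Review bot: The new `htmlspecialchars($_SESSION['DISPLAYNAME'])` call relies on the function's default flags, which only became `ENT_QUOTES | ENT_SUBSTITUTE` in PHP 8.1; on older runtimes single quotes are left unescaped and an invalid UTF-8 byte sequence makes the call return an empty string instead of a substituted one. Passing the flags and charset explicitly, `htmlspecialchars($_SESSION['DISPLAYNAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, makes the escaping independent of the PHP version, and a one-line helper for the repo would avoid repeating the argument list. The same default-flag call is made in the friends.php, groups.php, identities.php, login.php, password.php, profile.php, regions.php, register.php, user-online-state.php, users.php and default-html.php hunks. The minimum PHP version of the project is not visible in the diff, so treat this as a caveat rather than a confirmed defect.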
diff --git a/pages/friends.php b/pages/friends.php
index 2a7d5aa..d1b72bc 100644
--- a/pages/friends.php
+++ b/pages/friends.php
@@ -29,8 +29,7 @@
$FriendData[1] = str_replace("http://", "", $FriendData[1]);
$FriendData[1] = str_replace("https://", "", $FriendData[1]);
$FriendData[1] = str_replace("/", "", $FriendData[1]);
- $entry = '
'.trim($RUNTIME['OPENSIM']->getUserName($Friend)).' @ '.strtolower($FriendData[1]).' | LÖSCHEN |
';
-
+ $entry = ''.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($Friend)).' @ '.strtolower($FriendData[1])).' | LÖSCHEN |
';
}
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
diff --git a/pages/groups.php b/pages/groups.php
index a5653d0..7c3d908 100644
--- a/pages/groups.php
+++ b/pages/groups.php
@@ -20,7 +20,7 @@
while($rowGroups = $statementGroups->fetch())
{
- $entry = ''.$rowGroups['Name'].' | '.$RUNTIME['OPENSIM']->getUserName($rowGroups['FounderID']).' | VERLASSEN |
';
+ $entry = ''.htmlspecialchars($rowGroups['Name']).' | '.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($rowGroups['FounderID'])).' | VERLASSEN |
';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
}
}
diff --git a/pages/identities.php b/pages/identities.php
index 1045d46..6940e0c 100644
--- a/pages/identities.php
+++ b/pages/identities.php
@@ -106,9 +106,9 @@
{
if($row['IdentityID'] == $_SESSION['UUID'])
{
- $entry = ''.trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])).' Aktiv | - |
';
+ $entry = ''.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID']))).' Aktiv | - |
';
}else{
- $entry = ''.trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])).' | |
';
+ $entry = ''.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID']))).' | |
';
}
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
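Review bot: Both branches of the new code build the same `htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])))` expression, so the only real difference between them (the ` Aktiv` marker) is buried in two long lines and `getUserName` is looked up twice in source. Hoisting it once above the `if`, `$name = htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])));`, and then writing `$entry = ''.$name.' Aktiv | - |` / `$entry = ''.$name.' | |` in the branches keeps the escaping in one place. The loop enclosing this hunk begins before it, so whether `$row` can carry an empty IdentityID is not visible here.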
diff --git a/pages/login.php b/pages/login.php
index d8c996b..9cda6fe 100644
--- a/pages/login.php
+++ b/pages/login.php
@@ -52,7 +52,7 @@
}
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']);
- $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", $_POST['username']);
+ $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username']));
}
}
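Review bot: `htmlspecialchars($_POST['username'])` on the added line assumes the `username` key is present; if this error branch is reached from a request without it, PHP emits an undefined-index warning and, from 8.1 on, a "passing null to parameter #1" deprecation, and the template gets an empty string anyway. `htmlspecialchars($_POST['username'] ?? '')` states that fallback explicitly. The if/else enclosing this hunk starts outside it, so an earlier check that already guarantees the key may exist but is not visible here.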
diff --git a/pages/password.php b/pages/password.php
index 0fdf060..02355b0 100644
--- a/pages/password.php
+++ b/pages/password.php
@@ -57,10 +57,10 @@
if($PartnerUUID != null)$PartnerName = $RUNTIME['OPENSIM']->getUserName($PartnerUUID);
$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' ');
- $HTML->ReplaceSeitenInhalt("%%firstname%%", $_SESSION['FIRSTNAME']);
- $HTML->ReplaceSeitenInhalt("%%lastname%%", $_SESSION['LASTNAME']);
- $HTML->ReplaceSeitenInhalt("%%partner%%", $PartnerName);
- $HTML->ReplaceSeitenInhalt("%%email%%", $RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID']));
+ $HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME']));
+ $HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME']));
+ $HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName));
+ $HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])));
$HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
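Review bot: `htmlspecialchars($PartnerName)` on the new `%%partner%%` line receives an undefined variable (null) whenever `$PartnerUUID` is null, because the assignment on the context line above is conditional and no default for `$PartnerName` is visible in the hunk; that yields an undefined-variable warning plus, on PHP 8.1+, a null-argument deprecation. If the variable is not initialised earlier in the file, `htmlspecialchars($PartnerName ?? '')` (or `$PartnerName = '';` before the conditional) closes the gap. The profile.php hunk has the same `%%partner%%` line, and there the `$PartnerName` assignment sits entirely outside the hunk.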
diff --git a/pages/profile.php b/pages/profile.php
index d784d65..178d9bf 100644
--- a/pages/profile.php
+++ b/pages/profile.php
@@ -152,10 +152,10 @@
if($RUNTIME['OPENSIM']->allowOfflineIM($_SESSION['UUID']) == "TRUE")$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' checked');
$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' ');
- $HTML->ReplaceSeitenInhalt("%%firstname%%", $_SESSION['FIRSTNAME']);
- $HTML->ReplaceSeitenInhalt("%%lastname%%", $_SESSION['LASTNAME']);
- $HTML->ReplaceSeitenInhalt("%%partner%%", $PartnerName);
- $HTML->ReplaceSeitenInhalt("%%email%%", $RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID']));
+ $HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME']));
+ $HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME']));
+ $HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName));
+ $HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])));
$HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
$HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", ' ');
diff --git a/pages/regions.php b/pages/regions.php
index 715fb81..924e724 100644
--- a/pages/regions.php
+++ b/pages/regions.php
@@ -62,7 +62,7 @@
{
$stats = getRegionStatsData($row['uuid']);
- $entry = ''.$row['regionName'].' | '.$RUNTIME['OPENSIM']->getUserName($row['owner_uuid']).' | '.fillString(($row['locX'] / 256), 4).' / '.fillString(($row['locY'] / 256), 4).' | LÖSCHEN |
';
+ $entry = ''.htmlspecialchars($row['regionName']).' | '.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($row['owner_uuid'])).' | '.fillString(($row['locX'] / 256), 4).' / '.fillString(($row['locY'] / 256), 4).' | LÖSCHEN |
';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
}
diff --git a/pages/register.php b/pages/register.php
index 6192cbf..23a7854 100644
--- a/pages/register.php
+++ b/pages/register.php
@@ -7,7 +7,7 @@
$HTML->ReplaceLayoutInhalt("%%MESSAGE%%", $message);
$HTML->ReplaceLayoutInhalt("%%tosURL%%", $RUNTIME['TOOLS']['TOS'] );
- $HTML->ReplaceLayoutInhalt("%%INVCODE%%", $_REQUEST['code']);
+ $HTML->ReplaceLayoutInhalt("%%INVCODE%%", htmlspecialchars($_REQUEST['code']));
$HTML->build();
echo $HTML->ausgabe();
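Review bot: `%%INVCODE%%` is presumably substituted into a form input's value attribute (the template is not in the diff), and `htmlspecialchars($_REQUEST['code'])` with default flags does not escape single quotes before PHP 8.1, so a single-quoted attribute would still not be safe on older runtimes. The key is also absent on a plain GET of the registration page, which produces an undefined-index warning and a null argument. `htmlspecialchars($_REQUEST['code'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` covers both, and reading the code from `$_GET`/`$_POST` rather than `$_REQUEST` (which also merges cookies) would make the intended source explicit.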
diff --git a/pages/user-online-state.php b/pages/user-online-state.php
index 0f17e19..a4bef00 100644
--- a/pages/user-online-state.php
+++ b/pages/user-online-state.php
@@ -11,7 +11,7 @@
{
if($row['RegionID'] != "00000000-0000-0000-0000-000000000000")
{
- $entry = ''.trim($RUNTIME['OPENSIM']->getUserName($row['UserID'])).' | '.$RUNTIME['OPENSIM']->getRegionName($row['RegionID']).' |
';
+ $entry = ''.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['UserID']))).' | '.htmlspecialchars($RUNTIME['OPENSIM']->getRegionName($row['RegionID'])).' |
';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
}
}
diff --git a/pages/users.php b/pages/users.php
index eb31a86..156688f 100644
--- a/pages/users.php
+++ b/pages/users.php
@@ -26,7 +26,7 @@
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID');
$statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);
- $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", 'Das Passwort für '.$RUNTIME['OPENSIM']->getUserName($_REQUEST['userid']).' wurde geändert. Das neue Passwort ist '.$NEWPW.'
');
+ $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", 'Das Passwort für '.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($_REQUEST['userid'])).' wurde geändert. Das neue Passwort ist '.htmlspecialchars($NEWPW).'
');
}
$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))");
@@ -50,7 +50,7 @@
while($row = $statement->fetch())
{
- $entry = ''.$row['FirstName'].' | '.$row['LastName'].' | '.$row['UserLevel'].' | PASSWORT ÄNDERN |
';
+ $entry = ''.htmlspecialchars($row['FirstName']).' | '.htmlspecialchars($row['LastName']).' | '.htmlspecialchars($row['UserLevel']).' | PASSWORT ÄNDERN |
';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
}
diff --git a/plugins/default-html.php b/plugins/default-html.php
index 6a76721..19b8314 100644
--- a/plugins/default-html.php
+++ b/plugins/default-html.php
@@ -7,6 +7,6 @@
if(@$_SESSION['LEVEL'] > 100)
$HTML->importHTML("style/default/dashboard-admin.html");
- $HTML->ReplaceLayoutInhalt("%%USERNAME%%", @$_SESSION['DISPLAYNAME']);
+ $HTML->ReplaceLayoutInhalt("%%USERNAME%%", htmlspecialchars(@$_SESSION['DISPLAYNAME']));
}
?>
\ No newline at end of file
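Review bot: `htmlspecialchars(@$_SESSION['DISPLAYNAME'])` keeps the `@` operator, which hides the missing-key notice and, on PHP 8.1+, the "passing null to parameter #1" deprecation; the layout ends up with an empty username either way, but silently, so a broken session is harder to notice in logs. `htmlspecialchars($_SESSION['DISPLAYNAME'] ?? '')` expresses the same fallback without suppression. The same `@` pattern is on the `$_SESSION['LEVEL']` context line above, which this commit does not touch.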