diff --git a/application/controllers/admin/responses.php b/application/controllers/admin/responses.php
index 9710065a200..483e166f06f 100644
--- a/application/controllers/admin/responses.php
+++ b/application/controllers/admin/responses.php
@@ -756,8 +756,8 @@ public function getResponses_json($iSurveyID)
                     {
                         if (isset($aFilesInfo[$iFileIndex]))
                         {
-                            $aSurveyEntry[] = $aFilesInfo[$iFileIndex]['title'];
-                            $aSurveyEntry[] = $aFilesInfo[$iFileIndex]['comment'];
+                            $aSurveyEntry[] = htmlspecialchars($aFilesInfo[$iFileIndex]['title'],ENT_QUOTES, 'UTF-8');
+                            $aSurveyEntry[] = htmlspecialchars($aFilesInfo[$iFileIndex]['comment'],ENT_QUOTES, 'UTF-8');
                             $aSurveyEntry[] = CHtml::link(rawurldecode($aFilesInfo[$iFileIndex]['name']), $this->getController()->createUrl("/admin/responses",array("sa"=>"actionDownloadfile","surveyid"=>$surveyid,"iResponseId"=>$row['id'],"sFileName"=>$aFilesInfo[$iFileIndex]['name'])) );
                             $aSurveyEntry[] = sprintf('%s Mb',round($aFilesInfo[$iFileIndex]['size']/1000,2));
                         }
diff --git a/application/core/LSYii_Validators.php b/application/core/LSYii_Validators.php
index a8bf8dc3547..42de01106cb 100644
--- a/application/core/LSYii_Validators.php
+++ b/application/core/LSYii_Validators.php
@@ -42,7 +42,7 @@ class LSYii_Validators extends CValidator {
 
     public function __construct()
     {
-        if(Yii::app()->getConfig('DBVersion')< 172) // Permssion::model exist only after 172 DB version
+        if(Yii::app()->getConfig('DBVersion')< 172) // Permission::model exist only after 172 DB version
             return $this->xssfilter=($this->xssfilter && Yii::app()->getConfig('filterxsshtml'));
         $this->xssfilter=($this->xssfilter && Yii::app()->getConfig('filterxsshtml') && !Permission::model()->hasGlobalPermission('superadmin','read'));
     }
@@ -52,6 +52,10 @@ protected function validateAttribute($object,$attribute)
         if($this->xssfilter)
         {
             $object->$attribute=$this->xssFilter($object->$attribute);
+            if($this->isUrl)
+            {
+                $object->$attribute=str_replace('javascript:','',html_entity_decode($object->$attribute, ENT_QUOTES, "UTF-8")); 
+            }
         }
         if($this->isUrl)
         {
diff --git a/application/helpers/frontend_helper.php b/application/helpers/frontend_helper.php
index 4239466be28..774a19eef0e 100644
--- a/application/helpers/frontend_helper.php
+++ b/application/helpers/frontend_helper.php
@@ -888,10 +888,10 @@ function buildsurveysession($surveyid,$preview=false)
             && isset($_GET['loadname']) && isset($_GET['loadpass']))
             {
                 echo "
-                <input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'])."' id='loadall' />
+                <input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'],ENT_QUOTES, 'UTF-8')."' id='loadall' />
                 <input type='hidden' name='scid' value='".returnGlobal('scid',true)."' id='scid' />
-                <input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'])."' id='loadname' />
-                <input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'])."' id='loadpass' />";
+                <input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'],ENT_QUOTES, 'UTF-8')."' id='loadname' />
+                <input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'],ENT_QUOTES, 'UTF-8')."' id='loadpass' />";
             }
 
             echo "
@@ -972,10 +972,10 @@ function buildsurveysession($surveyid,$preview=false)
             && isset($_GET['loadname']) && isset($_GET['loadpass']))
             {
                 echo "
-                <input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'])."' id='loadall' />
+                <input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'],ENT_QUOTES, 'UTF-8')."' id='loadall' />
                 <input type='hidden' name='scid' value='".returnGlobal('scid',true)."' id='scid' />
-                <input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'])."' id='loadname' />
-                <input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'])."' id='loadpass' />";
+                <input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'],ENT_QUOTES, 'UTF-8')."' id='loadname' />
+                <input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'],ENT_QUOTES, 'UTF-8')."' id='loadpass' />";
             }
             echo "</li>";
 
@@ -1114,10 +1114,10 @@ function buildsurveysession($surveyid,$preview=false)
                         if (isset($_GET['loadall']) && isset($_GET['scid'])
                         && isset($_GET['loadname']) && isset($_GET['loadpass']))
                         {
-                            echo "<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'])."' id='loadall' />
+                            echo "<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'],ENT_QUOTES, 'UTF-8')."' id='loadall' />
                             <input type='hidden' name='scid' value='".returnGlobal('scid',true)."' id='scid' />
-                            <input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'])."' id='loadname' />
-                            <input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'])."' id='loadpass' />";
+                            <input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'],ENT_QUOTES, 'UTF-8')."' id='loadname' />
+                            <input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'],ENT_QUOTES, 'UTF-8')."' id='loadpass' />";
                         }
 
                         echo '<label for="token">'.gT("Token")."</label><input class='text' type='password' id='token' name='token'></li>";
@@ -1133,10 +1133,10 @@ function buildsurveysession($surveyid,$preview=false)
                     if (isset($_GET['loadall']) && isset($_GET['scid'])
                     && isset($_GET['loadname']) && isset($_GET['loadpass']))
                     {
-                        echo "<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'])."' id='loadall' />
+                        echo "<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'],ENT_QUOTES, 'UTF-8')."' id='loadall' />
                         <input type='hidden' name='scid' value='".returnGlobal('scid',true)."' id='scid' />
-                        <input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'])."' id='loadname' />
-                        <input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'])."' id='loadpass' />";
+                        <input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'],ENT_QUOTES, 'UTF-8')."' id='loadname' />
+                        <input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'],ENT_QUOTES, 'UTF-8')."' id='loadpass' />";
                     }
                     echo '<label for="token">'.gT("Token:")."</label><span id='token'>$gettoken</span>"
                     ."<input type='hidden' name='token' value='$gettoken'></li>";
diff --git a/application/views/admin/usergroup/editUserGroup_view.php b/application/views/admin/usergroup/editUserGroup_view.php
index c23d4581f73..987d6b0e8b4 100644
--- a/application/views/admin/usergroup/editUserGroup_view.php
+++ b/application/views/admin/usergroup/editUserGroup_view.php
@@ -2,9 +2,9 @@
     <?php echo CHtml::form(array("admin/usergroups/sa/edit/ugid/{$ugid}"), 'post', array('class'=>'form30', 'id'=>'usergroupform', 'name'=>'usergroupform')); ?>
         <ul>
         <li><label for='name'><?php eT("Name:"); ?></label>
-        <input type='text' size='50' maxlength='20' id='name' name='name' value="<?php echo $esrow['name']; ?>" /></li>
+        <input type='text' size='50' maxlength='20' id='name' name='name' value="<?php echo htmlspecialchars($esrow['name'],ENT_QUOTES, 'UTF-8'); ?>" /></li>
         <li><label for='description'><?php eT("Description:"); ?></label>
-        <textarea cols='50' rows='4' id='description' name='description'><?php echo $esrow['description']; ?></textarea></li>
+        <textarea cols='50' rows='4' id='description' name='description'><?php echo htmlspecialchars($esrow['description'],ENT_QUOTES, 'UTF-8'); ?></textarea></li>
         <ul><p><input type='submit' value='<?php eT("Update user group"); ?>' />
         <input type='hidden' name='action' value='editusergroupindb' />
         <input type='hidden' name='owner_id' value='<?php echo Yii::app()->session['loginID']; ?>' />