diff --git a/src/web/audit-policy.jsp b/src/web/audit-policy.jsp
index 2fa8f48cf7..bc8afa3e6a 100644
--- a/src/web/audit-policy.jsp
+++ b/src/web/audit-policy.jsp
@@ -17,9 +17,10 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
-                   org.jivesoftware.openfire.XMPPServer,
-                   org.jivesoftware.openfire.audit.AuditManager,
+                 org.jivesoftware.openfire.XMPPServer,
+                 org.jivesoftware.openfire.audit.AuditManager,
                  org.jivesoftware.openfire.user.UserNotFoundException,
+                 org.jivesoftware.util.StringUtils,
                  org.xmpp.packet.JID,
                  java.io.File"
     errorPage="error.jsp"
@@ -226,7 +227,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="50" maxlength="150" name="logDir"
-							 value="<%= ((logDir != null) ? logDir : "") %>">
+							 value="<%= ((logDir != null) ? StringUtils.escapeForXML(logDir) : "") %>">
 
 						<%  if (errors.get("logDir") != null) { %>
 
@@ -361,7 +362,7 @@
 							<fmt:message key="audit.policy.ignore" />
 						</td>
 						<td width="99%">
-							<textarea name="ignore" cols="40" rows="3" wrap="virtual"><%= ((ignore != null) ? ignore : "") %></textarea>
+							<textarea name="ignore" cols="40" rows="3" wrap="virtual"><%= ((ignore != null) ? StringUtils.escapeHTMLTags(ignore) : "") %></textarea>
 							<%  if (errors.get("ignore") != null) { %>
 
 								<span class="jive-error-text">
@@ -393,4 +394,4 @@
 
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/available-plugins.jsp b/src/web/available-plugins.jsp
index 835d6ff517..f530954a29 100644
--- a/src/web/available-plugins.jsp
+++ b/src/web/available-plugins.jsp
@@ -15,7 +15,8 @@
 <%@ page errorPage="error.jsp" import="org.jivesoftware.util.ByteFormat,
                                        org.jivesoftware.util.Version,
                                        org.jivesoftware.openfire.XMPPServer,
-                                       org.jivesoftware.openfire.container.Plugin"
+                                       org.jivesoftware.openfire.container.Plugin,
+                                       org.jivesoftware.util.StringUtils"
     %>
 <%@ page import="org.jivesoftware.openfire.container.PluginManager" %>
 <%@ page import="org.jivesoftware.openfire.update.AvailablePlugin" %>
@@ -284,38 +285,38 @@
 <tr id="<%= plugin.hashCode()%>">
     <td width="1%" class="line-bottom-border">
         <% if (plugin.getIcon() != null) { %>
-        <img src="<%= plugin.getIcon() %>" width="16" height="16" alt="Plugin">
+        <img src="<%= StringUtils.escapeForXML(plugin.getIcon()) %>" width="16" height="16" alt="Plugin">
         <% }
         else { %>
         <img src="images/plugin-16x16.gif" width="16" height="16" alt="Plugin">
         <% } %>
     </td>
     <td width="20%" nowrap class="line-bottom-border">
-        <%= (pluginName != null ? pluginName : "") %> &nbsp;
+        <%= (pluginName != null ? StringUtils.escapeHTMLTags(pluginName) : "") %> &nbsp;
     </td>
     <td nowrap valign="top" class="line-bottom-border">
         <% if (plugin.getReadme() != null) { %>
-        <a href="<%= plugin.getReadme() %>"
+        <a href="<%= StringUtils.escapeForXML(plugin.getReadme()) %>"
             ><img src="images/doc-readme-16x16.gif" width="16" height="16" border="0" alt="README"></a>
         <% }
         else { %> &nbsp; <% } %>
         <% if (plugin.getChangelog() != null) { %>
-        <a href="<%= plugin.getChangelog() %>"
+        <a href="<%= StringUtils.escapeForXML(plugin.getChangelog()) %>"
             ><img src="images/doc-changelog-16x16.gif" width="16" height="16" border="0" alt="changelog"></a>
         <% }
         else { %> &nbsp; <% } %>
     </td>
     <td width="60%" class="line-bottom-border">
-        <%= pluginDescription != null ? pluginDescription : "" %>
+        <%= pluginDescription != null ? StringUtils.escapeHTMLTags(pluginDescription) : "" %>
     </td>
     <td width="5%" align="center" valign="top" class="line-bottom-border">
-        <%= pluginVersion != null ? pluginVersion : "" %>
+        <%= pluginVersion != null ? StringUtils.escapeHTMLTags(pluginVersion) : "" %>
     </td>
     <td width="15%" nowrap valign="top" class="line-bottom-border">
-        <%= pluginAuthor != null ? pluginAuthor : "" %>  &nbsp;
+        <%= pluginAuthor != null ? StringUtils.escapeHTMLTags(pluginAuthor) : "" %>  &nbsp;
     </td>
     <td width="15%" nowrap valign="top" class="line-bottom-border" align="right">
-        <%= fileSize %>
+        <%= StringUtils.escapeHTMLTags(fileSize) %>
     </td>
     <td width="1%" align="center" valign="top" class="line-bottom-border">
         <%
@@ -328,7 +329,7 @@
         <%
 
         %>
-        <a href="javascript:downloadPlugin('<%=updateURL%>', '<%= plugin.hashCode()%>')"><span id="<%= plugin.hashCode() %>-image"><img src="images/add-16x16.gif" width="16" height="16" border="0"
+        <a href="javascript:downloadPlugin('<%=StringUtils.escapeForXML(updateURL)%>', '<%= plugin.hashCode()%>')"><span id="<%= plugin.hashCode() %>-image"><img src="images/add-16x16.gif" width="16" height="16" border="0"
                                                                                                                                         alt="<fmt:message key="plugin.available.download" />"></span></a>
 
         <% } %>
@@ -336,9 +337,9 @@
 </tr>
 <tr id="<%= plugin.hashCode()%>-row" style="display:none;background: #E7FBDE;">
     <td width="1%" class="line-bottom-border">
-        <img src="<%= plugin.getIcon()%>" width="16" height="16" alt=""/>
+        <img src="<%= StringUtils.escapeForXML(plugin.getIcon())%>" width="16" height="16" alt=""/>
     </td>
-    <td colspan="6" nowrap class="line-bottom-border"><%= plugin.getName()%> <fmt:message key="plugin.available.installation.success" /></td>
+    <td colspan="6" nowrap class="line-bottom-border"><%= StringUtils.escapeHTMLTags(plugin.getName())%> <fmt:message key="plugin.available.installation.success" /></td>
     <td class="line-bottom-border" align="center">
         <img src="images/success-16x16.gif" height="16" width="16" alt=""/>
     </td>
@@ -367,38 +368,38 @@
 <tr id="<%= plugin.hashCode()%>">
     <td width="1%" class="line-bottom-border">
         <% if (plugin.getIcon() != null) { %>
-        <img src="<%= plugin.getIcon() %>" width="16" height="16" alt="Plugin">
+        <img src="<%= StringUtils.escapeForXML(plugin.getIcon()) %>" width="16" height="16" alt="Plugin">
         <% }
         else { %>
         <img src="images/plugin-16x16.gif" width="16" height="16" alt="Plugin">
         <% } %>
     </td>
     <td width="20%" nowrap class="line-bottom-border">
-        <%= (pluginName != null ? pluginName : "") %> &nbsp;
+        <%= (pluginName != null ? StringUtils.escapeHTMLTags(pluginName) : "") %> &nbsp;
     </td>
     <td nowrap valign="top" class="line-bottom-border">
         <% if (plugin.getReadme() != null) { %>
-        <a href="<%= plugin.getReadme() %>"
+        <a href="<%= StringUtils.escapeForXML(plugin.getReadme()) %>"
             ><img src="images/doc-readme-16x16.gif" width="16" height="16" border="0" alt="README"></a>
         <% }
         else { %> &nbsp; <% } %>
         <% if (plugin.getChangelog() != null) { %>
-        <a href="<%= plugin.getChangelog() %>"
+        <a href="<%= StringUtils.escapeForXML(plugin.getChangelog()) %>"
             ><img src="images/doc-changelog-16x16.gif" width="16" height="16" border="0" alt="changelog"></a>
         <% }
         else { %> &nbsp; <% } %>
     </td>
     <td width="60%" class="line-bottom-border">
-        <%= pluginDescription != null ? pluginDescription : "" %>
+        <%= pluginDescription != null ? StringUtils.escapeHTMLTags(pluginDescription) : "" %>
     </td>
     <td width="5%" align="center" valign="top" class="line-bottom-border">
-        <%= pluginVersion != null ? pluginVersion : "" %>
+        <%= pluginVersion != null ? StringUtils.escapeHTMLTags(pluginVersion) : "" %>
     </td>
     <td width="15%" nowrap valign="top" class="line-bottom-border">
-        <%= pluginAuthor != null ? pluginAuthor : "" %>  &nbsp;
+        <%= pluginAuthor != null ? StringUtils.escapeHTMLTags(pluginAuthor) : "" %>  &nbsp;
     </td>
     <td width="15%" nowrap valign="top" class="line-bottom-border">
-        <%= fileSize  %>
+        <%= StringUtils.escapeHTMLTags(fileSize)  %>
     </td>
     <td width="1%" align="center" valign="top" class="line-bottom-border">
         <%
@@ -409,16 +410,16 @@
         <%  }
         else { %>
 
-        <span id="<%= plugin.hashCode() %>-image"><a href="javascript:downloadPlugin('<%=updateURL%>', '<%= plugin.hashCode()%>')"><img src="images/add-16x16.gif" width="16" height="16" border="0"
+        <span id="<%= plugin.hashCode() %>-image"><a href="javascript:downloadPlugin('<%=StringUtils.escapeForXML(updateURL) %>', '<%= plugin.hashCode() %>')"><img src="images/add-16x16.gif" width="16" height="16" border="0"
                                                                                                                                         alt="<fmt:message key="plugin.available.download" />"></a></span>
         <% } %>
     </td>
 </tr>
 <tr id="<%= plugin.hashCode()%>-row" style="display:none;background: #E7FBDE;">
      <td width="1%" class="line-bottom-border">
-        <img src="<%= plugin.getIcon()%>" width="16" height="16" alt=""/>
+        <img src="<%= StringUtils.escapeForXML(plugin.getIcon())%>" width="16" height="16" alt=""/>
     </td>
-    <td colspan="6" nowrap class="line-bottom-border"><%= plugin.getName()%> <fmt:message key="plugin.available.installation.success" /></td>
+    <td colspan="6" nowrap class="line-bottom-border"><%= StringUtils.escapeHTMLTags(plugin.getName())%> <fmt:message key="plugin.available.installation.success" /></td>
     <td class="line-bottom-border" align="center">
         <img src="images/success-16x16.gif" height="16" width="16" alt=""/>
     </td>
@@ -493,13 +494,13 @@
                     else { %> &nbsp; <% } %></p>
             </td>
             <td class="line-bottom-border">
-                <%= pluginDescription %>
+                <%= StringUtils.escapeHTMLTags(pluginDescription) %>
             </td>
             <td class="line-bottom-border">
-                <%= pluginVersion%>
+                <%= StringUtils.escapeHTMLTags(pluginVersion) %>
             </td>
             <td class="line-bottom-border">
-                <%= pluginAuthor%>
+                <%= StringUtils.escapeHTMLTags(pluginAuthor) %>
             </td>
         </tr>
         <% }%>
@@ -529,4 +530,4 @@
            <% } %>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/clearspace-status.jsp b/src/web/clearspace-status.jsp
index 7756633276..d61dde43de 100644
--- a/src/web/clearspace-status.jsp
+++ b/src/web/clearspace-status.jsp
@@ -20,6 +20,7 @@
 <%@ page import="org.jivesoftware.openfire.clearspace.ClearspaceManager" %>
 <%@ page import="org.jivesoftware.openfire.session.ComponentSession" %>
 <%@ page import="org.jivesoftware.util.JiveGlobals" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="java.text.NumberFormat" %>
 <%@ page import="java.util.Collection" %>
 <%@ page import="java.util.Date" %>
@@ -189,17 +190,17 @@
             <fmt:message key="clearspace.status.connected.table.label.hostname" />
         </td>
         <td>
-            <%= cs.getHostAddress() %>
+            <%= StringUtils.escapeHTMLTags(cs.getHostAddress()) %>
             /
-            <%= cs.getHostName() %>
+            <%= StringUtils.escapeHTMLTags(cs.getHostName()) %>
         </td>
     </tr>
         <% } else { %>
     <tr>
         <td>
-            <%= cs.getHostAddress() %>
+            <%= StringUtils.escapeHTMLTags(cs.getHostAddress()) %>
             /
-            <%= cs.getHostName() %>
+            <%= StringUtils.escapeHTMLTags(cs.getHostName()) %>
         </td>
     </tr>
         <% } %>
@@ -268,4 +269,4 @@
 <% } %>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/component-session-details.jsp b/src/web/component-session-details.jsp
index 991899fa41..bedc9723b6 100644
--- a/src/web/component-session-details.jsp
+++ b/src/web/component-session-details.jsp
@@ -21,6 +21,7 @@
 <%@ page import="org.jivesoftware.openfire.SessionManager,
                  org.jivesoftware.openfire.session.ComponentSession,
                  org.jivesoftware.util.JiveGlobals,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.util.ParamUtils"
     errorPage="error.jsp"
 %>
@@ -86,7 +87,7 @@
             <fmt:message key="component.session.label.name" />
         </td>
         <td>
-            <%= componentSession.getExternalComponent().getName() %>
+            <%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getName()) %>
         </td>
     </tr>
     <tr>
@@ -94,7 +95,7 @@
             <fmt:message key="component.session.label.category" />:
         </td>
         <td>
-            <%= componentSession.getExternalComponent().getCategory() %>
+            <%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getCategory()) %>
         </td>
     </tr>
     <tr>
@@ -117,7 +118,7 @@
              <% }
             }
             %>
-            <%= componentSession.getExternalComponent().getType() %>
+            <%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getType()) %>
         </td>
     </tr>
     <tr>
@@ -150,9 +151,9 @@
             <fmt:message key="session.details.hostname" />
         </td>
         <td>
-            <%= componentSession.getHostAddress() %>
+            <%= StringUtils.escapeHTMLTags(componentSession.getHostAddress()) %>
             /
-            <%= componentSession.getHostName() %>
+            <%= StringUtils.escapeHTMLTags(componentSession.getHostName()) %>
         </td>
     </tr>
 </tbody>
@@ -167,4 +168,4 @@
 </form>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/component-session-summary.jsp b/src/web/component-session-summary.jsp
index 465587928f..f3a72f6c8e 100644
--- a/src/web/component-session-summary.jsp
+++ b/src/web/component-session-summary.jsp
@@ -22,6 +22,7 @@
                  org.jivesoftware.openfire.session.ComponentSession,
                  org.jivesoftware.openfire.session.Session,
                  org.jivesoftware.util.JiveGlobals,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.util.ParamUtils,
                  java.net.URLEncoder"
     errorPage="error.jsp"
@@ -187,10 +188,10 @@
             <a href="component-session-details.jsp?jid=<%= URLEncoder.encode(componentSession.getAddress().toString(), "UTF-8") %>" title="<fmt:message key="session.row.cliked" />"><%= componentSession.getAddress() %></a>
         </td>
         <td align="center" width="15%" nowrap>
-            <%= componentSession.getExternalComponent().getName() %>
+            <%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getName()) %>
         </td>
         <td align="center" width="10%" nowrap>
-            <%= componentSession.getExternalComponent().getCategory() %>
+            <%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getCategory()) %>
         </td>
         <td align="center" width="10%" nowrap>
             <table border="0">
@@ -218,7 +219,7 @@
              <% }
                }
             %>
-            <td><%= componentSession.getExternalComponent().getType() %></td>
+            <td><%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getType()) %></td>
             </tr></table>
         </td>
         <%  Date creationDate = componentSession.getCreationDate();
@@ -279,4 +280,4 @@
 </p>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/error.jsp b/src/web/error.jsp
index 7c8f67da66..b4e143a85f 100644
--- a/src/web/error.jsp
+++ b/src/web/error.jsp
@@ -7,6 +7,7 @@
 <%@ page import="java.io.*,
                  org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.JiveGlobals,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.openfire.auth.UnauthorizedException,
                  org.jivesoftware.openfire.user.UserNotFoundException,
                  org.jivesoftware.openfire.group.GroupNotFoundException"
@@ -54,7 +55,7 @@
 %>
     <fmt:message key="error.exception" />
     <pre>
-<%= sout.toString() %>
+<%= StringUtils.escapeHTMLTags(sout.toString()) %>
     </pre>
 
-<%  } %>
\ No newline at end of file
+<%  } %>
diff --git a/src/web/external-components-settings.jsp b/src/web/external-components-settings.jsp
index ea46958d77..f6c32196d0 100644
--- a/src/web/external-components-settings.jsp
+++ b/src/web/external-components-settings.jsp
@@ -25,8 +25,10 @@
                  org.jivesoftware.openfire.component.ExternalComponentConfiguration,
                  org.jivesoftware.openfire.component.ExternalComponentManager,
                  org.jivesoftware.util.ModificationNotAllowedException,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.util.ParamUtils,
-                 java.util.Collection"
+                 java.util.Collection,
+                 java.net.URLEncoder"
     errorPage="error.jsp"
 %>
 <%@ page import="java.util.HashMap" %>
@@ -243,7 +245,7 @@
         <tr>
             <td class="jive-icon"><img src="images/error-16x16.gif" width="16" height="16" border="0" alt=""/></td>
             <td class="jive-icon-label">
-                <fmt:message key="component.settings.modification.denied" /> <%= operationFailedDetail != null ? operationFailedDetail : ""%>
+                <fmt:message key="component.settings.modification.denied" /> <%= operationFailedDetail != null ? StringUtils.escapeHTMLTags(operationFailedDetail) : ""%>
             </td>
         </tr>
     </tbody>
@@ -328,7 +330,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="15" maxlength="70" name="defaultSecret"
-							 value="<%= ((defaultSecret != null) ? defaultSecret : "") %>">
+							 value="<%= ((defaultSecret != null) ? StringUtils.escapeForXML(defaultSecret) : "") %>">
 						</td>
 					</tr>
 					</table>
@@ -408,13 +410,13 @@
 					<%= count %>
 				</td>
 				<td>
-					<%= configuration.getSubdomain() %>
+					<%= StringUtils.escapeHTMLTags(configuration.getSubdomain()) %>
 				</td>
 				<td>
 					<%= configuration.getSecret() %>
 				</td>
 				<td align="center" style="border-right:1px #ccc solid;">
-					<a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('external-components-settings.jsp?deleteConf=<%= configuration.getSubdomain() %>'); } "
+					<a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('external-components-settings.jsp?deleteConf=<%= URLEncoder.encode(configuration.getSubdomain(),"UTF-8") %>'); } "
 					 title="<fmt:message key="global.click_delete" />"
 					 ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
 				</td>
diff --git a/src/web/group-create.jsp b/src/web/group-create.jsp
index fc6214a789..4cae3c4194 100644
--- a/src/web/group-create.jsp
+++ b/src/web/group-create.jsp
@@ -20,6 +20,7 @@
 <%@ page import="org.jivesoftware.openfire.group.Group,
                  org.jivesoftware.openfire.group.GroupAlreadyExistsException,
                  org.jivesoftware.openfire.security.SecurityAuditManager,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.util.Log"
     errorPage="error.jsp"
 %>
@@ -188,7 +189,7 @@
 <form name="f" action="group-create.jsp" method="post">
 
    <% if (groupName != null) { %>
-    <input type="hidden" name="group" value="<%= groupName %>" id="existingName">
+    <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>" id="existingName">
    <% } %>
 
     <!-- BEGIN create group -->
@@ -213,7 +214,7 @@
         </td>
         <td width="99%">
             <input type="text" name="name" size="30" maxlength="75"
-             value="<%= ((name != null) ? name : "") %>" id="gname">
+             value="<%= ((name != null) ? StringUtils.escapeForXML(name) : "") %>" id="gname">
         </td>
     </tr>
 
@@ -238,7 +239,7 @@
         </td>
         <td width="99%">
             <textarea name="description" cols="30" rows="3" id="gdesc"
-             ><%= ((description != null) ? description : "") %></textarea>
+             ><%= ((description != null) ? StringUtils.escapeHTMLTags(description) : "") %></textarea>
         </td>
     </tr>
 
@@ -298,4 +299,4 @@ for (i=0;i<limit;i++) {
 <% } %>
 
 </body>
-</html>%>
\ No newline at end of file
+</html>%>
diff --git a/src/web/group-delete.jsp b/src/web/group-delete.jsp
index e124db79a8..e60cf553ac 100644
--- a/src/web/group-delete.jsp
+++ b/src/web/group-delete.jsp
@@ -81,7 +81,7 @@
 </p>
 
 <form action="group-delete.jsp">
-<input type="hidden" name="group" value="<%= groupName %>">
+<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
 <input type="submit" name="delete" value="<fmt:message key="group.delete.delete" />">
 <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
 </form>
@@ -101,4 +101,4 @@
     <% } %>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/group-edit.jsp b/src/web/group-edit.jsp
index 8ebd076778..0516ceb0af 100644
--- a/src/web/group-edit.jsp
+++ b/src/web/group-edit.jsp
@@ -314,7 +314,7 @@
         <td class="jive-icon-label">
         <% if(add) { %>
         <fmt:message key="group.edit.not_update" />
-        <%= errorBuf %>
+        <%= StringUtils.escapeHTMLTags(errorBuf.toString()) %>
         <% } %>
         </td></tr>
     </tbody>
@@ -325,7 +325,7 @@
 	<div class="jive-horizontalRule"></div>
 
 <form name="ff" action="group-edit.jsp">
-<input type="hidden" name="group" value="<%= groupName %>"/>
+<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>"/>
 
 
 	<!-- BEGIN group name and description -->
@@ -387,7 +387,7 @@
 
                 <div id="jive-roster" style="display: <%= !enableRosterGroups ? "none" : "block"  %>;">
 	               <b><fmt:message key="group.edit.share_display_name" /></b>
-	               <input type="text" name="groupDisplayName" size="30" maxlength="100" value="<%= (groupDisplayName != null ? groupDisplayName : "") %>"><br>
+	               <input type="text" name="groupDisplayName" size="30" maxlength="100" value="<%= (groupDisplayName != null ? StringUtils.escapeForXML(groupDisplayName) : "") %>"><br>
                        <%  if (errors.get("groupDisplayName") != null) { %>
                            <span class="jive-error-text"><fmt:message key="group.edit.share_display_name" /></span><br/>
                        <%  } %>
@@ -489,7 +489,7 @@
 		</p>
 
         <form action="group-edit.jsp" method="post" name="f">
-        <input type="hidden" name="group" value="<%= groupName %>">
+        <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
         <input type="hidden" name="add" value="Add"/>
         <table cellpadding="3" cellspacing="1" border="0" style="margin: 0 0 8px 0;">
             <tr>
@@ -507,7 +507,7 @@
         <% } %>
 
         <form action="group-edit.jsp" method="post" name="main">
-        <input type="hidden" name="group" value="<%= groupName %>">
+        <input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
         <table class="jive-table" cellpadding="3" cellspacing="0" border="0" width="435">
             <tr>
 	            <th>&nbsp;</th>
@@ -581,7 +581,7 @@
 
                     </td>
                     <% if (user != null) { %>
-                    <td><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= JID.unescapeNode(user.getUsername()) %></a><% if (!isLocal) { showRemoteJIDsWarning = true; %> <font color="red"><b>*</b></font><%}%></td>
+                    <td><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %></a><% if (!isLocal) { showRemoteJIDsWarning = true; %> <font color="red"><b>*</b></font><%}%></td>
                     <% } else { %>
                     <td><%= jid %><% showRemoteJIDsWarning = true; %> <font color="red"><b>*</b></font></td>
                     <% } %>
@@ -672,4 +672,4 @@
         }
         return false;
     }
-%>
\ No newline at end of file
+%>
diff --git a/src/web/group-summary.jsp b/src/web/group-summary.jsp
index 49ddcd3fc9..80c87b7f09 100644
--- a/src/web/group-summary.jsp
+++ b/src/web/group-summary.jsp
@@ -178,7 +178,7 @@ document.searchForm.search.focus();
             <%= i %>
         </td>
         <td width="60%">
-            <a href="group-edit.jsp?group=<%= groupName %>"><%= StringUtils.escapeHTMLTags(group.getName()) %></a>
+            <a href="group-edit.jsp?group=<%= URLEncoder.encode(groupName,"UTF-8") %>"><%= StringUtils.escapeHTMLTags(group.getName()) %></a>
             <% if (group.getDescription() != null) { %>
             <br>
                 <span class="jive-description">
@@ -195,12 +195,12 @@ document.searchForm.search.focus();
         <%  // Only show edit and delete options if the groups aren't read-only.
             if (!webManager.getGroupManager().isReadOnly()) { %>
         <td width="1%" align="center">
-            <a href="group-edit.jsp?group=<%= groupName %>"
+            <a href="group-edit.jsp?group=<%= URLEncoder.encode(groupName,"UTF-8") %>"
              title=<fmt:message key="global.click_edit" />
             ><img src="images/edit-16x16.gif" width="16" height="16" border="0" alt=""></a>
         </td>
         <td width="1%" align="center" style="border-right:1px #ccc solid;">
-            <a href="group-delete.jsp?group=<%= groupName %>"
+            <a href="group-delete.jsp?group=<%= URLEncoder.encode(groupName,"UTF-8") %>"
              title=<fmt:message key="global.click_delete" />
              ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
         </td>
@@ -234,4 +234,4 @@ document.searchForm.search.focus();
 <%  } %>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/http-bind.jsp b/src/web/http-bind.jsp
index 90f0a81bc1..ebc74e50e7 100644
--- a/src/web/http-bind.jsp
+++ b/src/web/http-bind.jsp
@@ -17,6 +17,7 @@
   - limitations under the License.
 --%>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="java.io.File" %>
 <%@ page import="java.util.Map" %>
 <%@ page import="java.util.HashMap" %>
@@ -261,7 +262,7 @@
 						</tr>
                         <tr>
                             <td>
-                                <input id="CORSDomains" type="text" size="80" name="CORSDomains" value="<%= serverManager.getCORSAllowOrigin() %>">
+                                <input id="CORSDomains" type="text" size="80" name="CORSDomains" value="<%= StringUtils.escapeForXML(serverManager.getCORSAllowOrigin()) %>">
                             </td>
                         </tr>
                     </table>
@@ -303,7 +304,7 @@
 								<label for="XFFHeader"><fmt:message key="httpbind.settings.xff.forwarded_for"/></label>
 							</td>
                             <td>
-                                <input id="XFFHeader" type="text" size="40" name="XFFHeader"  value="<%= xffHeader == null ? "" : xffHeader %>">
+                                <input id="XFFHeader" type="text" size="40" name="XFFHeader"  value="<%= xffHeader == null ? "" : StringUtils.escapeForXML(xffHeader) %>">
                             </td>
 						</tr>
 						<tr>
@@ -311,7 +312,7 @@
 								<label for="XFFServerHeader"><fmt:message key="httpbind.settings.xff.forwarded_server"/></label>
 							</td>
                             <td>
-                                <input id="XFFServerHeader" type="text" size="40" name="XFFServerHeader" value="<%= xffServerHeader == null ? "" : xffServerHeader %>">
+                                <input id="XFFServerHeader" type="text" size="40" name="XFFServerHeader" value="<%= xffServerHeader == null ? "" : StringUtils.escapeForXML(xffServerHeader) %>">
                             </td>
 						</tr>
 						<tr>
@@ -319,7 +320,7 @@
 								<label for="XFFHostHeader"><fmt:message key="httpbind.settings.xff.forwarded_host"/></label>
 							</td>
                             <td>
-                                <input id="XFFHostHeader" type="text" size="40" name="XFFHostHeader" value="<%= xffHostHeader == null ? "" : xffHostHeader %>">
+                                <input id="XFFHostHeader" type="text" size="40" name="XFFHostHeader" value="<%= xffHostHeader == null ? "" : StringUtils.escapeForXML(xffHostHeader) %>">
                             </td>
 						</tr>
 						<tr>
@@ -327,7 +328,7 @@
 								<label for="XFFHostName"><fmt:message key="httpbind.settings.xff.host_name"/></label>
 							</td>
                             <td>
-                                <input id="XFFHostName" type="text" size="40" name="XFFHostName" value="<%= xffHostName == null ? "" : xffHostName %>">
+                                <input id="XFFHostName" type="text" size="40" name="XFFHostName" value="<%= xffHostName == null ? "" : StringUtils.escapeForXML(xffHostName) %>">
                             </td>
 						</tr>
                     </table>
@@ -363,4 +364,4 @@
                value="<fmt:message key="global.save_settings" />">
 </form>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/import-certificate.jsp b/src/web/import-certificate.jsp
index 863b732e08..c27b8410c6 100644
--- a/src/web/import-certificate.jsp
+++ b/src/web/import-certificate.jsp
@@ -1,5 +1,6 @@
 <%@ page import="org.jivesoftware.util.CertificateManager,
                 org.jivesoftware.util.ParamUtils,
+                org.jivesoftware.util.StringUtils,
                 org.jivesoftware.openfire.XMPPServer,
                 org.jivesoftware.openfire.net.SSLConfig,
                 java.io.ByteArrayInputStream,
@@ -114,7 +115,7 @@
           <td class="jive-icon-label">
           <fmt:message key="ssl.import.certificate.error.import" />
           <%  if (e != null && e.getMessage() != null) { %>
-              <fmt:message key="ssl.certificates.error_messenge" />: <%= e.getMessage() %>
+              <fmt:message key="ssl.certificates.error_messenge" />: <%= StringUtils.escapeHTMLTags(e.getMessage()) %>
           <%  } %>
           </td></tr>
       </tbody>
diff --git a/src/web/log.jsp b/src/web/log.jsp
index f99dac87ed..34ed1a59b4 100644
--- a/src/web/log.jsp
+++ b/src/web/log.jsp
@@ -156,7 +156,7 @@
 
 <html>
 <head>
-    <title><%= log %></title>
+    <title><%= StringUtils.escapeHTMLTags(log) %></title>
     <meta name="decorator" content="none"/>
     <style type="text/css">
     .log TABLE {
@@ -239,4 +239,4 @@
 </div>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/login.jsp b/src/web/login.jsp
index 7a78c717f9..21afe347c9 100644
--- a/src/web/login.jsp
+++ b/src/web/login.jsp
@@ -191,7 +191,7 @@
 
 <%  if (url != null) { try { %>
 
-    <input type="hidden" name="url" value="<%= url %>">
+    <input type="hidden" name="url" value="<%= StringUtils.escapeForXML(url) %>">
 
 <%  } catch (Exception e) { Log.error(e); } } %>
 
diff --git a/src/web/logviewer.jsp b/src/web/logviewer.jsp
index 607ac4161e..ca2f558eff 100644
--- a/src/web/logviewer.jsp
+++ b/src/web/logviewer.jsp
@@ -21,6 +21,7 @@
 <%@ page import="java.io.*,
                  org.jivesoftware.util.*,
                  java.text.*,
+                 java.net.URLEncoder,
                  org.jivesoftware.util.JiveGlobals,
                  org.jivesoftware.openfire.user.*,
                  java.util.*"
@@ -250,7 +251,7 @@ IFRAME {
 </style>
 
 <form action="logviewer.jsp" name="logViewer" method="get">
-<input type="hidden" name="log" value="<%= log %>">
+<input type="hidden" name="log" value="<%= StringUtils.escapeForXML(log) %>">
 
 <div class="logviewer">
 <table cellpadding="0" cellspacing="0" border="0" width="100%">
@@ -309,7 +310,7 @@ IFRAME {
             <table cellpadding="3" cellspacing="0" border="0" width="100%">
             <tr>
                 <td nowrap><fmt:message key="logviewer.log" /></td>
-                <td nowrap><b><%= logFile.getName() %></b> (<%= byteFormatter.format(logFile.length()) %>)</td>
+                <td nowrap><b><%= StringUtils.escapeHTMLTags(logFile.getName()) %></b> (<%= byteFormatter.format(logFile.length()) %>)</td>
                 <td width="96%" rowspan="3">&nbsp;</td>
                 <td nowrap><fmt:message key="logviewer.order" /></td>
                 <td nowrap>
@@ -446,7 +447,7 @@ IFRAME {
 
 <br><br>
 
-<iframe src="log.jsp?log=<%= log %>&mode=<%= mode %>&lines=<%= ("All".equals(numLinesParam) ? "All" : String.valueOf(numLines)) %>"
+<iframe src="log.jsp?log=<%= URLEncoder.encode(log) %>&mode=<%= URLEncoder.encode(mode) %>&lines=<%= ("All".equals(numLinesParam) ? "All" : String.valueOf(numLines)) %>"
     frameborder="0" height="400" width="100%" marginheight="0" marginwidth="0" scrolling="auto"></iframe>
 
 </form>
@@ -454,4 +455,4 @@ IFRAME {
 </div>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/manage-updates.jsp b/src/web/manage-updates.jsp
index cf2acb46cb..20ca2d45a5 100644
--- a/src/web/manage-updates.jsp
+++ b/src/web/manage-updates.jsp
@@ -23,6 +23,7 @@
 <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.openfire.XMPPServer,
                  org.jivesoftware.openfire.update.UpdateManager,
                  java.util.HashMap,
@@ -233,7 +234,7 @@ else if (updateSucess) { %>
 							</td>
 							<td width="99%">
 								<input type="text" size="15" maxlength="70" name="proxyHost"
-								 value="<%= ((proxyHost != null) ? proxyHost : "") %>">
+								 value="<%= ((proxyHost != null) ? StringUtils.escapeForXML(proxyHost) : "") %>">
 							</td>
 						</tr>
 						<tr valign="top">
diff --git a/src/web/media-proxy.jsp b/src/web/media-proxy.jsp
index 29fc0234ea..b49f25b371 100644
--- a/src/web/media-proxy.jsp
+++ b/src/web/media-proxy.jsp
@@ -20,6 +20,7 @@
 
 <%@ page import="org.jivesoftware.util.JiveGlobals" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.mediaproxy.MediaProxyService" %>
 <%@ page import="org.jivesoftware.openfire.mediaproxy.MediaProxySession" %>
@@ -292,7 +293,7 @@
                     <%= i %>
                 </td>
                 <td width="10%" align="left" valign="middle">
-                    <%=proxySession.getCreator()%>
+                    <%= StringUtils.escapeHTMLTags(proxySession.getCreator())%>
                 </td>
                 <td width="15%" align="left" valign="middle">
                     <%=proxySession.getHostA()%>:<%=proxySession.getLocalPortA()%>
@@ -328,4 +329,4 @@
 <% } // end enabled check %>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/muc-create-permission.jsp b/src/web/muc-create-permission.jsp
index d326c2ac33..6d94bdc2d1 100644
--- a/src/web/muc-create-permission.jsp
+++ b/src/web/muc-create-permission.jsp
@@ -121,7 +121,7 @@
 
 <p>
 <fmt:message key="muc.create.permission.info" />
-<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
+<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
 </p>
 
 <%  if (errors.size() > 0) { %>
@@ -166,7 +166,7 @@
 
 <!-- BEGIN 'Permission Policy' -->
 <form action="muc-create-permission.jsp?save" method="post">
-    <input type="hidden" name="mucname" value="<%= mucname %>" />
+    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.create.permission.policy" />
 	</div>
@@ -205,7 +205,7 @@
 <%  if (mucService.isRoomCreationRestricted()) { %>
 <!-- BEGIN 'Allowed Users' -->
 <form action="muc-create-permission.jsp?add" method="post">
-    <input type="hidden" name="mucname" value="<%= mucname %>" />
+    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.create.permission.allowed_users" />
 	</div>
@@ -262,4 +262,4 @@
 
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/muc-default-settings.jsp b/src/web/muc-default-settings.jsp
index 150061ee40..9dba42c052 100644
--- a/src/web/muc-default-settings.jsp
+++ b/src/web/muc-default-settings.jsp
@@ -149,7 +149,7 @@
 
 <p>
 <fmt:message key="muc.default.settings.info" />
-<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
+<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
 </p>
 
 <%  if (errors.size() > 0) { %>
@@ -182,7 +182,7 @@
 
 <!-- BEGIN 'Default Room Settings' -->
 <form action="muc-default-settings.jsp?save" method="post">
-    <input type="hidden" name="mucname" value="<%= mucname %>" />
+    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
         <fmt:message key="muc.default.settings.title" />
     </div>
diff --git a/src/web/muc-history-settings.jsp b/src/web/muc-history-settings.jsp
index c03da28628..9b5d4398d1 100644
--- a/src/web/muc-history-settings.jsp
+++ b/src/web/muc-history-settings.jsp
@@ -115,7 +115,7 @@
 
 <p>
 <fmt:message key="groupchat.history.settings.introduction" />
-<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
+<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
 </p>
 
 <%  if ("true".equals(request.getParameter("success"))) { %>
@@ -135,7 +135,7 @@
 
 <!-- BEGIN 'History Settings' -->
 <form action="muc-history-settings.jsp" method="post">
-    <input type="hidden" name="mucname" value="<%= mucname %>" />
+    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="groupchat.history.settings.legend" />
 	</div>
@@ -187,4 +187,4 @@
 
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/muc-room-affiliations.jsp b/src/web/muc-room-affiliations.jsp
index aa6df471b2..dc451de20a 100644
--- a/src/web/muc-room-affiliations.jsp
+++ b/src/web/muc-room-affiliations.jsp
@@ -23,6 +23,7 @@
                  org.jivesoftware.openfire.muc.MUCRoom,
                  org.jivesoftware.openfire.muc.NotAllowedException,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
                  org.xmpp.packet.IQ"
     errorPage="error.jsp"
 %>
@@ -250,10 +251,10 @@
             <tr>
                 <td>&nbsp;</td>
                 <td>
-                    <%= userDisplay %>
+                    <%= StringUtils.escapeHTMLTags(userDisplay) %>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= user %>&delete=true&affiliation=owner"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=owner"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -282,10 +283,10 @@
             <tr>
                 <td>&nbsp;</td>
                 <td>
-                    <%= userDisplay %>
+                    <%= StringUtils.escapeHTMLTags(userDisplay) %>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= user %>&delete=true&affiliation=admin"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=admin"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -316,10 +317,10 @@
             <tr>
                 <td>&nbsp;</td>
                 <td>
-                    <%= userDisplay %><%=  nickname %>
+                    <%= StringUtils.escapeHTMLTags(userDisplay) %><%=  StringUtils.escapeHTMLTags(nickname) %>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= user %>&delete=true&affiliation=member"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=member"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -348,10 +349,10 @@
             <tr>
                 <td>&nbsp;</td>
                 <td>
-                    <%= userDisplay %>
+                    <%= StringUtils.escapeHTMLTags(userDisplay) %>
                 </td>
                 <td width="1%" align="center">
-                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= user %>&delete=true&affiliation=outcast"
+                    <a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=outcast"
                      title="<fmt:message key="global.click_delete" />"
                      onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
                      ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
diff --git a/src/web/muc-room-delete.jsp b/src/web/muc-room-delete.jsp
index 450717e73c..767f2d0413 100644
--- a/src/web/muc-room-delete.jsp
+++ b/src/web/muc-room-delete.jsp
@@ -88,12 +88,12 @@
 
 <p>
 <fmt:message key="muc.room.delete.info" />
-<b><a href="muc-room-edit-form.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>"><%= room.getJID().toBareJID() %></a></b>
+<b><a href="muc-room-edit-form.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(room.getJID().toBareJID()) %></a></b>
 <fmt:message key="muc.room.delete.detail" />
 </p>
 
 <form action="muc-room-delete.jsp">
-<input type="hidden" name="roomJID" value="<%= roomJID.toBareJID() %>">
+<input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
 
 <fieldset>
     <legend><fmt:message key="muc.room.delete.destructon_title" /></legend>
@@ -105,7 +105,7 @@
                 <fmt:message key="muc.room.delete.room_id" />
             </td>
             <td>
-                <%= room.getJID().toBareJID() %>
+                <%= StringUtils.escapeHTMLTags(room.getJID().toBareJID()) %>
             </td>
         </tr>
         <tr>
@@ -136,4 +136,4 @@
 </form>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/muc-room-edit-form.jsp b/src/web/muc-room-edit-form.jsp
index 5cf2eb8892..d5f7c90555 100644
--- a/src/web/muc-room-edit-form.jsp
+++ b/src/web/muc-room-edit-form.jsp
@@ -18,6 +18,7 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
                  java.text.DateFormat,
                  java.util.*,
                  org.jivesoftware.openfire.muc.MUCRoom,
@@ -424,7 +425,7 @@
     </thead>
     <tbody>
         <tr>
-            <td><%= room.getName() %></td>
+            <td><%= StringUtils.escapeHTMLTags(room.getName()) %></td>
             <% if (room.getOccupantsCount() == 0) { %>
             <td><%= room.getOccupantsCount() %> / <%= room.getMaxUsers() %></td>
             <% } else { %>
@@ -443,7 +444,7 @@
 <%  } %>
 <form action="muc-room-edit-form.jsp">
 <% if (!create) { %>
-    <input type="hidden" name="roomJID" value="<%= roomJID.toBareJID() %>">
+    <input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
 <% } %>
 <input type="hidden" name="save" value="true">
 <input type="hidden" name="create" value="<%= create %>">
@@ -456,12 +457,12 @@
                 <% if (create) { %>
                 <tr>
                     <td><fmt:message key="muc.room.edit.form.room_id" />:</td>
-                    <td><input type="text" name="roomName" value="<%= roomName %>">
+                    <td><input type="text" name="roomName" value="<%= StringUtils.escapeForXML(roomName) %>">
                         <% if (webManager.getMultiUserChatManager().getMultiUserChatServicesCount() > 1) { %>
                         @<select name="mucName">
                         <% for (MultiUserChatService service : webManager.getMultiUserChatManager().getMultiUserChatServices()) { %>
                         <%      if (service.isHidden()) continue; %>
-                        <option value="<%= service.getServiceDomain() %>"<%= service.getServiceDomain().equals(mucName) ? " selected='selected'" : "" %>><%= service.getServiceDomain() %></option>
+                        <option value="<%= StringUtils.escapeForXML(service.getServiceDomain()) %>"<%= service.getServiceDomain().equals(mucName) ? " selected='selected'" : "" %>><%= StringUtils.escapeHTMLTags(service.getServiceDomain()) %></option>
                         <% } %>
                         </select>
                         <% } else { %>
@@ -472,7 +473,7 @@
                                     // Private and hidden, skip it.
                                     continue;
                                 }
-                                out.print("<input type='hidden' name='mucName' value='"+service.getServiceDomain()+"'/>"+service.getServiceDomain());
+                                out.print("<input type='hidden' name='mucName' value='"+StringUtils.escapeForXML(service.getServiceDomain())+"'/>"+StringUtils.escapeHTMLTags(service.getServiceDomain()));
                                 break;
                             }
                         %>
@@ -482,22 +483,22 @@
                 <% } else { %>
                 <tr>
                    <td><fmt:message key="muc.room.edit.form.service" />:</td>
-                   <td><%= roomJID.getDomain() %></td>
+                   <td><%= StringUtils.escapeHTMLTags(roomJID.getDomain()) %></td>
                </tr>
                 <% } %>
                  <tr>
                     <td><fmt:message key="muc.room.edit.form.room_name" />:</td>
-                    <td><input type="text" name="roomconfig_roomname" value="<%= (naturalName == null ? "" : naturalName) %>">
+                    <td><input type="text" name="roomconfig_roomname" value="<%= (naturalName == null ? "" : StringUtils.escapeForXML(naturalName)) %>">
                     </td>
                 </tr>
                  <tr>
                     <td><fmt:message key="muc.room.edit.form.description" />:</td>
-                    <td><input name="roomconfig_roomdesc" value="<%= (description == null ? "" : description) %>" type="text" size="40">
+                    <td><input name="roomconfig_roomdesc" value="<%= (description == null ? "" : StringUtils.escapeForXML(description)) %>" type="text" size="40">
                     </td>
                 </tr>
                  <tr>
                     <td><fmt:message key="muc.room.edit.form.topic" />:</td>
-                    <td><input name="room_topic" value="<%= (roomSubject == null ? "" : roomSubject) %>" type="text" size="40">
+                    <td><input name="room_topic" value="<%= (roomSubject == null ? "" : StringUtils.escapeForXML(roomSubject)) %>" type="text" size="40">
                     </td>
                 </tr>
                  <tr>
diff --git a/src/web/muc-room-occupants.jsp b/src/web/muc-room-occupants.jsp
index d54ae0b037..db5ef249b7 100644
--- a/src/web/muc-room-occupants.jsp
+++ b/src/web/muc-room-occupants.jsp
@@ -20,9 +20,9 @@
 <%@ page import="org.jivesoftware.openfire.muc.MUCRole,
                  org.jivesoftware.openfire.muc.MUCRoom,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
                  java.net.URLEncoder,
-                 java.text.DateFormat,
-                 java.util.List"
+                 java.text.DateFormat"
     errorPage="error.jsp"
 %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
@@ -50,23 +50,19 @@
 
     // Kick nick specified
     if (kick != null) {
-        List<MUCRole> roles = room.getOccupantsByNickname(nickName);
-        if (roles != null && roles.size() > 0) {
+        MUCRole role = room.getOccupant(nickName);
+        if (role != null) {
             try {
-            	for (MUCRole role : roles) {
-                    room.kickOccupant(role.getUserAddress(), XMPPServer.getInstance().createJID(webManager.getUser().getUsername(), null), "");
-            	}
+                room.kickOccupant(role.getUserAddress(), XMPPServer.getInstance().createJID(webManager.getUser().getUsername(), null), "");
                 // Log the event
                 webManager.logEvent("kicked MUC occupant "+nickName+" from "+roomName, null);
                 // Done, so redirect
-                response.sendRedirect("muc-room-occupants.jsp?roomJID="+URLEncoder.encode(room.getJID().toBareJID(), "UTF-8")+
-                	"&nickName="+URLEncoder.encode(nickName, "UTF-8")+"&deletesuccess=true");
+                response.sendRedirect("muc-room-occupants.jsp?roomJID="+URLEncoder.encode(room.getJID().toBareJID(), "UTF-8")+"&nickName="+URLEncoder.encode(role.getNickname(), "UTF-8")+"&deletesuccess=true");
                 return;
             }
             catch (NotAllowedException e) {
                 // Done, so redirect
-                response.sendRedirect("muc-room-occupants.jsp?roomJID="+URLEncoder.encode(room.getJID().toBareJID(), "UTF-8")+
-                	"&nickName="+URLEncoder.encode(nickName, "UTF-8")+"&deletefailed=true");
+                response.sendRedirect("muc-room-occupants.jsp?roomJID="+URLEncoder.encode(room.getJID().toBareJID(), "UTF-8")+"&nickName="+URLEncoder.encode(role.getNickname(), "UTF-8")+"&deletefailed=true");
                 return;
             }
         }
@@ -96,7 +92,7 @@
             <tr><td class="jive-icon"><img src="images/success-16x16.gif" width="16" height="16" border="0" alt=""></td>
             <td class="jive-icon-label">
             <fmt:message key="muc.room.occupants.kicked">
-                <fmt:param value="<%= nickName %>"/>
+                <fmt:param value="<%= StringUtils.escapeForXML(nickName) %>"/>
             </fmt:message>
             </td></tr>
         </tbody>
@@ -113,7 +109,7 @@
             <tr><td class="jive-icon"><img src="images/error-16x16.gif" width="16" height="16" border="0" alt=""></td>
             <td class="jive-icon-label">
             <fmt:message key="muc.room.occupants.kickfailed">
-                <fmt:param value="<%= nickName %>"/>
+                <fmt:param value="<%= StringUtils.escapeForXML(nickName) %>"/>
             </fmt:message>
             </td></tr>
         </tbody>
@@ -134,7 +130,7 @@
     </thead>
     <tbody>
         <tr>
-            <td><%= room.getName() %></td>
+            <td><%= StringUtils.escapeHTMLTags(room.getName()) %></td>
             <td><%= room.getOccupantsCount() %> / <%= room.getMaxUsers() %></td>
             <td><%= dateFormatter.format(room.getCreationDate()) %></td>
             <td><%= dateFormatter.format(room.getModificationDate()) %></td>
@@ -162,10 +158,10 @@
     <tbody>
         <% for (MUCRole role : room.getOccupants()) { %>
         <tr>
-            <td><%= role.getUserAddress() %></td>
-            <td><%= role.getNickname() %></td>
-            <td><%= role.getRole() %></td>
-            <td><%= role.getAffiliation() %></td>
+            <td><%= StringUtils.escapeHTMLTags(role.getUserAddress().toString()) %></td>
+            <td><%= StringUtils.escapeHTMLTags(role.getNickname().toString()) %></td>
+            <td><%= StringUtils.escapeHTMLTags(role.getRole().toString()) %></td>
+            <td><%= StringUtils.escapeHTMLTags(role.getAffiliation().toString()) %></td>
             <td><a href="muc-room-occupants.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>&nickName=<%= URLEncoder.encode(role.getNickname(), "UTF-8") %>&kick=1" title="<fmt:message key="muc.room.occupants.kick"/>"><img src="images/delete-16x16.gif" alt="<fmt:message key="muc.room.occupants.kick"/>" border="0" width="16" height="16"/></a></td>
         </tr>
         <% } %>
diff --git a/src/web/muc-room-summary.jsp b/src/web/muc-room-summary.jsp
index 6b31449e6e..cfd14f24d0 100644
--- a/src/web/muc-room-summary.jsp
+++ b/src/web/muc-room-summary.jsp
@@ -91,7 +91,7 @@
 
 <p>
 <fmt:message key="muc.room.summary.info" />
-<a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucService.getServiceName(), "UTF-8")%>"><%= mucService.getServiceDomain() %></a>
+<a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucService.getServiceName(), "UTF-8")%>"><%= StringUtils.escapeHTMLTags(mucService.getServiceDomain()) %></a>
 <fmt:message key="muc.room.summary.info2" />
 </p>
 
@@ -128,7 +128,7 @@
         continue;
     }
 %>
-    <option value="<%= service.getServiceName() %>"<%= mucService.getServiceName().equals(service.getServiceName()) ? " selected='selected'" : "" %>><%= service.getServiceDomain() %></option>
+    <option value="<%= StringUtils.escapeForXML(service.getServiceName()) %>"<%= mucService.getServiceName().equals(service.getServiceName()) ? " selected='selected'" : "" %>><%= StringUtils.escapeHTMLTags(service.getServiceDomain()) %></option>
 <% } %>
     </select>
 <% } %>
@@ -144,7 +144,7 @@
             String sep = ((i+1)<numPages) ? " " : "";
             boolean isCurrent = (i+1) == curPage;
     %>
-        <a href="muc-room-summary.jsp?mucname=<%= mucname == null ? "" : mucname %>&start=<%= (i*range) %>"
+        <a href="muc-room-summary.jsp?mucname=<%= mucname == null ? "" : URLEncoder.encode(mucname) %>&start=<%= (i*range) %>"
          class="<%= ((isCurrent) ? "jive-current" : "") %>"
          ><%= (i+1) %></a><%= sep %>
 
@@ -248,7 +248,7 @@
             String sep = ((i+1)<numPages) ? " " : "";
             boolean isCurrent = (i+1) == curPage;
     %>
-        <a href="muc-room-summary.jsp?mucname=<%= mucname == null ? "" : mucname %>&start=<%= (i*range) %>"
+        <a href="muc-room-summary.jsp?mucname=<%= mucname == null ? "" : URLEncoder.encode(mucname) %>&start=<%= (i*range) %>"
          class="<%= ((isCurrent) ? "jive-current" : "") %>"
          ><%= (i+1) %></a><%= sep %>
 
@@ -259,4 +259,4 @@
 <%  } %>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/muc-service-delete.jsp b/src/web/muc-service-delete.jsp
index f1d8416f26..89f0b655a8 100644
--- a/src/web/muc-service-delete.jsp
+++ b/src/web/muc-service-delete.jsp
@@ -73,12 +73,12 @@
 
 <p>
 <fmt:message key="muc.service.delete.info" />
-<b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
+<b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
 <fmt:message key="muc.service.delete.detail" />
 </p>
 
 <form action="muc-service-delete.jsp">
-<input type="hidden" name="mucname" value="<%= mucname %>">
+<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">
 
 <fieldset>
     <legend><fmt:message key="muc.service.delete.destructon_title" /></legend>
@@ -90,7 +90,7 @@
                 <fmt:message key="muc.service.delete.service_name" />
             </td>
             <td>
-                <%= mucname %>
+                <%= StringUtils.escapeHTMLTags(mucname) %>
             </td>
         </tr>
         <tr>
@@ -113,4 +113,4 @@
 </form>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/muc-service-edit-form.jsp b/src/web/muc-service-edit-form.jsp
index 3cfbf13270..f3c0608d9a 100644
--- a/src/web/muc-service-edit-form.jsp
+++ b/src/web/muc-service-edit-form.jsp
@@ -17,7 +17,8 @@
   - limitations under the License.
 --%>
 
-<%@ page import="org.jivesoftware.util.ParamUtils,
+<%@ page import="org.jivesoftware.util.StringUtils,
+                 org.jivesoftware.util.ParamUtils,
                  org.jivesoftware.util.AlreadyExistsException,
                  java.util.*"
     errorPage="error.jsp"
@@ -147,7 +148,7 @@
 <form action="muc-service-edit-form.jsp" method="post">
 <input type="hidden" name="save" value="true">
 <% if (!create) { %>
-<input type="hidden" name="mucname" value="<%= mucname %>">
+<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">
 <% } else { %>
 <input type="hidden" name="create" value="true" />
 <% } %>
@@ -163,7 +164,7 @@
                 </td>
                 <td>
                     <% if (create) { %>
-                    <input type="text" size="30" maxlength="150" name="mucname" value="<%= (mucname != null ? mucname : "") %>">
+                    <input type="text" size="30" maxlength="150" name="mucname" value="<%= (mucname != null ? StringUtils.escapeForXML(mucname) : "") %>">
 
                     <%  if (errors.get("mucname") != null) { %>
 
@@ -173,7 +174,7 @@
 
                     <%  } %>
                     <% } else { %>
-                    <%= mucname %>
+                    <%= StringUtils.escapeHTMLTags(mucname) %>
                     <% } %>
                 </td>
             </tr>
@@ -182,7 +183,7 @@
                    <fmt:message key="groupchat.service.properties.label_service_description" />
                 </td>
                 <td>
-                    <input type="text" size="30" maxlength="150" name="mucdesc" value="<%= (mucdesc != null ? mucdesc : "") %>">
+                    <input type="text" size="30" maxlength="150" name="mucdesc" value="<%= (mucdesc != null ? StringUtils.escapeForXML(mucdesc) : "") %>">
                 </td>
             </tr>
         </table>
@@ -193,4 +194,4 @@
 
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/muc-service-summary.jsp b/src/web/muc-service-summary.jsp
index 2c6ef73c41..0ccd59ddac 100644
--- a/src/web/muc-service-summary.jsp
+++ b/src/web/muc-service-summary.jsp
@@ -19,7 +19,8 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.LocaleUtils,
-                 org.jivesoftware.util.ParamUtils"
+                 org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils"
 %><%@ page import="org.xmpp.packet.JID"%>
 <%@ page import="java.net.URLEncoder" %>
 <%@ page import="org.jivesoftware.openfire.muc.MultiUserChatService" %>
@@ -196,7 +197,7 @@
             <%= i %>
         </td>
         <td width="23%">
-            <a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= JID.unescapeNode(service.getServiceName()) %></a>
+            <a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(service.getServiceName())) %></a>
         </td>
         <td width="33%">
             <%= service.getDescription() %> &nbsp;
diff --git a/src/web/muc-sysadmins.jsp b/src/web/muc-sysadmins.jsp
index 9a0cfa1d22..02dc90db4a 100644
--- a/src/web/muc-sysadmins.jsp
+++ b/src/web/muc-sysadmins.jsp
@@ -88,7 +88,7 @@
 
 <p>
 <fmt:message key="groupchat.admins.introduction" />
-<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
+<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
 </p>
 
 <%  if ("true".equals(request.getParameter("deletesuccess"))) { %>
@@ -135,13 +135,13 @@
 
 <!-- BEGIN 'Administrators' -->
 <form action="muc-sysadmins.jsp?add" method="post">
-    <input type="hidden" name="mucname" value="<%= mucname %>" />
+    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="groupchat.admins.legend" />
 	</div>
 	<div class="jive-contentBox">
 		<label for="userJIDtf"><fmt:message key="groupchat.admins.label_add_admin" /></label>
-		<input type="text" name="userJID" size="30" maxlength="100" value="<%= (userJID != null ? userJID : "") %>"
+		<input type="text" name="userJID" size="30" maxlength="100" value="<%= (userJID != null ? StringUtils.escapeForXML(userJID) : "") %>"
 		 id="userJIDtf">
 		<input type="submit" value="<fmt:message key="groupchat.admins.add" />">
 		<br><br>
@@ -171,10 +171,10 @@
 	            %>
 					<tr>
 						<td width="99%">
-							<%= userDisplay %>
+							<%= StringUtils.escapeHTMLTags(userDisplay) %>
 						</td>
 						<td width="1%" align="center">
-							<a href="muc-sysadmins.jsp?userJID=<%= user.toString() %>&delete=true&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
+							<a href="muc-sysadmins.jsp?userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
 							 title="<fmt:message key="groupchat.admins.dialog.title" />"
 							 onclick="return confirm('<fmt:message key="groupchat.admins.dialog.text" />');"
 							 ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -191,4 +191,4 @@
 
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/muc-tasks.jsp b/src/web/muc-tasks.jsp
index d81fcd0f95..fc144eeeea 100644
--- a/src/web/muc-tasks.jsp
+++ b/src/web/muc-tasks.jsp
@@ -137,7 +137,7 @@
 
 <p>
 <fmt:message key="muc.tasks.info" />
-<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
+<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
 </p>
 
 <%  if (kickSettingSuccess || logSettingSuccess) { %>
@@ -187,7 +187,7 @@
 
 <!-- BEGIN 'Idle User Settings' -->
 <form action="muc-tasks.jsp?kickSettings" method="post">
-    <input type="hidden" name="mucname" value="<%= mucname %>" />
+    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.tasks.user_setting" />
 	</div>
@@ -228,7 +228,7 @@
 
 <!-- BEGIN 'Conversation Logging' -->
 <form action="muc-tasks.jsp?logSettings" method="post">
-    <input type="hidden" name="mucname" value="<%= mucname %>" />
+    <input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
     <div class="jive-contentBoxHeader">
 		<fmt:message key="muc.tasks.conversation.logging" />
 	</div>
@@ -261,4 +261,4 @@
 
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/security-audit-viewer.jsp b/src/web/security-audit-viewer.jsp
index c59449734b..634c61efea 100644
--- a/src/web/security-audit-viewer.jsp
+++ b/src/web/security-audit-viewer.jsp
@@ -116,7 +116,7 @@
     </select>
     &nbsp;&nbsp;
     <strong><fmt:message key="security.audit.viewer.username" /></strong>:
-    <input type="text" size="30" maxlength="150" name="username" value="<%= username != null ? username : "" %>"/>
+    <input type="text" size="30" maxlength="150" name="username" value="<%= username != null ? StringUtils.escapeForXML(username) : "" %>"/>
     <br/>
     <strong><fmt:message key="security.audit.viewer.date_range"/></strong>:
     <fmt:message key="security.audit.viewer.date_range.start"/>:
@@ -164,7 +164,7 @@
             <%= event.getMsgID() %>
         </td>
         <td width="10%">
-            <a href="user-properties.jsp?username=<%= URLEncoder.encode(event.getUsername(), "UTF-8") %>"><%= JID.unescapeNode(event.getUsername()) %></a>
+            <a href="user-properties.jsp?username=<%= URLEncoder.encode(event.getUsername(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(event.getUsername())) %></a>
         </td>
         <td width="15%">
             <%= event.getNode() %>
diff --git a/src/web/server-properties.jsp b/src/web/server-properties.jsp
index 8323e9887b..d1cfe3bd70 100644
--- a/src/web/server-properties.jsp
+++ b/src/web/server-properties.jsp
@@ -298,7 +298,7 @@ function dodelete(propName) {
 
         <td>
             <div class="hidebox" style="width:200px;">
-                <span title="<%= StringUtils.escapeHTMLTags(n) %>">
+                <span title="<%= StringUtils.escapeForXML(n) %>">
                 <%= StringUtils.escapeHTMLTags(n) %>
                 </span>
             </div>
@@ -368,12 +368,12 @@ function dodelete(propName) {
         <td>
             <%  if (edit) { %>
 
-                <input type="hidden" name="propName" value="<%= StringUtils.escapeHTMLTags(propName) %>">
+                <input type="hidden" name="propName" value="<%= StringUtils.escapeForXML(propName) %>">
                 <%= StringUtils.escapeHTMLTags(propName) %>
 
             <%  } else { %>
 
-                <input type="text" name="propName" size="40" maxlength="100" value="<%= (propName != null ? StringUtils.escapeHTMLTags(propName) : "") %>">
+                <input type="text" name="propName" size="40" maxlength="100" value="<%= (propName != null ? StringUtils.escapeForXML(propName) : "") %>">
 
                 <%  if (errors.containsKey("propName")) { %>
 
@@ -432,4 +432,4 @@ function dodelete(propName) {
 <br><br><br><br><br><br>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/server-session-row.jspf b/src/web/server-session-row.jspf
index f32d6d4c9b..9b30149311 100644
--- a/src/web/server-session-row.jspf
+++ b/src/web/server-session-row.jspf
@@ -5,6 +5,7 @@
 
 <%@ page import="org.jivesoftware.openfire.session.IncomingServerSession,
                  org.jivesoftware.util.JiveGlobals,
+                 org.jivesoftware.util.StringUtils,
                  java.net.URLEncoder,
                  java.util.Calendar,
                  java.util.Date"%>
@@ -38,8 +39,8 @@
     <td width="47%" nowrap>
         <table cellpadding="0" cellspacing="0" border="0">
             <tr>
-            <td width="1%" ><img src="getFavicon?host=<%=host%>" width="16" height="16" alt=""></td>
-            <td><a href="server-session-details.jsp?hostname=<%= URLEncoder.encode(host, "UTF-8") %>" title="<fmt:message key='session.row.cliked' />"><%= host %></a></td>
+            <td width="1%" ><img src="getFavicon?host=<%=URLEncoder.encode(host, "UTF-8")%>" width="16" height="16" alt=""></td>
+            <td><a href="server-session-details.jsp?hostname=<%= URLEncoder.encode(host, "UTF-8") %>" title="<fmt:message key='session.row.cliked' />"><%= StringUtils.escapeHTMLTags(host) %></a></td>
             </tr>
         </table>
     </td>
@@ -124,4 +125,4 @@
          onclick="return confirm('<fmt:message key="session.row.confirm_close" />');"
          ><img src="images/delete-16x16.gif" width="16" height="16" border="0"></a>
     </td>
-</tr>
\ No newline at end of file
+</tr>
diff --git a/src/web/session-details.jsp b/src/web/session-details.jsp
index 2bb7fb3bf9..185ae9c138 100644
--- a/src/web/session-details.jsp
+++ b/src/web/session-details.jsp
@@ -25,6 +25,7 @@
                  org.jivesoftware.openfire.user.UserManager,
                  org.jivesoftware.util.JiveGlobals,
                  org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
                  java.text.NumberFormat,
                  java.util.Collection"
     errorPage="error.jsp"
@@ -114,7 +115,7 @@
             <fmt:message key="session.details.session_id" />
         </td>
         <td>
-            <%= StringUtils.escapeForXML(address.toString()) %>
+            <%= StringUtils.escapeHTMLTags(address.toString()) %>
         </td>
     </tr>
     <tr>
@@ -125,11 +126,11 @@
             <%  String n = address.getNode(); %>
             <%  if (isAnonymous) { %>
 
-                <i> <fmt:message key="session.details.anonymous" /> </i> - <%= address.getResource()==null?"":StringUtils.escapeForXML(address.getResource()) %>
+                <i> <fmt:message key="session.details.anonymous" /> </i> - <%= address.getResource()==null?"":StringUtils.escapeHTMLTags(address.getResource()) %>
 
             <%  } else { %>
 
-                <a href="user-properties.jsp?username=<%= URLEncoder.encode(n, "UTF-8") %>"><%= JID.unescapeNode(n) %></a>
+                <a href="user-properties.jsp?username=<%= URLEncoder.encode(n, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(n)) %></a>
                 - <%= address.getResource()==null?"":StringUtils.escapeForXML(address.getResource()) %>
 
             <%  } %>
@@ -190,7 +191,7 @@
                 Presence.Show show = currentSess.getPresence().getShow();
                 String statusTxt = currentSess.getPresence().getStatus();
                 if (statusTxt != null) {
-                    statusTxt = " -- " + StringUtils.escapeForXML(statusTxt);
+                    statusTxt = " -- " + StringUtils.escapeHTMLTags(statusTxt);
                 }
                 else {
                     statusTxt = "";
@@ -360,4 +361,4 @@
 </form>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/session-row.jspf b/src/web/session-row.jspf
index dc895efcb4..bb6cf21eff 100644
--- a/src/web/session-row.jspf
+++ b/src/web/session-row.jspf
@@ -39,7 +39,7 @@
             ><%= ((!sessionManager.isAnonymousRoute(sess.getUsername())) ? JID.unescapeNode(name): "<i>"+LocaleUtils.getLocalizedString("session.details.anonymous")+"</i>") %></a>
     </td>
     <td width="15%" nowrap>
-        <%= StringUtils.escapeForXML(sess.getAddress().getResource()) %>
+        <%= StringUtils.escapeHTMLTags(sess.getAddress().getResource()) %>
     </td>
     <td nowrap>
             <% if (sess instanceof LocalClientSession) { %>
@@ -94,7 +94,7 @@
         <td width="46%">
             <%  if (_stat != null) { %>
 
-                <%= _stat %>
+                <%= StringUtils.escapeHTMLTags(_stat) %>
 
             <%  } else { %>
 
@@ -120,7 +120,7 @@
         <td width="46%">
             <%  if (_stat != null) { %>
 
-                <%= sess.getPresence().getStatus() %>
+                <%= StringUtils.escapeHTMLTags(sess.getPresence().getStatus()) %>
 
             <%  } else { %>
 
@@ -146,7 +146,7 @@
         <td width="46%">
             <%  if (_stat != null) { %>
 
-                <%= sess.getPresence().getStatus() %>
+                <%= StringUtils.escapeHTMLTags(sess.getPresence().getStatus()) %>
 
             <%  } else { %>
 
@@ -177,4 +177,4 @@
          onclick="return confirm('<fmt:message key="session.row.confirm_close" />');"
          ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
     </td>
-</tr>
\ No newline at end of file
+</tr>
diff --git a/src/web/session-summary.jsp b/src/web/session-summary.jsp
index 2b8694e8df..de90708c89 100644
--- a/src/web/session-summary.jsp
+++ b/src/web/session-summary.jsp
@@ -290,4 +290,4 @@
 </p>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/ssl-certificates.jsp b/src/web/ssl-certificates.jsp
index 05805fe5b1..7e12294ec7 100644
--- a/src/web/ssl-certificates.jsp
+++ b/src/web/ssl-certificates.jsp
@@ -14,6 +14,7 @@
 <%@ page import="java.util.HashMap" %>
 <%@ page import="java.util.LinkedHashMap" %>
 <%@ page import="java.util.Map" %>
+<%@ page import="java.net.URLEncoder" %>
 <%@ page import="org.jivesoftware.openfire.container.PluginManager" %>
 <%@ page import="org.jivesoftware.openfire.container.AdminConsolePlugin" %>
 <%@ page import="java.io.IOException" %>
@@ -356,7 +357,7 @@
       <tr valign="top">
           <td id="rs<%=i%>" width="1" rowspan="1"><%= (i) %>.</td>
           <td>
-              <%= identities.toString() %> (<%= a %>)
+              <%= StringUtils.escapeHTMLTags(identities.toString()) %> (<%= StringUtils.escapeHTMLTags(a) %>)
           </td>
           <td>
               <% boolean expired = c.getNotAfter().before(new Date());
@@ -388,7 +389,7 @@
               <%= c.getPublicKey().getAlgorithm() %>
           </td>
           <td width="1" align="center">
-              <a href="ssl-certificates.jsp?alias=<%= a %>&type=server&delete=true"
+              <a href="ssl-certificates.jsp?alias=<%= URLEncoder.encode(a) %>&type=server&delete=true"
                title="<fmt:message key="global.click_delete" />"
                onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete" />');"
                ><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
@@ -397,7 +398,7 @@
       <% if (isSigningPending) { %>
       <form action="ssl-certificates.jsp" method="post">
       <input name="importReply" type="hidden" value="true">
-      <input name="alias" type="hidden" value="<%= a%>">
+      <input name="alias" type="hidden" value="<%= StringUtils.escapeForXML(a)%>">
       <tr id="pk<%=i%>">
           <td colspan="6">
               <span class="jive-description">
diff --git a/src/web/ssl-signing-request.jsp b/src/web/ssl-signing-request.jsp
index 71642ef8c4..d3c18af2ce 100644
--- a/src/web/ssl-signing-request.jsp
+++ b/src/web/ssl-signing-request.jsp
@@ -1,5 +1,6 @@
 <%@ page import="org.jivesoftware.util.CertificateManager" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.net.SSLConfig" %>
 <%@ page import="java.security.KeyStore" %>
@@ -204,42 +205,42 @@
                     </td>
                     <td width="99%">
                         <input type="text" name="name" size="50" maxlength="75"
-                               value="<%= ((name!=null) ? name : "") %>" id="namef">
+                               value="<%= ((name!=null) ? StringUtils.escapeForXML(name) : "") %>" id="namef">
                     </td>
                 </tr>
                 <tr>
                     <td width="1%" nowrap>
                         <label for="ouf"><fmt:message key="ssl.signing-request.organizational_unit"/>:</label></td>
                     <td width="99%">
-                        <input type="text" name="ou" size="50" maxlength="75" value="<%= ((organizationalUnit!=null) ? organizationalUnit : "") %>" id="ouf">
+                        <input type="text" name="ou" size="50" maxlength="75" value="<%= ((organizationalUnit!=null) ? StringUtils.escapeForXML(organizationalUnit) : "") %>" id="ouf">
                     </td>
                 </tr>
                 <tr>
                     <td width="1%" nowrap>
                         <label for="of"><fmt:message key="ssl.signing-request.organization"/>:</label></td>
                     <td width="99%">
-                        <input type="text" name="o" size="50" maxlength="75" value="<%= ((organization!=null) ? organization : "") %>" id="of">
+                        <input type="text" name="o" size="50" maxlength="75" value="<%= ((organization!=null) ? StringUtils.escapeForXML(organization) : "") %>" id="of">
                     </td>
                 </tr>
                 <tr>
                     <td width="1%" nowrap>
                         <label for="cityf"><fmt:message key="ssl.signing-request.city"/>:</label></td>
                     <td width="99%">
-                        <input type="text" name="city" size="50" maxlength="75" value="<%= ((city!=null) ? city : "") %>" id="cityf">
+                        <input type="text" name="city" size="50" maxlength="75" value="<%= ((city!=null) ? StringUtils.escapeForXML(city) : "") %>" id="cityf">
                     </td>
                 </tr>
                 <tr>
                     <td width="1%" nowrap>
                         <label for="statef"><fmt:message key="ssl.signing-request.state"/>:</label></td>
                     <td width="99%">
-                        <input type="text" name="state" size="30" maxlength="75" value="<%= ((state!=null) ? state : "") %>" id="statef">
+                        <input type="text" name="state" size="30" maxlength="75" value="<%= ((state!=null) ? StringUtils.escapeForXML(state) : "") %>" id="statef">
                     </td>
                 </tr>
                 <tr>
                     <td width="1%" nowrap>
                         <label for="countryf"><fmt:message key="ssl.signing-request.country"/>:</label></td>
                     <td width="99%">
-                        <input type="text" name="country" size="2" maxlength="2" value="<%= ((countryCode!=null) ? countryCode : "") %>" id="countryf">
+                        <input type="text" name="country" size="2" maxlength="2" value="<%= ((countryCode!=null) ? StringUtils.escapeForXML(countryCode) : "") %>" id="countryf">
                     </td>
                 </tr>
               <tr>
@@ -254,4 +255,4 @@
   </form>
   <!-- END 'Issuer information form' -->
   </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/system-cache.jsp b/src/web/system-cache.jsp
index 50b7c65c2b..8eee0410d3 100644
--- a/src/web/system-cache.jsp
+++ b/src/web/system-cache.jsp
@@ -1,5 +1,6 @@
 <%@ page import="org.jivesoftware.util.cache.Cache"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.StringUtils"%>
 <%@ page import="java.text.DecimalFormat"%>
 <%--
   -	$RCSfile$
@@ -193,7 +194,7 @@
             <table cellpadding="0" cellspacing="0" border="0">
             <tr>
                 <td class="icon"><img src="images/cache-16x16.gif" width="16" height="16" alt="" border="0"></td>
-                <td><%= cache.getName() %></td>
+                <td><%= StringUtils.escapeHTMLTags(cache.getName()) %></td>
             </tr>
             </table>
         </td>
diff --git a/src/web/system-clustering.jsp b/src/web/system-clustering.jsp
index f13aa03570..8a7fa4f244 100644
--- a/src/web/system-clustering.jsp
+++ b/src/web/system-clustering.jsp
@@ -37,6 +37,7 @@
 <%@ page import="java.util.Collection" %>
 <%@ page import="java.util.Date" %>
 <%@ page import="java.util.Map" %>
+<%@ page import="java.net.URLEncoder" %>
 <%@ page import="org.jivesoftware.util.Base64" %>
 
 <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" />
@@ -282,12 +283,12 @@
             %>
               <tr class="<%= (isLocalMember ? "local" : "") %>" valign="middle">
                   <td align="center" width="1%">
-                      <a href="plugins/<%= CacheFactory.getPluginName() %>/system-clustering-node.jsp?UID=<%= nodeID %>"
+                      <a href="plugins/<%= CacheFactory.getPluginName() %>/system-clustering-node.jsp?UID=<%= URLEncoder.encode(nodeID) %>"
                        title="Click for more details"
                        ><img src="images/server-network-24x24.gif" width="24" height="24" border="0" alt=""></a>
                   </td>
                   <td class="jive-description" nowrap width="1%" valign="middle">
-                      <a href="plugins/<%= CacheFactory.getPluginName() %>/system-clustering-node.jsp?UID=<%= nodeID %>">
+                      <a href="plugins/<%= CacheFactory.getPluginName() %>/system-clustering-node.jsp?UID=<%= URLEncoder.encode(nodeID) %>">
                       <%  if (isLocalMember) { %>
                           <b><%= nodeInfo.getHostName() %></b>
                       <%  } else { %>
diff --git a/src/web/system-email.jsp b/src/web/system-email.jsp
index fe7b124e16..1c92ad4861 100644
--- a/src/web/system-email.jsp
+++ b/src/web/system-email.jsp
@@ -156,7 +156,7 @@
 				<fmt:message key="system.email.mail_host" />:
 			</td>
 			<td nowrap>
-				<input type="text" name="host" value="<%= (host != null)?host:"" %>" size="40" maxlength="150">
+				<input type="text" name="host" value="<%= (host != null)? StringUtils.escapeForXML(host):"" %>" size="40" maxlength="150">
 			</td>
 		</tr>
 
@@ -201,7 +201,7 @@
 				<fmt:message key="system.email.server_username" />:
 			</td>
 			<td nowrap>
-				<input type="text" name="server_username" value="<%= (username != null) ? username : "" %>" size="40" maxlength="150">
+				<input type="text" name="server_username" value="<%= (username != null) ? StringUtils.escapeForXML(username) : "" %>" size="40" maxlength="150">
 			</td>
 		</tr>
 		<tr>
@@ -230,4 +230,4 @@
 <!-- END SMTP settings -->
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/system-emailtest.jsp b/src/web/system-emailtest.jsp
index 0e908e94ce..b5dc51f441 100644
--- a/src/web/system-emailtest.jsp
+++ b/src/web/system-emailtest.jsp
@@ -17,6 +17,7 @@
 <%@ page import="org.jivesoftware.util.*,
                  org.jivesoftware.openfire.user.*,
                  java.util.*,
+                 java.net.URLEncoder,
                  javax.mail.*,
                  javax.mail.internet.*"
     errorPage="error.jsp"
@@ -199,7 +200,7 @@ function checkClick(el) {
                     <%  if (mex instanceof AuthenticationFailedException) { %>
                     	<fmt:message key="system.emailtest.failure_authentication" />                        
                     <%  } else { %>
-                        (Message: <%= mex.getMessage() %>)
+                        (Message: <%= StringUtils.escapeHTMLTags(mex.getMessage()) %>)
                     <%  } %>
                 <%  } %>
             </td></tr>
@@ -229,7 +230,7 @@ function checkClick(el) {
             <%
                 } else {
             %>
-                <%= host %>:<%= JiveGlobals.getIntProperty("mail.smtp.port", 25)  %>
+                <%= StringUtils.escapeHTMLTags(host) %>:<%= JiveGlobals.getIntProperty("mail.smtp.port", 25)  %>
 
                 <%  if (JiveGlobals.getBooleanProperty("mail.smtp.ssl", false)) { %>
 
@@ -244,10 +245,10 @@ function checkClick(el) {
             <fmt:message key="system.emailtest.from" />:
         </td>
         <td>
-            <input type="hidden" name="from" value="<%= from %>">
+            <input type="hidden" name="from" value="<%= StringUtils.escapeForXML(from) %>">
             <%= StringUtils.escapeHTMLTags(from) %>
             <span class="jive-description">
-            (<a href="user-edit-form.jsp?username=<%=user.getUsername()%>">Update Address</a>)
+            (<a href="user-edit-form.jsp?username=<%= URLEncoder.encode(user.getUsername())%>">Update Address</a>)
             </span>
         </td>
     </tr>
@@ -256,7 +257,7 @@ function checkClick(el) {
             <fmt:message key="system.emailtest.to" />:
         </td>
         <td>
-            <input type="text" name="to" value="<%= ((to != null) ? to : "") %>"
+            <input type="text" name="to" value="<%= ((to != null) ? StringUtils.escapeForXML(to) : "") %>"
              size="40" maxlength="100">
         </td>
     </tr>
@@ -265,7 +266,7 @@ function checkClick(el) {
             <fmt:message key="system.emailtest.subject" />:
         </td>
         <td>
-            <input type="text" name="subject" value="<%= ((subject != null) ? subject : "") %>"
+            <input type="text" name="subject" value="<%= ((subject != null) ? StringUtils.escapeForXML(subject) : "") %>"
              size="40" maxlength="100">
         </td>
     </tr>
@@ -274,7 +275,7 @@ function checkClick(el) {
             <fmt:message key="system.emailtest.body" />:
         </td>
         <td>
-            <textarea name="body" cols="45" rows="5" wrap="virtual"><%= body %></textarea>
+            <textarea name="body" cols="45" rows="5" wrap="virtual"><%= StringUtils.escapeHTMLTags(body) %></textarea>
         </td>
     </tr>
     <tr>
@@ -290,4 +291,4 @@ function checkClick(el) {
 </form>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/user-create.jsp b/src/web/user-create.jsp
index 14dfc1271e..08e35f6853 100644
--- a/src/web/user-create.jsp
+++ b/src/web/user-create.jsp
@@ -213,14 +213,14 @@
 		<tr>
 			<td width="1%" nowrap><label for="usernametf"><fmt:message key="user.create.username" />:</label> *</td>
 			<td width="99%">
-				<input type="text" name="username" size="30" maxlength="75" value="<%= ((username!=null) ? username : "") %>"
+				<input type="text" name="username" size="30" maxlength="75" value="<%= ((username!=null) ? StringUtils.escapeForXML(username) : "") %>"
 				 id="usernametf" autocomplete="off">
 			</td>
 		</tr>
 		<tr>
 			<td width="1%" nowrap><label for="nametf"><fmt:message key="user.create.name" />:</label> <%= UserManager.getUserProvider().isNameRequired() ? "*" : "" %></td>
 			<td width="99%">
-				<input type="text" name="name" size="30" maxlength="75" value="<%= ((name!=null) ? name : "") %>"
+				<input type="text" name="name" size="30" maxlength="75" value="<%= ((name!=null) ? StringUtils.escapeForXML(name) : "") %>"
 				 id="nametf">
 			</td>
 		</tr>
@@ -228,7 +228,7 @@
 			<td width="1%" nowrap>
 				<label for="emailtf"><fmt:message key="user.create.email" />:</label> <%= UserManager.getUserProvider().isEmailRequired() ? "*" : "" %></td>
 			<td width="99%">
-				<input type="text" name="email" size="30" maxlength="75" value="<%= ((email!=null) ? email : "") %>"
+				<input type="text" name="email" size="30" maxlength="75" value="<%= ((email!=null) ? StringUtils.escapeForXML(email) : "") %>"
 				 id="emailtf">
 			</td>
 		</tr>
@@ -299,4 +299,4 @@ if (UserManager.getUserProvider().isReadOnly()) { %>
     <% } %>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/user-delete.jsp b/src/web/user-delete.jsp
index 31331eb95b..c5b61b90bd 100644
--- a/src/web/user-delete.jsp
+++ b/src/web/user-delete.jsp
@@ -24,6 +24,7 @@
 %>
 <%@ page import="org.jivesoftware.openfire.user.UserManager" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.xmpp.packet.JID" %>
 <%@ page import="org.xmpp.packet.StreamError" %>
 <%@ page import="java.net.URLEncoder" %>
@@ -95,7 +96,7 @@
 
 <p>
 <fmt:message key="user.delete.info" />
-<b><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= JID.unescapeNode(user.getUsername()) %></a></b>
+<b><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %></a></b>
 <fmt:message key="user.delete.info1" />
 </p>
 
@@ -106,7 +107,7 @@
 </c:if>
 
 <form action="user-delete.jsp">
-<input type="hidden" name="username" value="<%= username %>">
+<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <input type="submit" name="delete" value="<fmt:message key="user.delete.delete" />">
 <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
 </form>
diff --git a/src/web/user-edit-form.jsp b/src/web/user-edit-form.jsp
index 79cbbcd9ab..8fcc32d371 100644
--- a/src/web/user-edit-form.jsp
+++ b/src/web/user-edit-form.jsp
@@ -18,6 +18,7 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.openfire.user.*,
                  java.net.URLEncoder"
     errorPage="error.jsp"
@@ -141,7 +142,7 @@
 
 <form action="user-edit-form.jsp">
 
-<input type="hidden" name="username" value="<%= username %>">
+<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <input type="hidden" name="save" value="true">
 
 <fieldset>
@@ -154,7 +155,7 @@
                 <fmt:message key="user.create.username" />:
             </td>
             <td>
-                <%= JID.unescapeNode(user.getUsername()) %>
+                <%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %>
             </td>
         </tr>
         <tr>
@@ -163,7 +164,7 @@
             </td>
             <td>
                 <input type="text" size="30" maxlength="150" name="name"
-                 value="<%= user.getName() %>">
+                 value="<%= StringUtils.escapeForXML(user.getName()) %>">
             </td>
         </tr>
         <tr>
@@ -172,7 +173,7 @@
             </td>
             <td>
                 <input type="text" size="30" maxlength="150" name="email"
-                 value="<%= ((user.getEmail()!=null) ? user.getEmail() : "") %>">
+                 value="<%= ((user.getEmail()!=null) ? StringUtils.escapeForXML(user.getEmail()) : "") %>">
             </td>
         </tr>
         <% if (!AdminManager.getAdminProvider().isReadOnly()) { %>
diff --git a/src/web/user-lockout.jsp b/src/web/user-lockout.jsp
index 8b4924d1b5..5d50133ac7 100644
--- a/src/web/user-lockout.jsp
+++ b/src/web/user-lockout.jsp
@@ -24,6 +24,7 @@
 <%@ page import="org.jivesoftware.openfire.security.SecurityAuditManager" %>
 <%@ page import="org.jivesoftware.openfire.session.ClientSession" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.xmpp.packet.JID" %>
 <%@ page import="org.xmpp.packet.StreamError" %>
 <%@ page import="java.net.URLEncoder" %>
@@ -133,7 +134,7 @@
 
 <p>
 <fmt:message key="user.lockout.locked">
-    <fmt:param value="<%= "<b><a href='user-properties.jsp?username="+URLEncoder.encode(username, "UTF-8")+"'>"+JID.unescapeNode(username)+"</a></b>" %>"/>
+    <fmt:param value="<%= "<b><a href='user-properties.jsp?username="+URLEncoder.encode(username, "UTF-8")+"'>"+StringUtils.escapeHTMLTags(JID.unescapeNode(username))+"</a></b>" %>"/>
 </fmt:message>
 <% if (flag.getStartTime() != null) { %><fmt:message key="user.lockout.locked2"><fmt:param value="<%= flag.getStartTime().toString() %>"/></fmt:message> <% } %>
 <% if (flag.getStartTime() != null && flag.getEndTime() != null) { %> <fmt:message key="user.lockout.lockedand" /> <% } %> 
@@ -141,7 +142,7 @@
 </p>
 
 <form action="user-lockout.jsp">
-    <input type="hidden" name="username" value="<%= username %>">
+    <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
     <input type="submit" name="unlock" value="<fmt:message key="user.lockout.unlock" />">
     <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
 </form>
@@ -154,7 +155,7 @@
 
 <p>
 <fmt:message key="user.lockout.info" />
-<b><a href="user-properties.jsp?username=<%= URLEncoder.encode(username, "UTF-8") %>"><%= JID.unescapeNode(username) %></a></b>
+<b><a href="user-properties.jsp?username=<%= URLEncoder.encode(username, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(username)) %></a></b>
 <fmt:message key="user.lockout.info1" />
 </p>
 
@@ -183,7 +184,7 @@
     <input type="radio" name="duration" value="-2" /> <fmt:message key="user.lockout.time.for" /> <input type="text" size="5" maxlength="10" name="duration_custom" /> <fmt:message key="user.lockout.time.minutes"/><br />
     <br />
     <% } %>
-    <input type="hidden" name="username" value="<%= username %>">
+    <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
     <input type="submit" name="lock" value="<fmt:message key="user.lockout.lock" />">
     <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
 </form>
diff --git a/src/web/user-message.jsp b/src/web/user-message.jsp
index de087fde0e..ee7c71f905 100644
--- a/src/web/user-message.jsp
+++ b/src/web/user-message.jsp
@@ -19,6 +19,7 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
                  org.jivesoftware.openfire.SessionManager,
                  org.jivesoftware.openfire.session.ClientSession,
                  org.jivesoftware.openfire.user.User,
@@ -169,7 +170,7 @@ function updateSelect(el) {
 
 <form action="user-message.jsp" method="post" name="f">
 <% if(username != null){ %>
-<input type="hidden" name="username" value="<%= username %>">
+<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <% } %>
 <input type="hidden" name="tabs" value="<%= tabs %>">
 <input type="hidden" name="send" value="true">
@@ -276,4 +277,4 @@ document.f.message.focus();
 
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/user-password.jsp b/src/web/user-password.jsp
index c341c8f687..a5d954ac0e 100644
--- a/src/web/user-password.jsp
+++ b/src/web/user-password.jsp
@@ -132,7 +132,7 @@
 </p>
 
 <form action="user-password.jsp" name="passform" method="post">
-<input type="hidden" name="username" value="<%= username %>">
+<input type="hidden" name="username" value="<%=StringUtils.escapeForXML(username) %>">
 
 <fieldset>
     <legend><fmt:message key="user.password.change" /></legend>
@@ -144,7 +144,7 @@
                 <fmt:message key="user.create.username" />:
             </td>
             <td class="c2">
-                <%= JID.unescapeNode(user.getUsername()) %>
+                <%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %>
             </td>
         </tr>
         <tr>
diff --git a/src/web/user-properties.jsp b/src/web/user-properties.jsp
index 8b2ab9f7d6..dcc56e8641 100644
--- a/src/web/user-properties.jsp
+++ b/src/web/user-properties.jsp
@@ -28,6 +28,7 @@
 <%@ page import="org.jivesoftware.util.JiveGlobals"%>
 <%@ page import="org.jivesoftware.util.LocaleUtils"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.StringUtils"%>
 <%@ page import="org.xmpp.packet.JID"%><%@ page import="org.xmpp.packet.Presence"%>
 <%@ page import="java.net.URLEncoder" %>
 <%@ page import="java.util.Collection" %>
@@ -185,7 +186,7 @@
             <fmt:message key="user.create.username" />:
         </td>
         <td>
-            <%= JID.unescapeNode(user.getUsername()) %>
+            <%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %>
             <% if (lockedOut) { %><img src="/images/forbidden-16x16.gif" align="top" height="16" width="16" alt="<fmt:message key='user.properties.locked'/>" title="<fmt:message key='user.properties.locked'/>"/><% } %>
             <% if (pendingLockOut) { %><img src="/images/warning-16x16.gif" align="top" height="16" width="16" alt="<fmt:message key='user.properties.locked_set'/>" title="<fmt:message key='user.properties.locked_set'/>"/><% } %>
         </td>
@@ -241,7 +242,7 @@
                 </span>
 
             <%  } else { %>
-                <%= user.getName() %>
+                <%= StringUtils.escapeHTMLTags(user.getName()) %>
 
             <%  } %>
         </td>
@@ -257,7 +258,7 @@
                 </span>
 
             <%  } else { %>
-                <a href="mailto:<%= user.getEmail() %>"><%= user.getEmail() %></a>
+                <a href="mailto:<%= StringUtils.escapeForXML(user.getEmail()) %>"><%= StringUtils.escapeHTMLTags(user.getEmail()) %></a>
 
             <%  } %>
             &nbsp;
@@ -306,11 +307,11 @@
 <% if (user != null && !UserManager.getUserProvider().isReadOnly()) { %>
 
 <form action="user-edit-form.jsp">
-<input type="hidden" name="username" value="<%= user.getUsername() %>">
+<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(user.getUsername()) %>">
 <input type="submit" value="<fmt:message key="global.edit_properties" />">
 </form>
 
 <% } %>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/user-roster-add.jsp b/src/web/user-roster-add.jsp
index 3ed322b893..4b5f778959 100644
--- a/src/web/user-roster-add.jsp
+++ b/src/web/user-roster-add.jsp
@@ -107,7 +107,7 @@
 
 <p>
     <fmt:message key="user.roster.add.info">
-        <fmt:param value="<%= username %>"/>
+        <fmt:param value="<%= StringUtils.escapeForXML(username) %>"/>
     </fmt:message>
 </p>
 
@@ -156,7 +156,7 @@
 
 <form name="f" action="user-roster-add.jsp" method="get">
 
-<input type="hidden" name="username" value="<%= username %>">
+<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 
     <div class="jive-contentBoxHeader">
 		<fmt:message key="user.roster.add.new_item" />
@@ -167,7 +167,7 @@
 		<tr>
 			<td width="1%" nowrap><label for="jidtf"><fmt:message key="user.roster.jid" />:</label> *</td>
 			<td width="99%">
-				<input type="text" name="jid" size="30" maxlength="255" value="<%= ((jid!=null) ? jid : "") %>"
+				<input type="text" name="jid" size="30" maxlength="255" value="<%= ((jid!=null) ? StringUtils.escapeForXML(jid) : "") %>"
 				 id="jidtf">
 			</td>
 		</tr>
@@ -176,7 +176,7 @@
 				<label for="nicknametf"><fmt:message key="user.roster.nickname" />:</label>
 			</td>
 			<td width="99%">
-				<input type="text" name="nickname" size="30" maxlength="255" value="<%= ((nickname!=null) ? nickname : "") %>"
+				<input type="text" name="nickname" size="30" maxlength="255" value="<%= ((nickname!=null) ? StringUtils.escapeForXML(nickname) : "") %>"
 				 id="nicknametf">
 			</td>
 		</tr>
@@ -184,7 +184,7 @@
 			<td width="1%" nowrap>
 				<label for="groupstf"><fmt:message key="user.roster.groups" />:</label></td>
 			<td width="99%">
-				<input type="text" name="groups" size="30" maxlength="255" value="<%= ((groups!=null) ? groups : "") %>"
+				<input type="text" name="groups" size="30" maxlength="255" value="<%= ((groups!=null) ? StringUtils.escapeForXML(groups) : "") %>"
 				 id="groupstf">
 			</td>
 		</tr>
@@ -211,4 +211,4 @@
     </script>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/user-roster-delete.jsp b/src/web/user-roster-delete.jsp
index 0155719972..adec36e8a7 100644
--- a/src/web/user-roster-delete.jsp
+++ b/src/web/user-roster-delete.jsp
@@ -67,14 +67,14 @@
 
     <p>
     <fmt:message key="user.roster.delete.info">
-        <fmt:param value="<%= "<b>"+jid+"</b>" %>" />
-        <fmt:param value="<%= "<b>"+username+"</b>" %>" />
+        <fmt:param value="<%= "<b>"+StringUtils.escapeForXML(jid)+"</b>" %>" />
+        <fmt:param value="<%= "<b>"+StringUtils.escapeForXML(username)+"</b>" %>" />
     </fmt:message>
     </p>
 
     <form action="user-roster-delete.jsp">
-    <input type="hidden" name="username" value="<%= username %>">
-    <input type="hidden" name="jid" value="<%= jid %>">
+    <input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
+    <input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">
     <input type="submit" name="delete" value="<fmt:message key="user.roster.delete.delete" />">
     <input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
     </form>
diff --git a/src/web/user-roster-edit.jsp b/src/web/user-roster-edit.jsp
index 81fd2f8501..3ed274bfc2 100644
--- a/src/web/user-roster-edit.jsp
+++ b/src/web/user-roster-edit.jsp
@@ -18,6 +18,7 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
                  java.net.URLEncoder"
     errorPage="error.jsp"
 %><%@ page import="org.xmpp.packet.JID"%>
@@ -85,14 +86,14 @@
 
 <p>
 <fmt:message key="user.roster.edit.info">
-    <fmt:param value="<%= username %>"/>
+    <fmt:param value="<%= StringUtils.escapeForXML(username) %>"/>
 </fmt:message>
 </p>
 
 <form action="user-roster-edit.jsp">
 
-<input type="hidden" name="username" value="<%= username %>">
-<input type="hidden" name="jid" value="<%= jid %>">
+<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
+<input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">
 <input type="hidden" name="save" value="true">
 
 <fieldset>
@@ -105,7 +106,7 @@
                 <fmt:message key="user.roster.jid" />:
             </td>
             <td>
-                <%= jid %>
+                <%= StringUtils.escapeHTMLTags(jid) %>
             </td>
         </tr>
         <tr>
@@ -114,7 +115,7 @@
             </td>
             <td>
                 <input type="text" size="30" maxlength="150" name="nickname"
-                 value="<%= item.getNickname() %>">
+                 value="<%= StringUtils.escapeForXML(item.getNickname()) %>">
             </td>
         </tr>
         <tr>
@@ -131,7 +132,7 @@
                         if (count != 0) {
                             out.print(",");
                         }
-                        out.print(group);
+                        out.print(StringUtils.escapeForXML(group));
                         count++;
                     }
                 }
@@ -152,7 +153,7 @@
                             out.print(",");
                         }
                         out.print("<a href='group-edit.jsp?group="+URLEncoder.encode(group.getName(), "UTF-8")+"'>");
-                        out.print(group.getName());
+                        out.print(StringUtils.escapeForXML(group.getName()));
                         out.print("</a>");
                         count++;
                     }
@@ -190,4 +191,4 @@
 </form>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/user-roster-view.jsp b/src/web/user-roster-view.jsp
index 5155623c5c..cb0254a192 100644
--- a/src/web/user-roster-view.jsp
+++ b/src/web/user-roster-view.jsp
@@ -18,6 +18,7 @@
 --%>
 
 <%@ page import="org.jivesoftware.util.ParamUtils,
+                 org.jivesoftware.util.StringUtils,
                  java.net.URLEncoder"
     errorPage="error.jsp"
 %><%@ page import="org.xmpp.packet.JID"%>
@@ -84,7 +85,7 @@
 
 <p>
 <fmt:message key="user.roster.edit.info">
-    <fmt:param value="<%= username %>"/>
+    <fmt:param value="<%= StringUtils.escapeForXML(username) %>"/>
 </fmt:message>
 </p>
 
@@ -98,7 +99,7 @@
                 <fmt:message key="user.roster.jid" />:
             </td>
             <td>
-                <%= jid %>
+                <%= StringUtils.escapeHTMLTags(jid) %>
             </td>
         </tr>
         <tr>
@@ -106,7 +107,7 @@
                 <fmt:message key="user.roster.nickname" />:
             </td>
             <td>
-                <%= item.getNickname() %>
+                <%= StringUtils.escapeHTMLTags(item.getNickname()) %>
             </td>
         </tr>
         <tr>
@@ -122,7 +123,7 @@
                             if (count != 0) {
                                 out.print(",");
                             }
-                            out.print(group);
+                            out.print(StringUtils.escapeForXML(group));
                             count++;
                         }
                     }
@@ -146,7 +147,7 @@
                                 out.print(",");
                             }
                             out.print("<a href='group-edit.jsp?group="+URLEncoder.encode(group.getName(), "UTF-8")+"'>");
-                            out.print(group.getName());
+                            out.print(StringUtils.escapeForXML(group.getName()));
                             out.print("</a>");
                             count++;
                         }
@@ -162,7 +163,7 @@
                 <fmt:message key="user.roster.subscription" />:
             </td>
             <td>
-                <%= item.getSubStatus().getName() %>
+                <%= StringUtils.escapeHTMLTags(item.getSubStatus().getName()) %>
             </td>
         </tr>
     </tbody>
@@ -173,18 +174,18 @@
 <br><br>
 
 <form style="display: inline" action="user-roster-edit.jsp">
-<input type="hidden" name="jid" value="<%= jid %>">
-<input type="hidden" name="username" value="<%= username %>">
+<input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">
+<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <input type="submit" value="<fmt:message key="user.roster.edit" />">
 </form>
 
 <% if (sharedGroups.isEmpty()) { %>
 <form style="display: inline" action="user-roster-delete.jsp">
-<input type="hidden" name="jid" value="<%= jid %>">
-<input type="hidden" name="username" value="<%= username %>">
+<input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">
+<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
 <input type="submit" value="<fmt:message key="global.delete" />">
 </form>
 <% } %>
 
     </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/user-roster.jsp b/src/web/user-roster.jsp
index 3fc4608d94..7ce3596707 100644
--- a/src/web/user-roster.jsp
+++ b/src/web/user-roster.jsp
@@ -149,7 +149,7 @@
 
 <p>
 <fmt:message key="user.roster.info">
-    <fmt:param value="<%= "<b>"+JID.unescapeNode(username)+"</b>" %>" />
+    <fmt:param value="<%= "<b>"+StringUtils.escapeForXML(JID.unescapeNode(username))+"</b>" %>" />
 </fmt:message>
 </p>
 
@@ -298,7 +298,7 @@
              ><%= rosterItem.getJid() %></a>
         </td>
         <td>
-            <%= (rosterItem.getNickname() != null ? rosterItem.getNickname() : "<i>None</i>") %>
+            <%= (rosterItem.getNickname() != null ? StringUtils.escapeHTMLTags(rosterItem.getNickname()) : "<i>None</i>") %>
         </td>
         <td>
             <%
@@ -363,4 +363,4 @@
 <br><br>
     
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/web/user-search.jsp b/src/web/user-search.jsp
index 252f5f1a5f..093b27ee36 100644
--- a/src/web/user-search.jsp
+++ b/src/web/user-search.jsp
@@ -65,7 +65,7 @@
       <tr class="c1">
         <td width="1%" nowrap><fmt:message key="user.create.username" />:</td>
         <td class="c2">
-          <input type="text" name="username" value="<%= ((username!=null) ? username : "") %>" size="30" maxlength="75"/>
+          <input type="text" name="username" value="<%= ((username!=null) ? StringUtils.escapeForXML(username) : "") %>" size="30" maxlength="75"/>
         </td>
       </tr>
      <tr><td colspan="2" nowrap><input type="submit" name="search" value="<fmt:message key="user.search.search" />"/><input type="submit" name="cancel" value="<fmt:message key="global.cancel" />"/></td>
diff --git a/src/web/user-summary.jsp b/src/web/user-summary.jsp
index b39019112f..b241f29784 100644
--- a/src/web/user-summary.jsp
+++ b/src/web/user-summary.jsp
@@ -230,13 +230,13 @@
             <%  } %>
         </td>
         <td width="23%">
-            <a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"<%= lockedOut ? " style='text-decoration: line-through underline;'" : "" %>><%= JID.unescapeNode(user.getUsername()) %></a>
+            <a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"<%= lockedOut ? " style='text-decoration: line-through underline;'" : "" %>><%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %></a>
             <% if (isAdmin) { %><img src="/images/star-16x16.gif" height="16" width="16" align="top" alt="<fmt:message key='user.properties.isadmin'/>" title="<fmt:message key='user.properties.isadmin'/>"/><% } %>
             <% if (lockedOut) { %><img src="/images/forbidden-16x16.gif" height="16" width="16" align="top" alt="<fmt:message key='user.properties.locked'/>" title="<fmt:message key='user.properties.locked'/>"/><% } %>
             <% if (pendingLockOut) { %><img src="/images/warning-16x16.gif" height="16" width="16" align="top" alt="<fmt:message key='user.properties.locked_set'/>" title="<fmt:message key='user.properties.locked_set'/>"/><% } %>
         </td>
         <td width="33%">
-            <%= user.getName() %> &nbsp;
+            <%= StringUtils.escapeHTMLTags(user.getName()) %> &nbsp;
         </td>
         <td width="15%">
             <%= JiveGlobals.formatDate(user.getCreationDate()) %>

	"><%= JID.unescapeNode(user.getUsername()) %><% if (!isLocal) { showRemoteJIDsWarning = true; %> *<%}%>	"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %><% if (!isLocal) { showRemoteJIDsWarning = true; %> *<%}%>	<%= jid %><% showRemoteJIDsWarning = true; %> *	- <%= StringUtils.escapeHTMLTags(group.getName()) %> + "><%= StringUtils.escapeHTMLTags(group.getName()) %> <% if (group.getDescription() != null) { %> @@ -195,12 +195,12 @@ document.searchForm.search.focus(); <% // Only show edit and delete options if the groups aren't read-only. if (!webManager.getGroupManager().isReadOnly()) { %>	- " title= >	- " title= >
- +
	<%= logFile.getName() %> (<%= byteFormatter.format(logFile.length()) %>)	<%= StringUtils.escapeHTMLTags(logFile.getName()) %> (<%= byteFormatter.format(logFile.length()) %>)			@@ -446,7 +447,7 @@ IFRAME { -" +<iframe src="log.jsp?log=<%= URLEncoder.encode(log) %>&mode=<%= URLEncoder.encode(mode) %>&lines=<%= ("All".equals(numLinesParam) ? "All" : String.valueOf(numLines)) %>" frameborder="0" height="400" width="100%" marginheight="0" marginwidth="0" scrolling="auto"> @@ -454,4 +455,4 @@ IFRAME { - \ No newline at end of file + diff --git a/src/web/manage-updates.jsp b/src/web/manage-updates.jsp index cf2acb46cb..20ca2d45a5 100644 --- a/src/web/manage-updates.jsp +++ b/src/web/manage-updates.jsp @@ -23,6 +23,7 @@ <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %> <%@ page import="org.jivesoftware.util.ParamUtils, + org.jivesoftware.util.StringUtils, org.jivesoftware.openfire.XMPPServer, org.jivesoftware.openfire.update.UpdateManager, java.util.HashMap, @@ -233,7 +234,7 @@ else if (updateSucess) { %>	"> + value="<%= ((proxyHost != null) ? StringUtils.escapeForXML(proxyHost) : "") %>">
- <%=proxySession.getCreator()%> + <%= StringUtils.escapeHTMLTags(proxySession.getCreator())%>	<%=proxySession.getHostA()%>:<%=proxySession.getLocalPortA()%> @@ -328,4 +329,4 @@ <% } // end enabled check %> - \ No newline at end of file + diff --git a/src/web/muc-create-permission.jsp b/src/web/muc-create-permission.jsp index d326c2ac33..6d94bdc2d1 100644 --- a/src/web/muc-create-permission.jsp +++ b/src/web/muc-create-permission.jsp @@ -121,7 +121,7 @@ - "><%= mucname %> + "><%= StringUtils.escapeHTMLTags(mucname) %> <% if (errors.size() > 0) { %> @@ -166,7 +166,7 @@ - + @@ -205,7 +205,7 @@ <% if (mucService.isRoomCreationRestricted()) { %> - + @@ -262,4 +262,4 @@ - \ No newline at end of file + diff --git a/src/web/muc-default-settings.jsp b/src/web/muc-default-settings.jsp index 150061ee40..9dba42c052 100644 --- a/src/web/muc-default-settings.jsp +++ b/src/web/muc-default-settings.jsp @@ -149,7 +149,7 @@ - "><%= mucname %> + "><%= StringUtils.escapeHTMLTags(mucname) %> <% if (errors.size() > 0) { %> @@ -182,7 +182,7 @@ - + diff --git a/src/web/muc-history-settings.jsp b/src/web/muc-history-settings.jsp index c03da28628..9b5d4398d1 100644 --- a/src/web/muc-history-settings.jsp +++ b/src/web/muc-history-settings.jsp @@ -115,7 +115,7 @@ - "><%= mucname %> + "><%= StringUtils.escapeHTMLTags(mucname) %> <% if ("true".equals(request.getParameter("success"))) { %> @@ -135,7 +135,7 @@ - + @@ -187,4 +187,4 @@ - \ No newline at end of file + diff --git a/src/web/muc-room-affiliations.jsp b/src/web/muc-room-affiliations.jsp index aa6df471b2..dc451de20a 100644 --- a/src/web/muc-room-affiliations.jsp +++ b/src/web/muc-room-affiliations.jsp @@ -23,6 +23,7 @@ org.jivesoftware.openfire.muc.MUCRoom, org.jivesoftware.openfire.muc.NotAllowedException, org.jivesoftware.util.ParamUtils, + org.jivesoftware.util.StringUtils, org.xmpp.packet.IQ" errorPage="error.jsp" %> @@ -250,10 +251,10 @@
	- <%= userDisplay %> + <%= StringUtils.escapeHTMLTags(userDisplay) %>	- &userJID=<%= user %>&delete=true&affiliation=owner" + &userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=owner" title="" onclick="return confirm('');" > @@ -282,10 +283,10 @@
	- <%= userDisplay %> + <%= StringUtils.escapeHTMLTags(userDisplay) %>	- &userJID=<%= user %>&delete=true&affiliation=admin" + &userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=admin" title="" onclick="return confirm('');" > @@ -316,10 +317,10 @@
	- <%= userDisplay %><%= nickname %> + <%= StringUtils.escapeHTMLTags(userDisplay) %><%= StringUtils.escapeHTMLTags(nickname) %>	- &userJID=<%= user %>&delete=true&affiliation=member" + &userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=member" title="" onclick="return confirm('');" > @@ -348,10 +349,10 @@
	- <%= userDisplay %> + <%= StringUtils.escapeHTMLTags(userDisplay) %>	- &userJID=<%= user %>&delete=true&affiliation=outcast" + &userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=outcast" title="" onclick="return confirm('');" > diff --git a/src/web/muc-room-delete.jsp b/src/web/muc-room-delete.jsp index 450717e73c..767f2d0413 100644 --- a/src/web/muc-room-delete.jsp +++ b/src/web/muc-room-delete.jsp @@ -88,12 +88,12 @@ -"><%= room.getJID().toBareJID() %> +"><%= StringUtils.escapeHTMLTags(room.getJID().toBareJID()) %> - + @@ -105,7 +105,7 @@	- <%= room.getJID().toBareJID() %> + <%= StringUtils.escapeHTMLTags(room.getJID().toBareJID()) %>
<%= room.getName() %>	<%= StringUtils.escapeHTMLTags(room.getName()) %>	<%= room.getOccupantsCount() %> / <%= room.getMaxUsers() %>
:	+	<% if (webManager.getMultiUserChatManager().getMultiUserChatServicesCount() > 1) { %> @ <% } else { %> @@ -472,7 +473,7 @@ // Private and hidden, skip it. continue; } - out.print(""+service.getServiceDomain()); + out.print(""+StringUtils.escapeHTMLTags(service.getServiceDomain())); break; } %> @@ -482,22 +483,22 @@ <% } else { %>
:	<%= roomJID.getDomain() %>	<%= StringUtils.escapeHTMLTags(roomJID.getDomain()) %>
:	"> +	">
:	" type="text" size="40"> +	" type="text" size="40">
:	" type="text" size="40"> +	" type="text" size="40">
	- +
	- +
<%= room.getName() %>	<%= StringUtils.escapeHTMLTags(room.getName()) %>	<%= room.getOccupantsCount() %> / <%= room.getMaxUsers() %>	<%= dateFormatter.format(room.getCreationDate()) %>	<%= dateFormatter.format(room.getModificationDate()) %>
<%= role.getUserAddress() %>	<%= role.getNickname() %>	<%= role.getRole() %>	<%= role.getAffiliation() %>	<%= StringUtils.escapeHTMLTags(role.getUserAddress().toString()) %>	<%= StringUtils.escapeHTMLTags(role.getNickname().toString()) %>	<%= StringUtils.escapeHTMLTags(role.getRole().toString()) %>	<%= StringUtils.escapeHTMLTags(role.getAffiliation().toString()) %>	&nickName=<%= URLEncoder.encode(role.getNickname(), "UTF-8") %>&kick=1" title="">" border="0" width="16" height="16"/>
- <%= mucname %> + <%= StringUtils.escapeHTMLTags(mucname) %>
<% if (create) { %> - "> + "> <% if (errors.get("mucname") != null) { %> @@ -173,7 +174,7 @@ <% } %> <% } else { %> - <%= mucname %> + <%= StringUtils.escapeHTMLTags(mucname) %> <% } %>
- "> + ">