From 5902e62cfddf66aaaea82f08d817a656f803dc7e Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Fri, 29 Dec 2017 12:10:30 +0100
Subject: [PATCH 01/10] - Added internal htmlentities function with array
 support and ENT_QUOTES. - Fixed #4893 Stored XSS issue in email name field

---
 interface/lib/classes/functions.inc.php     | 19 +++++++++++++++++++
 interface/lib/classes/listform.inc.php      | 14 +++-----------
 interface/lib/classes/quota_lib.inc.php     |  3 ++-
 interface/lib/classes/tform_base.inc.php    | 18 +++++++++++++-----
 interface/web/mail/form/mail_user.tform.php |  6 ++++++
 5 files changed, 43 insertions(+), 17 deletions(-)

diff --git a/interface/lib/classes/functions.inc.php b/interface/lib/classes/functions.inc.php
index da35a37002..136448eefd 100644
--- a/interface/lib/classes/functions.inc.php
+++ b/interface/lib/classes/functions.inc.php
@@ -454,6 +454,25 @@ class functions {
 			$app->log("Failed to create SSH keypair for ".$username, LOGLEVEL_WARN);
 		}
 	}
+	
+	public function htmlentities($value) {
+		global $conf;
+
+		if(is_array($value)) {
+			$out = array();
+			foreach($values as $key => $val) {
+				if(is_array($val)) {
+					$out[$key] = $this->htmlentities($val);
+				} else {
+					$out[$key] = htmlentities($val, ENT_QUOTES, $conf["html_content_encoding"]);
+				}
+			}
+		} else {
+			$out = htmlentities($value, ENT_QUOTES, $conf["html_content_encoding"]);
+		}
+		
+		return $out;
+	}
 }
 
 ?>
diff --git a/interface/lib/classes/listform.inc.php b/interface/lib/classes/listform.inc.php
index 4999f7e542..15a1a53add 100644
--- a/interface/lib/classes/listform.inc.php
+++ b/interface/lib/classes/listform.inc.php
@@ -179,6 +179,7 @@ class listform {
 								&& $k == $_SESSION['search'][$list_name][$search_prefix.$field]
 								&& $_SESSION['search'][$list_name][$search_prefix.$field] != '')
 								? ' SELECTED' : '';
+							$v = $app->functions->htmlentities($v);
 							$out .= "<option value='$k'$selected>$v</option>\r\n";
 						}
 					}
@@ -610,17 +611,8 @@ class listform {
 	}
 
 	function escapeArrayValues($search_values) {
-		global $conf;
-
-		$out = array();
-		if(is_array($search_values)) {
-			foreach($search_values as $key => $val) {
-				$out[$key] = htmlentities($val, ENT_QUOTES, $conf["html_content_encoding"]);
-			}
-		}
-
-		return $out;
-
+		global $app;
+		return $app->functions->htmlentities($search_values);
 	}
 
 }
diff --git a/interface/lib/classes/quota_lib.inc.php b/interface/lib/classes/quota_lib.inc.php
index 93d8baa5de..e5d55ff80c 100644
--- a/interface/lib/classes/quota_lib.inc.php
+++ b/interface/lib/classes/quota_lib.inc.php
@@ -243,7 +243,8 @@ class quota_lib {
 		if(is_array($emails) && !empty($emails)){
 			for($i=0;$i<sizeof($emails);$i++){
 				$email = $emails[$i]['email'];
-		
+				
+				$emails[$i]['name'] = $app->functions->htmlentities($emails[$i]['name']);
 				$emails[$i]['used'] = isset($monitor_data[$email]['used']) ? $monitor_data[$email]['used'] : array(1 => 0);
 		
 				if (!is_numeric($emails[$i]['used'])) $emails[$i]['used']=$emails[$i]['used'][1];
diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index 8bb8cb7b7d..2df1cd24bc 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -475,6 +475,7 @@ class tform_base {
 								$selected = ($k == $val)?' SELECTED':'';
 								if(isset($this->wordbook[$v]))
 									$v = $this->wordbook[$v];
+								$v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
 							}
 						}
@@ -494,7 +495,7 @@ class tform_base {
 								foreach($vals as $tvl) {
 									if(trim($tvl) == trim($k)) $selected = ' SELECTED';
 								}
-
+								$v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>$v</option>\r\n";
 							}
 						}
@@ -577,7 +578,7 @@ class tform_base {
 					
 					default:
 						if(isset($record[$key])) {
-							$new_record[$key] = htmlspecialchars($record[$key]);
+							$new_record[$key] = $app->functions->htmlentities($record[$key]);
 						} else {
 							$new_record[$key] = '';
 						}
@@ -608,7 +609,8 @@ class tform_base {
 						$out = '';
 						foreach($field['value'] as $k => $v) {
 							$selected = ($k == $field["default"])?' SELECTED':'';
-							$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
+							$v = $app->functions->htmlentities($this->lng($v));
+							$out .= "<option value='$k'$selected>".$v."</option>\r\n";
 						}
 					}
 					if(isset($out)) $new_record[$key] = $out;
@@ -622,7 +624,7 @@ class tform_base {
 						// HTML schreiben
 						$out = '';
 						foreach($field['value'] as $k => $v) {
-
+							$v = $app->functions->htmlentities($v);
 							$out .= "<option value='$k'>$v</option>\r\n";
 						}
 					}
@@ -693,7 +695,7 @@ class tform_base {
 					break;
 
 				default:
-					$new_record[$key] = htmlspecialchars($field['default']);
+					$new_record[$key] = $app->functions->htmlentities($field['default']);
 				}
 			}
 
@@ -911,6 +913,12 @@ class tform_base {
 				case 'NOWHITESPACE':
 					$returnval = preg_replace('/\s+/', '', $returnval);
 					break;
+				case 'STRIPTAGS':
+					$returnval = strip_tags(preg_replace('/<script[^>]*>/is', '', $returnval));
+					break;
+				case 'STRIPNL':
+					$returnval = str_replace(array("\n","\r"),'', $returnval);
+					break;
 				default:
 					$this->errorMessage .= "Unknown Filter: ".$filter['type'];
 					break;
diff --git a/interface/web/mail/form/mail_user.tform.php b/interface/web/mail/form/mail_user.tform.php
index 7ba5688829..3d2b66daac 100644
--- a/interface/web/mail/form/mail_user.tform.php
+++ b/interface/web/mail/form/mail_user.tform.php
@@ -144,6 +144,12 @@ $form["tabs"]['mailuser'] = array(
 		'name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
-- 
GitLab


From 79d6be9acc40911ec83d723f182b771b75003047 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Fri, 29 Dec 2017 12:29:16 +0100
Subject: [PATCH 02/10] Fixed a typo in htmlentities function and added
 htmlentities to dashlet output.

---
 interface/lib/classes/functions.inc.php            | 2 +-
 interface/web/dashboard/dashlets/databasequota.php | 1 +
 interface/web/dashboard/dashlets/limits.php        | 1 +
 interface/web/dashboard/dashlets/mailquota.php     | 2 ++
 interface/web/dashboard/dashlets/quota.php         | 1 +
 5 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/interface/lib/classes/functions.inc.php b/interface/lib/classes/functions.inc.php
index 136448eefd..a646e1be0a 100644
--- a/interface/lib/classes/functions.inc.php
+++ b/interface/lib/classes/functions.inc.php
@@ -460,7 +460,7 @@ class functions {
 
 		if(is_array($value)) {
 			$out = array();
-			foreach($values as $key => $val) {
+			foreach($value as $key => $val) {
 				if(is_array($val)) {
 					$out[$key] = $this->htmlentities($val);
 				} else {
diff --git a/interface/web/dashboard/dashlets/databasequota.php b/interface/web/dashboard/dashlets/databasequota.php
index 6880d780a0..6439cdee12 100644
--- a/interface/web/dashboard/dashlets/databasequota.php
+++ b/interface/web/dashboard/dashlets/databasequota.php
@@ -21,6 +21,7 @@ class dashlet_databasequota {
 
 		$has_databasequota = false;
 		if(is_array($databases) && !empty($databases)){
+			$databases = $app->functions->htmlentities($databases);
 			$tpl->setloop('databasequota', $databases);
 			$has_databasequota = isset($databases[0]['used']);
 		}
diff --git a/interface/web/dashboard/dashlets/limits.php b/interface/web/dashboard/dashlets/limits.php
index 2455da87bd..d58c3eb8e0 100644
--- a/interface/web/dashboard/dashlets/limits.php
+++ b/interface/web/dashboard/dashlets/limits.php
@@ -154,6 +154,7 @@ class dashlet_limits {
 					'percentage' => $percentage);
 			}
 		}
+		$rows = $app->functions->htmlentities($rows);
 		$tpl->setLoop('rows', $rows);
 
 
diff --git a/interface/web/dashboard/dashlets/mailquota.php b/interface/web/dashboard/dashlets/mailquota.php
index 27b8333775..4629d6a463 100644
--- a/interface/web/dashboard/dashlets/mailquota.php
+++ b/interface/web/dashboard/dashlets/mailquota.php
@@ -21,6 +21,8 @@ class dashlet_mailquota {
 
 		$has_mailquota = false;
 		if(is_array($emails) && !empty($emails)){
+			// email username is quoted in quota.lib already, so no htmlentities here to prevent double encoding
+			//$emails = $app->functions->htmlentities($emails);
 			$tpl->setloop('mailquota', $emails);
 			$has_mailquota = isset($emails[0]['used']);
 		}
diff --git a/interface/web/dashboard/dashlets/quota.php b/interface/web/dashboard/dashlets/quota.php
index a72e1fd237..6ff975b623 100644
--- a/interface/web/dashboard/dashlets/quota.php
+++ b/interface/web/dashboard/dashlets/quota.php
@@ -21,6 +21,7 @@ class dashlet_quota {
 
 		$has_quota = false;
 		if(is_array($sites) && !empty($sites)){
+			$sites = $app->functions->htmlentities($sites);
 			$tpl->setloop('quota', $sites);
 			$has_quota = isset($sites[0]['used']);
 		}
-- 
GitLab


From c17ea82a805bef2183ad2cc3b8c145c6d971e0bb Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Fri, 29 Dec 2017 12:32:45 +0100
Subject: [PATCH 03/10] Fixed #4894 XSS vulnerability in global search

---
 interface/web/dashboard/ajax_get_json.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/interface/web/dashboard/ajax_get_json.php b/interface/web/dashboard/ajax_get_json.php
index 30a668a77f..32fc8912e0 100644
--- a/interface/web/dashboard/ajax_get_json.php
+++ b/interface/web/dashboard/ajax_get_json.php
@@ -189,6 +189,7 @@ function _search($module, $section, $additional_sql = '', $params = ''){
 
 		$sql = "SELECT * FROM ?? WHERE ".$where_clause.$authsql.$order_clause." LIMIT 0,10";
 		$results = $app->db->queryAllRecords($sql, $db_table);
+		$results = $app->functions->htmlentities($results);
 
 		if(is_array($results) && !empty($results)){
 			$lng_file = '../'.$module.'/lib/lang/'.$_SESSION['s']['language'].'_'.$section.'.lng';
-- 
GitLab


From 7ed34ac5bc4552277e445e537d6b560ec73dd05f Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Fri, 29 Dec 2017 13:31:46 +0100
Subject: [PATCH 04/10] - fixed regex for stripping <script> tags - no entities
 on wordbook entries

---
 interface/lib/classes/tform_base.inc.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index 2df1cd24bc..d06072e830 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -473,9 +473,8 @@ class tform_base {
 						if(is_array($field['value'])) {
 							foreach($field['value'] as $k => $v) {
 								$selected = ($k == $val)?' SELECTED':'';
-								if(isset($this->wordbook[$v]))
-									$v = $this->wordbook[$v];
-								$v = $app->functions->htmlentities($v);
+								if(isset($this->wordbook[$v])) $v = $this->wordbook[$v];
+								else $v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
 							}
 						}
@@ -914,7 +913,7 @@ class tform_base {
 					$returnval = preg_replace('/\s+/', '', $returnval);
 					break;
 				case 'STRIPTAGS':
-					$returnval = strip_tags(preg_replace('/<script[^>]*>/is', '', $returnval));
+					$returnval = strip_tags(preg_replace('/<script[^>]*?>.*?<\/script>/is', '', $returnval));
 					break;
 				case 'STRIPNL':
 					$returnval = str_replace(array("\n","\r"),'', $returnval);
-- 
GitLab


From 1caeea6a6ebd068882e4fe0292bbda2f44283c3d Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Fri, 29 Dec 2017 13:44:15 +0100
Subject: [PATCH 05/10] - fixed missing htmlentities on formtype SELECT in list
 entries

---
 interface/lib/classes/listform_actions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interface/lib/classes/listform_actions.inc.php b/interface/lib/classes/listform_actions.inc.php
index 1bf615e857..b4366feaa6 100644
--- a/interface/lib/classes/listform_actions.inc.php
+++ b/interface/lib/classes/listform_actions.inc.php
@@ -180,7 +180,7 @@ class listform_actions {
 						$rec['_'.$key.'_'] = (strtolower($rec[$key]) == 'y')?'x16/tick_circle.png':'x16/cross_circle.png';
 					}
 					//* substitute value for select field
-					$rec[$key] = @$field['value'][$rec[$key]];
+					$rec[$key] = $app->functions->htmlentities(@$field['value'][$rec[$key]]);
 				}
 			}
 		}
-- 
GitLab


From 2e2f1dc4cf296d0ff8593abb403eb85ad89535de Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Fri, 29 Dec 2017 14:09:42 +0100
Subject: [PATCH 06/10] - fixed XSS vulnerability in select2 usage

---
 .../themes/default/assets/javascripts/ispconfig.js   | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/interface/web/themes/default/assets/javascripts/ispconfig.js b/interface/web/themes/default/assets/javascripts/ispconfig.js
index fcd5167a88..e18bd20f58 100644
--- a/interface/web/themes/default/assets/javascripts/ispconfig.js
+++ b/interface/web/themes/default/assets/javascripts/ispconfig.js
@@ -103,13 +103,13 @@ var ISPConfig = {
 				width: 'element',
 				selectOnBlur: true,
 				allowClear: true,
-				formatResult: function(o) {
-					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + o.text + '</span>';
-					else return o.text;
+				formatResult: function(o, cont, qry, escapeMarkup) {
+					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
+					else return escapeMarkup(o.text);
 				},
-				formatSelection: function(o) {
-					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + o.text + '</span>';
-					else return o.text;
+				formatSelection: function(o, cont, escapeMarkup) {
+					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
+					else return escapeMarkup(o.text);
 				}
 			}).on('change', function(e) {
 				if ($("#pageForm .table #Filter").length > 0) {
-- 
GitLab


From 5076ce90d2629302ab9dc937bb98c9f0c929ba94 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Fri, 29 Dec 2017 14:30:07 +0100
Subject: [PATCH 07/10] - removed inline-styling from list files for
 active/inactive switches - fixed escaping in lists

---
 interface/lib/classes/listform_actions.inc.php     |  3 ++-
 .../web/admin/list/directive_snippets.list.php     |  4 ++--
 interface/web/admin/list/firewall.list.php         |  2 +-
 interface/web/admin/list/iptables.list.php         |  2 +-
 interface/web/admin/list/server.list.php           | 14 +++++++-------
 interface/web/admin/list/server_ip.list.php        |  2 +-
 interface/web/admin/list/server_ip_map.list.php    |  2 +-
 interface/web/admin/list/software_repo.list.php    |  2 +-
 interface/web/admin/list/users.list.php            |  2 +-
 interface/web/client/list/client_circle.list.php   |  2 +-
 interface/web/client/templates/clients_list.htm    |  2 +-
 interface/web/client/templates/resellers_list.htm  |  2 +-
 interface/web/dns/list/dns_a.list.php              |  2 +-
 interface/web/dns/list/dns_slave.list.php          |  2 +-
 interface/web/dns/list/dns_soa.list.php            |  2 +-
 interface/web/dns/list/dns_template.list.php       |  2 +-
 interface/web/mail/backup_stats.php                |  4 ++--
 interface/web/mail/list/mail_alias.list.php        |  2 +-
 interface/web/mail/list/mail_aliasdomain.list.php  |  2 +-
 interface/web/mail/list/mail_blacklist.list.php    |  2 +-
 .../web/mail/list/mail_content_filter.list.php     |  2 +-
 interface/web/mail/list/mail_domain.list.php       |  2 +-
 .../web/mail/list/mail_domain_catchall.list.php    |  2 +-
 interface/web/mail/list/mail_forward.list.php      |  2 +-
 interface/web/mail/list/mail_get.list.php          |  2 +-
 .../web/mail/list/mail_relay_recipient.list.php    |  2 +-
 interface/web/mail/list/mail_spamfilter.list.php   |  2 +-
 interface/web/mail/list/mail_transport.list.php    |  2 +-
 interface/web/mail/list/mail_user.list.php         | 10 +++++-----
 interface/web/mail/list/mail_whitelist.list.php    |  2 +-
 .../web/mail/list/spamfilter_blacklist.list.php    |  2 +-
 interface/web/mail/list/spamfilter_policy.list.php |  8 ++++----
 interface/web/mail/list/spamfilter_users.list.php  |  2 +-
 .../web/mail/list/spamfilter_whitelist.list.php    |  2 +-
 interface/web/mail/list/xmpp_domain.list.php       |  2 +-
 interface/web/sites/backup_stats.php               |  4 ++--
 interface/web/sites/list/cron.list.php             |  2 +-
 interface/web/sites/list/database.list.php         |  4 ++--
 interface/web/sites/list/ftp_user.list.php         |  2 +-
 interface/web/sites/list/shell_user.list.php       |  2 +-
 interface/web/sites/list/web_childdomain.list.php  |  2 +-
 interface/web/sites/list/web_folder.list.php       |  2 +-
 interface/web/sites/list/web_folder_user.list.php  |  2 +-
 interface/web/sites/list/web_vhost_domain.list.php |  2 +-
 interface/web/sites/list/webdav_user.list.php      |  2 +-
 .../web/sites/templates/web_vhost_domain_list.htm  |  2 +-
 .../themes/default/assets/javascripts/ispconfig.js |  2 ++
 interface/web/vm/list/openvz_ip.list.php           |  2 +-
 interface/web/vm/list/openvz_ostemplate.list.php   |  4 ++--
 interface/web/vm/list/openvz_template.list.php     |  2 +-
 interface/web/vm/list/openvz_vm.list.php           |  2 +-
 51 files changed, 71 insertions(+), 68 deletions(-)

diff --git a/interface/lib/classes/listform_actions.inc.php b/interface/lib/classes/listform_actions.inc.php
index b4366feaa6..0ec9e5f115 100644
--- a/interface/lib/classes/listform_actions.inc.php
+++ b/interface/lib/classes/listform_actions.inc.php
@@ -180,7 +180,8 @@ class listform_actions {
 						$rec['_'.$key.'_'] = (strtolower($rec[$key]) == 'y')?'x16/tick_circle.png':'x16/cross_circle.png';
 					}
 					//* substitute value for select field
-					$rec[$key] = $app->functions->htmlentities(@$field['value'][$rec[$key]]);
+					if(isset($field['datasource']) && $field['datasource']) $rec[$key] = $app->functions->htmlentities(@$field['value'][$rec[$key]]);
+					else $rec[$key] = @$field['value'][$rec[$key]];
 				}
 			}
 		}
diff --git a/interface/web/admin/list/directive_snippets.list.php b/interface/web/admin/list/directive_snippets.list.php
index c41bcd5786..31332e5ecf 100644
--- a/interface/web/admin/list/directive_snippets.list.php
+++ b/interface/web/admin/list/directive_snippets.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "name",
@@ -82,7 +82,7 @@ $liste["item"][] = array( 'field'  => "customer_viewable",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 	
 $liste["item"][] = array( 'field'  => "master_directive_snippets_id",
 	'datatype' => "BOOLEAN",
diff --git a/interface/web/admin/list/firewall.list.php b/interface/web/admin/list/firewall.list.php
index 786b7b848a..884779110a 100644
--- a/interface/web/admin/list/firewall.list.php
+++ b/interface/web/admin/list/firewall.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "server_id",
 	'datatype' => "VARCHAR",
diff --git a/interface/web/admin/list/iptables.list.php b/interface/web/admin/list/iptables.list.php
index 3ad78404ea..beaf1d7e5e 100644
--- a/interface/web/admin/list/iptables.list.php
+++ b/interface/web/admin/list/iptables.list.php
@@ -18,7 +18,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array("y" => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", "n" => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array("y" => $app->lng('yes_txt'), "n" => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "server_id",
 	'datatype' => "INTEGER",
diff --git a/interface/web/admin/list/server.list.php b/interface/web/admin/list/server.list.php
index 9ca54c07d5..58779eec9c 100644
--- a/interface/web/admin/list/server.list.php
+++ b/interface/web/admin/list/server.list.php
@@ -63,7 +63,7 @@ $liste['item'][] = array( 'field'  => 'mail_server',
 	'prefix' => '%',
 	'suffix' => '%',
 	'width'  => '',
-	'value'  => array('1' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", '0' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('1' => $app->lng('yes_txt'), '0' => $app->lng('no_txt')));
 
 $liste['item'][] = array( 'field'  => 'web_server',
 	'datatype' => 'VARCHAR',
@@ -72,7 +72,7 @@ $liste['item'][] = array( 'field'  => 'web_server',
 	'prefix' => '%',
 	'suffix' => '%',
 	'width'  => '',
-	'value'  => array('1' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", '0' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('1' => $app->lng('yes_txt'), '0' => $app->lng('no_txt')));
 
 $liste['item'][] = array( 'field'  => 'dns_server',
 	'datatype' => 'VARCHAR',
@@ -81,7 +81,7 @@ $liste['item'][] = array( 'field'  => 'dns_server',
 	'prefix' => '%',
 	'suffix' => '%',
 	'width'  => '',
-	'value'  => array('1' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", '0' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('1' => $app->lng('yes_txt'), '0' => $app->lng('no_txt')));
 
 $liste['item'][] = array( 'field'  => 'file_server',
 	'datatype' => 'VARCHAR',
@@ -90,7 +90,7 @@ $liste['item'][] = array( 'field'  => 'file_server',
 	'prefix' => '%',
 	'suffix' => '%',
 	'width'  => '',
-	'value'  => array('1' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", '0' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('1' => $app->lng('yes_txt'), '0' => $app->lng('no_txt')));
 
 $liste['item'][] = array( 'field'  => 'db_server',
 	'datatype' => 'VARCHAR',
@@ -99,7 +99,7 @@ $liste['item'][] = array( 'field'  => 'db_server',
 	'prefix' => '%',
 	'suffix' => '%',
 	'width'  => '',
-	'value'  => array('1' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", '0' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('1' => $app->lng('yes_txt'), '0' => $app->lng('no_txt')));
 
 $liste['item'][] = array( 'field'  => 'vserver_server',
 	'datatype' => 'VARCHAR',
@@ -108,7 +108,7 @@ $liste['item'][] = array( 'field'  => 'vserver_server',
 	'prefix' => '%',
 	'suffix' => '%',
 	'width'  => '',
-	'value'  => array('1' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", '0' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('1' => $app->lng('yes_txt'), '0' => $app->lng('no_txt')));
 
 $liste['item'][] = array( 'field'  => 'xmpp_server',
 	'datatype' => 'VARCHAR',
@@ -117,6 +117,6 @@ $liste['item'][] = array( 'field'  => 'xmpp_server',
 	'prefix' => '%',
 	'suffix' => '%',
 	'width'  => '',
-	'value'  => array('1' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", '0' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('1' => $app->lng('yes_txt'), '0' => $app->lng('no_txt')));
 
 ?>
diff --git a/interface/web/admin/list/server_ip.list.php b/interface/web/admin/list/server_ip.list.php
index 6340172b0e..1e9bd8f4ec 100644
--- a/interface/web/admin/list/server_ip.list.php
+++ b/interface/web/admin/list/server_ip.list.php
@@ -95,7 +95,7 @@ $liste["item"][] = array( 'field'  => "virtualhost",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste['item'][] = array( 'field'  => 'virtualhost_port',
diff --git a/interface/web/admin/list/server_ip_map.list.php b/interface/web/admin/list/server_ip_map.list.php
index a70a76081b..6f9e60cfe8 100644
--- a/interface/web/admin/list/server_ip_map.list.php
+++ b/interface/web/admin/list/server_ip_map.list.php
@@ -18,7 +18,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste['item'][] = array( 'field'  => 'server_id',
 	'datatype' => 'INTEGER',
diff --git a/interface/web/admin/list/software_repo.list.php b/interface/web/admin/list/software_repo.list.php
index 824c66d6d9..0e172ace99 100644
--- a/interface/web/admin/list/software_repo.list.php
+++ b/interface/web/admin/list/software_repo.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "repo_name",
 	'datatype' => "VARCHAR",
diff --git a/interface/web/admin/list/users.list.php b/interface/web/admin/list/users.list.php
index 53e3f440a6..f241cd8506 100644
--- a/interface/web/admin/list/users.list.php
+++ b/interface/web/admin/list/users.list.php
@@ -60,7 +60,7 @@ $liste["item"][] = array(   'field' => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width' => "",
-	'value' => array('1' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", '0' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value' => array('1' => $app->lng('yes_txt'), '0' => $app->lng('no_txt')));
 
 $liste['item'][] = array(   'field' => 'username',
 	'datatype' => 'VARCHAR',
diff --git a/interface/web/client/list/client_circle.list.php b/interface/web/client/list/client_circle.list.php
index 56085c4c36..292b0d6797 100644
--- a/interface/web/client/list/client_circle.list.php
+++ b/interface/web/client/list/client_circle.list.php
@@ -63,7 +63,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "circle_name",
 	'datatype' => "VARCHAR",
diff --git a/interface/web/client/templates/clients_list.htm b/interface/web/client/templates/clients_list.htm
index 644c770d34..25d0dfcaf3 100644
--- a/interface/web/client/templates/clients_list.htm
+++ b/interface/web/client/templates/clients_list.htm
@@ -33,7 +33,7 @@
 						<td><input class="form-control" type="text" name="search_customer_no" value="{tmpl_var name='search_customer_no'}" /></td>
                         <td><input class="form-control" type="text" name="search_username" value="{tmpl_var name='search_username'}" /></td>
                         <td><input class="form-control" type="text" name="search_city" value="{tmpl_var name='search_city'}" /></td>
-                        <td><select class="form-control" name="search_country">{tmpl_var name='search_country'}</select></td>
+                        <td><select class="form-control flags" name="search_country">{tmpl_var name='search_country'}</select></td>
 						<tmpl_if name="has_robot"><td><select class="form-control" name="search_validation_status">{tmpl_var name='search_validation_status'}</select></td></tmpl_if>
                         <td class="text-right">
                             <button type="button" class="btn btn-default formbutton-default formbutton-narrow" name="Filter" id="Filter" value="{tmpl_var name="filter_txt"}" data-submit-form="pageForm" data-form-action="client/client_list.php"><span class="icon icon-filter"></span></button>
diff --git a/interface/web/client/templates/resellers_list.htm b/interface/web/client/templates/resellers_list.htm
index 50a9ec239c..8edfa08546 100644
--- a/interface/web/client/templates/resellers_list.htm
+++ b/interface/web/client/templates/resellers_list.htm
@@ -32,7 +32,7 @@
 						<td><input class="form-control" type="text" name="search_customer_no" value="{tmpl_var name='search_customer_no'}" /></td>
                         <td><input class="form-control" type="text" name="search_username" value="{tmpl_var name='search_username'}" /></td>
                         <td><input class="form-control" type="text" name="search_city" value="{tmpl_var name='search_city'}" /></td>
-                        <td><select class="form-control" name="search_country">{tmpl_var name='search_country'}</select></td>
+                        <td><select class="form-control flags" name="search_country">{tmpl_var name='search_country'}</select></td>
                         <td class="text-right">
                             <button type="button" class="btn btn-default formbutton-default formbutton-narrow" name="Filter" id="Filter" value="{tmpl_var name="filter_txt"}" data-submit-form="pageForm" data-form-action="client/reseller_list.php"><span class="icon icon-filter"></span></button>
                         </td>
diff --git a/interface/web/dns/list/dns_a.list.php b/interface/web/dns/list/dns_a.list.php
index b65fdf677c..748bc405d8 100644
--- a/interface/web/dns/list/dns_a.list.php
+++ b/interface/web/dns/list/dns_a.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('Y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'N' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('Y' => $app->lng('yes_txt'), 'N' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/dns/list/dns_slave.list.php b/interface/web/dns/list/dns_slave.list.php
index 529a189662..de0fd3a211 100644
--- a/interface/web/dns/list/dns_slave.list.php
+++ b/interface/web/dns/list/dns_slave.list.php
@@ -59,7 +59,7 @@ $liste["item"][] = array(   'field'     => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width' => "",
-	'value' => array('Y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'N' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value' => array('Y' => $app->lng('yes_txt'), 'N' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array(   'field' => "server_id",
diff --git a/interface/web/dns/list/dns_soa.list.php b/interface/web/dns/list/dns_soa.list.php
index 2f4233e066..c08a3802cb 100644
--- a/interface/web/dns/list/dns_soa.list.php
+++ b/interface/web/dns/list/dns_soa.list.php
@@ -59,7 +59,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('Y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'N' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('Y' => $app->lng('yes_txt'), 'N' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/dns/list/dns_template.list.php b/interface/web/dns/list/dns_template.list.php
index be5d693416..534f3eb77d 100644
--- a/interface/web/dns/list/dns_template.list.php
+++ b/interface/web/dns/list/dns_template.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array(   'field'     => "visible",
 	'prefix' => "",
 	'suffix' => "",
 	'width' => "",
-	'value' => array('Y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'N' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value' => array('Y' => $app->lng('yes_txt'), 'N' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array(   'field' => "name",
diff --git a/interface/web/mail/backup_stats.php b/interface/web/mail/backup_stats.php
index ec32d35f8e..1317326573 100644
--- a/interface/web/mail/backup_stats.php
+++ b/interface/web/mail/backup_stats.php
@@ -22,9 +22,9 @@ class list_action extends listform_actions {
 
 		$rec = parent::prepareDataRow($rec);
 
-		$rec['active'] = "<div id=\"ir-Yes\" class=\"swap\"><span>Yes</span></div>";
+		$rec['active'] = "Yes";
 		if ($rec['backup_interval'] === 'none') {
-			$rec['active']        = "<div class=\"swap\" id=\"ir-No\"><span>No</span></div>";
+			$rec['active']        = "No";
 			$rec['backup_copies'] = 0;
 		}
 		$recBackup = $app->db->queryOneRecord('SELECT COUNT(backup_id) AS backup_count FROM mail_backup WHERE mailuser_id = ?', $rec['mailuser_id']);
diff --git a/interface/web/mail/list/mail_alias.list.php b/interface/web/mail/list/mail_alias.list.php
index 044fc84baa..97716401f1 100644
--- a/interface/web/mail/list/mail_alias.list.php
+++ b/interface/web/mail/list/mail_alias.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "source",
diff --git a/interface/web/mail/list/mail_aliasdomain.list.php b/interface/web/mail/list/mail_aliasdomain.list.php
index b97d265e48..b2cb315394 100644
--- a/interface/web/mail/list/mail_aliasdomain.list.php
+++ b/interface/web/mail/list/mail_aliasdomain.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "source",
diff --git a/interface/web/mail/list/mail_blacklist.list.php b/interface/web/mail/list/mail_blacklist.list.php
index 45a3a9987c..a2f3997fd7 100644
--- a/interface/web/mail/list/mail_blacklist.list.php
+++ b/interface/web/mail/list/mail_blacklist.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 
diff --git a/interface/web/mail/list/mail_content_filter.list.php b/interface/web/mail/list/mail_content_filter.list.php
index c585a1601a..53767a153c 100644
--- a/interface/web/mail/list/mail_content_filter.list.php
+++ b/interface/web/mail/list/mail_content_filter.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 
diff --git a/interface/web/mail/list/mail_domain.list.php b/interface/web/mail/list/mail_domain.list.php
index 7946f4c51a..5304ab6226 100644
--- a/interface/web/mail/list/mail_domain.list.php
+++ b/interface/web/mail/list/mail_domain.list.php
@@ -59,7 +59,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 if($_SESSION['s']['user']['typ'] == 'admin') {
diff --git a/interface/web/mail/list/mail_domain_catchall.list.php b/interface/web/mail/list/mail_domain_catchall.list.php
index e2aa2d63aa..0f179ead77 100644
--- a/interface/web/mail/list/mail_domain_catchall.list.php
+++ b/interface/web/mail/list/mail_domain_catchall.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "source",
diff --git a/interface/web/mail/list/mail_forward.list.php b/interface/web/mail/list/mail_forward.list.php
index bd334d7434..decf14c37e 100644
--- a/interface/web/mail/list/mail_forward.list.php
+++ b/interface/web/mail/list/mail_forward.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "source",
diff --git a/interface/web/mail/list/mail_get.list.php b/interface/web/mail/list/mail_get.list.php
index 3163f4e108..0a8c0dcc88 100644
--- a/interface/web/mail/list/mail_get.list.php
+++ b/interface/web/mail/list/mail_get.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/mail/list/mail_relay_recipient.list.php b/interface/web/mail/list/mail_relay_recipient.list.php
index 3e3fd91012..af00d7c90c 100644
--- a/interface/web/mail/list/mail_relay_recipient.list.php
+++ b/interface/web/mail/list/mail_relay_recipient.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/mail/list/mail_spamfilter.list.php b/interface/web/mail/list/mail_spamfilter.list.php
index f1f4e612c2..09d3292bc7 100644
--- a/interface/web/mail/list/mail_spamfilter.list.php
+++ b/interface/web/mail/list/mail_spamfilter.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('1' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", '0' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('1' => $app->lng('yes_txt'), '0' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/mail/list/mail_transport.list.php b/interface/web/mail/list/mail_transport.list.php
index 9124b937fd..3dd87e1710 100644
--- a/interface/web/mail/list/mail_transport.list.php
+++ b/interface/web/mail/list/mail_transport.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/mail/list/mail_user.list.php b/interface/web/mail/list/mail_user.list.php
index 1c56140cb2..4513a516c9 100644
--- a/interface/web/mail/list/mail_user.list.php
+++ b/interface/web/mail/list/mail_user.list.php
@@ -87,7 +87,7 @@ $liste["item"][] = array(   'field'     => "autoresponder",
 	'prefix' => "",
 	'suffix' => "",
 	'width' => "",
-	'value' => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value' => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "postfix",
 	'datatype' => "VARCHAR",
@@ -96,7 +96,7 @@ $liste["item"][] = array( 'field'  => "postfix",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "disablesmtp",
 	'datatype' => "VARCHAR",
@@ -105,7 +105,7 @@ $liste["item"][] = array( 'field'  => "disablesmtp",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('n' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'y' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('n' => $app->lng('yes_txt'), 'y' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "disableimap",
 	'datatype' => "VARCHAR",
@@ -114,7 +114,7 @@ $liste["item"][] = array( 'field'  => "disableimap",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('n' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'y' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('n' => $app->lng('yes_txt'), 'y' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "disablepop3",
 	'datatype' => "VARCHAR",
@@ -123,6 +123,6 @@ $liste["item"][] = array( 'field'  => "disablepop3",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('n' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'y' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('n' => $app->lng('yes_txt'), 'y' => $app->lng('no_txt')));
 
 ?>
diff --git a/interface/web/mail/list/mail_whitelist.list.php b/interface/web/mail/list/mail_whitelist.list.php
index 321db85992..e27edad6da 100644
--- a/interface/web/mail/list/mail_whitelist.list.php
+++ b/interface/web/mail/list/mail_whitelist.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/mail/list/spamfilter_blacklist.list.php b/interface/web/mail/list/spamfilter_blacklist.list.php
index b4be804fbe..33e0b433a3 100644
--- a/interface/web/mail/list/spamfilter_blacklist.list.php
+++ b/interface/web/mail/list/spamfilter_blacklist.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/mail/list/spamfilter_policy.list.php b/interface/web/mail/list/spamfilter_policy.list.php
index e7e0def682..646a45c870 100644
--- a/interface/web/mail/list/spamfilter_policy.list.php
+++ b/interface/web/mail/list/spamfilter_policy.list.php
@@ -65,7 +65,7 @@ $liste["item"][] = array( 'field'  => "virus_lover",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('Y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'N' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('Y' => $app->lng('yes_txt'), 'N' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "spam_lover",
@@ -75,7 +75,7 @@ $liste["item"][] = array( 'field'  => "spam_lover",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('Y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'N' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('Y' => $app->lng('yes_txt'), 'N' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "banned_files_lover",
@@ -85,7 +85,7 @@ $liste["item"][] = array( 'field'  => "banned_files_lover",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('Y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'N' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('Y' => $app->lng('yes_txt'), 'N' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "bad_header_lover",
@@ -95,7 +95,7 @@ $liste["item"][] = array( 'field'  => "bad_header_lover",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('Y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'N' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('Y' => $app->lng('yes_txt'), 'N' => $app->lng('no_txt')));
 
 
 
diff --git a/interface/web/mail/list/spamfilter_users.list.php b/interface/web/mail/list/spamfilter_users.list.php
index e9d703b942..d952640283 100644
--- a/interface/web/mail/list/spamfilter_users.list.php
+++ b/interface/web/mail/list/spamfilter_users.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "local",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('Y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'N' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('Y' => $app->lng('yes_txt'), 'N' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/mail/list/spamfilter_whitelist.list.php b/interface/web/mail/list/spamfilter_whitelist.list.php
index 713187e008..0cd3333e69 100644
--- a/interface/web/mail/list/spamfilter_whitelist.list.php
+++ b/interface/web/mail/list/spamfilter_whitelist.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/mail/list/xmpp_domain.list.php b/interface/web/mail/list/xmpp_domain.list.php
index be87ec735e..191508db39 100644
--- a/interface/web/mail/list/xmpp_domain.list.php
+++ b/interface/web/mail/list/xmpp_domain.list.php
@@ -59,7 +59,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 if($_SESSION['s']['user']['typ'] == 'admin') {
diff --git a/interface/web/sites/backup_stats.php b/interface/web/sites/backup_stats.php
index 640b0c17bb..7a3b81553c 100644
--- a/interface/web/sites/backup_stats.php
+++ b/interface/web/sites/backup_stats.php
@@ -22,9 +22,9 @@ class list_action extends listform_actions {
 
 		$rec = parent::prepareDataRow($rec);
 
-		$rec['active'] = "<div id=\"ir-Yes\" class=\"swap\"><span>Yes</span></div>";
+		$rec['active'] = "Yes";
 		if ($rec['backup_interval'] === 'none') {
-			$rec['active']        = "<div class=\"swap\" id=\"ir-No\"><span>No</span></div>";
+			$rec['active']        = "No";
 			$rec['backup_copies'] = 0;
 		}
 
diff --git a/interface/web/sites/list/cron.list.php b/interface/web/sites/list/cron.list.php
index 7679a2e1c1..fc8c9691a6 100644
--- a/interface/web/sites/list/cron.list.php
+++ b/interface/web/sites/list/cron.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/sites/list/database.list.php b/interface/web/sites/list/database.list.php
index b4d1196b59..25e1b8de7f 100644
--- a/interface/web/sites/list/database.list.php
+++ b/interface/web/sites/list/database.list.php
@@ -59,7 +59,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "remote_access",
 	'datatype' => "VARCHAR",
@@ -68,7 +68,7 @@ $liste["item"][] = array( 'field'  => "remote_access",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "type",
 	'datatype' => "VARCHAR",
diff --git a/interface/web/sites/list/ftp_user.list.php b/interface/web/sites/list/ftp_user.list.php
index 7657406382..20a8a327ac 100644
--- a/interface/web/sites/list/ftp_user.list.php
+++ b/interface/web/sites/list/ftp_user.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/sites/list/shell_user.list.php b/interface/web/sites/list/shell_user.list.php
index 9ea244ed0b..3f51082d6e 100644
--- a/interface/web/sites/list/shell_user.list.php
+++ b/interface/web/sites/list/shell_user.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/sites/list/web_childdomain.list.php b/interface/web/sites/list/web_childdomain.list.php
index 1e38b24a41..202744e8de 100644
--- a/interface/web/sites/list/web_childdomain.list.php
+++ b/interface/web/sites/list/web_childdomain.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/sites/list/web_folder.list.php b/interface/web/sites/list/web_folder.list.php
index fce8cfd1ef..dc2fb0418a 100644
--- a/interface/web/sites/list/web_folder.list.php
+++ b/interface/web/sites/list/web_folder.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/sites/list/web_folder_user.list.php b/interface/web/sites/list/web_folder_user.list.php
index c8f078a4be..f0a1cd8ad2 100644
--- a/interface/web/sites/list/web_folder_user.list.php
+++ b/interface/web/sites/list/web_folder_user.list.php
@@ -57,7 +57,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "web_folder_id",
diff --git a/interface/web/sites/list/web_vhost_domain.list.php b/interface/web/sites/list/web_vhost_domain.list.php
index 1d167a77bc..e6b0cd2519 100644
--- a/interface/web/sites/list/web_vhost_domain.list.php
+++ b/interface/web/sites/list/web_vhost_domain.list.php
@@ -78,7 +78,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 if($_SESSION['s']['user']['typ'] == 'admin' && $vhostdomain_type == 'domain') {
 	$liste["item"][] = array( 'field'  => "sys_groupid",
diff --git a/interface/web/sites/list/webdav_user.list.php b/interface/web/sites/list/webdav_user.list.php
index 5d1aeec94a..04b772d156 100644
--- a/interface/web/sites/list/webdav_user.list.php
+++ b/interface/web/sites/list/webdav_user.list.php
@@ -55,7 +55,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "server_id",
diff --git a/interface/web/sites/templates/web_vhost_domain_list.htm b/interface/web/sites/templates/web_vhost_domain_list.htm
index 1ece7aca9a..b784f15965 100644
--- a/interface/web/sites/templates/web_vhost_domain_list.htm
+++ b/interface/web/sites/templates/web_vhost_domain_list.htm
@@ -41,7 +41,7 @@
                 </tr>
                 <tr>
                     <tmpl_if name="vhostdomain_type" value="domain"><td><input class="form-control" type="text" name="search_domain_id" value="{tmpl_var name='search_domain_id'}" /></td></tmpl_if>
-                    <td><select class="form-control" name="search_active">{tmpl_var name='search_active'}</select></td>
+                    <td><select class="form-control active-switch" name="search_active">{tmpl_var name='search_active'}</select></td>
                     <td><select class="form-control" name="search_server_id">{tmpl_var name='search_server_id'}</select></td>
 					<tmpl_if name="vhostdomain_type" op="!=" value="domain"><td><select class="form-control" name="search_parent_domain_id">{tmpl_var name='search_parent_domain_id'}</select></td></tmpl_if>
                     <td><input class="form-control" type="text" name="search_domain" value="{tmpl_var name='search_domain'}" /></td>
diff --git a/interface/web/themes/default/assets/javascripts/ispconfig.js b/interface/web/themes/default/assets/javascripts/ispconfig.js
index e18bd20f58..5f797af328 100644
--- a/interface/web/themes/default/assets/javascripts/ispconfig.js
+++ b/interface/web/themes/default/assets/javascripts/ispconfig.js
@@ -105,10 +105,12 @@ var ISPConfig = {
 				allowClear: true,
 				formatResult: function(o, cont, qry, escapeMarkup) {
 					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
+					else if(o.id && $(o.element).parent().hasClass('active-switch')) return '<span class="active active-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
 					else return escapeMarkup(o.text);
 				},
 				formatSelection: function(o, cont, escapeMarkup) {
 					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
+					else if(o.id && $(o.element).parent().hasClass('active-switch')) return '<span class="active active-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
 					else return escapeMarkup(o.text);
 				}
 			}).on('change', function(e) {
diff --git a/interface/web/vm/list/openvz_ip.list.php b/interface/web/vm/list/openvz_ip.list.php
index 77a52dbcf9..80869918ad 100644
--- a/interface/web/vm/list/openvz_ip.list.php
+++ b/interface/web/vm/list/openvz_ip.list.php
@@ -91,7 +91,7 @@ $liste["item"][] = array( 'field'  => "reserved",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 
diff --git a/interface/web/vm/list/openvz_ostemplate.list.php b/interface/web/vm/list/openvz_ostemplate.list.php
index ca6132d827..c2df7eb386 100644
--- a/interface/web/vm/list/openvz_ostemplate.list.php
+++ b/interface/web/vm/list/openvz_ostemplate.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "ostemplate_id",
 	'datatype' => "INTEGER",
@@ -96,7 +96,7 @@ $liste["item"][] = array( 'field'  => "allservers",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 
diff --git a/interface/web/vm/list/openvz_template.list.php b/interface/web/vm/list/openvz_template.list.php
index e87314e98e..2d92f7baf4 100644
--- a/interface/web/vm/list/openvz_template.list.php
+++ b/interface/web/vm/list/openvz_template.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 
 $liste["item"][] = array( 'field'  => "template_name",
diff --git a/interface/web/vm/list/openvz_vm.list.php b/interface/web/vm/list/openvz_vm.list.php
index 51e23b3ab2..261427491b 100644
--- a/interface/web/vm/list/openvz_vm.list.php
+++ b/interface/web/vm/list/openvz_vm.list.php
@@ -54,7 +54,7 @@ $liste["item"][] = array( 'field'  => "active",
 	'prefix' => "",
 	'suffix' => "",
 	'width'  => "",
-	'value'  => array('y' => "<div id=\"ir-Yes\" class=\"swap\"><span>".$app->lng('yes_txt')."</span></div>", 'n' => "<div class=\"swap\" id=\"ir-No\"><span>".$app->lng('no_txt')."</span></div>"));
+	'value'  => array('y' => $app->lng('yes_txt'), 'n' => $app->lng('no_txt')));
 
 $liste["item"][] = array( 'field'  => "veid",
 	'datatype' => "VARCHAR",
-- 
GitLab


From 0a60ff4818d8a2ae45a009a0f3e73817a58aa0e7 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Fri, 29 Dec 2017 14:32:54 +0100
Subject: [PATCH 08/10] - fixed missing commit from previous commit

---
 interface/lib/classes/listform_actions.inc.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/interface/lib/classes/listform_actions.inc.php b/interface/lib/classes/listform_actions.inc.php
index 0ec9e5f115..b4366feaa6 100644
--- a/interface/lib/classes/listform_actions.inc.php
+++ b/interface/lib/classes/listform_actions.inc.php
@@ -180,8 +180,7 @@ class listform_actions {
 						$rec['_'.$key.'_'] = (strtolower($rec[$key]) == 'y')?'x16/tick_circle.png':'x16/cross_circle.png';
 					}
 					//* substitute value for select field
-					if(isset($field['datasource']) && $field['datasource']) $rec[$key] = $app->functions->htmlentities(@$field['value'][$rec[$key]]);
-					else $rec[$key] = @$field['value'][$rec[$key]];
+					$rec[$key] = $app->functions->htmlentities(@$field['value'][$rec[$key]]);
 				}
 			}
 		}
-- 
GitLab


From c3ab7bc0bc014bb394b73292c29f12617df34620 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Fri, 29 Dec 2017 14:34:58 +0100
Subject: [PATCH 09/10] - removed further inline html from list definition file

---
 interface/web/sites/list/aps_availablepackages.list.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/interface/web/sites/list/aps_availablepackages.list.php b/interface/web/sites/list/aps_availablepackages.list.php
index 812e57fd60..9fd1943422 100644
--- a/interface/web/sites/list/aps_availablepackages.list.php
+++ b/interface/web/sites/list/aps_availablepackages.list.php
@@ -80,7 +80,7 @@ if($_SESSION['s']['user']['typ'] == 'admin')
 		'prefix'   => '',
 		'suffix'   => '',
 		'width'    => '',
-		'value'    => array(PACKAGE_ENABLED => '<div class="swap" id="ir-Yes"><span>'.$app->lng('Yes').'</span></div>',
-			PACKAGE_LOCKED => '<div class="swap" id="ir-No"><span>'.$app->lng('No').'</span></div>'));
+		'value'    => array(PACKAGE_ENABLED => $app->lng('Yes'),
+			PACKAGE_LOCKED => $app->lng('No')));
 }
 ?>
-- 
GitLab


From ecbdda9b88a611f1653079ae64e4d7012157ce55 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Fri, 29 Dec 2017 18:06:04 +0100
Subject: [PATCH 10/10] Added new input filters.

---
 .../admin/form/directive_snippets.tform.php   |   6 +
 interface/web/admin/form/groups.tform.php     |  10 ++
 interface/web/admin/form/iptables.tform.php   |  30 ++++
 interface/web/admin/form/server.tform.php     |   6 +
 .../web/admin/form/server_config.tform.php    |  84 +++++++++++
 interface/web/admin/form/server_php.tform.php |  36 +++++
 .../web/admin/form/software_package.tform.php |  12 ++
 .../web/admin/form/software_repo.tform.php    |  18 +++
 .../web/admin/form/system_config.tform.php    | 100 ++++++++++++-
 .../web/admin/form/tpl_default.tform.php      |  12 ++
 interface/web/client/client_edit.php          |   4 +-
 interface/web/client/domain_edit.php          |   5 +-
 interface/web/client/form/client.tform.php    | 132 +++++++++++++++++-
 .../web/client/form/client_circle.tform.php   |  10 ++
 .../web/client/form/client_template.tform.php |   6 +
 .../client/form/message_template.tform.php    |  12 ++
 interface/web/client/form/reseller.tform.php  | 132 +++++++++++++++++-
 interface/web/client/reseller_edit.php        |   3 +-
 interface/web/dns/dns_import.php              |   4 +-
 interface/web/dns/dns_slave_edit.php          |   3 +
 interface/web/dns/dns_soa_edit.php            |   5 +-
 interface/web/dns/dns_wizard.php              |   4 +-
 interface/web/dns/form/dns_soa.tform.php      |  10 ++
 .../web/help/form/faq_sections.tform.php      |   6 +
 .../web/help/form/support_message.tform.php   |  10 ++
 .../web/mail/form/mail_aliasdomain.tform.php  |   6 +-
 .../web/mail/form/mail_blacklist.tform.php    |   6 +
 .../web/mail/form/mail_forward.tform.php      |   6 +-
 interface/web/mail/form/mail_get.tform.php    |   6 +
 .../web/mail/form/mail_mailinglist.tform.php  |   6 +
 .../mail/form/mail_relay_recipient.tform.php  |  12 ++
 .../web/mail/form/mail_spamfilter.tform.php   |   6 +
 .../web/mail/form/mail_transport.tform.php    |  12 +-
 interface/web/mail/form/mail_user.tform.php   |  28 ++++
 .../web/mail/form/mail_user_filter.tform.php  |  10 ++
 .../web/mail/form/mail_whitelist.tform.php    |  12 ++
 .../mail/form/spamfilter_blacklist.tform.php  |  17 +++
 .../web/mail/form/spamfilter_policy.tform.php | 114 +++++++++++++++
 .../web/mail/form/spamfilter_users.tform.php  |  12 +-
 .../mail/form/spamfilter_whitelist.tform.php  |  12 +-
 interface/web/mail/form/xmpp_domain.tform.php |  10 ++
 interface/web/mail/mail_domain_edit.php       |   3 +
 interface/web/mail/mail_mailinglist_edit.php  |   3 +
 interface/web/mail/xmpp_domain_edit.php       |   3 +
 .../form/mail_user_autoresponder.tform.php    |  10 ++
 interface/web/sites/database_user_edit.php    |   2 +
 .../web/sites/form/web_vhost_domain.tform.php |  22 +++
 .../web/sites/form/webdav_user.tform.php      |   6 +
 interface/web/sites/web_vhost_domain_edit.php |   3 +
 .../web/vm/form/openvz_ostemplate.tform.php   |  16 +++
 .../web/vm/form/openvz_template.tform.php     |  22 +++
 interface/web/vm/form/openvz_vm.tform.php     |  10 +-
 interface/web/vm/openvz_vm_edit.php           |   4 +-
 53 files changed, 1018 insertions(+), 21 deletions(-)

diff --git a/interface/web/admin/form/directive_snippets.tform.php b/interface/web/admin/form/directive_snippets.tform.php
index 4d34fefb59..544cb8b855 100644
--- a/interface/web/admin/form/directive_snippets.tform.php
+++ b/interface/web/admin/form/directive_snippets.tform.php
@@ -71,6 +71,12 @@ $form["tabs"]['directive_snippets'] = array (
 				1 => array ( 'type' => 'UNIQUE',
 					'errmsg'=> 'directive_snippets_name_error_unique'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/admin/form/groups.tform.php b/interface/web/admin/form/groups.tform.php
index c7b3f74fdb..5bcbe6279f 100644
--- a/interface/web/admin/form/groups.tform.php
+++ b/interface/web/admin/form/groups.tform.php
@@ -81,6 +81,12 @@ $form["tabs"]['groups'] = array (
 		'name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'regex'  => '/^.{1,30}$/',
 			'errmsg' => 'name_err',
 			'default' => '',
@@ -94,6 +100,10 @@ $form["tabs"]['groups'] = array (
 		'description' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'TEXTAREA',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'regex'  => '',
 			'errmsg' => '',
 			'default' => '',
diff --git a/interface/web/admin/form/iptables.tform.php b/interface/web/admin/form/iptables.tform.php
index 7d09ca3f5e..76d747020d 100644
--- a/interface/web/admin/form/iptables.tform.php
+++ b/interface/web/admin/form/iptables.tform.php
@@ -52,6 +52,12 @@ $form["tabs"]['iptables'] = array (
 		'source_ip' => array (
 			'datatype'      => 'VARCHAR',
 			'formtype'      => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default'       => '',
 			'value'         => '',
 			'width'         => '',
@@ -60,6 +66,12 @@ $form["tabs"]['iptables'] = array (
 		'destination_ip' => array (
 			'datatype'      => 'VARCHAR',
 			'formtype'      => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default'       => '',
 			'value'         => '',
 			'width'         => '',
@@ -68,6 +80,12 @@ $form["tabs"]['iptables'] = array (
 		'singleport' => array (
 			'datatype'      => 'VARCHAR',
 			'formtype'      => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default'       => '',
 			'value'         => '',
 			'width'         => '',
@@ -76,6 +94,12 @@ $form["tabs"]['iptables'] = array (
 		'multiport' => array (
 			'datatype'      => 'VARCHAR',
 			'formtype'      => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default'       => '',
 			'value'         => '',
 			'width'         => '',
@@ -84,6 +108,12 @@ $form["tabs"]['iptables'] = array (
 		'state' => array (
 			'datatype'      => 'VARCHAR',
 			'formtype'      => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default'       => '',
 			'value'         => '',
 			'width'         => '',
diff --git a/interface/web/admin/form/server.tform.php b/interface/web/admin/form/server.tform.php
index 1bf079e1b0..95dca6c33b 100644
--- a/interface/web/admin/form/server.tform.php
+++ b/interface/web/admin/form/server.tform.php
@@ -61,6 +61,12 @@ $form["tabs"]['services'] = array (
 		'server_name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php
index 6c9e56772b..70aac48e07 100644
--- a/interface/web/admin/form/server_config.tform.php
+++ b/interface/web/admin/form/server_config.tform.php
@@ -145,6 +145,12 @@ $form["tabs"]['server'] = array(
 			'validators' => array(0 => array('type' => 'NOTEMPTY',
 					'errmsg' => 'nameservers_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'value' => '',
 			'width' => '40',
 			'maxlength' => '255'
@@ -316,6 +322,12 @@ $form["tabs"]['server'] = array(
 		'monit_user' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -344,6 +356,12 @@ $form["tabs"]['server'] = array(
 		'munin_user' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -426,6 +444,12 @@ $form["tabs"]['mail'] = array(
 		'dkim_path' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '/var/lib/amavis/dkim',
 			'value' => '',
 			'width' => '40',
@@ -527,6 +551,12 @@ $form["tabs"]['mail'] = array(
 		'relayhost' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -535,6 +565,12 @@ $form["tabs"]['mail'] = array(
 		'relayhost_user' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -719,6 +755,12 @@ $form["tabs"]['web'] = array(
 		'website_autoalias' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -1135,6 +1177,12 @@ $form["tabs"]['web'] = array(
 			'validators' => array(	0 => array('type' => 'NOTEMPTY',
 										'errmsg' => 'htaccess_allow_override_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'value' => '',
 			'width' => '40',
 			'maxlength' => '255'
@@ -1161,6 +1209,12 @@ $form["tabs"]['web'] = array(
 			'validators' => array(0 => array('type' => 'NOTEMPTY',
 					'errmsg' => 'apps_vhost_port_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'value' => '',
 			'width' => '40',
 			'maxlength' => '255'
@@ -1172,6 +1226,12 @@ $form["tabs"]['web'] = array(
 			'validators' => array(0 => array('type' => 'NOTEMPTY',
 					'errmsg' => 'apps_vhost_ip_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'value' => '',
 			'width' => '40',
 			'maxlength' => '255'
@@ -1179,6 +1239,12 @@ $form["tabs"]['web'] = array(
 		'apps_vhost_servername' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -1187,6 +1253,12 @@ $form["tabs"]['web'] = array(
 		'awstats_conf_dir' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -1486,6 +1558,12 @@ $form["tabs"]['xmpp'] = array(
         'xmpp_server_admins' => array(
             'datatype' => 'VARCHAR',
             'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
             'default' => 'admin@service.com, superuser@service.com',
             'value' => '',
             'width' => '15'
@@ -1494,6 +1572,12 @@ $form["tabs"]['xmpp'] = array(
         'xmpp_modules_enabled' => array(
             'datatype' => 'TEXT',
             'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
             'default' => "saslauth, tls, dialback, disco, discoitems, version, uptime, time, ping, admin_adhoc, admin_telnet, bosh, posix, announce, offline, webpresence, mam, stream_management, message_carbons",
             'value' => '',
             'separator' => ","
diff --git a/interface/web/admin/form/server_php.tform.php b/interface/web/admin/form/server_php.tform.php
index d5b0c5ff73..c94bb38c01 100644
--- a/interface/web/admin/form/server_php.tform.php
+++ b/interface/web/admin/form/server_php.tform.php
@@ -112,6 +112,12 @@ $form["tabs"]['php_name'] = array (
 			'validators' => array(0 => array('type' => 'NOTEMPTY',
 					'errmsg' => 'server_php_name_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -135,6 +141,12 @@ $form["tabs"]['php_fastcgi'] = array(
 		'php_fastcgi_binary' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -143,6 +155,12 @@ $form["tabs"]['php_fastcgi'] = array(
 		'php_fastcgi_ini_dir' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -165,6 +183,12 @@ $form["tabs"]['php_fpm'] = array(
 		'php_fpm_init_script' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -173,6 +197,12 @@ $form["tabs"]['php_fpm'] = array(
 		'php_fpm_ini_dir' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
@@ -181,6 +211,12 @@ $form["tabs"]['php_fpm'] = array(
 		'php_fpm_pool_dir' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value' => '',
 			'width' => '40',
diff --git a/interface/web/admin/form/software_package.tform.php b/interface/web/admin/form/software_package.tform.php
index 1db7056acc..b8368d5457 100644
--- a/interface/web/admin/form/software_package.tform.php
+++ b/interface/web/admin/form/software_package.tform.php
@@ -87,6 +87,12 @@ $form["tabs"]['software_package'] = array (
 		'package_title' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'validators' => '',
 			'default' => '',
 			'value'  => '',
@@ -99,6 +105,12 @@ $form["tabs"]['software_package'] = array (
 		'package_key' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'validators' => '',
 			'default' => '',
 			'value'  => '',
diff --git a/interface/web/admin/form/software_repo.tform.php b/interface/web/admin/form/software_repo.tform.php
index 6d1c50f921..cbf68b3a35 100644
--- a/interface/web/admin/form/software_repo.tform.php
+++ b/interface/web/admin/form/software_repo.tform.php
@@ -92,6 +92,12 @@ $form["tabs"]['software_repo'] = array (
 				1 => array ( 'type' => 'UNIQUE',
 					'errmsg'=> 'repo_name_unique'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -108,6 +114,12 @@ $form["tabs"]['software_repo'] = array (
 				1 => array ( 'type' => 'UNIQUE',
 					'errmsg'=> 'repo_name_unique'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -119,6 +131,12 @@ $form["tabs"]['software_repo'] = array (
 		'repo_username' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
diff --git a/interface/web/admin/form/system_config.tform.php b/interface/web/admin/form/system_config.tform.php
index 7261865796..681d166b34 100644
--- a/interface/web/admin/form/system_config.tform.php
+++ b/interface/web/admin/form/system_config.tform.php
@@ -282,7 +282,11 @@ $form["tabs"]['mail'] = array (
 				1 => array( 'event' => 'SHOW',
 					'type' => 'IDNTOUTF8'),
 				2 => array( 'event' => 'SAVE',
-					'type' => 'TOLOWER')
+					'type' => 'TOLOWER'),
+				3 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+				4 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
 			),
 			'formtype' => 'TEXT',
 			'default' => '',
@@ -293,6 +297,12 @@ $form["tabs"]['mail'] = array (
 		'admin_name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -311,7 +321,11 @@ $form["tabs"]['mail'] = array (
 				1 => array( 'event' => 'SHOW',
 					'type' => 'IDNTOUTF8'),
 				2 => array( 'event' => 'SAVE',
-					'type' => 'TOLOWER')
+					'type' => 'TOLOWER'),
+				3 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+				4 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
 			),
 			'formtype' => 'TEXT',
 			'default' => '',
@@ -322,6 +336,12 @@ $form["tabs"]['mail'] = array (
 		'smtp_port' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '25',
 			'value'  => '',
 			'width'  => '30',
@@ -330,6 +350,12 @@ $form["tabs"]['mail'] = array (
 		'smtp_user' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -419,6 +445,10 @@ $form["tabs"]['domains'] = array (
 		'new_domain_html' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'default' => '',
 			'value'  => ''
 		),
@@ -463,12 +493,24 @@ $form["tabs"]['misc'] = array (
 		'company_name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => ''
 		),
 		'custom_login_text' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => ''
 		),
@@ -485,18 +527,36 @@ $form["tabs"]['misc'] = array (
 		'dashboard_atom_url_admin' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => 'http://www.ispconfig.org/atom',
 			'value'  => ''
 		),
 		'dashboard_atom_url_reseller' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => 'http://www.ispconfig.org/atom',
 			'value'  => ''
 		),
 		'dashboard_atom_url_client' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => 'http://www.ispconfig.org/atom',
 			'value'  => ''
 		),
@@ -539,36 +599,72 @@ $form["tabs"]['misc'] = array (
 		'admin_dashlets_left' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => ''
 		),
 		'admin_dashlets_right' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => ''
 		),
 		'reseller_dashlets_left' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => ''
 		),
 		'reseller_dashlets_right' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => ''
 		),
 		'client_dashlets_left' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => ''
 		),
 		'client_dashlets_right' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => ''
 		),
diff --git a/interface/web/admin/form/tpl_default.tform.php b/interface/web/admin/form/tpl_default.tform.php
index df52bbec5f..baa84d7b30 100644
--- a/interface/web/admin/form/tpl_default.tform.php
+++ b/interface/web/admin/form/tpl_default.tform.php
@@ -87,6 +87,12 @@ $form["tabs"]['basic'] = array (
 		'username' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'validators'    => '',
 			'default' => 'global',
 			'value'  => 'global',
@@ -97,6 +103,12 @@ $form["tabs"]['basic'] = array (
 		'logo_url' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'validators'    => '',
 			'default' => '',
 			'value'  => '',
diff --git a/interface/web/client/client_edit.php b/interface/web/client/client_edit.php
index 10e3f3cadd..8577a1b32d 100644
--- a/interface/web/client/client_edit.php
+++ b/interface/web/client/client_edit.php
@@ -133,6 +133,7 @@ class page_action extends tform_actions {
 		$tpls = $app->db->queryAllRecords($sql);
 		$option = '';
 		$tpl = array();
+		$tpls = $app->functions->htmlentities($tpls);
 		foreach($tpls as $item){
 			$option .= '<option value="' . $item['template_id'] . '|' .  $item['template_name'] . '">' . $item['template_name'] . '</option>';
 			$tpl[$item['template_id']] = $item['template_name'];
@@ -154,7 +155,7 @@ class page_action extends tform_actions {
 					$tmp->id = $item['assigned_template_id'];
 					$tmp->data = '';
 					$app->plugin->raiseEvent('get_client_template_details', $tmp);
-					if($tmp->data != '') $text .= '<br /><em>' . $tmp->data . '</em>';
+					if($tmp->data != '') $text .= '<br /><em>' . $app->functions->htmlentities($tmp->data) . '</em>';
 
 					$text .= '</li>';
 					$items[] = $item['assigned_template_id'] . ':' . $item['client_template_id'];
@@ -219,6 +220,7 @@ class page_action extends tform_actions {
 			// Fill the client select field
 			$sql = "SELECT client.client_id, sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 AND client.limit_client != 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 			$clients = $app->db->queryAllRecords($sql);
+			$clients = $app->functions->htmlentities($clients);
 			$client_select = "<option value='0'>- ".$app->tform->lng('none_txt')." -</option>";
 			//$tmp_data_record = $app->tform->getDataRecord($this->id);
 			if(is_array($clients)) {
diff --git a/interface/web/client/domain_edit.php b/interface/web/client/domain_edit.php
index 67be43e04c..8867e29578 100644
--- a/interface/web/client/domain_edit.php
+++ b/interface/web/client/domain_edit.php
@@ -83,6 +83,7 @@ class page_action extends tform_actions {
 			//$sql = "SELECT groupid, name FROM sys_group WHERE client_id > 0 ORDER BY name";
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 			$clients = $app->db->queryAllRecords($sql);
+			$clients = $app->functions->htmlentities($clients);
 			$client_select = '';
 			if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "<option value='0'></option>";
 			if($this->id > 0) $tmp_data_record = $app->tform->getDataRecord($this->id); else $tmp_data_record = $this->dataRecord;
@@ -98,11 +99,13 @@ class page_action extends tform_actions {
 			// Get the limits of the client
 			$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 			$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
-	
+			$client = $app->functions->htmlentities($client);
+			
 			// Fill the client select field
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 			//die($sql);
 			$records = $app->db->queryAllRecords($sql, $client['client_id']);
+			$records = $app->functions->htmlentities($records);
 			$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 			$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 			//$tmp_data_record = $app->tform->getDataRecord($this->id);
diff --git a/interface/web/client/form/client.tform.php b/interface/web/client/form/client.tform.php
index 3a8d4f2fcc..151c5dc959 100644
--- a/interface/web/client/form/client.tform.php
+++ b/interface/web/client/form/client.tform.php
@@ -91,6 +91,12 @@ $form["tabs"]['address'] = array (
 		'company_name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -119,6 +125,10 @@ $form["tabs"]['address'] = array (
 			'searchable' => 1,
 			'filters'   => array( 0 => array( 'event' => 'SAVE',
 												'type' => 'TRIM'),
+								  1 => array( 'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								  2 => array( 'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'contact_name' => array (
@@ -137,6 +147,10 @@ $form["tabs"]['address'] = array (
 			'searchable' => 1,
 			'filters'   => array( 0 => array( 'event' => 'SAVE',
 												'type' => 'TRIM'),
+								  1 => array( 'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								  2 => array( 'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'customer_no' => array (
@@ -146,6 +160,12 @@ $form["tabs"]['address'] = array (
 					'errmsg'=> 'customer_no_error_unique',
 					'allowempty' => 'y'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -226,6 +246,12 @@ $form["tabs"]['address'] = array (
 		'street' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -238,6 +264,12 @@ $form["tabs"]['address'] = array (
 		'zip' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -250,6 +282,12 @@ $form["tabs"]['address'] = array (
 		'city' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -262,6 +300,12 @@ $form["tabs"]['address'] = array (
 		'state' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -285,6 +329,12 @@ $form["tabs"]['address'] = array (
 		'telephone' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -297,6 +347,12 @@ $form["tabs"]['address'] = array (
 		'mobile' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -309,6 +365,12 @@ $form["tabs"]['address'] = array (
 		'fax' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -345,6 +407,12 @@ $form["tabs"]['address'] = array (
 		'internet' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => 'http://',
 			'value'  => '',
 			'separator' => '',
@@ -357,6 +425,12 @@ $form["tabs"]['address'] = array (
 		'icq' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -385,12 +459,22 @@ $form["tabs"]['address'] = array (
 								1 => array( 	'event' => 'SAVE',
 												'type' => 'TOUPPER'),
 								2 => array( 	'event' => 'SAVE',
-												'type' => 'NOWHITESPACE')
+												'type' => 'NOWHITESPACE'),
+								3 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								4 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'company_id' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -402,6 +486,12 @@ $form["tabs"]['address'] = array (
 		'bank_account_owner' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -413,6 +503,12 @@ $form["tabs"]['address'] = array (
 		'bank_account_number' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -424,6 +520,12 @@ $form["tabs"]['address'] = array (
 		'bank_code' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -435,6 +537,12 @@ $form["tabs"]['address'] = array (
 		'bank_name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -458,7 +566,11 @@ $form["tabs"]['address'] = array (
 								1 => array( 	'event' => 'SAVE',
 												'type' => 'TOUPPER'),
 								2 => array( 	'event' => 'SAVE',
-												'type' => 'NOWHITESPACE')
+												'type' => 'NOWHITESPACE'),
+								3 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								4 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'bank_account_swift' => array (
@@ -476,12 +588,20 @@ $form["tabs"]['address'] = array (
 								1 => array( 	'event' => 'SAVE',
 												'type' => 'TOUPPER'),
 								2 => array( 	'event' => 'SAVE',
-												'type' => 'NOWHITESPACE')
+												'type' => 'NOWHITESPACE'),
+								3 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								4 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'notes' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'TEXTAREA',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -538,6 +658,12 @@ $form["tabs"]['address'] = array (
 		'added_by' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => $_SESSION['s']['user']['username'],
 			'value'  => '',
 			'separator' => '',
diff --git a/interface/web/client/form/client_circle.tform.php b/interface/web/client/form/client_circle.tform.php
index 91b96b3549..64eee542d7 100644
--- a/interface/web/client/form/client_circle.tform.php
+++ b/interface/web/client/form/client_circle.tform.php
@@ -91,6 +91,12 @@ $form["tabs"]['circle'] = array (
 		'circle_name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -115,6 +121,10 @@ $form["tabs"]['circle'] = array (
 		'description' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'TEXTAREA',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
diff --git a/interface/web/client/form/client_template.tform.php b/interface/web/client/form/client_template.tform.php
index 13e8cfbcce..5d9f81de0b 100644
--- a/interface/web/client/form/client_template.tform.php
+++ b/interface/web/client/form/client_template.tform.php
@@ -82,6 +82,12 @@ $form["tabs"]['template'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'error_template_name_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/client/form/message_template.tform.php b/interface/web/client/form/message_template.tform.php
index 14dfea1cd0..ab2d191340 100644
--- a/interface/web/client/form/message_template.tform.php
+++ b/interface/web/client/form/message_template.tform.php
@@ -67,6 +67,12 @@ $form["tabs"]['template'] = array (
 		'template_name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -81,6 +87,12 @@ $form["tabs"]['template'] = array (
 			'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY',
 				'errmsg'=> 'subject_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
diff --git a/interface/web/client/form/reseller.tform.php b/interface/web/client/form/reseller.tform.php
index 903c8d8c0c..706219f76a 100644
--- a/interface/web/client/form/reseller.tform.php
+++ b/interface/web/client/form/reseller.tform.php
@@ -91,6 +91,12 @@ $form["tabs"]['address'] = array (
 		'company_name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -119,6 +125,10 @@ $form["tabs"]['address'] = array (
 			'searchable' => 1,
 			'filters'   => array( 0 => array( 'event' => 'SAVE',
 												'type' => 'TRIM'),
+								  1 => array( 'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								  2 => array( 'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'contact_name' => array (
@@ -137,6 +147,10 @@ $form["tabs"]['address'] = array (
 			'searchable' => 1,
 			'filters'   => array( 0 => array( 'event' => 'SAVE',
 												'type' => 'TRIM'),
+								  1 => array( 'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								  2 => array( 'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'customer_no' => array (
@@ -146,6 +160,12 @@ $form["tabs"]['address'] = array (
 					'errmsg'=> 'customer_no_error_unique',
 					'allowempty' => 'y'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -226,6 +246,12 @@ $form["tabs"]['address'] = array (
 		'street' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -238,6 +264,12 @@ $form["tabs"]['address'] = array (
 		'zip' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -250,6 +282,12 @@ $form["tabs"]['address'] = array (
 		'city' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -262,6 +300,12 @@ $form["tabs"]['address'] = array (
 		'state' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -286,6 +330,12 @@ $form["tabs"]['address'] = array (
 		'telephone' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -298,6 +348,12 @@ $form["tabs"]['address'] = array (
 		'mobile' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -310,6 +366,12 @@ $form["tabs"]['address'] = array (
 		'fax' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -343,6 +405,12 @@ $form["tabs"]['address'] = array (
 		'internet' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => 'http://',
 			'value'  => '',
 			'separator' => '',
@@ -355,6 +423,12 @@ $form["tabs"]['address'] = array (
 		'icq' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -383,12 +457,22 @@ $form["tabs"]['address'] = array (
 								1 => array( 	'event' => 'SAVE',
 												'type' => 'TOUPPER'),
 								2 => array( 	'event' => 'SAVE',
-												'type' => 'NOWHITESPACE')
+												'type' => 'NOWHITESPACE'),
+								3 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								4 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'company_id' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -400,6 +484,12 @@ $form["tabs"]['address'] = array (
 		'bank_account_owner' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -411,6 +501,12 @@ $form["tabs"]['address'] = array (
 		'bank_account_number' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -422,6 +518,12 @@ $form["tabs"]['address'] = array (
 		'bank_code' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -433,6 +535,12 @@ $form["tabs"]['address'] = array (
 		'bank_name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -456,7 +564,11 @@ $form["tabs"]['address'] = array (
 								1 => array( 	'event' => 'SAVE',
 												'type' => 'TOUPPER'),
 								2 => array( 	'event' => 'SAVE',
-												'type' => 'NOWHITESPACE')
+												'type' => 'NOWHITESPACE'),
+								3 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								4 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'bank_account_swift' => array (
@@ -474,12 +586,20 @@ $form["tabs"]['address'] = array (
 								1 => array( 	'event' => 'SAVE',
 												'type' => 'TOUPPER'),
 								2 => array( 	'event' => 'SAVE',
-												'type' => 'NOWHITESPACE')
+												'type' => 'NOWHITESPACE'),
+								3 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPTAGS'),
+								4 => array( 	'event' => 'SAVE',
+												'type' => 'STRIPNL')
 			),
 		),
 		'notes' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'TEXTAREA',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
@@ -536,6 +656,12 @@ $form["tabs"]['address'] = array (
 		'added_by' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => $_SESSION['s']['user']['username'],
 			'value'  => '',
 			'separator' => '',
diff --git a/interface/web/client/reseller_edit.php b/interface/web/client/reseller_edit.php
index 8ab091ef4d..7a84be5253 100644
--- a/interface/web/client/reseller_edit.php
+++ b/interface/web/client/reseller_edit.php
@@ -127,6 +127,7 @@ class page_action extends tform_actions {
 		$tpls = $app->db->queryAllRecords($sql);
 		$option = '';
 		$tpl = array();
+		$tpls = $app->functions->htmlentities($tpls);
 		foreach($tpls as $item){
 			$option .= '<option value="' . $item['template_id'] . '|' .  $item['template_name'] . '">' . $item['template_name'] . '</option>';
 			$tpl[$item['template_id']] = $item['template_name'];
@@ -148,7 +149,7 @@ class page_action extends tform_actions {
 					$tmp->id = $item['assigned_template_id'];
 					$tmp->data = '';
 					$app->plugin->raiseEvent('get_client_template_details', $tmp);
-					if($tmp->data != '') $text .= '<br /><em>' . $tmp->data . '</em>';
+					if($tmp->data != '') $text .= '<br /><em>' . $app->functions->htmlentities($tmp->data) . '</em>';
 
 					$text .= '</li>';
 					$items[] = $item['assigned_template_id'] . ':' . $item['client_template_id'];
diff --git a/interface/web/dns/dns_import.php b/interface/web/dns/dns_import.php
index 814db71db8..fb66b7b176 100644
--- a/interface/web/dns/dns_import.php
+++ b/interface/web/dns/dns_import.php
@@ -102,6 +102,7 @@ if($_SESSION['s']['user']['typ'] == 'admin') {
 	// load the list of clients
 	$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 	$clients = $app->db->queryAllRecords($sql);
+	$clients = $app->functions->htmlentities($clients);
 	$client_select = '';
 	if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "<option value='0'></option>";
 	if(is_array($clients)) {
@@ -119,11 +120,12 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO
 	// Get the limits of the client
 	$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
 	$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
-
+	$client = $app->functions->htmlentities($client);
 
 	// load the list of clients
 	$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 	$clients = $app->db->queryAllRecords($sql, $client['client_id']);
+	$clients = $app->functions->htmlentities($clients);
 	$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 	$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 	if(is_array($clients)) {
diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php
index 44103608eb..4d588ef8e0 100644
--- a/interface/web/dns/dns_slave_edit.php
+++ b/interface/web/dns/dns_slave_edit.php
@@ -85,6 +85,7 @@ class page_action extends tform_actions {
 				// Getting Domains of the user
 				$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 				$clients = $app->db->queryAllRecords($sql);
+				$clients = $app->functions->htmlentities($clients);
 				$client_select = '';
 				if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "<option value='0'></option>";
 				//$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -100,10 +101,12 @@ class page_action extends tform_actions {
 				// Get the limits of the client
 				$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
 				$client = $app->db->queryOneRecord("SELECT client.client_id, sys_group.name, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
+				$client = $app->functions->htmlentities($client);
 
 				// Fill the client select field
 				$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 				$clients = $app->db->queryAllRecords($sql, $client['client_id']);
+				$clients = $app->functions->htmlentities($clients);
 				$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 				$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 				//$tmp_data_record = $app->tform->getDataRecord($this->id);
diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php
index 8997146bb6..6faefac390 100644
--- a/interface/web/dns/dns_soa_edit.php
+++ b/interface/web/dns/dns_soa_edit.php
@@ -107,6 +107,7 @@ class page_action extends tform_actions {
 				// Getting Domains of the user
 				$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 				$clients = $app->db->queryAllRecords($sql);
+				$clients = $app->functions->htmlentities($clients);
 				$client_select = '';
 				if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "<option value='0'></option>";
 				//$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -122,10 +123,12 @@ class page_action extends tform_actions {
 				// Get the limits of the client
 				$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
 				$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
-
+				$client = $app->functions->htmlentities($client);
+				
 				// Fill the client select field
 				$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 				$clients = $app->db->queryAllRecords($sql, $client['client_id']);
+				$clients = $app->functions->htmlentities($clients);
 				$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 				$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 				//$tmp_data_record = $app->tform->getDataRecord($this->id);
diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php
index e163e4eeab..0e955bee09 100644
--- a/interface/web/dns/dns_wizard.php
+++ b/interface/web/dns/dns_wizard.php
@@ -102,6 +102,7 @@ if($_SESSION['s']['user']['typ'] == 'admin') {
 		// load the list of clients
 		$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 		$clients = $app->db->queryAllRecords($sql);
+		$clients = $app->functions->htmlentities($clients);
 		$client_select = '';
 		if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "<option value='0'></option>";
 		if(is_array($clients)) {
@@ -120,12 +121,13 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO
 	// Get the limits of the client
 	$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 	$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
-
+	$client = $app->functions->htmlentities($client);
 
 	if ($domains_settings['use_domain_module'] != 'y') {
 		// load the list of clients
 		$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 		$clients = $app->db->queryAllRecords($sql, $client['client_id']);
+		$clients = $app->functions->htmlentities($clients);
 		$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 		$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 		if(is_array($clients)) {
diff --git a/interface/web/dns/form/dns_soa.tform.php b/interface/web/dns/form/dns_soa.tform.php
index d76c403447..910b2e6bb3 100644
--- a/interface/web/dns/form/dns_soa.tform.php
+++ b/interface/web/dns/form/dns_soa.tform.php
@@ -253,6 +253,12 @@ $form["tabs"]['dns_soa'] = array (
 		'update_acl' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -273,6 +279,10 @@ $form["tabs"]['dns_soa'] = array (
  		'dnssec_info' => array (
  			'datatype' => 'TEXT',
  			'formtype' => 'TEXTAREA',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
  			'default' => '',
  			'value'  => '',
  			'width'  => '30',
diff --git a/interface/web/help/form/faq_sections.tform.php b/interface/web/help/form/faq_sections.tform.php
index 1a1076876e..86c9520f15 100644
--- a/interface/web/help/form/faq_sections.tform.php
+++ b/interface/web/help/form/faq_sections.tform.php
@@ -63,6 +63,12 @@ $form['tabs']['message'] = array(
 					'errmsg'=> 'subject_is_empty'
 				),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/help/form/support_message.tform.php b/interface/web/help/form/support_message.tform.php
index d80cc15815..caf1a010c6 100644
--- a/interface/web/help/form/support_message.tform.php
+++ b/interface/web/help/form/support_message.tform.php
@@ -100,6 +100,12 @@ $form["tabs"]['message'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'subject_is_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => $sm_default_subject,
 			'value'  => '',
 			'width'  => '30',
@@ -111,6 +117,10 @@ $form["tabs"]['message'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'message_is_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'default' => '',
 			'value'  => '',
 			'cols'  => '30',
diff --git a/interface/web/mail/form/mail_aliasdomain.tform.php b/interface/web/mail/form/mail_aliasdomain.tform.php
index 64c5992483..66db01e5aa 100644
--- a/interface/web/mail/form/mail_aliasdomain.tform.php
+++ b/interface/web/mail/form/mail_aliasdomain.tform.php
@@ -103,7 +103,11 @@ $form["tabs"]['alias'] = array (
 				1 => array( 'event' => 'SHOW',
 					'type' => 'IDNTOUTF8'),
 				2 => array( 'event' => 'SAVE',
-					'type' => 'TOLOWER')
+					'type' => 'TOLOWER'),
+				3 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+				4 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
 			),
 			'default' => '',
 			'value'  => '',
diff --git a/interface/web/mail/form/mail_blacklist.tform.php b/interface/web/mail/form/mail_blacklist.tform.php
index f0b35d21ce..8b268147fb 100644
--- a/interface/web/mail/form/mail_blacklist.tform.php
+++ b/interface/web/mail/form/mail_blacklist.tform.php
@@ -76,6 +76,12 @@ $form["tabs"]['blacklist'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'source_error_notempty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'value'  => '',
 			'width'  => '30',
 			'maxlength' => '255'
diff --git a/interface/web/mail/form/mail_forward.tform.php b/interface/web/mail/form/mail_forward.tform.php
index 3c891506b9..260d953982 100644
--- a/interface/web/mail/form/mail_forward.tform.php
+++ b/interface/web/mail/form/mail_forward.tform.php
@@ -98,7 +98,11 @@ $form["tabs"]['forward'] = array (
 				1 => array( 'event' => 'SHOW',
 					'type' => 'IDNTOUTF8'),
 				2 => array( 'event' => 'SAVE',
-					'type' => 'TOLOWER')
+					'type' => 'TOLOWER'),
+				3 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+				4 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
 			),
 			'default' => '',
 			'value'  => '',
diff --git a/interface/web/mail/form/mail_get.tform.php b/interface/web/mail/form/mail_get.tform.php
index 4521e40028..9f7de76e01 100644
--- a/interface/web/mail/form/mail_get.tform.php
+++ b/interface/web/mail/form/mail_get.tform.php
@@ -109,6 +109,12 @@ $form["tabs"]['mailget'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'source_username_error_isempty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/mail/form/mail_mailinglist.tform.php b/interface/web/mail/form/mail_mailinglist.tform.php
index 24c4f003c9..ba877f410c 100644
--- a/interface/web/mail/form/mail_mailinglist.tform.php
+++ b/interface/web/mail/form/mail_mailinglist.tform.php
@@ -104,6 +104,12 @@ $form["tabs"]['mailinglist'] = array (
 				1 => array ( 'type' => 'UNIQUE',
 					'errmsg'=> 'listname_error_unique'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/mail/form/mail_relay_recipient.tform.php b/interface/web/mail/form/mail_relay_recipient.tform.php
index 4c5b2b1db1..34c23861e4 100644
--- a/interface/web/mail/form/mail_relay_recipient.tform.php
+++ b/interface/web/mail/form/mail_relay_recipient.tform.php
@@ -76,6 +76,12 @@ $form["tabs"]['relay_recipient'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'source_error_notempty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'value'  => '',
 			'width'  => '30',
 			'maxlength' => '255'
@@ -83,6 +89,12 @@ $form["tabs"]['relay_recipient'] = array (
 		'access' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => 'OK',
 			'value'  => 'OK',
 			'width'  => '30',
diff --git a/interface/web/mail/form/mail_spamfilter.tform.php b/interface/web/mail/form/mail_spamfilter.tform.php
index fe3f6c0f26..fb9a3c311b 100644
--- a/interface/web/mail/form/mail_spamfilter.tform.php
+++ b/interface/web/mail/form/mail_spamfilter.tform.php
@@ -108,6 +108,12 @@ $form["tabs"]['spamfilter'] = array (
 		'spam_rewrite_subject' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '***SPAM***',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/mail/form/mail_transport.tform.php b/interface/web/mail/form/mail_transport.tform.php
index 000584246b..ee3c52b447 100644
--- a/interface/web/mail/form/mail_transport.tform.php
+++ b/interface/web/mail/form/mail_transport.tform.php
@@ -82,7 +82,11 @@ $form["tabs"]['transport'] = array (
 				1 => array( 'event' => 'SHOW',
 					'type' => 'IDNTOUTF8'),
 				2 => array( 'event' => 'SAVE',
-					'type' => 'TOLOWER')
+					'type' => 'TOLOWER'),
+				3 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+				4 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
 			),
 			'default' => '',
 			'value'  => '',
@@ -93,6 +97,12 @@ $form["tabs"]['transport'] = array (
 		'transport' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/mail/form/mail_user.tform.php b/interface/web/mail/form/mail_user.tform.php
index 3d2b66daac..631c507f90 100644
--- a/interface/web/mail/form/mail_user.tform.php
+++ b/interface/web/mail/form/mail_user.tform.php
@@ -211,6 +211,12 @@ $form["tabs"]['mailuser'] = array(
 		'maildir' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -219,6 +225,12 @@ $form["tabs"]['mailuser'] = array(
 		'maildir_format' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -227,6 +239,12 @@ $form["tabs"]['mailuser'] = array(
 		'homedir' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -310,6 +328,12 @@ if ($global_config['mail']['mailbox_show_autoresponder_tab'] === 'y') {
 			'autoresponder_subject' => array (
 				'datatype'  => 'VARCHAR',
 				'formtype'  => 'TEXT',
+				'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 				'default'   => 'Out of office reply',
 				'value'     => '',
 				'width'  => '30',
@@ -318,6 +342,10 @@ if ($global_config['mail']['mailbox_show_autoresponder_tab'] === 'y') {
 			'autoresponder_text' => array (
 				'datatype' => 'TEXT',
 				'formtype' => 'TEXTAREA',
+				'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 				'default' => '',
 				'value'  => '',
 				'cols'  => '30',
diff --git a/interface/web/mail/form/mail_user_filter.tform.php b/interface/web/mail/form/mail_user_filter.tform.php
index d5f6a0ab5b..becb09351e 100644
--- a/interface/web/mail/form/mail_user_filter.tform.php
+++ b/interface/web/mail/form/mail_user_filter.tform.php
@@ -73,6 +73,12 @@ $form["tabs"]['filter'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'rulename_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -97,6 +103,10 @@ $form["tabs"]['filter'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'searchterm_is_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/mail/form/mail_whitelist.tform.php b/interface/web/mail/form/mail_whitelist.tform.php
index ce8f954e5b..00fc971647 100644
--- a/interface/web/mail/form/mail_whitelist.tform.php
+++ b/interface/web/mail/form/mail_whitelist.tform.php
@@ -76,6 +76,12 @@ $form["tabs"]['whitelist'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'source_error_notempty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'value'  => '',
 			'width'  => '30',
 			'maxlength' => '255'
@@ -83,6 +89,12 @@ $form["tabs"]['whitelist'] = array (
 		'access' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => 'OK',
 			'value'  => 'OK',
 			'width'  => '30',
diff --git a/interface/web/mail/form/spamfilter_blacklist.tform.php b/interface/web/mail/form/spamfilter_blacklist.tform.php
index a6637473eb..3514eed434 100644
--- a/interface/web/mail/form/spamfilter_blacklist.tform.php
+++ b/interface/web/mail/form/spamfilter_blacklist.tform.php
@@ -72,6 +72,12 @@ $form["tabs"]['blacklist'] = array (
 		'wb' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => 'B',
 			'value'  => array('W' => 'blacklist', 'B' => 'Blacklist')
 		),
@@ -90,6 +96,17 @@ $form["tabs"]['blacklist'] = array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
 			'default' => '',
+			'filters'   => array( 0 => array( 'event' => 'SAVE',
+					'type' => 'IDNTOASCII'),
+				1 => array( 'event' => 'SHOW',
+					'type' => 'IDNTOUTF8'),
+				2 => array( 'event' => 'SAVE',
+					'type' => 'TOLOWER'),
+				3 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+				4 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'email_error_notempty'),
 			),
diff --git a/interface/web/mail/form/spamfilter_policy.tform.php b/interface/web/mail/form/spamfilter_policy.tform.php
index da63732c80..31e8b8092a 100644
--- a/interface/web/mail/form/spamfilter_policy.tform.php
+++ b/interface/web/mail/form/spamfilter_policy.tform.php
@@ -65,6 +65,12 @@ $form["tabs"]['policy'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'policyname_error_notempty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'value'  => '',
 			'width'  => '30',
 			'maxlength' => '255'
@@ -129,6 +135,12 @@ $form["tabs"]['quarantine'] = array (
 		'virus_quarantine_to' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -137,6 +149,12 @@ $form["tabs"]['quarantine'] = array (
 		'spam_quarantine_to' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -145,6 +163,12 @@ $form["tabs"]['quarantine'] = array (
 		'banned_quarantine_to' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -153,6 +177,12 @@ $form["tabs"]['quarantine'] = array (
 		'bad_header_quarantine_to' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -161,6 +191,12 @@ $form["tabs"]['quarantine'] = array (
 		'clean_quarantine_to' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -169,6 +205,12 @@ $form["tabs"]['quarantine'] = array (
 		'other_quarantine_to' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -237,6 +279,12 @@ $form["tabs"]['taglevel'] = array (
 		'spam_subject_tag' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -245,6 +293,12 @@ $form["tabs"]['taglevel'] = array (
 		'spam_subject_tag2' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -268,6 +322,12 @@ $form["tabs"]['other'] = array (
 		'addr_extension_virus' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -276,6 +336,12 @@ $form["tabs"]['other'] = array (
 		'addr_extension_spam' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -284,6 +350,12 @@ $form["tabs"]['other'] = array (
 		'addr_extension_banned' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -292,6 +364,12 @@ $form["tabs"]['other'] = array (
 		'addr_extension_bad_header' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -318,6 +396,12 @@ $form["tabs"]['other'] = array (
 		'newvirus_admin' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -326,6 +410,12 @@ $form["tabs"]['other'] = array (
 		'virus_admin' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -334,6 +424,12 @@ $form["tabs"]['other'] = array (
 		'banned_admin' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -342,6 +438,12 @@ $form["tabs"]['other'] = array (
 		'bad_header_admin' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -350,6 +452,12 @@ $form["tabs"]['other'] = array (
 		'spam_admin' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -367,6 +475,12 @@ $form["tabs"]['other'] = array (
 		'banned_rulenames' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/mail/form/spamfilter_users.tform.php b/interface/web/mail/form/spamfilter_users.tform.php
index 0eba0bbefb..1ed9e54b0d 100644
--- a/interface/web/mail/form/spamfilter_users.tform.php
+++ b/interface/web/mail/form/spamfilter_users.tform.php
@@ -91,7 +91,11 @@ $form["tabs"]['users'] = array (
 			'formtype' => 'TEXT',
 			'default' => '',
 			'filters'   => array( 0 => array( 'event' => 'SAVE',
-					'type' => 'TOLOWER')
+					'type' => 'TOLOWER'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+				2 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
 			),
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'email_error_notempty'),
@@ -107,6 +111,12 @@ $form["tabs"]['users'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'fullname_error_notempty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'value'  => '',
 			'width'  => '30',
 			'maxlength' => '255'
diff --git a/interface/web/mail/form/spamfilter_whitelist.tform.php b/interface/web/mail/form/spamfilter_whitelist.tform.php
index 5f8a176be7..f0802fa491 100644
--- a/interface/web/mail/form/spamfilter_whitelist.tform.php
+++ b/interface/web/mail/form/spamfilter_whitelist.tform.php
@@ -72,6 +72,12 @@ $form["tabs"]['whitelist'] = array (
 		'wb' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => 'W',
 			'value'  => array('W' => 'Whitelist', 'B' => 'Blacklist')
 		),
@@ -95,7 +101,11 @@ $form["tabs"]['whitelist'] = array (
 				1 => array( 'event' => 'SHOW',
 					'type' => 'IDNTOUTF8'),
 				2 => array( 'event' => 'SAVE',
-					'type' => 'TOLOWER')
+					'type' => 'TOLOWER'),
+				3 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+				4 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
 			),
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'email_error_notempty'),
diff --git a/interface/web/mail/form/xmpp_domain.tform.php b/interface/web/mail/form/xmpp_domain.tform.php
index 095c72fba2..bbe694f9fd 100644
--- a/interface/web/mail/form/xmpp_domain.tform.php
+++ b/interface/web/mail/form/xmpp_domain.tform.php
@@ -139,12 +139,22 @@ $form["tabs"]['domain'] = array (
         'registration_message' => array(
             'datatype' => 'TEXT',
             'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
             'default' => "",
             'value' => ''
         ),
         'domain_admins' => array(
             'datatype' => 'VARCHAR',
             'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
             'default' => '',
             'value' => '',
             'width' => '15',
diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php
index ad383c474b..7565752bd3 100644
--- a/interface/web/mail/mail_domain_edit.php
+++ b/interface/web/mail/mail_domain_edit.php
@@ -80,6 +80,7 @@ class page_action extends tform_actions {
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 
 			$clients = $app->db->queryAllRecords($sql);
+			$clients = $app->functions->htmlentities($clients);
 			$client_select = '';
 			if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "<option value='0'></option>";
 			//$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -96,6 +97,7 @@ class page_action extends tform_actions {
 			// Get the limits of the client
 			$client_group_id = $_SESSION["s"]["user"]["default_group"];
 			$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.default_mailserver, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ? order by client.contact_name", $client_group_id);
+			$client = $app->functions->htmlentities($client);
 
 			// Set the mailserver to the default server of the client
 			$tmp = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $client['default_mailserver']);
@@ -106,6 +108,7 @@ class page_action extends tform_actions {
 				// Fill the client select field
 				$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 				$clients = $app->db->queryAllRecords($sql, $client['client_id']);
+				$clients = $app->functions->htmlentities($clients);
 				$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 				$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 				//$tmp_data_record = $app->tform->getDataRecord($this->id);
diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php
index 5515670734..1419627529 100644
--- a/interface/web/mail/mail_mailinglist_edit.php
+++ b/interface/web/mail/mail_mailinglist_edit.php
@@ -74,6 +74,7 @@ class page_action extends tform_actions {
 			// Getting Clients of the user
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 			$clients = $app->db->queryAllRecords($sql);
+			$clients = $app->functions->htmlentities($clients);
 			$client_select = '';
 			if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "<option value='0'></option>";
 			$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -90,10 +91,12 @@ class page_action extends tform_actions {
 			// Get the limits of the client
 			$client_group_id = $_SESSION["s"]["user"]["default_group"];
 			$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.default_mailserver, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ? order by contact_name", $client_group_id);
+			$client = $app->functions->htmlentities($client);
 
 			// Fill the client select field
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 			$clients = $app->db->queryAllRecords($sql, $client['client_id']);
+			$clients = $app->functions->htmlentities($clients);
 			$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 			$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 			$tmp_data_record = $app->tform->getDataRecord($this->id);
diff --git a/interface/web/mail/xmpp_domain_edit.php b/interface/web/mail/xmpp_domain_edit.php
index ec5a5fc11b..3913201114 100644
--- a/interface/web/mail/xmpp_domain_edit.php
+++ b/interface/web/mail/xmpp_domain_edit.php
@@ -108,6 +108,7 @@ class page_action extends tform_actions {
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 
 			$clients = $app->db->queryAllRecords($sql);
+			$clients = $app->functions->htmlentities($clients);
 			$client_select = '';
 			if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "<option value='0'></option>";
 			//$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -124,11 +125,13 @@ class page_action extends tform_actions {
 			// Get the limits of the client
 			$client_group_id = $_SESSION["s"]["user"]["default_group"];
 			$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ? order by client.contact_name", $client_group_id);
+			$client = $app->functions->htmlentities($client);
 
 			if ($settings['use_domain_module'] != 'y') {
 				// Fill the client select field
 				$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 				$clients = $app->db->queryAllRecords($sql, $client['client_id']);
+				$clients = $app->functions->htmlentities($clients);
 				$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 				$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 				//$tmp_data_record = $app->tform->getDataRecord($this->id);
diff --git a/interface/web/mailuser/form/mail_user_autoresponder.tform.php b/interface/web/mailuser/form/mail_user_autoresponder.tform.php
index 44ce15cd5c..e642534c13 100644
--- a/interface/web/mailuser/form/mail_user_autoresponder.tform.php
+++ b/interface/web/mailuser/form/mail_user_autoresponder.tform.php
@@ -62,6 +62,12 @@ $form["tabs"]['autoresponder'] = array (
 		'autoresponder_subject' => array (
 			'datatype'      => 'VARCHAR',
 			'formtype'      => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default'       => 'Out of office reply',
 			'value'         => '',
 			'width'  => '30',
@@ -70,6 +76,10 @@ $form["tabs"]['autoresponder'] = array (
 		'autoresponder_text' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'TEXTAREA',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'default' => '',
 			'value'  => '',
 			'cols'  => '30',
diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php
index 5224cc50a8..e7bfa611a9 100644
--- a/interface/web/sites/database_user_edit.php
+++ b/interface/web/sites/database_user_edit.php
@@ -87,6 +87,7 @@ class page_action extends tform_actions {
 			// Fill the client select field
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 			$records = $app->db->queryAllRecords($sql, $client['client_id']);
+			$records = $app->functions->htmlentities($records);
 			$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 			$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contact_name'].'</option>';
 			//$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -101,6 +102,7 @@ class page_action extends tform_actions {
 			// Fill the client select field
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 			$clients = $app->db->queryAllRecords($sql);
+			$clients = $app->functions->htmlentities($clients);
 			$client_select = "<option value='0'></option>";
 			//$tmp_data_record = $app->tform->getDataRecord($this->id);
 			if(is_array($clients)) {
diff --git a/interface/web/sites/form/web_vhost_domain.tform.php b/interface/web/sites/form/web_vhost_domain.tform.php
index 4b709eeda4..071efbb9a9 100644
--- a/interface/web/sites/form/web_vhost_domain.tform.php
+++ b/interface/web/sites/form/web_vhost_domain.tform.php
@@ -520,6 +520,12 @@ if($ssl_available) {
 			'ssl_domain' => array (
 				'datatype' => 'VARCHAR',
 				'formtype' => 'TEXT',
+				'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+				),
 				'default' => '',
 				'value'  => '',
 				'width'  => '30',
@@ -528,6 +534,10 @@ if($ssl_available) {
 			'ssl_key' => array (
 				'datatype' => 'TEXT',
 				'formtype' => 'TEXTAREA',
+				'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+				),
 				'default' => '',
 				'value'  => '',
 				'cols'  => '30',
@@ -536,6 +546,10 @@ if($ssl_available) {
 			'ssl_request' => array (
 				'datatype' => 'TEXT',
 				'formtype' => 'TEXTAREA',
+				'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+				),
 				'default' => '',
 				'value'  => '',
 				'cols'  => '30',
@@ -544,6 +558,10 @@ if($ssl_available) {
 			'ssl_cert' => array (
 				'datatype' => 'TEXT',
 				'formtype' => 'TEXTAREA',
+				'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+				),
 				'default' => '',
 				'value'  => '',
 				'cols'  => '30',
@@ -552,6 +570,10 @@ if($ssl_available) {
 			'ssl_bundle' => array (
 				'datatype' => 'TEXT',
 				'formtype' => 'TEXTAREA',
+				'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+				),
 				'default' => '',
 				'value'  => '',
 				'cols'  => '30',
diff --git a/interface/web/sites/form/webdav_user.tform.php b/interface/web/sites/form/webdav_user.tform.php
index a1bfd3056d..8d5c0c561f 100644
--- a/interface/web/sites/form/webdav_user.tform.php
+++ b/interface/web/sites/form/webdav_user.tform.php
@@ -130,6 +130,12 @@ $form["tabs"]['webdav'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'directory_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php
index 82cf226a37..023f8db0c5 100644
--- a/interface/web/sites/web_vhost_domain_edit.php
+++ b/interface/web/sites/web_vhost_domain_edit.php
@@ -290,6 +290,7 @@ class page_action extends tform_actions {
 			} elseif($this->_vhostdomain_type == 'aliasdomain') {
 				$client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_aliasdomain, client.web_servers, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
 			}
+			$client = $app->functions->htmlentities($client);
 
 			$client['web_servers_ids'] = explode(',', $client['web_servers']);
 			$only_one_server = count($client['web_servers_ids']) === 1;
@@ -326,6 +327,7 @@ class page_action extends tform_actions {
 				// Fill the client select field
 				$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 				$records = $app->db->queryAllRecords($sql, $client['client_id']);
+				$records = $app->functions->htmlentities($records);
 				$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 				$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 				//$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -585,6 +587,7 @@ class page_action extends tform_actions {
 				// Fill the client select field
 				$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 				$clients = $app->db->queryAllRecords($sql);
+				$clients = $app->functions->htmlentities($clients);
 				$client_select = "<option value='0'></option>";
 				//$tmp_data_record = $app->tform->getDataRecord($this->id);
 				if(is_array($clients)) {
diff --git a/interface/web/vm/form/openvz_ostemplate.tform.php b/interface/web/vm/form/openvz_ostemplate.tform.php
index 07eeafef0f..a28bbc6ade 100644
--- a/interface/web/vm/form/openvz_ostemplate.tform.php
+++ b/interface/web/vm/form/openvz_ostemplate.tform.php
@@ -69,6 +69,12 @@ $form["tabs"]['main'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'template_name_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -81,6 +87,12 @@ $form["tabs"]['main'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'template_file_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -113,6 +125,10 @@ $form["tabs"]['main'] = array (
 		'description' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'TEXTAREA',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
diff --git a/interface/web/vm/form/openvz_template.tform.php b/interface/web/vm/form/openvz_template.tform.php
index 8279ce085c..1a069361cb 100644
--- a/interface/web/vm/form/openvz_template.tform.php
+++ b/interface/web/vm/form/openvz_template.tform.php
@@ -69,6 +69,12 @@ $form["tabs"]['main'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'template_name_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -155,6 +161,12 @@ $form["tabs"]['main'] = array (
 		'hostname' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
@@ -172,6 +184,12 @@ $form["tabs"]['main'] = array (
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'template_nameserver_error_empty'),
 			),
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '8.8.8.8 8.8.4.4',
 			'value'  => '',
 			'width'  => '30',
@@ -187,6 +205,10 @@ $form["tabs"]['main'] = array (
 		'description' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'TEXTAREA',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
diff --git a/interface/web/vm/form/openvz_vm.tform.php b/interface/web/vm/form/openvz_vm.tform.php
index 44f20dc6ec..fe61e27c45 100644
--- a/interface/web/vm/form/openvz_vm.tform.php
+++ b/interface/web/vm/form/openvz_vm.tform.php
@@ -122,7 +122,11 @@ $form["tabs"]['main'] = array (
 				1 => array( 'event' => 'SHOW',
 					'type' => 'IDNTOUTF8'),
 				2 => array( 'event' => 'SAVE',
-					'type' => 'TOLOWER')
+					'type' => 'TOLOWER'),
+				3 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+				4 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
 			),
 			'validators' => array (  0 => array ( 'type' => 'NOTEMPTY',
 					'errmsg'=> 'hostname_error_empty'),
@@ -178,6 +182,10 @@ $form["tabs"]['main'] = array (
 		'description' => array (
 			'datatype' => 'TEXT',
 			'formtype' => 'TEXTAREA',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS')
+			),
 			'default' => '',
 			'value'  => '',
 			'separator' => '',
diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php
index 69265885cd..2a5b12f3d7 100644
--- a/interface/web/vm/openvz_vm_edit.php
+++ b/interface/web/vm/openvz_vm_edit.php
@@ -97,11 +97,12 @@ class page_action extends tform_actions {
 			//* Get the limits of the client
 			$client_group_id = $_SESSION["s"]["user"]["default_group"];
 			$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.limit_openvz_vm_template_id, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
-
+			$client = $app->functions->htmlentities($client);
 
 			//* Fill the client select field
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 			$records = $app->db->queryAllRecords($sql, $client['client_id']);
+			$records = $app->functions->htmlentities($records);
 			$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 			$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
 			//$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -134,6 +135,7 @@ class page_action extends tform_actions {
 			//* Fill the client select field
 			$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 			$clients = $app->db->queryAllRecords($sql);
+			$clients = $app->functions->htmlentities($clients);
 			$client_select = "<option value='0'></option>";
 			//$tmp_data_record = $app->tform->getDataRecord($this->id);
 			if(is_array($clients)) {
-- 
GitLab