diff --git a/src/elogd.c b/src/elogd.c
index daf5f9fd..619184c5 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -10490,7 +10490,8 @@ void show_edit_form(LOGBOOK * lbs, int message_id, BOOL breply, BOOL bedit, BOOL
    /*---- add password in case cookie expires during edit ----*/
 
    if (getcfg(lbs->name, "Password file", str, sizeof(str)) && isparam("unm")) {
-      rsprintf("<input type=hidden name=\"unm\" value=\"%s\">\n", getparam("unm"));
+      strencode2(str, getparam("unm"), sizeof(str));
+      rsprintf("<input type=hidden name=\"unm\" value=\"%s\">\n", str);
       if (isparam("upwd"))
          strlcpy(upwd, getparam("upwd"), sizeof(upwd));
       else
@@ -10577,7 +10578,9 @@ void show_edit_form(LOGBOOK * lbs, int message_id, BOOL breply, BOOL bedit, BOOL
 
       rsprintf("<tr><td nowrap width=\"10%%\" class=\"attribname\">%s:</td>", loc("Entry time"));
       rsprintf("<td class=\"attribvalue\">%s\n", str);
-      rsprintf("<input type=hidden name=entry_date value=\"%s\"></td></tr>\n", date);
+
+      strencode2(str, date, sizeof(str));
+      rsprintf("<input type=hidden name=entry_date value=\"%s\"></td></tr>\n", str);
    }
 
    if (_condition[0])
@@ -11839,7 +11842,8 @@ void show_edit_form(LOGBOOK * lbs, int message_id, BOOL breply, BOOL bedit, BOOL
                thumb_ref[0] = 0;
 
                if (strlen(att[index]) < 14 || att[index][6] != '_' || att[index][13] != '_') {
-                  rsprintf("<b>Error: Invalid attachment \"%s\"</b><br>", att);
+                  strencode2(str, att[index], sizeof(str));
+                  rsprintf("<b>Error: Invalid attachment \"%s\"</b><br>", str);
                } else {
 
                   strlcpy(file_name, lbs->data_dir, sizeof(file_name));
@@ -11889,7 +11893,8 @@ void show_edit_form(LOGBOOK * lbs, int message_id, BOOL breply, BOOL bedit, BOOL
                      rsprintf("&nbsp;&nbsp;\n");
 
                      /* ImageMagick available, so get image size */
-                     rsprintf("<b>%s</b>&nbsp;\n", att[index] + 14);
+                     strencode2(str, att[index], sizeof(str));
+                     rsprintf("<b>%s</b>&nbsp;\n", str + 14);
                      if (chkext(file_name, ".pdf") || chkext(file_name, ".ps"))
                         sprintf(cmd, "%s -format '%%wx%%h' '%s[0]'", _identify_cmd, file_name);
                      else
@@ -12006,10 +12011,11 @@ void show_edit_form(LOGBOOK * lbs, int message_id, BOOL breply, BOOL bedit, BOOL
                      rsprintf("</td></tr></table>\n");
                }
 
+               strencode2(str, att[index], sizeof(str));
                if (thumb_ref[0])
-                  rsprintf("<input type=hidden name=\"attachment%d\" alt=\"%s\" value=\"%s\">\n", index, thumb_ref, att[index]);
+                  rsprintf("<input type=hidden name=\"attachment%d\" alt=\"%s\" value=\"%s\">\n", index, thumb_ref, str);
                else
-                  rsprintf("<input type=hidden name=\"attachment%d\" value=\"%s\">\n", index, att[index]);
+                  rsprintf("<input type=hidden name=\"attachment%d\" value=\"%s\">\n", index, str);
 
                rsprintf("</td></tr>\n");
             } else
@@ -13739,7 +13745,8 @@ void show_config_page(LOGBOOK * lbs)
    rsprintf("<!--\n\n");
    rsprintf("function chkrem()\n");
    rsprintf("{\n");
-   sprintf(str, loc("Really remove user %s?"), user);
+   strencode2(str, user, sizeof(str));
+   sprintf(str, loc("Really remove user %s?"), str);
    rsprintf("    var subm = confirm(\"%s\");\n", str);
    rsprintf("    return subm;\n");
    rsprintf("}\n\n");
@@ -13772,7 +13779,8 @@ void show_config_page(LOGBOOK * lbs)
    rsprintf("<input type=hidden name=cmd value=\"%s\">\n", loc("Config"));      // for select javascript
    rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Save"));
    rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Back"));
-   rsprintf("<input type=hidden name=config value=\"%s\">\n", user);
+   strencode2(str, user, sizeof(str));
+   rsprintf("<input type=hidden name=config value=\"%s\">\n", str);
    rsprintf("<input type=hidden name=cfgpage value=\"1\">\n");                  // needed for "Save" command
 
    rsprintf("</span></td></tr>\n\n");
@@ -13807,10 +13815,14 @@ void show_config_page(LOGBOOK * lbs)
 
       for (i = 0; i < n; i++) {
          get_user_line(lbs, user_list[i], NULL, full_name, user_email, NULL, NULL, NULL);
-         if (strcmp(user_list[i], user) == 0)
-            rsprintf("<option selected value=\"%s\">%s &lt;%s&gt;\n", user_list[i], user_list[i], user_email);
-         else
-            rsprintf("<option value=\"%s\">%s &lt;%s&gt;\n", user_list[i], user_list[i], user_email);
+         if (strcmp(user_list[i], user) == 0) {
+            strencode2(str, user_list[i], sizeof(str));
+            rsprintf("<option selected value=\"%s\">%s &lt;%s&gt;\n", str, str, user_email);
+         }
+         else {
+            strencode2(str, user_list[i], sizeof(str));
+            rsprintf("<option selected value=\"%s\">%s &lt;%s&gt;\n", str, str, user_email);
+         }
       }
 
       for (i = 0; i < n; i++)
@@ -13849,6 +13861,8 @@ void show_config_page(LOGBOOK * lbs)
    rsprintf("<tr><td nowrap width=\"15%%\">%s:</td>\n", loc("Login name"));
 
    getcfg(lbs->name, "Authentication", auth, sizeof(auth));
+
+   strencode2(str, user, sizeof(str));
    if (stristr(auth, "Kerberos") || stristr(auth, "Webserver"))
       rsprintf("<td><input type=text size=40 name=new_user_name value=\"%s\" readonly></td></tr>\n", str);
    else
@@ -14114,7 +14128,9 @@ void show_forgot_pwd_page(LOGBOOK * lbs)
             url_slash_encode(pwd, sizeof(pwd));
             sprintf(redir, "?cmd=%s&oldpwd=%s", loc("Change password"), pwd);
             url_encode(redir, sizeof(redir));
-            sprintf(str, "?redir=%s&uname=%s&upassword=%s", redir, login_name, pwd);
+
+            strencode2(str2, redir, sizeof(str2));
+            sprintf(str, "?redir=%s&uname=%s&upassword=%s", str2, login_name, pwd);
             strlcat(url, str, sizeof(url));
 
             retrieve_email_from(lbs, mail_from, mail_from_name, NULL);
@@ -14235,7 +14251,8 @@ void show_new_user_page(LOGBOOK * lbs, char *user)
 
    rsprintf("<tr><td nowrap>%s:</td>\n", loc("Login name"));
    if (user && user[0]) {
-      rsprintf("<td><input type=text size=40 name=new_user_name value=\"%s\" readonly></td>\n", user);
+      strencode2(str, user, sizeof(str));
+      rsprintf("<td><input type=text size=40 name=new_user_name value=\"%s\" readonly></td>\n", str);
       rsprintf("<td>&nbsp;</td>\n");
    } else {
       rsprintf("<td><input type=text size=40 name=new_user_name></td>\n");
@@ -26110,6 +26127,9 @@ void show_login_page(LOGBOOK * lbs, char *redir, int fail)
    strlcpy(str, redir, sizeof(str));
    if (strchr(str, '<'))
       url_encode(str, sizeof(str));
+   if (strchr(str, ' '))
+      return;
+
    rsprintf("<input type=hidden name=redir value=\"%s\">\n", str);
 
    rsprintf("<table class=\"login_frame\" cellspacing=0 align=center>");
@@ -26125,12 +26145,15 @@ void show_login_page(LOGBOOK * lbs, char *redir, int fail)
       sprintf(str, loc("User \"%s\" has no access to this logbook"), getparam("unm"));
       rsprintf("<tr><td class=\"dlgerror\">%s!</td></tr>\n", str);
    }
+   
+   if (isparam("unm"))
+      strencode2(str, getparam("unm"), sizeof(str));
 
    rsprintf("<tr><td class=\"login_form\">\n");
    rsprintf("<span class=\"overlay_wrapper\">\n");
    rsprintf("<label for=\"uname\" id=\"uname\" class=\"overlabel\">%s</label>\n", loc("Username"));
    rsprintf("<input type=\"text\" class=\"login_input\" name=\"uname\" value=\"%s\" title=\"%s\" onInput=\"document.getElementById('uname').style.display='none';\">\n",
-            isparam("unm") ? getparam("unm") : "", loc("Username"));
+            isparam("unm") ? str : "", loc("Username"));
    rsprintf("</span></td></tr>\n");
 
    rsprintf("<tr><td class=\"login_form\">\n");