From 9a098895f38e1b4f708e05aaaa40a61de36c0769 Mon Sep 17 00:00:00 2001 
From: AgustinSRG Date: Thu, 28 Dec 2023 17:27:48 +0100 Subject: [PATCH] Control panel: Escape HTML where possible --- src/bot-modules/auto-invite/server-handler.js | 10 +-- src/bot-modules/battle-log/server-handler.js | 14 ++-- src/bot-modules/battle/server-handler.js | 32 ++++---- src/bot-modules/blacklist/server-handler.js | 10 +-- .../chat-logger/handlers/logs-config.js | 4 +- .../core/commands/cmd-admin.translations | 2 +- src/bot-modules/core/handlers/autojoin.js | 10 +-- src/bot-modules/core/handlers/login.js | 2 +- .../games/trivia/server-handler.js | 7 +- .../games/wordgames/server-handler.js | 14 ++-- .../games/wordgames/template-group.html | 2 +- src/bot-modules/github/server-handler.js | 8 +- src/bot-modules/groupchats/server-handler.js | 22 +++--- src/bot-modules/html-box/server-handler.js | 34 ++++----- .../join-phrases/commands.translations | 4 +- .../join-phrases/server-handler.js | 18 ++--- .../moderation/handlers/bannedwords.js | 22 +++--- .../moderation/handlers/moderation.js | 42 +++++----- .../moderation/handlers/zerotolerance.js | 18 ++--- .../players-auction/server-handler.js | 16 ++-- src/bot-modules/pokemon/server-handler.js | 8 +- src/bot-modules/quote-joke/server-handler.js | 4 +- src/bot-modules/rand-cmd/server-handler.js | 26 +++---- src/bot-modules/shortcuts/server-handler.js | 28 +++---- src/bot-modules/tour-cmd/server-handler.js | 16 ++-- .../tour-ldb-custom/server-handler.js | 18 ++--- .../tour-leaderboards/server-handler.js | 18 ++--- src/server/handlers/addons.js | 12 +-- src/server/handlers/admin.js | 29 +++---- src/server/handlers/bot.js | 16 ++-- src/server/handlers/dyncmd.js | 54 ++++++------- src/server/handlers/language.js | 24 +++--- src/server/handlers/modules.js | 19 ++--- src/server/handlers/parser.js | 76 +++++++++---------- src/server/handlers/seclog.js | 9 ++- src/server/handlers/tools.js | 20 ++--- src/server/handlers/users.js | 36 ++++----- src/tools/text.js | 2 +- 38 files changed, 355 insertions(+), 351 
deletions(-) diff --git a/src/bot-modules/auto-invite/server-handler.js b/src/bot-modules/auto-invite/server-handler.js index 9bb09e9..6c2aa6b 100644 --- a/src/bot-modules/auto-invite/server-handler.js +++ b/src/bot-modules/auto-invite/server-handler.js @@ -47,8 +47,8 @@ exports.setup = function (App) { } let htmlVars = Object.create(null); - htmlVars.room = (App.config.modules.autoinvite.room || ""); - htmlVars.publicroom = (App.config.modules.autoinvite.public || ""); + htmlVars.room = Text.escapeHTML(App.config.modules.autoinvite.room || ""); + htmlVars.publicroom = Text.escapeHTML(App.config.modules.autoinvite.public || ""); htmlVars.rank = getRankSelect('rank', App.config.modules.autoinvite.rank); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); @@ -64,10 +64,10 @@ exports.setup = function (App) { rank = App.config.parser[rank]; } let html = ''; - html += ''; for (let j = 0; j < App.config.parser.groups.length; j++) { - html += ''; + html += ''; } html += ''; return html; diff --git a/src/bot-modules/battle-log/server-handler.js b/src/bot-modules/battle-log/server-handler.js index 052a0d6..dbb15da 100644 --- a/src/bot-modules/battle-log/server-handler.js +++ b/src/bot-modules/battle-log/server-handler.js @@ -50,12 +50,12 @@ exports.setup = function (App) { App.config.modules.battlelog.maxbattles = maxbattles; App.db.write(); App.logServerAction(context.user.id, "Set Battle Logger configuration."); - ok = "Changes made sucessfully."; + ok = "Changes made successfully."; } } let htmlVars = Object.create(null); - htmlVars.maxbattles = (App.config.modules.battlelog.maxbattles || '0'); + htmlVars.maxbattles = Text.escapeHTML(App.config.modules.battlelog.maxbattles || '0'); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); 
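Review bot: `Text.escapeHTML` is introduced at `htmlVars.room` and `htmlVars.publicroom`, but nothing in this hunk shows that `Text` is in scope for src/bot-modules/auto-invite/server-handler.js; the commit adds `const Text = Tools('text');` only to the trivia and wordgames handlers. If this module lacks that require, the first request to the page throws a ReferenceError instead of rendering, which is a worse outcome than the unescaped value it replaces. Confirm the require exists near the top of the file (outside this hunk) or add it beside the other `Tools(...)` requires. The same check applies to the chat-logger logs-config.js, autojoin.js and github handler hunks, none of which shows a prior use of `Text` in its context lines.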
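Review bot: `Text.escapeHTML(App.config.modules.battlelog.maxbattles || '0')` passes a number whenever maxbattles is set, and the same happens further down with `logs[i].size`, with `Config.maxBattles`, `Config.ladderBattles` and `Config.maxTurns || 0` in the battle handler, with `maxold` in logs-config.js and with `config.port` in the github handler. Whether that is safe depends on src/tools/text.js, which this commit also touches but which is not visible here: if `escapeHTML` calls `.replace` on its argument without first coercing it, every one of those pages throws a TypeError on render. Either confirm the helper does `String(...)` on its input, or pass strings explicitly, e.g. `htmlVars.maxbattles = Text.escapeHTML(String(App.config.modules.battlelog.maxbattles || '0'));`. The enclosing `exports.setup` function starts and ends outside the hunk.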
@@ -64,13 +64,13 @@ exports.setup = function (App) { let logs = App.modules.battlelog.system.getFiles(); for (let i = 0; i < logs.length; i++) { htmlVars.log_files += ''; - htmlVars.log_files += '' + logs[i].file + ''; - htmlVars.log_files += ' |  | '; htmlVars.log_files += '' + Text.escapeHTML(logs[i].title) + ''; - htmlVars.log_files += '' + logs[i].date + ''; - htmlVars.log_files += '' + logs[i].size + ' KB'; + htmlVars.log_files += '' + Text.escapeHTML(logs[i].date) + ''; + htmlVars.log_files += '' + Text.escapeHTML(logs[i].size) + ' KB'; htmlVars.log_files += '' + Text.escapeHTML(logs[i].state || "-") + ''; htmlVars.log_files += ''; diff --git a/src/bot-modules/battle/server-handler.js b/src/bot-modules/battle/server-handler.js index b71eaf7..5d69ca4 100644 --- a/src/bot-modules/battle/server-handler.js +++ b/src/bot-modules/battle/server-handler.js @@ -84,14 +84,14 @@ exports.setup = function (App) { let htmlVars = Object.create(null); - htmlVars.maxbattles = Config.maxBattles; - htmlVars.maxladder = Config.ladderBattles; - htmlVars.maxturns = Config.maxTurns || 0; + htmlVars.maxbattles = Text.escapeHTML(Config.maxBattles); + htmlVars.maxladder = Text.escapeHTML(Config.ladderBattles); + htmlVars.maxturns = Text.escapeHTML(Config.maxTurns || 0); htmlVars.jointours = Object.keys(Config.joinTours).join(', '); htmlVars.join_abandoned = (!Config.ignoreAbandonedbattles ? "checked=\"checked\"" : ""); - htmlVars.initmsg = Config.initBattleMsg.join('\n'); - htmlVars.winmsg = Config.winmsg.join('\n'); - htmlVars.losemsg = Config.losemsg.join('\n'); + htmlVars.initmsg = Text.escapeHTML(Config.initBattleMsg.join('\n')); + htmlVars.winmsg = Text.escapeHTML(Config.winmsg.join('\n')); + htmlVars.losemsg = Text.escapeHTML(Config.losemsg.join('\n')); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); 
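Review bot: `htmlVars.jointours = Object.keys(Config.joinTours).join(', ');` is left unescaped between lines the commit now escapes, so room ids stored in the joinTours config still reach the page raw while the autojoin handler in this same commit escapes its equivalent joined room list. Change it to `htmlVars.jointours = Text.escapeHTML(Object.keys(Config.joinTours).join(', '));`; `htmlVars.join_abandoned` needs nothing since it is a fixed literal. The enclosing `exports.setup` function starts and ends outside the hunk.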
@@ -152,9 +152,9 @@ exports.setup = function (App) { try { check(!mod.ChallManager.challenges || !mod.ChallManager.challenges.challengeTo, "There is a pending challenge request"); check(user, "You must specify an user to send the challenge"); - check(App.bot.formats[format] && App.bot.formats[format].chall, "Format " + format + " is not available for challenges"); - check(team || !App.bot.formats[format].team || mod.TeamBuilder.hasTeam(format), "No teams available for " + format); - check(!team || mod.TeamBuilder.dynTeams[team], "Team " + team + " not found"); + check(App.bot.formats[format] && App.bot.formats[format].chall, "Format " + Text.escapeHTML(format) + " is not available for challenges"); + check(team || !App.bot.formats[format].team || mod.TeamBuilder.hasTeam(format), "No teams available for " + Text.escapeHTML(format)); + check(!team || mod.TeamBuilder.dynTeams[team], "Team " + Text.escapeHTML(team) + " not found"); } catch (err) { error = err.message; } @@ -173,7 +173,7 @@ exports.setup = function (App) { cmds.push('|/challenge ' + user + ", " + format); App.bot.send(cmds); App.logServerAction(context.user.id, "Send Challenge: " + user + " | " + format + " | " + (team || "-")); - ok = "Challenge request sent to " + user; + ok = "Challenge request sent to " + Text.escapeHTML(user); } } else if (context.post.cancelchall) { if (mod.ChallManager.challenges && mod.ChallManager.challenges.challengeTo) { 
@@ -218,7 +218,7 @@ exports.setup = function (App) { check(!mod.LadderManager.laddering, "Already laddering"); check(format, "You must specify a format"); check(App.bot.formats[format] && App.bot.formats[format].ladder, "Invalid Format"); - check(!App.bot.formats[format].team || mod.TeamBuilder.hasTeam(format), "No available teams for " + format); + check(!App.bot.formats[format].team || mod.TeamBuilder.hasTeam(format), "No available teams for " + Text.escapeHTML(format)); check(!isNaN(seconds) && seconds > 0, "Invalid interval"); } catch (err) { error = err.message; @@ -227,7 +227,7 @@ exports.setup = function (App) { if (!error) { mod.LadderManager.start(format, seconds * 1000); App.logServerAction(context.user.id, "Start Laddering. Format: " + format + ", interval: " + seconds); - ok = 'Laddering in format: ' + App.bot.formats[format].name; + ok = 'Laddering in format: ' + Text.escapeHTML(App.bot.formats[format].name); } } else if (context.post.stopladder) { try { @@ -287,7 +287,7 @@ exports.setup = function (App) { mod.TeamBuilder.saveTeams(); mod.TeamBuilder.mergeTeams(); App.logServerAction(context.user.id, "Delete Team: " + id); - ok = 'Team ' + id + ' deleted successfully'; + ok = 'Team ' + Text.escapeHTML(id) + ' deleted successfully'; } else { error = "Team not found"; } @@ -317,7 +317,7 @@ exports.setup = function (App) { mod.TeamBuilder.saveTeams(); mod.TeamBuilder.mergeTeams(); App.logServerAction(context.user.id, "Add Team: " + id); - ok = 'Team ' + id + ' added successfully'; + ok = 'Team ' + Text.escapeHTML(id) + ' added successfully'; } } @@ -340,9 +340,9 @@ exports.setup = function (App) { } if (selectedFormat && selectedFormat !== teams[id].format) continue; htmlVars.teams += teamsItemTemplate.make({ - id: id, + id: Text.escapeHTML(id), format: Text.escapeHTML(formatName), - pokemon: Teams.teamOverview(teams[id].packed), + pokemon: Text.escapeHTML(Teams.teamOverview(teams[id].packed)), }); } 
diff --git a/src/bot-modules/blacklist/server-handler.js b/src/bot-modules/blacklist/server-handler.js index 7f0704b..85c8237 100644 --- a/src/bot-modules/blacklist/server-handler.js +++ b/src/bot-modules/blacklist/server-handler.js @@ -49,7 +49,7 @@ exports.setup = function (App) { } App.modules.blacklist.system.db.write(); App.logServerAction(context.user.id, "Edit Blacklist: " + room); - ok = "Blacklist saved for room " + room; + ok = "Blacklist saved for room " + Text.escapeHTML(room); } else { error = "You must specify a room"; } @@ -60,9 +60,9 @@ exports.setup = function (App) { App.modules.blacklist.system.data[room] = Object.create(null); App.modules.blacklist.system.db.write(); App.logServerAction(context.user.id, "Added blacklist: " + room); - ok = "Added blacklist for room " + room; + ok = "Added blacklist for room " + Text.escapeHTML(room); } else { - error = "Room " + room + " already has a blacklist"; + error = "Room " + Text.escapeHTML(room) + " already has a blacklist"; } } else { error = "You must specify a room"; @@ -75,8 +75,8 @@ exports.setup = function (App) { let data = App.modules.blacklist.system.data; for (let room in data) { htmlVars.rooms += roomTemplate.make({ - room: room, - blacklist: Object.keys(data[room]).join(', '), + room: Text.escapeHTML(room), + blacklist: Text.escapeHTML(Object.keys(data[room]).join(', ')), }); } diff --git a/src/bot-modules/chat-logger/handlers/logs-config.js b/src/bot-modules/chat-logger/handlers/logs-config.js index 6e593f9..819ce36 100644 --- a/src/bot-modules/chat-logger/handlers/logs-config.js +++ b/src/bot-modules/chat-logger/handlers/logs-config.js 
@@ -56,10 +56,10 @@ exports.setup = function (App) { let htmlVars = Object.create(null); - htmlVars.rooms = Object.keys(App.config.modules.chatlogger.rooms).join(', '); + htmlVars.rooms = Text.escapeHTML(Object.keys(App.config.modules.chatlogger.rooms).join(', ')); htmlVars.logpm = (App.config.modules.chatlogger.logpm ? ' checked="checked"' : ''); htmlVars.loggroupchats = (App.config.modules.chatlogger.logGroupChats ? ' checked="checked"' : ''); - htmlVars.age = App.config.modules.chatlogger.maxold; + htmlVars.age = Text.escapeHTML(App.config.modules.chatlogger.maxold); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); diff --git a/src/bot-modules/core/commands/cmd-admin.translations b/src/bot-modules/core/commands/cmd-admin.translations index f4d4e58..e131149 100644 --- a/src/bot-modules/core/commands/cmd-admin.translations +++ b/src/bot-modules/core/commands/cmd-admin.translations @@ -8,7 +8,7 @@ $0 = The command $1 = does not exists $2 = The alias $3 = now references the command -$4 = was removed sucessfully +$4 = was removed successfully $5 = was not found $6 = This command is only available for chat rooms $7 = Language for room diff --git a/src/bot-modules/core/handlers/autojoin.js b/src/bot-modules/core/handlers/autojoin.js index d946db3..2d90759 100644 --- a/src/bot-modules/core/handlers/autojoin.js +++ b/src/bot-modules/core/handlers/autojoin.js @@ -36,7 +36,7 @@ function setup(App) { App.config.modules.core.joinall = !!context.post.joinall; App.db.write(); App.logServerAction(context.user.id, 'Edit Bot Autojoin details (Core Module)'); - ok = "Bot Auto-Join details have been set sucessfully. Restart the bot to make them effective."; + ok = "Bot Auto-Join details have been set successfully. Restart the bot to make them effective."; let cmds = []; 
@@ -55,11 +55,11 @@ function setup(App) { let htmlVars = Object.create(null); - htmlVars.rooms = (App.config.modules.core.rooms || []).join(', '); - htmlVars.privaterooms = (App.config.modules.core.privaterooms || []).join(', '); + htmlVars.rooms = Text.escapeHTML((App.config.modules.core.rooms || []).join(', ')); + htmlVars.privaterooms = Text.escapeHTML((App.config.modules.core.privaterooms || []).join(', ')); - htmlVars.avatar = (App.config.modules.core.avatar || ''); - htmlVars.status = (App.config.modules.core.status || ''); + htmlVars.avatar = Text.escapeHTML(App.config.modules.core.avatar || ''); + htmlVars.status = Text.escapeHTML(App.config.modules.core.status || ''); htmlVars.joinofficial = App.config.modules.core.joinofficial ? 'checked="checked"' : ''; htmlVars.joinall = App.config.modules.core.joinall ? 'checked="checked"' : ''; diff --git a/src/bot-modules/core/handlers/login.js b/src/bot-modules/core/handlers/login.js index f076a82..4fc3ff2 100644 --- a/src/bot-modules/core/handlers/login.js +++ b/src/bot-modules/core/handlers/login.js @@ -39,7 +39,7 @@ function setup(App) { App.config.modules.core.pass = pass; App.db.write(); App.logServerAction(context.user.id, 'Edit Bot Login details (Core Module)'); - ok = "Bot login details have been set sucessfully. Restart the bot to make them effective."; + ok = "Bot login details have been set successfully. Restart the bot to make them effective."; } } diff --git a/src/bot-modules/games/trivia/server-handler.js b/src/bot-modules/games/trivia/server-handler.js index f3a2682..a5cd7b2 100644 --- a/src/bot-modules/games/trivia/server-handler.js +++ b/src/bot-modules/games/trivia/server-handler.js @@ -7,6 +7,7 @@ const Path = require('path'); const check = Tools('check'); const Template = Tools('html-template'); +const Text = Tools('text'); const mainTemplate = new Template(Path.resolve(__dirname, 'template.html')); const questionTemplate = new Template(Path.resolve(__dirname, 'template-question.html')); 
@@ -105,9 +106,9 @@ exports.setup = function (App) { htmlVars.questions = ''; for (let id in mod.data) { htmlVars.questions += questionTemplate.make({ - id: id, - clue: mod.data[id].clue, - answers: mod.data[id].answers.join(', '), + id: Text.escapeHTML(id), + clue: Text.escapeHTML(mod.data[id].clue), + answers: Text.escapeHTML(mod.data[id].answers.join(', ')), }); } diff --git a/src/bot-modules/games/wordgames/server-handler.js b/src/bot-modules/games/wordgames/server-handler.js index 6bd55b8..9f43ce8 100644 --- a/src/bot-modules/games/wordgames/server-handler.js +++ b/src/bot-modules/games/wordgames/server-handler.js @@ -7,6 +7,7 @@ const Path = require('path'); const check = Tools('check'); const Template = Tools('html-template'); +const Text = Tools('text'); const mainTemplate = new Template(Path.resolve(__dirname, 'template.html')); const groupTemplate = new Template(Path.resolve(__dirname, 'template-group.html')); @@ -53,7 +54,7 @@ exports.setup = function (App) { mod.data[group] = words; mod.db.write(); App.logServerAction(context.user.id, "Words of Games: Add"); - ok = "Group " + group + " added sucessfully."; + ok = "Group " + Text.escapeHTML(group) + " added successfully."; } } else if (context.post.delgroup) { let group = (context.post.wordgroup || ""); @@ -68,7 +69,7 @@ exports.setup = function (App) { delete mod.data[group]; mod.db.write(); App.logServerAction(context.user.id, "Words of Games: Delete"); - ok = "Group " + group + " deleted sucessfully."; + ok = "Group " + Text.escapeHTML(group) + " deleted successfully."; } } else if (context.post.edit) { let group = (context.post.wordgroup || ""); @@ -93,7 +94,7 @@ exports.setup = function (App) { mod.data[group] = words; mod.db.write(); App.logServerAction(context.user.id, "Words of Games: Edit"); - ok = "Group " + group + " sucessfully modified."; + ok = "Group " + Text.escapeHTML(group) + " successfully modified."; } } 
@@ -102,13 +103,12 @@ exports.setup = function (App) { htmlVars.groups = ''; for (let group in mod.data) { htmlVars.groups += groupTemplate.make({ - group: group, - jsongroup: JSON.stringify(group), - words: mod.data[group].join(', '), + group: Text.escapeHTML(group), + words: Text.escapeHTM(mod.data[group].join(', ')), }); } - htmlVars.words = (errAdd ? (context.post.words || "") : ''); + htmlVars.words = Text.escapeHTML(errAdd ? (context.post.words || "") : ''); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); diff --git a/src/bot-modules/games/wordgames/template-group.html b/src/bot-modules/games/wordgames/template-group.html index 7132156..a034ae7 100644 --- a/src/bot-modules/games/wordgames/template-group.html +++ b/src/bot-modules/games/wordgames/template-group.html @@ -1,7 +1,7 @@
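Review bot: `words: Text.escapeHTM(mod.data[group].join(', ')),` misspells the helper; `Text.escapeHTM` is undefined, so rendering the group list throws `TypeError: Text.escapeHTM is not a function` as soon as `mod.data` holds one group, breaking the whole wordgames page rather than merely leaving the value unescaped. The line should read `words: Text.escapeHTML(mod.data[group].join(', ')),`. Since the `jsongroup` property is dropped here, the template-group.html change in this commit must no longer reference that variable; its hunk is not readable in this view, so please confirm. The enclosing `exports.setup` function starts and ends outside the hunk.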

Group ${GROUP} (words separated by commas)

- +

diff --git a/src/bot-modules/github/server-handler.js b/src/bot-modules/github/server-handler.js index 22cd27e..8c230de 100644 --- a/src/bot-modules/github/server-handler.js +++ b/src/bot-modules/github/server-handler.js @@ -59,10 +59,10 @@ exports.setup = function (App) { let htmlVars = Object.create(null); - htmlVars.room = config.room; - htmlVars.port = config.port; - htmlVars.secret = config.secret; - htmlVars.bl = Object.keys(config.blacklist).join(', '); + htmlVars.room = Text.escapeHTML(config.room); + htmlVars.port = Text.escapeHTML(config.port); + htmlVars.secret = Text.escapeHTML(config.secret); + htmlVars.bl = Text.escapeHTML(Object.keys(config.blacklist).join(', ')); htmlVars.enabled = (config.enabled ? ' checked="checked"' : ''); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); diff --git a/src/bot-modules/groupchats/server-handler.js b/src/bot-modules/groupchats/server-handler.js index 3643760..68b2be0 100644 --- a/src/bot-modules/groupchats/server-handler.js +++ b/src/bot-modules/groupchats/server-handler.js @@ -42,7 +42,7 @@ exports.setup = function (App) { let room = Text.toRoomid(context.post.room); try { check(room, 'You must specify a room'); - check(!data[room], 'Groupchat ' + room + ' already exists in this list.'); + check(!data[room], 'Groupchat ' + Text.escapeHTML(room) + ' already exists in this list.'); } catch (err) { error = err.message; } 
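Review bot: `htmlVars.secret = Text.escapeHTML(config.secret);` now escapes the webhook secret but still writes it into the served page, so escaping only prevents markup injection while the secret remains readable in the HTML response and in any browser or proxy cache of it. If the form only needs to let an administrator replace the value, rendering an empty field with a "leave blank to keep the current secret" hint and treating an empty post as "unchanged" removes the secret from the page entirely and makes the escape unnecessary. This is pre-existing behaviour rather than something the commit introduces, so it may be a follow-up. The enclosing `exports.setup` function starts and ends outside the hunk.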
@@ -58,14 +58,14 @@ exports.setup = function (App) { App.modules.groupchats.system.cacheRooms(); App.modules.groupchats.system.tick(); App.logServerAction(context.user.id, "Add groupchat: " + room); - ok = 'Groupchat ' + room + ' added to the groupchats feature.'; + ok = 'Groupchat ' + Text.escapeHTML(room) + ' added to the groupchats feature.'; } } else if (context.post.remove) { let data = App.modules.groupchats.system.config; let room = Text.toRoomid(context.post.room); try { check(room, 'You must specify a room'); - check(data[room], 'Groupchat ' + room + ' does not exists in this list.'); + check(data[room], 'Groupchat ' + Text.escapeHTML(room) + ' does not exists in this list.'); } catch (err) { error = err.message; } @@ -76,7 +76,7 @@ exports.setup = function (App) { App.modules.groupchats.system.cacheRooms(); App.modules.groupchats.system.tick(); App.logServerAction(context.user.id, "Delete groupchat: " + room); - ok = 'Groupchat ' + room + ' removed sucessfully.'; + ok = 'Groupchat ' + Text.escapeHTML(room) + ' removed successfully.'; } } @@ -84,7 +84,7 @@ exports.setup = function (App) { let opts = []; for (let room in App.modules.groupchats.system.config) { - opts.push('' + + opts.push('' + Text.escapeHTML(App.modules.groupchats.system.config[room].name) + ''); } htmlVars.submenu = opts.join(' | '); @@ -121,7 +121,7 @@ exports.setup = function (App) { App.modules.groupchats.system.cacheRooms(); App.modules.groupchats.system.tick(); App.logServerAction(context.user.id, "Edit groupchat: " + room); - ok = 'Changes saved sucessfully.'; + ok = 'Changes saved successfully.'; } } else if (context.post.modintro) { let data = App.modules.groupchats.system.config; 
@@ -130,7 +130,7 @@ exports.setup = function (App) { App.modules.groupchats.system.saveData(); App.modules.groupchats.system.setRoomIntro(room); App.logServerAction(context.user.id, "Edit groupchat (roomintro): " + room); - ok = 'Changes saved sucessfully.'; + ok = 'Changes saved successfully.'; } else if (context.post.setauth) { let data = App.modules.groupchats.system.config; let user = Text.toId(context.post.user); @@ -151,22 +151,22 @@ exports.setup = function (App) { App.modules.groupchats.system.saveData(); App.modules.groupchats.system.setAuth(room, user, group); App.logServerAction(context.user.id, "Edit groupchat (auth): " + room + " / " + user + " / " + group); - ok = 'Changes saved sucessfully.'; + ok = 'Changes saved successfully.'; } } let htmlVars = Object.create(null); - htmlVars.room = room; + htmlVars.room = Text.escapeHTML(room); htmlVars.name = Text.escapeHTML(config[room].name); htmlVars.private = config[room].private ? 'checked="checked"' : ''; - htmlVars.authfrom = config[room].authfrom || ""; + htmlVars.authfrom = Text.escapeHTML(config[room].authfrom || ""); htmlVars.intro = JSON.stringify(config[room].intro); let opts = []; for (let room in App.modules.groupchats.system.config) { - opts.push('' + + opts.push('' + Text.escapeHTML(App.modules.groupchats.system.config[room].name) + ''); } htmlVars.submenu = opts.join(' | '); diff --git a/src/bot-modules/html-box/server-handler.js b/src/bot-modules/html-box/server-handler.js index 4cbfd1f..9560603 100644 --- a/src/bot-modules/html-box/server-handler.js +++ b/src/bot-modules/html-box/server-handler.js 
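Review bot: `htmlVars.intro = JSON.stringify(config[room].intro);` stays raw while `htmlVars.room` and `htmlVars.authfrom` around it are now escaped; JSON output always contains double quotes and can contain `<`, `>` and `&`, so it is only safe if the template places it in a script context rather than an attribute or element body, which this hunk cannot show. The wordgames hunk in this same commit drops its `jsongroup: JSON.stringify(group)` in favour of an escaped plain string, which suggests the same treatment is wanted here, e.g. `htmlVars.intro = Text.escapeHTML(JSON.stringify(config[room].intro));` if the value lands in a textarea or attribute. Please confirm the template context before changing it. The enclosing `exports.setup` function starts and ends outside the hunk.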
@@ -51,7 +51,7 @@ exports.setup = function (App) { try { check(cmd, "You must specify a command"); - check(!Mod.data.commands[cmd], "Command " + cmd + " already exists"); + check(!Mod.data.commands[cmd], "Command " + Text.escapeHTML(cmd) + " already exists"); check(content, "Content cannot be blank"); check(content.length <= 500, "Command content cannot be longer than 500 characters"); } catch (err) { @@ -63,7 +63,7 @@ exports.setup = function (App) { Mod.data.commands[cmd] = content; Mod.db.write(); App.logServerAction(context.user.id, "HtmlBox CMD | Crete command: " + cmd); - ok = 'Html command "' + cmd + '" was created'; + ok = 'Html command "' + Text.escapeHTML(cmd) + '" was created'; } } else if (context.post.edit) { let cmd = Text.toCmdid(context.post.cmd); @@ -71,7 +71,7 @@ exports.setup = function (App) { try { check(cmd, "You must specify a command"); - check(Mod.data.commands[cmd], "Command " + cmd + " not found"); + check(Mod.data.commands[cmd], "Command " + Text.escapeHTML(cmd) + " not found"); check(content, "Content cannot be blank"); check(content.length <= 500, "Command content cannot be longer than 500 characters"); } catch (err) { @@ -82,14 +82,14 @@ exports.setup = function (App) { Mod.data.commands[cmd] = content; Mod.db.write(); App.logServerAction(context.user.id, "HtmlBox CMD | Edit command: " + cmd); - ok = 'Html command "' + cmd + '" was modified sucessfully'; + ok = 'Html command "' + Text.escapeHTML(cmd) + '" was modified successfully'; } } else if (context.post.delcmd) { let cmd = Text.toCmdid(context.post.cmd); try { check(cmd, "You must specify a command"); - check(Mod.data.commands[cmd], "Command " + cmd + " not found"); + check(Mod.data.commands[cmd], "Command " + Text.escapeHTML(cmd) + " not found"); } catch (err) { error = err.message; } 
@@ -98,7 +98,7 @@ exports.setup = function (App) { delete Mod.data.commands[cmd]; Mod.db.write(); App.logServerAction(context.user.id, "HtmlBox CMD | Delete command: " + cmd); - ok = 'Html command "' + cmd + '" was deleted'; + ok = 'Html command "' + Text.escapeHTML(cmd) + '" was deleted'; } } @@ -108,13 +108,13 @@ exports.setup = function (App) { let commands = Mod.data.commands; for (let cmd in commands) { htmlVars.cmds += cmdTemplate.make({ - cmd: cmd, - content: commands[cmd], + cmd: Text.escapeHTML(cmd), + content: Text.escapeHTML(commands[cmd]), }); } - htmlVars.cmd = (adderror ? (context.post.cmd || '') : ''); - htmlVars.content = (adderror ? (context.post.content || '') : ''); + htmlVars.cmd = Text.escapeHTML(adderror ? (context.post.cmd || '') : ''); + htmlVars.content = Text.escapeHTML(adderror ? (context.post.content || '') : ''); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); @@ -135,9 +135,9 @@ exports.setup = function (App) { Mod.data.aliases[alias] = cmd; Mod.db.write(); App.logServerAction(context.user.id, "HtmlBox CMD | Set alias: " + alias + " to the command: " + cmd); - ok = 'Command "' + alias + '" is now alias of "' + cmd + '"'; + ok = 'Command "' + Text.escapeHTML(alias) + '" is now alias of "' + Text.escapeHTML(cmd) + '"'; } else { - error = "The command " + cmd + " does not exists."; + error = "The command " + Text.escapeHTML(cmd) + " does not exists."; } } else { error = "You must specify a command"; 
@@ -152,9 +152,9 @@ exports.setup = function (App) { delete Mod.data.aliases[alias]; Mod.db.write(); App.logServerAction(context.user.id, "HtmlBox CMD | Delete alias: " + alias); - ok = 'Alias ' + alias + ' was deleted sucessfully.'; + ok = 'Alias ' + Text.escapeHTML(alias) + ' was deleted successfully.'; } else { - error = 'Alias ' + alias + ' was not found.'; + error = 'Alias ' + Text.escapeHTML(alias) + ' was not found.'; } } else { error = "You must specify an alias id."; @@ -165,16 +165,16 @@ exports.setup = function (App) { htmlVars.aliases = ''; for (let alias in Mod.data.aliases) { - htmlVars.aliases += '' + alias + '' + Mod.data.aliases[alias] + + htmlVars.aliases += '' + Text.escapeHTML(alias) + '' + Text.escapeHTML(Mod.data.aliases[alias]) + '
' + - '
'; } htmlVars.cmd_select = ''; diff --git a/src/bot-modules/join-phrases/commands.translations b/src/bot-modules/join-phrases/commands.translations index 0d344f0..c4bf3c5 100644 --- a/src/bot-modules/join-phrases/commands.translations +++ b/src/bot-modules/join-phrases/commands.translations @@ -7,9 +7,9 @@ $nochat = This command is only available for chat rooms $inv = Invalid username -$0 = Join-Phrase sucessfully set for user +$0 = Join-Phrase successfully set for user $1 = in room -$2 = Join-Phrase sucessfully removed for user +$2 = Join-Phrase successfully removed for user $3 = There is not a Join-Phrase set for user $4 = There are not join-phrases set for room $5 = Upload error. Try again later. diff --git a/src/bot-modules/join-phrases/server-handler.js b/src/bot-modules/join-phrases/server-handler.js index a55ceb7..4e16068 100644 --- a/src/bot-modules/join-phrases/server-handler.js +++ b/src/bot-modules/join-phrases/server-handler.js @@ -42,7 +42,7 @@ exports.setup = function (App) { let room = Text.toRoomid(context.post.room); try { check(room, 'You must specify a room'); - check(!data[room], 'Room ' + room + ' already exists in this list.'); + check(!data[room], 'Room ' + Text.escapeHTML(room) + ' already exists in this list.'); } catch (err) { error = err.message; } @@ -50,7 +50,7 @@ exports.setup = function (App) { data[room] = Object.create(null); App.modules.joinphrases.system.db.write(); App.logServerAction(context.user.id, "Add Join-phrases Room: " + room); - ok = 'Room ' + room + ' added to the join-phrases feature.'; + ok = 'Room ' + Text.escapeHTML(room) + ' added to the join-phrases feature.'; } } @@ -58,7 +58,7 @@ exports.setup = function (App) { let opts = []; for (let room in App.modules.joinphrases.system.config.rooms) { - opts.push('' + room + ''); + opts.push('' + Text.escapeHTML(room) + ''); } htmlVars.submenu = opts.join(' | '); 
@@ -89,7 +89,7 @@ exports.setup = function (App) { config.rooms[room][user] = phrase; App.modules.joinphrases.system.db.write(); App.logServerAction(context.user.id, "Set Join-phrase. Room: " + room + ", User: " + user); - ok = 'Join-Phrase successfully set for user ' + user + '.'; + ok = 'Join-Phrase successfully set for user ' + Text.escapeHTML(user) + '.'; } } else if (context.post.remove) { let user = Text.toId(context.post.user); @@ -106,18 +106,18 @@ exports.setup = function (App) { } App.modules.joinphrases.system.db.write(); App.logServerAction(context.user.id, "Delete Join-phrase. Room: " + room + ", User: " + user); - ok = 'Join-Phrase successfully deleted for user ' + user + '.'; + ok = 'Join-Phrase successfully deleted for user ' + Text.escapeHTML(user) + '.'; } } let htmlVars = Object.create(null); - htmlVars.room = room; + htmlVars.room = Text.escapeHTML(room); htmlVars.name = Text.escapeHTML(App.parser.getRoomTitle(room)); let opts = []; for (let k in config.rooms) { - opts.push('' + k + ''); + opts.push('' + Text.escapeHTML(k) + ''); } htmlVars.submenu = opts.join(' | '); @@ -125,10 +125,10 @@ exports.setup = function (App) { if (config.rooms[room]) { for (let user in config.rooms[room]) { htmlVars.phrases += ''; - htmlVars.phrases += '' + user + ''; + htmlVars.phrases += '' + Text.escapeHTML(user) + ''; htmlVars.phrases += '' + Text.escapeHTML(config.rooms[room][user]) + ''; htmlVars.phrases += '
' + - '
'; htmlVars.phrases += ''; } diff --git a/src/bot-modules/moderation/handlers/bannedwords.js b/src/bot-modules/moderation/handlers/bannedwords.js index bc1eb49..60877fb 100644 --- a/src/bot-modules/moderation/handlers/bannedwords.js +++ b/src/bot-modules/moderation/handlers/bannedwords.js @@ -39,15 +39,15 @@ exports.setup = function (App) { let room = Text.toRoomid(context.post.room); try { check(room, 'You must specify a room'); - check(!data[room], 'Room ' + room + ' already exists in this list.'); + check(!data[room], 'Room ' + Text.escapeHTML(room) + ' already exists in this list.'); } catch (err) { error = err.message; } if (!error) { data[room] = Object.create(null); App.modules.moderation.system.db.write(); - App.logServerAction(context.user.id, "Add Banwords Room: " + room); - ok = 'Room ' + room + ' added to the banwords feature.'; + App.logServerAction(context.user.id, "Add Banned words Room: " + room); + ok = 'Room ' + Text.escapeHTML(room) + ' added to the banned words feature.'; } } @@ -55,7 +55,7 @@ exports.setup = function (App) { let opts = []; for (let room in App.modules.moderation.system.data.bannedWords) { - opts.push('' + room + ''); + opts.push('' + Text.escapeHTML(room) + ''); } htmlVars.submenu = opts.join(' | '); @@ -105,7 +105,7 @@ exports.setup = function (App) { config.bannedWords[room][word].val = config.punishments.indexOf(punishment) + 1; App.modules.moderation.system.db.write(); App.logServerAction(context.user.id, "Add Banword. Room: " + room + " | Word: " + word); - ok = "Added Banword: " + Text.escapeHTML(word); + ok = "Added Banned word: " + Text.escapeHTML(word); } } else if (context.post.remove) { let word = context.post.word; @@ -123,7 +123,7 @@ exports.setup = function (App) { } App.modules.moderation.system.db.write(); App.logServerAction(context.user.id, "Delete Banword. Room: " + room + " | Word: " + word); - ok = "Removed Banword: " + Text.escapeHTML(word); + ok = "Removed Banned word: " + Text.escapeHTML(word); } } 
@@ -142,7 +142,7 @@ exports.setup = function (App) { for (let word in wordsData) { htmlVars.words += ''; htmlVars.words += '' + Text.escapeHTML(word) + ''; - htmlVars.words += '' + App.modules.moderation.system.modBot.getPunishment(wordsData[word].val) + ''; + htmlVars.words += '' + Text.escapeHTML(App.modules.moderation.system.modBot.getPunishment(wordsData[word].val)) + ''; switch (wordsData[word].type) { case 'i': htmlVars.words += 'Inappropriate'; @@ -168,16 +168,16 @@ exports.setup = function (App) { htmlVars.words += 'No'; } htmlVars.words += '
' + - '
'; + ''; htmlVars.words += ''; } htmlVars.punishments = ''; diff --git a/src/bot-modules/moderation/handlers/moderation.js b/src/bot-modules/moderation/handlers/moderation.js index 66ce1ea..4561120 100644 --- a/src/bot-modules/moderation/handlers/moderation.js +++ b/src/bot-modules/moderation/handlers/moderation.js @@ -78,12 +78,12 @@ exports.setup = function (App) { htmlVars.rooms = ''; for (let k in App.modules.moderation.system.modBot.filters) { let val = config.values[k] || 0; - htmlVars.rooms += '' + k + ''; - htmlVars.rooms += ''; let punishments = config.punishments; for (let i = 0; i < punishments.length; i++) { - htmlVars.rooms += ''; + htmlVars.rooms += ''; } htmlVars.rooms += ''; htmlVars.rooms += ''; @@ -100,9 +100,9 @@ exports.setup = function (App) { let opts = []; for (let k in App.modules.moderation.system.modBot.filters) { if (App.modules.moderation.system.modBot.modEnabled(k, room)) { - opts.push(' ' + k); + opts.push(' ' + Text.escapeHTML(k)); } else { - opts.push(' ' + k); + opts.push(' ' + Text.escapeHTML(k)); } } return '

' + opts.join(' | ') + '

'; @@ -125,7 +125,7 @@ exports.setup = function (App) { config.roomSettings[room] = Object.create(null); App.modules.moderation.system.db.write(); App.logServerAction(context.user.id, "Moderation Settings: Add Room: " + room); - ok = "Added room: " + room; + ok = "Added room: " + Text.escapeHTML(room); } } else if (context.post.delroom) { let room = Text.toRoomid(context.post.room); @@ -140,7 +140,7 @@ exports.setup = function (App) { delete config.roomSettings[room]; App.modules.moderation.system.db.write(); App.logServerAction(context.user.id, "Moderation Settings: Delete Room: " + room); - ok = "Removed room: " + room; + ok = "Removed room: " + Text.escapeHTML(room); } } else if (context.post.edit) { let room = Text.toRoomid(context.post.room); @@ -163,14 +163,14 @@ exports.setup = function (App) { htmlVars.global = getSettingsForm(''); htmlVars.rooms = ''; for (let room in config.roomSettings) { - htmlVars.rooms += '

Room: ' + room + '

'; + htmlVars.rooms += '

Room: ' + Text.escapeHTML(room) + '

'; htmlVars.rooms += '
'; - htmlVars.rooms += ''; + htmlVars.rooms += ''; htmlVars.rooms += getSettingsForm(room); htmlVars.rooms += '

'; htmlVars.rooms += '
'; - htmlVars.rooms += '

  

'; + htmlVars.rooms += '

  

'; htmlVars.rooms += '
'; } @@ -187,12 +187,12 @@ exports.setup = function (App) { rank = App.config.parser[rank]; } let html = ''; - html += ''; html += ''; html += ''; for (let j = 0; j < App.config.parser.groups.length; j++) { - html += ''; + html += ''; } html += ''; return html; @@ -250,7 +250,7 @@ exports.setup = function (App) { htmlVars.dme = getRankSelect('rank', config.modexception.global); htmlVars.rooms = ''; for (let room in config.modexception.rooms) { - htmlVars.rooms += '' + room + ''; + htmlVars.rooms += '' + Text.escapeHTML(room) + ''; switch (config.modexception.rooms[room]) { case 'user': htmlVars.rooms += 'All Users'; @@ -263,7 +263,7 @@ exports.setup = function (App) { break; } htmlVars.rooms += '
' + - '
'; } @@ -311,10 +311,10 @@ exports.setup = function (App) { htmlVars.rooms = ''; for (let room in config.rulesLink) { - htmlVars.rooms += '' + room + ''; - htmlVars.rooms += '' + Text.escapeHTML(config.rulesLink[room]) + ''; + htmlVars.rooms += '' + Text.escapeHTML(room) + ''; + htmlVars.rooms += '' + Text.escapeHTML(config.rulesLink[room]) + ''; htmlVars.rooms += '
' + - '
'; } @@ -346,7 +346,7 @@ exports.setup = function (App) { let htmlVars = Object.create(null); - htmlVars.wservers = config.serversWhitelist.join(', '); + htmlVars.wservers = Text.escapeHTML(config.serversWhitelist.join(', ')); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); diff --git a/src/bot-modules/moderation/handlers/zerotolerance.js b/src/bot-modules/moderation/handlers/zerotolerance.js index f0f1aee..c9700cb 100644 --- a/src/bot-modules/moderation/handlers/zerotolerance.js +++ b/src/bot-modules/moderation/handlers/zerotolerance.js @@ -80,14 +80,14 @@ exports.setup = function (App) { } App.modules.moderation.system.db.write(); App.logServerAction(context.user.id, "Edit Zero Tolerance. Room: " + room); - ok = 'Zero Tolerance list for room ' + room + ' saved.'; + ok = 'Zero Tolerance list for room ' + Text.escapeHTML(room) + ' saved.'; } } else if (context.post.add) { let data = App.modules.moderation.system.data.zeroTolerance; let room = Text.toRoomid(context.post.room); try { check(room, 'You must specify a room'); - check(!data[room], 'Room ' + room + ' already exists in this list.'); + check(!data[room], 'Room ' + Text.escapeHTML(room) + ' already exists in this list.'); } catch (err) { error = err.message; } @@ -95,7 +95,7 @@ exports.setup = function (App) { data[room] = Object.create(null); App.modules.moderation.system.db.write(); App.logServerAction(context.user.id, "Add Zero Tolerance Room: " + room); - ok = 'Room ' + room + ' added to the zero tolerance feature.'; + ok = 'Room ' + Text.escapeHTML(room) + ' added to the zero tolerance feature.'; } } 
@@ -125,14 +125,14 @@ exports.setup = function (App) { } } htmlVars.rooms += roomTemplate.make({ - room: room, + room: Text.escapeHTML(room), name: Text.escapeHTML(App.parser.getRoomTitle(room)), enabled: (App.modules.moderation.system.data.enableZeroTol[room] ? ' checked="checked"' : ''), - min: minTol.join(', '), - low: lowTol.join(', '), - normal: normalTol.join(', '), - high: highTol.join(', '), - max: maxTol.join(', '), + min: Text.escapeHTML(minTol.join(', ')), + low: Text.escapeHTML(lowTol.join(', ')), + normal: Text.escapeHTML(normalTol.join(', ')), + high: Text.escapeHTML(highTol.join(', ')), + max: Text.escapeHTML(maxTol.join(', ')), }); } diff --git a/src/bot-modules/players-auction/server-handler.js b/src/bot-modules/players-auction/server-handler.js index 440371f..dbf1652 100644 --- a/src/bot-modules/players-auction/server-handler.js +++ b/src/bot-modules/players-auction/server-handler.js @@ -43,7 +43,7 @@ exports.setup = function (App) { let room = Text.toRoomid(context.post.room); try { check(room, 'You must specify a room'); - check(!Mod.rooms[room], 'Room ' + room + ' already exists in this list.'); + check(!Mod.rooms[room], 'Room ' + Text.escapeHTML(room) + ' already exists in this list.'); } catch (err) { error = err.message; } @@ -51,13 +51,13 @@ exports.setup = function (App) { Mod.createAuction(room); Mod.saveData(); App.logServerAction(context.user.id, "Add Players-Auction Room: " + room); - ok = 'Room ' + room + ' added to the players-auction feature.'; + ok = 'Room ' + Text.escapeHTML(room) + ' added to the players-auction feature.'; } } else if (context.post.remove) { let room = Text.toRoomid(context.post.room); try { check(room, 'You must specify a room'); - check(Mod.rooms[room], 'Room ' + room + ' does not exists in this list.'); + check(Mod.rooms[room], 'Room ' + Text.escapeHTML(room) + ' does not exists in this list.'); } catch (err) { error = err.message; } 
@@ -65,7 +65,7 @@ exports.setup = function (App) { Mod.removeAuction(room); Mod.saveData(); App.logServerAction(context.user.id, "Remove Players-Auction Room: " + room); - ok = 'Room ' + room + ' removed from players-auction feature.'; + ok = 'Room ' + Text.escapeHTML(room) + ' removed from players-auction feature.'; } } @@ -73,7 +73,7 @@ exports.setup = function (App) { let opts = []; for (let room in Mod.rooms) { - opts.push('' + room + ''); + opts.push('' + Text.escapeHTML(room) + ''); } htmlVars.submenu = opts.join(' | '); @@ -108,7 +108,7 @@ exports.setup = function (App) { Mod.createAuction(room); Mod.saveData(); App.logServerAction(context.user.id, "Edit Players-Auction Room: " + room); - ok = 'Players-Auction data modified sucessfully.'; + ok = 'Players-Auction data modified successfully.'; } } @@ -116,12 +116,12 @@ exports.setup = function (App) { let opts = []; for (let k in Mod.rooms) { - opts.push('' + k + ''); + opts.push('' + Text.escapeHTML(k) + ''); } htmlVars.submenu = opts.join(' | '); htmlVars.content = JSON.stringify(JSON.stringify(Mod.rooms[room].data)); - htmlVars.room = room; + htmlVars.room = Text.escapeHTML(room); htmlVars.name = Text.escapeHTML(App.parser.getRoomTitle(room)); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); diff --git a/src/bot-modules/pokemon/server-handler.js b/src/bot-modules/pokemon/server-handler.js index b8f2897..bab2869 100644 --- a/src/bot-modules/pokemon/server-handler.js +++ b/src/bot-modules/pokemon/server-handler.js 
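Review bot: `htmlVars.content = JSON.stringify(JSON.stringify(Mod.rooms[room].data));` is left as-is while the neighbouring `htmlVars.room` line gains `Text.escapeHTML`; JSON.stringify output is not HTML-safe, so if the template drops this value into an inline script element, a `</script>` or `<!--` sequence stored in the auction data would terminate the script early. If that is how the template uses it, escape the three HTML-significant characters after stringifying, e.g. `htmlVars.content = JSON.stringify(JSON.stringify(Mod.rooms[room].data)).replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026');`, which keeps the value a valid JS string literal. The same consideration applies to `htmlVars.content = JSON.stringify(addonContent);` in addons.js. The enclosing handler continues outside the hunk.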
@@ -85,14 +85,14 @@ exports.setup = function (App) { } let htmlVars = Object.create(null); - htmlVars.usage_link = Config.usagelink || ""; - htmlVars.def_format = (Config.gtier || ""); + htmlVars.usage_link = Text.escapeHTML(Config.usagelink || ""); + htmlVars.def_format = Text.escapeHTML(Config.gtier || ""); htmlVars.rooms = ''; for (let room in Config.roomtier) { - htmlVars.rooms += '' + room + '' + Config.roomtier[room] + + htmlVars.rooms += '' + Text.escapeHTML(room) + '' + Text.escapeHTML(Config.roomtier[room]) + '
'; + Text.escapeHTML(room) + '" />'; } htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); diff --git a/src/bot-modules/quote-joke/server-handler.js b/src/bot-modules/quote-joke/server-handler.js index 6c8f252..111fc98 100644 --- a/src/bot-modules/quote-joke/server-handler.js +++ b/src/bot-modules/quote-joke/server-handler.js @@ -81,7 +81,7 @@ exports.setup = function (App) { for (let id in quotes) { htmlVars.quotes += '' + Text.escapeHTML(quotes[id]) + ''; htmlVars.quotes += '
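Review bot: `htmlVars.usage_link = Text.escapeHTML(Config.usagelink || "");` makes the value safe as text or inside a quoted attribute, but if the template places it in an `href`, HTML escaping does not constrain the URL scheme; the appropriate check is where `usagelink` is saved (accept only `http:`/`https:` after parsing with `new URL(...)`), which is outside this hunk. The `Text.escapeHTML(Config.roomtier[room])` addition closes the gap where the old line concatenated the raw value directly. The handler function continues outside the hunk.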
' + - '
'; + ''; } htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); @@ -130,7 +130,7 @@ exports.setup = function (App) { for (let id in jokes) { htmlVars.jokes += '' + Text.escapeHTML(jokes[id]) + ''; htmlVars.jokes += '
' + - '
'; + ''; } htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); diff --git a/src/bot-modules/rand-cmd/server-handler.js b/src/bot-modules/rand-cmd/server-handler.js index 5070cb8..23d394d 100644 --- a/src/bot-modules/rand-cmd/server-handler.js +++ b/src/bot-modules/rand-cmd/server-handler.js @@ -47,7 +47,7 @@ exports.setup = function (App) { try { check(cmd, "You must specify a command"); - check(!Mod.data.commands[cmd], "Command " + cmd + " already exists"); + check(!Mod.data.commands[cmd], "Command " + Text.escapeHTML(cmd) + " already exists"); check(content, "Content cannot be blank"); } catch (err) { error = err.message; @@ -58,7 +58,7 @@ exports.setup = function (App) { Mod.data.commands[cmd] = content; Mod.db.write(); App.logServerAction(context.user.id, "Random CMD | Create command: " + cmd); - ok = 'Random command "' + cmd + '" was created'; + ok = 'Random command "' + Text.escapeHTML(cmd) + '" was created'; } } else if (context.post.edit) { let cmd = Text.toCmdid(context.post.cmd); @@ -66,7 +66,7 @@ exports.setup = function (App) { try { check(cmd, "You must specify a command"); - check(Mod.data.commands[cmd], "Command " + cmd + " not found"); + check(Mod.data.commands[cmd], "Command " + Text.escapeHTML(cmd) + " not found"); check(content, "Content cannot be blank"); } catch (err) { error = err.message; @@ -76,14 +76,14 @@ exports.setup = function (App) { Mod.data.commands[cmd] = content; Mod.db.write(); App.logServerAction(context.user.id, "Random CMD | Edit command: " + cmd); - ok = 'Random command "' + cmd + '" was modified sucessfully'; + ok = 'Random command "' + Text.escapeHTML(cmd) + '" was modified successfully'; } } else if (context.post.delcmd) { let cmd = Text.toCmdid(context.post.cmd); try { check(cmd, "You must specify a command"); - check(Mod.data.commands[cmd], "Command " + cmd + " not found"); + check(Mod.data.commands[cmd], "Command " + Text.escapeHTML(cmd) + " not found"); } catch (err) { error = err.message; } 
@@ -92,7 +92,7 @@ exports.setup = function (App) { delete Mod.data.commands[cmd]; Mod.db.write(); App.logServerAction(context.user.id, "Random CMD | Delete command: " + cmd); - ok = 'Random command "' + cmd + '" was deleted'; + ok = 'Random command "' + Text.escapeHTML(cmd) + '" was deleted'; } } @@ -102,7 +102,7 @@ exports.setup = function (App) { let commands = Mod.data.commands; for (let cmd in commands) { htmlVars.cmds += cmdTemplate.make({ - cmd: cmd, + cmd: Text.escapeHTML(cmd), content: Text.escapeHTML(commands[cmd]), }); } @@ -131,7 +131,7 @@ exports.setup = function (App) { App.logServerAction(context.user.id, "Random CMD | Set alias: " + alias + " to the command: " + cmd); ok = 'Command "' + alias + '" is now alias of "' + cmd + '"'; } else { - error = "The command " + cmd + " does not exists."; + error = "The command " + Text.escapeHTML(cmd) + " does not exists."; } } else { error = "You must specify a command"; @@ -146,9 +146,9 @@ exports.setup = function (App) { delete Mod.data.aliases[alias]; Mod.db.write(); App.logServerAction(context.user.id, "Random CMD | Delete alias: " + alias); - ok = 'Alias ' + alias + ' was deleted sucessfully.'; + ok = 'Alias ' + Text.escapeHTML(alias) + ' was deleted successfully.'; } else { - error = 'Alias ' + alias + ' was not found.'; + error = 'Alias ' + Text.escapeHTML(alias) + ' was not found.'; } } else { error = "You must specify an alias id."; @@ -159,16 +159,16 @@ exports.setup = function (App) { htmlVars.aliases = ''; for (let alias in Mod.data.aliases) { - htmlVars.aliases += '' + alias + '' + Mod.data.aliases[alias] + + htmlVars.aliases += '' + Text.escapeHTML(alias) + '' + Text.escapeHTML(Mod.data.aliases[alias]) + '
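Review bot: In the -131 hunk the ok branch two lines above the changed line, `ok = 'Command "' + alias + '" is now alias of "' + cmd + '"';`, still concatenates raw `alias` and `cmd` while only the error branch now escapes `cmd`; the corresponding hunk in shortcuts/server-handler.js escapes both, so this reads as an omission. Change it to `ok = 'Command "' + Text.escapeHTML(alias) + '" is now alias of "' + Text.escapeHTML(cmd) + '"';`. Both values appear to pass through `Text.toCmdid` elsewhere in this file, which probably narrows the character set, but the message should not rely on that. The enclosing handler continues outside the hunk.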
' + - '
'; } htmlVars.cmd_select = ''; diff --git a/src/bot-modules/shortcuts/server-handler.js b/src/bot-modules/shortcuts/server-handler.js index cada156..bd6f182 100644 --- a/src/bot-modules/shortcuts/server-handler.js +++ b/src/bot-modules/shortcuts/server-handler.js @@ -47,7 +47,7 @@ exports.setup = function (App) { try { check(cmd, "You must specify a command"); - check(!Mod.data.commands[cmd], "Command " + cmd + " already exists"); + check(!Mod.data.commands[cmd], "Command " + Text.escapeHTML(cmd) + " already exists"); check(content, "Content cannot be blank"); } catch (err) { error = err.message; @@ -58,7 +58,7 @@ exports.setup = function (App) { Mod.data.commands[cmd] = content; Mod.db.write(); App.logServerAction(context.user.id, "Shortcut CMD | Create command: " + cmd); - ok = 'Shortcut command "' + cmd + '" was created'; + ok = 'Shortcut command "' + Text.escapeHTML(cmd) + '" was created'; } } else if (context.post.edit) { let cmd = Text.toCmdid(context.post.cmd); @@ -66,7 +66,7 @@ exports.setup = function (App) { try { check(cmd, "You must specify a command"); - check(Mod.data.commands[cmd], "Command " + cmd + " not found"); + check(Mod.data.commands[cmd], "Command " + Text.escapeHTML(cmd) + " not found"); check(content, "Content cannot be blank"); } catch (err) { error = err.message; @@ -76,14 +76,14 @@ exports.setup = function (App) { Mod.data.commands[cmd] = content; Mod.db.write(); App.logServerAction(context.user.id, "Shortcut CMD | Edit command: " + cmd); - ok = 'Shortcut command "' + cmd + '" was modified successfully'; + ok = 'Shortcut command "' + Text.escapeHTML(cmd) + '" was modified successfully'; } } else if (context.post.delcmd) { let cmd = Text.toCmdid(context.post.cmd); try { check(cmd, "You must specify a command"); - check(Mod.data.commands[cmd], "Command " + cmd + " not found"); + check(Mod.data.commands[cmd], "Command " + Text.escapeHTML(cmd) + " not found"); } catch (err) { error = err.message; } 
@@ -92,7 +92,7 @@ exports.setup = function (App) { delete Mod.data.commands[cmd]; Mod.db.write(); App.logServerAction(context.user.id, "Shortcut CMD | Delete command: " + cmd); - ok = 'Shortcut command "' + cmd + '" was deleted'; + ok = 'Shortcut command "' + Text.escapeHTML(cmd) + '" was deleted'; } } @@ -102,7 +102,7 @@ exports.setup = function (App) { let commands = Mod.data.commands; for (let cmd in commands) { htmlVars.cmds += cmdTemplate.make({ - cmd: cmd, + cmd: Text.escapeHTML(cmd), content: Text.escapeHTML(commands[cmd]), }); } @@ -129,9 +129,9 @@ exports.setup = function (App) { Mod.data.aliases[alias] = cmd; Mod.db.write(); App.logServerAction(context.user.id, "Shortcut CMD | Set alias: " + alias + " to the command: " + cmd); - ok = 'Command "' + alias + '" is now alias of "' + cmd + '"'; + ok = 'Command "' + Text.escapeHTML(alias) + '" is now alias of "' + Text.escapeHTML(cmd) + '"'; } else { - error = "The command " + cmd + " does not exists."; + error = "The command " + Text.escapeHTML(cmd) + " does not exists."; } } else { error = "You must specify a command"; @@ -146,9 +146,9 @@ exports.setup = function (App) { delete Mod.data.aliases[alias]; Mod.db.write(); App.logServerAction(context.user.id, "Shortcut CMD | Delete alias: " + alias); - ok = 'Alias ' + alias + ' was deleted successfully.'; + ok = 'Alias ' + Text.escapeHTML(alias) + ' was deleted successfully.'; } else { - error = 'Alias ' + alias + ' was not found.'; + error = 'Alias ' + Text.escapeHTML(alias) + ' was not found.'; } } else { error = "You must specify an alias id."; @@ -159,16 +159,16 @@ exports.setup = function (App) { htmlVars.aliases = ''; for (let alias in Mod.data.aliases) { - htmlVars.aliases += '' + alias + '' + Mod.data.aliases[alias] + + htmlVars.aliases += '' + Text.escapeHTML(alias) + '' + Text.escapeHTML(Mod.data.aliases[alias]) + '
' + - '
'; } htmlVars.cmd_select = ''; diff --git a/src/bot-modules/tour-cmd/server-handler.js b/src/bot-modules/tour-cmd/server-handler.js index 57d257a..917463e 100644 --- a/src/bot-modules/tour-cmd/server-handler.js +++ b/src/bot-modules/tour-cmd/server-handler.js 
@@ -95,25 +95,25 @@ exports.setup = function (App) { let htmlVars = Object.create(null); - htmlVars.format = Config.format; + htmlVars.format = Text.escapeHTML(Config.format); htmlVars.elimination = (Config.type === 'elimination' ? ' selected="selected"' : ''); htmlVars.roundrobin = (Config.type === 'roundrobin' ? ' selected="selected"' : ''); - htmlVars.users = Config.maxUsers; - htmlVars.time = Math.floor(Config.time / 1000); - htmlVars.autodq = Config.autodq; + htmlVars.users = Text.escapeHTML(Config.maxUsers); + htmlVars.time = Text.escapeHTML(Math.floor(Config.time / 1000)); + htmlVars.autodq = Text.escapeHTML(Config.autodq); htmlVars.scout_yes = (!Config.scoutProtect ? 'selected="selected"' : ''); htmlVars.scout_no = (Config.scoutProtect ? 'selected="selected"' : ''); htmlVars.timer_yes = (Config.forcedTimer ? 'selected="selected"' : ''); htmlVars.timer_no = (!Config.forcedTimer ? 'selected="selected"' : ''); - htmlVars.creationmsg = Config.createMessage; - htmlVars.finals = Config.finalAnnouncement ? (Object.keys(Config.finalAnnouncement).join(", ")) : ""; - htmlVars.winnergrats = Config.congratsWinner ? (Object.keys(Config.congratsWinner).join(", ")) : ""; + htmlVars.creationmsg = Text.escapeHTML(Config.createMessage); + htmlVars.finals = Config.finalAnnouncement ? Text.escapeHTML(Object.keys(Config.finalAnnouncement).join(", ")) : ""; + htmlVars.winnergrats = Config.congratsWinner ? Text.escapeHTML(Object.keys(Config.congratsWinner).join(", ")) : ""; let aliases = []; for (let format in Config.aliases) { aliases.push(format + ', ' + Config.aliases[format]); } - htmlVars.aliases = aliases.join('\n'); + htmlVars.aliases = Text.escapeHTML(aliases.join('\n')); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); diff --git a/src/bot-modules/tour-ldb-custom/server-handler.js b/src/bot-modules/tour-ldb-custom/server-handler.js index 49b146f..5957d01 100644 
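Review bot: `htmlVars.users = Text.escapeHTML(Config.maxUsers);`, `htmlVars.time = Text.escapeHTML(Math.floor(Config.time / 1000));` and `htmlVars.autodq = Text.escapeHTML(Config.autodq);` pass numbers (or possibly undefined) to a helper that by its name operates on strings; if escapeHTML calls `.replace` on its argument without coercing, these lines throw and the page fails to render. Confirm that Text.escapeHTML coerces with `String(...)` and tolerates null/undefined, or coerce at the call site, e.g. `htmlVars.users = Text.escapeHTML(String(Config.maxUsers));`. The same pattern appears in admin.js (`htmlVars.port`, `htmlVars.sslport`) and bot.js (`htmlVars.port`, `htmlVars.retry`). The handler continues outside the hunk.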
--- a/src/bot-modules/tour-ldb-custom/server-handler.js +++ b/src/bot-modules/tour-ldb-custom/server-handler.js @@ -93,7 +93,7 @@ exports.setup = function (App) { App.modules.tourldbcustom.system.db.write(); App.modules.tourldbcustom.system.generateTable(leaderboardsId); App.logServerAction(context.user.id, "Leaderboards custom: Clear: " + leaderboardsId); - ok = "Leaderboards data cleared for " + leaderboardsId; + ok = "Leaderboards data cleared for " + Text.escapeHTML(leaderboardsId); } } else if (context.post.gentable) { let leaderboardsId = Text.toId(context.post.name); @@ -107,7 +107,7 @@ exports.setup = function (App) { if (!error) { App.modules.tourldbcustom.system.generateTable(leaderboardsId); App.logServerAction(context.user.id, "Leaderboards custom: Generate Table: " + leaderboardsId); - ok = "Leaderboards table generated for " + leaderboardsId; + ok = "Leaderboards table generated for " + Text.escapeHTML(leaderboardsId); } } else if (context.post.restoredata) { let leaderboardsId = Text.toId(context.post.name); @@ -120,7 +120,7 @@ exports.setup = function (App) { check(typeof restoredData === "object" && !!restoredData, "Invalid data provided"); } catch (err) { - error = err.message; + error = Text.escapeHTML(err.message); } if (!error) { @@ -144,7 +144,7 @@ exports.setup = function (App) { App.modules.tourldbcustom.system.db.write(); App.modules.tourldbcustom.system.generateTable(leaderboardsId); App.logServerAction(context.user.id, "Leaderboards custom: Restore data: " + leaderboardsId); - ok = "Leaderboards data restored for " + leaderboardsId; + ok = "Leaderboards data restored for " + Text.escapeHTML(leaderboardsId); } } else if (context.post.edit) { let leaderboardsId = Text.toId(context.post.name); 
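Review bot: `error = Text.escapeHTML(err.message);` in the -120 hunk escapes at the catch site, which is the right choice for this block because a JSON parse failure on user-supplied restore data can echo a fragment of that input in its message; however the rest of this patch escapes inside each check message instead, so any check in this try that already embeds an escaped value would be encoded twice here. Pick one convention per handler: escape at the catch and keep the check messages raw, or escape inside the messages and leave the catch alone. The same catch-site change is made in tour-leaderboards/server-handler.js. The enclosing try block starts outside the hunk, so I cannot see whether any of its checks already escape.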
@@ -214,12 +214,12 @@ exports.setup = function (App) { htmlVars.tables = ''; for (let leaderboardsId in Config) { htmlVars.tables += tableTemplate.make({ - id: leaderboardsId, + id: Text.escapeHTML(leaderboardsId), name: Text.escapeHTML(Config[leaderboardsId].name || leaderboardsId), - room: Config[leaderboardsId].room || "", - winner: Config[leaderboardsId].winner, - finalist: Config[leaderboardsId].finalist, - semifinalist: Config[leaderboardsId].semifinalist, + room: Text.escapeHTML(Config[leaderboardsId].room || ""), + winner: Text.escapeHTML(Config[leaderboardsId].winner), + finalist: Text.escapeHTML(Config[leaderboardsId].finalist), + semifinalist: Text.escapeHTML(Config[leaderboardsId].semifinalist), ctitle: Text.escapeHTML(Config[leaderboardsId].customTitle || ""), description: Text.escapeHTML(Config[leaderboardsId].description || ""), aliases: Text.escapeHTML(Config[leaderboardsId].aliases || ""), diff --git a/src/bot-modules/tour-leaderboards/server-handler.js b/src/bot-modules/tour-leaderboards/server-handler.js index eecbd0e..2434108 100644 --- a/src/bot-modules/tour-leaderboards/server-handler.js +++ b/src/bot-modules/tour-leaderboards/server-handler.js @@ -95,7 +95,7 @@ exports.setup = function (App) { App.modules.tourleaderboards.system.db.write(); App.modules.tourleaderboards.system.generateTable(room); App.logServerAction(context.user.id, "Leaderboards: Clear Room: " + room); - ok = "Leaderboards data cleared for room " + room; + ok = "Leaderboards data cleared for room " + Text.escapeHTML(room); } } else if (context.post.gentable) { let room = Text.toRoomid(context.post.room); 
@@ -109,7 +109,7 @@ exports.setup = function (App) { if (!error) { App.modules.tourleaderboards.system.generateTable(room); App.logServerAction(context.user.id, "Leaderboards: Generate Table: " + room); - ok = "Leaderboards table generated for room " + room; + ok = "Leaderboards table generated for room " + Text.escapeHTML(room); } } else if (context.post.restoredata) { let room = Text.toRoomid(context.post.room); @@ -122,7 +122,7 @@ exports.setup = function (App) { check(typeof restoredData === "object" && !!restoredData, "Invalid data provided"); } catch (err) { - error = err.message; + error = Text.escapeHTML(err.message); } if (!error) { @@ -146,7 +146,7 @@ exports.setup = function (App) { App.modules.tourleaderboards.system.db.write(); App.modules.tourleaderboards.system.generateTable(room); App.logServerAction(context.user.id, "Leaderboards: Restore data: " + room); - ok = "Leaderboards data restored for room " + room; + ok = "Leaderboards data restored for room " + Text.escapeHTML(room); } } else if (context.post.edit) { let room = Text.toRoomid(context.post.room); @@ -187,12 +187,12 @@ exports.setup = function (App) { htmlVars.rooms = ''; for (let room in Config) { htmlVars.rooms += roomTemplate.make({ - room: room, + room: Text.escapeHTML(room), name: Text.escapeHTML(App.parser.getRoomTitle(room)), - winner: Config[room].winner, - finalist: Config[room].finalist, - semifinalist: Config[room].semifinalist, - battle: Config[room].battle, + winner: Text.escapeHTML(Config[room].winner), + finalist: Text.escapeHTML(Config[room].finalist), + semifinalist: Text.escapeHTML(Config[room].semifinalist), + battle: Text.escapeHTML(Config[room].battle), banned: Text.escapeHTML(Config[room].banned || ""), onlyofficial: (Config[room].onlyOfficial ? ' checked="checked"' : ''), useratio: (Config[room].useratio ? ' checked="checked"' : ''), diff --git a/src/server/handlers/addons.js b/src/server/handlers/addons.js index f3532ad..6eb8930 100644 
--- a/src/server/handlers/addons.js +++ b/src/server/handlers/addons.js @@ -48,7 +48,7 @@ exports.setup = function (App) { App.reportCrash(err); } App.logServerAction(context.user.id, 'Add-on uninstalled: ' + addon); - ok = "Addon " + addon + " deleted sucessfully"; + ok = "Addon " + Text.escapeHTML(addon) + " deleted successfully"; } else { error = "Invalid add-on"; } @@ -59,7 +59,7 @@ exports.setup = function (App) { for (let file in App.addons) { htmlVars.addons_list += addonItemTemplate.make({ - file: file, + file: Text.escapeHTML(file), desc: (App.addons[file].desc ? ('

' + Text.escapeHtml(App.addons[file].desc) + '

') : ""), }); } @@ -81,7 +81,7 @@ exports.setup = function (App) { check(addon, "You must specify an addon filename"); check(addon.length <= 20, "Addon filename is too long"); check(content, "Addon content cannot be blank"); - check(!App.addons[file], "Addon " + file + " already exists"); + check(!App.addons[file], "Addon " + Text.escapeHTML(file) + " already exists"); } catch (err) { error = err.message; } @@ -131,7 +131,7 @@ exports.setup = function (App) { try { check(addon, "You must specify an addon filename"); check(content, "Addon content cannot be blank"); - check(App.addons[addon], "Addon " + addon + " not found"); + check(App.addons[addon], "Addon " + Text.escapeHTML(addon) + " not found"); } catch (err) { error = err.message; } @@ -146,14 +146,14 @@ exports.setup = function (App) { error = "Failed to re-install the add-on"; } else { App.logServerAction(context.user.id, 'Add-on re-installed: ' + addon); - ok = "Add-on re-installed sucessfully"; + ok = "Add-on re-installed successfully"; } } } let htmlVars = Object.create(null); htmlVars.content = JSON.stringify(addonContent); - htmlVars.file = path; + htmlVars.file = Text.escapeHTML(path); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); diff --git a/src/server/handlers/admin.js b/src/server/handlers/admin.js index 2c02aa2..1f7ce2e 100644 --- a/src/server/handlers/admin.js +++ b/src/server/handlers/admin.js @@ -8,6 +8,7 @@ const Path = require('path'); const FileSystem = require('fs'); const check = Tools('check'); const Template = Tools('html-template'); +const Text = Tools('text'); const mainTemplate = new Template(Path.resolve(__dirname, 'templates', 'admin.html')); @@ -32,7 +33,7 @@ exports.setup = function (App) { App.reportCrash(err); } let buf = ''; - buf += 'Process Exited
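Review bot: The context line `Text.escapeHtml(App.addons[file].desc)` in the -59 hunk uses a lowercase `Html` while every other call site in this patch uses `Text.escapeHTML`; unless the text tool exports both spellings, the add-on list throws a TypeError as soon as any installed add-on has a `desc`, and the description is never escaped. Change it to `Text.escapeHTML(App.addons[file].desc)` as part of this pass. The `addonItemTemplate.make({...})` call and the enclosing handler continue outside the hunk.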

The application exits sucessfully.

' + + buf += 'Process Exited

The application exits successfully.

' + ''; context.response.writeHead(200, {'Content-Type': 'text/html; charset=utf-8'}); context.response.end(buf); @@ -92,7 +93,7 @@ exports.setup = function (App) { App.bot.sendBufferMaxlength = App.config.bot.buflen; App.bot.chatThrottleDelay = App.config.bot.senddelay; ok = "Changes made successfuly."; - App.logServerAction(context.user.id, 'Administration options were editted'); + App.logServerAction(context.user.id, 'Administration options were edited'); } } 
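Review bot: `ok = "Changes made successfuly.";` on the context line just above the changed log message still carries a typo, while this commit fixes "sucessfully" and "editted" elsewhere; change it to `ok = "Changes made successfully.";` in the same pass. This user-visible string is assigned to `ok`, which presumably feeds `request_msg` further down the handler, outside the hunk.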
@@ -100,18 +101,18 @@ exports.setup = function (App) { htmlVars.uptime = Math.floor(process.uptime() * 1000); htmlVars.memusage = (Math.floor(((process.memoryUsage().rss / 1024) / 1024) * 1000) / 1000) + ' MB'; - htmlVars.port = App.config.server.port; - htmlVars.sslport = (App.config.server.https ? App.config.server.httpsPort : ""); - htmlVars.sslcert = (App.config.server.sslcert || ""); - htmlVars.sslkey = (App.config.server.sslkey || ""); - htmlVars.bindaddress = (App.config.server.bindaddress || ''); - htmlVars.appurl = (App.config.server.url || ""); - htmlVars.apptitle = (App.config.apptitle || 'Showdown ChatBot'); - htmlVars.loginserv = (App.config.bot.loginserv || 'play.pokemonshowdown.com'); - htmlVars.maxlines = (App.config.bot.maxlines || '3'); - htmlVars.buflen = (App.config.bot.buflen || '6'); - htmlVars.senddelay = (App.config.bot.senddelay || '200'); - htmlVars.maxmsglen = (App.config.bot.maxMessageLength || '300'); + htmlVars.port = Text.escapeHTML(App.config.server.port); + htmlVars.sslport = Text.escapeHTML(App.config.server.https ? App.config.server.httpsPort : ""); + htmlVars.sslcert = Text.escapeHTML(App.config.server.sslcert || ""); + htmlVars.sslkey = Text.escapeHTML(App.config.server.sslkey || ""); + htmlVars.bindaddress = Text.escapeHTML(App.config.server.bindaddress || ''); + htmlVars.appurl = Text.escapeHTML(App.config.server.url || ""); + htmlVars.apptitle = Text.escapeHTML(App.config.apptitle || 'Showdown ChatBot'); + htmlVars.loginserv = Text.escapeHTML(App.config.bot.loginserv || 'play.pokemonshowdown.com'); + htmlVars.maxlines = Text.escapeHTML(App.config.bot.maxlines || '3'); + htmlVars.buflen = Text.escapeHTML(App.config.bot.buflen || '6'); + htmlVars.senddelay = Text.escapeHTML(App.config.bot.senddelay || '200'); + htmlVars.maxmsglen = Text.escapeHTML(App.config.bot.maxMessageLength || '300'); htmlVars.debugmode = (App.config.debug ? 'checked="checked"' : ''); htmlVars.useproxy = (App.config.useproxy ? 
'checked="checked"' : ''); htmlVars.blockautodownload = (App.config.blockautodownload ? 'checked="checked"' : ''); diff --git a/src/server/handlers/bot.js b/src/server/handlers/bot.js index e72f918..c9bfd49 100644 --- a/src/server/handlers/bot.js +++ b/src/server/handlers/bot.js @@ -101,7 +101,7 @@ exports.setup = function (App) { } App.saveConfig(); App.logServerAction(context.user.id, 'Edit Bot configuration'); - ok = "Bot configuration changed sucessfully. Restart the bot to make the changes effective."; + ok = "Bot configuration changed successfully. Restart the bot to make the changes effective."; } } @@ -125,7 +125,7 @@ exports.setup = function (App) { htmlVars.conntime = ' '; } - htmlVars.nick = (App.bot.getBotNick().substr(1) || "-"); + htmlVars.nick = Text.escapeHTML(App.bot.getBotNick().substr(1) || "-"); let rooms = []; for (let r in App.bot.rooms) { @@ -133,20 +133,20 @@ exports.setup = function (App) { rooms.push(App.bot.rooms[r].id); } } - htmlVars.rooms = rooms.join(', '); + htmlVars.rooms = Text.escapeHTML(rooms.join(', ')); let battles = []; for (let r in App.bot.rooms) { if (App.bot.rooms[r].type === 'battle') { battles.push(App.bot.rooms[r].id); } } - htmlVars.battles = battles.join(', '); + htmlVars.battles = Text.escapeHTML(battles.join(', ')); - htmlVars.server = App.bot.server; - htmlVars.port = App.bot.port; + htmlVars.server = Text.escapeHTML(App.bot.server); + htmlVars.port = Text.escapeHTML(App.bot.port); htmlVars.secure = (App.bot.secure ? 'checked="checked"' : ''); - htmlVars.serverid = App.bot.loginUrl.serverId; - htmlVars.retry = Math.floor(App.config.bot.retrydelay / 1000); + htmlVars.serverid = Text.escapeHTML(App.bot.loginUrl.serverId); + htmlVars.retry = Text.escapeHTML(Math.floor(App.config.bot.retrydelay / 1000)); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); 
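Review bot: The -125 and -133 hunks introduce `Text.escapeHTML` calls in bot.js, but unlike admin.js this diff adds no `const Text = Tools('text');` to bot.js; if the file did not already require the text tool, every render of the bot page will throw a ReferenceError. Confirm the require exists above line 101, or add it alongside the other `Tools(...)` requires at the top of the file. Separately, `App.bot.getBotNick().substr(1)` on the changed nick line uses the deprecated `substr`; `slice(1)` is the equivalent. The handler continues outside the hunks.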
diff --git a/src/server/handlers/dyncmd.js b/src/server/handlers/dyncmd.js
index 46e95c5..f32a891 100644
--- a/src/server/handlers/dyncmd.js
+++ b/src/server/handlers/dyncmd.js
@@ -49,7 +49,7 @@ exports.setup = function (App) {
 check(cmd, "You must specify a command.");
 check(content, "The command content must not be blank.");
 check(content.length <= 300, "The command content must not be longer than 300 characters.");
- check(!App.parser.data.dyncmds[cmd], "The command " + cmd + " already exists.");
+ check(!App.parser.data.dyncmds[cmd], "The command " + Text.escapeHTML(cmd) + " already exists.");
 } catch (err) {
 error = err.message;
 addFail.id = cmd || "";
@@ -60,14 +60,14 @@ exports.setup = function (App) {
 App.parser.data.dyncmds[cmd] = content;
 App.parser.saveData();
 App.logServerAction(context.user.id, 'Add dynamic command (Type: Text) cmd: ' + cmd);
- ok = "The command " + cmd + " was added as a text command.";
+ ok = "The command " + Text.escapeHTML(cmd) + " was added as a text command.";
 }
 } else if (context.post.addindexcmd) {
 let cmd = Text.toCmdid(context.post.cmd);
 try {
 check(cmd, "You must specify a command.");
- check(!App.parser.data.dyncmds[cmd], "The command " + cmd + " already exists.");
+ check(!App.parser.data.dyncmds[cmd], "The command " + Text.escapeHTML(cmd) + " already exists.");
 } catch (err) {
 error = err.message;
 addFail.id = cmd || "";
@@ -78,14 +78,14 @@ exports.setup = function (App) { App.parser.data.dyncmds[cmd] = Object.create(null); App.parser.saveData(); App.logServerAction(context.user.id, 'Add dynamic command (Type: Index) cmd: ' + cmd); - ok = "The command " + cmd + " was added as an index command."; + ok = "The command " + Text.escapeHTML(cmd) + " was added as an index command."; } } else if (context.post.delcmd) { let cmd = Text.toCmdid(context.post.cmd); try { check(cmd, "You must specify a command."); - check(App.parser.data.dyncmds[cmd], "The command " + cmd + " does not exists."); + check(App.parser.data.dyncmds[cmd], "The command " + Text.escapeHTML(cmd) + " does not exists."); } catch (err) { error = err.message; } @@ -94,7 +94,7 @@ exports.setup = function (App) { delete App.parser.data.dyncmds[cmd]; App.parser.saveData(); App.logServerAction(context.user.id, 'Delete dynamic command. cmd: ' + cmd); - ok = "The command " + cmd + " was deleted sucessfully."; + ok = "The command " + Text.escapeHTML(cmd) + " was deleted successfully."; } } else if (context.post.delsubcmd) { let cmd = Text.toCmdid(context.post.cmd); @@ -103,7 +103,7 @@ exports.setup = function (App) { try { check(cmd && sub, "You must specify a subcommand."); check(typeof App.parser.data.dyncmds[cmd] === 'object' && App.parser.data.dyncmds[cmd][sub], - "The command " + cmd + " " + sub + " does not exists."); + "The command " + Text.escapeHTML(cmd) + " " + Text.escapeHTML(sub) + " does not exists."); } catch (err) { error = err.message; } @@ -112,7 +112,7 @@ exports.setup = function (App) { delete App.parser.data.dyncmds[cmd][sub]; App.parser.saveData(); App.logServerAction(context.user.id, 'Delete dynamic sub-command. cmd: ' + cmd + '. sub: ' + sub); - ok = "The command " + cmd + " " + sub + " was deleted sucessfully."; + ok = "The command " + Text.escapeHTML(cmd) + " " + Text.escapeHTML(sub) + " was deleted successfully."; } } else if (context.post.editcmd) { let cmd = Text.toCmdid(context.post.cmd); 
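Review bot: The added line in the delcmd branch keeps the grammatical error "does not exists." even though the line is being rewritten anyway; since the commit already corrects "sucessfully"/"editted" on neighbouring lines, make it `"The command " + Text.escapeHTML(cmd) + " does not exist."` here. The same wording survives on the new side of the delsubcmd hunk (@@ -103), the editsubcmd hunk (@@ -164) and parser.js @@ -113 (`"The command " + Text.escapeHTML(cmd) + " does not exists."`). The surrounding if/else-if chain starts and ends outside these hunks.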
@@ -120,7 +120,7 @@ exports.setup = function (App) { try { check(cmd, "You must specify a command."); - check(typeof App.parser.data.dyncmds[cmd] === 'string', "The command " + cmd + " is not a text command."); + check(typeof App.parser.data.dyncmds[cmd] === 'string', "The command " + Text.escapeHTML(cmd) + " is not a text command."); check(content, "The command content must not be blank."); check(content.length <= 300, "The command content must not be longer than 300 characters."); } catch (err) { @@ -131,7 +131,7 @@ exports.setup = function (App) { App.parser.data.dyncmds[cmd] = content; App.parser.saveData(); App.logServerAction(context.user.id, 'Edit dynamic command. cmd: ' + cmd); - ok = "The command " + cmd + " was editted sucessfully."; + ok = "The command " + Text.escapeHTML(cmd) + " was edited successfully."; } } else if (context.post.addsubcmd) { let cmd = Text.toCmdid(context.post.cmd); @@ -140,10 +140,10 @@ exports.setup = function (App) { try { check(cmd && sub, "You must specify a subcommand."); - check(typeof App.parser.data.dyncmds[cmd] === 'object', "The command " + cmd + " is not an index command."); + check(typeof App.parser.data.dyncmds[cmd] === 'object', "The command " + Text.escapeHTML(cmd) + " is not an index command."); check(content, "The command content must not be blank."); check(content.length <= 300, "The command content must not be longer than 300 characters."); - check(!App.parser.data.dyncmds[cmd][sub], "The command " + cmd + " " + sub + " already exists."); + check(!App.parser.data.dyncmds[cmd][sub], "The command " + Text.escapeHTML(cmd) + " " + Text.escapeHTML(sub) + " already exists."); } catch (err) { error = err.message; addFail.id = sub || ""; 
@@ -155,7 +155,7 @@ exports.setup = function (App) { App.parser.data.dyncmds[cmd][sub] = content; App.parser.saveData(); App.logServerAction(context.user.id, 'Add dynamic sub-command (Type: Text) cmd: ' + cmd + '. sub: ' + sub); - ok = "The command " + cmd + " " + sub + " was added as a text subcommand."; + ok = "The command " + Text.escapeHTML(cmd) + " " + Text.escapeHTML(sub) + " was added as a text subcommand."; } } else if (context.post.editsubcmd) { let cmd = Text.toCmdid(context.post.cmd); @@ -164,10 +164,10 @@ exports.setup = function (App) { try { check(cmd && sub, "You must specify a subcommand."); - check(typeof App.parser.data.dyncmds[cmd] === 'object', "The command " + cmd + " is not an index command."); + check(typeof App.parser.data.dyncmds[cmd] === 'object', "The command " + Text.escapeHTML(cmd) + " is not an index command."); check(content, "The command content must not be blank."); check(content.length <= 300, "The command content must not be longer than 300 characters."); - check(App.parser.data.dyncmds[cmd][sub], "The command " + cmd + " " + sub + " does not exists."); + check(App.parser.data.dyncmds[cmd][sub], "The command " + Text.escapeHTML(cmd) + " " + Text.escapeHTML(sub) + " does not exists."); } catch (err) { error = err.message; } 
@@ -176,18 +176,18 @@ exports.setup = function (App) { App.parser.data.dyncmds[cmd][sub] = content; App.parser.saveData(); App.logServerAction(context.user.id, 'Edit dynamic sub-command. cmd: ' + cmd + '. sub: ' + sub); - ok = "The command " + cmd + " " + sub + " was editted sucessfully."; + ok = "The command " + Text.escapeHTML(cmd) + " " + Text.escapeHTML(sub) + " was edited successfully."; } } let htmlVars = Object.create(null); - htmlVars.fail_id = ((!addFail.cmd) ? addFail.id : ''); - htmlVars.fail_text = ((!addFail.cmd) ? addFail.content : ''); - htmlVars.fail_index_id = (addFail.index ? addFail.id : ''); + htmlVars.fail_id = Text.escapeHTML((!addFail.cmd) ? addFail.id : ''); + htmlVars.fail_text = Text.escapeHTML((!addFail.cmd) ? addFail.content : ''); + htmlVars.fail_index_id = Text.escapeHTML(addFail.index ? addFail.id : ''); htmlVars.commands = ''; for (let cmd in App.parser.data.dyncmds) { - htmlVars.commands += ''; + htmlVars.commands += ''; htmlVars.commands += getCommandTable(cmd, addFail); htmlVars.commands += '
'; } @@ -409,21 +409,21 @@ exports.setup = function (App) { function getCommandTable(cmdid, addFail) { let dynCmds = App.parser.data.dyncmds; let htmlVars = Object.create(null); - htmlVars.cmdid = cmdid; + htmlVars.cmdid = Text.escapeHTML(cmdid); if (typeof dynCmds[cmdid] === 'string') { - htmlVars.text = dynCmds[cmdid]; + htmlVars.text = Text.escapeHTML(dynCmds[cmdid]); return textCommandTemplate.make(htmlVars); } else if (typeof dynCmds[cmdid] === 'object') { htmlVars.subcmds = ''; for (let k in dynCmds[cmdid]) { htmlVars.subcmds += subCommandTemplate.make({ - cmdid: cmdid, - subcmd: k, - text: dynCmds[cmdid][k], + cmdid: Text.escapeHTML(cmdid), + subcmd: Text.escapeHTML(k), + text: Text.escapeHTML(dynCmds[cmdid][k]), }); } - htmlVars.fail_id = (addFail.cmd === cmdid ? addFail.id : ''); - htmlVars.fail_text = (addFail.cmd === cmdid ? addFail.content : ''); + htmlVars.fail_id = Text.escapeHTML(addFail.cmd === cmdid ? addFail.id : ''); + htmlVars.fail_text = Text.escapeHTML(addFail.cmd === cmdid ? addFail.content : ''); return indexCommandTemplate.make(htmlVars); } return textCommandTemplate.make(htmlVars); diff --git a/src/server/handlers/language.js b/src/server/handlers/language.js index 8f73264..ec8602f 100644 --- a/src/server/handlers/language.js +++ b/src/server/handlers/language.js @@ -56,7 +56,7 @@ exports.setup = function (App) { App.config.language['default'] = lang; App.db.write(); App.logServerAction(context.user.id, "Set Default language"); - ok = "Default language set to " + languages[lang] + ""; + ok = "Default language set to " + Text.escapeHTML(languages[lang]) + ""; } } else if (context.post.addroom) { let lang = Text.toId(context.post.language); 
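Review bot: In getCommandTable the escaped command id is computed on the first added line (`htmlVars.cmdid = Text.escapeHTML(cmdid);`) and then recomputed on every iteration of the subcommand loop; reuse the value already held, `cmdid: htmlVars.cmdid,`, so the template gets one canonical escaped form and the loop does no redundant work. The `addFail.cmd === cmdid` comparisons correctly use the raw id rather than the escaped one, which is worth keeping in mind if anyone later "cleans up" the two forms. The function's closing brace is outside the hunk.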
@@ -71,7 +71,7 @@ exports.setup = function (App) { App.config.language.rooms[room] = lang; App.db.write(); App.logServerAction(context.user.id, "Set Room language. Room: " + room + ", Lang: " + lang); - ok = "Language for room " + room + " set to " + languages[lang] + ""; + ok = "Language for room " + Text.escapeHTML(room) + " set to " + Text.escapeHTML(languages[lang]) + ""; } } else if (context.post.deleteroom) { let room = Text.toRoomid(context.post.room); @@ -85,7 +85,7 @@ exports.setup = function (App) { delete App.config.language.rooms[room]; App.db.write(); App.logServerAction(context.user.id, "Set Room language to default. Room: " + room); - ok = "Language for room " + room + " set to default"; + ok = "Language for room " + Text.escapeHTML(room) + " set to default"; } } else if (context.post.addcustomlang) { let customlang = Text.toId(context.post.lang); @@ -124,15 +124,15 @@ exports.setup = function (App) { htmlVars.langchecks = ''; for (let lang in languages) { - htmlVars.langchecks += '

 ' + Text.escapeHTML(languages[lang]) + '

'; } htmlVars.langdefs = ''; for (let lang in App.multilang.data.langdefs) { - let rmbutton = ' '; + let rmbutton = ' '; htmlVars.langdefs += '' + Text.escapeHTML(languages[lang]) + '' + rmbutton + ''; } @@ -141,7 +141,7 @@ exports.setup = function (App) { htmlVars.rooms = ''; for (let room in App.config.language.rooms) { - htmlVars.rooms += '' + room + '' + App.config.language.rooms[room] + + htmlVars.rooms += '' + Text.escapeHTML(room) + '' + Text.escapeHTML(App.config.language.rooms[room]) + '
'; } @@ -202,7 +202,7 @@ exports.setup = function (App) { let files = Object.keys(langfiles).sort(); for (let tfile of files) { opts.push('' + Text.escapeHTML(tfile) + ''); + '" href="/lang/custom/?tfile=' + encodeURIComponent(tfile) + '&lang=english">' + Text.escapeHTML(tfile) + ''); } htmlVars.files_menu = opts.join(' | '); @@ -212,7 +212,7 @@ exports.setup = function (App) { opts = []; for (let l in languages) { opts.push('' + Text.escapeHTML(languages[l]) + ''); + '" href="/lang/custom/?tfile=' + encodeURIComponent(selectedFile) + '&lang=' + encodeURIComponent(l) + '">' + Text.escapeHTML(languages[l]) + ''); } content += "Current Language: " + opts.join(' | ') + "
"; @@ -262,14 +262,14 @@ exports.setup = function (App) { langdata[selectedLang] = importLanguage(context.post.content || ""); App.multilang.saveData(); App.logServerAction(context.user.id, "Edit Custom Language: " + selectedLang + " (Import)"); - ok = "Language customization loaded for: " + selectedLang; + ok = "Language customization loaded for: " + Text.escapeHTML(selectedLang); } } let opts = []; for (let l in languages) { opts.push('' + Text.escapeHTML(languages[l]) + ''); + '" href="/lang/export/?lang=' + encodeURIComponent(l) + '">' + Text.escapeHTML(languages[l]) + ''); } htmlVars.menu = "Current Language: " + opts.join(' | ') + "
"; @@ -290,7 +290,7 @@ exports.setup = function (App) { html += ''; return html; diff --git a/src/server/handlers/modules.js b/src/server/handlers/modules.js index c59459d..27bd54b 100644 --- a/src/server/handlers/modules.js +++ b/src/server/handlers/modules.js @@ -8,6 +8,7 @@ const Path = require('path'); const SubMenu = Tools('submenu'); const Template = Tools('html-template'); +const Text = Tools('text'); const mainTemplate = new Template(Path.resolve(__dirname, 'templates', 'modules.html')); const menuTemplate = new Template(Path.resolve(__dirname, 'templates', 'modules-menu.html')); @@ -42,8 +43,8 @@ exports.setup = function (App) { } } App.saveConfig(); - ok = "Modules configuration saved sucessfully."; - App.logServerAction(context.user.id, 'Modules configuration was editted'); + ok = "Modules configuration saved successfully."; + App.logServerAction(context.user.id, 'Modules configuration was edited'); } let htmlVars = Object.create(null); @@ -51,8 +52,8 @@ exports.setup = function (App) { htmlVars.modules = ''; for (let id in App.modules) { htmlVars.modules += ''; - htmlVars.modules += ''; - htmlVars.modules += ''; + htmlVars.modules += ''; @@ -78,8 +79,8 @@ exports.setup = function (App) { } App.config.menuOrder = menuOrder; App.saveConfig(); - ok = "Control panel menu configuration saved sucessfully."; - App.logServerAction(context.user.id, 'Control panel menu configuration was editted'); + ok = "Control panel menu configuration saved successfully."; + App.logServerAction(context.user.id, 'Control panel menu configuration was edited'); } let htmlVars = Object.create(null); @@ -90,9 +91,9 @@ exports.setup = function (App) { level = App.config.menuOrder[opt]; } htmlVars.opts += ''; - htmlVars.opts += ''; - htmlVars.opts += ''; + htmlVars.opts += ''; + htmlVars.opts += ''; htmlVars.opts += ''; htmlVars.opts += ''; } diff --git a/src/server/handlers/parser.js b/src/server/handlers/parser.js index d393f85..ce7b2d7 100644 --- a/src/server/handlers/parser.js 
+++ b/src/server/handlers/parser.js @@ -49,7 +49,7 @@ exports.setup = function (App) { let defGroups = ['voice', 'driver', 'mod', 'bot', 'owner', 'admin']; for (let group of defGroups) { if (groups.indexOf(context.post[group]) < 0) { - error = 'Group corresponding to defined group ' + group + ' must be defined.'; + error = 'Group corresponding to defined group ' + Text.escapeHTML(group) + ' must be defined.'; break; } } @@ -72,7 +72,7 @@ exports.setup = function (App) { App.parser.data.lockedUsers = Object.createFromKeys((context.post.locklist || "").split(',').map(Text.toId).filter(u => u)); App.saveConfig(); App.parser.saveData(); - ok = 'Command parser configuration editted sucessfully.'; + ok = 'Command parser configuration edited successfully.'; App.logServerAction(context.user.id, "Edit command-parser configuration"); } } @@ -92,11 +92,11 @@ exports.setup = function (App) { htmlVars.infocmds = Text.escapeHTML(App.parser.data.infocmds || ""); htmlVars.sleep = Text.escapeHTML(Object.keys(App.parser.data.sleep).join(', ')); htmlVars.locklist = Text.escapeHTML(Object.keys(App.parser.data.lockedUsers).join(', ')); - htmlVars.antispam = Text.escapeHTML(App.parser.data.antispam ? ' checked="checked"' : ''); - htmlVars.antirepeat = Text.escapeHTML(App.parser.data.antirepeat ? ' checked="checked"' : ''); + htmlVars.antispam = (App.parser.data.antispam ? ' checked="checked"' : ''); + htmlVars.antirepeat = (App.parser.data.antirepeat ? ' checked="checked"' : ''); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); - htmlVars.request_msg = Text.escapeHTML(ok ? ok : (error || "")); + htmlVars.request_msg = (ok ? ok : (error || "")); html += configTemplate.make(htmlVars); context.endWithWebPage(html, {title: "Command Parser Configuration - Showdown ChatBot"}); 
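Review bot: Dropping the blanket `Text.escapeHTML` from `htmlVars.request_msg` in the @@ -92 hunk (and likewise at @@ -156, @@ -269, @@ -318 and @@ -413) moves the escaping responsibility onto every assignment to `ok` and `error` in that handler; the assignments visible in these hunks either escape their interpolated values or are static strings, but any assignment elsewhere in the handler that is not in this diff (for example in the branches around @@ -230 / editexp) now reaches the template unescaped. It would help to audit those paths and to add a one-line comment at the `request_msg` assignment such as `// ok/error are rendered as HTML: escape user-derived pieces at the point of assignment` so the invariant is visible to the next editor. The handler bodies start and end outside these hunks.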
@@ -113,10 +113,10 @@ exports.setup = function (App) { App.parser.data.aliases[alias] = cmd; App.parser.saveData(); App.logServerAction(context.user.id, "Set alias: " + alias + " to the command: " + cmd); - ok = 'Command "' + alias + '" is now alias of "' + cmd + + ok = 'Command "' + Text.escapeHTML(alias) + '" is now alias of "' + Text.escapeHTML(cmd) + '" (Note: If the original command does not exists, the alias will be useless)'; } else { - error = "The command " + cmd + " does not exists."; + error = "The command " + Text.escapeHTML(cmd) + " does not exists."; } } else { error = "You must specify a command"; @@ -131,9 +131,9 @@ exports.setup = function (App) { delete App.parser.data.aliases[alias]; App.parser.saveData(); App.logServerAction(context.user.id, "Delete alias: " + alias); - ok = 'Alias ' + alias + ' was deleted sucessfully.'; + ok = 'Alias ' + Text.escapeHTML(alias) + ' was deleted successfully.'; } else { - error = 'Alias ' + alias + ' was not found.'; + error = 'Alias ' + Text.escapeHTML(alias) + ' was not found.'; } } else { error = "You must specify an alias id."; @@ -156,8 +156,8 @@ exports.setup = function (App) { htmlVars.cmd_list += ''; } - htmlVars.request_result = Text.escapeHTML(ok ? 'ok-msg' : (error ? 'error-msg' : '')); - htmlVars.request_msg = Text.escapeHTML(ok ? ok : (error || "")); + htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); + htmlVars.request_msg = (ok ? ok : (error || "")); html += aliasesTemplate.make(htmlVars); context.endWithWebPage(html, {title: "Commands Aliases - Showdown ChatBot"}); 
@@ -174,9 +174,9 @@ exports.setup = function (App) { App.parser.data.roompermissions[room] = Object.create(null); App.parser.saveData(); App.logServerAction(context.user.id, "Add custom perrmission room: " + room); - ok = 'Room ' + room + ' added to the custom permission configuration list.'; + ok = 'Room ' + Text.escapeHTML(room) + ' added to the custom permission configuration list.'; } else { - error = "Room " + room + " already has custom configuration."; + error = "Room " + Text.escapeHTML(room) + " already has custom configuration."; } } } else if (context.post.delroom) { @@ -191,9 +191,9 @@ exports.setup = function (App) { } App.parser.saveData(); App.logServerAction(context.user.id, "Delete custom permission room: " + room); - ok = 'Room ' + room + ' removed from the custom permission configuration list.'; + ok = 'Room ' + Text.escapeHTML(room) + ' removed from the custom permission configuration list.'; } else { - error = "Room " + room + " not found."; + error = "Room " + Text.escapeHTML(room) + " not found."; } } } else if (context.post.editroom) { @@ -230,7 +230,7 @@ exports.setup = function (App) { } App.parser.saveData(); App.logServerAction(context.user.id, "Edit custom permission room: " + room); - ok = 'Configuration for room ' + room + ' was edited successfully.'; + ok = 'Configuration for room ' + Text.escapeHTML(room) + ' was edited successfully.'; } } else if (context.post.editexp) { let expcmds = []; @@ -269,8 +269,8 @@ exports.setup = function (App) { htmlVars.rooms_charts += getPermissionChart(r, 'Room: ' + r); } - htmlVars.request_result = Text.escapeHTML(ok ? 'ok-msg' : (error ? 'error-msg' : '')); - htmlVars.request_msg = Text.escapeHTML(ok ? ok : (error || "")); + htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); + htmlVars.request_msg = (ok ? ok : (error || "")); html += permissionsTemplate.make(htmlVars); context.endWithWebPage(html, {title: "Commands Permissions - Showdown ChatBot"}); 
@@ -286,7 +286,7 @@ exports.setup = function (App) { App.parser.data.roomctrl[control] = room; App.parser.saveData(); App.logServerAction(context.user.id, "Set control room: " + control + " for: " + room); - ok = 'Control room "' + control + '" was set for the room "' + room + '.'; + ok = 'Control room "' + Text.escapeHTML(control) + '" was set for the room "' + Text.escapeHTML(room) + '.'; } else { error = "You must specify a control room"; } @@ -300,9 +300,9 @@ exports.setup = function (App) { delete App.parser.data.roomctrl[control]; App.parser.saveData(); App.logServerAction(context.user.id, "Delete control room: " + control); - ok = 'Control room ' + control + ' was deleted sucessfully.'; + ok = 'Control room ' + Text.escapeHTML(control) + ' was deleted successfully.'; } else { - error = 'Control room ' + control + ' was not found.'; + error = 'Control room ' + Text.escapeHTML(control) + ' was not found.'; } } else { error = "You must specify a control room."; @@ -318,8 +318,8 @@ exports.setup = function (App) { control + '" />'; } - htmlVars.request_result = Text.escapeHTML(ok ? 'ok-msg' : (error ? 'error-msg' : '')); - htmlVars.request_msg = Text.escapeHTML(ok ? ok : (error || "")); + htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); + htmlVars.request_msg = (ok ? ok : (error || "")); html += roomControlTemplate.make(htmlVars); context.endWithWebPage(html, {title: "Control Rooms - Showdown ChatBot"}); @@ -335,7 +335,7 @@ exports.setup = function (App) { App.parser.data.roomaliases[alias] = room; App.parser.saveData(); App.logServerAction(context.user.id, "Set room alias: " + alias + " for: " + room); - ok = 'Alias "' + alias + '" was set for the room "' + room + '.'; + ok = 'Alias "' + Text.escapeHTML(alias) + '" was set for the room "' + Text.escapeHTML(room) + '.'; } else { error = "You must specify an alias"; } 
@@ -349,9 +349,9 @@ exports.setup = function (App) { delete App.parser.data.roomaliases[alias]; App.parser.saveData(); App.logServerAction(context.user.id, "Delete room alias: " + alias); - ok = 'Room alias ' + alias + ' was deleted sucessfully.'; + ok = 'Room alias ' + Text.escapeHTML(alias) + ' was deleted successfully.'; } else { - error = 'Room alias ' + alias + ' was not found.'; + error = 'Room alias ' + Text.escapeHTML(alias) + ' was not found.'; } } else { error = "You must specify an alias"; @@ -364,7 +364,7 @@ exports.setup = function (App) { for (let alias in App.parser.data.roomaliases) { htmlVars.rooms += ''; + Text.escapeHTML(alias) + '" />'; } htmlVars.request_result = Text.escapeHTML(ok ? 'ok-msg' : (error ? 'error-msg' : '')); @@ -382,7 +382,7 @@ exports.setup = function (App) { if (!App.parser.monitor.isLocked(locked)) { App.parser.monitor.lock(locked, "Locked via control panel"); App.logServerAction(context.user.id, "PARSER LOCK: " + locked); - ok = "User " + locked + " was locked from using commands"; + ok = "User " + Text.escapeHTML(locked) + " was locked from using commands"; } else { error = "Error: User already locked"; } @@ -395,7 +395,7 @@ exports.setup = function (App) { if (App.parser.monitor.isLocked(locked)) { App.parser.monitor.unlock(locked); App.logServerAction(context.user.id, "PARSER UNLOCK: " + locked); - ok = "User " + locked + " was unlocked"; + ok = "User " + Text.escapeHTML(locked) + " was unlocked"; } else { error = "Error: User not locked"; } @@ -413,8 +413,8 @@ exports.setup = function (App) { '" />'; } - htmlVars.request_result = Text.escapeHTML(ok ? 'ok-msg' : (error ? 'error-msg' : '')); - htmlVars.request_msg = Text.escapeHTML(ok ? ok : (error || "")); + htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); + htmlVars.request_msg = (ok ? ok : (error || "")); html += abuseMonitorTemplate.make(htmlVars); context.endWithWebPage(html, {title: "Control Rooms - Showdown ChatBot"}); 
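Review bot: The @@ -364 hunk still ends with `htmlVars.request_result = Text.escapeHTML(ok ? 'ok-msg' : (error ? 'error-msg' : ''));` as a context line, whereas every sibling handler in this file (@@ -92, @@ -156, @@ -269, @@ -318, @@ -413) removes that wrapper in this commit. If the matching `request_msg` line just below the hunk is still wrapped in `Text.escapeHTML` too, the room-alias messages built at @@ -335 and @@ -349, which now already escape `alias` and `room`, get escaped a second time and render as literal entity text (for example `&amp;lt;`). Either drop the wrapper here for consistency, `htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : ''));`, or leave the piecewise escaping out of that one handler, but not both. The handler body continues outside the hunk.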
@@ -423,9 +423,9 @@ exports.setup = function (App) { /* Auxiliar Functions */ function getPermissionChart(room, title) { let html = ''; - html += '

' + title + '

'; + html += '

' + Text.escapeHTML(title) + '

'; html += '
'; - html += ''; + html += ''; if (room !== 'global-room') { html += '

Command Tokens (override) (Separated by spaces)

'; @@ -453,12 +453,12 @@ exports.setup = function (App) { rank = App.config.parser[rank]; } html += '
'; @@ -468,8 +468,8 @@ exports.setup = function (App) { html += '

'; html += ''; if (room !== 'global-room') { - html += '

  

'; + html += '

  

'; } return html; } diff --git a/src/server/handlers/seclog.js b/src/server/handlers/seclog.js index 68bea47..5ca115a 100644 --- a/src/server/handlers/seclog.js +++ b/src/server/handlers/seclog.js @@ -7,6 +7,7 @@ const Path = require('path'); const check = Tools('check'); const Template = Tools('html-template'); +const Text = Tools('text'); const mainTemplate = new Template(Path.resolve(__dirname, 'templates', 'seclog.html')); @@ -48,12 +49,12 @@ exports.setup = function (App) { App.config.logMaxOld = duration; App.db.write(); App.logServerAction(context.user.id, "Set Logger configuration."); - ok = "Changes made sucessfully. Restart the application to make them effective."; + ok = "Changes made successfully. Restart the application to make them effective."; } } let htmlVars = Object.create(null); - htmlVars.oldsec = (App.config.logMaxOld || '0'); + htmlVars.oldsec = Text.escapeHTML(App.config.logMaxOld || '0'); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); @@ -61,8 +62,8 @@ exports.setup = function (App) { htmlVars.log_files = ''; let logs = App.logger.getFilesList(); for (let i = 0; i < logs.length; i++) { - htmlVars.log_files += '
'; } diff --git a/src/server/handlers/tools.js b/src/server/handlers/tools.js index 80e31fb..3a79c54 100644 --- a/src/server/handlers/tools.js +++ b/src/server/handlers/tools.js @@ -82,7 +82,7 @@ exports.setup = function (App) { App.bot.sendTo(context.post.room || "", context.post.msg.split('\n')); App.logServerAction(context.user.id, "Tool Bot-Send used. Room: " + (context.post.room || '-') + " | Message: " + context.post.msg); - result += '

Message sucessfully sent.

'; + result += '

Message successfully sent.

'; } else { result += '

Error: The bot is not connected.

'; } @@ -102,7 +102,7 @@ exports.setup = function (App) { if (App.bot.isConnected()) { App.bot.rename(context.post.botuser, context.post.botpass); App.logServerAction(context.user.id, "Tool Bot-Login used. Bot Username: " + context.post.botuser); - result += '

Login request sucessfully sent.

'; + result += '

Login request successfully sent.

'; } else { result += '

Error: The bot is not connected.

'; } @@ -206,7 +206,7 @@ exports.setup = function (App) { App.logServerAction(context.user.id, 'Hotpatch Commands.'); ok = "Commands hotpatched"; } catch (err) { - error = "Error: " + err.code + " - " + err.message; + error = Text.escapeHTML("Error: " + err.code + " - " + err.message); } } @@ -245,7 +245,7 @@ exports.setup = function (App) { } cache.write(); App.logServerAction(context.user.id, 'Clear Web Cache'); - ok = "Web Cache cleared sucessfully."; + ok = "Web Cache cleared successfully."; } let htmlVars = Object.create(null); @@ -262,11 +262,11 @@ exports.setup = function (App) { if (context.post.clearusers) { App.userdata.clean(); App.logServerAction(context.user.id, 'Clear User-Data'); - ok = "User-Data cleared sucessfully."; + ok = "User-Data cleared successfully."; } else if (context.post.clearalts) { App.userdata.cleanAlts(); App.logServerAction(context.user.id, 'Clear Alts Tree'); - ok = "Alts tree cleared sucessfully."; + ok = "Alts tree cleared successfully."; } let htmlVars = Object.create(null); @@ -302,9 +302,9 @@ exports.setup = function (App) { let htmlVars = Object.create(null); - htmlVars.interv = App.config.connmonitor.checktime; - htmlVars.room = App.config.connmonitor.room; - htmlVars.cmd = App.config.connmonitor.msg; + htmlVars.interv = Text.escapeHTML(App.config.connmonitor.checktime); + htmlVars.room = Text.escapeHTML(App.config.connmonitor.room); + htmlVars.cmd = Text.escapeHTML(App.config.connmonitor.msg); htmlVars.enabled = (App.config.connmonitor.enabled ? ' checked="checked"' : ''); htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); @@ -380,7 +380,7 @@ exports.setup = function (App) { App.logServerAction(context.user.id, 'Exit due to backup restore.'); let buf = ''; buf += 'Process Exited

Backup Completed.' + - ' The application exits sucessfully.

'; + ' The application exits successfully.

'; context.response.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' }); context.response.end(buf); console.log("Backup Completed | Exit via server, By: " + context.user.id); diff --git a/src/server/handlers/users.js b/src/server/handlers/users.js index ef1fae1..1fb119b 100644 --- a/src/server/handlers/users.js +++ b/src/server/handlers/users.js @@ -37,7 +37,7 @@ exports.setup = function (App) { let group = context.post.usergroup; try { check(userid, "You must specify an user."); - check(!App.server.users[userid], "User " + userid + " already exists."); + check(!App.server.users[userid], "User " + Text.escapeHTML(userid) + " already exists."); check(pass, "You must specify a password"); check(pass === pass2, "The passwords do not match."); } catch (err) { @@ -55,7 +55,7 @@ exports.setup = function (App) { App.server.users[userid].permissions['root'] = true; } App.server.userdb.write(); - ok = 'User ' + userid + ' sucessfully created.'; + ok = 'User ' + Text.escapeHTML(userid) + ' successfully created.'; App.logServerAction(context.user.id, "Create User: " + userid); } } else if (context.post.edituser) { @@ -64,7 +64,7 @@ exports.setup = function (App) { let group = context.post.usergroup; try { check(userid, "You must specify an user."); - check(App.server.users[userid], "User " + userid + " does not exist."); + check(App.server.users[userid], "User " + Text.escapeHTML(userid) + " does not exist."); } catch (err) { error = err.message; } 
@@ -79,14 +79,14 @@ exports.setup = function (App) { } } App.server.userdb.write(); - ok = 'User ' + userid + ' sucessfully editted.'; + ok = 'User ' + Text.escapeHTML(userid) + ' successfully edited.'; App.logServerAction(context.user.id, "Edit User: " + userid); } } else if (context.post.deluser) { let userid = Text.toId(context.post.user); try { check(userid, "You must specify an user."); - check(App.server.users[userid], "User " + userid + " does not exist."); + check(App.server.users[userid], "User " + Text.escapeHTML(userid) + " does not exist."); check(userid !== context.user.id, "You cannot delete your own account."); } catch (err) { error = err.message; @@ -94,7 +94,7 @@ exports.setup = function (App) { if (!error) { delete App.server.users[userid]; App.server.userdb.write(); - ok = 'User ' + userid + ' sucessfully deleted.'; + ok = 'User ' + Text.escapeHTML(userid) + ' successfully deleted.'; App.logServerAction(context.user.id, "Delete User: " + userid); } } @@ -104,23 +104,23 @@ exports.setup = function (App) { let user = Text.toId(parts[0]); if (users[user]) { let htmlVars = Object.create(null); - htmlVars.id = user; - htmlVars.name = users[user].name; - htmlVars.group = users[user].group; + htmlVars.id = Text.escapeHTML(user); + htmlVars.name = Text.escapeHTML(users[user].name); + htmlVars.group = Text.escapeHTML(users[user].group); htmlVars.permissions = ''; for (let i in App.server.permissions) { htmlVars.permissions += '
'; - htmlVars.permissions += ''; - htmlVars.permissions += ' ' + i + ' (' + App.server.permissions[i].desc + ')'; + htmlVars.permissions += ' ' + Text.escapeHTML(i) + ' (' + Text.escapeHTML(App.server.permissions[i].desc) + ')'; htmlVars.permissions += '
'; } htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); htmlVars.request_msg = (ok ? ok : (error || "")); - context.endWithWebPage(editTemplate.make(htmlVars), {title: 'User ' + user + ' - Showdown ChatBot'}); + context.endWithWebPage(editTemplate.make(htmlVars), {title: 'User ' + Text.escapeHTML(user) + ' - Showdown ChatBot'}); } else { - context.endWithWebPage('

User Not Found

The user ' + user + ' was not found

', {title: 'User not found'}); + context.endWithWebPage('

User Not Found

The user ' + Text.escapeHTML(user) + ' was not found

', {title: 'User not found'}); } } else { let htmlVars = Object.create(null); @@ -131,11 +131,11 @@ exports.setup = function (App) { for (let u in users) { let target = users[u]; htmlVars.users_list += '
'; - htmlVars.users_list += ''; - htmlVars.users_list += ''; - htmlVars.users_list += ''; - htmlVars.users_list += ''; + htmlVars.users_list += ''; + htmlVars.users_list += ''; + htmlVars.users_list += ''; + htmlVars.users_list += ''; htmlVars.users_list += ''; } htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : '')); diff --git a/src/tools/text.js b/src/tools/text.js index 33e29b1..76d6436 100644 --- a/src/tools/text.js +++ b/src/tools/text.js @@ -75,7 +75,7 @@ exports.trim = function (str) { * @returns {String} */ exports.escapeHTML = function (str) { - if (!str) return ''; + if (str === undefined || str === null) return ''; return ('' + str).replace(/&/g, '&').replace(//g, '>').replace(/"/g, '"').replace(/'/g, ''').replace(/\//g, '/'); };
' + App.modules[id].name + ' ' + Text.escapeHTML(App.modules[id].name) + ' 
' + App.server.menu[opt].name + '' + Text.escapeHTML(App.server.menu[opt].name) + '
' + Text.escapeHTML(alias) + '' + Text.escapeHTML(App.parser.data.roomaliases[alias]) + '
'; - html += ''; html += ''; html += ''; for (let j = 0; j < App.config.parser.groups.length; j++) { - html += ''; + html += ''; } html += ''; html += '
' + logs[i].file + '' + logs[i].size + ' KB' + logs[i].date + - '
' + target.id + '' + target.name + '' + (target.group || '-') + '   ' + Text.escapeHTML(target.id) + '' + Text.escapeHTML(target.name) + '' + Text.escapeHTML(target.group || '-') + '