diff --git a/lam/templates/help.php b/lam/templates/help.php
index 97e62938..88c18376 100644
--- a/lam/templates/help.php
+++ b/lam/templates/help.php
@@ -97,8 +97,7 @@ function displayHelp($helpEntry,$helpVariables) {
 }
 /* If no help number was submitted print error message */
-if(!isset($_GET['HelpNumber']))
-{
+if (!isset($_GET['HelpNumber'])) {
 $errorMessage = "Sorry no help number submitted.";
 echoHTMLHead();
 statusMessage("ERROR","",$errorMessage);
@@ -111,16 +110,16 @@ $helpEntry = array();
 // module help
 if(isset($_GET['module']) && !($_GET['module'] == 'main') && !($_GET['module'] == '')) {
 include_once("../lib/modules.inc");
- if(isset($_GET['scope'])) {
+ if (isset($_GET['scope'])) {
 $helpEntry = getHelp($_GET['module'],$_GET['HelpNumber'],$_GET['scope']);
 }
 else {
 $helpEntry = getHelp($_GET['module'],$_GET['HelpNumber']);
 }
- if(!$helpEntry) {
+ if (!$helpEntry) {
 $variables = array();
- array_push($variables,$_GET['HelpNumber']);
- array_push($variables,$_GET['module']);
+ array_push($variables, htmlspecialchars($_GET['HelpNumber']));
+ array_push($variables, htmlspecialchars($_GET['module']));
 $errorMessage = _("Sorry this help id ({bold}%s{endbold}) is not available for this module ({bold}%s{endbold}).");
 echoHTMLHead();
 statusMessage("ERROR","",$errorMessage,$variables);
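Review bot: The two new `htmlspecialchars()` calls on `$_GET['HelpNumber']` and `$_GET['module']` use the default flags, so single quotes are left as-is (ENT_COMPAT is the default before PHP 5.4) and no charset is passed; whether that is enough depends on how statusMessage() substitutes the variables into its markup, which is outside this hunk. Naming the context explicitly, `htmlspecialchars($_GET['HelpNumber'], ENT_QUOTES, 'UTF-8')`, makes the call safe in attribute context as well, and the same applies to every `htmlspecialchars()` added in this diff (the two later help.php hunks, initsuff.php, massBuildAccounts.php, massDoUpload.php and masscreate.php). The raw `$_GET['module']` and `$_GET['scope']` still flow into getHelp(), which is the right place for the unescaped value provided getHelp() validates the module name itself before using it — not visible here. The enclosing if-block opens in this hunk and closes outside it.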
@@ -131,11 +130,10 @@ if(isset($_GET['module']) && !($_GET['module'] == 'main') && !($_GET['module'] =
 // help entry in help.inc
 else {
 /* If submitted help number is not in help/help.inc print error message */
- if(!array_key_exists($_GET['HelpNumber'],$helpArray))
- {
+ if (!array_key_exists($_GET['HelpNumber'],$helpArray)) {
 $variables = array();
- array_push($variables,$_GET['HelpNumber']);
- $errorMessage = _("Sorry this help number ({bold}%d{endbold}) is not available.");
+ array_push($variables, htmlspecialchars($_GET['HelpNumber']));
+ $errorMessage = _("Sorry this help number ({bold}%s{endbold}) is not available.");
 echoHTMLHead();
 statusMessage("ERROR","",$errorMessage,$variables);
 echoHTMLFoot();
@@ -150,8 +148,8 @@ $i = 1;
 $moreVariables = true;
 $helpVariables = array();
 while($moreVariables) {
- if(isset($_GET['var' . $i])) {
- array_push($helpVariables,$_GET['var' . $i]);
+ if (isset($_GET['var' . $i])) {
+ array_push($helpVariables, htmlspecialchars($_GET['var' . $i]));
 $i++;
 }
 else {
diff --git a/lam/templates/initsuff.php b/lam/templates/initsuff.php
index 6efe8e52..a043b2dd 100644
--- a/lam/templates/initsuff.php
+++ b/lam/templates/initsuff.php
@@ -148,7 +148,7 @@ if (isset($_POST['add_suff']) || isset($_POST['cancel'])) {
 if (sizeof($fail) > 0) {
 // print error messages
 for ($i = 0; $i < sizeof($fail); $i++) {
- StatusMessage("ERROR", _("Failed to create entry!") . "
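Review bot: `$_GET['HelpNumber']` reaches `array_key_exists()` and the new `htmlspecialchars()` without a check that it is a string; a request that supplies the parameter as an array makes both calls fail with a warning (a TypeError on PHP 8) instead of producing the friendly error page this branch exists for. A type guard on the existing condition keeps that path intact: `if (!is_string($_GET['HelpNumber']) || !array_key_exists($_GET['HelpNumber'],$helpArray)) {`. The `var$i` loop in the next hunk has the same exposure for `$_GET['var' . $i]`, and the `%d`→`%s` change is correct now that the value is an escaped string. The else-block this hunk sits in closes outside the hunk.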
" . $error[$i], $fail[$i]); + StatusMessage("ERROR", _("Failed to create entry!") . "
" . htmlspecialchars($error[$i]), htmlspecialchars($fail[$i])); } include 'main_footer.php'; } diff --git a/lam/templates/massBuildAccounts.php b/lam/templates/massBuildAccounts.php index 13068133..68a4e5c7 100644 --- a/lam/templates/massBuildAccounts.php +++ b/lam/templates/massBuildAccounts.php @@ -87,7 +87,8 @@ if (isset($_GET['showldif'])) { } include 'main_header.php'; -echo '
'; +$scope = htmlspecialchars($_POST['scope']); +echo '
'; $selectedModules = explode(',', $_POST['selectedModules']); if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) { @@ -95,7 +96,7 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) { $data = array(); // input values without first row $ids = array(); // => // get input fields from modules - $columns = getUploadColumns($_POST['scope'], $selectedModules); + $columns = getUploadColumns($scope, $selectedModules); // read input file $handle = fopen ($_FILES['inputfile']['tmp_name'], "r"); if (($head = fgetcsv($handle, 2000)) !== false ) { // head row @@ -158,15 +159,15 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) { // if input data is invalid just display error messages (max 50) if (sizeof($errors) > 0) { for ($i = 0; $i < sizeof($errors); $i++) StatusMessage("ERROR", $errors[$i][0], $errors[$i][1]); - massPrintBackButton($_POST['scope'], $selectedModules); + massPrintBackButton($scope, $selectedModules); } // let modules build accounts else { - $accounts = buildUploadAccounts($_POST['scope'], $data, $ids, $selectedModules); + $accounts = buildUploadAccounts($scope, $data, $ids, $selectedModules); if ($accounts != false) { - $rdnList = getRDNAttributes($_POST['scope'], $selectedModules); - $suffix = $_SESSION['config']->get_Suffix($_POST['scope']); + $rdnList = getRDNAttributes($scope, $selectedModules); + $suffix = $_SESSION['config']->get_Suffix($scope); // set DN for ($i = 0; $i < sizeof($accounts); $i++) { // check against list of possible RDN attributes @@ -193,7 +194,7 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) { $_SESSION['mass_postActions'] = array(); $_SESSION['mass_data'] = $_SESSION['ldap']->encrypt(serialize($data)); $_SESSION['mass_ids'] = $ids; - $_SESSION['mass_scope'] = $_POST['scope']; + $_SESSION['mass_scope'] = $scope; $_SESSION['mass_selectedModules'] = $selectedModules; if (isset($_SESSION['mass_pdf'])) { unset($_SESSION['mass_pdf']); 
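Review bot: `$scope` is HTML-escaped at the top of the script and then used as a lookup key rather than as output: the later hunks pass it to getUploadColumns(), buildUploadAccounts(), getRDNAttributes() and get_Suffix(), and store it in `$_SESSION['mass_scope']`. Output escaping is the wrong tool there — a scope containing `&`, `<` or a quote is not rejected but silently turned into a different string, and it becomes unclear which callees get raw and which get encoded input (`$selectedModules`, built from `$_POST['selectedModules']` on the next line, still goes raw into the same functions). The robust shape is to validate `$_POST['scope']` once against the list of known account types and stop with an error otherwise, use that validated value for every lookup and for the session, and call `htmlspecialchars($scope)` only in the `echo` lines; the masscreate.php hunk has `$types` at hand for the same check on `$_POST['type']`. `$_POST['scope']` is also read without an isset() check, so a missing value only surfaces as a notice.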
@@ -225,13 +226,13 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) { } } else { - massPrintBackButton($_POST['scope'], $selectedModules); + massPrintBackButton($scope, $selectedModules); } } } else { StatusMessage('ERROR', _('Please provide a file to upload.')); - massPrintBackButton($_POST['scope'], $selectedModules); + massPrintBackButton($scope, $selectedModules); } echo '
'; diff --git a/lam/templates/massDoUpload.php b/lam/templates/massDoUpload.php index 04bc6c28..93793ae8 100644 --- a/lam/templates/massDoUpload.php +++ b/lam/templates/massDoUpload.php @@ -58,7 +58,8 @@ if (!isset($_SESSION['loggedIn']) || ($_SESSION['loggedIn'] !== true)) { setlanguage(); include 'main_header.php'; -echo '
'; +$scope = htmlspecialchars($_SESSION['mass_scope']); +echo '
'; // create accounts $accounts = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_accounts'])); @@ -120,12 +121,12 @@ if (($_SESSION['mass_counter'] < sizeof($accounts)) || !isset($_SESSION['mass_po // do post upload actions after all accounts are created if ($_SESSION['mass_counter'] >= sizeof($accounts)) { $data = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_data'])); - $return = doUploadPostActions($_SESSION['mass_scope'], $data, $_SESSION['mass_ids'], $_SESSION['mass_failed'], $_SESSION['mass_selectedModules'], $accounts); + $return = doUploadPostActions($scope, $data, $_SESSION['mass_ids'], $_SESSION['mass_failed'], $_SESSION['mass_selectedModules'], $accounts); if ($return['status'] == 'finished') { $_SESSION['mass_postActions']['finished'] = true; } for ($i = 0; $i < sizeof($return['errors']); $i++) $_SESSION['mass_errors'][] = $return['errors'][$i]; - echo "
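Review bot: `htmlspecialchars($_SESSION['mass_scope'])` on the new line encodes a value that massBuildAccounts.php already stored escaped (`$_SESSION['mass_scope'] = $scope;` in that file's @@ -193 hunk), so an `&` in the scope becomes `&amp;amp;` before it reaches the echo, doUploadPostActions() and, in the next hunk, getModuleAlias(). Either the session should hold the raw, validated scope and this file escapes for output only, or the second call should go; as written the lookups receive an HTML-encoded identifier. If scope values are plain type names the lookups still work, but nothing here enforces that. The `// create accounts` section continues past this hunk.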

" . _("Additional tasks for module:") . ' ' . getModuleAlias($return['module'], $_SESSION['mass_scope']) . "

\n"; + echo "

" . _("Additional tasks for module:") . ' ' . getModuleAlias($return['module'], $scope) . "

\n"; ?>
\n"; } } diff --git a/lam/templates/masscreate.php b/lam/templates/masscreate.php index 754da198..4623eaf3 100644 --- a/lam/templates/masscreate.php +++ b/lam/templates/masscreate.php @@ -84,7 +84,7 @@ $types = array_values($types); // check if account specific page should be shown if (isset($_POST['type'])) { // get selected type - $scope = $_POST['type']; + $scope = htmlspecialchars($_POST['type']); // get selected modules $selectedModules = array(); $checkedBoxes = array_keys($_POST, 'on');