diff --git a/main/announcements/announcements.php b/main/announcements/announcements.php
index 0c65e9db8e..ca66dfbaa7 100644
--- a/main/announcements/announcements.php
+++ b/main/announcements/announcements.php
@@ -1,4 +1,4 @@
-$_POST['emailTitle'], 'newContent'=>$_POST['newContent'], 'id'=>$_POST['id'], 'emailoption'=>$_POST['email_ann']);
+ $form_elements= array ('emailTitle'=>$safe_emailTitle, 'newContent'=>$safe_newContent, 'id'=>$_POST['id'], 'emailoption'=>$_POST['email_ann']);
$_SESSION['formelements']=$form_elements;
$form_elements = $_SESSION['formelements'];
@@ -511,8 +515,8 @@ if (api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_ed
*/
//if (api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) {
- $emailTitle=(!empty($_POST['emailTitle'])?$_POST['emailTitle']:'');
- $newContent=(!empty($_POST['newContent'])?$_POST['newContent']:'');
+ $emailTitle=(!empty($_POST['emailTitle'])?$safe_emailTitle:'');
+ $newContent=(!empty($_POST['newContent'])?$safe_newContent:'');
$submitAnnouncement=isset($_POST['submitAnnouncement'])?$_POST['submitAnnouncement']:0;
$id = 0;
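Review bot: `$safe_emailTitle` and `$safe_newContent` are consumed on the two changed lines, but no hunk in this diff defines them, so please confirm they are assigned before this point on every request path, including requests where the POST keys are absent, otherwise these lines read an undefined variable. The emptiness guard also still tests the raw `$_POST` value while returning the filtered one, so a submission whose title is nothing but markup passes the guard yet can end up stored as an empty string if `remove_XSS` strips it; if that matters, test the filtered value instead: `$emailTitle = !empty($safe_emailTitle) ? $safe_emailTitle : '';` and likewise for `$newContent`. The enclosing block starts before and ends after this hunk.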
@@ -541,10 +545,10 @@ if (api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_ed
$result = api_sql_query("SELECT MAX(display_order) FROM $tbl_announcement WHERE session_id=".intval($_SESSION['id_session'])." OR session_id=0",__FILE__,__LINE__);
list($orderMax) = Database::fetch_row($result);
$order = $orderMax + 1;
- if (!empty($_SESSION['toolgroup'])) {
- $insert_id=store_advalvas_group_item($_POST['emailTitle'],$_POST['newContent'],$order,array('GROUP:'.$_SESSION['toolgroup']),$_POST['selectedform']);
+ if (!empty($_SESSION['toolgroup'])) {
+ $insert_id=store_advalvas_group_item($safe_emailTitle,$safe_newContent,$order,array('GROUP:'.$_SESSION['toolgroup']),$_POST['selectedform']);
} else {
- $insert_id=store_advalvas_item($_POST['emailTitle'],$_POST['newContent'],$order,$_POST['selectedform']);
+ $insert_id=store_advalvas_item($safe_emailTitle,$safe_newContent,$order,$_POST['selectedform']);
}
store_resources($_SESSION['source_type'],$insert_id);
$_SESSION['select_groupusers']="hide";
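Review bot: The filtered `$safe_*` values are now what gets persisted, so the database holds the post-filter form of the announcement; that is acceptable, but the display path must still escape for its own output context, because a write-time HTML filter does not cover attribute, JavaScript or e-mail-subject placement, and any later tightening of `remove_XSS` will not reach rows that are already stored. `$_POST['selectedform']` is still passed through unchanged on both branches and the bodies of `store_advalvas_item`/`store_advalvas_group_item` are not visible here, so confirm it is cast or whitelisted inside those helpers. The `'GROUP:'.$_SESSION['toolgroup']` value is session data rather than request input and needs no change. The enclosing `if` starts before and ends after this hunk.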
@@ -1045,7 +1049,7 @@ if ($display_form == true) {
'.get_lang('EmailAddress').'
- (Comma separated for multiple)
+ (Comma separated for multiple)
';
echo '
@@ -1066,7 +1070,7 @@ if ($display_form == true) {
-
+
';
diff --git a/main/blog/blog.php b/main/blog/blog.php
index f519e3c81a..23f653d826 100644
--- a/main/blog/blog.php
+++ b/main/blog/blog.php
@@ -75,34 +75,41 @@ $current_page = $_GET['action'];
PROCESSING
==============================================================================
*/
+
+$safe_post_title = Security::remove_XSS($_POST['post_title']);
+$safe_post_file_comment = Security::remove_XSS($_POST['post_file_comment']);
+$safe_post_full_text = Security::remove_XSS($_POST['post_full_text']);
+$safe_comment_text = Security::remove_XSS($_POST['comment_text']);
+$safe_comment_title = Security::remove_XSS($_POST['comment_title']);
+$safe_task_name = Security::remove_XSS($_POST['task_name']);
+$safe_task_description = Security::remove_XSS($_POST['task_description']);
+
if (!empty($_POST['new_post_submit']) AND !empty($_POST['post_title']))
{
- $safe_post_title = Security::remove_XSS($_POST['post_title']);
- $safe_post_file_comment = Security::remove_XSS($_POST['post_file_comment']);
- Blog :: create_post($safe_post_title, $_POST['post_full_text'], $safe_post_file_comment,$blog_id);
+ Blog :: create_post($safe_post_title, $safe_post_full_text, $safe_post_file_comment,$blog_id);
$return_message = array('type' => 'confirmation', 'message' => get_lang('BlogAdded'));
}
if (!empty($_POST['edit_post_submit']))
{
- $safe_post_title = Security::remove_XSS($_POST['post_title']);
- Blog :: edit_post($_POST['post_id'], $safe_post_title, $_POST['post_full_text'], $blog_id);
+ $safe_post_title = Security::remove_XSS($_POST['post_title']);
+ Blog :: edit_post($_POST['post_id'], $safe_post_title, $safe_post_full_text, $blog_id);
$return_message = array('type' => 'confirmation', 'message' => get_lang('BlogEdited'));
}
if (!empty($_POST['new_comment_submit']))
{
- Blog :: create_comment($_POST['comment_title'], $_POST['comment_text'], $_POST['post_file_comment'],$blog_id, (int)$_GET['post_id'], $_POST['comment_parent_id']);
+ Blog :: create_comment($safe_comment_title, $safe_comment_text, $safe_post_file_comment,$blog_id, (int)$_GET['post_id'], $_POST['comment_parent_id']);
$return_message = array('type' => 'confirmation', 'message' => get_lang('CommentAdded'));
}
if (!empty($_POST['new_task_submit']))
{
- Blog :: create_task($blog_id, $_POST['task_name'], $_POST['task_description'], $_POST['chkArticleDelete'], $_POST['chkArticleEdit'], $_POST['chkCommentsDelete'], $_POST['task_color']);
+ Blog :: create_task($blog_id, $safe_task_name, $safe_task_description, $_POST['chkArticleDelete'], $_POST['chkArticleEdit'], $_POST['chkCommentsDelete'], $_POST['task_color']);
$return_message = array('type' => 'confirmation', 'message' => get_lang('TaskCreated'));
}
if (isset($_POST['edit_task_submit']))
{
- Blog :: edit_task($_POST['blog_id'], $_POST['task_id'], $_POST['task_name'], $_POST['task_description'], $_POST['chkArticleDelete'], $_POST['chkArticleEdit'],$_POST['chkCommentsDelete'], $_POST['task_color']);
+ Blog :: edit_task($_POST['blog_id'], $_POST['task_id'], $safe_task_name, $safe_task_description, $_POST['chkArticleDelete'], $_POST['chkArticleEdit'],$_POST['chkCommentsDelete'], $_POST['task_color']);
$return_message = array('type' => 'confirmation', 'message' => get_lang('TaskEdited'));
}
if (!empty($_POST['assign_task_submit']))
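Review bot: The seven `Security::remove_XSS($_POST[...])` calls hoisted to the top of the PROCESSING section now run on every request, including plain GET views where none of those POST keys exist, which raises an undefined-index notice per key on configurations that report notices; the code being replaced only read a key inside the branch that handled it. Guard each read with `isset()` as sketched below. The re-assignment of `$safe_post_title` inside the `edit_post_submit` branch is now redundant with the hoisted one and can be dropped. `post_full_text` was previously handed to `create_post`/`edit_post` unfiltered; if that field carries rich-text HTML from an editor, confirm that the default `remove_XSS` level preserves the markup the editor emits, otherwise use the level the display code expects, as the wiki change in this same commit does.
```php
$safe_post_title        = isset($_POST['post_title'])        ? Security::remove_XSS($_POST['post_title'])        : '';
$safe_post_file_comment = isset($_POST['post_file_comment']) ? Security::remove_XSS($_POST['post_file_comment']) : '';
$safe_post_full_text    = isset($_POST['post_full_text'])    ? Security::remove_XSS($_POST['post_full_text'])    : '';
$safe_comment_text      = isset($_POST['comment_text'])      ? Security::remove_XSS($_POST['comment_text'])      : '';
$safe_comment_title     = isset($_POST['comment_title'])     ? Security::remove_XSS($_POST['comment_title'])     : '';
$safe_task_name         = isset($_POST['task_name'])         ? Security::remove_XSS($_POST['task_name'])         : '';
$safe_task_description  = isset($_POST['task_description'])  ? Security::remove_XSS($_POST['task_description'])  : '';
// … unchanged: submit handlers below …
```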
@@ -118,7 +125,7 @@ if (isset($_POST['assign_task_edit_submit']))
}
if (!empty($_POST['new_task_execution_submit']))
{
- Blog :: create_comment($_POST['comment_title'], $_POST['comment_text'], $blog_id, (int)$_GET['post_id'], $_POST['comment_parent_id'], $_POST['task_id']);
+ Blog :: create_comment($safe_comment_title, $safe_comment_text, $blog_id, (int)$_GET['post_id'], $_POST['comment_parent_id'], $_POST['task_id']);
$return_message = array('type' => 'confirmation', 'message' => get_lang('CommentCreated'));
}
if (!empty($_POST['register']))
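Review bot: This `Blog::create_comment` call passes `$blog_id` as the third argument and appends `$_POST['task_id']`, while the call in the `new_comment_submit` branch earlier in this file passes `$safe_post_file_comment` third and has no task argument; unless the method's signature makes both shapes valid, one of the two calls is misaligned, and this commit edits both without reconciling them. That mismatch predates the change, but it is worth checking while these lines are being touched. `$_POST['comment_parent_id']` and `$_POST['task_id']` are still passed raw; if they are numeric ids, as their names suggest, cast them the way `$_GET['post_id']` already is: `(int)$_POST['comment_parent_id'], (int)$_POST['task_id']`.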
diff --git a/main/wiki/index.php b/main/wiki/index.php
index 755f80a13b..fa90acfa65 100644
--- a/main/wiki/index.php
+++ b/main/wiki/index.php
@@ -2530,8 +2530,8 @@ function display_wiki_entry()
}
else
{
- $content=$row['content'];
- $title=$row['title'];
+ $content=Security::remove_XSS($row['content'],COURSEMANAGER);
+ $title= Security::remove_XSS($row['title']);
}
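Review bot: `COURSEMANAGER` is passed as the filter level for `$row['content']` unconditionally, so every stored wiki page is filtered at that level regardless of who authored it or who is viewing it; if the second parameter selects how permissive the filter is, as its use here suggests, the level should be derived from the author's role or the course setting that governs wiki editing rather than a constant, otherwise student-authored markup is filtered as if it were course-manager content. Filtering here at display time rather than at write time is the right side to do it on, and the title using the default level is consistent with the other files in this commit. The `if` branch that pairs with this `else` lies before the hunk; confirm it assigns `$content` and `$title` with the same filtering, since `display_wiki_entry` presumably outputs whichever branch ran. The function starts before and ends after this hunk.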