diff --git a/main/course_description/index.php b/main/course_description/index.php
index 31f5be4300..8c54044be5 100644
--- a/main/course_description/index.php
+++ b/main/course_description/index.php
@@ -1,4 +1,4 @@
-= ADD_BLOCK) {
 if ($description['edit']=='1') {
- $sql = "UPDATE $tbl_course_description SET title = '".Database::escape_string($title)."', content = '".Database::escape_string($content)."' WHERE id = '".$description_id."' ";
+ $sql = "UPDATE $tbl_course_description SET title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."' WHERE id = '".$description_id."' ";
 api_sql_query($sql, __FILE__, __LINE__);
 } else {
 $result = api_sql_query($sql, __FILE__, __LINE__);
- $sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string($title)."', content = '".Database::escape_string($content)."'";
+ $sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."'";
 api_sql_query($sql, __FILE__, __LINE__);
 }
 /*$sql = "SELECT id FROM $tbl_course_description WHERE id = ".ADD_BLOCK;
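Review bot: In both rewritten statements `$description_id` is still interpolated raw into `WHERE id = '".$description_id."'` and `SET id = '".$description_id."'`, while only `$title` and `$content` receive `Database::escape_string`; the DELETE and INSERT IGNORE in the `@@ -230,7` hunk below repeat the same pattern. If `$description_id` can originate from the request (the `@@ -230` hunk header tests `!is_null($description_id) || $action =='add'`, which suggests it does), normalise it once before any query, e.g. `$description_id = (int) $description_id;` if ids are numeric as the `>= ADD_BLOCK` comparison implies, or wrap each use in `Database::escape_string()`. Note also that `Security::remove_XSS` applied at storage time is a lossy input filter and does not replace escaping `title`/`content` with `htmlspecialchars` at the point where they are rendered. The enclosing `if` starts before this hunk and its header line is garbled in this view.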
@@ -230,7 +230,7 @@ if (api_is_allowed_to_edit() && !is_null($description_id) || $action =='add') {
 }
 $sql = "DELETE FROM $tbl_course_description WHERE id = '".$description_id."'";
 api_sql_query($sql, __FILE__, __LINE__);
- $sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string($title)."', content = '".Database::escape_string($content)."'";
+ $sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."'";
 api_sql_query($sql, __FILE__, __LINE__);
 }
 Display :: display_confirmation_message(get_lang('CourseDescriptionUpdated'));
diff --git a/main/course_info/infocours.php b/main/course_info/infocours.php
index 9f492a21e0..7869b82767 100644
--- a/main/course_info/infocours.php
+++ b/main/course_info/infocours.php
@@ -1,4 +1,4 @@
-applyFilter('tutor_name','html_filter');
 $prof -> setSelected($s_selected_tutor);
 $form->add_textfield('title', get_lang('Title'), true, array ('size' => '60'));
-$form->applyFilter('title','html_filter');
+//$form->applyFilter('title','html_filter');
 $form->applyFilter('title','trim');
 $form->addElement('select', 'category_code', get_lang('Fac'), $categories);
 $form->add_textfield('department_name', get_lang('Department'), false, array ('size' => '60'));
-$form->applyFilter('department_name','html_filter');
+//$form->applyFilter('department_name','html_filter');
 $form->applyFilter('department_name','trim');
 $form->add_textfield('department_url', get_lang('DepartmentUrl'), false, array ('size' => '60'));
-$form->applyFilter('department_url','html_filter');
+//$form->applyFilter('department_url','html_filter');
 $form->addRule('tutor_name', get_lang('ThisFieldIsRequired'), 'required');
 $form->addElement('select_language', 'course_language', get_lang('Ln'));
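Review bot: The three `html_filter` calls in infocours.php are commented out rather than removed, leaving dead `//$form->applyFilter(...)` lines with no explanation of why the form-level filter was dropped; delete them and leave one comment on the fields instead, e.g. `// html_filter intentionally not applied: title/department values are passed through Security::remove_XSS before storage in the UPDATE below`. With the filter gone, `department_url` reaches the database with no check of its shape at all — in the visible lines it does not even get the `trim` filter that `title` and `department_name` keep — so consider adding a validation rule on `department_url` that restricts it to an http(s) URL, since the stored value will presumably end up in an `href`. The header of this infocours.php hunk is lost in this view, so the enclosing scope cannot be confirmed.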
@@ -305,12 +305,12 @@ if ($form->validate() && is_settings_editable()) {
 $update_values[$index] = Database::escape_string($value);
 }
 $table_course = Database :: get_main_table(TABLE_MAIN_COURSE);
- $sql = "UPDATE $table_course SET title = '".$update_values['title']."',
+ $sql = "UPDATE $table_course SET title = '".Security::remove_XSS($update_values['title'])."',
 visual_code = '".$update_values['visual_code']."',
 course_language = '".$update_values['course_language']."',
 category_code = '".$update_values['category_code']."',
- department_name = '".$update_values['department_name']."',
- department_url = '".$update_values['department_url']."',
+ department_name = '".Security::remove_XSS($update_values['department_name'])."',
+ department_url = '".Security::remove_XSS($update_values['department_url'])."',
 visibility = '".$update_values['visibility']."',
 subscribe = '".$update_values['subscribe']."',
 unsubscribe = '".$update_values['unsubscribe']."',
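Review bot: `Security::remove_XSS` is applied here to values that `Database::escape_string` has already processed on the context line `$update_values[$index] = Database::escape_string($value);`, which is the reverse of the order used in course_description/index.php (`escape_string(remove_XSS(...))`). Filtering a string that already carries SQL escape sequences is fragile: if `remove_XSS` strips or rewrites backslashes or quotes, the escaping is undone or the stored value is corrupted, and the two files should agree on one order. Apply the filter before escaping for the text fields only, e.g. in the loop `$update_values[$index] = Database::escape_string(in_array($index, array('title', 'department_name', 'department_url'), true) ? Security::remove_XSS($value) : $value);` and keep the three SET lines as plain `$update_values[...]`. The loop that sets `$update_values` begins before this hunk, so its variable names are taken from the one visible context line.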