diff --git a/main/admin/configure_extensions.php b/main/admin/configure_extensions.php
index 63898ba7ac..9976366e32 100755
--- a/main/admin/configure_extensions.php
+++ b/main/admin/configure_extensions.php
@@ -4,9 +4,7 @@
  * Edition of extensions configuration
  * @package chamilo.admin
  */
-/**
- * Code
- */
+
 // name of the language file that needs to be included
 $language_file='admin';
 $cidReset=true;
@@ -154,17 +152,18 @@ if (isset($_POST['activeExtension'])) {
 $listActiveServices = array();
 
 // get the list of active services
-$sql = 'SELECT variable FROM '.$tbl_settings_current.' WHERE variable LIKE "service_%" AND subkey="active" and selected_value="true"';
+$sql = 'SELECT variable FROM '.$tbl_settings_current.'
+		WHERE variable LIKE "service_%" AND subkey="active" and selected_value="true"';
 
 $rs = Database::query($sql);
 while($row = Database::fetch_array($rs)){
 	$listActiveServices[] = $row['variable'];
 }
 
-$javascript_service_displayed = '';
-if(isset($_GET['display'])){
+/*$javascript_service_displayed = '';
+if (isset($_GET['display'])) {
 	$javascript_service_displayed = 'document.getElementById("extension_content_'.$_GET['display'].'").style.display = "block"';
-}
+}*/
 
 // javascript to handle accordion behaviour
 $javascript_message = '';
@@ -223,8 +222,6 @@ $nameTool = get_lang('ConfigureExtensions');
 Display::display_header($nameTool);
 
 ?>
-
-
 <div id="message" style="display: none">
 	<?php
 	if(!empty($message))
@@ -299,7 +296,7 @@ Display::display_header($nameTool);
 	</div>
 
  */ ?>
-    
+
 	<!-- PPT2LP -->
 	<div id="main_ppt2lp">
 		<div id="extension_header_ppt2lp" class="accordion_header">
@@ -441,7 +438,7 @@ Display::display_header($nameTool);
 	</div>
 	*/
     /*
-   
+
 	<!-- SEARCH -->
 	<div id="main_search">
 		<div id="extension_header_search" class="accordion_header">
diff --git a/main/admin/course_category.php b/main/admin/course_category.php
index 40aa13cdcc..adbdb1f748 100755
--- a/main/admin/course_category.php
+++ b/main/admin/course_category.php
@@ -73,7 +73,7 @@ if ($action == 'add' || $action == 'edit') {
         echo '<div class="actions">';
         echo Display::url(
             Display::return_icon('folder_up.png', get_lang("Back"), '', ICON_SIZE_MEDIUM),
-            api_get_path(WEB_CODE_PATH).'admin/course_category.php?category='.$category
+            api_get_path(WEB_CODE_PATH).'admin/course_category.php?category='.Security::remove_XSS($category)
         );
         echo '</div>';
 
@@ -81,7 +81,7 @@ if ($action == 'add' || $action == 'edit') {
         if (!empty($category)) {
             $form_title .= ' ' . get_lang('Into') . ' ' . Security::remove_XSS($category);
         }
-        $url = api_get_self().'?action='.Security::remove_XSS($action).'&category='.Security::remove_XSS($category).'&id='.$category;
+        $url = api_get_self().'?action='.Security::remove_XSS($action).'&category='.Security::remove_XSS($category).'&id='.Security::remove_XSS($category);
         $form = new FormValidator('course_category', 'post', $url);
         $form->addElement('header', '', $form_title);
         $form->addElement('hidden', 'formSent', 1);
@@ -129,7 +129,7 @@ if ($action == 'add' || $action == 'edit') {
     if (empty($parentInfo) || $parentInfo['auth_cat_child'] == 'TRUE') {
         echo Display::url(
             Display::return_icon('new_folder.png', get_lang("AddACategory"), '', ICON_SIZE_MEDIUM),
-            api_get_path(WEB_CODE_PATH).'admin/course_category.php?action=add&category='.$category
+            api_get_path(WEB_CODE_PATH).'admin/course_category.php?action=add&category='.Security::remove_XSS($category)
         );
     }
 
diff --git a/main/admin/session_edit.php b/main/admin/session_edit.php
index 30f9bcc6a6..cdc486fbf4 100755
--- a/main/admin/session_edit.php
+++ b/main/admin/session_edit.php
@@ -4,9 +4,6 @@
  * Sessions edition script
  * @package chamilo.admin
  */
-/**
- * Code
- */
 
 // name of the language file that needs to be included
 $language_file ='admin';
diff --git a/main/calendar/agenda.lib.php b/main/calendar/agenda.lib.php
index 59579625e4..3c36ac36ee 100755
--- a/main/calendar/agenda.lib.php
+++ b/main/calendar/agenda.lib.php
@@ -68,7 +68,11 @@ class Agenda
      */
     public function setType($type)
     {
-        $this->type = $type;
+        $typeList = $this->getTypes();
+
+        if (in_array($type, $typeList)) {
+            $this->type = $type;
+        }
     }
 
     /**
diff --git a/main/calendar/agenda_list.php b/main/calendar/agenda_list.php
index a59e543356..7bf24eb298 100755
--- a/main/calendar/agenda_list.php
+++ b/main/calendar/agenda_list.php
@@ -18,7 +18,7 @@ $interbreadcrumb[] = array(
 
 $agenda = new Agenda();
 $type = isset($_REQUEST['type']) ? $_REQUEST['type'] : null;
-$agenda->type = $type;
+$agenda->setType($type);
 $events = $agenda->get_events(
     null,
     null,
diff --git a/main/inc/lib/diagnoser.lib.php b/main/inc/lib/diagnoser.lib.php
index d669e6395e..dc3faeb7a4 100755
--- a/main/inc/lib/diagnoser.lib.php
+++ b/main/inc/lib/diagnoser.lib.php
@@ -27,7 +27,7 @@ class Diagnoser
 
         $sections = array('chamilo', 'php', 'mysql', 'webserver');
 
-        if (!in_array($_GET['section'], $sections)) {
+        if (!in_array(trim($_GET['section']), $sections)) {
             $current_section = 'chamilo';
         } else {
             $current_section = $_GET['section'];
diff --git a/main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php b/main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php
index 27239e37e7..098d651139 100755
--- a/main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php
+++ b/main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php
@@ -19,7 +19,7 @@ if (!isset($manager)) {
     $pagination    = new pagination(false);
     $search_folder = null;
     if (isset($_GET['search_folder'])) {
-        $search_folder = str_replace("'", "", $_GET['search_folder']); //security fix for Chamilo by cfasanando
+        $search_folder = str_replace("'", "", Security::remove_XSS($_GET['search_folder']));
     }
 
     if (!empty($_GET['search'])) {
diff --git a/main/inc/lib/message.lib.php b/main/inc/lib/message.lib.php
index 20a9154d7c..f546fb827f 100755
--- a/main/inc/lib/message.lib.php
+++ b/main/inc/lib/message.lib.php
@@ -823,13 +823,13 @@ class MessageManager
                 $message[4] = '&nbsp;&nbsp;<a onclick="delete_one_message_outbox('.$result[0].')" href="javascript:void(0)"  >'.Display::return_icon('delete.png', get_lang('DeleteMessage')).'</a>';
             } else {
                 $link = '';
-                if ($_GET['f'] == 'social') {
+                if (isset($_GET['f']) && $_GET['f'] == 'social') {
                     $link = '&f=social';
                 }
                 $message[1] = '<a '.$class.' onclick="show_sent_message ('.$result[0].')" href="../messages/view_message.php?id_send='.$result[0].$link.'">'.$result[2].'</a><br />'.GetFullUserName($result[4]);
                 //$message[2] = '<a '.$class.' onclick="show_sent_message ('.$result[0].')" href="../messages/view_message.php?id_send='.$result[0].$link.'">'.$result[2].'</a>';
                 $message[2] = api_convert_and_format_date($result[3], DATE_TIME_FORMAT_LONG); //date stays the same
-                $message[3] = '<a href="outbox.php?action=deleteone&id='.$result[0].'&f='.Security::remove_XSS($_GET['f']).'"  onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang('ConfirmDeleteMessage')))."'".')) return false;" >'.Display::return_icon('delete.png', get_lang('DeleteMessage')).'</a>';
+                $message[3] = '<a href="outbox.php?action=deleteone&id='.$result[0].'&'.$link.'"  onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang('ConfirmDeleteMessage')))."'".')) return false;" >'.Display::return_icon('delete.png', get_lang('DeleteMessage')).'</a>';
             }
 
             foreach ($message as $key => $value) {
@@ -1527,7 +1527,7 @@ class MessageManager
         // display sortable table with messages of the current user
         $table = new SortableTable('message_outbox', array('MessageManager', 'get_number_of_messages_sent'), array('MessageManager', 'get_message_data_sent'), 3, 20, 'DESC');
 
-        $parameters['f'] = Security::remove_XSS($_GET['f']);
+        $parameters['f'] = isset($_GET['f']) && $_GET['f'] == 'social' ? 'social' : null;
         $table->set_additional_parameters($parameters);
         $table->set_header(0, '', false, array('style' => 'width:15px;'));
 
diff --git a/main/messages/new_message.php b/main/messages/new_message.php
index 7b63fee8d3..8ef36337b6 100755
--- a/main/messages/new_message.php
+++ b/main/messages/new_message.php
@@ -164,7 +164,7 @@ function show_compose_to_user ($receiver_id) {
 function manage_form($default, $select_from_user_list = null, $sent_to = null) {
 	$group_id 		= isset($_REQUEST['group_id']) ? intval($_REQUEST['group_id']) : null;
 	$message_id 	= isset($_GET['message_id'])  ?  intval($_GET['message_id']) : null;
-	$param_f 		= isset($_GET['f']) ? Security::remove_XSS($_GET['f']):'';
+	$param_f 		= isset($_GET['f']) && $_GET['f'] == 'social' ? 'social' : null;
 
 	$form = new FormValidator('compose_message', null, api_get_self().'?f='.$param_f, null, array('enctype'=>'multipart/form-data'));
 	if (empty($group_id)) {
diff --git a/main/messages/outbox.php b/main/messages/outbox.php
index 52145d0f35..8f5bf96952 100755
--- a/main/messages/outbox.php
+++ b/main/messages/outbox.php
@@ -6,13 +6,15 @@
 
 // name of the language file that needs to be included
 $language_file = array('registration','messages','userInfo');
-$cidReset=true;
+$cidReset = true;
 require_once '../inc/global.inc.php';
 
 api_block_anonymous_users();
 
 if (isset($_GET['messages_page_nr'])) {
-	if (api_get_setting('allow_social_tool')=='true' &&  api_get_setting('allow_message_tool')=='true') {
+	if (api_get_setting('allow_social_tool')=='true' &&
+        api_get_setting('allow_message_tool')=='true'
+    ) {
 		$social_link = '';
 		if ($_REQUEST['f']=='social') {
 			$social_link = '&f=social';
diff --git a/main/mySpace/student.php b/main/mySpace/student.php
index 62d59444cd..cf94fbffb1 100755
--- a/main/mySpace/student.php
+++ b/main/mySpace/student.php
@@ -4,9 +4,7 @@
  * Student report
  * @package chamilo.reporting
  */
-/**
- * Code
- */
+
  // name of the language file that needs to be included
 $language_file = array ('registration', 'index', 'tracking', 'admin');
 $cidReset = true;
@@ -198,8 +196,14 @@ if (api_is_drh()) {
 }
 
 $actions .= '<span style="float:right">';
-$actions .= Display::url(Display::return_icon('printer.png', get_lang('Print'), array(), ICON_SIZE_MEDIUM), 'javascript: void(0);', array('onclick'=>'javascript: window.print();'));
-$actions .= Display::url(Display::return_icon('export_csv.png', get_lang('ExportAsCSV'), array(), ICON_SIZE_MEDIUM), api_get_self().'?export=csv&keyword='.$keyword);
+$actions .= Display::url(
+    Display::return_icon('printer.png', get_lang('Print'), array(), ICON_SIZE_MEDIUM), 'javascript: void(0);',
+    array('onclick'=>'javascript: window.print();')
+);
+$actions .= Display::url(
+    Display::return_icon('export_csv.png', get_lang('ExportAsCSV'), array(), ICON_SIZE_MEDIUM),
+    api_get_self().'?export=csv&keyword='.$keyword
+);
 $actions .= '</span>';
 $actions .= '</div>';