diff --git a/main/calendar/agenda.inc.php b/main/calendar/agenda.inc.php index c1eb450f53..0c393c88f9 100644 --- a/main/calendar/agenda.inc.php +++ b/main/calendar/agenda.inc.php @@ -1,4 +1,4 @@ - 0 ? ($dayone['wday'] - 1) : 6; - $backwardsURL = api_get_self()."?".api_get_cidreq()."&coursePath=".(empty($_GET['coursePath'])?'':$_GET['coursePath'])."&courseCode=".(empty($_GET['courseCode'])?'':$_GET['courseCode'])."&month=". ($month == 1 ? 12 : $month -1)."&year=". ($month == 1 ? $year -1 : $year); - $forewardsURL = api_get_self()."?".api_get_cidreq()."&coursePath=".(empty($_GET['coursePath'])?'':$_GET['coursePath'])."&courseCode=".(empty($_GET['courseCode'])?'':$_GET['courseCode'])."&month=". ($month == 12 ? 1 : $month +1)."&year=". ($month == 12 ? $year +1 : $year); + $backwardsURL = api_get_self()."?".api_get_cidreq()."&coursePath=".(empty($_GET['coursePath'])?'':Security::remove_XSS($_GET['coursePath']))."&courseCode=".(empty($_GET['courseCode'])?'':Security::remove_XSS($_GET['courseCode']))."&month=". ($month == 1 ? 12 : $month -1)."&year=". ($month == 1 ? $year -1 : $year); + $forewardsURL = api_get_self()."?".api_get_cidreq()."&coursePath=".(empty($_GET['coursePath'])?'':Security::remove_XSS($_GET['coursePath']))."&courseCode=".(empty($_GET['courseCode'])?'':Security::remove_XSS($_GET['courseCode']))."&month=". ($month == 12 ? 1 : $month +1)."&year=". ($month == 12 ? $year +1 : $year); echo "\n", "\n", 
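Review bot: `Security::remove_XSS()` on `$_GET['coursePath']` and `$_GET['courseCode']` in the new `$backwardsURL`/`$forewardsURL` lines is the wrong tool for a query-string value: the value is being concatenated into a URL, so it needs URL encoding, e.g. `"&coursePath=".(empty($_GET['coursePath'])?'':urlencode($_GET['coursePath']))` (same for `courseCode`), with the finished URL run through `htmlspecialchars()` at the point where it is printed into an attribute. An HTML-stripping filter leaves `&`, `=` and spaces untouched, so it neither keeps the parameter intact nor by itself makes the attribute safe. The hunk header (`@@ -1,4 +1,4 @@`) does not match the visible lines and the trailing `echo` is cut off, so part of this hunk is missing from the page and where these URLs are emitted cannot be checked here.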
@@ -1460,11 +1460,11 @@ function display_student_links()
 global $show;
 if ($_SESSION['sort'] == 'DESC') {
- echo "".Display::return_icon('calendar_up.gif',get_lang('AgendaSortChronologicallyUp')).' '.get_lang("AgendaSortChronologicallyUp")." ";
+ echo "".Display::return_icon('calendar_up.gif',get_lang('AgendaSortChronologicallyUp')).' '.get_lang("AgendaSortChronologicallyUp")." ";
 } else {
- echo "".Display::return_icon('calendar_down.gif',get_lang('AgendaSortChronologicallyDown')).' '.get_lang("AgendaSortChronologicallyDown")." ";
+ echo "".Display::return_icon('calendar_down.gif',get_lang('AgendaSortChronologicallyDown')).' '.get_lang("AgendaSortChronologicallyDown")." ";
 }
 // showing the link to show all items or only those of the current month
@@ -4529,7 +4529,7 @@ function agenda_add_repeat_item($course_info,$orig_id,$type,$end,$orig_dest,$fil
 $t_agenda = Database::get_course_table(TABLE_AGENDA,$course_info['dbName']);
 $t_agenda_r = Database::get_course_table(TABLE_AGENDA_REPEAT,$course_info['dbName']);
 //$sql = "SELECT title, content, UNIX_TIMESTAMP(start_date) as sd, UNIX_TIMESTAMP(end_date) as ed FROM $t_agenda WHERE id = $orig_id";
- $sql = "SELECT title, content, start_date as sd, end_date as ed FROM $t_agenda WHERE id = $orig_id";
+ $sql = 'SELECT title, content, start_date as sd, end_date as ed FROM '. $t_agenda.' WHERE id ="'.Database::escape_string($orig_id).'" ';
 $res = Database::query($sql,__FILE__,__LINE__);
 if(Database::num_rows($res)!==1){return false;}
 $row = Database::fetch_array($res);
diff --git a/main/calendar/agenda.php b/main/calendar/agenda.php
index c625177296..85660aaa1d 100644
--- a/main/calendar/agenda.php
+++ b/main/calendar/agenda.php
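Review bot: In the `agenda_add_repeat_item` hunk (`@@ -4529,7 +4529,7 @@`) the new `WHERE id ="'.Database::escape_string($orig_id).'" '` closes the injection hole but does so by quoting an integer key as a string: `escape_string()` only neutralises quote characters, and the quoted form makes MySQL coerce `id` for the comparison. The stronger and simpler fix for a numeric primary key is a cast, `$orig_id = (int) $orig_id;` before the query and `' WHERE id = '.$orig_id`, which is also the pattern this same commit uses in agenda.php (`$_clean['toolgroup']=(int)$_GET['toolgroup']`). The function body continues outside the hunk, so whether `$orig_id` is validated by the caller cannot be seen here.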
@@ -1,4 +1,4 @@ -$_POST['fday'], 'month'=>$_POST['fmonth'], 'year'=>$_POST['fyear'], 'hour'=>$_POST['fhour'], 'minutes'=>$_POST['fminute'], - 'end_day'=>$_POST['end_fday'], 'end_month'=>$_POST['end_fmonth'], 'end_year'=>$_POST['end_fyear'], 'end_hours'=>$_POST['end_fhour'], 'end_minutes'=>$_POST['end_fminute'], - 'title'=>stripslashes($_POST['title']), 'content'=>stripslashes($_POST['content']), 'id'=>$_POST['id'], 'action'=>$_POST['action'], 'to'=>$_POST['selectedform']); +$form_elements= array ('day'=>Security::remove_XSS($_POST['fday']), 'month'=>Security::remove_XSS($_POST['fmonth']), 'year'=>Security::remove_XSS($_POST['fyear']), 'hour'=>Security::remove_XSS($_POST['fhour']), 'minutes'=>Security::remove_XSS($_POST['fminute']), + 'end_day'=>Security::remove_XSS($_POST['end_fday']), 'end_month'=>Security::remove_XSS($_POST['end_fmonth']), 'end_year'=>Security::remove_XSS($_POST['end_fyear']), 'end_hours'=>Security::remove_XSS($_POST['end_fhour']), 'end_minutes'=>Security::remove_XSS($_POST['end_fminute']), + 'title'=>Security::remove_XSS(stripslashes($_POST['title'])), 'content'=>Security::remove_XSS(stripslashes($_POST['content'])), 'id'=>Security::remove_XSS($_POST['id']), 'action'=>Security::remove_XSS($_POST['action']), 'to'=>Security::remove_XSS($_POST['selectedform'])); $_SESSION['formelements']=$form_elements; -if($id) // this is to correctly handle edits - {$action="edit";} +// this is to correctly handle edits +if($id){$action="edit";} //print_r($form_elements); header('Location: '.api_get_path(WEB_CODE_PATH)."resourcelinker/resourcelinker.php?source_id=1&action=$action&id=$id&originalresource=no"); exit; } -if (!empty($_GET['view'])) -{ - $_SESSION['view'] = $_GET['view']; +if (!empty($_GET['view'])) { + $_SESSION['view'] = Security::remove_XSS($_GET['view']); } /* 
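Review bot: `$_SESSION['view'] = Security::remove_XSS($_GET['view']);` stores a filtered but unvalidated string; `view` selects a display mode, so it should be accepted only when it matches the fixed set of views this file handles, e.g. `if (!empty($_GET['view']) && in_array($_GET['view'], $allowed_views, true))` where `$allowed_views` (constructed name) lists the supported mode names, and left unchanged otherwise. The `$form_elements` array above has the same problem in a different shape: `fday`, `fmonth`, `fyear`, `fhour`, `fminute`, the `end_*` fields and `id` are numeric, and `(int)$_POST['fday']` etc. both rejects garbage and documents the expected type, whereas an HTML filter does neither. `$action` and `$id`, which are interpolated into the `header('Location: ...')` redirect, are assigned outside this hunk; if they come from `$_POST['action']`/`$_POST['id']` they need the same validation before reaching the URL.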
@@ -155,7 +154,7 @@ if ((!empty($_GET['user']) and $_GET['user']=="none") or (!empty($_GET['group'])
 if (!$is_courseAdmin){
 if (!empty($_GET['toolgroup'])){
 //$_SESSION['toolgroup']=$_GET['toolgroup'];
- $toolgroup=$_GET['toolgroup'];
+ $toolgroup=Security::remove_XSS($_GET['toolgroup']);
 api_session_register('toolgroup');
 }
 }
@@ -178,11 +177,11 @@ $nameTools = get_lang('Agenda'); // language variable in trad4all.inc.php
 // showing the header if we are not in the learning path, if we are in
 // the learning path, we do not include the banner so we have to explicitly
 // include the stylesheet, which is normally done in the header
-if ($_GET['toolgroup']){
+if (isset($_GET['toolgroup']) && $_GET['toolgroup']==strval(intval($_GET['toolgroup'])) ){
 $_clean['toolgroup']=(int)$_GET['toolgroup'];
 $group_properties = GroupManager :: get_group_properties($_clean['toolgroup']);
 $interbreadcrumb[] = array ("url" => "../group/group.php", "name" => get_lang('Groups'));
- $interbreadcrumb[] = array ("url"=>"../group/group_space.php?gidReq=".$_SESSION['toolgroup'], "name"=> get_lang('GroupSpace').' ('.$group_properties['name'].')');
+ $interbreadcrumb[] = array ("url"=>"../group/group_space.php?gidReq=".Security::remove_XSS($_GET['toolgroup']), "name"=> get_lang('GroupSpace').' ('.$group_properties['name'].')');
 Display::display_header($nameTools,'Agenda');
 }
 elseif (empty($_GET['origin']) or $_GET['origin'] != 'learnpath') {
@@ -309,7 +308,7 @@ if (api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_ed
 $end_m = intval($_POST['repeat_end_month']);
 $end_d = intval($_POST['repeat_end_day']);
 $end = mktime(23, 59, 59, $end_m, $end_d, $end_y);
- $res = agenda_add_repeat_item($course_info,$id,$_POST['repeat_type'],$end,$_POST['selectedform'],$safe_file_comment);
+ $res = agenda_add_repeat_item($course_info,$id,Security::remove_XSS($_POST['repeat_type']),$end,Security::remove_XSS($_POST['selectedform']),$safe_file_comment);
 }
 }
 break;
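Review bot: In the first hunk (`@@ -155,7 +154,7 @@`) `$toolgroup=Security::remove_XSS($_GET['toolgroup']);` puts a filtered string into the session where a group id is expected; the matching fix is the cast the commit already uses a few lines later, `$toolgroup=(int)$_GET['toolgroup'];`. The breadcrumb hunk (`@@ -178,11 +177,11 @@`) has the same defect: `gidReq=".Security::remove_XSS($_GET['toolgroup'])` re-reads the raw parameter although the guard two lines above has just proven it is an integer and stored it as `$_clean['toolgroup']`, so the line should be `"../group/group_space.php?gidReq=".$_clean['toolgroup']` and the filter call dropped. That line also switches the source of the value from `$_SESSION['toolgroup']` to `$_GET['toolgroup']`; this looks intentional but is worth confirming, since the two are populated on different paths.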
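Review bot: `Security::remove_XSS($_POST['repeat_type'])` in the `agenda_add_repeat_item()` call (`@@ -309,7 +308,7 @@`) filters an enumerated value that should instead be checked against the repeat types the function understands, with the call skipped when it does not match; `$_POST['selectedform']` likewise reaches the `$orig_dest` parameter with no validation beyond the filter. How `$type` and `$orig_dest` are consumed is outside this hunk — only the start of that function's body is shown in agenda.inc.php — so whether either ends up in SQL needs to be checked there as well. The enclosing `switch` case begins outside the hunk.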
diff --git a/main/calendar/calendar.php b/main/calendar/calendar.php
index e28de7fc6f..47c680f3ba 100644
--- a/main/calendar/calendar.php
+++ b/main/calendar/calendar.php
@@ -1,4 +1,4 @@
-setProperty( 'summary', api_convert_encoding($ai['title'],'UTF-8',$charset));
- if(empty($ai['date'])){header('location:'.$_SERVER['HTTP_REFERER']);}
+ if(empty($ai['date'])){header('location:'.Security::remove_XSS($_SERVER['HTTP_REFERER']));}
 list($y,$m,$d,$h,$M,$s) = preg_split('/[\s:-]/',$ai['date']);
 $vevent->setProperty('dtstart',array('year'=>$y,'month'=>$m,'day'=>$d,'hour'=>$h,'min'=>$M,'sec'=>$s));
 if(empty($ai['enddate']))
@@ -97,7 +97,7 @@ if(!empty($_GET['id']) && $_GET['id']==strval(intval($_GET['id'])))
 require_once (api_get_path(SYS_CODE_PATH).'calendar/agenda.inc.php');
 $ai = get_agenda_item($_GET['id']);
 $vevent->setProperty( 'summary', api_convert_encoding($ai['title'],'UTF-8',$charset));
- if(empty($ai['start_date'])){header('location:'.$_SERVER['HTTP_REFERER']);}
+ if(empty($ai['start_date'])){header('location:'.Security::remove_XSS($_SERVER['HTTP_REFERER']));}
 list($y,$m,$d,$h,$M,$s) = preg_split('/[\s:-]/',$ai['start_date']);
 $vevent->setProperty('dtstart',array('year'=>$y,'month'=>$m,'day'=>$d,'hour'=>$h,'min'=>$M,'sec'=>$s));
 if(empty($ai['end_date']))
@@ -130,14 +130,14 @@ if(!empty($_GET['id']) && $_GET['id']==strval(intval($_GET['id'])))
 $ical->returnCalendar();
 break;
 default:
- header('location:'.$_SERVER['HTTP_REFERER']);
+ header('location:'.Security::remove_XSS($_SERVER['HTTP_REFERER']));
 die();
 }
 }
 } else {
- header('location:'.$_SERVER['HTTP_REFERER']);
+ header('location:'.Security::remove_XSS($_SERVER['HTTP_REFERER']));
 die();
 }
 ?>
diff --git a/main/calendar/print.php b/main/calendar/print.php
index 496cf66c84..c74079a945 100644
--- a/main/calendar/print.php
+++ b/main/calendar/print.php
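Review bot: `Security::remove_XSS($_SERVER['HTTP_REFERER'])` does not make the referer a safe redirect target: the header is client-supplied, may be absent (yielding `location:` with an empty target), and an HTML filter does nothing to stop it pointing at an arbitrary external site, so all four `header('location:...')` lines in this file (this hunk, `@@ -97,7 +97,7 @@` and both in `@@ -130,14 +130,14 @@`) remain an open redirect. Redirect to a fixed local page instead, or accept the referer only when it starts with the application's own base URL (the `api_get_path()` family used elsewhere in this commit) and fall back to that page otherwise. Separately, the two `if(empty(...)){header(...);}` guards (here and in `@@ -97`) have no `die()`/`exit` after the header, unlike the later two, so execution continues into `preg_split()` and `list()` on the empty date; add `exit;` inside those braces. The first hunk's header (`@@ -1,4 +1,4 @@`) does not match its visible content, so part of it is missing from the page.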
@@ -19,7 +19,7 @@ else
 }
 // setting the global file that gets the general configuration, the databases, the languages, ...
-require('../inc/global.inc.php');
+require_once '../inc/global.inc.php';
diff --git a/main/inc/lib/groupmanager.lib.php b/main/inc/lib/groupmanager.lib.php
index f1a49dbbb2..bf09b15590 100644
--- a/main/inc/lib/groupmanager.lib.php
+++ b/main/inc/lib/groupmanager.lib.php
@@ -33,11 +33,11 @@
 * @package dokeos.library
 ==============================================================================
 */
-require_once ('database.lib.php');
-require_once ('course.lib.php');
-require_once ('tablesort.lib.php');
-require_once ('fileManage.lib.php');
-require_once ('fileUpload.lib.php');
+require_once 'database.lib.php';
+require_once 'course.lib.php';
+require_once 'tablesort.lib.php';
+require_once 'fileManage.lib.php';
+require_once 'fileUpload.lib.php';
 /**
 * infinite
 */
@@ -973,11 +973,16 @@ class GroupManager
 if (!$user_id > 0) return false;
 $table_group = Database :: get_course_table(TABLE_GROUP);
- $group_id = Database::escape_string($group_id);
- $sql = 'SELECT self_registration_allowed FROM '.$table_group.' WHERE id = '.$group_id;
- $db_result = api_sql_query($sql,__FILE__,__LINE__);
- $db_object = Database::fetch_object($db_result);
+ $group_id=(int)$group_id;
+ if (isset($group_id)) {
+ $group_id = Database::escape_string($group_id);
+ $sql = 'SELECT self_registration_allowed FROM '.$table_group.' WHERE id = "'.$group_id.'" ';
+ $db_result = api_sql_query($sql,__FILE__,__LINE__);
+ $db_object = Database::fetch_object($db_result);
 return $db_object->self_registration_allowed == 1 && GroupManager :: can_user_subscribe($user_id, $group_id);
+ } else {
+ return false;
+ }
 }
 /**
 * Is sef-unregistration allowed?
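Review bot: `if (isset($group_id))` on the line after `$group_id=(int)$group_id;` is always true — `isset()` is false only for null or unset, and the cast has just produced an int — so the new `} else { return false; }` branch is unreachable and a missing or non-numeric id still runs the query with `id = "0"`. The intended guard is presumably a range check, `if ($group_id > 0) {`, after which `Database::escape_string()` on an int is redundant and the previous unquoted `' WHERE id = '.$group_id` form can stay. The context line `if (!$user_id > 0) return false;` parses as `(!$user_id) > 0`, i.e. it rejects only a falsy `$user_id` and lets negative ids through; `if ($user_id <= 0) return false;` is the likely intent. The method's signature and docblock are outside the hunk; the print.php and `require_once` hunks above are cosmetic and need nothing.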