diff --git a/WebContent/WEB-INF/dwr.xml b/WebContent/WEB-INF/dwr.xml
index 2d6c68637b..87e211ebed 100644
--- a/WebContent/WEB-INF/dwr.xml
+++ b/WebContent/WEB-INF/dwr.xml
@@ -20,11 +20,10 @@
 
 <dwr>
   <init>
-    <converter id="localizableMessage" class="com.serotonin.web.dwr.LocalizableMessageConverter"/>
-    <converter id="protocolVersionConverter" class="com.serotonin.mango.web.dwr.ProtocolVersionConverter"/>
-    <converter id="xssDataPointVoConverter" class="com.serotonin.mango.web.dwr.XssDataPointVoConverter"/>
-    <converter id="xssDataPointBeanConverter" class="com.serotonin.mango.web.dwr.XssDataPointBeanConverter"/>
-    <converter id="opcUaDataTypeConverter" class="com.serotonin.mango.web.dwr.OpcUaDataTypeConverter"/>
+    <converter id="xssLocalizableMessageString" class="org.scada_lts.web.security.dwr.XssLocalizableMessageConverter"/>
+    <converter id="protocolVersionEnum" class="com.serotonin.mango.web.dwr.ProtocolVersionConverter"/>
+    <converter id="opcUaDataTypeEnum" class="com.serotonin.mango.web.dwr.OpcUaDataTypeConverter"/>
+    <converter id="xssBean" class="org.scada_lts.web.security.dwr.XssBeanConverter"/>
   </init>
   
   <allow>
@@ -111,8 +110,8 @@
     <convert converter="bean" match="org.scada_lts.ds.polling.protocol.opcua.vo.OpcUaItem" />
     <convert converter="bean" match="br.org.scadabr.api.vo.*" />
 
-    <convert converter="bean" match="com.serotonin.db.IntValuePair"/>
-    <convert converter="bean" match="com.serotonin.db.KeyValuePair"/>
+    <convert converter="xssBean" match="com.serotonin.db.IntValuePair"/>
+    <convert converter="xssBean" match="com.serotonin.db.KeyValuePair"/>
 
     <convert converter="bean" match="com.serotonin.mango.rt.dataSource.http.HttpReceiverPointSample"/>
     <convert converter="bean" match="com.serotonin.mango.rt.dataSource.onewire.OneWireContainerInfo"/>
@@ -139,28 +138,28 @@
     <convert converter="bean" match="com.serotonin.mango.vo.dataSource.virtual.*"/>
 
     <convert converter="bean" match="com.serotonin.mango.vo.event.handlers.*"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.CompoundEventDetectorVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.EventHandlerVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.EventTypeVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.MaintenanceEventVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.PointEventDetectorVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.ScheduledEventVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.hierarchy.PointFolder"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.CompoundEventDetectorVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.EventHandlerVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.EventTypeVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.MaintenanceEventVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.PointEventDetectorVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.ScheduledEventVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.hierarchy.PointFolder"/>
     <convert converter="bean" match="com.serotonin.mango.vo.link.PointLinkVO"/>
     <convert converter="bean" match="com.serotonin.mango.vo.mailingList.*"/>
     <convert converter="bean" match="com.serotonin.mango.vo.permission.DataPointAccess"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.publish.PublishedPointVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.publish.PublisherVO">
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.PublishedPointVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.PublisherVO">
       <param name="exclude" value="type,eventCodes"/>
     </convert>
     <convert converter="bean" match="com.serotonin.mango.vo.publish.httpSender.*"/>
     <convert converter="bean" match="com.serotonin.mango.vo.publish.pachube.*"/>
     <convert converter="bean" match="com.serotonin.mango.vo.publish.persistent.*"/>
     <convert converter="bean" match="com.serotonin.mango.vo.report.*"/>
-    <convert converter="xssDataPointVoConverter" match="com.serotonin.mango.vo.DataPointVO">
+    <convert converter="xssBean" match="com.serotonin.mango.vo.DataPointVO">
       <param name="include" value="id,xid,name,extendedName,dataSourceId,enabled,dataTypeMessage,pointLocator,engineeringUnits"/>
     </convert>
-    <convert converter="xssDataPointBeanConverter" match="com.serotonin.mango.web.dwr.beans.DataPointBean">
+    <convert converter="xssBean" match="com.serotonin.mango.web.dwr.beans.DataPointBean">
       <param name="include" value="id,xid,name,settable,dataType,dataTypeMessage,chartColour"/>
     </convert>
     <convert converter="bean" match="com.serotonin.mango.vo.User">
@@ -172,16 +171,16 @@
     <convert converter="bean" match="br.org.scadabr.vo.permission.ViewAccess">
      	<param name="include" value="id,permission"/>
     </convert>
-    <convert converter="bean" match="com.serotonin.mango.view.View">
+    <convert converter="xssBean" match="com.serotonin.mango.view.View">
      	<param name="include" value="id,name"/>
     </convert>
-    <convert converter="bean" match="br.org.scadabr.vo.usersProfiles.UsersProfileVO">
+    <convert converter="xssBean" match="br.org.scadabr.vo.usersProfiles.UsersProfileVO">
       <param name="include" value="id,name,dataSourcePermissions,dataPointPermissions, watchlistPermissions, viewPermissions"/>
     </convert>
-    <convert converter="bean" match="com.serotonin.mango.vo.WatchList">
+    <convert converter="xssBean" match="com.serotonin.mango.vo.WatchList">
       <param name="include" value="id,name"/>
     </convert>
-    <convert converter="bean" match="com.serotonin.mango.vo.UserComment"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.UserComment"/>
 
     <convert converter="bean" match="com.serotonin.mango.web.dwr.beans.*"/>
     <convert converter="bean" match="com.serotonin.mango.web.dwr.longPoll.LongPollRequest"/>
@@ -190,8 +189,8 @@
     <convert converter="bean" match="com.serotonin.web.dwr.DwrMessageI18n"/>
     <convert converter="bean" match="com.serotonin.web.dwr.DwrResponseI18n"/>
 
-    <convert converter="localizableMessage" match="com.serotonin.web.i18n.LocalizableMessage"/>
-    <convert converter="bean" match="br.org.scadabr.vo.scripting.ScriptVO">
+    <convert converter="xssLocalizableMessageString" match="com.serotonin.web.i18n.LocalizableMessage"/>
+    <convert converter="xssBean" match="br.org.scadabr.vo.scripting.ScriptVO">
     	<param name="exclude" value="type"/>
     </convert>
      <!-- MBus4J stuff-->
@@ -216,8 +215,8 @@
     <convert converter="enum" match="org.scada_lts.ds.messaging.protocol.amqp.DurabilityType" />
     <convert converter="enum" match="org.scada_lts.ds.messaging.protocol.amqp.MessageAckType" />
     <convert converter="enum" match="org.scada_lts.ds.messaging.protocol.amqp.AmqpVersion" />
-    <convert converter="protocolVersionConverter" match="org.scada_lts.ds.messaging.protocol.ProtocolVersion" />
-    <convert converter="opcUaDataTypeConverter" match="org.scada_lts.ds.polling.protocol.opcua.vo.OpcUaDataType" />
+    <convert converter="protocolVersionEnum" match="org.scada_lts.ds.messaging.protocol.ProtocolVersion" />
+    <convert converter="opcUaDataTypeEnum" match="org.scada_lts.ds.polling.protocol.opcua.vo.OpcUaDataType" />
     <convert converter="enum" match="org.scada_lts.ds.polling.protocol.opcua.vo.OpcUaIdentifierType" />
     <convert converter="enum" match="org.scada_lts.ds.polling.protocol.opcua.security.OpcUaMessageSecurityType" />
     <convert converter="enum" match="org.scada_lts.ds.polling.protocol.opcua.security.OpcUaSecurityPolicyType" />
@@ -240,15 +239,35 @@
     <convert converter="enum" match="net.sf.fhz4j.FhzDeviceTypes" />
     <!- - Fhz4J stuff-->
 
+    <convert converter="xssBean" match="com.serotonin.mango.web.dwr.beans.EventSourceBean"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.mailingList.AddressEntry"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.mailingList.MailingList"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.mailingList.UserEntry"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.report.ReportInstance"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.report.ReportVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.web.dwr.beans.RecipientListEntryBean"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.bean.PointHistoryCount"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.bean.ImageValueBean"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.httpSender.HttpSenderVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.httpSender.HttpPointVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.pachube.PachubeSenderVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.pachube.PachubePointVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.persistent.PersistentSenderVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.persistent.PersistentPointVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.util.ExportCodes"/>
+    <convert converter="xssBean" match="com.serotonin.mango.util.ExportCodes.Element"/>
+    <convert converter="enum" match="com.serotonin.mango.vo.publish.PublisherVO$Type"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.dataSource.http.HttpReceiverPointLocatorVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.dataSource.sql.SqlPointLocatorVO"/>
 
-  
     <convert converter="exception" match="java.lang.Exception">
       <param name="include" value="message"/>
     </convert>
 
-    <convert converter="bean" match="org.scada_lts.dao.model.UserIdentifier"/>
-    <convert converter="bean" match="org.scada_lts.web.mvc.api.dto.MailingListJson"/>
-    <convert converter="bean" match="org.scada_lts.web.mvc.api.dto.EmailRecipientJson"/>
+    <convert converter="xssBean" match="org.scada_lts.dao.model.UserIdentifier"/>
+    <convert converter="xssBean" match="org.scada_lts.web.mvc.api.dto.MailingListJson"/>
+    <convert converter="xssBean" match="org.scada_lts.web.mvc.api.dto.UserEntryJson"/>
+    <convert converter="xssBean" match="org.scada_lts.web.mvc.api.dto.AddressEntryJson"/>
   </allow>
   <signatures>
     <![CDATA[
diff --git a/WebContent/WEB-INF/jsp/compoundEvents.jsp b/WebContent/WEB-INF/jsp/compoundEvents.jsp
index 3e86e391d5..d3571d3fa7 100644
--- a/WebContent/WEB-INF/jsp/compoundEvents.jsp
+++ b/WebContent/WEB-INF/jsp/compoundEvents.jsp
@@ -96,7 +96,7 @@
             editingCompoundEvent = ced;
             
             $set("xid", ced.xid);
-            $set("name", ced.name);
+            $set("name", unescapeHtml(ced.name));
             $set("alarmLevel", ced.alarmLevel);
             $set("rtn", ced.returnToNormal);
             $set("condition", ced.condition);
diff --git a/WebContent/WEB-INF/jsp/dataSourceEdit/editHttpReceiver.jsp b/WebContent/WEB-INF/jsp/dataSourceEdit/editHttpReceiver.jsp
index 1211019320..5f511a0cd4 100644
--- a/WebContent/WEB-INF/jsp/dataSourceEdit/editHttpReceiver.jsp
+++ b/WebContent/WEB-INF/jsp/dataSourceEdit/editHttpReceiver.jsp
@@ -182,9 +182,9 @@
   }
   
   function editPointCBImpl(locator) {
-      $set("parameterName", locator.parameterName);
+      $set("parameterName", unescapeHtml(locator.parameterName));
       $set("dataTypeId", locator.dataTypeId);
-      $set("binary0Value", locator.binary0Value);
+      $set("binary0Value", unescapeHtml(locator.binary0Value));
       changeDataTypeId();
   }
   
diff --git a/WebContent/WEB-INF/jsp/dataSourceEdit/editSql.jsp b/WebContent/WEB-INF/jsp/dataSourceEdit/editSql.jsp
index ea2dc6f8da..d35600c6fc 100644
--- a/WebContent/WEB-INF/jsp/dataSourceEdit/editSql.jsp
+++ b/WebContent/WEB-INF/jsp/dataSourceEdit/editSql.jsp
@@ -126,9 +126,9 @@
   }
   
   function editPointCBImpl(locator) {
-      $set("fieldName", locator.fieldName);
-      $set("timeOverrideName", locator.timeOverrideName);
-      $set("updateStatement", locator.updateStatement);
+      $set("fieldName", unescapeHtml(locator.fieldName));
+      $set("timeOverrideName", unescapeHtml(locator.timeOverrideName));
+      $set("updateStatement", unescapeHtml(locator.updateStatement));
       $set("dataTypeId", locator.dataTypeId);
   }
   
diff --git a/WebContent/WEB-INF/jsp/eventHandlers.jsp b/WebContent/WEB-INF/jsp/eventHandlers.jsp
index ce3d3b6fe1..ef526ca623 100644
--- a/WebContent/WEB-INF/jsp/eventHandlers.jsp
+++ b/WebContent/WEB-INF/jsp/eventHandlers.jsp
@@ -79,7 +79,7 @@
         var pointNode, dataSourceNode, publisherNode, etNode, wid;
         
         allPoints = data.allPoints;
-        
+
         emailRecipients = new mango.erecip.EmailRecipients("emailRecipients",
                 "<spring:message code="eventHandlers.recipTestEmailMessage" />",
                 data.mailingLists, data.users);
@@ -228,7 +228,7 @@
             img = "images/cog_process.png";
 
         var node = dojo.widget.createWidget("TreeNode", {
-                title: "<img src='"+ img +"'/> <span id='"+ handler.id +"Msg'>"+ handler.message +"</span>",
+                title: "<img src='"+ img +"'/> <span id='"+ handler.id +"Msg'>"+ unescapeHtml(handler.message) +"</span>",
                 widgetId: "h"+ handler.id,
                 object: handler
         });
@@ -286,7 +286,7 @@
             $set("handlerTypeSelect", handler.handlerType);
             $("handlerTypeSelect").disabled = true;
             $set("xid", handler.xid);
-            $set("alias", handler.alias);
+            $set("alias", unescapeHtml(handler.alias));
             $set("disabled", handler.disabled);
             if (handler.handlerType == <c:out value="<%= EventHandlerVO.TYPE_SET_POINT %>"/>) {
                 $set("targetPointSelect", handler.targetPointId);
@@ -527,7 +527,7 @@
                 selectedHandlerNode.onTitleClick();
             }
             else
-                $set(handler.id +"Msg", handler.message);
+                $set(handler.id +"Msg", unescapeHtml(handler.message));
 
             setUserMessage("<spring:message code="eventHandlers.saved"/>");
             selectedHandlerNode.object = handler;
diff --git a/WebContent/WEB-INF/jsp/include/settingsEditor.jsp b/WebContent/WEB-INF/jsp/include/settingsEditor.jsp
index 84ad9df6d4..5d56ae000b 100644
--- a/WebContent/WEB-INF/jsp/include/settingsEditor.jsp
+++ b/WebContent/WEB-INF/jsp/include/settingsEditor.jsp
@@ -153,15 +153,15 @@
         
         this.updatePointList = function(dataTypes) {
             dwr.util.removeAllOptions("settingsPointList");
-            		
-            for (i=0; i<settingsEditor.pointList.length; i++) {
-				if (contains(dataTypes, settingsEditor.pointList[i].dataType)) {
-				jQuery("#settingsPointList").append( new Option(
-							settingsEditor.pointList[i].name,
-							settingsEditor.pointList[i].id) );
-				}
-			}
-            jQuery("#settingsPointList").append( new Option('',-1) );
+
+        for (let i = 0; i < settingsEditor.pointList.length; i++) {
+            const p = settingsEditor.pointList[i];
+            if (contains(dataTypes, p.dataType)) {
+                const label = unescapeHtml(p.name);
+                jQuery("#settingsPointList").append(new Option(label, p.id));
+            }
+        }
+        jQuery("#settingsPointList").append( new Option('',-1) );
         };
     }
     var settingsEditor = new SettingsEditor();
diff --git a/WebContent/WEB-INF/jsp/mailingLists.jsp b/WebContent/WEB-INF/jsp/mailingLists.jsp
index 0324b65f85..11a78e0494 100644
--- a/WebContent/WEB-INF/jsp/mailingLists.jsp
+++ b/WebContent/WEB-INF/jsp/mailingLists.jsp
@@ -47,7 +47,7 @@
             editingMailingList = ml;
             
             $set("xid", ml.xid);
-            $set("name", ml.name);
+            $set("name", unescapeHtml(ml.name));
             $set("dailyLimitSentEmailsNumber", ml.dailyLimitSentEmailsNumber);
             $set("cronPattern", ml.cronPattern);
             $set("collectInactiveEmails", ml.collectInactiveEmails);
@@ -98,7 +98,10 @@
             if (!found)
                 availUsers[availUsers.length] = user;
         }
-        dwr.util.addOptions($("userList"), availUsers, "id", "username");
+        dwr.util.addOptions($("userList"), availUsers,
+                function(u) { return u.id; },
+                function(u) { return unescapeHtml(u.username); }
+        );
     }
 
     function saveMailingList() {
@@ -226,6 +229,7 @@
             referenceAddress : addr
         };
         editingMailingList.entries[editingMailingList.entries.length] = addressEntry;
+        addressEntry.referenceAddress = escapeHtml(addressEntry.referenceAddress);
         appendAddressEntry(addressEntry);
         updateEmptyListMessage();
     }
diff --git a/WebContent/WEB-INF/jsp/maintenanceEvents.jsp b/WebContent/WEB-INF/jsp/maintenanceEvents.jsp
index 81d3243771..16539dfda0 100644
--- a/WebContent/WEB-INF/jsp/maintenanceEvents.jsp
+++ b/WebContent/WEB-INF/jsp/maintenanceEvents.jsp
@@ -53,7 +53,10 @@
             oncedays[oncedays.length] = new OptionData(i, i);
         
         MaintenanceEventsDwr.getMaintenanceEvents(function(response) {
-            dwr.util.addOptions("dataSourceId", response.data.dataSources, "key", "value");
+        	var ds = response.data.dataSources.map(function(o) {
+                return { key: o.key, value: unescapeHtml(o.value) };
+        	});
+        	dwr.util.addOptions("dataSourceId", ds, "key", "value");
         	
         	var events = response.data.events;
             for (var i=0; i<events.length; i++) {
@@ -77,9 +80,9 @@
             
             updateToggle(response.data.activated);
             
-            $set("xid", me.xid);
+            $set("xid", unescapeHtml(me.xid));
             $set("dataSourceId", me.dataSourceId);
-            $set("alias", me.alias);
+            $set("alias", unescapeHtml(me.alias));
             $set("alarmLevel", me.alarmLevel);
             updateAlarmLevelImage();
             $set("scheduleType", me.scheduleType);
@@ -92,14 +95,14 @@
             $set("activeHour", me.activeHour);
             $set("activeMinute", me.activeMinute);
             $set("activeSecond", me.activeSecond);
-            $set("activeCron", me.activeCron);
+            $set("activeCron", unescapeHtml(me.activeCron));
             $set("inactiveYear", me.inactiveYear);
             $set("inactiveMonth", me.inactiveMonth);
             $set("inactiveDay", me.inactiveDay);
             $set("inactiveHour", me.inactiveHour);
             $set("inactiveMinute", me.inactiveMinute);
             $set("inactiveSecond", me.inactiveSecond);
-            $set("inactiveCron", me.inactiveCron);
+            $set("inactiveCron", unescapeHtml(me.inactiveCron));
             
             setUserMessage();
         });
diff --git a/WebContent/WEB-INF/jsp/pointEdit/pointProperties.jsp b/WebContent/WEB-INF/jsp/pointEdit/pointProperties.jsp
index 1b0d4cc20d..e2e7c50f5b 100644
--- a/WebContent/WEB-INF/jsp/pointEdit/pointProperties.jsp
+++ b/WebContent/WEB-INF/jsp/pointEdit/pointProperties.jsp
@@ -49,7 +49,7 @@
       </td>
     </tr>
       
-    <spring:bind path="form.name">
+    <spring:bind path="form.name" htmlEscape="false">
       <tr>
         <td class="formLabelRequired"><spring:message code="pointEdit.props.name"/></td>
         <div>
@@ -59,7 +59,7 @@
       </tr>
     </spring:bind>
 
-    <spring:bind path="form.description">
+    <spring:bind path="form.description" htmlEscape="false">
       <tr>
         <td class="formLabelRequired"><spring:message code="pointEdit.props.description"/></td>
         <td class="formField"><input type="text" class="formLong" name="description" value="<c:out value="${status.value}"/>"/></td>
diff --git a/WebContent/WEB-INF/jsp/pointHierarchySLTS.jsp b/WebContent/WEB-INF/jsp/pointHierarchySLTS.jsp
index c0a5ac24bf..0437618e69 100644
--- a/WebContent/WEB-INF/jsp/pointHierarchySLTS.jsp
+++ b/WebContent/WEB-INF/jsp/pointHierarchySLTS.jsp
@@ -815,21 +815,33 @@ var messages = {
  		          dialog.getButton('btn-Close').disable();
  		          var $button = this;
  		          $button.disable();
- 		          $button.spin();
- 		          dialog.setClosable(false);
- 		          $.ajax({
-		            type: "POST",
-		        	dataType: "json",
-		        	url:myLocation+"pointHierarchy/new/0/"+dialog.getModalBody().find('input').val(),
-		        	success: function(msg){
-		        	  var titleNewNode = dialog.getModalBody().find('input').val();
-		        	  dialog.getModalBody().html('<div><h3>'+messages.folder+':</h3><ul><li>'+messages.key+':<b>'+msg+'</b></li><li>'+messages.title+':<b>'+titleNewNode+'</b></li></ul></div>');
-		        	  $button.hide();
-		 		      $button.stopSpin();
-		 		      dialog.setClosable(true);
-		 		      dialog.getButton('btn-Close').enable();
-		 		       dialog.close();
-		 		       reload();
+					$button.spin();
+					dialog.setClosable(false);
+					let inputs = dialog.getModalBody().find('input');
+					let titleNewNode;
+					if(inputs.length == 1) {
+						let inputNode = inputs[0];
+						titleNewNode = inputNode.value ? inputNode.value.replaceAll('\\','').replaceAll('\/','') : '';
+					}
+
+					if(!titleNewNode) {
+						dialog.getModalBody().html('<div><h3>'+messages.folderNotAdd+'</h3><p>'+ messages.errorThrown +':'+errorThrown+'</p></div>');
+						dialog.setClosable(true);
+						dialog.getButton('btn-Close').enable();
+						return;
+					}
+
+					$.ajax({
+						type: "POST",
+						dataType: "json",
+						url:myLocation+"pointHierarchy/new/0/"+titleNewNode,
+						success: function(msg){
+							$button.hide();
+							$button.stopSpin();
+							dialog.setClosable(true);
+							dialog.getButton('btn-Close').enable();
+							dialog.close();
+							reload();
 		        	  },
 		        	  error: function(XMLHttpRequest, textStatus, errorThrown) {
 		        	    dialog.getModalBody().html('<div><h3>'+messages.folderNotAdd+'</h3><p>'+ messages.errorThrown +':'+errorThrown+'</p></div>');
diff --git a/WebContent/WEB-INF/jsp/pointLinks.jsp b/WebContent/WEB-INF/jsp/pointLinks.jsp
index 1ca2b832d4..694a6de922 100644
--- a/WebContent/WEB-INF/jsp/pointLinks.jsp
+++ b/WebContent/WEB-INF/jsp/pointLinks.jsp
@@ -28,17 +28,19 @@
     
     function init() {
         PointLinksDwr.init(function(response) {
+            let srcOpts = response.sourcePoints.map(p => ({ key: p.key, value: unescapeHtml(p.value) }));
+            let tgtOpts = response.targetPoints.map(p => ({ key: p.key, value: unescapeHtml(p.value) }));
             sourcePoints = response.sourcePoints;
             
             // Add points to source and target selects
-            dwr.util.addOptions("sourcePointId", response.sourcePoints, "key", "value");
+            dwr.util.addOptions("sourcePointId", srcOpts, "key", "value");
             jQuery("#sourcePointId").chosen({
                 allow_single_deselect: true,
                 placeholder_text_single: "<spring:message code='chosen.selector.selectPoint'/>",
                 search_contains: true,
                 width: "100%"
             });
-            dwr.util.addOptions("targetPointId", response.targetPoints, "key", "value");
+            dwr.util.addOptions("targetPointId", tgtOpts, "key", "value");
             jQuery("#targetPointId").chosen({
               allow_single_deselect: true,
               placeholder_text_single: "<spring:message code='chosen.selector.selectPoint'/>",
diff --git a/WebContent/WEB-INF/jsp/publisherEdit.jsp b/WebContent/WEB-INF/jsp/publisherEdit.jsp
index e6d5528553..211c9a4a8f 100644
--- a/WebContent/WEB-INF/jsp/publisherEdit.jsp
+++ b/WebContent/WEB-INF/jsp/publisherEdit.jsp
@@ -95,7 +95,7 @@
             <tr>
               <td class="formLabelRequired"><spring:message code="publisherEdit.name"/></td>
               <td class="formField">
-                <input type="text" id="name" value="${publisher.name}"/>
+                <input type="text" id="name" value="<c:out value='${publisher.name}'/>"/>
                 <div id="nameMsg" class="formError" style="display:none;"></div>
               </td>
             </tr>
@@ -103,20 +103,20 @@
             <tr>
               <td class="formLabelRequired"><spring:message code="common.xid"/></td>
               <td class="formField">
-                <input type="text" id="xid" value="${publisher.xid}"/>
+                <input type="text" id="xid" value="<c:out value='${publisher.xid}'/>"/>
                 <div id="xidMsg" class="formError" style="display:none;"></div>
               </td>
             </tr>
             
             <tr>
               <td class="formLabelRequired"><spring:message code="common.enabled"/></td>
-              <td class="formField"><sst:checkbox id="enabled" selectedValue="${publisher.enabled}"/></td>
+              <td class="formField"><sst:checkbox id="enabled" selectedValue="<c:out value='${publisher.enabled}'/>"/></td>
             </tr>
             
             <tr>
               <td class="formLabelRequired"><spring:message code="publisherEdit.cacheWarning"/></td>
               <td class="formField">
-                <input type="text" id="cacheWarningSize" value="${publisher.cacheWarningSize}" class="formShort"/>
+                <input type="text" id="cacheWarningSize" value="<c:out value='${publisher.cacheWarningSize}'/>" class="formShort"/>
                 <div id="cacheWarningSizeMsg" class="formError" style="display:none;"></div>
               </td>
             </tr>
@@ -124,7 +124,7 @@
             <tr>
               <td class="formLabelRequired"><spring:message code="publisherEdit.updateEvent"/></td>
               <td class="formField">
-                <sst:select id="changesOnly" value="${publisher.changesOnly}">
+                <sst:select id="changesOnly" value="<c:out value='${publisher.changesOnly}'/>">
                   <sst:option value="false"><spring:message code="publisherEdit.updateEvent.all"/></sst:option>
                   <sst:option value="true"><spring:message code="publisherEdit.updateEvent.changes"/></sst:option>
                 </sst:select>
@@ -134,14 +134,14 @@
             <tr>
               <td class="formLabelRequired"><spring:message code="publisherEdit.snapshot"/></td>
               <td class="formField"><sst:checkbox id="sendSnapshot" onclick="sendSnapshotChanged()"
-                      selectedValue="${publisher.sendSnapshot}"/></td>
+                      selectedValue="<c:out value='${publisher.sendSnapshot}'/>"/></td>
             </tr>
             
             <tr>
               <td class="formLabelRequired"><spring:message code="publisherEdit.snapshotPeriod"/></td>
               <td class="formField">
-                <input type="text" id="snapshotSendPeriods" value="${publisher.snapshotSendPeriods}" class="formShort"/>
-                <sst:select id="snapshotSendPeriodType" value="${publisher.snapshotSendPeriodType}">
+                <input type="text" id="snapshotSendPeriods" value="<c:out value='${publisher.snapshotSendPeriods}'/>" class="formShort"/>
+                <sst:select id="snapshotSendPeriodType" value="<c:out value='${publisher.snapshotSendPeriodType}'/>">
                   <tag:timePeriodOptions sst="true" s="true" min="true" h="true"/>
                 </sst:select>
                 <div id="snapshotSendPeriodsMsg" class="formError" style="display:none;"></div>
diff --git a/WebContent/WEB-INF/jsp/publisherEdit/editHttpSender.jsp b/WebContent/WEB-INF/jsp/publisherEdit/editHttpSender.jsp
index 54a80b122b..cb97d8c666 100644
--- a/WebContent/WEB-INF/jsp/publisherEdit/editHttpSender.jsp
+++ b/WebContent/WEB-INF/jsp/publisherEdit/editHttpSender.jsp
@@ -35,22 +35,22 @@
       var list = response.data.allPoints;
       for (var i=0; i<list.length; i++)
           allPoints[allPoints.length] = {
-                  id: list[i].id, name: list[i].extendedName, enabled: list[i].enabled, type: list[i].dataTypeMessage};
+                  id: list[i].id, name: unescapeHtml(list[i].extendedName), enabled: list[i].enabled, type: unescapeHtml(list[i].dataTypeMessage)};
 
       staticHeaderList = new Array();
       list = response.data.publisher.staticHeaders;
       for (i=0; i<list.length; i++)
-          staticHeaderList[staticHeaderList.length] = {key: list[i].key, value: list[i].value};
+          staticHeaderList[staticHeaderList.length] = {key: unescapeHtml(list[i].key), value: unescapeHtml(list[i].value)};
       refreshStaticHeaderList();
       
       list = response.data.publisher.staticParameters;
       for (i=0; i<list.length; i++)
-          staticParameterList[staticParameterList.length] = {key: list[i].key, value: list[i].value};
+          staticParameterList[staticParameterList.length] = {key: unescapeHtml(list[i].key), value: unescapeHtml(list[i].value)};
       refreshStaticParameterList();
       
       list = response.data.publisher.points;
       for (i=0; i<list.length; i++)
-          addToSelectedArray(list[i].dataPointId, list[i].parameterName, list[i].includeTimestamp);
+          addToSelectedArray(list[i].dataPointId, unescapeHtml(list[i].parameterName), unescapeHtml(list[i].includeTimestamp));
       refreshSelectedPoints();
       PublisherEditDwr.getBasicCredentials(staticHeaderList, setCredentials);
       PublisherEditDwr.getIsUseJSON(setUseJSON);
@@ -67,7 +67,7 @@
     var i;
     var list = response.data.staticHeaders;
     for (i=0; i<list.length; i++)
-      staticHeaderList[staticHeaderList.length] = {key: list[i].key, value: list[i].value};
+      staticHeaderList[staticHeaderList.length] = {key: unescapeHtml(list[i].key), value: unescapeHtml(list[i].value)};
     refreshStaticHeaderList();
     PublisherEditDwr.getBasicCredentials(staticHeaderList, setCredentials);
   }
@@ -120,7 +120,7 @@
       else {
           hide("noStaticHeadersMsg");
           dwr.util.addRows("staticHeaderList", staticHeaderList, [
-                  function(data) { return data.key +"="+ data.value; },
+                  function(data) { return escapeHtml(data.key) +"="+ escapeHtml(data.value); },
                   function(data, options) {
                       return "<img src='images/bullet_delete.png' class='ptr' title='<spring:message code="publisherEdit.httpSender.removeHeader"/>' "+
                               "onclick='removeStaticHeader("+ options.rowIndex + ");'/>";
@@ -164,7 +164,7 @@
       else {
           hide("noStaticParametersMsg");
           dwr.util.addRows("staticParameterList", staticParameterList, [
-                  function(data) { return data.key +"="+ data.value; },
+                  function(data) { return escapeHtml(data.key) +"="+ escapeHtml(data.value); },
                   function(data, options) {
                       return "<img src='images/bullet_delete.png' class='ptr' title='<spring:message code="publisherEdit.httpSender.removeParam"/>' "+
                               "onclick='removeStaticParameter("+ options.rowIndex + ");'/>";
@@ -211,11 +211,11 @@
           hide("selectedPointsEmpty");
           dwr.util.addRows("selectedPoints", selectedPoints,
               [
-                  function(data) { return data.pointName; },
+                  function(data) { return "<span>" + escapeHtml(data.pointName) + "</span>"; },
                   function(data) { return "<img src='images/"+ (data.enabled ? "brick_go" : "brick_stop") +".png'/>"; },
-                  function(data) { return data.pointType; },
+                  function(data) { return "<span>" + data.pointType + "</span>"; },
                   function(data) {
-                          return "<input type='text' value='"+ data.parameterName +"' "+
+                          return "<input type='text' value='"+ escapeHtml(data.parameterName) +"' "+
                                   "onblur='updateParameterName("+ data.id +", this.value)'/>";
                   },
                   function(data) {
diff --git a/WebContent/WEB-INF/jsp/publisherEdit/editPachube.jsp b/WebContent/WEB-INF/jsp/publisherEdit/editPachube.jsp
index bd9c9742a2..411f1ea4f2 100644
--- a/WebContent/WEB-INF/jsp/publisherEdit/editPachube.jsp
+++ b/WebContent/WEB-INF/jsp/publisherEdit/editPachube.jsp
@@ -27,7 +27,7 @@
           var list = response.data.allPoints;
           for (var i=0; i<list.length; i++)
               allPoints[allPoints.length] = {
-                      id: list[i].id, name: list[i].extendedName, enabled: list[i].enabled, type: list[i].dataTypeMessage};
+                      id: list[i].id, name: unescapeHtml(list[i].extendedName), enabled: list[i].enabled, type: list[i].dataTypeMessage};
               
           list = response.data.publisher.points;
           for (i=0; i<list.length; i++)
@@ -77,7 +77,7 @@
           hide("selectedPointsEmpty");
           dwr.util.addRows("selectedPoints", selectedPoints,
               [
-                  function(data) { return data.pointName; },
+                  function(data) { return "<span>" + escapeHtml(data.pointName) + "</span>"; },
                   function(data) { return "<img src='images/"+ (data.enabled ? "brick_go" : "brick_stop") +".png'/>"; },
                   function(data) { return data.pointType; },
                   function(data) {
diff --git a/WebContent/WEB-INF/jsp/publisherEdit/editPersistent.jsp b/WebContent/WEB-INF/jsp/publisherEdit/editPersistent.jsp
index 99c3bfecf1..2d22baf2e5 100644
--- a/WebContent/WEB-INF/jsp/publisherEdit/editPersistent.jsp
+++ b/WebContent/WEB-INF/jsp/publisherEdit/editPersistent.jsp
@@ -28,7 +28,7 @@
           var list = response.data.allPoints;
           for (var i=0; i<list.length; i++)
               allPoints[allPoints.length] = {
-                      id: list[i].id, name: list[i].extendedName, enabled: list[i].enabled, type: list[i].dataTypeMessage};
+                      id: list[i].id, name: unescapeHtml(list[i].extendedName), enabled: list[i].enabled, type: list[i].dataTypeMessage};
               
           list = response.data.publisher.points;
           for (i=0; i<list.length; i++)
@@ -76,7 +76,7 @@
           hide("selectedPointsEmpty");
           dwr.util.addRows("selectedPoints", selectedPoints,
               [
-                  function(data) { return data.pointName; },
+                  function(data) { return "<span>" + escapeHtml(data.pointName) + "</span>"; },
                   function(data) { return "<img src='images/"+ (data.enabled ? "brick_go" : "brick_stop") +".png'/>"; },
                   function(data) { return data.pointType; },
                   function(data) { 
diff --git a/WebContent/WEB-INF/jsp/publisherList.jsp b/WebContent/WEB-INF/jsp/publisherList.jsp
index 43246b24db..89425474ec 100644
--- a/WebContent/WEB-INF/jsp/publisherList.jsp
+++ b/WebContent/WEB-INF/jsp/publisherList.jsp
@@ -34,9 +34,9 @@
         dwr.util.removeAllRows("publisherList");
         dwr.util.addRows("publisherList", publishers,
             [
-                function(p) { return "<b>"+ p.name +"</b>"; },
-                function(p) { return p.typeMessage; },
-                function(p) { return p.configDescription; },
+                function(p) { return "<b>" + p.name + "</b>"; },
+                function(p) { return "<span>" + unescapeHtml(p.typeMessage) + "</span>"; },
+                function(p) { return "<span>" + unescapeHtml(p.configDescription) + "</span>"; },
                 function(p) {
                     if (p.enabled)
                         return '<img src="images/transmit_go.png" title="<spring:message code="common.enabledToggle"/>" '+
diff --git a/WebContent/WEB-INF/jsp/reports.jsp b/WebContent/WEB-INF/jsp/reports.jsp
index fd92eb1666..318964b300 100644
--- a/WebContent/WEB-INF/jsp/reports.jsp
+++ b/WebContent/WEB-INF/jsp/reports.jsp
@@ -142,7 +142,7 @@
             hide("noReportInstances");
             dwr.util.addRows("reportInstancesList", instanceArray,
                 [
-                    function(ri) { return "<span>" + escapeHtml(ri.name) + "</span>"; },
+                    function(ri) { return ri.name; },
                     function(ri) { return ri.prettyRunStartTime; },
                     function(ri) { return ri.prettyRunDuration; },
                     function(ri) { return ri.prettyReportStartTime; },
@@ -158,15 +158,15 @@
                             return "";
                             
                         var result = "<img src='images/bullet_down.png' class='ptr' title='<spring:message code="reports.export"/>' "+
-                                "onclick='exportData(\""+ escapeHtml(ri.name) +"\", "+ ri.id +")'/>";
+                                "onclick='exportData(\""+ ri.name +"\", "+ ri.id +")'/>";
                         
                         if (ri.includeEvents != <c:out value="<%= ReportVO.EVENTS_NONE %>"/>)
                             result += "<img src='images/flag_white.png' class='ptr' title='<spring:message code="reports.eventExport"/>' "+
-                                    "onclick='exportEventData(\""+ escapeHtml(ri.name) +"\", "+ ri.id +")'/>";
+                                    "onclick='exportEventData(\""+ ri.name +"\", "+ ri.id +")'/>";
                         
                         if (ri.includeUserComments)
                             result += "<img src='images/comment.png' class='ptr' title='<spring:message code="reports.userCommentExport"/>' "+
-                                    "onclick='exportUserComments(\""+ escapeHtml(ri.name) +"\", "+ ri.id +")'/>";
+                                    "onclick='exportUserComments(\""+ ri.name +"\", "+ ri.id +")'/>";
                         
                         result += "<img src='images/icon_chart.png' class='ptr' title='<spring:message code="reports.charts"/>' "+
                                 "onclick='viewChart("+ ri.id +")'/>"+
@@ -204,15 +204,15 @@
     }
     
     function exportData(name, instanceId) {
-        window.location = "export/"+ name +".csv?instanceId="+ instanceId;
+        window.location = "export/"+ encodeURIComponent(name) +".csv?instanceId="+ instanceId;
     }
     
     function exportEventData(name, instanceId) {
-        window.location = "eventExport/"+ name +"Events.csv?instanceId="+ instanceId;
+        window.location = "eventExport/"+ encodeURIComponent(name) +"Events.csv?instanceId="+ instanceId;
     }
     
     function exportUserComments(name, instanceId) {
-        window.location = "userCommentExport/"+ name +"Comments.csv?instanceId="+ instanceId;
+        window.location = "userCommentExport/"+ encodeURIComponent(name) +"Comments.csv?instanceId="+ instanceId;
     }
     
     function viewChart(instanceId) {
@@ -336,8 +336,7 @@
     }
     
     function updateReport(id, name) {
-        let escapedName = escapeHtml(name);
-        $("r"+ id +"Name").innerHTML = escapedName;
+        $("r"+ id +"Name").innerHTML = name;
     }
     
     function clearMessages() {
diff --git a/WebContent/WEB-INF/jsp/scheduledEvents.jsp b/WebContent/WEB-INF/jsp/scheduledEvents.jsp
index 11f3da220a..2588e03020 100644
--- a/WebContent/WEB-INF/jsp/scheduledEvents.jsp
+++ b/WebContent/WEB-INF/jsp/scheduledEvents.jsp
@@ -76,8 +76,8 @@
                 show($("scheduledEventDetails"));
             editingScheduledEvent = se;
             
-            $set("xid", se.xid);
-            $set("alias", se.alias);
+            $set("xid", unescapeHtml(se.xid));
+            $set("alias", unescapeHtml(se.alias));
             $set("alarmLevel", se.alarmLevel);
             updateAlarmLevelImage();
             $set("scheduleType", se.scheduleType);
@@ -91,14 +91,14 @@
             $set("activeHour", se.activeHour);
             $set("activeMinute", se.activeMinute);
             $set("activeSecond", se.activeSecond);
-            $set("activeCron", se.activeCron);
+            $set("activeCron", unescapeHtml(se.activeCron));
             $set("inactiveYear", se.inactiveYear);
             $set("inactiveMonth", se.inactiveMonth);
             $set("inactiveDay", se.inactiveDay);
             $set("inactiveHour", se.inactiveHour);
             $set("inactiveMinute", se.inactiveMinute);
             $set("inactiveSecond", se.inactiveSecond);
-            $set("inactiveCron", se.inactiveCron);
+            $set("inactiveCron", unescapeHtml(se.inactiveCron));
             
             setUserMessage();
         });
diff --git a/WebContent/WEB-INF/jsp/scripting.jsp b/WebContent/WEB-INF/jsp/scripting.jsp
index cf42c8eaaa..65d0f730e8 100644
--- a/WebContent/WEB-INF/jsp/scripting.jsp
+++ b/WebContent/WEB-INF/jsp/scripting.jsp
@@ -103,7 +103,7 @@
     }
 
     function updateScript(se) {
-        $("se"+ se.id +"Name").innerHTML = escapeHtml(se.name);
+        $("se"+ se.id +"Name").innerHTML = se.name;
         //setScheduledEventImg(se.disabled, $("se"+ se.id +"Img"));
     }
 
@@ -118,9 +118,9 @@
                  show($("scriptDetails"));
 
             editingScript = s;
-            setValueInNode('xid', s.xid);
-            setValueInNode('name', s.name);
-            setValueInNode('script', s.script);
+            setValueInNode('xid', unescapeHtml(s.xid));
+            setValueInNode('name', unescapeHtml(s.name));
+            setValueInNode('script', unescapeHtml(s.script));
 
             let handlePointsContext = new ScriptPointsContext(s.pointsOnContext, pointsArray);
             setPointsContext(handlePointsContext);
diff --git a/WebContent/WEB-INF/jsp/users.jsp b/WebContent/WEB-INF/jsp/users.jsp
index 50833c25a5..7116b6b5e3 100644
--- a/WebContent/WEB-INF/jsp/users.jsp
+++ b/WebContent/WEB-INF/jsp/users.jsp
@@ -323,7 +323,7 @@
     
     function updateUser(response) {
         var user = response.data ? response.data.user : response.user;
-        $("u"+ user.id +"Username").textContent = user.username;
+        $("u"+ user.id +"Username").innerHTML = user.username;
         setUserImg(user.admin, user.disabled, $("u"+ user.id +"Img"));
     }
     
diff --git a/WebContent/WEB-INF/jsp/usersProfiles.jsp b/WebContent/WEB-INF/jsp/usersProfiles.jsp
index 20c796fd48..e5e7faff76 100644
--- a/WebContent/WEB-INF/jsp/usersProfiles.jsp
+++ b/WebContent/WEB-INF/jsp/usersProfiles.jsp
@@ -148,7 +148,7 @@
     function showUserProfileCB(userProfile) {
         //show($("deleteButton"));
         show($("userProfileDetails"));
-        $set("userProfileName", userProfile.name);
+        $set("userProfileName", unescapeHtml(userProfile.name));
 
         if (dataSources != null){
 	        var i, j, dscb, dp;
diff --git a/WebContent/WEB-INF/jsp/watchList.jsp b/WebContent/WEB-INF/jsp/watchList.jsp
index 2ad9d93b81..192b68c453 100644
--- a/WebContent/WEB-INF/jsp/watchList.jsp
+++ b/WebContent/WEB-INF/jsp/watchList.jsp
@@ -120,7 +120,7 @@
       function addPointNames(folder) {
           var i;
           for (i=0; i<folder.points.length; i++)
-              pointNames[folder.points[i].key] = folder.points[i].value;
+              pointNames[folder.points[i].key] = unescapeHtml(folder.points[i].value);
           for (i=0; i<folder.subfolders.length; i++)
               addPointNames(folder.subfolders[i]);
       }
@@ -154,7 +154,7 @@
       function addPoint(point, parent) {
           var spanNode = document.createElement("span");
           spanNode.id = 'ph'+ point.key +'Name';
-          spanNode.textContent = point.value;
+          spanNode.innerHTML = point.value;
           var pointNode = dojo.widget.createWidget("TreeNode", {
                   title: "<img src='images/icon_comp.png'/> " + spanNode.innerHTML +
                           "<img src='images/bullet_go.png' id='ph"+ point.key +"Image' title='<spring:message code="watchlist.addToWatchlist"/>'/>",
@@ -658,10 +658,10 @@
             <tr>
               <td class="smallTitle"><spring:message code="watchlist.watchlist"/> <tag:help id="watchList"/></td>
               <td align="right">
-                <sst:select id="watchListSelect" value="${selectedWatchList}" onchange="watchListChanged()"
+                <sst:select id="watchListSelect" value="<c:out value='${selectedWatchList}'/>" onchange="watchListChanged()"
                         onmouseover="closeLayers();">
                   <c:forEach items="${watchLists}" var="wl">
-                    <sst:option value="${wl.key}">${sst:escapeLessThan(wl.value)}</sst:option>
+                    <sst:option value="<c:out value='${wl.key}'/>">${sst:escapeLessThan(wl.value)}</sst:option>
                   </c:forEach>
                 </sst:select>
 
diff --git a/WebContent/WEB-INF/tags/page.tag b/WebContent/WEB-INF/tags/page.tag
index 6c28a5b385..1e74c63756 100644
--- a/WebContent/WEB-INF/tags/page.tag
+++ b/WebContent/WEB-INF/tags/page.tag
@@ -30,7 +30,9 @@
 <html>
 <head>
   <title><c:choose>
-    <c:when test="${!empty instanceDescriptionHeader}">${instanceDescriptionHeader}</c:when>
+    <c:when test="${!empty instanceDescriptionHeader}">
+        <c:out value="${instanceDescriptionHeader}"/>
+    </c:when>
     <c:otherwise><spring:message code="header.title"/></c:otherwise>
   </c:choose></title>
 
@@ -218,7 +220,9 @@
 
   <div>
     <c:if test="${!empty instanceDescriptionHeader}">
-      <span id="instanceDescriptionHeader" align="right" valign="bottom" class="projectTitle"><a href="system_settings.shtm" style="text-decoration: none;color:grey">${instanceDescriptionHeader}</a></span>
+      <span id="instanceDescriptionHeader" align="right" valign="bottom" class="projectTitle">
+          <a href="system_settings.shtm" style="text-decoration: none;color:grey"><c:out value="${instanceDescriptionHeader}"/></a>
+      </span>
     </c:if>
   </div>
 </div>
diff --git a/build.gradle b/build.gradle
index 0d97451cff..18ed3a2aeb 100644
--- a/build.gradle
+++ b/build.gradle
@@ -241,13 +241,14 @@ test {
         includeTestsMatching "com.serotonin.mango.util.StartStopDataPointsUtilsTestsSuite"
         includeTestsMatching "org.scada_lts.utils.BlockingQueuesUtilsTest"
         includeTestsMatching "org.scada_lts.web.security.XssValidatorUtilsTestsSuite"
-        includeTestsMatching "org.scada_lts.web.mvc.api.validation.css.CssValidatorTestsSuite"
+        includeTestsMatching "org.scada_lts.web.beans.validation.css.CssValidatorTestsSuite"
         includeTestsMatching "org.scada_lts.web.beans.validation.xss.XssValidatorTestsSuite"
         includeTestsMatching "org.scada_lts.utils.CyclicDependencyValidationUtilsTest"
         includeTestsMatching "org.scada_lts.ds.polling.protocol.opcua.vo.OpcUaDataTypeTestsSuite"
         includeTestsMatching "com.serotonin.mango.vo.EngineeringUnitsTypesTest"
         includeTestsMatching "org.scada_lts.cache.PointHierarchyCacheTestsSuite"
         includeTestsMatching "com.serotonin.mango.rt.dataImage.types.BinaryValueTestsSuite"
+        includeTestsMatching "org.scada_lts.web.security.dwr.XssBeanConverterUtilsTestsSuite"
     }
 
     failFast = true
diff --git a/scadalts-ui/src/apps/App.vue b/scadalts-ui/src/apps/App.vue
index 9211f0703f..c2d26da627 100644
--- a/scadalts-ui/src/apps/App.vue
+++ b/scadalts-ui/src/apps/App.vue
@@ -18,12 +18,8 @@
 						<v-row>
 							<v-col class="d-flex justify-start align-center">
 								<div id="top-description-container" class="text-align-left">
-									<span id="top-description-prefix" class="custom-text">
-										{{ topDescriptionPrefix }}
-									</span>
-									<span id="top-description" class="custom-text">
-										{{ topDescription }}
-									</span>
+									<span id="top-description-prefix" class="custom-text" v-text="unescapeVueHtml(topDescriptionPrefix)"></span>
+									<span id="top-description" class="custom-text" v-text="unescapeVueHtml(topDescription)"></span>
 								</div>
 							</v-col>
 						</v-row>
@@ -89,7 +85,7 @@
 import NavigationBar from '../layout/NavigationBar.vue';
 import internetMixin from '@/utils/connection-status-utils';
 import NotificationAlert from '../layout/snackbars/NotificationAlert.vue';
-import {unescapeHtml} from "@/utils/common";
+import {unescapeHtml, unescapeVueHtml} from "@/utils/common";
 
 export default {
 	name: 'app',
@@ -179,6 +175,7 @@ export default {
 	},
 
 	methods: {
+		unescapeVueHtml,
 
 		fetchCustomCss() {
 			let customCss = this.$store.state.systemSettings.customCss;
diff --git a/scadalts-ui/src/components/common/EscapedTextarea.vue b/scadalts-ui/src/components/common/EscapedTextarea.vue
new file mode 100644
index 0000000000..ebcdc61c9b
--- /dev/null
+++ b/scadalts-ui/src/components/common/EscapedTextarea.vue
@@ -0,0 +1,51 @@
+<template>
+	<v-textarea
+		ref="inner"
+		:value="decoded"
+		:rows="rows"
+		:auto-grow="autoGrow"
+		v-bind="forwardAttrs"
+		v-on="listenersWithoutInput"
+		@input="onInput"
+	/>
+</template>
+
+<script>
+import { unescapeVueHtml } from '@/utils/common';
+
+const decodeHtml = (s = '') => unescapeVueHtml(s);
+
+export default {
+	name: 'EscapedTextarea',
+	inheritAttrs: false,
+	props: {
+		value: { type: String, default: '' },
+		rows: { type: [Number, String], default: 1 },
+		autoGrow: { type: Boolean, default: false },
+	},
+	computed: {
+		decoded() {
+			const raw = this.value == null ? '' : this.value;
+			return decodeHtml(raw);
+		},
+		forwardAttrs() {
+			const { value, modelValue, ...rest } = this.$attrs;
+			return rest;
+		},
+		listenersWithoutInput() {
+			const { input, ...others } = this.$listeners || {};
+			return others;
+		},
+	},
+	methods: {
+		onInput(v) {
+			this.$emit('input', v == null ? '' : String(v));
+		},
+		validate() {
+			if (this.$refs.inner && this.$refs.inner.validate) {
+				return this.$refs.inner.validate();
+			}
+		},
+	},
+};
+</script>
diff --git a/scadalts-ui/src/components/datasources/MetaDataSource/point.vue b/scadalts-ui/src/components/datasources/MetaDataSource/point.vue
index 0c8e2d4f00..af01bcd747 100644
--- a/scadalts-ui/src/components/datasources/MetaDataSource/point.vue
+++ b/scadalts-ui/src/components/datasources/MetaDataSource/point.vue
@@ -316,7 +316,7 @@
 									</table>
 								</v-col>
 							</v-row>
-							<v-textarea :rules="[ruleNotNull, ruleValidScript]"
+							<EscapedTextarea :rules="[ruleNotNull, ruleValidScript]"
 								style="width: 100%; font-family: monospace"
 								:label="$t('scriptList.script')"
 								v-model="datapoint.pointLocator.script"
@@ -325,7 +325,7 @@
 								ref="scriptBodyTextarea"
 								required
 								error-count="0"
-							></v-textarea>
+							></EscapedTextarea>
 							<v-col>
 								<v-btn block color="primary" @click="validateScript"
 									>{{ $t('script.runScript') }}
@@ -384,8 +384,10 @@
 <script>
 import DataPointCreation from '../DataPointCreation';
 import { DataTypes, DataChangeTypes } from '@/store/dataSource/constants';
+import EscapedTextarea from '@c/common/EscapedTextarea.vue';
 export default {
 	components: {
+		EscapedTextarea,
 		DataPointCreation,
 	},
 	async mounted() {
diff --git a/scadalts-ui/src/utils/common.js b/scadalts-ui/src/utils/common.js
index 856cd7e7b5..805939a25e 100644
--- a/scadalts-ui/src/utils/common.js
+++ b/scadalts-ui/src/utils/common.js
@@ -63,6 +63,25 @@ export function unescapeHtml(value) {
    return div.textContent || div.innerText;
 }
 
+export function unescapeVueHtml(str) {
+  let s = String(str);
+
+  for (let i = 0; i < 3; i++) {
+    const prev = s;
+    s = s
+      .replace(/&lt;/g, '<')
+      .replace(/&gt;/g, '>')
+      .replace(/&quot;/g, '"')
+      .replace(/&#39;/g, "'")
+      .replace(/&#10;/g, '\n')
+      .replace(/&#13;/g, '\r')
+      .replace(/&amp;/g, '&');
+
+    if (s === prev) break;
+  }
+  return s;
+}
+
 export function escapeHtml(value) {
    let div = document.createElement("div");
    div.textContent = value;
diff --git a/scadalts-ui/src/views/DataObjects/Scripting/index.vue b/scadalts-ui/src/views/DataObjects/Scripting/index.vue
index bd21f0032c..4d0dc5a0a0 100644
--- a/scadalts-ui/src/views/DataObjects/Scripting/index.vue
+++ b/scadalts-ui/src/views/DataObjects/Scripting/index.vue
@@ -27,6 +27,10 @@
 					class="elevation-1"
 					@click:row="selectScript($event.id)"
 				>
+					<template v-slot:item.name="{ item }">
+						{{ decodeName(item.name) }}
+					</template>
+
 					<template v-slot:item.actions="{ item }">
 						<v-btn icon @click.stop="runScript(item.xid)">
 							<v-icon title="run">mdi-cog</v-icon>
@@ -81,7 +85,7 @@
 						<v-form ref="editForm">
 							<v-row>
 								<v-col cols="6">
-									<v-text-field :label="$t('common.name')" v-model="scriptForm.name" :rules="[ruleNotNull, ruleMaxLen40 ]"></v-text-field>
+									<EscapedTextarea :label="$t('common.name')" v-model="scriptForm.name" :rules="[ruleNotNull, ruleMaxLen40 ]"></EscapedTextarea>
 								</v-col>
 								<v-col cols="6">
 									<v-text-field ref="xidInput" :label="$t('common.xid')" @input="validateXid" v-model="scriptForm.xid" :rules="[ruleNotNull, ruleXidUnique, ruleMaxLen50 ]"></v-text-field>
@@ -129,12 +133,14 @@
 									></v-text-field>
 								</v-col>
 							</v-row>
-							<v-textarea :rules="[ruleNotNull]"
+							<EscapedTextarea :rules="[ruleNotNull]"
 								style="width: 100%; font-family: monospace"
 								:label="$t('scriptList.script')"
+								:rows="8"
+								:autoGrow="true"
 								v-model="scriptForm.script"
 								ref="scriptBodyTextarea"
-							></v-textarea>
+							></EscapedTextarea>
 						</v-form>
 					</v-card-text>
 					<v-card-actions>
@@ -192,10 +198,12 @@
  * @author sselvaggi
  */
 import ConfirmationDialog from '@/layout/dialogs/ConfirmationDialog';
+import EscapedTextarea from '@c/common/EscapedTextarea.vue';
+import { unescapeVueHtml } from '@/utils/common';
 
 export default {
 	name: 'scriptList',
-	components: { ConfirmationDialog },
+	components: { EscapedTextarea, ConfirmationDialog },
 	async mounted() {
 		this.fetchScriptList();
 		this.datapoints = await this.$store.dispatch('getAllDatapoints');
@@ -411,8 +419,13 @@ export default {
 
 		async saveScript(closeOnSaveConfirmation = true) {
 			if (this.$refs.editForm.validate()) {
+				const payload = {
+					...this.scriptForm,
+					script: unescapeVueHtml(this.scriptForm.script || ''),
+				};
+
 				let method = this.selectedScriptId != -1 ? 'updateScript' : 'createScript';
-				await this.$store.dispatch(method, this.scriptForm);
+				await this.$store.dispatch(method, payload);
 				this.fetchScriptList();
 				this.$store.dispatch('showSuccessNotification', this.$t('scriptList.scriptSaved'));
 				if (closeOnSaveConfirmation) this.dialog = false
@@ -435,6 +448,10 @@ export default {
 
 		onScriptDeleteConfirm(e) {
 			if(e) { this.deleteScript(this.operationQueue); }
+		},
+
+		decodeName(value) {
+			return unescapeVueHtml(value || '');
 		}
 	},
 };
diff --git a/scadalts-ui/src/views/System/SystemSettings/index.vue b/scadalts-ui/src/views/System/SystemSettings/index.vue
index 9ea86bf15b..fa97d646d4 100644
--- a/scadalts-ui/src/views/System/SystemSettings/index.vue
+++ b/scadalts-ui/src/views/System/SystemSettings/index.vue
@@ -182,18 +182,22 @@
 						</v-col>
 					</v-row>
 					<v-col cols="12">
-						<v-text-field
+						<EscapedTextarea
 							v-model="systemInfoSettings.topDescriptionPrefix"
 							:label="$t('systemsettings.top.description.prefix')"
+							rows="1"
+							auto-grow
 							@focusout="saveSystemInfoSettings()"
-						></v-text-field>
+						></EscapedTextarea>
 					</v-col>
 					<v-col cols="12">
-						<v-text-field
+						<EscapedTextarea
 							v-model="systemInfoSettings.topDescription"
 							:label="$t('systemsettings.top.description')"
+							rows="1"
+							auto-grow
 							@focusout="saveSystemInfoSettings()"
-						></v-text-field>
+						></EscapedTextarea>
 					</v-col>
 
 					<data-base-info-component></data-base-info-component>
@@ -292,11 +296,13 @@ import SmsDomainSettingsComponent from './SmsDomainSettingsComponent';
 import ScadaConfigurationComponent from './ScadaConfigurationComponent';
 import AmChartSettingsComponent from './AmChartSettingsComponent';
 import DataBaseInfoComponent from './DataBaseInfoComponent';
+import EscapedTextarea from '@c/common/EscapedTextarea.vue';
 
 export default {
 	el: '#systemsettings',
 	name: 'systemsettings',
 	components: {
+		EscapedTextarea,
 		IsAlive,
 		AuditEventTypesComponent,
 		SystemEventTypesComponent,
diff --git a/src/br/org/scadabr/view/component/LinkComponent.java b/src/br/org/scadabr/view/component/LinkComponent.java
index 5894c8fb36..77f4052ad8 100644
--- a/src/br/org/scadabr/view/component/LinkComponent.java
+++ b/src/br/org/scadabr/view/component/LinkComponent.java
@@ -49,12 +49,15 @@ private void createLink() {
 	}
 
 	public String createLinkContent() {
+		String escapedHref = link == null ? "" : escapeHtml(link);
+		String escapedText = text == null ? "" : escapeHtml(text);
+
 		StringBuilder sb = new StringBuilder();
 		sb.append("<a href='")
-				.append(escapeHtml(link))
-				.append("'>");
-		sb.append(text);
-		sb.append("</a>");
+				.append(escapedHref)
+				.append("'>")
+				.append(escapedText)
+				.append("</a>");
 		return sb.toString();
 	}
 
diff --git a/src/com/serotonin/mango/vo/DataPointVO.java b/src/com/serotonin/mango/vo/DataPointVO.java
index ebb29e0656..46f7973f5b 100644
--- a/src/com/serotonin/mango/vo/DataPointVO.java
+++ b/src/com/serotonin/mango/vo/DataPointVO.java
@@ -50,6 +50,7 @@
 import org.scada_lts.ds.messaging.protocol.mqtt.MqttPointLocatorVO;
 import org.scada_lts.mango.service.DataPointService;
 import org.scada_lts.utils.ColorUtils;
+import org.scada_lts.web.security.EmptyInstance;
 
 import java.io.IOException;
 import java.io.ObjectInputStream;
@@ -62,7 +63,7 @@
 
 @JsonRemoteEntity
 public class DataPointVO implements Serializable, Cloneable, JsonSerializable, ChangeComparable<DataPointVO>,
-        ScadaValidation, GetExtendedName {
+        ScadaValidation, GetExtendedName, EmptyInstance {
     private static final long serialVersionUID = -1;
     public static final String XID_PREFIX = "DP_";
 
@@ -1165,4 +1166,9 @@ public DataPointIdentifier toIdentifier() {
                 .dataSourceName(getDataSourceName())
                 .build();
     }
+
+    @Override
+    public DataPointVO newInstanceEmpty() {
+        return new DataPointVO(-1, -1, -1);
+    }
 }
diff --git a/src/com/serotonin/mango/vo/event/EventTypeVO.java b/src/com/serotonin/mango/vo/event/EventTypeVO.java
index 9646d2f7e3..e7242fe72f 100644
--- a/src/com/serotonin/mango/vo/event/EventTypeVO.java
+++ b/src/com/serotonin/mango/vo/event/EventTypeVO.java
@@ -31,8 +31,9 @@
 import com.serotonin.mango.rt.event.type.SystemEventType;
 import com.serotonin.mango.rt.event.type.DataSourcePointEventType;
 import com.serotonin.web.i18n.LocalizableMessage;
+import org.scada_lts.web.security.EmptyInstance;
 
-public class EventTypeVO {
+public class EventTypeVO implements EmptyInstance {
     /**
      * The type of event. @see EventType.EventSources
      */
@@ -173,4 +174,9 @@ public String getEventDetectorKey() {
     public void setEventDetectorKey(String eventDetectorKey) {
         this.eventDetectorKey = eventDetectorKey;
     }
+
+    @Override
+    public EventTypeVO newInstanceEmpty() {
+        return new EventTypeVO(-1,-1,-1);
+    }
 }
diff --git a/src/com/serotonin/mango/vo/event/MaintenanceEventVO.java b/src/com/serotonin/mango/vo/event/MaintenanceEventVO.java
index 7917ad83db..d26f06a52b 100644
--- a/src/com/serotonin/mango/vo/event/MaintenanceEventVO.java
+++ b/src/com/serotonin/mango/vo/event/MaintenanceEventVO.java
@@ -31,6 +31,8 @@
 import org.scada_lts.mango.service.MaintenanceEventService;
 import org.scada_lts.utils.XidUtils;
 
+import static org.scada_lts.web.security.XssProtectUtils.unescapeHtml;
+
 @JsonRemoteEntity
 public class MaintenanceEventVO implements ChangeComparable<MaintenanceEventVO>, JsonSerializable {
     public static final String XID_PREFIX = "ME_";
@@ -305,12 +307,17 @@ public EventTypeVO getEventType() {
     public LocalizableMessage getDescription() {
         LocalizableMessage message;
 
-        if (!StringUtils.isEmpty(alias))
-            message = new LocalizableMessage("common.default", alias);
+        String unescapedAlias = unescapeHtml(alias);
+        String unescapedDataSourceName = unescapeHtml(dataSourceName);
+        String unescapedActiveCron = unescapeHtml(activeCron);
+        String unescapedInactiveCron = unescapeHtml(inactiveCron);
+
+        if (!StringUtils.isEmpty(unescapedAlias))
+            message = new LocalizableMessage("common.default", unescapedAlias);
         else if (scheduleType == TYPE_MANUAL)
-            message = new LocalizableMessage("maintenanceEvents.schedule.manual", dataSourceName);
+            message = new LocalizableMessage("maintenanceEvents.schedule.manual", unescapedDataSourceName);
         else if (scheduleType == TYPE_ONCE) {
-            message = new LocalizableMessage("maintenanceEvents.schedule.onceUntil", dataSourceName,
+            message = new LocalizableMessage("maintenanceEvents.schedule.onceUntil", unescapedDataSourceName,
                     DateFunctions.getTime(new DateTime(activeYear, activeMonth, activeDay, activeHour, activeMinute,
                             activeSecond, 0).getMillis()), DateFunctions.getTime(new DateTime(inactiveYear,
                             inactiveMonth, inactiveDay, inactiveHour, inactiveMinute, inactiveSecond, 0).getMillis()));
@@ -318,25 +325,25 @@ else if (scheduleType == TYPE_ONCE) {
         else if (scheduleType == TYPE_HOURLY) {
             String activeTime = StringUtils.pad(Integer.toString(activeMinute), '0', 2) + ":"
                     + StringUtils.pad(Integer.toString(activeSecond), '0', 2);
-            message = new LocalizableMessage("maintenanceEvents.schedule.hoursUntil", dataSourceName, activeTime,
+            message = new LocalizableMessage("maintenanceEvents.schedule.hoursUntil", unescapedDataSourceName, activeTime,
                     StringUtils.pad(Integer.toString(inactiveMinute), '0', 2) + ":"
                             + StringUtils.pad(Integer.toString(inactiveSecond), '0', 2));
         }
         else if (scheduleType == TYPE_DAILY)
-            message = new LocalizableMessage("maintenanceEvents.schedule.dailyUntil", dataSourceName, activeTime(),
+            message = new LocalizableMessage("maintenanceEvents.schedule.dailyUntil", unescapedDataSourceName, activeTime(),
                     inactiveTime());
         else if (scheduleType == TYPE_WEEKLY)
-            message = new LocalizableMessage("maintenanceEvents.schedule.weeklyUntil", dataSourceName, weekday(true),
+            message = new LocalizableMessage("maintenanceEvents.schedule.weeklyUntil", unescapedDataSourceName, weekday(true),
                     activeTime(), weekday(false), inactiveTime());
         else if (scheduleType == TYPE_MONTHLY)
-            message = new LocalizableMessage("maintenanceEvents.schedule.monthlyUntil", dataSourceName, monthday(true),
+            message = new LocalizableMessage("maintenanceEvents.schedule.monthlyUntil", unescapedDataSourceName, monthday(true),
                     activeTime(), monthday(false), inactiveTime());
         else if (scheduleType == TYPE_YEARLY)
-            message = new LocalizableMessage("maintenanceEvents.schedule.yearlyUntil", dataSourceName, monthday(true),
+            message = new LocalizableMessage("maintenanceEvents.schedule.yearlyUntil", unescapedDataSourceName, monthday(true),
                     month(true), activeTime(), monthday(false), month(false), inactiveTime());
         else if (scheduleType == TYPE_CRON)
-            message = new LocalizableMessage("maintenanceEvents.schedule.cronUntil", dataSourceName, activeCron,
-                    inactiveCron);
+            message = new LocalizableMessage("maintenanceEvents.schedule.cronUntil", unescapedDataSourceName, unescapedActiveCron,
+                    unescapedInactiveCron);
         else
             throw new ShouldNeverHappenException("Unknown schedule type: " + scheduleType);
 
diff --git a/src/com/serotonin/mango/vo/event/ScheduledEventVO.java b/src/com/serotonin/mango/vo/event/ScheduledEventVO.java
index 29d75b272e..9566bbb41a 100644
--- a/src/com/serotonin/mango/vo/event/ScheduledEventVO.java
+++ b/src/com/serotonin/mango/vo/event/ScheduledEventVO.java
@@ -46,6 +46,8 @@
 import org.scada_lts.mango.service.ScheduledEventService;
 import org.scada_lts.utils.XidUtils;
 
+import static org.scada_lts.web.security.XssProtectUtils.unescapeHtml;
+
 /**
  * @author Matthew Lohbihler
  * 
@@ -138,8 +140,12 @@ public String getEventDetectorKey() {
     public LocalizableMessage getDescription() {
         LocalizableMessage message;
 
-        if (!StringUtils.isEmpty(alias))
-            message = new LocalizableMessage("common.default", alias);
+        String unescapedAlias = unescapeHtml(alias);
+        String unescapedActiveCron = unescapeHtml(activeCron);
+        String unescapedInactiveCron = unescapeHtml(inactiveCron);
+
+        if (!StringUtils.isEmpty(unescapedAlias))
+            message = new LocalizableMessage("common.default", unescapedAlias);
         else if (scheduleType == TYPE_ONCE) {
             if (returnToNormal)
                 message = new LocalizableMessage("event.schedule.onceUntil", DateFunctions.getTime(new DateTime(
@@ -189,9 +195,9 @@ else if (scheduleType == TYPE_YEARLY) {
         }
         else if (scheduleType == TYPE_CRON) {
             if (returnToNormal)
-                message = new LocalizableMessage("event.schedule.cronUntil", activeCron, inactiveCron);
+                message = new LocalizableMessage("event.schedule.cronUntil", unescapedActiveCron, unescapedInactiveCron);
             else
-                message = new LocalizableMessage("event.schedule.cronAt", activeCron);
+                message = new LocalizableMessage("event.schedule.cronAt", unescapedActiveCron);
         }
         else
             throw new ShouldNeverHappenException("Unknown schedule type: " + scheduleType);
diff --git a/src/com/serotonin/mango/vo/report/ReportVO.java b/src/com/serotonin/mango/vo/report/ReportVO.java
index 22419b61bb..42b5d1816b 100644
--- a/src/com/serotonin/mango/vo/report/ReportVO.java
+++ b/src/com/serotonin/mango/vo/report/ReportVO.java
@@ -48,6 +48,7 @@
 import org.scada_lts.mango.service.UserService;
 import org.scada_lts.permissions.service.GetDataPointsWithAccess;
 import org.scada_lts.utils.ColorUtils;
+import org.scada_lts.utils.PathSecureUtils;
 import org.scada_lts.web.mvc.api.dto.ReportDTO;
 
 /**
@@ -873,6 +874,8 @@ public void validateRun(DwrResponseI18n response, User user) {
             response.addContextualMessage("name", "reports.validate.required");
         if (StringUtils.isLengthGreaterThan(name, 100))
             response.addContextualMessage("name", "reports.validate.longerThan100");
+        if(!PathSecureUtils.ValidationPaths.validateFilename(name + ".csv") || name.contains(";"))
+            response.addContextualMessage("name", "validate.invalidValue");
         if (points.isEmpty())
             response.addContextualMessage("points", "reports.validate.needPoint");
         if (dateRangeType != ReportVO.DATE_RANGE_TYPE_RELATIVE && dateRangeType != ReportVO.DATE_RANGE_TYPE_SPECIFIC)
diff --git a/src/com/serotonin/mango/web/dwr/PointLinksDwr.java b/src/com/serotonin/mango/web/dwr/PointLinksDwr.java
index 215d8734f6..ca6e943552 100644
--- a/src/com/serotonin/mango/web/dwr/PointLinksDwr.java
+++ b/src/com/serotonin/mango/web/dwr/PointLinksDwr.java
@@ -40,7 +40,6 @@
 import com.serotonin.mango.vo.User;
 import com.serotonin.mango.vo.link.PointLinkVO;
 import com.serotonin.mango.vo.permission.Permissions;
-import com.serotonin.util.StringUtils;
 import com.serotonin.web.dwr.DwrResponseI18n;
 import com.serotonin.web.i18n.LocalizableMessage;
 import com.serotonin.web.taglib.DateFunctions;
diff --git a/src/com/serotonin/mango/web/dwr/XssDataPointBeanConverter.java b/src/com/serotonin/mango/web/dwr/XssDataPointBeanConverter.java
deleted file mode 100644
index 19a6c90697..0000000000
--- a/src/com/serotonin/mango/web/dwr/XssDataPointBeanConverter.java
+++ /dev/null
@@ -1,20 +0,0 @@
-package com.serotonin.mango.web.dwr;
-
-import com.serotonin.mango.web.dwr.beans.DataPointBean;
-import org.directwebremoting.convert.BeanConverter;
-import org.directwebremoting.extend.MarshallException;
-import org.directwebremoting.extend.OutboundContext;
-import org.directwebremoting.extend.OutboundVariable;
-
-import static org.scada_lts.web.security.XssProtectUtils.escapeHtml;
-
-public class XssDataPointBeanConverter extends BeanConverter {
-
-    @Override
-    public OutboundVariable convertOutbound(Object data, OutboundContext outctx) throws MarshallException {
-        DataPointBean dataPointBean = (DataPointBean)data;
-        dataPointBean.setName(escapeHtml(dataPointBean.getName()));
-        dataPointBean.setXid(escapeHtml(dataPointBean.getXid()));
-        return super.convertOutbound(dataPointBean, outctx);
-    }
-}
diff --git a/src/com/serotonin/mango/web/dwr/XssDataPointVoConverter.java b/src/com/serotonin/mango/web/dwr/XssDataPointVoConverter.java
deleted file mode 100644
index 629b9e4a92..0000000000
--- a/src/com/serotonin/mango/web/dwr/XssDataPointVoConverter.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package com.serotonin.mango.web.dwr;
-
-import com.serotonin.mango.vo.DataPointVO;
-import org.directwebremoting.convert.BeanConverter;
-import org.directwebremoting.extend.*;
-
-import static org.scada_lts.web.security.XssProtectUtils.escapeHtml;
-
-public class XssDataPointVoConverter extends BeanConverter {
-
-    @Override
-    public OutboundVariable convertOutbound(Object data, OutboundContext outctx) throws MarshallException {
-        DataPointVO dataPointVo = (DataPointVO)data;
-        dataPointVo.setName(escapeHtml(dataPointVo.getName()));
-        dataPointVo.setXid(escapeHtml(dataPointVo.getXid()));
-        dataPointVo.setDataSourceXid(escapeHtml(dataPointVo.getDataSourceXid()));
-        dataPointVo.setChartColour(escapeHtml(dataPointVo.getChartColour()));
-        dataPointVo.setDataSourceName(escapeHtml(dataPointVo.getDataSourceName()));
-        dataPointVo.setDescription(escapeHtml(dataPointVo.getDescription()));
-        dataPointVo.setDeviceName(escapeHtml(dataPointVo.getDeviceName()));
-        return super.convertOutbound(dataPointVo, outctx);
-    }
-}
diff --git a/src/com/serotonin/mango/web/dwr/beans/DataPointBean.java b/src/com/serotonin/mango/web/dwr/beans/DataPointBean.java
index 4a58a4f057..aae7ef0aa6 100644
--- a/src/com/serotonin/mango/web/dwr/beans/DataPointBean.java
+++ b/src/com/serotonin/mango/web/dwr/beans/DataPointBean.java
@@ -18,10 +18,17 @@
  */
 package com.serotonin.mango.web.dwr.beans;
 
+import com.serotonin.mango.rt.dataSource.PointLocatorRT;
 import com.serotonin.mango.vo.DataPointVO;
+import com.serotonin.mango.vo.dataSource.DataPointSaveHandler;
+import com.serotonin.mango.vo.dataSource.PointLocatorVO;
+import com.serotonin.web.dwr.DwrResponseI18n;
 import com.serotonin.web.i18n.LocalizableMessage;
+import org.scada_lts.web.security.EmptyInstance;
 
-public class DataPointBean {
+import java.util.List;
+
+public class DataPointBean implements EmptyInstance {
     private int id;
     private String xid;
     private String name;
@@ -87,4 +94,61 @@ public String getXid() {
     public void setXid(String xid) {
         this.xid = xid;
     }
+
+    @Override
+    public DataPointBean newInstanceEmpty() {
+        DataPointVO dataPointVO = new DataPointVO(-1, -1, -1);
+        dataPointVO.setPointLocator(new PointLocatorVO() {
+            @Override
+            public int getDataTypeId() {
+                return 0;
+            }
+
+            @Override
+            public LocalizableMessage getDataTypeMessage() {
+                return null;
+            }
+
+            @Override
+            public LocalizableMessage getConfigurationDescription() {
+                return null;
+            }
+
+            @Override
+            public boolean isSettable() {
+                return false;
+            }
+
+            @Override
+            public boolean isRelinquishable() {
+                return false;
+            }
+
+            @Override
+            public PointLocatorRT createRuntime() {
+                return null;
+            }
+
+            @Override
+            public void validate(DwrResponseI18n response) {
+
+            }
+
+            @Override
+            public DataPointSaveHandler getDataPointSaveHandler() {
+                return null;
+            }
+
+            @Override
+            public void addProperties(List<LocalizableMessage> list) {
+
+            }
+
+            @Override
+            public void addPropertyChanges(List<LocalizableMessage> list, Object o) {
+
+            }
+        });
+        return new DataPointBean(dataPointVO);
+    }
 }
diff --git a/src/org/scada_lts/dao/cache/UsersProfileDaoWithCache.java b/src/org/scada_lts/dao/cache/UsersProfileDaoWithCache.java
index 85764cb319..1f49a15e67 100644
--- a/src/org/scada_lts/dao/cache/UsersProfileDaoWithCache.java
+++ b/src/org/scada_lts/dao/cache/UsersProfileDaoWithCache.java
@@ -39,7 +39,10 @@ public List<UsersProfileVO> selectUserProfileByUserId(int userId) {
 
     @Override
     public List<UsersProfileVO> selectProfiles(int offset, int limit) {
-        return usersProfileCache.selectProfiles(offset, limit);
+        return usersProfileCache.selectProfiles(offset, limit)
+            .stream()
+            .map(UsersProfileVO::new)
+            .collect(Collectors.toList());
     }
 
     @Override
diff --git a/src/org/scada_lts/mango/service/SystemSettingsService.java b/src/org/scada_lts/mango/service/SystemSettingsService.java
index d8d59ec293..7c34f7bc6e 100644
--- a/src/org/scada_lts/mango/service/SystemSettingsService.java
+++ b/src/org/scada_lts/mango/service/SystemSettingsService.java
@@ -23,6 +23,7 @@
 import org.scada_lts.serorepl.utils.DirectoryInfo;
 import org.scada_lts.serorepl.utils.DirectoryUtils;
 import org.scada_lts.serorepl.utils.StringUtils;
+import org.scada_lts.utils.PathSecureUtils;
 import org.scada_lts.utils.SystemSettingsUtils;
 import org.scada_lts.web.beans.ApplicationBeans;
 import org.scada_lts.web.mvc.api.AggregateSettings;
@@ -467,21 +468,29 @@ public int getWorkItemsReportingItemsPerSecondLimit() {
         }
     }
 
-    public String getWebResourceGraphicsPath(){
+    public String getWebResourceGraphicsPath() {
         String defaultValue = SystemSettingsUtils.getWebResourceGraphicsPath();
         try {
-            return SystemSettingsDAO.getValue(SystemSettingsDAO.WEB_RESOURCE_GRAPHICS_PATH, defaultValue);
-        } catch (Exception e){
+            String path = SystemSettingsDAO.getValue(SystemSettingsDAO.WEB_RESOURCE_GRAPHICS_PATH, defaultValue);
+            if(PathSecureUtils.ValidationPaths.validatePath(path, a -> true)) {
+                return path;
+            }
+            return defaultValue;
+        } catch (Exception e) {
             LOG.error(e.getMessage());
             return defaultValue;
         }
     }
 
-    public String getWebResourceUploadsPath(){
+    public String getWebResourceUploadsPath() {
         String defaultValue = SystemSettingsUtils.getWebResourceUploadsPath();
         try {
-            return SystemSettingsDAO.getValue(SystemSettingsDAO.WEB_RESOURCE_UPLOADS_PATH, defaultValue);
-        } catch (Exception e){
+            String path = SystemSettingsDAO.getValue(SystemSettingsDAO.WEB_RESOURCE_UPLOADS_PATH, defaultValue);
+            if(PathSecureUtils.ValidationPaths.validatePath(path, a -> true)) {
+                return path;
+            }
+            return defaultValue;
+        } catch (Exception e) {
             LOG.error(e.getMessage());
             return defaultValue;
         }
@@ -622,7 +631,10 @@ public void saveWorkItemsReportingMisc(boolean workItemsReportingItemsPerSecondE
     }
 
     public void saveResourceGraphicsPathMisc(String webResourceGraphicsPath, DwrResponseI18n response) {
-        if (webResourceGraphicsPath != null && (StringUtils.isEmpty(webResourceGraphicsPath)
+        boolean validated = PathSecureUtils.ValidationPaths.validatePath(webResourceGraphicsPath, a -> true);
+        if(!validated) {
+            response.addContextualMessage(SystemSettingsDAO.WEB_RESOURCE_GRAPHICS_PATH, "validate.invalidValue");
+        } else if (webResourceGraphicsPath != null && (StringUtils.isEmpty(webResourceGraphicsPath)
                 || (webResourceGraphicsPath.endsWith("graphics")
                 || webResourceGraphicsPath.endsWith("graphics" + File.separator)))) {
             saveResourceGraphicsPathMisc(webResourceGraphicsPath);
@@ -632,7 +644,10 @@ public void saveResourceGraphicsPathMisc(String webResourceGraphicsPath, DwrResp
     }
 
     public void saveResourceUploadsPathMisc(String webResourceUploadsPath, DwrResponseI18n response) {
-        if (webResourceUploadsPath != null && (StringUtils.isEmpty(webResourceUploadsPath)
+        boolean validated = PathSecureUtils.ValidationPaths.validatePath(webResourceUploadsPath, a -> true);
+        if(!validated) {
+            response.addContextualMessage(SystemSettingsDAO.WEB_RESOURCE_UPLOADS_PATH, "validate.invalidValue");
+        } else if(webResourceUploadsPath != null && (StringUtils.isEmpty(webResourceUploadsPath)
                 || (webResourceUploadsPath.endsWith("uploads")
                 || webResourceUploadsPath.endsWith("uploads" + File.separator)))) {
             saveResourceUploadsPathMisc(webResourceUploadsPath);
diff --git a/src/org/scada_lts/utils/PathSecureUtils.java b/src/org/scada_lts/utils/PathSecureUtils.java
index 1e6bf0196c..6632f4a9c6 100644
--- a/src/org/scada_lts/utils/PathSecureUtils.java
+++ b/src/org/scada_lts/utils/PathSecureUtils.java
@@ -1,6 +1,7 @@
 package org.scada_lts.utils;
 
 import com.serotonin.mango.Common;
+import com.serotonin.mango.util.LoggingUtils;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -55,7 +56,12 @@ public static String normalizeSeparator(String path) {
     }
 
     public static Path normalizePath(String path) {
-        return Paths.get(normalizeSeparator(path)).toFile().getAbsoluteFile().toPath().normalize();
+        try {
+            return Paths.get(normalizeSeparator(path)).toFile().getAbsoluteFile().toPath().normalize();
+        } catch (Exception exception) {
+            LOG.error(LoggingUtils.exceptionInfo(exception));
+            return null;
+        }
     }
 
     private static Optional<Path> normalizePath(Path path, BinaryOperator<Path> reduce) {
@@ -65,7 +71,7 @@ private static Optional<Path> normalizePath(Path path, BinaryOperator<Path> redu
         }
 
         Path normalizedPath = getAbsoluteResourcePath(path.toString());
-        if (normalizedPath.toString().isEmpty()) {
+        if (normalizedPath == null || normalizedPath.toString().isEmpty()) {
             return Optional.empty();
         }
 
@@ -185,6 +191,9 @@ public static Path getAppContextSystemFilePath() {
 
         public static Path getAbsoluteResourcePath(String path) {
             Path normalizedPath = PathSecureUtils.normalizePath(path);
+            if(normalizedPath == null) {
+                return null;
+            }
             if (!path.equals(normalizedPath.toString())) {
                 Path basePath = getCatalinaHomePath();
                 return Path.of(basePath + File.separator + normalizeSeparator(path));
@@ -205,7 +214,8 @@ private static List<Path> getImageSystemFilePaths(Supplier<String> getLocalPath,
             if (!StringUtils.isEmpty(normalizePath) && (normalizePath.endsWith(normalizeFolder)
                     || normalizePath.endsWith(normalizeFolder + File.separator))) {
                 Path path = getAbsoluteResourcePath(normalizePath);
-                createPath(path, notExistsPath(), paths::add);
+                if(path != null)
+                    createPath(path, notExistsPath(), paths::add);
             }
             Path path = getAppContextSystemFilePath(normalizeFolder);
             createPath(path, notExistsPath(), paths::add);
diff --git a/src/org/scada_lts/web/security/EmptyInstance.java b/src/org/scada_lts/web/security/EmptyInstance.java
new file mode 100644
index 0000000000..77da767668
--- /dev/null
+++ b/src/org/scada_lts/web/security/EmptyInstance.java
@@ -0,0 +1,5 @@
+package org.scada_lts.web.security;
+
+public interface EmptyInstance {
+    Object newInstanceEmpty();
+}
\ No newline at end of file
diff --git a/src/org/scada_lts/web/security/XssProtectUtils.java b/src/org/scada_lts/web/security/XssProtectUtils.java
index de9e5e9544..5b0f7563b2 100644
--- a/src/org/scada_lts/web/security/XssProtectUtils.java
+++ b/src/org/scada_lts/web/security/XssProtectUtils.java
@@ -2,31 +2,53 @@
 
 import org.springframework.web.util.HtmlUtils;
 
+import java.util.HashMap;
+import java.util.Map;
+
 public final class XssProtectUtils {
 
+    private static final Map<String,String> newLineAndWhitespaceCodes = new HashMap<>();
+
+    static {
+        newLineAndWhitespaceCodes.put("&#10;", "\n");
+        newLineAndWhitespaceCodes.put("&#13;", "\r");
+
+        newLineAndWhitespaceCodes.put("&emsp;", "\t");
+        newLineAndWhitespaceCodes.put("&#11;", "\u000B");
+        newLineAndWhitespaceCodes.put("&#12;", "\f");
+        newLineAndWhitespaceCodes.put("&#28;", "\u001C");
+        newLineAndWhitespaceCodes.put("&#29;", "\u001D");
+        newLineAndWhitespaceCodes.put("&#30;", "\u001E");
+        newLineAndWhitespaceCodes.put("&#31;", "\u001F");
+    }
+
     public XssProtectUtils() {}
 
     public static String escapeHtml(String value) {
         if(value == null)
             return "";
-        String content = HtmlUtils.htmlEscape(value);
-        return whiteSpaceHtmlCode(newLineHtmlCode(content));
+        return escapeNewLineAndWhitespace(HtmlUtils.htmlEscape(value));
     }
 
-    private static String newLineHtmlCode(String content) {
-        if(content.contains("\n")) {
-            return content.replace("\n", "&#10;").replace("\r", "");
+    public static String unescapeHtml(String value) {
+        if(value == null)
+            return "";
+        return HtmlUtils.htmlUnescape(unescapeNewLineAndWhitespace(value));
+    }
+
+    private static String escapeNewLineAndWhitespace(String content) {
+        String result = content;
+        for(Map.Entry<String, String> entry: newLineAndWhitespaceCodes.entrySet()) {
+            result = result.replace(entry.getValue(), entry.getKey());
         }
-        return content.replace("\r", "&#13;");
+        return result;
     }
 
-    private static String whiteSpaceHtmlCode(String content) {
-        return content.replace("\t", "&emsp;")
-                .replace("\u000B","&#11;")
-                .replace("\f", "&#12;")
-                .replace("\u001C", "&#28;")
-                .replace("\u001D", "&#29;")
-                .replace("\u001E", "&#30;")
-                .replace("\u001F", "&#31;");
+    private static String unescapeNewLineAndWhitespace(String content) {
+        String result = content;
+        for(Map.Entry<String, String> entry: newLineAndWhitespaceCodes.entrySet()) {
+            result = result.replace(entry.getKey(), entry.getValue());
+        }
+        return result;
     }
 }
diff --git a/src/org/scada_lts/web/security/dwr/NoEscape.java b/src/org/scada_lts/web/security/dwr/NoEscape.java
new file mode 100644
index 0000000000..6c4a7dbb65
--- /dev/null
+++ b/src/org/scada_lts/web/security/dwr/NoEscape.java
@@ -0,0 +1,12 @@
+package org.scada_lts.web.security.dwr;
+
+import java.lang.annotation.*;
+
+/**
+ * Marks a field or method parameter as safe to carry raw HTML.
+ * Use sparingly: only for server-generated HTML fragments you really intend to render via innerHTML.
+ */
+@Target({ ElementType.FIELD })
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface NoEscape {}
diff --git a/src/org/scada_lts/web/security/dwr/ScadaMarshallException.java b/src/org/scada_lts/web/security/dwr/ScadaMarshallException.java
new file mode 100644
index 0000000000..65ef79eef1
--- /dev/null
+++ b/src/org/scada_lts/web/security/dwr/ScadaMarshallException.java
@@ -0,0 +1,18 @@
+package org.scada_lts.web.security.dwr;
+
+import org.directwebremoting.extend.MarshallException;
+
+public class ScadaMarshallException extends MarshallException {
+
+    public ScadaMarshallException(Class paramType) {
+        super(paramType);
+    }
+
+    public ScadaMarshallException(Class paramType, Throwable ex) {
+        super(paramType, ex);
+    }
+
+    public ScadaMarshallException(Class paramType, String message) {
+        super(paramType, message);
+    }
+}
diff --git a/src/org/scada_lts/web/security/dwr/XssBeanConverter.java b/src/org/scada_lts/web/security/dwr/XssBeanConverter.java
new file mode 100644
index 0000000000..e7b4e7507e
--- /dev/null
+++ b/src/org/scada_lts/web/security/dwr/XssBeanConverter.java
@@ -0,0 +1,23 @@
+package org.scada_lts.web.security.dwr;
+
+import org.directwebremoting.convert.BeanConverter;
+import org.directwebremoting.extend.*;
+
+import static org.scada_lts.web.security.dwr.XssBeanConverterUtils.convertObjectEscaped;
+import static org.scada_lts.web.security.dwr.XssBeanConverterUtils.convertObjectUnescaped;
+
+public class XssBeanConverter extends BeanConverter {
+
+    @Override
+    public OutboundVariable convertOutbound(Object value, OutboundContext outctx) throws MarshallException {
+        Object escaped = convertObjectEscaped(value);
+        return super.convertOutbound(escaped, outctx);
+    }
+
+    @Override
+    public Object convertInbound(Class paramType, InboundVariable iv, InboundContext inctx) throws MarshallException {
+        Object converted = super.convertInbound(paramType, iv, inctx);
+        return convertObjectUnescaped(converted);
+    }
+
+}
diff --git a/src/org/scada_lts/web/security/dwr/XssBeanConverterUtils.java b/src/org/scada_lts/web/security/dwr/XssBeanConverterUtils.java
new file mode 100644
index 0000000000..edea4116d8
--- /dev/null
+++ b/src/org/scada_lts/web/security/dwr/XssBeanConverterUtils.java
@@ -0,0 +1,218 @@
+package org.scada_lts.web.security.dwr;
+
+import com.serotonin.mango.util.LoggingUtils;
+import com.serotonin.web.i18n.LocalizableMessage;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.scada_lts.web.security.EmptyInstance;
+import org.scada_lts.web.security.XssProtectUtils;
+import org.springframework.util.ReflectionUtils;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.util.*;
+import java.util.function.BiFunction;
+import java.util.function.Function;
+import java.util.function.Predicate;
+
+import static java.lang.reflect.Modifier.isStatic;
+
+public final class XssBeanConverterUtils {
+
+    private XssBeanConverterUtils() {}
+
+    private static final Logger LOG = LogManager.getLogger(XssBeanConverterUtils.class);
+
+    public static Object convertObjectEscaped(Object value) throws ScadaMarshallException {
+        return doConvertIf(value, isSimpleJavaType().negate(),
+                XssBeanConverterUtils::doConvert,
+                object -> convertObject(object, XssBeanConverterUtils::escapeIfString));
+    }
+
+    public static Object convertObjectUnescaped(Object value) throws ScadaMarshallException {
+        return doConvertIf(value, isSimpleJavaType().negate(),
+                XssBeanConverterUtils::doConvert,
+                object -> convertObject(object, XssBeanConverterUtils::unescapeIfString));
+    }
+
+    private static Object doConvertIf(Object object, Predicate<Object> doConvertIf,
+                                      BiFunction<Object, Function<Object, Object>, Object> doConvert,
+                                      Function<Object, Object> converter) throws ScadaMarshallException {
+        if(doConvertIf.test(object)) {
+            try {
+                return doConvert.apply(object, converter);
+            } catch (Exception e) {
+                LOG.error(LoggingUtils.exceptionInfo(e));
+                throw e;
+            }
+        } else {
+            ScadaMarshallException marshallException = new ScadaMarshallException(object.getClass());
+            LOG.error(LoggingUtils.exceptionInfo(marshallException));
+            throw marshallException;
+        }
+    }
+
+    public static Predicate<Object> isSimpleJavaType() {
+        return object -> object instanceof Boolean || object instanceof String || object instanceof Character
+                || object instanceof Number || object.getClass().isPrimitive();
+    }
+
+    private static Object doConvert(Object originObject, Function<Object, Object> convert) {
+        Object object;
+        try {
+            object = newInstanceEmpty(originObject);
+        } catch (Exception e) {
+            throw new RuntimeException(new ScadaMarshallException(originObject.getClass(), e));
+        }
+        List<Field> fields = getAllFields(originObject);
+        for(Field field: fields) {
+            if(!isStatic(field.getModifiers())) {
+                try {
+                    field.setAccessible(true);
+                    Object value = field.get(originObject);
+                    if(value != null) {
+                        Object converted = convert.apply(value);
+                        if(converted != null && !field.isAnnotationPresent(NoEscape.class))
+                            field.set(object, converted);
+                        else
+                            field.set(object, value);
+                    }
+                } catch (Exception e) {
+                    throw new RuntimeException(new ScadaMarshallException(originObject.getClass(), e));
+                } finally {
+                    field.setAccessible(false);
+                }
+            }
+        }
+        return object;
+    }
+
+    private static List<Field> getAllFields(Object originObject) {
+        List<Field> fields = new ArrayList<>();
+        ReflectionUtils.doWithFields(originObject.getClass(), fields::add);
+        return fields;
+    }
+
+    private static Object newInstanceEmpty(Object originObject) throws Exception {
+        Object object;
+        if(originObject instanceof LocalizableMessage) {
+            object = new LocalizableMessage("");
+        } else if(originObject instanceof EmptyInstance) {
+            object = ((EmptyInstance) originObject).newInstanceEmpty();
+        } else {
+            object = originObject.getClass().getConstructor().newInstance();
+        }
+        return object;
+    }
+
+    private static Object convertObject(Object object, Function<Object, Object> doConvert) {
+
+        if (object instanceof String) {
+            return convertStringObject(object, doConvert);
+        }
+
+        if (object.getClass().isArray()) {
+            return convertArrayObject(object, doConvert);
+        }
+
+        if (object instanceof List) {
+            return convertListObject(object, doConvert);
+        }
+
+        if (object instanceof Set) {
+            return convertSetObject(object, doConvert);
+        }
+
+        if (object instanceof Map) {
+            return convertMapObject(object, doConvert);
+        }
+
+        return object;
+    }
+
+    private static Object convertStringObject(Object stringObject, Function<Object, Object> convert) {
+        return convert.apply(stringObject);
+    }
+
+    private static Object convertMapObject(Object mapObject, Function<Object, Object> convert) {
+        try {
+            Map<?, ?> in = (Map<?, ?>) mapObject;
+            Map<Object, Object> out = new HashMap<>();
+
+            for(Object key: in.keySet().toArray()) {
+                Object val = in.get(key);
+                out.put(convert.apply(key), convert.apply(val));
+            }
+            Constructor<?> ctor = mapObject.getClass().getConstructor(Map.class);
+            return ctor.newInstance(out);
+        } catch (Exception e) {
+            LOG.error(LoggingUtils.exceptionInfo(e));
+            return null;
+        }
+    }
+
+    private static Object convertSetObject(Object setObject, Function<Object, Object> convert) {
+        try {
+            Collection<?> in = (Collection<?>) setObject;
+            Collection<Object> out = new HashSet<>();
+
+            for(Object obj: in.toArray()) {
+                out.add(convert.apply(obj));
+            }
+
+            Constructor<?> ctor = setObject.getClass().getConstructor(Collection.class);
+            return ctor.newInstance(out);
+        } catch (Exception e) {
+            LOG.error(LoggingUtils.exceptionInfo(e));
+            return null;
+        }
+    }
+
+    private static Object convertListObject(Object listObject, Function<Object, Object> convert) {
+        try {
+            Collection<?> in = (Collection<?>) listObject;
+            Collection<Object> out = new ArrayList<>();
+
+            for(Object obj: in.toArray()) {
+                out.add(convert.apply(obj));
+            }
+
+            Constructor<?> ctor = listObject.getClass().getConstructor(Collection.class);
+            return ctor.newInstance(out);
+        } catch (Exception e) {
+            LOG.error(LoggingUtils.exceptionInfo(e));
+            return null;
+        }
+    }
+
+    private static Object convertArrayObject(Object arrayObject, Function<Object, Object> convert) {
+        try {
+            int len = java.lang.reflect.Array.getLength(arrayObject);
+            Object out = java.lang.reflect.Array.newInstance(arrayObject.getClass().getComponentType(), len);
+            for (int i = 0; i < len; i++) {
+                Object elem = java.lang.reflect.Array.get(arrayObject, i);
+                java.lang.reflect.Array.set(out, i, convert.apply(elem));
+            }
+            return out;
+        } catch (Exception e) {
+            LOG.error(LoggingUtils.exceptionInfo(e));
+            return null;
+        }
+    }
+
+    private static Object escapeIfString(Object object) {
+        if(object instanceof String) {
+            return XssProtectUtils.escapeHtml((String) object);
+        } else {
+            return object;
+        }
+    }
+
+    private static Object unescapeIfString(Object object) {
+        if(object instanceof String) {
+            return XssProtectUtils.unescapeHtml((String) object);
+        } else {
+            return object;
+        }
+    }
+}
diff --git a/src/org/scada_lts/web/security/dwr/XssLocalizableMessageConverter.java b/src/org/scada_lts/web/security/dwr/XssLocalizableMessageConverter.java
new file mode 100644
index 0000000000..d1e2f0026c
--- /dev/null
+++ b/src/org/scada_lts/web/security/dwr/XssLocalizableMessageConverter.java
@@ -0,0 +1,30 @@
+package org.scada_lts.web.security.dwr;
+
+import com.serotonin.mango.Common;
+import com.serotonin.web.i18n.LocalizableMessage;
+import org.directwebremoting.WebContext;
+import org.directwebremoting.WebContextFactory;
+import org.directwebremoting.convert.StringConverter;
+import org.directwebremoting.extend.*;
+
+import static org.scada_lts.web.security.dwr.XssBeanConverterUtils.convertObjectEscaped;
+import static org.scada_lts.web.security.dwr.XssBeanConverterUtils.convertObjectUnescaped;
+
+
+public class XssLocalizableMessageConverter  extends StringConverter {
+    public XssLocalizableMessageConverter() {
+    }
+
+    public OutboundVariable convertOutbound(Object data, OutboundContext outctx) throws MarshallException {
+        WebContext webctx = WebContextFactory.get();
+        LocalizableMessage lm = (LocalizableMessage)convertObjectEscaped(data);
+        String escaped = lm.getLocalizedMessage(Common.getBundle(webctx.getHttpServletRequest()));
+        return super.convertOutbound(escaped, outctx);
+    }
+
+    @Override
+    public Object convertInbound(Class paramType, InboundVariable iv, InboundContext inctx) throws MarshallException {
+        Object converted = super.convertInbound(paramType, iv, inctx);
+        return convertObjectUnescaped(converted);
+    }
+}
diff --git a/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsEscapedTest.java b/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsEscapedTest.java
new file mode 100644
index 0000000000..a732d1c17f
--- /dev/null
+++ b/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsEscapedTest.java
@@ -0,0 +1,61 @@
+package org.scada_lts.web.security.dwr;
+
+import br.org.scadabr.vo.scripting.ContextualizedScriptVO;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+public class XssBeanConverterUtilsEscapedTest {
+
+    private ContextualizedScriptVO objectUnescaped;
+    private ContextualizedScriptVO objectEscaped;
+
+    @Before
+    public void config() {
+        objectUnescaped = new ContextualizedScriptVO();
+        objectUnescaped.setScript("<script>alert(1)</script>");
+        objectEscaped = new ContextualizedScriptVO();
+        objectEscaped.setScript("&lt;script&gt;alert(1)&lt;/script&gt;");
+    }
+
+    @Test
+    public void when_convertObjectEscaped_then_Object_escaped() throws ScadaMarshallException {
+
+        //when:
+        Object result = XssBeanConverterUtils.convertObjectEscaped(objectUnescaped);
+
+        //then:
+        Assert.assertEquals(objectEscaped, result);
+    }
+
+    @Test
+    public void when_convertObjectUnescaped_then_Object_unescaped() throws ScadaMarshallException {
+
+        //when:
+        Object result = XssBeanConverterUtils.convertObjectUnescaped(objectEscaped);
+
+        //then:
+        Assert.assertEquals(objectUnescaped, result);
+    }
+
+    @Test
+    public void when_convertObjectUnescaped_then_not_same_arg() throws ScadaMarshallException {
+
+        //when:
+        Object result = XssBeanConverterUtils.convertObjectUnescaped(objectEscaped);
+
+        //then:
+        Assert.assertNotSame(objectEscaped, result);
+    }
+
+    @Test
+    public void when_convertObjectEscaped_then_not_same_arg() throws ScadaMarshallException {
+
+        //when:
+        Object result = XssBeanConverterUtils.convertObjectEscaped(objectUnescaped);
+
+        //then:
+        Assert.assertNotSame(objectUnescaped, result);
+    }
+
+}
\ No newline at end of file
diff --git a/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsExceptionTest.java b/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsExceptionTest.java
new file mode 100644
index 0000000000..d99e45f6fa
--- /dev/null
+++ b/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsExceptionTest.java
@@ -0,0 +1,44 @@
+package org.scada_lts.web.security.dwr;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class XssBeanConverterUtilsExceptionTest {
+
+    @Parameterized.Parameters(name = "{index}: value: {0}, type: {1}")
+    public static Object[][] data() {
+        return new Object[][] {
+                {"", String.class},
+                {'o', Character.class},
+                {1.0, Double.class},
+                {1, Integer.class},
+                {Short.valueOf("1"), Short.class},
+                {1L, Long.class},
+                {true, Boolean.class},
+                {false, Boolean.class},
+        };
+    }
+
+    private final Object value;
+
+    public XssBeanConverterUtilsExceptionTest(Object value, Class<?> type) {
+        this.value = value;
+    }
+
+    @Test(expected = ScadaMarshallException.class)
+    public void when_convertObjectEscaped_for_object_with_type_no_source_then_IllegalArgumentException() throws ScadaMarshallException {
+
+        //when:
+        XssBeanConverterUtils.convertObjectEscaped(value);
+    }
+
+    @Test(expected = ScadaMarshallException.class)
+    public void when_convertObjectUnescaped_for_object_with_type_no_source_then_IllegalArgumentException() throws ScadaMarshallException {
+
+        //when:
+        XssBeanConverterUtils.convertObjectUnescaped(value);
+    }
+
+}
\ No newline at end of file
diff --git a/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsTest.java b/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsTest.java
new file mode 100644
index 0000000000..937d5f9cc4
--- /dev/null
+++ b/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsTest.java
@@ -0,0 +1,136 @@
+package org.scada_lts.web.security.dwr;
+
+import br.org.scadabr.vo.permission.WatchListAccess;
+import br.org.scadabr.vo.usersProfiles.UsersProfileVO;
+import com.serotonin.db.IntValuePair;
+import com.serotonin.mango.rt.dataSource.PointLocatorRT;
+import com.serotonin.mango.view.View;
+import com.serotonin.mango.vo.DataPointVO;
+import com.serotonin.mango.vo.dataSource.DataPointSaveHandler;
+import com.serotonin.mango.vo.dataSource.DataSourceVO;
+import com.serotonin.mango.vo.dataSource.PointLocatorVO;
+import com.serotonin.mango.vo.dataSource.virtual.VirtualDataSourceVO;
+import com.serotonin.mango.vo.event.CompoundEventDetectorVO;
+import com.serotonin.mango.vo.event.EventHandlerVO;
+import com.serotonin.mango.vo.event.EventTypeVO;
+import com.serotonin.mango.vo.mailingList.AddressEntry;
+import com.serotonin.mango.vo.mailingList.MailingList;
+import com.serotonin.mango.vo.mailingList.UserEntry;
+import com.serotonin.mango.vo.report.ReportInstance;
+import com.serotonin.mango.vo.report.ReportVO;
+import com.serotonin.mango.web.dwr.beans.DataPointBean;
+import com.serotonin.mango.web.dwr.beans.EventSourceBean;
+import com.serotonin.mango.web.dwr.beans.RecipientListEntryBean;
+import com.serotonin.web.dwr.DwrResponseI18n;
+import com.serotonin.web.i18n.LocalizableMessage;
+import net.sf.mbus4j.SerialPortConnection;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.scada_lts.dao.model.UserIdentifier;
+
+import java.util.List;
+
+@RunWith(Parameterized.class)
+public class XssBeanConverterUtilsTest {
+
+    @Parameterized.Parameters(name = "{index}: value: {0}, type: {1}")
+    public static Object[][] data() {
+        DataPointVO dataPoint = new DataPointVO(-1, -1, -1);
+        dataPoint.setPointLocator(new PointLocatorVO() {
+            @Override
+            public int getDataTypeId() {
+                return 0;
+            }
+
+            @Override
+            public LocalizableMessage getDataTypeMessage() {
+                return null;
+            }
+
+            @Override
+            public LocalizableMessage getConfigurationDescription() {
+                return null;
+            }
+
+            @Override
+            public boolean isSettable() {
+                return false;
+            }
+
+            @Override
+            public boolean isRelinquishable() {
+                return false;
+            }
+
+            @Override
+            public PointLocatorRT createRuntime() {
+                return null;
+            }
+
+            @Override
+            public void validate(DwrResponseI18n response) {
+
+            }
+
+            @Override
+            public DataPointSaveHandler getDataPointSaveHandler() {
+                return null;
+            }
+
+            @Override
+            public void addProperties(List<LocalizableMessage> list) {
+
+            }
+
+            @Override
+            public void addPropertyChanges(List<LocalizableMessage> list, Object o) {
+
+            }
+        });
+        return new Object[][] {
+                {new VirtualDataSourceVO(), DataSourceVO.class},
+                {new WatchListAccess(), WatchListAccess.class},
+                {new SerialPortConnection(), SerialPortConnection.class},
+                {new UserIdentifier(), UserIdentifier.class},
+                {new Exception(), Exception.class},
+                {new UsersProfileVO(), UsersProfileVO.class},
+                {new View(), View.class},
+                {dataPoint, DataPointVO.class},
+                {new DataPointBean(dataPoint), DataPointBean.class},
+                {new CompoundEventDetectorVO(), CompoundEventDetectorVO.class},
+                {new EventHandlerVO(), EventHandlerVO.class},
+                {new EventTypeVO(-1, -1, -1), EventTypeVO.class},
+                {new IntValuePair(), IntValuePair.class},
+                {new EventSourceBean(), EventSourceBean.class},
+                {new AddressEntry(), AddressEntry.class},
+                {new MailingList(), MailingList.class},
+                {new UserEntry(), UserEntry.class},
+                {new ReportInstance(), ReportInstance.class},
+                {new ReportVO(), ReportVO.class},
+                {new RecipientListEntryBean(), RecipientListEntryBean.class},
+
+        };
+    }
+
+    private final Object value;
+
+    public XssBeanConverterUtilsTest(Object value, Class<?> type) {
+        this.value = value;
+    }
+
+    @Test
+    public void when_convertObjectEscaped_for_object_with_type_no_source_then_IllegalArgumentException() throws ScadaMarshallException {
+
+        //when:
+        XssBeanConverterUtils.convertObjectEscaped(value);
+    }
+
+    @Test
+    public void when_convertObjectUnescaped_for_object_with_type_no_source_then_IllegalArgumentException() throws ScadaMarshallException {
+
+        //when:
+        XssBeanConverterUtils.convertObjectUnescaped(value);
+    }
+
+}
\ No newline at end of file
diff --git a/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsTestsSuite.java b/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsTestsSuite.java
new file mode 100644
index 0000000000..262cde9806
--- /dev/null
+++ b/test/org/scada_lts/web/security/dwr/XssBeanConverterUtilsTestsSuite.java
@@ -0,0 +1,13 @@
+package org.scada_lts.web.security.dwr;
+
+import org.junit.runner.RunWith;
+import org.junit.runners.Suite;
+
+@RunWith(Suite.class)
+@Suite.SuiteClasses({
+        XssBeanConverterUtilsTest.class,
+        XssBeanConverterUtilsExceptionTest.class,
+        XssBeanConverterUtilsEscapedTest.class
+})
+public class XssBeanConverterUtilsTestsSuite {
+}