diff --git a/ajax/networking/get_int_config.php b/ajax/networking/get_int_config.php
index 59b3a76..5e1c9b8 100644
--- a/ajax/networking/get_int_config.php
+++ b/ajax/networking/get_int_config.php
@@ -6,6 +6,7 @@ include_once('../../includes/functions.php');
 
 if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
     $int = $_POST['interface'];
+    // FIXME slashes and other forbidden filename characters not stripped. [security]
     if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
         touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
     }
@@ -21,4 +22,3 @@ if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate())
     echo json_encode($jsonData);
 }
 
-?>
diff --git a/includes/admin.php b/includes/admin.php
index 46f388e..e649ea2 100755
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -8,7 +8,7 @@ function DisplayAuthConfig($username, $password){
     if (CSRFValidate()) {
       if (password_verify($_POST['oldpass'], $password)) {
         $new_username=trim($_POST['username']);
-        if ($_POST['newpass'] != $_POST['newpassagain']) {
+        if ($_POST['newpass'] !== $_POST['newpassagain']) {
           $status->addMessage('New passwords do not match', 'danger');
         } else if ($new_username == '') {
           $status->addMessage('Username must not be empty', 'danger');
@@ -16,7 +16,8 @@ function DisplayAuthConfig($username, $password){
           if (!file_exists(RASPI_ADMIN_DETAILS)) {
               $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
               fclose($tmpauth);
-	  }
+          }
+
           if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
             fwrite($auth_file, $new_username.PHP_EOL);
             fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
@@ -46,7 +47,7 @@ function DisplayAuthConfig($username, $password){
             <div class="row">
               <div class="form-group col-md-4">
                 <label for="username"><?php echo _("Username"); ?></label>
-                <input type="text" class="form-control" name="username" value="<?php echo $username; ?>"/>
+                <input type="text" class="form-control" name="username" value="<?php echo htmlspecialchars($username, ENT_QUOTES); ?>"/>
               </div>
             </div>
             <div class="row">
@@ -76,4 +77,3 @@ function DisplayAuthConfig($username, $password){
 <?php 
 }
 
-?>
diff --git a/includes/authenticate.php b/includes/authenticate.php
index 8a72967..79151a2 100755
--- a/includes/authenticate.php
+++ b/includes/authenticate.php
@@ -10,4 +10,3 @@ if (!$validated) {
   die ("Not authorized");
 }
 
-?>
diff --git a/includes/config.php b/includes/config.php
index 366b52e..4653628 100755
--- a/includes/config.php
+++ b/includes/config.php
@@ -31,4 +31,3 @@ define('RASPI_CHANGETHEME_ENABLED', true );
 define('LOCALE_ROOT', 'locale');
 define('LOCALE_DOMAIN', 'messages'); 
 
-?>
diff --git a/includes/configure_client.php b/includes/configure_client.php
index b6dda6f..7121ad7 100755
--- a/includes/configure_client.php
+++ b/includes/configure_client.php
@@ -158,14 +158,14 @@ function DisplayWPAConfig(){
 
   <div class="row">
     <div class="col-lg-12">
-      <div class="panel panel-primary">           
+      <div class="panel panel-primary">
         <div class="panel-heading"><i class="fa fa-signal fa-fw"></i> <?php echo _("Configure client"); ?></div>
         <!-- /.panel-heading -->
         <div class="panel-body">
           <p><?php $status->showMessages(); ?></p>
           <h4><?php echo _("Client settings"); ?></h4>
 	        <div class="btn-group btn-block">
-	          <a href=".?<?php echo $_SERVER['QUERY_STRING']; ?>" style="padding:10px;float: right;display: block;position: relative;margin-top: -55px;" class="col-md-2 btn btn-info" id="update"><?php echo _("Rescan"); ?></a>
+	          <a href=".?<?php echo htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES); ?>" style="padding:10px;float: right;display: block;position: relative;margin-top: -55px;" class="col-md-2 btn btn-info" id="update"><?php echo _("Rescan"); ?></a>
 	        </div>
           <form method="POST" action="?page=wpa_conf" name="wpa_conf_form">
             <?php CSRFToken() ?>
@@ -191,19 +191,19 @@ function DisplayWPAConfig(){
                 <?php } ?>
                 </td>
                 <td>
-                  <input type="hidden" name="ssid<?php echo $index ?>" value="<?php echo htmlentities($ssid) ?>" />
-                  <?php echo $ssid ?>
+                  <input type="hidden" name="ssid<?php echo $index ?>" value="<?php echo htmlentities($ssid, ENT_QUOTES) ?>" />
+                  <?php echo htmlspecialchars($ssid, ENT_QUOTES); ?>
                 </td>
               <?php if (array_key_exists('visible', $network) && $network['visible']) { ?>
-                <td><?php echo $network['channel'] ?></td>
+                <td><?php echo htmlspecialchars($network['channel'], ENT_QUOTES); ?></td>
               <?php } else { ?>
                 <td><span class="label label-warning">X</span></td>
               <?php } ?>
                 <td>
               <?php if (array_key_exists('priority', $network)) { ?>
-                  <input type="hidden" name="priority<?php echo $index ?>" value="<?php echo $network['priority'] ?>" />
+                  <input type="hidden" name="priority<?php echo $index ?>" value="<?php echo htmlspecialchars($network['priority'], ENT_QUOTES); ?>" />
               <?php } ?>
-                  <input type="hidden" name="protocol<?php echo $index ?>" value="<?php echo $network['protocol'] ?>" /><?php echo $network['protocol'] ?>
+                  <input type="hidden" name="protocol<?php echo $index ?>" value="<?php echo htmlspecialchars($network['protocol'], ENT_QUOTES); ?>" /><?php echo htmlspecialchars($network['protocol'], ENT_QUOTES); ?>
                 </td>
               <?php if ($network['protocol'] === 'Open') { ?>
                 <td><input type="hidden" name="passphrase<?php echo $index ?>" value="" />---</td>
@@ -233,4 +233,3 @@ function DisplayWPAConfig(){
 <?php
 }
 
-?>
diff --git a/includes/dashboard.php b/includes/dashboard.php
index 5e4c956..e39c246 100755
--- a/includes/dashboard.php
+++ b/includes/dashboard.php
@@ -85,16 +85,16 @@ function DisplayDashboard(){
                         <div class="panel panel-default">
                           <div class="panel-body">
                             <h4><?php echo _("Interface Information"); ?></h4>
-                              <div class="info-item"><?php echo _("Interface Name"); ?></div> <?php echo RASPI_WIFI_CLIENT_INTERFACE ?></br>
-                              <div class="info-item"><?php echo _("IP Address"); ?></div>     <?php echo $strIPAddress ?></br>
-                              <div class="info-item"><?php echo _("Subnet Mask"); ?></div>    <?php echo $strNetMask ?></br>
-                              <div class="info-item"><?php echo _("Mac Address"); ?></div>    <?php echo $strHWAddress ?></br></br>
+                              <div class="info-item"><?php echo _("Interface Name"); ?></div> <?php echo RASPI_WIFI_CLIENT_INTERFACE; ?><br />
+                              <div class="info-item"><?php echo _("IP Address"); ?></div>     <?php echo htmlspecialchars($strIPAddress, ENT_QUOTES); ?><br />
+                              <div class="info-item"><?php echo _("Subnet Mask"); ?></div>    <?php echo htmlspecialchars($strNetMask, ENT_QUOTES); ?><br />
+                              <div class="info-item"><?php echo _("Mac Address"); ?></div>    <?php echo htmlspecialchars($strHWAddress, ENT_QUOTES); ?><br /><br />
 
                             <h4><?php echo _("Interface Statistics"); ?></h4>
-                              <div class="info-item"><?php echo _("Received Packets"); ?></div>    <?php echo $strRxPackets ?></br>
-                              <div class="info-item"><?php echo _("Received Bytes"); ?></div>      <?php echo $strRxBytes ?></br></br>
-                              <div class="info-item"><?php echo _("Transferred Packets"); ?></div> <?php echo $strTxPackets ?></br>
-                              <div class="info-item"><?php echo _("Transferred Bytes"); ?></div>   <?php echo $strTxBytes ?></br>
+                              <div class="info-item"><?php echo _("Received Packets"); ?></div>    <?php echo htmlspecialchars($strRxPackets, ENT_QUOTES); ?><br />
+                              <div class="info-item"><?php echo _("Received Bytes"); ?></div>      <?php echo htmlspecialchars($strRxBytes, ENT_QUOTES); ?><br /><br />
+                              <div class="info-item"><?php echo _("Transferred Packets"); ?></div> <?php echo htmlspecialchars($strTxPackets, ENT_QUOTES); ?><br />
+                              <div class="info-item"><?php echo _("Transferred Bytes"); ?></div>   <?php echo htmlspecialchars($strTxBytes, ENT_QUOTES); ?><br />
                           </div><!-- /.panel-body -->
                         </div><!-- /.panel-default -->
                         </div><!-- /.col-md-6 -->
@@ -102,18 +102,18 @@ function DisplayDashboard(){
                         <div class="panel panel-default">
                           <div class="panel-body wireless">
                             <h4><?php echo _("Wireless Information"); ?></h4>
-                              <div class="info-item"><?php echo _("Connected To"); ?></div>   <?php echo $strSSID ?></br>
-                              <div class="info-item"><?php echo _("AP Mac Address"); ?></div> <?php echo $strBSSID ?></br>
-                              <div class="info-item"><?php echo _("Bitrate"); ?></div>        <?php echo $strBitrate ?></br>
-                              <div class="info-item"><?php echo _("Signal Level"); ?></div>	<?php echo $strSignalLevel ?></br>
-                              <div class="info-item"><?php echo _("Transmit Power"); ?></div> <?php echo $strTxPower ?></br>
-                              <div class="info-item"><?php echo _("Frequency"); ?></div>      <?php echo $strFrequency ?></br></br>
+                              <div class="info-item"><?php echo _("Connected To"); ?></div>   <?php echo htmlspecialchars($strSSID, ENT_QUOTES); ?><br />
+                              <div class="info-item"><?php echo _("AP Mac Address"); ?></div> <?php echo htmlspecialchars($strBSSID, ENT_QUOTES); ?><br />
+                              <div class="info-item"><?php echo _("Bitrate"); ?></div>        <?php echo htmlspecialchars($strBitrate, ENT_QUOTES); ?><br />
+                              <div class="info-item"><?php echo _("Signal Level"); ?></div>	<?php echo htmlspecialchars($strSignalLevel, ENT_QUOTES); ?><br />
+                              <div class="info-item"><?php echo _("Transmit Power"); ?></div> <?php echo htmlspecialchars($strTxPower, ENT_QUOTES); ?><br />
+                              <div class="info-item"><?php echo _("Frequency"); ?></div>      <?php echo htmlspecialchars($strFrequency, ENT_QUOTES); ?><br /><br />
                               <div class="info-item"><?php echo _("Link Quality"); ?></div>
                                 <div class="progress">
                                 <div class="progress-bar progress-bar-info progress-bar-striped active"
                                   role="progressbar"
-                                  aria-valuenow="<?php echo $strLinkQuality ?>" aria-valuemin="0" aria-valuemax="100"
-                                  style="width: <?php echo $strLinkQuality ?>%;"><?php echo $strLinkQuality ?>%
+                                  aria-valuenow="<?php echo htmlspecialchars($strLinkQuality, ENT_QUOTES); ?>" aria-valuemin="0" aria-valuemax="100"
+                                  style="width: <?php echo htmlspecialchars($strLinkQuality, ENT_QUOTES); ?>%;"><?php echo htmlspecialchars($strLinkQuality, ENT_QUOTES); ?>%
                                 </div>
                               </div>
                           </div><!-- /.panel-body -->
@@ -143,4 +143,3 @@ function DisplayDashboard(){
   <?php
 }
 
-?>
diff --git a/includes/dhcp.php b/includes/dhcp.php
index f65059f..281da43 100755
--- a/includes/dhcp.php
+++ b/includes/dhcp.php
@@ -14,7 +14,7 @@ function DisplayDHCPConfig() {
     if (CSRFValidate()) {
       $config = 'interface='.$_POST['interface'].PHP_EOL
         .'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].',255.255.255.0,'.$_POST['RangeLeaseTime'].''.$_POST['RangeLeaseTimeUnits'];
-      exec( 'echo "'.$config.'" > /tmp/dhcpddata',$temp );
+      exec( 'echo "'.$config.'" > /tmp/dhcpddata',$temp);
       system( 'sudo cp /tmp/dhcpddata '. RASPI_DNSMASQ_CONFIG, $return );
 
       if( $return == 0 ) {
@@ -83,14 +83,14 @@ function DisplayDHCPConfig() {
   $dselected = '';
 
   switch( $arrRangeLeaseTime[2] ) {
-    case "h":
-      $hselected = " selected";
+    case 'h':
+      $hselected = ' selected="selected"';
     break;
-    case "m":
-      $mselected = " selected";
+    case 'm':
+      $mselected = ' selected="selected"';
     break;
-    case "d":
-      $dselected = " selected";
+    case 'd':
+      $dselected = ' selected="selected"';
     break;
   }
 
@@ -119,42 +119,49 @@ function DisplayDHCPConfig() {
       <div class="form-group col-md-4">
         <label for="code">Interface</label>
         <select class="form-control" name="interface">
-        <?php 
+<?php 
         exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces);
 
-        foreach( $interfaces as $int ) {
+        foreach( $interfaces as $inet ) {
           $select = '';
-          if( $int == $conf['interface'] ) {
-            $select = " selected";
+          if( $inet === $conf['interface'] ) {
+            $select = ' selected="selected"';  // FIXED use xhtml valid attribute
           }
-            echo '<option value="'.$int.'"'.$select.'>'.$int.'</option>';
-          }
-        ?>
+
+          echo '        <option value="'.htmlspecialchars($inet, ENT_QUOTES).'"'.
+                $select.'>'.htmlspecialchars($inet, ENT_QUOTES).'</option>' , PHP_EOL;
+        }
+?>
         </select>
       </div>
     </div>
     <div class="row">
       <div class="form-group col-md-4">
         <label for="code"><?php echo _("Starting IP Address"); ?></label>
-        <input type="text" class="form-control"name="RangeStart" value="<?php echo $RangeStart; ?>" />
+        <input type="text" class="form-control"name="RangeStart" value="<?php echo htmlspecialchars($RangeStart, ENT_QUOTES); ?>" />
       </div>
     </div>
 
     <div class="row">
       <div class="form-group col-md-4">
         <label for="code"><?php echo _("Ending IP Address"); ?></label>
-        <input type="text" class="form-control" name="RangeEnd" value="<?php echo $RangeEnd; ?>" />
+        <input type="text" class="form-control" name="RangeEnd" value="<?php echo htmlspecialchars($RangeEnd, ENT_QUOTES); ?>" />
       </div>
     </div>
 
     <div class="row">
       <div class="form-group col-xs-2 col-sm-2">
         <label for="code"><?php echo _("Lease Time"); ?></label>
-        <input type="text" class="form-control" name="RangeLeaseTime" value="<?php echo $arrRangeLeaseTime[1]; ?>" />
+        <input type="text" class="form-control" name="RangeLeaseTime" value="<?php echo htmlspecialchars($arrRangeLeaseTime[1], ENT_QUOTES); ?>" />
       </div>
       <div class="col-xs-2 col-sm-2">
         <label for="code"><?php echo _("Interval"); ?></label>
-        <select name="RangeLeaseTimeUnits" class="form-control" ><option value="m" <?php echo $mselected; ?>>Minute(s)</option><option value="h" <?php echo $hselected; ?>>Hour(s)</option><option value="d" <?php echo $dselected; ?>>Day(s)</option><option value="infinite">Infinite</option></select> 
+        <select name="RangeLeaseTimeUnits" class="form-control" >
+            <option value="m" <?php echo $mselected; ?>>Minute(s)</option>
+            <option value="h" <?php echo $hselected; ?>>Hour(s)</option>
+            <option value="d" <?php echo $dselected; ?>>Day(s)</option>
+            <option value="infinite">Infinite</option>
+        </select> 
       </div>
     </div>
 
@@ -166,7 +173,7 @@ function DisplayDHCPConfig() {
     } else {
       echo'<input type="submit" class="btn btn-success" value="' .  _("Start dnsmasq") . '" name="startdhcpd" />';
     }
-    ?>
+?>
     </form>
     </div><!-- /.tab-pane -->
 
@@ -190,16 +197,18 @@ function DisplayDHCPConfig() {
             </thead>
             <tbody>
               <tr>
-                <?php
-                exec( 'cat ' . RASPI_DNSMASQ_LEASES, $leases );
-                foreach( $leases as $lease ) {
-                  $lease_items = explode(' ', $lease);
-                  foreach( $lease_items as $lease_item ) {
-                    echo '<td>' . $lease_item . '</td>';
-                  }
-                  echo '</tr>';
-                };
-                ?>
+<?php
+exec( 'cat ' . RASPI_DNSMASQ_LEASES, $leases );
+foreach( $leases as $lease ) {
+    $lease_items = explode(' ', $lease);
+    foreach( $lease_items as $lease_item ) {
+        echo '                  <td>'.htmlspecialchars($lease_item, ENT_QUOTES).'</td>'.PHP_EOL;
+    }
+
+    echo '                </tr>'.PHP_EOL;
+};
+
+?>
               </tr>
             </tbody>
           </table>
@@ -210,12 +219,10 @@ function DisplayDHCPConfig() {
     </div><!-- /.tab-pane -->
     </div><!-- /.tab-content -->
     </div><!-- ./ Panel body -->
-    <div class="panel-footer"> <?php echo _("Information provided by Dnsmasq");?></div>
+    <div class="panel-footer"> <?php echo _("Information provided by Dnsmasq"); ?></div>
         </div><!-- /.panel-primary -->
     </div><!-- /.col-lg-12 -->
   </div><!-- /.row -->
 <?php
 }
 
-?>
-
diff --git a/includes/functions.php b/includes/functions.php
index 8d05d41..ba97f14 100755
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -55,7 +55,7 @@ function safefilerewrite($fileName, $dataToSave) {
 */
 function CSRFToken() {
 ?>
-<input id="csrf_token" type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" />
+<input id="csrf_token" type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES);; ?>" />
 <?php
 }
 
@@ -90,16 +90,19 @@ function isAssoc($arr) {
 *
 */
 function SelectorOptions($name, $options, $selected = null) {
-  echo "<select class=\"form-control\" name=\"$name\">";
+  echo '<select class="form-control" name="'.htmlspecialchars($name, ENT_QUOTES).'>' , PHP_EOL;
   foreach ( $options as $opt => $label) {
     $select = '';
     $key = isAssoc($options) ? $opt : $label;
     if( $key == $selected ) {
-      $select = " selected";
+      $select = ' selected="selected"';
     }
-    echo "<option value=\"$key\"$select>$label</options>";
+
+    echo '<option value="'.htmlspecialchars($key, ENT_QUOTES).'"'.$select.'>'.
+            htmlspecialchars($label, ENT_QUOTES).'</options>' , PHP_EOL;
   }
-  echo "</select>";
+
+  echo '</select>' , PHP_EOL;
 }
 
 /**
@@ -220,96 +223,93 @@ function DisplayOpenVPNConfig() {
 	?>
 	<div class="row">
 	<div class="col-lg-12">
-    	<div class="panel panel-primary">           
-			<div class="panel-heading"><i class="fa fa-lock fa-fw"></i> Configure OpenVPN 
-            </div>
-        <!-- /.panel-heading -->
-        <div class="panel-body">
-        	<!-- Nav tabs -->
-            <ul class="nav nav-tabs">
-                <li class="active"><a href="#openvpnclient" data-toggle="tab">Client settings</a>
-                </li>
-                <li><a href="#openvpnserver" data-toggle="tab">Server settings</a>
-                </li>
-            </ul>
-            <!-- Tab panes -->
-           	<div class="tab-content">
-           		<p><?php echo $status; ?></p>
-            	<div class="tab-pane fade in active" id="openvpnclient">
-            		
-            		<h4>Client settings</h4>
+		<div class="panel panel-primary">
+			<div class="panel-heading"><i class="fa fa-lock fa-fw"></i> Configure OpenVPN </div>
+		<!-- /.panel-heading -->
+		<div class="panel-body">
+			<!-- Nav tabs -->
+			<ul class="nav nav-tabs">
+				<li class="active"><a href="#openvpnclient" data-toggle="tab">Client settings</a></li>
+				<li><a href="#openvpnserver" data-toggle="tab">Server settings</a></li>
+			</ul>
+			<!-- Tab panes -->
+			<div class="tab-content">
+				<p><?php echo $status; ?></p>
+				<div class="tab-pane fade in active" id="openvpnclient">
+
+					<h4>Client settings</h4>
 					<form role="form" action="?page=save_hostapd_conf" method="POST">
 
 					<div class="row">
 						<div class="form-group col-md-4">
-	                        <label>Select OpenVPN configuration file (.ovpn)</label>
-	                        <input type="file" name="openvpn-config">
-	                    </div>
+							<label>Select OpenVPN configuration file (.ovpn)</label>
+							<input type="file" name="openvpn-config">
+						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">Client Log</label>
-							<input type="text" class="form-control" id="disabledInput" name="log-append" type="text" placeholder="<?php echo $arrClientConfig['log-append']; ?>" disabled />
+							<input type="text" class="form-control" id="disabledInput" name="log-append" type="text" placeholder="<?php echo htmlspecialchars($arrClientConfig['log-append'], ENT_QUOTES); ?>" disabled="disabled" />
 						</div>
 					</div>
 				</div>
 				<div class="tab-pane fade" id="openvpnserver">
-            		<h4>Server settings</h4>
-            		<div class="row">
+					<h4>Server settings</h4>
+					<div class="row">
 						<div class="form-group col-md-4">
-            			<label for="code">Port</label> 
-            			<input type="text" class="form-control" name="openvpn_port" value="<?php echo $arrServerConfig['port'] ?>" />
+						<label for="code">Port</label> 
+						<input type="text" class="form-control" name="openvpn_port" value="<?php echo htmlspecialchars($arrServerConfig['port'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 						<label for="code">Protocol</label>
-						<input type="text" class="form-control" name="openvpn_proto" value="<?php echo $arrServerConfig['proto'] ?>" />
+						<input type="text" class="form-control" name="openvpn_proto" value="<?php echo htmlspecialchars($arrServerConfig['proto'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 						<label for="code">Root CA certificate</label>
-						<input type="text" class="form-control" name="openvpn_rootca" placeholder="<?php echo $arrServerConfig['ca']; ?>" disabled />
+						<input type="text" class="form-control" name="openvpn_rootca" placeholder="<?php echo htmlspecialchars($arrServerConfig['ca'], ENT_QUOTES); ?>" disabled="disabled" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 						<label for="code">Server certificate</label>
-						<input type="text" class="form-control" name="openvpn_cert" placeholder="<?php echo $arrServerConfig['cert']; ?>" disabled />
+						<input type="text" class="form-control" name="openvpn_cert" placeholder="<?php echo htmlspecialchars($arrServerConfig['cert'], ENT_QUOTES); ?>" disabled="disabled" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 						<label for="code">Diffie Hellman parameters</label>
-						<input type="text" class="form-control" name="openvpn_dh" placeholder="<?php echo $arrServerConfig['dh']; ?>" disabled />
+						<input type="text" class="form-control" name="openvpn_dh" placeholder="<?php echo htmlspecialchars($arrServerConfig['dh'], ENT_QUOTES); ?>" disabled="disabled" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 						<label for="code">KeepAlive</label>
-						<input type="text" class="form-control" name="openvpn_keepalive" value="<?php echo $arrServerConfig['keepalive']; ?>" />
+						<input type="text" class="form-control" name="openvpn_keepalive" value="<?php echo htmlspecialchars($arrServerConfig['keepalive'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 						<label for="code">Server log</label>
-						<input type="text" class="form-control" name="openvpn_status" placeholder="<?php echo $arrServerConfig['status']; ?>" disabled />
+						<input type="text" class="form-control" name="openvpn_status" placeholder="<?php echo htmlspecialchars($arrServerConfig['status'], ENT_QUOTES); ?>" disabled="disabled" />
 						</div>
 					</div>
-            	</div>
+				</div>
 				<input type="submit" class="btn btn-outline btn-primary" name="SaveOpenVPNSettings" value="Save settings" />
 				<?php
 				if($hostapdstatus[0] == 0) {
-					echo '<input type="submit" class="btn btn-success" name="StartOpenVPN" value="Start OpenVPN" />';
+					echo '<input type="submit" class="btn btn-success" name="StartOpenVPN" value="Start OpenVPN" />' , PHP_EOL;
 				} else {
-					echo '<input type="submit" class="btn btn-warning" name="StopOpenVPN" value="Stop OpenVPN" />';
+					echo '<input type="submit" class="btn btn-warning" name="StopOpenVPN" value="Stop OpenVPN" />' , PHP_EOL;
 				}
-				?>
+?>
 				</form>
 		</div><!-- /.panel-body -->
-    </div><!-- /.panel-primary -->
-    <div class="panel-footer"> Information provided by openvpn</div>
+	</div><!-- /.panel-primary -->
+	<div class="panel-footer"> Information provided by openvpn</div>
 </div><!-- /.col-lg-12 -->
 </div><!-- /.row -->
 <?php
@@ -339,12 +339,11 @@ function DisplayTorProxyConfig(){
 		}
 	}
 
-	?>
+?>
 	<div class="row">
 	<div class="col-lg-12">
-    	<div class="panel panel-primary">           
-			<div class="panel-heading"><i class="fa fa-eye-slash fa-fw"></i> Configure TOR proxy
-            </div>
+		<div class="panel panel-primary">
+			<div class="panel-heading"><i class="fa fa-eye-slash fa-fw"></i> Configure TOR proxy</div>
         <!-- /.panel-heading -->
         <div class="panel-body">
         	<!-- Nav tabs -->
@@ -365,37 +364,37 @@ function DisplayTorProxyConfig(){
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">VirtualAddrNetwork</label>
-							<input type="text" class="form-control" name="virtualaddrnetwork" value="<?php echo $arrConfig['VirtualAddrNetwork']; ?>" />
+							<input type="text" class="form-control" name="virtualaddrnetwork" value="<?php echo htmlspecialchars($arrConfig['VirtualAddrNetwork'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">AutomapHostsSuffixes</label>
-							<input type="text" class="form-control" name="automaphostssuffixes" value="<?php echo $arrConfig['AutomapHostsSuffixes']; ?>" />
+							<input type="text" class="form-control" name="automaphostssuffixes" value="<?php echo htmlspecialchars($arrConfig['AutomapHostsSuffixes'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">AutomapHostsOnResolve</label>
-							<input type="text" class="form-control" name="automaphostsonresolve" value="<?php echo $arrConfig['AutomapHostsOnResolve']; ?>" />
+							<input type="text" class="form-control" name="automaphostsonresolve" value="<?php echo htmlspecialchars($arrConfig['AutomapHostsOnResolve'], ENT_QUOTES); ?>" />
 						</div>
 					</div>	
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">TransListenAddress</label>
-							<input type="text" class="form-control" name="translistenaddress" value="<?php echo $arrConfig['TransListenAddress']; ?>" />
+							<input type="text" class="form-control" name="translistenaddress" value="<?php echo htmlspecialchars($arrConfig['TransListenAddress'], ENT_QUOTES); ?>" />
 						</div>
 					</div>	
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">DNSPort</label>
-							<input type="text" class="form-control" name="dnsport" value="<?php echo $arrConfig['DNSPort']; ?>" />
+							<input type="text" class="form-control" name="dnsport" value="<?php echo htmlspecialchars($arrConfig['DNSPort'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">DNSListenAddress</label>
-							<input type="text" class="form-control" name="dnslistenaddress" value="<?php echo $arrConfig['DNSListenAddress']; ?>" />
+							<input type="text" class="form-control" name="dnslistenaddress" value="<?php echo htmlspecialchars($arrConfig['DNSListenAddress'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 				</div>
@@ -404,47 +403,47 @@ function DisplayTorProxyConfig(){
             		<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">ORPort</label>
-							<input type="text" class="form-control" name="orport" value="<?php echo $arrConfig['ORPort']; ?>" />
+							<input type="text" class="form-control" name="orport" value="<?php echo htmlspecialchars($arrConfig['ORPort'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">ORListenAddress</label>
-							<input type="text" class="form-control" name="orlistenaddress" value="<?php echo $arrConfig['ORListenAddress']; ?>" />
+							<input type="text" class="form-control" name="orlistenaddress" value="<?php echo htmlspecialchars($arrConfig['ORListenAddress'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">Nickname</label>
-							<input type="text" class="form-control" name="nickname" value="<?php echo $arrConfig['Nickname']; ?>" />
+							<input type="text" class="form-control" name="nickname" value="<?php echo htmlspecialchars($arrConfig['Nickname'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">Address</label>
-							<input type="text" class="form-control" name="address" value="<?php echo $arrConfig['Address']; ?>" />
+							<input type="text" class="form-control" name="address" value="<?php echo htmlspecialchars($arrConfig['Address'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">RelayBandwidthRate</label>
-							<input type="text" class="form-control" name="relaybandwidthrate" value="<?php echo $arrConfig['RelayBandwidthRate']; ?>" />
+							<input type="text" class="form-control" name="relaybandwidthrate" value="<?php echo htmlspecialchars($arrConfig['RelayBandwidthRate'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
 					<div class="row">
 						<div class="form-group col-md-4">
 							<label for="code">RelayBandwidthBurst</label>
-							<input type="text" class="form-control" name="relaybandwidthburst" value="<?php echo $arrConfig['RelayBandwidthBurst']; ?>" />
+							<input type="text" class="form-control" name="relaybandwidthburst" value="<?php echo htmlspecialchars($arrConfig['RelayBandwidthBurst'], ENT_QUOTES); ?>" />
 						</div>
 					</div>
-            	</div>
-		
+				</div>
+
 				<input type="submit" class="btn btn-outline btn-primary" name="SaveTORProxySettings" value="Save settings" />
 				<?php 
 				if( $torproxystatus[0] == 0 ) {
-					echo '<input type="submit" class="btn btn-success" name="StartTOR" value="Start TOR" />';
+					echo '<input type="submit" class="btn btn-success" name="StartTOR" value="Start TOR" />' , PHP_EOL;
 				} else {
-					echo '<input type="submit" class="btn btn-warning" name="StopTOR" value="Stop TOR" />';
+					echo '<input type="submit" class="btn btn-warning" name="StopTOR" value="Stop TOR" />' , PHP_EOL;
 				};
 				?>
 				</form>
@@ -470,26 +469,26 @@ function SaveTORAndVPNConfig(){
     echo "Attempting to start openvpn";
     exec( 'sudo /etc/init.d/openvpn start', $return );
     foreach( $return as $line ) {
-      echo $line."<br />";
+      echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
     }
   } elseif( isset($_POST['StopOpenVPN']) ) {
     echo "Attempting to stop openvpn";
     exec( 'sudo /etc/init.d/openvpn stop', $return );
     foreach( $return as $line ) {
-      echo $line."<br />";
+      echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
     }
   } elseif( isset($_POST['StartTOR']) ) {
     echo "Attempting to start TOR";
     exec( 'sudo /etc/init.d/tor start', $return );
     foreach( $return as $line ) {
-      echo $line."<br />";
+      echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
     }
   } elseif( isset($_POST['StopTOR']) ) {
     echo "Attempting to stop TOR";
     exec( 'sudo /etc/init.d/tor stop', $return );
     foreach( $return as $line ) {
-      echo $line."<br />";
+      echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
     }
   }
 }
-?>
+
diff --git a/includes/hostapd.php b/includes/hostapd.php
index 5aecec3..c5a41bd 100755
--- a/includes/hostapd.php
+++ b/includes/hostapd.php
@@ -62,7 +62,8 @@ function DisplayHostAPDConfig(){
       $arrConfig[$arrLine[0]]=$arrLine[1];
     }
   };
-  ?>
+
+?>
   <div class="row">
     <div class="col-lg-12">
       <div class="panel panel-primary">
@@ -96,7 +97,7 @@ function DisplayHostAPDConfig(){
                 <div class="row">
                   <div class="form-group col-md-4">
                     <label for="code"><?php echo _("SSID"); ?></label>
-                    <input type="text" class="form-control" name="ssid" value="<?php echo $arrConfig['ssid']; ?>" />
+                    <input type="text" class="form-control" name="ssid" value="<?php echo htmlspecialchars($arrConfig['ssid'], ENT_QUOTES); ?>" />
                   </div>
                 </div>
                 <div class="row">
@@ -129,7 +130,7 @@ function DisplayHostAPDConfig(){
                 <div class="row">
                   <div class="form-group col-md-4">
                     <label for="code"><?php echo _("PSK"); ?></label>
-                    <input type="text" class="form-control" name="wpa_passphrase" value="<?php echo $arrConfig['wpa_passphrase'] ?>" />
+                    <input type="text" class="form-control" name="wpa_passphrase" value="<?php echo htmlspecialchars($arrConfig['wpa_passphrase'], ENT_QUOTES); ?>" />
                   </div>
                 </div>
               </div>
@@ -140,7 +141,7 @@ function DisplayHostAPDConfig(){
                       <?php
                           if($arrHostapdConf['LogEnable'] == 1) {
                               $log = file_get_contents('/tmp/hostapd.log');
-                              echo '<br /><textarea class="logoutput">'.$log.'</textarea>';
+                              echo '<br /><textarea class="logoutput">'.htmlspecialchars($log, ENT_QUOTES).'</textarea>';
                           } else {
                               echo "<br />Logfile output not enabled";
                           }
@@ -154,8 +155,14 @@ function DisplayHostAPDConfig(){
                   <div class="col-md-4">
                   <div class="form-check">
                     <label class="form-check-label">
-			<?php echo _("Enable logging"); ?> <?php $checked = ''; if($arrHostapdConf['LogEnable'] == 1) { $checked = 'checked'; } ?>
-                        <input id="logEnable" name ="logEnable" type="checkbox" class="form-check-input" value="1" <?php echo $checked; ?> />
+                      <?php echo _("Enable logging");
+$checked = ''; 
+if ($arrHostapdConf['LogEnable'] == 1) {
+    $checked = ' checked="checked"';
+}
+
+?>
+                      <input id="logEnable" name ="logEnable" type="checkbox" class="form-check-input" value="1"<?php echo $checked; ?> />
                     </label>
                   </div>
                   </div>
@@ -163,7 +170,7 @@ function DisplayHostAPDConfig(){
                 <div class="row">
                   <div class="form-group col-md-4">
                   <label for="code"><?php echo _("Country Code"); ?></label>
-                  <input type="hidden" id="selected_country" value="<?php echo $arrConfig['country_code'] ?>">
+                  <input type="hidden" id="selected_country" value="<?php echo htmlspecialchars($arrConfig['country_code'], ENT_QUOTES); ?>">
                   <select  class="form-control"  id="countries" name="country_code">
                     <option value="AF">Afghanistan</option>
                     <option value="AX">Åland Islands</option>
@@ -414,29 +421,30 @@ function DisplayHostAPDConfig(){
                     <option value="YE">Yemen</option>
                     <option value="ZM">Zambia</option>
                     <option value="ZW">Zimbabwe</option>
-        	  </select>
-        	  <script>       
-		    country = document.getElementById("selected_country").value;
-		    countries = document.getElementById("countries");
-		    ops = countries.getElementsByTagName("option");
-		      for(i = 0;i < ops.length; i++) {
-			if(ops[i].value == country){
-			  ops[i].selected=true;
-			  break;
-			}
-		      }
-		  </script>
+                  </select>
+<script type="text/javascript">
+var country = document.getElementById("selected_country").value;
+var countries = document.getElementById("countries");
+var ops = countries.getElementsByTagName("option");
+for (var i = 0; i < ops.length; ++i) {
+	if(ops[i].value == country){
+		ops[i].selected=true;
+		break;
+	}
+}
+
+</script>
                 </div>
               </div><!-- /.panel-body -->
             </div><!-- /.panel-primary -->
             <input type="submit" class="btn btn-outline btn-primary" name="SaveHostAPDSettings" value="<?php echo _("Save settings"); ?>" />
             <?php
               if($hostapdstatus[0] == 0) {
-                echo '<input type="submit" class="btn btn-success" name="StartHotspot" value="' . _("Start hotspot") . '"/>';
+                echo '<input type="submit" class="btn btn-success" name="StartHotspot" value="' . _("Start hotspot") . '"/>' , PHP_EOL;
               } else {
-                echo '<input type="submit" class="btn btn-warning" name="StopHotspot" value="' . _("Stop hotspot") . '"/>';
+                echo '<input type="submit" class="btn btn-warning" name="StopHotspot" value="' . _("Stop hotspot") . '"/>' , PHP_EOL;
               };
-            ?>
+?>
           </form>
         </div></div><!-- /.panel-primary -->
       <div class="panel-footer"> <?php echo _("Information provided by hostapd"); ?></div>
@@ -448,12 +456,17 @@ function DisplayHostAPDConfig(){
 function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status) {
   // It should not be possible to send bad data for these fields so clearly
   // someone is up to something if they fail. Fail silently.
-  if (!(array_key_exists($_POST['wpa'], $wpa_array) && array_key_exists($_POST['wpa_pairwise'], $enc_types) && in_array($_POST['hw_mode'], $modes))) {
-    error_log("Attempting to set hostapd config with wpa='".$_POST['wpa']."', wpa_pairwise='".$_POST['wpa_pairwise']."' and hw_mode='".$_POST['hw_mode']."'");
+  if (!(array_key_exists($_POST['wpa'], $wpa_array) &&
+      array_key_exists($_POST['wpa_pairwise'], $enc_types) &&
+      in_array($_POST['hw_mode'], $modes))) {
+    error_log("Attempting to set hostapd config with wpa='".$_POST['wpa']."', wpa_pairwise='".$_POST['wpa_pairwise']."' and hw_mode='".$_POST['hw_mode']."'");  // FIXME: log injection
     return false;
   }
-  if ((!filter_var($_POST['channel'], FILTER_VALIDATE_INT)) || intval($_POST['channel']) < 1 || intval($_POST['channel']) > 14) {
-    error_log("Attempting to set channel to '".$_POST['channel']."'");
+
+  if ((!filter_var($_POST['channel'], FILTER_VALIDATE_INT)) || 
+       intval($_POST['channel']) < 1 ||
+       intval($_POST['channel']) > 14) {
+    error_log("Attempting to set channel to '".$_POST['channel']."'");  // FIXME: log injection
     return false;
   }
 
@@ -477,25 +490,29 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status)
             exec('sudo /etc/raspap/hostapd/disablelog.sh');
         }
     }
+
     write_php_ini(["LogEnable" => $logEnable],'/etc/raspap/hostapd.ini');
 
   // Verify input
-  if (strlen($_POST['ssid']) == 0 || strlen($_POST['ssid']) > 32) {
+  if (empty($_POST['ssid']) || strlen($_POST['ssid']) > 32) {
     // Not sure of all the restrictions of SSID
     $status->addMessage('SSID must be between 1 and 32 characters', 'danger');
     $good_input = false;
   }
+
   if (strlen($_POST['wpa_passphrase']) < 8 || strlen($_POST['wpa_passphrase']) > 63) {
     $status->addMessage('WPA passphrase must be between 8 and 63 characters', 'danger');
     $good_input = false;
   }
+
   if (! in_array($_POST['interface'], $interfaces)) {
     // The user is probably up to something here but it may also be a
     // genuine error.
     $status->addMessage('Unknown interface '.$_POST['interface'], 'danger');
     $good_input = false;
   }
-  if (strlen($_POST['country_code']) != 0 && strlen($_POST['country_code']) != 2) {
+
+  if (strlen($_POST['country_code']) !== 0 && strlen($_POST['country_code']) != 2) {
     $status->addMessage('Country code must be blank or two characters', 'danger');
     $good_input = false;
   }
@@ -510,6 +527,7 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status)
       fwrite($tmp_file, 'auth_algs=1'.PHP_EOL);
       fwrite($tmp_file, 'wpa_key_mgmt=WPA-PSK'.PHP_EOL);
 
+      // TODO: deal with ini file value escaping. E.g. ssid=E=mc2 becomes ssid=E\=mc2
       fwrite($tmp_file, 'ssid='.$_POST['ssid'].PHP_EOL);
       fwrite($tmp_file, 'channel='.$_POST['channel'].PHP_EOL);
       fwrite($tmp_file, 'hw_mode='.$_POST['hw_mode'].PHP_EOL);
@@ -531,6 +549,7 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status)
       return false;
     }
   }
+
   return true;
 }
-?>
+
diff --git a/includes/networking.php b/includes/networking.php
index d0b01f3..25a4054 100755
--- a/includes/networking.php
+++ b/includes/networking.php
@@ -30,7 +30,7 @@ function DisplayNetworkingConfig(){
 	      <li role="presentation" class="active"><a href="#summary" aria-controls="summary" role="tab" data-toggle="tab"><?php echo _("Summary"); ?></a></li>
                 <?php
                   foreach($interfaces as $interface) {
-                      echo '<li role="presentation"><a href="#'.$interface.'" aria-controls="'.$interface.'" role="tab" data-toggle="tab">'.$interface.'</a></li>';
+                      echo '<li role="presentation"><a href="#'.htmlspecialchars($interface, ENT_QUOTES).'" aria-controls="'.htmlspecialchars($interface, ENT_QUOTES).'" role="tab" data-toggle="tab">'.htmlspecialchars($interface, ENT_QUOTES).'</a></li>';
                   }
                 ?>
               </ul>
@@ -42,8 +42,8 @@ function DisplayNetworkingConfig(){
                         foreach($interfaces as $interface) {
                           echo '<div class="col-md-6">
                             <div class="panel panel-default">
-                                <div class="panel-heading">'.$interface.'</div>
-                                <div class="panel-body" id="'.$interface.'-summary"></div>
+                                <div class="panel-heading">'.htmlspecialchars($interface, ENT_QUOTES).'</div>
+                                <div class="panel-body" id="'.htmlspecialchars($interface, ENT_QUOTES).'-summary"></div>
                             </div>
                             </div>';
                         }
@@ -55,63 +55,63 @@ function DisplayNetworkingConfig(){
                       </div><!-- /.row -->
                     </div><!-- /.col-lg-12 -->
                   </div><!-- /.tab-pane -->
-                <?php
+<?php
                   foreach($interfaces as $interface) {
                       echo '
-                      <div role="tabpanel" class="tab-pane fade in" id="'.$interface.'">
+                      <div role="tabpanel" class="tab-pane fade in" id="'.htmlspecialchars($interface, ENT_QUOTES).'">
                         <div class="row">
                           <div class="col-lg-6">
-                            <form id="frm-'.$interface.'">
+                            <form id="frm-'.htmlspecialchars($interface, ENT_QUOTES).'">
                               <div class="form-group">
                                 <h4>' . _("Adapter IP Address Settings") . '</h4>
                                 <div class="btn-group" data-toggle="buttons">
                                   <label class="btn btn-primary">
-                                    <input type="radio" name="'.$interface.'-addresstype" id="'.$interface.'-dhcp" autocomplete="off">' . _("DHCP") . '
+                                    <input type="radio" name="'.htmlspecialchars($interface, ENT_QUOTES).'-addresstype" id="'.htmlspecialchars($interface, ENT_QUOTES).'-dhcp" autocomplete="off">' . _("DHCP") . '
                                   </label>
                                   <label class="btn btn-primary">
-                                    <input type="radio" name="'.$interface.'-addresstype" id="'.$interface.'-static" autocomplete="off">' . _("Static IP") . '
+                                    <input type="radio" name="'.htmlspecialchars($interface, ENT_QUOTES).'-addresstype" id="'.htmlspecialchars($interface, ENT_QUOTES).'-static" autocomplete="off">' . _("Static IP") . '
                                   </label>
                                 </div><!-- /.btn-group -->
                                 <h4>' . _("Enable Fallback to Static Option") . '</h4>
                                 <div class="btn-group" data-toggle="buttons">
                                   <label class="btn btn-primary">
-                                    <input type="radio" name="'.$interface.'-dhcpfailover" id="'.$interface.'-failover" autocomplete="off">' . _("Enabled") . '
+                                    <input type="radio" name="'.htmlspecialchars($interface, ENT_QUOTES).'-dhcpfailover" id="'.htmlspecialchars($interface, ENT_QUOTES).'-failover" autocomplete="off">' . _("Enabled") . '
                                   </label>
                                   <label class="btn btn-warning">
-                                    <input type="radio" name="'.$interface.'-dhcpfailover" id="'.$interface.'-nofailover" autocomplete="off">' . _("Disabled") . '
+                                    <input type="radio" name="'.htmlspecialchars($interface, ENT_QUOTES).'-dhcpfailover" id="'.htmlspecialchars($interface, ENT_QUOTES).'-nofailover" autocomplete="off">' . _("Disabled") . '
                                   </label>
                                 </div><!-- /.btn-group -->
                               </div><!-- /.form-group -->
                               <hr />
                               <h4>' . _("Static IP Options") . '</h4>
                               <div class="form-group">
-                                <label for="'.$interface.'-ipaddress">' . _("IP Address") . '</label>
-                                <input type="text" class="form-control" id="'.$interface.'-ipaddress" placeholder="0.0.0.0">
+                                <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-ipaddress">' . _("IP Address") . '</label>
+                                <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-ipaddress" placeholder="0.0.0.0">
                               </div>
                               <div class="form-group">
-                                <label for="'.$interface.'-netmask">' . _("Subnet Mask") . '</label>
-                                <input type="text" class="form-control" id="'.$interface.'-netmask" placeholder="255.255.255.0">
+                                <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-netmask">' . _("Subnet Mask") . '</label>
+                                <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-netmask" placeholder="255.255.255.0">
                               </div>
                               <div class="form-group">
-                                <label for="'.$interface.'-gateway">' . _("Default Gateway") . '</label>
-                                <input type="text" class="form-control" id="'.$interface.'-gateway" placeholder="0.0.0.0">
+                                <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-gateway">' . _("Default Gateway") . '</label>
+                                <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-gateway" placeholder="0.0.0.0">
                               </div>
                               <div class="form-group">
-                                <label for="'.$interface.'-dnssvr">' . _("DNS Server") . '</label>
-                                <input type="text" class="form-control" id="'.$interface.'-dnssvr" placeholder="0.0.0.0">
+                                <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-dnssvr">' . _("DNS Server") . '</label>
+                                <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-dnssvr" placeholder="0.0.0.0">
                               </div>
                               <div class="form-group">
-                                <label for="'.$interface.'-dnssvralt">' . _("Alternate DNS Server") . '</label>
-                                <input type="text" class="form-control" id="'.$interface.'-dnssvralt" placeholder="0.0.0.0">
+                                <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-dnssvralt">' . _("Alternate DNS Server") . '</label>
+                                <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-dnssvralt" placeholder="0.0.0.0">
                               </div>
-                              <a href="#" class="btn btn-outline btn-primary intsave" data-int="'.$interface.'">' . _("Save settings") . '</a>
-                              <a href="#" class="btn btn-warning intapply" data-int="'.$interface.'">' . _("Apply settings") . '</a>
+                              <a href="#" class="btn btn-outline btn-primary intsave" data-int="'.htmlspecialchars($interface, ENT_QUOTES).'">' . _("Save settings") . '</a>
+                              <a href="#" class="btn btn-warning intapply" data-int="'.htmlspecialchars($interface, ENT_QUOTES).'">' . _("Apply settings") . '</a>
                               </form>
                             </div>
                       </div><!-- /.tab-panel -->
                     </div>';
                   }
-                ?>
+?>
               </div><!-- /.tab-content -->
             </div><!-- /.panel-body -->
 	    <div class="panel-footer"><?php echo _("Information provided by /sys/class/net"); ?></div>
diff --git a/includes/system.php b/includes/system.php
index 6a07b3d..308b312 100755
--- a/includes/system.php
+++ b/includes/system.php
@@ -141,23 +141,23 @@ function DisplaySystem(){
       <div class="row">
         <div class="col-lg-6">
           <h4><?php echo _("System Information"); ?></h4>
-          <div class="info-item"><?php echo _("Hostname"); ?></div> <?php echo $hostname ?></br>
-          <div class="info-item"><?php echo _("Pi Revision"); ?></div> <?php echo RPiVersion() ?></br>
-          <div class="info-item"><?php echo _("Uptime"); ?></div>   <?php echo $uptime ?></br></br>
+          <div class="info-item"><?php echo _("Hostname"); ?></div> <?php echo htmlspecialchars($hostname, ENT_QUOTES); ?></br>
+          <div class="info-item"><?php echo _("Pi Revision"); ?></div> <?php echo htmlspecialchars(RPiVersion(), ENT_QUOTES); ?></br>
+          <div class="info-item"><?php echo _("Uptime"); ?></div>   <?php echo htmlspecialchars($uptime, ENT_QUOTES); ?></br></br>
           <div class="info-item"><?php echo _("Memory Used"); ?></div>
           <div class="progress">
-          <div class="progress-bar progress-bar-<?php echo $memused_status ?> progress-bar-striped active"
+          <div class="progress-bar progress-bar-<?php echo htmlspecialchars($memused_status, ENT_QUOTES); ?> progress-bar-striped active"
           role="progressbar"
-          aria-valuenow="<?php echo $memused ?>" aria-valuemin="0" aria-valuemax="100"
-          style="width: <?php echo $memused ?>%;"><?php echo $memused ?>%
+          aria-valuenow="<?php echo htmlspecialchars($memused, ENT_QUOTES); ?>" aria-valuemin="0" aria-valuemax="100"
+          style="width: <?php echo htmlspecialchars($memused, ENT_QUOTES); ?>%;"><?php echo htmlspecialchars($memused, ENT_QUOTES); ?>%
           </div>
           </div>
           <div class="info-item"><?php echo _("CPU Load"); ?></div>
           <div class="progress">
-          <div class="progress-bar progress-bar-<?php echo $cpuload_status ?> progress-bar-striped active"
+          <div class="progress-bar progress-bar-<?php echo htmlspecialchars($cpuload_status, ENT_QUOTES); ?> progress-bar-striped active"
           role="progressbar"
-          aria-valuenow="<?php echo $cpuload ?>" aria-valuemin="0" aria-valuemax="100"
-          style="width: <?php echo $cpuload ?>%;"><?php echo $cpuload ?>%
+          aria-valuenow="<?php echo htmlspecialchars($cpuload, ENT_QUOTES); ?>" aria-valuemin="0" aria-valuemax="100"
+          style="width: <?php echo htmlspecialchars($cpuload, ENT_QUOTES); ?>%;"><?php echo htmlspecialchars($cpuload, ENT_QUOTES); ?>%
           </div>
           </div>
 
@@ -200,9 +200,9 @@ function DisplaySystem(){
   </form>
   </div><!-- /.panel-primary -->
   <div class="panel-footer"></div>
+  </div><!-- /.panel-primary -->
   </div><!-- /.col-lg-12 -->
   </div><!-- /.row -->
-  </xdiv>
 <?php
 }
-?>
+
diff --git a/includes/themes.php b/includes/themes.php
index fb3850c..fded5bd 100755
--- a/includes/themes.php
+++ b/includes/themes.php
@@ -11,13 +11,13 @@ function DisplayThemeConfig(){
 
   switch( $_COOKIE['theme'] ) {
     case "custom.css":
-      $cselected = "selected";
+      $cselected = ' selected="selected"';
       break;
     case "hackernews.css":
-      $hselected = "selected";
+      $hselected = ' selected="selected"';
       break;
     case "terminal.css":
-      $tselected = "selected";
+      $tselected = ' selected="selected"';
       break;
   }
 
@@ -37,9 +37,9 @@ function DisplayThemeConfig(){
           <div class="form-group col-md-6">
             <label for="code"><?php echo _("Select a theme"); ?></label>  
               <select class="form-control" id="theme-select"><?php echo _("Select a Theme"); ?>
-                <option value="default" class="theme-link" <?php echo $cselected; ?>>RaspAP (default)</option>
+                <option value="default" class="theme-link"<?php echo $cselected; ?>>RaspAP (default)</option>
                 <option value="hackernews" class="theme-link"<?php echo $hselected; ?>>HackerNews</option>
-                <option value="terminal" class="theme-link" <?php echo $tselected; ?>>Terminal</option>
+                <option value="terminal" class="theme-link"<?php echo $tselected; ?>>Terminal</option>
               </select>
           </div>
         </div>
@@ -59,5 +59,4 @@ function DisplayThemeConfig(){
   </div><!-- /.row -->
   <?php
 }
-?>