diff --git a/core/templates/404.php b/core/templates/404.php
index 13a81010343449ec60658b55083529e582b35eb5..cd4f2b40bb2e0e21a5397a25f691fe4d420d28e0 100644
--- a/core/templates/404.php
+++ b/core/templates/404.php
@@ -10,6 +10,6 @@ if(!isset($_)){//also provide standalone error page
 <ul>
 	<li class='error'>
 		<?php echo $l->t( 'Cloud not found' ); ?><br/>
-		<p class='hint'><?php if(isset($_['file'])) echo $_['file']?></p>
+		<p class='hint'><?php if(isset($_['file'])) echo htmlentities($_['file'])?></p>
 	</li>
 </ul>
diff --git a/files/templates/index.php b/files/templates/index.php
index f423b96ba1e39523f832ff1ab79afdafe6c838b0..639bdeaead83fb1e575394e424060c8f56a5e1aa 100644
--- a/files/templates/index.php
+++ b/files/templates/index.php
@@ -15,7 +15,7 @@
 				<form data-upload-id='1' class="file_upload_form" action="ajax/upload.php" method="post" enctype="multipart/form-data" target="file_upload_target_1">
 					<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload">
 					<input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
-					<input type="hidden" name="dir" value="<?php echo $_['dir'] ?>" id="dir">
+					<input type="hidden" name="dir" value="<?php echo htmlentities($_['dir']) ?>" id="dir">
 					<button class="file_upload_filename">&nbsp;<img class='svg action' alt="Upload" src="<?php echo image_path("core", "actions/upload.svg"); ?>" /></button>
 					<input class="file_upload_start" type="file" name='files[]'/>
 						<a href="#" class="file_upload_button_wrapper" onclick="return false;" title="<?php echo $l->t('Upload'); echo  ' max. '.$_['uploadMaxHumanFilesize'] ?>"></a>
diff --git a/files/templates/part.breadcrumb.php b/files/templates/part.breadcrumb.php
index ab81cc5c03924c5d835fdd1aee449e19c280836e..16da6bb97b418e3fb6277d1413bcebb235e5ec9b 100644
--- a/files/templates/part.breadcrumb.php
+++ b/files/templates/part.breadcrumb.php
@@ -1,6 +1,6 @@
 	<?php for($i=0; $i<count($_["breadcrumb"]); $i++):
         $crumb = $_["breadcrumb"][$i]; ?>
 		<div class="crumb <?php if($i == count($_["breadcrumb"])-1) echo 'last';?> svg" data-dir='<?php echo $crumb["dir"];?>' style='background-image:url("<?php echo image_path('core','breadcrumb.png');?>")'>
-    		<a href="<?php echo $_['baseURL'].$crumb["dir"]; ?>"><?php echo htmlspecialchars($crumb["name"]); ?></a>
+    		<a href="<?php echo $_['baseURL'].$crumb["dir"]; ?>"><?php echo htmlentities($crumb["name"]); ?></a>
 		</div>
 	<?php endfor;?>
\ No newline at end of file