diff --git a/web/root/sajax-forum/client_functions.xjs b/web/root/sajax-forum/client_functions.xjs
index 5955c7d74b572a8e3eb4068127cf15a175c3c447..3d1c9dec89040cca3acb34437769b08ae70ba5e7 100644
--- a/web/root/sajax-forum/client_functions.xjs
+++ b/web/root/sajax-forum/client_functions.xjs
@@ -76,7 +76,7 @@ function toggle_replies(sub_code, message_number)
 	var expander=document.getElementById(expanderid);
 
 	if(container.innerHTML=='') {
-		ajaxpage(messages_url+"?sub_code="+sub_code+"&msg_number="+message_number+'&user='+user,containerid,expanderid,minus_url);
+		ajaxpage(messages_url+"?sub_code="+encodeURIComponent(sub_code)+"&msg_number="+message_number+'&user='+encodeURIComponent(user),containerid,expanderid,minus_url);
 		container.style.display='block';
 	}
 	else {
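Review bot: `message_number` is still concatenated into the query string unencoded on the new `ajaxpage(...)` line, while `sub_code` and `user` beside it are now encoded. It arrives as a plain function argument, so if it is ever a non-numeric string, a `&` or `#` in it would add or truncate parameters just as the unencoded `sub_code` could. I would encode it the same way, `"&msg_number="+encodeURIComponent(message_number)`, or coerce it with `Number(message_number)` before use. The same applies to `message_number` in the toggle_body hunk and to `count` and `offset` in load_more_messages. toggle_replies starts and ends outside this hunk.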
@@ -98,7 +98,7 @@ function toggle_body(sub_code, message_number)
 	var message=container.parentNode.parentNode;
 
 	if(container.innerHTML=='') {
-		ajaxpage(body_url+"?sub_code="+sub_code+"&msg_number="+message_number+'&user='+user,containerid);
+		ajaxpage(body_url+"?sub_code="+encodeURIComponent(sub_code)+"&msg_number="+message_number+'&user='+encodeURIComponent(user),containerid);
 		container.style.display='block';
 		/* If this is higher than the current read_ptr, update it */
 		if(read_ptr[sub_code] < message_number)
@@ -144,7 +144,7 @@ function load_more_messages(sub_code, offset, count)
 	var m=container.innerHTML.match(/^([\u0000-\uffff]*?)<[Aa] href="javascript:load_more_messages[\u0000-\uffff]*$/);
 
 	if(m!=null) {
-		ajaxpage(messages_url+"?sub_code="+sub_code+'&msg_count='+count+'&msg_offset='+offset+'&user='+user,containerid, undefined, undefined, false, m[1]);
+		ajaxpage(messages_url+"?sub_code="+encodeURIComponent(sub_code)+'&msg_count='+count+'&msg_offset='+offset+'&user='+encodeURIComponent(user),containerid, undefined, undefined, false, m[1]);
 	}
 	else {
 		alert("No match!");
@@ -157,7 +157,7 @@ function toggle_messages(sub_code)
 	var container=document.getElementById(containerid);
 
 	if(container.innerHTML=='') {
-		ajaxpage(messages_url+"?sub_code="+sub_code+'&user='+user,containerid);
+		ajaxpage(messages_url+"?sub_code="+encodeURIComponent(sub_code)+'&user='+encodeURIComponent(user),containerid);
 		container.style.display='block';
 		if(read_ptr[sub_code]==undefined)
 			read_ptr[sub_code]=0;
@@ -176,7 +176,7 @@ function toggle_subs(group_code)
 	var container=document.getElementById(containerid);
 
 	if(container.innerHTML=='') {
-		ajaxpage(subs_url+"?group_code="+group_code+'&user='+user,containerid);
+		ajaxpage(subs_url+"?group_code="+encodeURIComponent(group_code)+'&user='+encodeURIComponent(user),containerid);
 		container.style.display='block';
 	}
 	else {
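Review bot: The query string here is still assembled by hand, and the same `encodeURIComponent(...)` wrapping is now repeated at seven call sites in this diff, so the next parameter someone adds can easily miss it. A small helper that takes the base URL and an object of parameters, and encodes every key and value, would keep the encoding in one place and reduce the call in toggle_subs to a single line. The helper would sit next to ajaxpage, outside this hunk, and toggle_subs itself begins and ends outside the hunk.

```javascript
function build_query(base, params)
{
	var parts=[];
	for(var key in params) {
		if(Object.prototype.hasOwnProperty.call(params, key))
			parts.push(encodeURIComponent(key)+'='+encodeURIComponent(params[key]));
	}
	return base+'?'+parts.join('&');
}

// … unchanged: container lookup in toggle_subs …
	if(container.innerHTML=='') {
		ajaxpage(build_query(subs_url, {group_code: group_code, user: user}),containerid);
```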
@@ -190,7 +190,7 @@ function toggle_subs(group_code)
 function reload_groups()
 {
 	var containerid='group-list';
-	ajaxpage(groups_url+'?user='+user,containerid);
+	ajaxpage(groups_url+'?user='+encodeURIComponent(user),containerid);
 }
 
 function ajaxpage(url, containerid, buttonid, buttonurl, is_script, prefix, suffix)
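Review bot: `user` is read from a page-level variable and sent as a request parameter, so encoding it fixes the URL syntax but the value remains whatever the client chooses to send. If the server-side scripts behind `groups_url` (and the other URLs in this diff that receive `&user=`) use this parameter to decide whose groups, subs or messages to return, that decision should come from the authenticated session instead. Those handlers are not visible here, so this needs confirming. A comment above reload_groups such as `/* user is advisory only; the server must authorise from the session */` would record the assumption.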
@@ -286,7 +286,7 @@ function login()
 	var new_password=document.getElementById('login_password').value;
 	/* Clear newest read pointers */
 	read_ptr=new Object();
-	ajaxpage(login_url+'?user='+new_user+'&pass='+new_password+'&killcache='+new Date().getTime()+Math.random(), 'current_user',undefined,undefined,true);
+	ajaxpage(login_url+'?user='+encodeURIComponent(new_user)+'&pass='+encodeURIComponent(new_password)+'&killcache='+new Date().getTime()+Math.random(), 'current_user',undefined,undefined,true);
 }
 
 function update_pointers()
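Review bot: The password is still placed in the query string of the request on the new `ajaxpage(login_url+...)` line, so even correctly encoded it will be written to web-server and proxy access logs along with the rest of the URL. Credentials should travel in a POST body over HTTPS. ajaxpage's body is outside this diff, so I cannot tell whether it already supports POST; it may need a method/body argument added. The `killcache` value only defeats caching and does not keep the URL out of logs. login() starts outside this hunk.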