diff --git a/include/client/pwreset.login.php b/include/client/pwreset.login.php
index a1c1ed4e75f656b8372d95052aa1201ba2e28545..c2bc7e39935259b38c560bf1ccd9ee34a05c6ee1 100644
--- a/include/client/pwreset.login.php
+++ b/include/client/pwreset.login.php
@@ -12,7 +12,7 @@ Enter your username or email address again in the form below and press the
     <div style="width:50%;display:inline-block">
     <?php csrf_token(); ?>
     <input type="hidden" name="do" value="reset"/>
-    <input type="hidden" name="token" value="<?php echo $_REQUEST['token']; ?>"/>
+    <input type="hidden" name="token" value="<?php echo Format::htmlchars($_REQUEST['token']); ?>"/>
     <strong><?php echo Format::htmlchars($banner); ?></strong>
     <br>
     <div>
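Review bot: On the new `token` line, `$_REQUEST['token']` goes to `Format::htmlchars()` without a check that it is a string, so a request sending `token[]=` would presumably hand `echo` an array; the dynamic-list.inc.php hunk passes `$_POST` to the same helper, which suggests it accepts arrays. Consider `<?php echo Format::htmlchars(is_string($_REQUEST['token']) ? $_REQUEST['token'] : ''); ?>`. Because the value sits inside a double-quoted attribute, the fix also depends on `Format::htmlchars()` encoding `"`. Its definition is not visible here, so that is worth confirming.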
diff --git a/include/client/register.inc.php b/include/client/register.inc.php
index 0a5676781c0de4625ac2e033279ed3c67ec7bbf5..9c86407a1685cf3c6efc2a530daf41d93af29bcf 100644
--- a/include/client/register.inc.php
+++ b/include/client/register.inc.php
@@ -22,8 +22,8 @@ your account
 </p>
 <form action="account.php" method="post">
   <?php csrf_token(); ?>
-  <input type="hidden" name="do" value="<?php echo $_REQUEST['do']
-    ?: ($info['backend'] ? 'import' :'create'); ?>" />
+  <input type="hidden" name="do" value="<?php echo Format::htmlchars($_REQUEST['do']
+    ?: ($info['backend'] ? 'import' :'create')); ?>" />
 <table width="800" class="padded">
 <tbody>
 <?php
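Review bot: The hidden `do` field is now escaped, but its value is still taken from `$_REQUEST['do']`, so whoever builds the link to this page chooses which action the form submits to account.php. If `create` and `import` are the only actions this form is meant to post (the valid set is not visible in this hunk), select from that list rather than reflecting the parameter, e.g. `in_array($_REQUEST['do'], array('create', 'import'), true) ? $_REQUEST['do'] : ($info['backend'] ? 'import' : 'create')`. The output would then be limited to known constants, and the `Format::htmlchars()` call becomes defence in depth.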
diff --git a/include/staff/dynamic-list.inc.php b/include/staff/dynamic-list.inc.php
index a064dc935142d5f05a2fbfd8473c101484c34e4e..32b8921e0707c4bd741f89efe33584c05af468f8 100644
--- a/include/staff/dynamic-list.inc.php
+++ b/include/staff/dynamic-list.inc.php
@@ -19,7 +19,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
 <form action="?" method="post" id="save">
     <?php csrf_token(); ?>
     <input type="hidden" name="do" value="<?php echo $action; ?>">
-    <input type="hidden" name="a" value="<?php echo $_REQUEST['a']; ?>">
+    <input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
     <input type="hidden" name="id" value="<?php echo $info['id']; ?>">
     <h2>Custom List</h2>
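Review bot: `$action` in the `do` field directly above the changed line is still echoed into a double-quoted attribute without `Format::htmlchars()`. Its assignment is outside the hunk, so it may well be a fixed string, but if it can carry request data it needs the same treatment: `value="<?php echo Format::htmlchars($action); ?>"`. `$info['id']` appears to be covered already by the `$info=Format::htmlchars(...)` call shown in the hunk header.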