diff --git a/app/emails/emails.php b/app/emails/emails.php
index a543197a23..c7e9e06d28 100644
--- a/app/emails/emails.php
+++ b/app/emails/emails.php
@@ -210,19 +210,19 @@ else {
 			$tr_link = "href='email_view.php?id=".$row['email_uuid']."'";
 			echo "<tr ".$tr_link.">\n";
 			if ($_REQUEST['showall'] == true && permission_exists('emails_all')) {
-				echo "	<td valign='top' class='".$row_style[$c]."'>".$row['domain_name']."</td>\n";
+				echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['domain_name'])."</td>\n";
 			}
 
 			echo "	<td valign='top' class='".$row_style[$c]."'>";
 			$sent_date = explode('.', $row['sent_date']);
 			echo 		$sent_date[0];
 			echo "	</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$text['label-type_'.$row['type']]."</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]."'>".$text['label-status_'.$row['status']]."</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".$text['label-type_'.escape($row['type'])]."</td>\n";
+			echo "	<td valign='top' class='".$row_style[$c]."'>".$text['label-status_'.escape($row['status'])]."</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]." tr_link_void'>";
-			echo "		<a href='email_view.php?id=".$row['email_uuid']."'>".$text['label-message_view']."</a>&nbsp;&nbsp;";
+			echo "		<a href='email_view.php?id=".escape($row['email_uuid'])."'>".$text['label-message_view']."</a>&nbsp;&nbsp;";
 			if (permission_exists('email_download')) {
-				echo "	<a href='?id=".$row['email_uuid']."&a=download'>".$text['label-download']."</a>&nbsp;&nbsp;";
+				echo "	<a href='?id=".escape($row['email_uuid'])."&a=download'>".$text['label-download']."</a>&nbsp;&nbsp;";
 			}
 			if (permission_exists('email_resend')) {
 				echo "	<a href='?id=".$row['email_uuid']."&a=resend";
@@ -233,14 +233,14 @@ else {
 			}
 			echo "	</td>\n";
 			echo "	<td valign='top' class='row_stylebg tr_link_void' style='white-space: nowrap; vertical-align: top;'>";
-			echo "		<a href='".PROJECT_PATH."/app/xml_cdr/xml_cdr_details.php?uuid=".$row['call_uuid']."'>".$text['label-reference_cdr']."</a>";
+			echo "		<a href='".PROJECT_PATH."/app/xml_cdr/xml_cdr_details.php?uuid=".escape($row['call_uuid'])."'>".$text['label-reference_cdr']."</a>";
 			echo "		".($caller_id_name != '') ? "&nbsp;&nbsp;".$caller_id_name." (".format_phone($caller_id_number).")" : $caller_id_number;
 			echo 		"&nbsp;&nbsp;<span style='font-size: 150%; line-height: 10px;'>&#8674;</span>&nbsp;&nbsp;".$destination_number;
 			echo "	</td>\n";
 			echo "	<td class='list_control_icons'>";
-			echo 		"<a href='email_view.php?id=".$row['email_uuid']."' alt='".$text['label-message_view']."'>$v_link_label_view</a>";
+			echo 		"<a href='email_view.php?id=".escape($row['email_uuid'])."' alt='".$text['label-message_view']."'>$v_link_label_view</a>";
 			if (permission_exists('email_delete')) {
-				echo 	"<a href='email_delete.php?id=".$row['email_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
+				echo 	"<a href='email_delete.php?id=".escape($row['email_uuid'])."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
 			}
 			echo "	</td>\n";
 			echo "</tr>\n";