diff --git a/application/cmdbabstract.class.inc.php b/application/cmdbabstract.class.inc.php
index 822a9ee9c..2e9e48485 100644
--- a/application/cmdbabstract.class.inc.php
+++ b/application/cmdbabstract.class.inc.php
@@ -1522,7 +1522,7 @@ abstract class cmdbAbstractObject extends CMDBObject implements iDisplay
 {
 if (is_scalar($sValue))
 {
- $sHtml .= "\n";
+ $sHtml .= "\n";
 }
 }
 $sHtml .= "\n";
diff --git a/application/portalwebpage.class.inc.php b/application/portalwebpage.class.inc.php
index d031aba5b..77847890a 100644
--- a/application/portalwebpage.class.inc.php
+++ b/application/portalwebpage.class.inc.php
@@ -826,7 +826,7 @@ EOF
 }
 $sStepHistory = implode(',', $aPreviousSteps);
- $this->add("");
+ $this->add("");
 if (!is_null($sNextStep))
 {
diff --git a/application/ui.extkeywidget.class.inc.php b/application/ui.extkeywidget.class.inc.php
index edb76d104..3b5c784ce 100644
--- a/application/ui.extkeywidget.class.inc.php
+++ b/application/ui.extkeywidget.class.inc.php
@@ -259,7 +259,7 @@ EOF
 $sHTMLValue .= "iId}\" style=\"border:0;vertical-align:middle;cursor:pointer;\" src=\"../images/mini_search.gif\" onClick=\"oACWidget_{$this->iId}.Search();\"/> ";
 // another hidden input to store & pass the object's Id
- $sHTMLValue .= "iId\" name=\"{$sAttrFieldPrefix}{$sFieldName}\" value=\"$value\" />\n";
+ $sHTMLValue .= "iId\" name=\"{$sAttrFieldPrefix}{$sFieldName}\" value=\"".htmlentities($value, ENT_QUOTES, 'UTF-8')."\" />\n";
 $JSSearchMode = $this->bSearchMode ? 'true' : 'false';
 // Scripts to start the autocomplete and bind some events to it
diff --git a/readme.txt b/readme.txt
index daf112771..242d7017f 100644
--- a/readme.txt
+++ b/readme.txt
@@ -1,4 +1,4 @@
-iTop - version 2.1.0 - 16-Dec-2014
+iTop - version 2.1.0 - 18-Dec-2014
 Readme file
 1. ABOUT THIS RELEASE
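Review bot: `htmlentities($value, ENT_QUOTES, 'UTF-8')` on the added line of the ui.extkeywidget hunk returns an empty string when `$value` holds a byte sequence that is not valid UTF-8, so a malformed id is silently emitted as `value=""` instead of being rejected or preserved; adding `ENT_SUBSTITUTE` (available since PHP 5.4) keeps the output non-empty, i.e. `htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The same line still interpolates `{$sAttrFieldPrefix}{$sFieldName}` into the `name` attribute without escaping; their origin is outside the hunk, so if either can be derived from request input they need the same treatment as `$value`. The cmdbabstract and portalwebpage hunks appear to make the same kind of change, but the tag markup on their changed lines is stripped from this rendering, so the exact call used there cannot be checked here; whichever flag set is chosen should be identical in all three places. The enclosing methods in all three hunks start and end outside the shown lines.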
@@ -284,6 +284,7 @@ Prevent the JS validation (on focus) to create multiple entries for the same fie
 #1037 Refresh "priority" when either "impact" or "urgency" changes.
 #1038 Duplicate column name (service name) when importing service subcategories
 #1040 The graphical display of "impact/depends on" is not consistent with the "list" tab
+#1041 Protect against XSS injections
 Extending the data model