diff --git a/includes/account.php b/includes/account.php
index 9f85b89..0158851 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -67,7 +67,7 @@
 if(mysql_num_rows($res) > 0)
 {
 showheader(_("My CAcert.org Account!"));
- printf(_("The email address '%s' is already in the system. Can't continue."), $_REQUEST['email']);
+ printf(_("The email address '%s' is already in the system. Can't continue."), sanitizeHTML($_REQUEST['email']));
 showfooter();
 exit;
 }
@@ -433,7 +433,7 @@
 $oldid=0;
 $id = 7;
 showheader(_("My CAcert.org Account!"));
- printf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), $newdomain);
+ printf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), sanitizeHTML($newdomain));
 showfooter();
 exit;
 }
@@ -512,7 +512,7 @@
 if(mysql_num_rows($res) > 0)
 {
 showheader(_("My CAcert.org Account!"));
- printf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), $_SESSION['_config']['domain']);
+ printf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), sanitizeHTML($_SESSION['_config']['domain']));
 showfooter();
 exit;
 }
@@ -1892,7 +1892,7 @@
 `C`='".$_SESSION['_config']['C']."', `comments`='".$_SESSION['_config']['comments']."'");
 showheader(_("My CAcert.org Account!"));
- printf(_("'%s' has just been successfully added as an organisation to the database."), $_SESSION['_config']['O']);
+ printf(_("'%s' has just been successfully added as an organisation to the database."), sanitizeHTML($_SESSION['_config']['O']));
 showfooter();
 exit;
 }
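Review bot: The sanitizeHTML() wrapper added around the echoed `$_REQUEST['email']` escapes at the right place (output, HTML text context), but the helper is defined outside this file and the hunk does not show which characters it encodes or whether it fixes a charset, so its adequacy for this context cannot be confirmed from the diff alone. Worth checking once and recording at this first call site: `// sanitizeHTML(): HTML-text escaping for every echoed request/session value; keep in step with the page charset`. The same wrapper is applied identically in the hunks at 433, 512, 1892, 1920 and 1932, so one confirmation covers all of them. The enclosing if-block and the query that populated $res start outside the hunk.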
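Review bot: The context line above the changed printf in the 1892 hunk still assembles the organisation query from session values by string concatenation (`$_SESSION['_config']['C']`, `['comments']`), so the commit escapes these fields for HTML output while the SQL statement they are interpolated into is left unchanged; the 1920 hunk (`comments`, `orgid`) and the 1932 hunk (`'$domain'`) show the same pattern. Unless each value was passed through mysql_real_escape_string() earlier in the handler (that code starts outside the hunk), it needs to be, e.g. `$comments = mysql_real_escape_string($_SESSION['_config']['comments']);` used in place of the raw session read, or the query rebuilt on a parameterised API. If the escaping does happen earlier, a one-line comment at the query naming where it is done would let the next reader verify it without tracing the whole handler. The query statement itself begins outside the hunk.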
@@ -1920,7 +1920,7 @@
 `comments`='".$_SESSION['_config']['comments']."' where `id`='".$_SESSION['_config']['orgid']."'");
 showheader(_("My CAcert.org Account!"));
- printf(_("'%s' has just been successfully updated in the database."), $_SESSION['_config']['O']);
+ printf(_("'%s' has just been successfully updated in the database."), sanitizeHTML($_SESSION['_config']['O']));
 showfooter();
 exit;
 }
@@ -1932,7 +1932,7 @@
 $res1 = mysql_query("select * from `orgdomains` where `domain`='$domain'");
 if(mysql_num_rows($res1) > 0)
 {
- $_SESSION['_config']['errmsg'] = sprintf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), $domain);
+ $_SESSION['_config']['errmsg'] = sprintf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), sanitizeHTML($domain));
 $id = $oldid;
 $oldid=0;
 }
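Review bot: The new line in the 1932 hunk stores an already HTML-escaped message in `$_SESSION['_config']['errmsg']`, which moves escaping from the output point to the storage point: the page that later prints errmsg (not in this hunk) must now emit it raw, and if it escapes again the domain is double-encoded, while any other writer of errmsg that does not call sanitizeHTML() still reaches the page unescaped. The more robust split is to keep the session value plain, `sprintf(..., $domain)`, and apply sanitizeHTML() where errmsg is echoed; if the current consumer is being kept as-is, a comment here, `// errmsg is stored pre-escaped for HTML; the consumer must print it without re-escaping`, records the contract. The enclosing form handler begins outside the hunk.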