diff --git a/gulliver/system/class.inputfilter.php b/gulliver/system/class.inputfilter.php
index 92abbad53..30f5d0de1 100644
--- a/gulliver/system/class.inputfilter.php
+++ b/gulliver/system/class.inputfilter.php
@@ -381,7 +381,7 @@ class InputFilter
 $input[$i] = $this->xssFilter($val);
 } else {
 if(!empty($val)) {
- if($type != "url") {
+ if($type != "url" && !strpos(basename($val), "=")) {
 $inputFiltered = addslashes(htmlspecialchars(filter_var($val, FILTER_SANITIZE_STRING), ENT_COMPAT, 'UTF-8'));
 } else {
 $inputFiltered = filter_var($val, FILTER_SANITIZE_STRING);
@@ -423,12 +423,15 @@ class InputFilter
 if(sizeof($input)) {
 foreach($input as $i => $val) {
 if(is_array($val) && sizeof($val)) {
- $input[$i] = $this->xssFilterHard($val);
+ $input[$i] = $this->xssFilterHard($val,$type);
 } else {
 if(!empty($val)) {
 $inputFiltered = $purifier->purify($val);
- if($type != "url") {
- $inputFiltered = addslashes(htmlspecialchars($inputFiltered, ENT_COMPAT, 'UTF-8'));
+ $pos = strpos($inputFiltered, "=");
+ if($type != "url" && $pos === false) {
+ $inputFiltered = addslashes(htmlspecialchars($inputFiltered, ENT_COMPAT, 'UTF-8'));
+ } else {
+ $inputFiltered = str_replace('&','&',$inputFiltered);
 }
 } else {
 $inputFiltered = "";
@@ -438,13 +441,16 @@ class InputFilter
 }
 }
 return $input;
- } else {
+ } else {
 if(!isset($input) || trim($input) === '' || $input === NULL ) {
 return '';
 } else {
 $input = $purifier->purify($input);
- if($type != "url") {
+ $pos = strpos(basename($input), "=");
+ if($type != "url" && $pos === false) {
 $input = addslashes(htmlspecialchars($input, ENT_COMPAT, 'UTF-8'));
+ } else {
+ $input = str_replace('&','&',$input);
 }
 return $input;
 }
@@ -521,8 +527,7 @@ class InputFilter
 break;
 default:
 $value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
- }
-
+ }
 return $value;
 }
 }
\ No newline at end of file
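Review bot: `!strpos(basename($val), "=")` in the new xssFilter condition treats a value whose basename starts with `=` (strpos returns 0) as if it contained no `=`, so that value is still escaped while any other `=` position skips htmlspecialchars/addslashes entirely; the sibling branches in the later hunks use `$pos === false`, which is the intended test. Change it to `if($type != "url" && strpos(basename($val), "=") === false) {`. Nothing explains why a `=` in the last path segment should route a non-url value past the escaping branch, and the path it falls to applies only FILTER_SANITIZE_STRING; a comment above the condition stating the case this exemption exists for (and why FILTER_SANITIZE_STRING is sufficient there) is needed, because a reader will otherwise assume the condition is a bug. xssFilter begins and ends outside this hunk.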
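Review bot: `str_replace('&','&',$inputFiltered)` in the new else branch of the second hunk replaces `&` with itself, so the branch is a no-op and an element containing `=` leaves the function with only the purifier applied and no htmlspecialchars/addslashes; the third hunk repeats the same line on the scalar path as `str_replace('&','&',$input)`. If the replacement target was an entity (for example `&amp;`) that the page rendering collapsed, spell it out and add `// "=" present: keep the purified value, only undo the entity encoding so key=value pairs round-trip` or whatever the actual reason is; if the value is really meant to pass through untouched, delete the call and say so in a comment. The two hunks also disagree on what they inspect, `strpos($inputFiltered, "=")` on the whole purified string in the array branch versus `strpos(basename($input), "=")` in the scalar branch, so the same string is treated differently depending on whether it arrived inside an array; pick one test and use it in both places. The enclosing method (presumably xssFilterHard, given the recursive call) begins before the second hunk and ends after the third.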
diff --git a/gulliver/system/class.webResource.php b/gulliver/system/class.webResource.php
index 021d00ba9..973fc4afb 100755
--- a/gulliver/system/class.webResource.php
+++ b/gulliver/system/class.webResource.php
@@ -66,7 +66,14 @@ class WebResource
 $paramsRef[] = '$parameters[' . $key . ']';
 }
 }
- $res = eval( 'return ($this->' . $post['function'] . '(' . implode( ',', $paramsRef ) . '));' );
+
+ $paramsRef = implode( ',', $paramsRef );
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $post['function'] = $filter->validateInput($post['function']);
+ $paramsRef = $filter->validateInput($paramsRef);
+
+ $res = eval( 'return ($this->' . $post['function'] . '(' . $paramsRef . '));' );
 $res = G::json_encode( $res );
 print ($res) ;
 } else {
@@ -82,13 +89,18 @@ class WebResource
 */
 function _encode ()
 {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
 header( 'Content-Type: text/json' );
 $methods = get_class_methods( get_class( $this ) );
+ $methods = $filter->xssFilterHard($methods);
+ $this->_uri = $filter->xssFilterHard($this->_uri);
 print ('{') ;
 $first = true;
 foreach ($methods as $method) {
 //To avoid PHP version incompatibilities, put the $method name in lowercase
 $method = strtolower( $method );
+ $method = $filter->xssFilterHard($method);
 if ((substr( $method, 0, 1 ) === '_') || (strcasecmp( $method, 'WebResource' ) == 0) || (strcasecmp( $method, get_class( $this ) ) == 0)) {
 } elseif (strcasecmp( substr( $method, 0, 3 ), 'js_' ) == 0) {
 if (! $first) {
diff --git a/workflow/engine/classes/model/AdditionalTables.php b/workflow/engine/classes/model/AdditionalTables.php
index f443d72e5..9c52cc061 100755
--- a/workflow/engine/classes/model/AdditionalTables.php
+++ b/workflow/engine/classes/model/AdditionalTables.php
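Review bot: The rewritten `$res = eval( 'return ($this->' . $post['function'] . '(' . $paramsRef . '));' )` still compiles PHP source out of a request field; validateInput, judging by the class.inputfilter.php hunks in this commit, applies addslashes/htmlspecialchars-style escaping and does not check that the string names a method of this class, so the call is still dynamic code evaluation on request data, and the escaping can also mangle a legitimate name. The eval is not needed at all: check the name with method_exists, exclude the internal `_`-prefixed methods the same way _encode does, and dispatch with call_user_func_array as below. `$parameters` is assumed to be the array the `$paramsRef[]` loop above indexes (its loop header is outside the hunk) and its values are passed positionally, which matches what the eval string did. The enclosing function begins and ends outside this hunk.
```php
// … unchanged: loop building $paramsRef from $parameters …
$function = $post['function'];
// only a real, non-internal method of this class may be invoked by name from the request
if (!method_exists($this, $function) || substr($function, 0, 1) === '_') {
    throw new Exception('WebResource: unknown method ' . $function);
}
$res = call_user_func_array(array($this, $function), array_values($parameters));
$res = G::json_encode( $res );
```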
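Review bot: `$methods = $filter->xssFilterHard($methods)` and the later `$method = $filter->xssFilterHard($method)` in _encode filter the output of get_class_methods(), which is not request data, so these lines cannot protect anything and, since xssFilterHard applies addslashes/htmlspecialchars in this commit, can only alter a method name; the per-element call is also redundant with the whole-array call two lines earlier. Drop both and keep `$this->_uri = $filter->xssFilterHard($this->_uri)` only if _uri is request-derived and is emitted into the JSON body further down (not visible here, confirm against the rest of _encode); even then, escape it at the print site rather than overwriting the property, because other code may read `_uri` expecting the unescaped value. _encode continues past the end of this hunk.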
@@ -1,4 +1,4 @@ -validateInput($_POST['sort']); + $sClassPeerName = $filter->validateInput($sClassPeerName); if (isset($_POST['sort'])) { if ($_POST['dir'] == 'ASC') { if ($keyOrderUppercase) { - eval('$oCriteria->addAscendingOrderByColumn("' . $_POST['sort'] . '");'); + eval('$oCriteria->addAscendingOrderByColumn("' . $sort . '");'); } else { - eval('$oCriteria->addAscendingOrderByColumn(' . $sClassPeerName . '::' . $_POST['sort'] . ');'); + eval('$oCriteria->addAscendingOrderByColumn(' . $sClassPeerName . '::' . $sort . ');'); } } else { if ($keyOrderUppercase) { - eval('$oCriteria->addDescendingOrderByColumn("' . $_POST['sort'] . '");'); + eval('$oCriteria->addDescendingOrderByColumn("' . $sort . '");'); } else { - eval('$oCriteria->addDescendingOrderByColumn(' . $sClassPeerName . '::' . $_POST['sort'] . ');'); + eval('$oCriteria->addDescendingOrderByColumn(' . $sClassPeerName . '::' . $sort . ');'); } } }
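Review bot: `eval('$oCriteria->addAscendingOrderByColumn("' . $sort . '");')` and its three sibling eval calls still interpolate a `$_POST['sort']`-derived value into PHP source; validateInput, judging by the class.inputfilter.php hunks in this commit, applies addslashes/htmlspecialchars and does not verify that the value is a column identifier, so eval stays the wrong tool here regardless of the filter. None of the four calls needs eval: the string-literal form is simply `$oCriteria->addAscendingOrderByColumn($sort)` and the peer-constant form is `constant($sClassPeerName . '::' . $sort)`, both behind an identifier check, as below. The hunk header `@@ -1,4 +1,4 @@` and the leading `-validateInput($_POST['sort']);` fragment do not match the content, so this hunk appears truncated at its start (the `$sort` assignment is presumably in the lost part) and the enclosing function begins outside it.
```php
if (isset($_POST['sort'])) {
    $sort = $_POST['sort'];
    // a sort key must be a bare identifier before it is used as a column name or peer constant
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $sort)) {
        throw new Exception('Invalid sort column');
    }
    $column = $keyOrderUppercase ? $sort : constant($sClassPeerName . '::' . $sort);
    if ($_POST['dir'] == 'ASC') {
        $oCriteria->addAscendingOrderByColumn($column);
    } else {
        $oCriteria->addDescendingOrderByColumn($column);
    }
}
```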