diff --git a/edit_form.php b/edit_form.php
index dc514ff..49491e0 100644
--- a/edit_form.php
+++ b/edit_form.php
@@ -246,10 +246,10 @@ public function validation($data, $files) {
                     $rs->close();
                 } catch (dml_exception $e) {
                     $errors['querysql'] = get_string('queryfailed', 'report_customsql',
-                    $e->getMessage() . ' ' . $e->debuginfo);
+                            s($e->getMessage() . ' ' . $e->debuginfo));
                 } catch (Exception $e) {
                     $errors['querysql'] = get_string('queryfailed', 'report_customsql',
-                                                     $e->getMessage());
+                            s($e->getMessage()));
                 }
             }
         }
@@ -266,12 +266,12 @@ public function validation($data, $files) {
             // The path either needs to be a writable directory ...
             if (is_dir($path) ) {
                 if (!is_writable($path)) {
-                    $errors['customdir'] = get_string('customdirnotwritable', 'report_customsql', $path);
+                    $errors['customdir'] = get_string('customdirnotwritable', 'report_customsql', s($path));
                 }
 
             } else if (substr($path, -1) == DIRECTORY_SEPARATOR) {
                 // ... and it must exist...
-                $errors['customdir'] = get_string('customdirmustexist', 'report_customsql', $path);
+                $errors['customdir'] = get_string('customdirmustexist', 'report_customsql', s($path));
 
             } else {
 
@@ -279,16 +279,16 @@ public function validation($data, $files) {
                 $dir = dirname($path);
 
                 if (!is_dir($dir)) {
-                    $errors['customdir'] = get_string('customdirnotadirectory', 'report_customsql', $dir);
+                    $errors['customdir'] = get_string('customdirnotadirectory', 'report_customsql', s($dir));
                 } else {
 
                     if (file_exists($path)) {
                         if (!is_writable($path)) {
-                            $errors['customdir'] = get_string('filenotwritable', 'report_customsql', $path);
+                            $errors['customdir'] = get_string('filenotwritable', 'report_customsql', s($path));
                         }
                     } else {
                         if (!is_writable($dir)) {
-                            $errors['customdir'] = get_string('customdirmustexist', 'report_customsql', $dir);
+                            $errors['customdir'] = get_string('customdirmustexist', 'report_customsql', s($dir));
                         }
                     }
                 }
diff --git a/locallib.php b/locallib.php
index 602c8d8..b90951f 100644
--- a/locallib.php
+++ b/locallib.php
@@ -647,7 +647,7 @@ function report_customsql_validate_users($userids, $capability) {
         // User does not have the chosen access level.
         $context = context_user::instance($user->id);
         $a->userid = $userid;
-        $a->name = fullname($user);
+        $a->name = s(fullname($user));
         if (!has_capability($capability, $context, $user)) {
             return get_string('userhasnothiscapability', 'report_customsql', $a);
         }