diff --git a/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php b/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
index c94ede8191281986387629bdb06534e938b06b61..af1d5c0b7f96c5748ada048bd49e295fb6910600 100644
--- a/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
+++ b/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
@@ -123,7 +123,7 @@ class CreateFolderController {
 			function reload(a) {	//
 				if (!changed || (changed && confirm(' . GeneralUtility::quoteJSvalue($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:mess.redraw')) . '))) {
 					var params = "&target="+encodeURIComponent(path)+"&number="+a+"&returnUrl=' . rawurlencode($this->returnUrl) . '";
-					window.location.href = "' . BackendUtility::getModuleUrl('file_newfolder') . '"+params;
+					window.location.href = ' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('file_newfolder')) . '+params;
 				}
 			}
 			function backToList() {	//
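Review bot: On the `var params = ...` line of `reload(a)`, `a` is concatenated into the query string as-is while `path` goes through `encodeURIComponent`. If `a` can ever be something other than a plain number (its callers are outside this hunk), it could add extra parameters to the URL assigned to `window.location.href`; `"&number="+encodeURIComponent(a)` would close that gap. The `rawurlencode($this->returnUrl)` inside the double-quoted JS literal is safe only because `rawurlencode` percent-encodes quotes and backslashes, so a one-line comment saying that would keep a later edit from swapping in a weaker encoder.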
diff --git a/typo3/sysext/install/Classes/Report/InstallStatusReport.php b/typo3/sysext/install/Classes/Report/InstallStatusReport.php
index 60516762a6bcbfe0254e42751caa2c553b74d222..14f9784be4716673c89d3efdd932ad1f45ba3e24 100644
--- a/typo3/sysext/install/Classes/Report/InstallStatusReport.php
+++ b/typo3/sysext/install/Classes/Report/InstallStatusReport.php
@@ -127,7 +127,7 @@ class InstallStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
 			$value = $GLOBALS['LANG']->getLL('status_updateIncomplete');
 			$severity = \TYPO3\CMS\Reports\Status::WARNING;
 			$url = BackendUtility::getModuleUrl('system_InstallInstall');
-			$message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_update'), '<a href="' . $url . '">', '</a>');
+			$message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_update'), '<a href="' . htmlspecialchars($url) . '">', '</a>');
 		}
 		return \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class, $GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_remainingUpdates'), $value, $message, $severity);
 	}
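Review bot: The `sprintf()` format string is the raw return value of `sL(...)`, so the translated label reaches the page unescaped while only the URL is now encoded. The same holds for the `$message = sprintf(...)` lines in ConfigurationStatus.php and in both SecurityStatus.php hunks. Unless these labels are meant to carry markup, escape the label before the anchor tags are substituted, e.g. `sprintf(htmlspecialchars($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_update')), '<a href="' . htmlspecialchars($url) . '">', '</a>')`. The `%s` placeholders survive `htmlspecialchars()`, so the link is still inserted correctly.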
diff --git a/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php b/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php
index aebe43774c5fd4de9775c543675ff928ddd3a4ac..d0630f563667dcaf09c7a24d67c56ca12bca8f8a 100644
--- a/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php
+++ b/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php
@@ -1186,25 +1186,25 @@ class DatabaseRecordList extends AbstractDatabaseRecordList {
 		}
 		// "Move" wizard link for pages/tt_content elements:
 		if ($table == 'tt_content' && $permsEdit || $table == 'pages') {
-			$onClick = htmlspecialchars('return jumpExt(\'' . $this->backPath . 'move_el.php?table=' . $table . '&uid=' . $row['uid'] . '\');');
+			$onClick = 'return jumpExt(\'' . $this->backPath . 'move_el.php?table=' . $table . '&uid=' . $row['uid'] . '\');';
 			$linkTitleLL = $GLOBALS['LANG']->getLL('move_' . ($table === 'tt_content' ? 'record' : 'page'), TRUE);
 			$spriteIcon = $table === 'tt_content'
 				? IconUtility::getSpriteIcon('actions-document-move')
 				: IconUtility::getSpriteIcon('actions-page-move');
-			$cells['move'] = '<a class="btn" href="#" onclick="' . $onClick . '" title="' . $linkTitleLL . '">' . $spriteIcon . '</a>';
+			$cells['move'] = '<a class="btn" href="#" onclick="' . htmlspecialchars($onClick) . '" title="' . $linkTitleLL . '">' . $spriteIcon . '</a>';
 		}
 		// If the extended control panel is enabled OR if we are seeing a single table:
 		if ($GLOBALS['SOBE']->MOD_SETTINGS['bigControlPanel'] || $this->table) {
 			// "Info": (All records)
-			$onClick = htmlspecialchars(('top.launchView(\'' . $table . '\', \'' . $row['uid'] . '\'); return false;'));
-			$cells['viewBig'] = '<a class="btn" href="#" onclick="' . $onClick . '" title="' . $GLOBALS['LANG']->getLL('showInfo', TRUE) . '">'
+			$onClick = 'top.launchView(\'' . $table . '\', \'' . $row['uid'] . '\'); return false;';
+			$cells['viewBig'] = '<a class="btn" href="#" onclick="' . htmlspecialchars($onClick) . '" title="' . $GLOBALS['LANG']->getLL('showInfo', TRUE) . '">'
 				. IconUtility::getSpriteIcon('actions-document-info') . '</a>';
 			// If the table is NOT a read-only table, then show these links:
 			if (!$GLOBALS['TCA'][$table]['ctrl']['readOnly']) {
 				// "Revert" link (history/undo)
 				$moduleUrl = BackendUtility::getModuleUrl('record_history', array('element' => $table . ':' . $row['uid']));
-				$onClick = htmlspecialchars('return jumpExt(' . GeneralUtility::quoteJSvalue($this->backPath . $moduleUrl) . ',\'#latest\');');
-				$cells['history'] = '<a class="btn" href="#" onclick="' . $onClick . '" title="'
+				$onClick = 'return jumpExt(' . GeneralUtility::quoteJSvalue($this->backPath . $moduleUrl) . ',\'#latest\');';
+				$cells['history'] = '<a class="btn" href="#" onclick="' . htmlspecialchars($onClick) . '" title="'
 					. $GLOBALS['LANG']->getLL('history', TRUE) . '">'
 					. IconUtility::getSpriteIcon('actions-document-history-open') . '</a>';
 				// Versioning:
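Review bot: The `move` and `viewBig` handlers still build their JavaScript string literals by hand (`'return jumpExt(\'' . ... . '\');'` and `'top.launchView(\'' . $table . '\', \'' . $row['uid'] . '\'); return false;'`), so the `htmlspecialchars()` at output covers only the HTML layer. A quote or backslash in `$this->backPath`, `$table` or `$row['uid']` would still end the literal once the browser has decoded the attribute. The `history` handler a few lines below already uses `GeneralUtility::quoteJSvalue()`, and the other two should match, e.g. `$onClick = 'top.launchView(' . GeneralUtility::quoteJSvalue($table) . ', ' . GeneralUtility::quoteJSvalue($row['uid']) . '); return false;';`. The delete handler in the `@@ -1311` hunk has the same pattern around `issueCommand($params, -1)`. These values are presumably a TCA table name and an integer uid, so this is hardening for consistency rather than a demonstrated hole.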
@@ -1216,18 +1216,18 @@ class DatabaseRecordList extends AbstractDatabaseRecordList {
 						if (count($vers) > 1) {
 							$versionIcon = count($vers) - 1;
 						}
-						$href = htmlspecialchars($this->backPath . BackendUtility::getModuleUrl('web_txversionM1', array(
+						$href = $this->backPath . BackendUtility::getModuleUrl('web_txversionM1', array(
 							'table' => $table, 'uid' => $row['uid']
-						)));
-						$cells['version'] = '<a class="btn" href="' . $href . '" title="'
+						));
+						$cells['version'] = '<a class="btn" href="' . htmlspecialchars($href) . '" title="'
 							. $GLOBALS['LANG']->getLL('displayVersions', TRUE) . '">'
 							. IconUtility::getSpriteIcon(('status-version-' . $versionIcon)) . '</a>';
 					}
 				}
 				// "Edit Perms" link:
 				if ($table === 'pages' && $GLOBALS['BE_USER']->check('modules', 'system_BeuserTxPermission') && ExtensionManagementUtility::isLoaded('beuser')) {
-					$href = htmlspecialchars((BackendUtility::getModuleUrl('system_BeuserTxPermission') . '&id=' . $row['uid'] . '&return_id=' . $row['uid'] . '&edit=1'));
-					$cells['perms'] = '<a class="btn" href="' . $href . '" title="'
+					$href = BackendUtility::getModuleUrl('system_BeuserTxPermission') . '&id=' . $row['uid'] . '&return_id=' . $row['uid'] . '&edit=1';
+					$cells['perms'] = '<a class="btn" href="' . htmlspecialchars($href) . '" title="'
 						. $GLOBALS['LANG']->getLL('permissions', TRUE) . '">'
 						. IconUtility::getSpriteIcon('status-status-locked') . '</a>';
 				}
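Review bot: The "Edit Perms" URL appends `'&id=' . $row['uid'] . '&return_id=' . $row['uid'] . '&edit=1'` by string concatenation, while the versioning link just above passes its parameters as the second argument of `getModuleUrl()`. Passing them the same way would keep query-string encoding in one place (presumably inside `getModuleUrl()`) and leave `htmlspecialchars()` to handle only the attribute context: `$href = BackendUtility::getModuleUrl('system_BeuserTxPermission', array('id' => $row['uid'], 'return_id' => $row['uid'], 'edit' => 1));`.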
@@ -1311,12 +1311,12 @@ class DatabaseRecordList extends AbstractDatabaseRecordList {
 					);
 
 					$params = '&cmd[' . $table . '][' . $row['uid'] . '][delete]=1';
-					$onClick = htmlspecialchars('if (confirm(' . $warningText . ')) {jumpToUrl(\''
-						. $GLOBALS['SOBE']->doc->issueCommand($params, -1) . '\');} return false;');
+					$onClick = 'if (confirm(' . $warningText . ')) {jumpToUrl(\''
+						. $GLOBALS['SOBE']->doc->issueCommand($params, -1) . '\');} return false;';
 
 					$icon = IconUtility::getSpriteIcon('actions-edit-' . $actionName);
 					$linkTitle = $GLOBALS['LANG']->getLL($actionName, TRUE);
-					$cells['delete'] = '<a class="btn" href="#" onclick="' . $onClick . '" title="' . $linkTitle . '">' . $icon . '</a>';
+					$cells['delete'] = '<a class="btn" href="#" onclick="' . htmlspecialchars($onClick) . '" title="' . $linkTitle . '">' . $icon . '</a>';
 				}
 				// "Levels" links: Moving pages into new levels...
 				if ($permsEdit && $table == 'pages' && !$this->searchLevels) {
diff --git a/typo3/sysext/reports/Classes/Report/Status/ConfigurationStatus.php b/typo3/sysext/reports/Classes/Report/Status/ConfigurationStatus.php
index 15386d6cfba2d09e2a46b8e4831173668549f439..94b551ccfde80bd27de7b5273c72d4ce50a2fe0a 100644
--- a/typo3/sysext/reports/Classes/Report/Status/ConfigurationStatus.php
+++ b/typo3/sysext/reports/Classes/Report/Status/ConfigurationStatus.php
@@ -81,7 +81,7 @@ class ConfigurationStatus implements \TYPO3\CMS\Reports\StatusProviderInterface
 			$value = $GLOBALS['LANG']->getLL('status_empty');
 			$severity = \TYPO3\CMS\Reports\Status::WARNING;
 			$url =  \TYPO3\CMS\Backend\Utility\BackendUtility::getModuleUrl('system_dbint') . '&id=0&SET[function]=refindex';
-			$message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.backend_reference_index'), '<a href="' . $url . '">', '</a>', \TYPO3\CMS\Backend\Utility\BackendUtility::dateTime($lastRefIndexUpdate));
+			$message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.backend_reference_index'), '<a href="' . htmlspecialchars($url) . '">', '</a>', \TYPO3\CMS\Backend\Utility\BackendUtility::dateTime($lastRefIndexUpdate));
 		}
 		return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class, $GLOBALS['LANG']->getLL('status_referenceIndex'), $value, $message, $severity);
 	}
diff --git a/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php b/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
index 905be5348f0f32eeb6e64546c69aae15a0d77948..6ce6e41f4cd3aaa9963d1641c85e2b004ddd147e 100644
--- a/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
+++ b/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
@@ -78,7 +78,7 @@ class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface {
 				$editUserAccountUrl = 'alt_doc.php?returnUrl=' .
 					rawurlencode(BackendUtility::getModuleUrl('system_ReportsTxreportsm1')) . '&edit[be_users][' . $row['uid'] . ']=edit';
 				$message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.backend_admin'),
-					'<a href="' . $editUserAccountUrl . '">', '</a>');
+					'<a href="' . htmlspecialchars($editUserAccountUrl) . '">', '</a>');
 			}
 		}
 		$GLOBALS['TYPO3_DB']->sql_free_result($res);
@@ -201,7 +201,7 @@ class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface {
 			$severity = \TYPO3\CMS\Reports\Status::ERROR;
 			$changeInstallToolPasswordUrl = BackendUtility::getModuleUrl('system_InstallInstall');
 			$message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.installtool_default_password'),
-				'<a href="' . $changeInstallToolPasswordUrl . '">', '</a>');
+				'<a href="' . htmlspecialchars($changeInstallToolPasswordUrl) . '">', '</a>');
 		}
 		return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class,
 			$GLOBALS['LANG']->getLL('status_installToolPassword'), $value, $message, $severity);
diff --git a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
index e99e8485b8c078beb82fc0b4500cf0318960c261..e4812646af2a94b0b61088620f169369dbe30aee 100644
--- a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
+++ b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
@@ -679,7 +679,7 @@ class SetupModuleController {
 				}
 			}
 			if (count($opt)) {
-				$this->simulateSelector = '<select id="field_simulate" name="simulateUser" onchange="window.location.href=\'' . BackendUtility::getModuleUrl('user_setup') . '&simUser=\'+this.options[this.selectedIndex].value;"><option></option>' . implode('', $opt) . '</select>';
+				$this->simulateSelector = '<select id="field_simulate" name="simulateUser" onchange="window.location.href=' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('user_setup') . '&simUser=') . '+this.options[this.selectedIndex].value;"><option></option>' . implode('', $opt) . '</select>';
 			}
 		}
 		// This can only be set if the previous code was executed.
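Review bot: The `onchange` attribute receives the output of `GeneralUtility::quoteJSvalue()` without `htmlspecialchars()`, unlike the `onclick` handlers in DatabaseRecordList.php in this same change, which JS-quote first and HTML-escape when the attribute is written. The URL contains `&` and the attribute is double-quoted, so the value is only safe if `quoteJSvalue()` never emits a raw `"` or `&`, which nothing in this diff shows. Wrapping the whole handler keeps both layers explicit: `onchange="' . htmlspecialchars('window.location.href=' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('user_setup') . '&simUser=') . '+this.options[this.selectedIndex].value;') . '"`. The enclosing method starts outside the hunk.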
diff --git a/typo3/sysext/sys_action/Classes/ActionTask.php b/typo3/sysext/sys_action/Classes/ActionTask.php
index adf3b1d926f7c2564573f4ffa72642ea71624455..55d0910473d5727367d22539abf50709f99c6cd1 100644
--- a/typo3/sysext/sys_action/Classes/ActionTask.php
+++ b/typo3/sysext/sys_action/Classes/ActionTask.php
@@ -718,9 +718,10 @@ class ActionTask implements \TYPO3\CMS\Taskcenter\TaskInterface {
 						$actionContent .= '<hr /> ' . $fullsearch->tableWrap($sql_query['qSelect']);
 					}
 					$actionContent .= '<br /><a title="' . $GLOBALS['LANG']->getLL('action_editQuery') . '" href="'
-						. BackendUtility::getModuleUrl('system_dbint')
-						. '&id=' . '&SET[function]=search' . '&SET[search]=query'
-						. '&storeControl[STORE]=-' . $record['uid'] . '&storeControl[LOAD]=1' . '">
+						. htmlspecialchars(BackendUtility::getModuleUrl('system_dbint')
+							. '&id=' . '&SET[function]=search' . '&SET[search]=query'
+							. '&storeControl[STORE]=-' . $record['uid'] . '&storeControl[LOAD]=1')
+						. '">
 						<img class="icon"' . \TYPO3\CMS\Backend\Utility\IconUtility::skinImg($GLOBALS['BACK_PATH'],
 						'gfx/edit2.gif') . ' alt="" />' . $GLOBALS['LANG']->getLL(($queryIsEmpty ? 'action_createQuery'
 						: 'action_editQuery')) . '</a><br /><br />';
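Review bot: The `title` attribute on this anchor is filled from `getLL('action_editQuery')` without escaping, and so is the link text from `getLL(($queryIsEmpty ? 'action_createQuery' : 'action_editQuery'))`, so the new `htmlspecialchars()` on `href` covers only part of the tag. DatabaseRecordList.php in this change passes `TRUE` as the second argument of `getLL()` for its titles; `$GLOBALS['LANG']->getLL('action_editQuery', TRUE)` here would bring the attribute in line. `$record['uid']` is also concatenated into the query string as-is; it is presumably an integer, and an `(int)` cast would make that explicit.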
diff --git a/typo3/sysext/version/Classes/Controller/VersionModuleController.php b/typo3/sysext/version/Classes/Controller/VersionModuleController.php
index ba79c40b9dd69296c13b3ac92353636ea1d6bae3..b88eb73c7ca0bf7f4fd0f8fab497d987677879e4 100644
--- a/typo3/sysext/version/Classes/Controller/VersionModuleController.php
+++ b/typo3/sysext/version/Classes/Controller/VersionModuleController.php
@@ -424,7 +424,7 @@ class VersionModuleController extends \TYPO3\CMS\Backend\Module\BaseScriptClass
 							<td>' . $this->adminLinks($tN, $subrow) . '</td>
 							<td>' . $subrow['uid'] . '</td>
 							' . ($ownVer > 1 ? '<td style="font-weight: bold; background-color: yellow;"><a href="' .
-							BackendUtility::getModuleUrl('web_txversionM1', array('table' => $tN, 'uid' => $subrow['uid'])) .
+							htmlspecialchars(BackendUtility::getModuleUrl('web_txversionM1', array('table' => $tN, 'uid' => $subrow['uid']))) .
 							'">' . ($ownVer - 1) . '</a></td>' : '<td></td>') . '
 							<td width="98%">' . BackendUtility::getRecordTitle($tN, $subrow, TRUE) . '</td>
 						</tr>';