diff --git a/DnsServerCore/www/js/main.js b/DnsServerCore/www/js/main.js
index 2dccc8dc..6ceae45d 100644
--- a/DnsServerCore/www/js/main.js
+++ b/DnsServerCore/www/js/main.js
@@ -378,7 +378,7 @@ function login(username, password) {
 var btn = $("#btnLogin").button('loading');
 HTTPRequest({
- url: "/api/login?user=" + username + "&pass=" + password,
+ url: "/api/login?user=" + encodeURIComponent(username) + "&pass=" + encodeURIComponent(password),
 success: function (responseJSON) {
 token = responseJSON.token;
@@ -449,7 +449,7 @@ function changePassword() {
 var btn = $("#btnChangePasswordSave").button('loading');
 HTTPRequest({
- url: "/api/changePassword?token=" + token + "&pass=" + newPassword,
+ url: "/api/changePassword?token=" + token + "&pass=" + encodeURIComponent(newPassword),
 success: function (responseJSON) {
 $("#modalChangePassword").modal("hide");
 btn.button('reset');
@@ -682,7 +682,7 @@ function saveDnsSettings() {
 proxy = "&proxyType=" + proxyType;
 }
 else {
- proxy = "&proxyType=" + proxyType + "&proxyAddress=" + $("#txtProxyAddress").val() + "&proxyPort=" + $("#txtProxyPort").val() + "&proxyUsername=" + $("#txtProxyUsername").val() + "&proxyPassword=" + $("#txtProxyPassword").val();
+ proxy = "&proxyType=" + proxyType + "&proxyAddress=" + $("#txtProxyAddress").val() + "&proxyPort=" + $("#txtProxyPort").val() + "&proxyUsername=" + encodeURIComponent($("#txtProxyUsername").val()) + "&proxyPassword=" + encodeURIComponent($("#txtProxyPassword").val());
 }
 var forwarders = cleanTextList($("#txtForwarders").val());
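Review bot: The new `url:` line in `login()` still carries the password in the query string (`/api/login?user=…&pass=…`). Percent-encoding fixes passwords that contain `&`, `#` or `+`, but the secret can still end up in web-server and proxy access logs and in browser history if `HTTPRequest` issues a GET, which this hunk does not show. The same applies to `&pass=` in `changePassword()` and `&proxyPassword=` in `saveDnsSettings()`, and to the session `token` that every request in this diff puts in the URL. If the API accepts it, these values belong in a POST body; until then I would at least add `// TODO: send credentials in a POST body, not the query string` above the `url:` line. The body of `login()` continues outside the hunk.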
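Review bot: `proxyAddress` and `proxyPort` on the new `proxy = …` line are still concatenated raw from the text boxes while the username and password beside them are now encoded, so a `&`, `#` or `=` typed into either field changes or truncates the parameters the server receives. I would encode them as well: `"&proxyAddress=" + encodeURIComponent($("#txtProxyAddress").val()) + "&proxyPort=" + encodeURIComponent($("#txtProxyPort").val())`. The same gap remains in later hunks: `serverDomain` and `webServicePort` in the `setDnsSettings` URL, `"&domain=" + name` in `deleteResourceRecord()` (encoded in `addResourceRecord()` but not there), and `newName`/`oldName` in `updateResourceRecord()`. Where those values are read is outside the hunks, so the record-name cases are likely rather than confirmed.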
@@ -696,18 +696,15 @@ function saveDnsSettings() {
 var blockListUrls = cleanTextList($("#txtBlockListUrls").val());
- if ((blockListUrls.length === 0) || (blockListUrls === ",")) {
+ if ((blockListUrls.length === 0) || (blockListUrls === ","))
 blockListUrls = false;
- }
- else {
+ else
 $("#txtBlockListUrls").val(blockListUrls.replace(/,/g, "\n") + "\n");
- blockListUrls = window.btoa(blockListUrls);
- }
 var btn = $("#btnSaveDnsSettings").button('loading');
 HTTPRequest({
- url: "/api/setDnsSettings?token=" + token + "&serverDomain=" + serverDomain + "&webServicePort=" + webServicePort + "&dnsServerLocalAddresses=" + dnsServerLocalAddresses + "&preferIPv6=" + preferIPv6 + "&logQueries=" + logQueries + "&allowRecursion=" + allowRecursion + "&allowRecursionOnlyForPrivateNetworks=" + allowRecursionOnlyForPrivateNetworks + proxy + "&forwarders=" + forwarders + "&forwarderProtocol=" + forwarderProtocol + "&blockListUrls=" + blockListUrls,
+ url: "/api/setDnsSettings?token=" + token + "&serverDomain=" + serverDomain + "&webServicePort=" + webServicePort + "&dnsServerLocalAddresses=" + encodeURIComponent(dnsServerLocalAddresses) + "&preferIPv6=" + preferIPv6 + "&logQueries=" + logQueries + "&allowRecursion=" + allowRecursion + "&allowRecursionOnlyForPrivateNetworks=" + allowRecursionOnlyForPrivateNetworks + proxy + "&forwarders=" + encodeURIComponent(forwarders) + "&forwarderProtocol=" + forwarderProtocol + "&blockListUrls=" + encodeURIComponent(blockListUrls),
 success: function (responseJSON) {
 document.title = "Technitium DNS Server " + responseJSON.response.version + " - " + responseJSON.response.serverDomain;
 $("#lblServerDomain").text(" - " + responseJSON.response.serverDomain);
@@ -1623,13 +1620,13 @@ function renderStandardResourceRecord(record, domain) { html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //value html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //ttl @@ -1640,7 +1637,7 @@ function renderStandardResourceRecord(record, domain) { //buttons html += "
"; - html += "
"; + html += "
"; html += ""; html += ""; html += ""; @@ -1681,13 +1678,13 @@ function renderMXResourceRecord(record, domain) { html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //exchange html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //preference @@ -1704,7 +1701,7 @@ function renderMXResourceRecord(record, domain) { //buttons html += "
"; - html += "
"; + html += "
"; html += ""; html += ""; html += ""; @@ -1744,19 +1741,19 @@ function renderSOAResourceRecord(record, domain) { html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //master name server html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //responsible person html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //serial @@ -1850,19 +1847,19 @@ function renderSRVResourceRecord(record, domain) { //name html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //service html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //protocol html += "
"; html += ""; - html += ""; + html += ""; html += "
"; //priority @@ -1897,7 +1894,7 @@ function renderSRVResourceRecord(record, domain) { //buttons html += "
"; - html += "
"; + html += "
"; html += ""; html += ""; html += "";
@@ -2264,7 +2261,7 @@ function addResourceRecord() {
 ttl = 3600;
 }
- var apiUrl = "/api/addRecord?token=" + token + "&domain=" + name + "&type=" + type + "&ttl=" + ttl + "&value=" + value;
+ var apiUrl = "/api/addRecord?token=" + token + "&domain=" + encodeURIComponent(name) + "&type=" + type + "&ttl=" + ttl + "&value=" + encodeURIComponent(value);
 switch (type) {
 case "MX":
@@ -2327,7 +2324,7 @@ function deleteResourceRecord(objBtn) {
 if (!confirm("Are you sure to permanently delete the " + type + " record '" + name + "' with value '" + value + "'?")) return false;
- var apiUrl = "/api/deleteRecord?token=" + token + "&domain=" + name + "&type=" + type + "&value=" + value;
+ var apiUrl = "/api/deleteRecord?token=" + token + "&domain=" + name + "&type=" + type + "&value=" + encodeURIComponent(value);
 if (type === "SRV") {
 var port = $("#txtPort" + id).val();
@@ -2494,7 +2491,7 @@ function updateResourceRecord(objBtn, disable) {
 break;
 }
- var apiUrl = "/api/updateRecord?token=" + token + "&type=" + type + "&domain=" + newName + "&oldDomain=" + oldName + "&value=" + newValue + "&oldValue=" + oldValue + "&ttl=" + ttl + "&disable=" + disable;
+ var apiUrl = "/api/updateRecord?token=" + token + "&type=" + type + "&domain=" + newName + "&oldDomain=" + oldName + "&value=" + encodeURIComponent(newValue) + "&oldValue=" + encodeURIComponent(oldValue) + "&ttl=" + ttl + "&disable=" + disable;
 switch (type) {
 case "MX":
@@ -2624,7 +2621,7 @@ function resolveQuery(importRecords) {
 divDnsClientLoader.show();
 HTTPRequest({
- url: "/api/resolveQuery?token=" + token + "&server=" + server + "&domain=" + domain + "&type=" + type + "&protocol=" + protocol + (importRecords ? "&import=true" : ""),
+ url: "/api/resolveQuery?token=" + token + "&server=" + encodeURIComponent(server) + "&domain=" + encodeURIComponent(domain) + "&type=" + type + "&protocol=" + protocol + (importRecords ? "&import=true" : ""),
 success: function (responseJSON) {
 preDnsClientOutput.text(JSON.stringify(responseJSON.response.result, null, 2));