diff --git a/api/src/Framework/Login.php b/api/src/Framework/Login.php
index b145844af5..463038a5f8 100644
--- a/api/src/Framework/Login.php
+++ b/api/src/Framework/Login.php
@@ -164,7 +164,7 @@ class Login
$tmpl->set_var('login_url', $GLOBALS['egw_info']['server']['webserver_url'] . '/login.php' . $extra_vars);
$tmpl->set_var('version', $GLOBALS['egw_info']['server']['versions']['phpgwapi']);
- $tmpl->set_var('login', $last_loginid);
+ $tmpl->set_var('login', htmlspecialchars($last_loginid));
$tmpl->set_var('lang_username',lang('username'));
$tmpl->set_var('lang_login',lang('login'));
diff --git a/api/src/loader/security.php b/api/src/loader/security.php
index df8f84f3af..d2beaaf297 100755
--- a/api/src/loader/security.php
+++ b/api/src/loader/security.php
@@ -173,7 +173,7 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_
die("
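Review bot: `htmlspecialchars($last_loginid)` with default flags leaves single quotes unescaped on PHP before 8.1 (ENT_QUOTES | ENT_SUBSTITUTE only became the default in 8.1), so if the template renders `{login}` inside a single-quoted attribute the value is still injectable, and without ENT_SUBSTITUTE an invalid UTF-8 value makes the call return an empty string. Pin the flags and charset on the changed line: `$tmpl->set_var('login', htmlspecialchars((string)$last_loginid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));` — the `(string)` cast also avoids the PHP 8.1 deprecation when `$last_loginid` is null. Where `$last_loginid` comes from is not visible here; the companion change to security.php suggests it is cookie-derived, which is exactly the untrusted data this escaping has to cover. The neighbouring `login_url` line concatenates `$extra_vars` unescaped; if that string carries request-derived query data it needs the same treatment, though its construction is outside the hunk. The enclosing method starts and ends outside the hunk.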
Tests finished: $num_failed / $total failed
");
}*/
-foreach(array('_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS') as $n => $where)
+foreach(array('_COOKIE','_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS') as $n => $where)
{
$pregs = array(
'order' => '/^[a-zA-Z0-9_,]*$/',
@@ -188,7 +188,7 @@ foreach(array('_GET','_POST','_REQUEST','HTTP_GET_VARS','HTTP_POST_VARS') as $n
}
// do the check for script-tags only for _GET and _POST or if we found something in _GET and _POST
// speeds up the execusion a bit
- if (isset($GLOBALS[$where]) && is_array($GLOBALS[$where]) && ($n < 2 || isset($GLOBALS['egw_unset_vars'])))
+ if (isset($GLOBALS[$where]) && is_array($GLOBALS[$where]) && ($n < 3 || isset($GLOBALS['egw_unset_vars'])))
{
_check_script_tag($GLOBALS[$where],$where);
}
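Review bot: The position of the new `'_COOKIE'` element in the array literal is load-bearing: the script-tag check later in this loop is gated on the numeric index `$n`, so anyone appending or reordering entries here silently changes which superglobals are always scanned. A comment on the foreach line would make that contract visible, e.g. `// order matters: the script-tag check below is only forced for the first three entries (_COOKIE, _GET, _POST)`. Note also that `HTTP_GET_VARS` and `HTTP_POST_VARS` were removed in PHP 5.4, so on current PHP those two entries are dead and only `_REQUEST` remains as the index-dependent tail. The foreach body continues past the end of the hunk.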
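Review bot: The comment above the changed condition still says the script-tag check is only done for `_GET` and `_POST`, but with `$n < 3` it now covers `_COOKIE` as well, and the positional test couples this line to the array literal at the top of the loop. Replace both with a name-based check so they cannot drift apart: `// force the script-tag check for _COOKIE, _GET and _POST; scan the other arrays only if something was already unset` and `if (isset($GLOBALS[$where]) && is_array($GLOBALS[$where]) && (in_array($where, array('_COOKIE', '_GET', '_POST'), true) || isset($GLOBALS['egw_unset_vars'])))`. Since values that trip `_check_script_tag` are presumably dropped via `egw_unset_vars`, it is worth confirming that cookies the session layer depends on cannot be removed by this scan — that logic lives in `_check_script_tag`, outside the hunk. The foreach enclosing this hunk starts before it.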