diff --git a/Controller/UserController.php b/Controller/UserController.php
index 99e7d9b..1b34855 100644
--- a/Controller/UserController.php
+++ b/Controller/UserController.php
@@ -20,7 +20,7 @@ class UserController
     public function loginUser() 
     {
         $erg = array();
-        $erg = $this->userModel->loginUser($_POST["username"], $_POST["password"]);
+        $erg = $this->userModel->loginUser($this->sanitize($_POST["username"]), $this->sanitize($_POST["password"]) );
         if ($erg["success"] == true) {
             header("Location: ?controller=Welcome&do=showWelcome");
             exit();
@@ -43,7 +43,7 @@ class UserController
     public function registerUser() 
     {
         $erg = array();
-        $erg = $this->userModel->registerUser($_POST["username"], $_POST["password"]);
+        $erg = $this->userModel->registerUser($this->sanitize($_POST["username"]), $this->sanitize($_POST["password"]) );
         if ($erg["success"] == true) {
             header("Location: ?controller=User&do=showUserLoginForm");
             exit();
@@ -51,10 +51,10 @@ class UserController
         else {
             $this->view->setDoMethodName("showUserRegisterForm");
             
-             $message = $erg['message'];
+            $message = $this->sanitize($erg['message']);
             echo "<script type='text/javascript'>alert(\"$message\");</script>";
             $this->view->setVars([
-            "errmsg" => $erg["message"]
+            "errmsg" => $message
             ]);
             $this->showUserRegisterForm();
         }
@@ -69,4 +69,8 @@ class UserController
     {
 
     }
+
+    function sanitize($data, $flags = ENT_QUOTES, $encoding = 'UTF-8') {
+        return htmlspecialchars((string)$data, $flags, $encoding);
+    }
 }
\ No newline at end of file