sanitized login form

Controller/UserController.php

@@ -20,7 +20,7 @@ class UserController
     public function loginUser() 
     {
         $erg = array();
-        $erg = $this->userModel->loginUser($_POST["username"], $_POST["password"]);
+        $erg = $this->userModel->loginUser($this->sanitize($_POST["username"]), $this->sanitize($_POST["password"]) );
         if ($erg["success"] == true) {
             header("Location: ?controller=Welcome&do=showWelcome");
             exit();
@@ -46,7 +46,7 @@ class UserController
     public function registerUser() 
     {
         $erg = array();
-        $erg = $this->userModel->registerUser($_POST["username"], $_POST["password"]);
+        $erg = $this->userModel->registerUser($this->sanitize($_POST["username"]), $this->sanitize($_POST["password"]) );
         if ($erg["success"] == true) {
             header("Location: ?controller=User&do=showUserLoginForm");
             exit();
@@ -54,10 +54,10 @@ class UserController
         else {
             $this->view->setDoMethodName("showUserRegisterForm");
             
-             $message = $erg['message'];
+            $message = $this->sanitize($erg['message']);
             echo "<script type='text/javascript'>alert(\"$message\");</script>";
             $this->view->setVars([
-            "errmsg" => $erg["message"]
+            "errmsg" => $message
             ]);
             $this->showUserRegisterForm();
         }
@@ -73,6 +73,7 @@ class UserController
 
     }
 
-
+    function sanitize($data, $flags = ENT_QUOTES, $encoding = 'UTF-8') {
-
+        return htmlspecialchars((string)$data, $flags, $encoding);
+    }
 }