diff --git a/server/api/controller/settings.js b/server/api/controller/settings.js
index 404a2e10..d2cf73fd 100644
--- a/server/api/controller/settings.js
+++ b/server/api/controller/settings.js
@@ -9,6 +9,7 @@ const pkg = require('../../../package.json')
 const generateKeyPair = promisify(crypto.generateKeyPair)
 const log = require('../../log')
 const locales = require('../../../locales/index')
+const escape = require('lodash/escape')
 let defaultHostname
@@ -162,11 +163,12 @@ const settingsController = {
     await settingsController.set('smtp', smtp.smtp)
     const mail = require('../mail')
     try {
-      await mail._send(settingsController.settings.admin_email, 'test', null, 'en')
+      await mail._send(settingsController.settings.admin_email, 'test')
+      return res.sendStatus(200)
     } catch (e) {
       console.error(e)
-      return res.status(400).send(String(e))
+      return res.status(400).send(escape(String(e)))
     }
   },
diff --git a/server/api/controller/setup.js b/server/api/controller/setup.js
index 011d1fb8..9dbffd95 100644
--- a/server/api/controller/setup.js
+++ b/server/api/controller/setup.js
@@ -5,6 +5,7 @@ const db = require('../models/index.js')
 const config = require('../../config')
 const settingsController = require('./settings')
 const path = require('path')
+const escape = require('lodash/escape')
 const setupController = {
@@ -88,7 +89,7 @@ const setupController = {
     } catch (e) {
       log.error(String(e))
-      return res.status(400).send(String(e))
+      return res.status(400).send(escape(String(e)))
     }
   }
diff --git a/server/federation/users.js b/server/federation/users.js
index 17f98f0d..ec00cf30 100644
--- a/server/federation/users.js
+++ b/server/federation/users.js
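Review bot: The exception text is still returned to the client verbatim, only HTML-escaped, at `return res.status(400).send(escape(String(e)))` in the settings.js -162 hunk and again in the setup.js -88 hunk. Escaping is the right minimum because `res.send` with a string body defaults to `text/html`, but sending it as plain text removes the need to escape at all and keeps a browser from ever treating the body as markup, e.g. `return res.status(400).type('text/plain').send(String(e))`. Either way `String(e)` may disclose internal detail (an SMTP host or connection error) to whoever can reach the route; if it is not already admin-only, a generic body with the detail left in the log is the safer contract. The settings.js catch also logs with `console.error(e)` although the file imports `log` (visible in the -9 hunk) and setup.js logs the same failure with `log.error(String(e))`, so `log.error(e)` here would keep the two handlers consistent. Both handlers start and end outside their hunks.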
@@ -2,7 +2,7 @@ const Event = require('../api/models/event')
 const Place = require('../api/models/place')
 const APUser = require('../api/models/ap_user')
 const Tag = require('../api/models/tag')
-
+const escape = require('lodash/escape')
 const config = require('../config')
 const log = require('../log')
 const utc = require('dayjs/plugin/utc')
@@ -16,7 +16,7 @@ module.exports = {
     const name = req.params.name
     if (!name) { return res.status(400).send('Bad request.') }
-    if (name !== req.settings.instance_name) { return res.status(404).send(`No record found for ${name}`) }
+    if (name !== req.settings.instance_name) { return res.status(404).send(`No record found for ${escape(name)}`) }
     const ret = {
       '@context': [
         'https://www.w3.org/ns/activitystreams',
@@ -64,7 +64,7 @@ module.exports = {
     if (!name) { return res.status(400).send('Bad request.') }
     if (name !== req.settings.instance_name) {
       log.warn('No record found')
-      return res.status(404).send(`No record found for ${name}`)
+      return res.status(404).send(`No record found for ${escape(name)}`)
     }
     const followers = await APUser.findAll({ where: { follower: true } })
@@ -102,7 +102,7 @@ module.exports = {
     }
     if (name !== req.settings.instance_name) {
       log.info(`No record found for ${name}`)
-      return res.status(404).send(`No record found for ${name}`)
+      return res.status(404).send(`No record found for ${escape(name)}`)
     }
     const events = await Event.findAll({ include: [{ model: Tag, required: false }, Place], limit: 10 })
diff --git a/server/helpers.js b/server/helpers.js
index 0cc4320d..9f18e67e 100644
--- a/server/helpers.js
+++ b/server/helpers.js
@@ -112,6 +112,9 @@ module.exports = {
   async getImageFromURL (url) {
     log.debug(`getImageFromURL ${url}`)
+    if(!/^https?:\/\//.test(url)) {
+      throw Error('Hacking attempt?')
+    }
     const filename = crypto.randomBytes(16).toString('hex') + '.jpg'
     const finalPath = path.resolve(config.upload_path, filename)
     const thumbPath = path.resolve(config.upload_path, 'thumb', filename)
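Review bot: The 404 body still reflects the caller-supplied `req.params.name` (now HTML-escaped) on the three changed `send(\`No record found for ${escape(name)}\`)` lines in the -16, -64 and -102 hunks of users.js; the value is of no use to the client, so a constant body such as the `'No record found'` text the -64 hunk already logs avoids the reflection altogether, e.g. `return res.status(404).send('No record found')`. If the name must be echoed, `escape` is correct only because `res.send` of a string is served as `text/html`; a `.type('text/plain')` response would not need it. The -102 hunk still interpolates the raw value into `log.info(\`No record found for ${name}\`)`, so a name containing line breaks can forge extra log lines; passing it as a separate argument or stripping control characters before logging is safer. Each of these lines sits inside a handler whose start and end are outside the hunk.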
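Review bot: The new scheme check in helpers.js `if(!/^https?:\/\//.test(url))` is case-sensitive and only tests a prefix, so `HTTPS://…` is rejected while any host after `http://` (loopback or link-local included) passes; parsing with the URL class gives a normalized scheme and host to validate, e.g. `const { protocol } = new URL(url); if (!['http:', 'https:'].includes(protocol)) throw new Error('getImageFromURL: unsupported URL scheme')`, and a malformed URL then fails with a TypeError instead of slipping through. `throw Error('Hacking attempt?')` should be `throw new Error(...)` with a message that names the rejected condition rather than guessing at intent. If the URL can originate from remote input (the callers are not in this diff), the scheme check alone does not stop the server from fetching internal addresses; rejecting private and loopback ranges after resolving the host, and bounding redirects, would be the next step. `getImageFromURL` continues past the end of the hunk.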