diff --git a/server_privileges.php b/server_privileges.php
index b11a96fa5..0e1afece2 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1151,7 +1151,7 @@ if (!empty($update_privs)) {
     }
     $sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
     $message = PMA_Message::success('strUpdatePrivMessage');
-    $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+    $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
 }
 
 
@@ -1175,7 +1175,7 @@ if (isset($_REQUEST['revokeall'])) {
     }
     $sql_query = $sql_query0 . ' ' . $sql_query1;
     $message = PMA_Message::success('strRevokeMessage');
-    $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+    $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
     if (! isset($tablename)) {
         unset($dbname);
     } else {
@@ -1211,7 +1211,7 @@ if (isset($_REQUEST['change_pw'])) {
         PMA_DBI_try_query($local_query)
             or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
         $message = PMA_Message::success('strPasswordChanged');
-        $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+        $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
     }
 }
 
@@ -1590,7 +1590,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
 
         if (isset($dbname)) {
             echo ' <i><a href="server_privileges.php?'
-                . $GLOBALS['url_query'] . '&amp;username=' . urlencode($username)
+                . $GLOBALS['url_query'] . '&amp;username=' . htmlspecialchars(urlencode($username))
                 . '&amp;hostname=' . urlencode($hostname) . '&amp;dbname=&amp;tablename=">\''
                 . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname)
                 . '\'</a></i>' . "\n";
@@ -1599,7 +1599,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
             echo ' - ' . ($dbname_is_wildcard ? $GLOBALS['strDatabases'] : $GLOBALS['strDatabase'] );
             if (isset($tablename)) {
                 echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query']
-                    . '&amp;username=' . urlencode($username) . '&amp;hostname=' . urlencode($hostname)
+                    . '&amp;username=' . htmlspecialchars(urlencode($username)) . '&amp;hostname=' . urlencode($hostname)
                     . '&amp;dbname=' . htmlspecialchars($url_dbname) . '&amp;tablename=">' . htmlspecialchars($dbname) . '</a></i>';
                 echo ' - ' . $GLOBALS['strTable'] . ' <i>' . htmlspecialchars($tablename) . '</i>';
             } else {
@@ -1834,14 +1834,14 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
                     }
                     echo '</td>' . "\n"
                        . '    <td>';
-                    printf($link_edit, urlencode($username),
+                    printf($link_edit, htmlspecialchars(urlencode($username)),
                         urlencode($hostname),
                         urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
                         urlencode((! isset($dbname)) ? '' : $row['Table_name']));
                     echo '</td>' . "\n"
                        . '    <td>';
                     if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
-                        printf($link_revoke, urlencode($username),
+                        printf($link_revoke, htmlspecialchars(urlencode($username)),
                             urlencode($hostname),
                             urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
                             urlencode((! isset($dbname)) ? '' : $row['Table_name']));