diff --git a/js/RichText/UserMention.js b/js/RichText/UserMention.js
index 6d2930918e6..4c4718930a9 100644
--- a/js/RichText/UserMention.js
+++ b/js/RichText/UserMention.js
@@ -32,6 +32,7 @@
  */
 
 /* global tinymce */
+/* global _ */
 
 window.GLPI = window.GLPI || {};
 window.GLPI.RichText = window.GLPI.RichText || {};
@@ -157,6 +158,6 @@ window.GLPI.RichText.UserMention = class {
     generateUserMentionHtml(user) {
         return `<span contenteditable="false"
                     data-user-mention="true"
-                    data-user-id="${user.id}">@${user.name}</span>&nbsp;`;
+                    data-user-id="${_.escape(user.id)}">@${_.escape(user.name)}</span>&nbsp;`;
     }
 };
diff --git a/js/cable.js b/js/cable.js
index dd07d44e70c..3742e7fd14e 100644
--- a/js/cable.js
+++ b/js/cable.js
@@ -42,8 +42,8 @@ function refreshAssetBreadcrumb(itemtype, items_id, dom_to_update) {
             itemtype: itemtype,
         }
     }).done((html_breadcrum) => {
-        $(`#${dom_to_update}`).empty();
-        $(`#${dom_to_update}`).append(html_breadcrum);
+        $(`#${CSS.escape(dom_to_update)}`).empty();
+        $(`#${CSS.escape(dom_to_update)}`).append(html_breadcrum);
     });
 
 }
@@ -59,8 +59,8 @@ function refreshNetworkPortDropdown(itemtype, items_id, dom_to_update) {
             itemtype: itemtype,
         }
     }).done((html_data) => {
-        $(`#${dom_to_update}`).empty();
-        $(`#${dom_to_update}`).append(html_data);
+        $(`#${CSS.escape(dom_to_update)}`).empty();
+        $(`#${CSS.escape(dom_to_update)}`).append(html_data);
     });
 }
 
@@ -77,7 +77,7 @@ function refreshSocketDropdown(itemtype, items_id, socketmodels_id, dom_name) {
             dom_name: dom_name
         }
     }).done((html_data) => {
-        const parent_dom = $(`select[name="${dom_name}"]`).parent().parent();
+        const parent_dom = $(`select[name="${CSS.escape(dom_name)}"]`).parent().parent();
         parent_dom.empty();
         parent_dom.append(html_data);
     });
diff --git a/js/common.js b/js/common.js
index 72da960b085..8963e926b8e 100644
--- a/js/common.js
+++ b/js/common.js
@@ -174,7 +174,7 @@ function displayOtherSelectOptions(select_object, other_option_name) {
 **/
 function checkAsCheckboxes(reference, container_id, checkboxes_selector = 'input[type="checkbox"]') {
     reference = typeof(reference) === 'string' ? document.getElementById(reference) : reference;
-    $('#' + container_id + ' ' + checkboxes_selector + ':enabled')
+    $('#' + CSS.escape(container_id) + ' ' + checkboxes_selector + ':enabled')
         .prop('checked', $(reference).is(':checked'));
 
     return true;
@@ -236,14 +236,14 @@ function showHideDiv(id, img_name = '', img_src_close = '', img_src_open = '') {
         var _deco;
         var _img;
         if (!_awesome) {
-            _img = $('img[name=' + img_name + ']');
+            _img = $('img[name=' + CSS.escape(img_name) + ']');
             if (_elt.is(':visible')) {
                 _img.attr('src', img_src_close);
             } else {
                 _img.attr('src', img_src_open);
             }
         } else {
-            _deco = $('#'+img_name);
+            _deco = $('#' + CSS.escape(img_name));
             if (_elt.is(':visible')) {
                 _deco
                     .removeClass(img_src_open)
@@ -361,7 +361,8 @@ function submitGetLink(target, fields) {
  * @param id
 **/
 function selectAll(id) {
-    var element =$('#'+id);var selected = [];
+    var element = $('#'+CSS.escape(id));
+    var selected = [];
     element.find('option').each(function(i,e){
         selected[selected.length]=$(e).attr('value');
     });
@@ -375,7 +376,7 @@ function selectAll(id) {
  * @param id
 **/
 function deselectAll(id) {
-    $('#'+id).val('').trigger('change');
+    $('#' + CSS.escape(id)).val('').trigger('change');
 }
 
 
@@ -393,7 +394,7 @@ function massiveUpdateCheckbox(criterion, reference) {
     if (typeof(reference) == 'boolean') {
         value = reference;
     } else if (typeof(reference) == 'string') {
-        value = $('#' + reference).prop('checked');
+        value = $('#' + CSS.escape(reference)).prop('checked');
     } else if (typeof(reference) == 'object') {
         value = $(reference).prop('checked');
     }
@@ -612,7 +613,7 @@ var getExtIcon = function(ext) {
         url = CFG_GLPI.root_doc+'/pics/icones/defaut-dist.png';
     }
 
-    return '<img src="'+url+'" title="'+ext+'">';
+    return '<img src="' + _.escape(url) + '" title="' + _.escape(ext) + '">';
 };
 
 /**
@@ -752,7 +753,7 @@ var initMap = function(parent_elt, map_id, height, initial_view = {position: [0,
     }
 
     //add map, set a default arbitrary location
-    parent_elt.append($('<div id="'+map_id+'" style="height: ' + height + '"></div>'));
+    parent_elt.append($('<div id="'+_.escape(map_id)+'" style="height: ' + _.escape(height) + '"></div>'));
     var map = L.map(map_id, {fullscreenControl: true, minZoom: 2}).setView(initial_view.position, initial_view.zoom);
 
     //setup tiles and © messages
@@ -764,7 +765,7 @@ var initMap = function(parent_elt, map_id, height, initial_view = {position: [0,
 
 var showMapForLocation = function(elt) {
     var _id = $(elt).data('fid');
-    var _items_id = $('#' + _id).val();
+    var _items_id = $('#' + CSS.escape(_id)).val();
 
     if (_items_id == 0) {
         return;
@@ -785,7 +786,7 @@ var showMapForLocation = function(elt) {
                 url: CFG_GLPI.root_doc + '/ajax/getMapPoint.php',
                 data: {
                     itemtype: 'Location',
-                    items_id: $('#' + _id).val()
+                    items_id: $('#' + CSS.escape(_id)).val()
                 }
             }).done(function(data) {
                 if (data.success === false) {
@@ -850,7 +851,7 @@ var templateResult = function(result) {
     _elt.attr('title', result.title);
 
     if (typeof query.term !== 'undefined' && typeof result.rendered_text !== 'undefined') {
-        _elt.html(result.rendered_text);
+        _elt.html(result.rendered_text); // rendered_text is expected to be a safe HTML string
     } else {
         if (!result.text) {
             return null;
@@ -1051,8 +1052,8 @@ var escapeMarkupText = function (text) {
  * @return void
  */
 function updateProgress(progressid) {
-    var progress = $("progress#progress"+progressid).first();
-    $("div[data-progressid='"+progressid+"']").each(function(i, item) {
+    var progress = $("#"+CSS.escape(progressid)).first();
+    $("div[data-progressid='"+CSS.escape(progressid)+"']").each(function(i, item) {
         var j_item = $(item);
         var fg = j_item.find(".progress-fg").first();
         var calcWidth = (progress.attr('value') / progress.attr('max')) * 100;
@@ -1219,7 +1220,7 @@ function updateItemOnEvent(dropdown_ids, target, url, params = {}, events = ['ch
             //TODO Manage buffer time
 
             const cleaned_zone_id = zone.replace('[', '_').replace(']', '_');
-            const zone_obj = $(`#${cleaned_zone_id}`);
+            const zone_obj = $(`#${CSS.escape(cleaned_zone_id)}`);
 
             zone_obj.on(event, () => {
                 const conditional = (min_size >= 0 || force_load_for.length > 0);
@@ -1233,9 +1234,9 @@ function updateItemOnEvent(dropdown_ids, target, url, params = {}, events = ['ch
                         if (typeof v === "string") {
                             const reqs = v.match(/^__VALUE(\d+)__$/);
                             if (reqs !== null) {
-                                resolved_params[k] = $('#'+dropdown_ids[reqs[0]]).val();
+                                resolved_params[k] = $('#'+CSS.escape(dropdown_ids[reqs[0]])).val();
                             } else if (v === '__VALUE__') {
-                                resolved_params[k] = $('#'+dropdown_ids[0]).val();
+                                resolved_params[k] = $('#'+CSS.escape(dropdown_ids[0])).val();
                             } else {
                                 resolved_params[k] = v;
                             }
@@ -1354,11 +1355,11 @@ function tableToDetails(table) {
             if (in_details) {
                 details += '</pre></details>';
             }
-            details += `<details><summary>${e.innerText}</summary><pre>`;
+            details += `<details><summary>${_.escape(e.innerText)}</summary><pre>`;
             in_details = true;
         } else {
             if (in_details) {
-                details += e.innerText;
+                details += _.escape(e.innerText);
             }
         }
     });
@@ -1555,7 +1556,7 @@ $(document.body).on('shown.bs.tab', 'a[data-bs-toggle="tab"]', (e) => {
  * @param {string} item The ID of the field to be shown
  */
 function showDisclosablePasswordField(item) {
-    $("#" + item).prop("type", "text");
+    $("#" + CSS.escape(item)).prop("type", "text");
 }
 
 /**
@@ -1563,7 +1564,7 @@ function showDisclosablePasswordField(item) {
  * @param {string} item The ID of the field to be hidden
  */
 function hideDisclosablePasswordField(item) {
-    $("#" + item).prop("type", "password");
+    $("#" + CSS.escape(item)).prop("type", "password");
 }
 
 /**
@@ -1571,11 +1572,11 @@ function hideDisclosablePasswordField(item) {
  * @param {string} item The ID of the field to be copied
  */
 function copyDisclosablePasswordFieldToClipboard(item) {
-    const is_password_input = $("#" + item).prop("type") === "password";
+    const is_password_input = $("#" + CSS.escape(item)).prop("type") === "password";
     if (is_password_input) {
         showDisclosablePasswordField(item);
     }
-    $("#" + item).select();
+    $("#" + CSS.escape(item)).select();
     try {
         document.execCommand("copy");
     } catch {
@@ -1591,7 +1592,7 @@ function copyDisclosablePasswordFieldToClipboard(item) {
  * @param element_id The ID of the table to be converted
  */
 function initSortableTable(element_id) {
-    const element = $(`#${element_id}`);
+    const element = $(`#${CSS.escape(element_id)}`);
     const sort_table = (column_index) => {
         const current_sort = element.data('sort');
         element.data('sort', column_index);
@@ -1700,7 +1701,7 @@ if (typeof GlpiCommonAjaxController == "function") {
 function setupAjaxDropdown(config) {
     // Field ID is used as a selector, so we need to escape special characters
     // to avoid issues with jQuery.
-    const field_id = $.escapeSelector(config.field_id);
+    const field_id = CSS.escape(config.field_id);
 
     const select2_el = $('#' + field_id).select2({
         containerCssClass: config.container_css_class,
@@ -1796,7 +1797,7 @@ function setupAjaxDropdown(config) {
 
     $('label[for=' + field_id + ']').on('click', function () { $('#' + field_id).select2('open'); });
     $('#' + field_id).on('select2:open', function (e) {
-        const search_input = document.querySelector(`.select2-search__field[aria-controls='select2-${e.target.id}-results']`);
+        const search_input = document.querySelector(`.select2-search__field[aria-controls='select2-${CSS.escape(e.target.id)}-results']`);
         if (search_input) {
             search_input.focus();
         }
@@ -1809,7 +1810,7 @@ function setupAdaptDropdown(config)
 {
     // Field ID is used as a selector, so we need to escape special characters
     // to avoid issues with jQuery.
-    const field_id = $.escapeSelector(config.field_id);
+    const field_id = CSS.escape(config.field_id);
 
     const options = {
         width: config.width,
@@ -1909,8 +1910,8 @@ function setupAdaptDropdown(config)
     $('label[for=' + field_id + ']').on('click', function () {
         $('#' + field_id).select2('open');
     });
-    $('#' + field_id).on('select2:open', function () {
-        const search_input = document.querySelector(`.select2-search__field[aria-controls='select2-\${e.target.id}-results']`);
+    $('#' + field_id).on('select2:open', function (e) {
+        const search_input = document.querySelector(`.select2-search__field[aria-controls='select2-${CSS.escape(e.target.id)}-results']`);
         if (search_input) {
             search_input.focus();
         }
diff --git a/js/fileupload.js b/js/fileupload.js
index 895090e6740..c5e82813253 100644
--- a/js/fileupload.js
+++ b/js/fileupload.js
@@ -43,7 +43,7 @@ function uploadFile(file, editor) {
 
     // Search for fileupload container.
     // First try to find an uplaoder having same name as editor element.
-    var uploader = $(`[data-uploader-name="${editor.getElement().name}"]`);
+    var uploader = $(`[data-uploader-name="${CSS.escape(editor.getElement().name)}"]`);
     if (uploader.length === 0) {
         // Fallback to uploader using default name
         uploader = $(editor.getElement()).closest('form').find('[data-uploader-name="filename"]');
@@ -81,7 +81,7 @@ var handleUploadedFile = function (files, files_data, input_name, container, edi
                             editor = tinyMCE.get(editor_id);
                             const uploaded_image = uploaded_images.find((entry) => entry.filename === file.name);
                             const matching_image = uploaded_image !== undefined
-                                ? editor.dom.select(`img[data-upload_id="${uploaded_image.upload_id}"]`)
+                                ? editor.dom.select(`img[data-upload_id="${CSS.escape(uploaded_image.upload_id)}"]`)
                                 : [];
                             if (matching_image.length > 0) {
                                 editor.dom.setAttrib(matching_image, 'id', tag_data.tag.replace(/#/g, ''));
@@ -123,7 +123,7 @@ var handleUploadedFile = function (files, files_data, input_name, container, edi
  * @param      {Object}  container     The fileinfo container
  */
 var displayUploadedFile = function(file, tag, editor, input_name, filecontainer) {
-    var fileindex = $(`input[name^="_${input_name}["]`).length;
+    var fileindex = $(`input[name^="_${CSS.escape(input_name)}["]`).length;
     var ext = file.name.split('.').pop();
 
     var p = $('<p></p>')
@@ -173,7 +173,7 @@ var displayUploadedFile = function(file, tag, editor, input_name, filecontainer)
 var deleteImagePasted = function(elementsIdToRemove, tagToRemove, editor) {
     // Remove file display lines
     $.each(elementsIdToRemove, (index, element) => {
-        $(`#${element}`).remove();
+        $(`#${CSS.escape(element)}`).remove();
     });
 
     if (typeof editor !== "undefined" && editor !== null
diff --git a/js/glpi_dialog.js b/js/glpi_dialog.js
index 0d34a28a71c..e5731cd971a 100644
--- a/js/glpi_dialog.js
+++ b/js/glpi_dialog.js
@@ -33,6 +33,7 @@
 
 /* eslint no-var: 0 */
 /* global bootstrap */
+/* global _ */
 
 /**
  * Create a dialog window
@@ -81,14 +82,14 @@ var glpi_html_dialog = function({
             var bclass = ("class" in button) ? button.class : 'btn-secondary';
 
             buttons_html+= `
-            <button type="button" id="${bid}"
-                    class="btn ${bclass}" data-bs-dismiss="modal">
+            <button type="button" id="${_.escape(bid)}"
+                    class="btn ${_.escape(bclass)}" data-bs-dismiss="modal">
                ${label}
             </button>`;
 
             // add click event on button
             if ('click' in button) {
-                $(document).on('click', `#${bid}`, (event) => {
+                $(document).on('click', `#${CSS.escape(bid)}`, (event) => {
                     button.click(event);
                 });
             }
@@ -105,8 +106,8 @@ var glpi_html_dialog = function({
 
     const data_bs_focus = !bs_focus ? 'data-bs-focus="false"' : '';
 
-    var modal = `<div class="modal fade ${modalclass}" id="${id}" role="dialog" ${data_bs_focus} aria-labelledby="${id}_title">
-         <div class="modal-dialog ${dialogclass}">
+    var modal = `<div class="modal fade ${_.escape(modalclass)}" id="${_.escape(id)}" role="dialog" ${data_bs_focus} aria-labelledby="${_.escape(id)}_title">
+         <div class="modal-dialog ${_.escape(dialogclass)}">
             <div class="modal-content">
                <div class="modal-header">
                   <h2 id="${id}_title" class="fs-4 modal-title" tabindex="-1">${title}</h2>
@@ -136,7 +137,7 @@ var glpi_html_dialog = function({
     // create global events
     myModalEl.addEventListener('shown.bs.modal', (event) => {
         // focus first element in modal
-        $(`#${id}`).find("input, textarea, select").first().trigger("focus");
+        $(`#${CSS.escape(id)}`).find("input, textarea, select").first().trigger("focus");
 
         // call show event
         show(event);
@@ -150,7 +151,7 @@ var glpi_html_dialog = function({
         }
 
         // remove html on modal close
-        $(`#${id}`).remove();
+        $(`#${CSS.escape(id)}`).remove();
     });
 
     return id;
@@ -355,9 +356,9 @@ const glpi_toast = (title, message, css_class, options = {}) => {
     if (!valid_locations.includes(location)) {
         location = 'bottom-right';
     }
-    const html = `<div class='toast-container ${location} p-3 messages_after_redirect'>
-      <div id='toast_js_${toast_id}' class='toast ${animation_classes}' role='alert' aria-live='assertive' aria-atomic='true'>
-         <div class='toast-header ${css_class}'>
+    const html = `<div class='toast-container ${_.escape(location)} p-3 messages_after_redirect'>
+      <div id='toast_js_${toast_id}' class='toast ${_.escape(animation_classes)}' role='alert' aria-live='assertive' aria-atomic='true'>
+         <div class='toast-header ${_.escape(css_class)}'>
             <strong class='me-auto'>${title}</strong>
             <button type='button' class='btn-close' data-bs-dismiss='toast' aria-label='${__('Close')}'></button>
          </div>
@@ -368,7 +369,7 @@ const glpi_toast = (title, message, css_class, options = {}) => {
    </div>`;
     $('body').append(html);
 
-    const toast = new bootstrap.Toast(document.querySelector(`#toast_js_${toast_id}`), {
+    const toast = new bootstrap.Toast(document.querySelector(`#toast_js_${CSS.escape(toast_id)}`), {
         delay: options.delay,
     });
     toast.show();
diff --git a/js/impact.js b/js/impact.js
index 0ac684b9e0e..fac899632c1 100644
--- a/js/impact.js
+++ b/js/impact.js
@@ -1430,7 +1430,7 @@ var GLPIImpact = {
         var nodeID = GLPIImpact.makeID(GLPIImpact.NODE, node.itemtype, node.items_id);
 
         // Check if the node is already on the graph
-        if (GLPIImpact.cy.filter('node[id="' + nodeID + '"]').length > 0) {
+        if (GLPIImpact.cy.filter('node[id="' + CSS.escape(nodeID) + '"]').length > 0) {
             alert(__('This asset already exists.'));
             return;
         }
@@ -2079,7 +2079,7 @@ var GLPIImpact = {
         for (i=0; i<graph.length; i++) {
             var id = graph[i].data.id;
             // Check that the element is not already on the graph,
-            if (this.cy.filter('[id="' + id + '"]').length > 0) {
+            if (this.cy.filter('[id="' + CSS.escape(id) + '"]').length > 0) {
                 continue;
             }
             // Store node to add them at once with a layout
@@ -2090,7 +2090,7 @@ var GLPIImpact = {
                 var node_info = graph[i].data.id.split(GLPIImpact.NODE_ID_SEPERATOR);
                 var itemtype = node_info[0];
                 var items_id = node_info[1];
-                $("p[data-id=" + items_id + "][data-type='" + itemtype + "']").remove();
+                $("p[data-id=" + CSS.escape(items_id) + "][data-type='" + CSS.escape(itemtype) + "']").remove();
             }
         }
 
@@ -2611,10 +2611,10 @@ var GLPIImpact = {
     * @returns {string}
     */
     buildOngoingDialogContent: function(ITILObjects) {
-        return this.listElements(__("Requests"), ITILObjects.requests, "ticket")
-         + this.listElements(__("Incidents"), ITILObjects.incidents, "ticket")
-         + this.listElements(__("Changes"), ITILObjects.changes , "change")
-         + this.listElements(__("Problems"), ITILObjects.problems, "problem");
+        return this.listElements(_.unescape(__("Requests")), ITILObjects.requests, "ticket")
+         + this.listElements(_.unescape(__("Incidents")), ITILObjects.incidents, "ticket")
+         + this.listElements(_.unescape(__("Changes")), ITILObjects.changes , "change")
+         + this.listElements(_.unescape(__("Problems")), ITILObjects.problems, "problem");
     },
 
     /**
@@ -2630,12 +2630,12 @@ var GLPIImpact = {
         var html = "";
 
         if (elements.length > 0) {
-            html += "<h3>" + title + "</h3>";
+            html += "<h3>" + _.escape(title) + "</h3>";
             html += "<ul>";
 
             elements.forEach(function(element) {
                 var link = CFG_GLPI.root_doc + "/front/" + url + ".form.php?id=" + element.id;
-                html += '<li><a target="_blank" href="' + link + '">' + element.name
+                html += '<li><a target="_blank" href="' + _.escape(link) + '">' + _.escape(element.name)
                + '</a></li>';
             });
             html += "</ul>";
@@ -3569,8 +3569,8 @@ var GLPIImpact = {
                 event.target.select();
 
                 if (event.target.isNode()){
-                    var sourceFilter = "edge[source='" + id + "']";
-                    var targetFilter = "edge[target='" + id + "']";
+                    var sourceFilter = "edge[source='" + CSS.escape(id) + "']";
+                    var targetFilter = "edge[target='" + CSS.escape(id) + "']";
                     event.cy.filter(sourceFilter + ", " + targetFilter)
                         .data('todelete', 1)
                         .select();
@@ -3734,9 +3734,9 @@ var GLPIImpact = {
                         cssClass = "impact-res-disabled";
                     }
 
-                    var str = '<p class="' + cssClass + '" data-id="' + value['id'] + '" data-type="' + itemtype + '">';
+                    var str = '<p class="' + cssClass + '" data-id="' + _.escape(value['id']) + '" data-type="' + _.escape(itemtype) + '">';
                     str += `<img src='${_.escape(value['image'])}'></img>`;
-                    str += value["name"];
+                    str += _.escape(value["name"]);
 
                     if (isHidden) {
                         str += '<i class="ti ti-eye-off impact-res-hidden"></i>';
@@ -3985,7 +3985,7 @@ var GLPIImpact = {
             $(GLPIImpact.selectors.sideSearch).show();
             $(GLPIImpact.selectors.sideSearch + " img").attr('title', $(img).attr('title'));
             $(GLPIImpact.selectors.sideSearch + " img").attr('src', $(img).attr('src'));
-            $(GLPIImpact.selectors.sideSearch + " > h4 > span").html($(img).attr('title'));
+            $(GLPIImpact.selectors.sideSearch + " > h4 > span").html(_.escape($(img).attr('title')));
             $(GLPIImpact.selectors.sideSearchSelectItemtype).hide();
 
             // Empty search
diff --git a/js/planning.js b/js/planning.js
index 8995599d0cc..37e153e5a44 100644
--- a/js/planning.js
+++ b/js/planning.js
@@ -35,6 +35,8 @@
 /* eslint no-var: 0 */
 /* global FullCalendar, FullCalendarLocales, FullCalendarInteraction */
 /* global glpi_ajax_dialog, glpi_html_dialog */
+/* global _ */
+
 var GLPIPlanning  = {
     calendar:      null,
     dom_id:        "",
@@ -173,7 +175,7 @@ var GLPIPlanning  = {
                 // append event data to dom (to re-use they in clone behavior)
                 element.data('myevent', event);
 
-                var eventtype_marker = `<span class="event_type" style="background-color: ${extProps.typeColor}"></span>`;
+                var eventtype_marker = `<span class="event_type" style="background-color: ${_.escape(extProps.typeColor)}"></span>`;
                 element.append(eventtype_marker);
 
                 var content = extProps.content;
@@ -193,7 +195,7 @@ var GLPIPlanning  = {
                     }
 
                     element.find(".fc-title, .fc-list-item-title")
-                        .append(`&nbsp;<i class='${extProps.icon}' title='${icon_alt}'></i>`);
+                        .append(`&nbsp;<i class='${_.escape(extProps.icon)}' title='${_.escape(icon_alt)}'></i>`);
                 }
 
                 // add classes to current event
@@ -390,7 +392,7 @@ var GLPIPlanning  = {
                 }
 
                 // attach button (planning and refresh) in planning header
-                $(`#${GLPIPlanning.dom_id} .fc-toolbar .fc-center h2`)
+                $(`#${CSS.escape(GLPIPlanning.dom_id)} .fc-toolbar .fc-center h2`)
                     .after(
                         $('<i id="refresh_planning" class="ti ti-refresh pointer"></i>')
                     ).after(
diff --git a/js/rack.js b/js/rack.js
index 3ae9ecdd293..dc119fd6240 100644
--- a/js/rack.js
+++ b/js/rack.js
@@ -35,6 +35,7 @@
 /* global grid_link_url, grid_rack_add_tip, grid_rack_id, grid_rack_units, GridStack */
 /* global glpi_ajax_dialog, displayAjaxMessageAfterRedirect */
 /* global grid_item_ajax_url */
+/* global _ */
 
 let pos_before_drag = {x: 0, y: 0};
 var dirty = false;
@@ -178,7 +179,7 @@ var initRack = function() {
                             var other_side_cls = j_item.hasClass('item_rear')
                                 ? "item_front"
                                 : "item_rear";
-                            var other_side_el = $(`.grid-stack-item.${other_side_cls}[gs-id=${j_item.attr('gs-id')}]`);
+                            var other_side_el = $(`.grid-stack-item.${CSS.escape(other_side_cls)}[gs-id=${CSS.escape(j_item.attr('gs-id'))}]`);
 
                             if (other_side_el.length) {
                                 //retrieve other side gridstack instance
@@ -241,7 +242,7 @@ var initRack = function() {
 
         // append cells for adding new items
         $('.racks_add').append(
-            `<div class="cell_add"><span class="tipcontent">${grid_rack_add_tip}</span></div>`
+            `<div class="cell_add"><span class="tipcontent">${_.escape(grid_rack_add_tip)}</span></div>`
         );
     }
 };
diff --git a/js/reservations.js b/js/reservations.js
index 1a58e85fb49..0064045d857 100644
--- a/js/reservations.js
+++ b/js/reservations.js
@@ -34,6 +34,7 @@
 /* eslint no-var: 0 */
 /* global FullCalendar, FullCalendarLocales */
 /* global glpi_ajax_dialog */
+/* global _ */
 
 var Reservations = function() {
     this.is_all      = true;
@@ -167,7 +168,7 @@ var Reservations = function() {
                     }
 
                     element.find(".fc-title, .fc-list-item-title")
-                        .append(`&nbsp;<i class='${extProps.icon}' title='${icon_alt}'></i>`);
+                        .append(`&nbsp;<i class='${_.escape(extProps.icon)}' title='${_.escape(icon_alt)}'></i>`);
                 }
 
                 // detect ideal position
diff --git a/js/src/vue/CustomObject/FieldPreview/FieldDisplay.vue b/js/src/vue/CustomObject/FieldPreview/FieldDisplay.vue
index e4ce0a00d07..f075c1d21ce 100644
--- a/js/src/vue/CustomObject/FieldPreview/FieldDisplay.vue
+++ b/js/src/vue/CustomObject/FieldPreview/FieldDisplay.vue
@@ -134,7 +134,7 @@
                 sortable_field.is_active = true;
                 // Recalculate the order of the fields to match the index in the displayed list
                 sortable_fields.forEach((field) => {
-                    field.order = $(component_root.value).find('.sortable-field').index($(`.sortable-field[data-key="${field.key}"]`));
+                    field.order = $(component_root.value).find('.sortable-field').index($(`.sortable-field[data-key="${CSS.escape(field.key)}"]`));
                 });
             } else {
                 removeField(moved_field.attr('data-key'));
@@ -165,8 +165,8 @@
                 window.glpi_ajax_dialog({
                     id: 'core_field_options_editor',
                     modalclass: 'modal-xl',
-                    appendTo: `#${$(sortable_fields_container.value).attr('id')}`,
-                    title: field_el.text(),
+                    appendTo: `#${CSS.escape($(sortable_fields_container.value).attr('id'))}`,
+                    title: _.escape(field_el.text()),
                     url: url,
                     buttons: [
                         {
diff --git a/js/src/vue/Debug/Toolbar.vue b/js/src/vue/Debug/Toolbar.vue
index 5e986ecb7fe..281fdb0c471 100644
--- a/js/src/vue/Debug/Toolbar.vue
+++ b/js/src/vue/Debug/Toolbar.vue
@@ -68,7 +68,7 @@
             refreshButton: (button) => {
                 const server_perf = props.initial_request.server_performance;
                 const memory_usage = +(server_perf.memory_usage / 1024 / 1024).toFixed(2);
-                const server_performance_button_label = `${server_perf.execution_time} <span class="text-muted"> ms using </span> ${memory_usage} <span class="text-muted"> MiB </span>`;
+                const server_performance_button_label = `${_.escape(server_perf.execution_time)} <span class="text-muted"> ms using </span> ${_.escape(memory_usage)} <span class="text-muted"> MiB </span>`;
                 button.find('.debug-text').html(server_performance_button_label);
             }
         },
@@ -80,7 +80,7 @@
             component_registered_name: 'widget-sqlrequests',
             refreshButton: (button) => {
                 const sql_data = getCombinedSQLData();
-                const database_button_label = `${sql_data.total_requests} <span class="text-muted"> requests </span>`;
+                const database_button_label = `${_.escape(sql_data.total_requests)} <span class="text-muted"> requests </span>`;
                 button.find('.debug-text').html(database_button_label);
             }
         },
@@ -104,7 +104,7 @@
                 if (button.find('.debug-text').text().trim() === '') {
                     setTimeout(() => {
                         const dom_timing = +window.performance.getEntriesByType('navigation')[0].domComplete.toFixed(2);
-                        const client_performance_button_label = `${dom_timing} <span class="text-muted"> ms </span>`;
+                        const client_performance_button_label = `${_.escape(dom_timing)} <span class="text-muted"> ms </span>`;
                         button.find('.debug-text').html(client_performance_button_label);
                     }, 200);
                 }
@@ -125,7 +125,7 @@
             main_widget: true, // This widget shows directly in the toolbar
             component_registered_name: 'widget-theme-switcher',
             refreshButton: (button) => {
-                button.find('.debug-text').html(`<span class="text-muted">Theme: </span> ${document.documentElement.attributes['data-glpi-theme'].value}`);
+                button.find('.debug-text').html(`<span class="text-muted">Theme: </span> ${_.escape(document.documentElement.attributes['data-glpi-theme'].value)}`);
             }
         },
         {
@@ -283,7 +283,7 @@
 
     function refreshWidgetButtons() {
         $.each(getMainWidgets(), (i, /** @type MainWidget */ widget) => {
-            widget.refreshButton($(`#debug-toolbar .debug-toolbar-widgets li[data-glpi-debug-widget-id="${widget.id}"]`));
+            widget.refreshButton($(`#debug-toolbar .debug-toolbar-widgets li[data-glpi-debug-widget-id="${CSS.escape(widget.id)}"]`));
         });
         initial_load.value = false;
     }
diff --git a/js/src/vue/Debug/Widget/HTTPRequests.vue b/js/src/vue/Debug/Widget/HTTPRequests.vue
index f798addc00a..be8a9dddae9 100644
--- a/js/src/vue/Debug/Widget/HTTPRequests.vue
+++ b/js/src/vue/Debug/Widget/HTTPRequests.vue
@@ -148,7 +148,7 @@
                 seen_request_ids.push(request.id);
                 setTimeout(() => {
                     // Need this timeout because this watcher is called before the DOM is updated
-                    const row = $(`tr[data-request-id="${request.id}"]`);
+                    const row = $(`tr[data-request-id="${CSS.escape(request.id)}"]`);
                     row.css('background-color', '#FFFF7B80');
                     setTimeout(() => {
                         row.css('background-color', 'transparent');
diff --git a/js/src/vue/Debug/Widget/SQLRequests.vue b/js/src/vue/Debug/Widget/SQLRequests.vue
index 5476a5346ce..ad6185a4d0d 100644
--- a/js/src/vue/Debug/Widget/SQLRequests.vue
+++ b/js/src/vue/Debug/Widget/SQLRequests.vue
@@ -130,8 +130,8 @@
 
         return Promise.resolve(window.GLPI.Monaco.colorizeText(query, 'sql')).then((html) => {
             // get all 'span' elements with mtk6 class (keywords) and insert the needed line breaks
-            const newline_before_selector = newline_keywords.map((keyword) => `span.mtk6:contains(${keyword})`).join(',');
-            const post_newline_selector = post_newline_keywords.map((keyword) => `span.mtk6:contains(${keyword})`).join(',');
+            const newline_before_selector = newline_keywords.map((keyword) => `span.mtk6:contains(${CSS.escape(keyword)})`).join(',');
+            const post_newline_selector = post_newline_keywords.map((keyword) => `span.mtk6:contains(${CSS.escape(keyword)})`).join(',');
             return $($.parseHTML(html)).find(newline_before_selector).before('</br>').end().find(post_newline_selector).after('</br>').end().html();
         });
     }
diff --git a/js/src/vue/Kanban/Kanban.vue b/js/src/vue/Kanban/Kanban.vue
index 49480d270df..4e304ff9453 100644
--- a/js/src/vue/Kanban/Kanban.vue
+++ b/js/src/vue/Kanban/Kanban.vue
@@ -128,9 +128,9 @@
                             // Compute current position based on list of sortable elements without current card.
                             // Indeed, current card is still in DOM (but invisible), making placeholder index in DOM
                             // not always corresponding to its position inside list of visible elements.
-                            const sortable_elements = $('#' + current_column + ' ul.kanban-body > li:not([id="' + sort_data.card_id + '"])');
+                            const sortable_elements = $('#' + CSS.escape(current_column) + ' ul.kanban-body > li:not([id="' + CSS.escape(sort_data.card_id) + '"])');
                             const current_position = sortable_elements.index(placeholder.get(0));
-                            const card = $('#' + sort_data.card_id);
+                            const card = $('#' + CSS.escape(sort_data.card_id));
                             card.data('current-pos', current_position);
 
                             if (!rights.canOrderCard()) {
@@ -153,7 +153,7 @@
                 }
             });
         });
-        mutation_observer.observe($(`#${props.element_id}`).get(0), {
+        mutation_observer.observe($(`#${CSS.escape(props.element_id)}`).get(0), {
             subtree: true,
             childList: true
         });
@@ -164,9 +164,9 @@
      * This should be called every time a new column or item is added to the board.
      */
     function refreshSortables() {
-        $(`#${props.element_id}`).trigger('kanban:refresh_sortables');
+        $(`#${CSS.escape(props.element_id)}`).trigger('kanban:refresh_sortables');
         // Make sure all items in the columns can be sorted
-        const bodies = $(`#${props.element_id} .kanban-body`);
+        const bodies = $(`#${CSS.escape(props.element_id)} .kanban-body`);
         $.each(bodies, function(b) {
             const body = $(b);
             if (body.data('sortable')) {
@@ -209,15 +209,15 @@
 
         if (rights.canModifyView()) {
             // Enable column sorting
-            sortable(`#${props.element_id} .kanban-columns`, {
-                acceptFrom: `#${props.element_id} .kanban-columns`,
+            sortable(`#${CSS.escape(props.element_id)} .kanban-columns`, {
+                acceptFrom: `#${CSS.escape(props.element_id)} .kanban-columns`,
                 appendTo: '.kanban-container',
                 items: '.kanban-column:not(.kanban-protected)',
                 handle: '.kanban-column-header',
                 orientation: 'horizontal',
                 forcePlaceholderSize: true
             });
-            $(`#${props.element_id} .kanban-columns .kanban-column:not(.kanban-protected) .kanban-column-header`).addClass('grab');
+            $(`#${CSS.escape(props.element_id)} .kanban-columns .kanban-column:not(.kanban-protected) .kanban-column-header`).addClass('grab');
         }
 
         $(`#${props.element_id} .kanban-columns`).off('sortstop').on('sortstop', (e) => {
@@ -232,7 +232,7 @@
         filter_input.tokenizer.clearAutocomplete();
 
         // Refresh core tags autocomplete
-        filter_input.tokenizer.setAutocomplete('type', Object.keys(props.supported_itemtypes).map(k => `<i class="${props.supported_itemtypes[k].icon} me-1"></i>` + k));
+        filter_input.tokenizer.setAutocomplete('type', Object.keys(props.supported_itemtypes).map(k => `<i class="${_.escape(props.supported_itemtypes[k].icon)} me-1"></i>` + _.escape(k)));
         filter_input.tokenizer.setAutocomplete('milestone', ["true", "false"]);
         filter_input.tokenizer.setAutocomplete('deleted', ["true", "false"]);
 
@@ -295,8 +295,8 @@
             // Sort cards based on their index in the column
             new_state[i].cards.sort((a, b) => {
                 // Handle the case where the card is not in the column
-                const card_a = $(`#${a}`);
-                const card_b = $(`#${b}`);
+                const card_a = $(`#${CSS.escape(a)}`);
+                const card_b = $(`#${CSS.escape(b)}`);
                 if (card_a.length === 0) {
                     return -1;
                 }
@@ -362,14 +362,14 @@
             const indices = Object.keys(state['state']);
             const promises = [];
             for (let i = 0; i < indices.length; i++) {
-                const index = indices[i];
+                const index = parseInt(indices[i]);
                 const entry = state['state'][index];
                 entry.folded = entry.folded === 'true' || entry.folded === true;
-                const element = $(`#column-${props.column_field.id}-${entry.column}`);
+                const element = $(`#column-${CSS.escape(props.column_field.id)}-${CSS.escape(entry.column)}`);
                 if (element.length === 0) {
                     promises.push(loadColumn(entry.column, true, false));
                 }
-                $(`#${props.element_id} .kanban-columns .kanban-column:nth-child(${index})`).after(element);
+                $(`#${CSS.escape(props.element_id)} .kanban-columns .kanban-column:nth-child(${index})`).after(element);
                 if (entry.folded) {
                     element.addClass('collapsed');
                 }
@@ -661,13 +661,13 @@
                 action: 'load_item_panel'
             }
         }).done((result) => {
-            $(`#${props.element_id} .offcanvas`).remove();
-            $(`#${props.element_id}`).append(`
+            $(`#${CSS.escape(props.element_id)} .offcanvas`).remove();
+            $(`#${CSS.escape(props.element_id)}`).append(`
                 <div class="offcanvas offcanvas-end show position-absolute h-100" tabindex="-1">
                     <div class="offcanvas-body p-0"></div>
                 </div>
             `);
-            const offcanvas_body = $(`#${props.element_id} .offcanvas .offcanvas-body`);
+            const offcanvas_body = $(`#${CSS.escape(props.element_id)} .offcanvas .offcanvas-body`);
             offcanvas_body.append(result);
             offcanvas_body.find(`.card-title button`).on('click', () => {
                 closeCardDetailsPanel();
@@ -690,7 +690,7 @@
                 l.append(`
                     <div class="member-details">
                         ${member_item}
-                        ${_.escape(l.attr('data-name')) || `${member_itemtype} (${member_items_id})`}
+                        ${_.escape(l.attr('data-name')) || `${_.escape(member_itemtype)} (${_.escape(member_items_id)})`}
                     </div>
                     <button type="button" name="delete" class="btn btn-ghost-danger">
                         <i class="ti ti-x" title="${__('Delete')}"></i>
@@ -749,7 +749,7 @@
                 action: 'load_teammember_form'
             }
         }).done((result) => {
-            const teammember_types_dropdown = $(`#kanban-teammember-item-dropdown-${card_itemtype}`).html();
+            const teammember_types_dropdown = $(`#kanban-teammember-item-dropdown-${CSS.escape(card_itemtype)}`).html();
             const content = `
                 ${teammember_types_dropdown}
                 ${result}
@@ -1009,7 +1009,7 @@
 
         emit('kanban:filter', {
             filters: new_filters,
-            kanban_element: $(`#${props.element_id}`),
+            kanban_element: $(`#${CSS.escape(props.element_id)}`),
             columns: columns.value
         });
         emit('kanban:post_filter', new_filters);
@@ -1301,7 +1301,7 @@
     backgroundRefresh();
     onMounted(() => {
         initMutationObserver();
-        filter_input = new SearchInput($(`#${props.element_id} input[name="filter"]`), {
+        filter_input = new SearchInput($(`#${CSS.escape(props.element_id)} input[name="filter"]`), {
             allowed_tags: props.supported_filters,
             on_result_change: (e, result) => {
                 filters.value = {
diff --git a/js/src/vue/Kanban/SearchInput.js b/js/src/vue/Kanban/SearchInput.js
index 128c383b0e2..d844016dd51 100644
--- a/js/src/vue/Kanban/SearchInput.js
+++ b/js/src/vue/Kanban/SearchInput.js
@@ -169,7 +169,7 @@ export default class SearchInput {
             e.preventDefault();
             e.stopPropagation();
             const tag = $(e.target).closest('li').attr('data-tag');
-            const node = $(`<span class="search-input-tag-input">${tag.trim()}:</span>`).insertBefore($('.search-input-tag-input:last-of-type'));
+            const node = $(`<span class="search-input-tag-input">${_.escape(tag.trim())}:</span>`).insertBefore($('.search-input-tag-input:last-of-type'));
             //Clear selected node's text
             const selected_node = this.getSelectedNode();
             $(selected_node).text('');
@@ -183,7 +183,7 @@ export default class SearchInput {
             e.stopPropagation();
             const prefix = $(e.target).closest('button.tag-prefix').attr('data-prefix');
             const tag = $(e.target).closest('li').attr('data-tag');
-            const node = $(`<span class="search-input-tag-input">${prefix || ''}${tag.trim()}:</span>`).insertBefore($('.search-input-tag-input:last-of-type'));
+            const node = $(`<span class="search-input-tag-input">${_.escape(prefix || '')}${_.escape(tag.trim())}:</span>`).insertBefore($('.search-input-tag-input:last-of-type'));
             //Clear selected node's text
             const selected_node = this.getSelectedNode();
             $(selected_node).text('');
@@ -197,7 +197,7 @@ export default class SearchInput {
             const li = $(e.target).closest('li');
             const tag = li.closest('ul').attr('data-tag');
             const selected_term = li.text().trim();
-            const editing_node = input.find(`.search-input-tag-input[data-tag="${tag}"]`);
+            const editing_node = input.find(`.search-input-tag-input[data-tag="${CSS.escape(tag)}"]`);
             editing_node.text(`${tag}:${selected_term}`);
             this.tagifyInputNode(editing_node);
             this.placeCaretInDefaultInput();
@@ -388,7 +388,7 @@ export default class SearchInput {
     * @param {SearchToken} token
     */
     tokenToTagHtml(token) {
-        const tag_display = token.tag ? `<b>${token.exclusion ? this.tokenizer.EXCLUSION_PREFIX : ''}${token.prefix ? token.prefix : ''}${token.tag}</b>:` : '';
+        const tag_display = token.tag ? `<b>${_.escape(token.exclusion ? this.tokenizer.EXCLUSION_PREFIX : '')}${_.escape(token.prefix ? token.prefix : '')}${_.escape(token.tag)}</b>:` : '';
         let tag_color_override = null;
         if (this.tokenizer.options.custom_prefixes[token.prefix]) {
             tag_color_override = this.tokenizer.options.custom_prefixes[token.prefix].token_color || null;
@@ -407,12 +407,12 @@ export default class SearchInput {
             if (tag_color_override.indexOf('#') === 0) {
                 tag_color_override = tag_color_override.replace(/[^#]*#([0-9a-f]{6})([0-9a-f]{2})?/i, '#$1');
             }
-            style_overrides = tag_color_override ? `style="border-color: ${tag_color_override} !important; background-color: unset !important;"` : '';
+            style_overrides = tag_color_override ? `border-color: ${tag_color_override} !important; background-color: unset !important;` : '';
         } else {
-            style_overrides = tag_color_override ? `style="background-color: ${tag_color_override} !important"` : '';
+            style_overrides = tag_color_override ? `background-color: ${tag_color_override} !important` : '';
         }
-        return `<span class="search-input-tag badge bg-secondary text-secondary-fg me-1" contenteditable="false" data-tag="${token.tag}" ${style_overrides}>
-                  <span class="search-input-tag-value" contenteditable="false">${tag_display}${_.escape(token.term) || ''}</span>
+        return `<span class="search-input-tag badge bg-secondary text-secondary-fg me-1" contenteditable="false" data-tag="${token.tag}" style="${_.escape(style_overrides)}">
+                  <span class="search-input-tag-value" contenteditable="false">${tag_display}${_.escape(token.term || '')}</span>
                   <i class="ti ti-x cursor-pointer ms-1" title="${__('Delete')}" contenteditable="false"></i>
                </span>`;
     }
@@ -650,15 +650,15 @@ export default class SearchInput {
                 if (prefix === this.tokenizer.EXCLUSION_PREFIX) {
                     label = __('Exclude');
                 }
-                prefix_content += `<button type="button" class="btn btn-outline-secondary btn-sm ${prefix_count > 1 ? 'ms-1' : ''} tag-prefix" title="${label}" data-prefix="${prefix}">${prefix}</button>`;
+                prefix_content += `<button type="button" class="btn btn-outline-secondary btn-sm ${prefix_count > 1 ? 'ms-1' : ''} tag-prefix" title="${label}" data-prefix="${_.escape(prefix)}">${_.escape(prefix)}</button>`;
             });
             helper += `
-            <li class="list-group-item list-group-item-action" style="cursor: pointer" data-tag="${name}">
+            <li class="list-group-item list-group-item-action" style="cursor: pointer" data-tag="${_.escape(name)}">
                 <div class="d-flex flex-grow-1 justify-content-between">
-                   <b>${name}</b>
+                   <b>${_.escape(name)}</b>
                    <span>${prefix_content}</span>
                 </div>
-                <div class="text-muted fst-italic">${description}</div>
+                <div class="text-muted fst-italic">${_.escape(description)}</div>
             </li>
          `;
         });
@@ -682,15 +682,15 @@ export default class SearchInput {
         let helper = '';
         const autocomplete_values = this.tokenizer.getAutocomplete(tag_name);
         if (autocomplete_values.length > 0) {
-            helper += `<ul class="list-group term-suggestions-list" data-tag="${tag_name}">`;
+            helper += `<ul class="list-group term-suggestions-list" data-tag="${_.escape(tag_name)}">`;
         } else {
-            helper = `${tag_name.toLowerCase()}: ${tag.description}`;
+            helper = `${_.escape(tag_name.toLowerCase())}: ${_.escape(tag.description)}`;
         }
         $.each(autocomplete_values, (i, v) => {
             if ((this.options.filter_on_type && selected_text.length > 0) && !v.toLowerCase().startsWith(current_term.toLowerCase())) {
                 return; // continue
             }
-            helper += `<li class="list-group-item list-group-item-action" style="cursor: pointer">${v}</li>`;
+            helper += `<li class="list-group-item list-group-item-action" style="cursor: pointer">${_.escape(v)}</li>`;
         });
         if (autocomplete_values.length > 0) {
             helper += '</ul>';
diff --git a/js/src/vue/Kanban/TeamBadgeProvider.js b/js/src/vue/Kanban/TeamBadgeProvider.js
index ac0c164f7ea..849c9579d5b 100644
--- a/js/src/vue/Kanban/TeamBadgeProvider.js
+++ b/js/src/vue/Kanban/TeamBadgeProvider.js
@@ -32,6 +32,8 @@
  */
 
 /* global tinycolor */
+/* global _ */
+
 export class TeamBadgeProvider {
     constructor(display_initials, max_team_images = 3) {
         this.badges = {
@@ -138,7 +140,7 @@ export class TeamBadgeProvider {
             Object.keys(users_ids).forEach((user_id) => {
                 if (data[user_id] !== undefined) {
                     // Store new image in cache
-                    this.badges['User'][user_id] = `<span>${data[user_id]}</span>`;
+                    this.badges['User'][user_id] = `<span>${_.escape(data[user_id])}</span>`;
                     to_reload.push(user_id);
                 }
             });
@@ -217,8 +219,8 @@ export class TeamBadgeProvider {
         const context = canvas.getContext('2d');
         context.fillText(initials, this.team_image_size / 2, this.team_image_size / 2);
         const src = canvas.toDataURL("image/png");
-        const name = team_member['name'].replace(/"/g, '&quot;').replace(/'/g, '&#39;');
-        return `<span><img src='${src}' title='${name}' data-bs-toggle='tooltip' data-bs-placement='top' data-placeholder-users-id='${team_member["id"]}'/></span>`;
+        const name = team_member['name'];
+        return `<span><img src="${_.escape(src)}" title="${_.escape(name)}" data-bs-toggle="tooltip" data-bs-placement="top" data-placeholder-users-id="${_.escape(team_member["id"])}"/></span>`;
     }
 
     /**
@@ -229,11 +231,11 @@ export class TeamBadgeProvider {
      */
     generateOtherBadge(team_member, icon) {
         const bg_color = this.getBadgeColor(team_member);
-        const name = team_member['name'].replace(/"/g, '&quot;').replace(/'/g, '&#39;');
+        const name = team_member['name'];
 
         return `
-            <span class="badge badge-pill" style="background-color: ${bg_color}; font-size: ${(this.team_image_size / 2)}px; height: 26px; padding: 0.25em;">
-                <i class='${icon}' title="${name}" data-bs-toggle='tooltip' data-bs-placement='top'></i>
+            <span class="badge badge-pill" style="background-color: ${_.escape(bg_color)}; font-size: ${(this.team_image_size / 2)}px; height: 26px; padding: 0.25em;">
+                <i class="${_.escape(icon)}" title="${_.escape(name)}" data-bs-toggle="tooltip" data-bs-placement="top"></i>
             </span>
         `;
     }
@@ -250,6 +252,6 @@ export class TeamBadgeProvider {
         const context = canvas.getContext('2d');
         context.fillText(`+${overflow_count}`, this.team_image_size / 2, this.team_image_size / 2);
         const src = canvas.toDataURL("image/png");
-        return `<span class='position-relative'><img src='${src}' title='${__('%d other team members').replace('%d', overflow_count)}' data-bs-toggle='tooltip' data-bs-placement='top'></span>`;
+        return `<span class="position-relative"><img src="${_.escape(src)}" title="${__('%d other team members').replace('%d', overflow_count)}" data-bs-toggle="tooltip" data-bs-placement="top"></span>`;
     }
 }
diff --git a/js/stencil-editor.js b/js/stencil-editor.js
index 7a6e49a60e8..de5bca9067e 100644
--- a/js/stencil-editor.js
+++ b/js/stencil-editor.js
@@ -40,11 +40,13 @@
  *
  * @constructor
  * @param {HTMLElement} container - The container element for the editor.
- * @param {string} rand - A random string used for generating unique IDs.
+ * @param {integer} rand - A random string used for generating unique IDs.
  * @param {Object} zones_definition - The initial definition of zones.
  * @returns {StencilEditor} A new StencilEditor instance.
  */
 const StencilEditor = function (container, rand, zones_definition) {
+    rand = parseInt(rand);
+
     const zones = zones_definition;
 
     const croppers = [];
@@ -115,7 +117,7 @@ const StencilEditor = function (container, rand, zones_definition) {
                     const originalText = submitButton.text();
 
                     submitButton.data('delete', '1');
-                    submitButton.text(_x('button', 'Are you sure?'));
+                    submitButton.text(_.unescape(_x('button', 'Are you sure?')));
                     setInterval(() => {
                         submitButton.data('delete', '0');
                         submitButton.text(originalText);
@@ -180,7 +182,7 @@ const StencilEditor = function (container, rand, zones_definition) {
 
         $(container).find('.set-zone-data').removeClass('btn-warning'); // remove old active definition
         $(container).find(".defined-zone").remove();
-        $(container).find(`.set-zone-data[data-zone-index=${  current_zone  }]`).addClass('btn-warning');
+        $(container).find(`.set-zone-data[data-zone-index=${ CSS.escape(current_zone) }]`).addClass('btn-warning');
         $(container).find(`#general-submit-${rand}`).addClass('d-none');
         $(container).find(`#zone-data-${rand}`).removeClass('d-none');
         $(container).find(`#zone_label-${rand}`).val(zone['label'] ?? current_zone);
@@ -334,13 +336,13 @@ const StencilEditor = function (container, rand, zones_definition) {
 
         for (const [zone_number, zone] of Object.entries(zones)) {
             $(container).find(`.stencil-image[data-side=${zone['side']}]`).parent().append(`
-                <a href="#zone_number_-${rand}${zone_number}"
+                <a href="#zone_number_-${rand}${_.escape(zone_number)}"
                 class="defined-zone set-zone-data d-inline-flex align-items-center justify-content-center"
-                data-zone-index="${zone_number}"
+                data-zone-index="${_.escape(zone_number)}"
                 data-bs-toggle="tooltip"
                 data-bs-title="${_.escape(zone['label'])}"
                 data-bs-placement="auto"
-                style="left: ${zone['x_percent']}%; top: ${zone['y_percent']}%; width: ${zone['width_percent']}%; height: ${zone['height_percent']}%;">
+                style="left: ${_.escape(zone['x_percent'])}%; top: ${_.escape(zone['y_percent'])}%; width: ${_.escape(zone['width_percent'])}%; height: ${_.escape(zone['height_percent'])}%;">
                     <span class="zone-number" style="max-height: 90%;
                         max-width: 90%;
                         overflow: hidden;
@@ -420,7 +422,7 @@ const StencilEditor = function (container, rand, zones_definition) {
                 $(`form#stencil-editor-form-${rand} button[name="reset-zone-data"][data-bs-toggle="tooltip"]`).tooltip('hide');
 
                 // Reset zone data
-                var zoneData = $(`.set-zone-data[data-zone-index="${zoneId}"]`);
+                var zoneData = $(`.set-zone-data[data-zone-index="${CSS.escape(zoneId)}"]`);
                 zoneData.removeClass('btn-success').removeClass('btn-warning').addClass('btn-outline-secondary');
                 zoneData.find('span').text(zoneId);
                 zoneData.find('i').removeClass('ti-check').addClass('ti-file-unknown');
diff --git a/src/Glpi/Controller/GenericAjaxCrudController.php b/src/Glpi/Controller/GenericAjaxCrudController.php
index 48aaf3cc8ef..af10c91fcde 100644
--- a/src/Glpi/Controller/GenericAjaxCrudController.php
+++ b/src/Glpi/Controller/GenericAjaxCrudController.php
@@ -63,16 +63,16 @@ public function __invoke(Request $request): Response
         // Validate id as soon as possible so all sub-methods can assume
         // $input['id'] exist
         if (!isset($input['id'])) {
-            return $this->errorReponse(400, __("Invalid id"));
+            return $this->errorReponse(400, __s("Invalid id")); // response string will not be escaped when inserted to the DOM
         }
 
         // Validate and instanciate item from supplied itemtype
         $itemtype = $input['itemtype'] ?? "";
         if (!\is_string($itemtype) || !\is_a($itemtype, CommonDBTM::class, true)) {
-            return $this->errorReponse(400, __("Invalid itemtype"));
+            return $this->errorReponse(400, __s("Invalid itemtype")); // response string will not be escaped when inserted to the DOM
         }
         if (!$this->isClassAllowed($itemtype)) {
-            return $this->errorReponse(403, __("Forbidden itemtype"));
+            return $this->errorReponse(403, __s("Forbidden itemtype")); // response string will not be escaped when inserted to the DOM
         }
         $this->item = new $itemtype();
 
@@ -83,7 +83,7 @@ public function __invoke(Request $request): Response
 
             return $this->handleAction($input);
         } catch (HttpException $e) {
-            return $this->errorReponse($e->getStatusCode(), $e->getMessage());
+            return $this->errorReponse($e->getStatusCode(), \htmlescape($e->getMessage())); // response string will not be escaped when inserted to the DOM
         }
     }
 
@@ -99,7 +99,7 @@ protected function handleAction(array $input): Response
     {
         switch ($input['_action'] ?? "") {
             default:
-                return $this->errorReponse(400, __("Invalid action"));
+                return $this->errorReponse(400, __s("Invalid action")); // response string will not be escaped when inserted to the DOM
 
             case "update":
                 return $this->handleUpdateAction($input);
@@ -123,6 +123,9 @@ protected function handleAction(array $input): Response
      * @param string $message Error message
      *
      * @return Response
+     *
+     * @psalm-taint-specialize (to report each unsafe usage as a distinct error)
+     * @psalm-taint-sink html $message (string will be added to HTML source)
      */
     final protected function errorReponse(int $code, string $message): Response
     {
diff --git a/src/Html.php b/src/Html.php
index 4d81679ed9f..f8e3d9323da 100644
--- a/src/Html.php
+++ b/src/Html.php
@@ -5002,9 +5002,9 @@ public static function progress($max, $value, $params = [])
         $html = <<<HTML
          <div class="progress" style="height: 12px"
               id="progress{$rand}"
-              data-progressid="{$rand}"
+              data-progressid="progress{$rand}"
               data-append-percent="{$append_percent}"
-              onchange="updateProgress('{$rand}')"
+              onchange="updateProgress('progress{$rand}')"
               max="{$max}"
               value="{$value}"
               title="{$tooltip}" data-bs-toggle="tooltip">
diff --git a/src/Item_Rack.php b/src/Item_Rack.php
index 9584fb2c318..0691182fed2 100644
--- a/src/Item_Rack.php
+++ b/src/Item_Rack.php
@@ -418,7 +418,7 @@ public static function showItems(Rack $rack): bool
         self::showItemsGraph($rack, $items);
         echo "</div>"; // #viewgraph
 
-        $rack_add_tip = __s('Insert an item here');
+        $rack_add_tip = __('Insert an item here');
         $ajax_url     = $CFG_GLPI['root_doc'] . "/ajax/rack.php";
 
         $js = '
diff --git a/templates/components/search/displaypreference_config.html.twig b/templates/components/search/displaypreference_config.html.twig
index 7ca54741a12..ee954f69d8b 100644
--- a/templates/components/search/displaypreference_config.html.twig
+++ b/templates/components/search/displaypreference_config.html.twig
@@ -71,7 +71,8 @@
                             if ($(`li[data-opt-id="${opt.id}"]`).length > 0) {
                                 return null;
                             }
-                            return _.escape(opt.text);
+                            {# select2 will escape the text #}
+                            return opt.text;
                         }
                     {% endset %}
 
diff --git a/templates/pages/setup/dropdowns_list.html.twig b/templates/pages/setup/dropdowns_list.html.twig
index af262122554..cbcc2c9d3e1 100644
--- a/templates/pages/setup/dropdowns_list.html.twig
+++ b/templates/pages/setup/dropdowns_list.html.twig
@@ -112,8 +112,8 @@ $(function () {
 
       if (input_value.length > 0) {
          timerid = setTimeout(function() {
-            $('.dropdowns-list .list-group-item:not(:icontains('+input_value+'))').hide();
-            $('.dropdowns-list .list-group-item:icontains('+input_value+')')
+            $('.dropdowns-list .list-group-item:not(:icontains('+CSS.escape(input_value)+'))').hide();
+            $('.dropdowns-list .list-group-item:icontains('+CSS.escape(input_value)+')')
                .closest('.accordion-collapse').addClass('show')
                .siblings('.accordion-header')
                   .children('.accordion-button').removeClass('collapsed');
diff --git a/tests/functional/Glpi/Controller/GenericAjaxCrudControllerTest.php b/tests/functional/Glpi/Controller/GenericAjaxCrudControllerTest.php
index dcf12ae2212..ae5f07a1964 100644
--- a/tests/functional/Glpi/Controller/GenericAjaxCrudControllerTest.php
+++ b/tests/functional/Glpi/Controller/GenericAjaxCrudControllerTest.php
@@ -126,7 +126,7 @@ protected function testHandleRequestProvider(): iterable
                 'messages' => [
                     'info'    => [],
                     'warning' => [],
-                    'error'   => ["You don't have permission to perform this action."],
+                    'error'   => ["You don&#039;t have permission to perform this action."],
                 ],
             ],
         ];
@@ -181,7 +181,7 @@ protected function testHandleRequestProvider(): iterable
                 'messages' => [
                     'info'    => [],
                     'warning' => [],
-                    'error'   => ["You don't have permission to perform this action."],
+                    'error'   => ["You don&#039;t have permission to perform this action."],
                 ],
             ],
         ];
@@ -233,7 +233,7 @@ protected function testHandleRequestProvider(): iterable
                 'messages' => [
                     'info'    => [],
                     'warning' => [],
-                    'error'   => ["You don't have permission to perform this action."],
+                    'error'   => ["You don&#039;t have permission to perform this action."],
                 ],
             ],
         ];
@@ -285,7 +285,7 @@ protected function testHandleRequestProvider(): iterable
                 'messages' => [
                     'info'    => [],
                     'warning' => [],
-                    'error'   => ["You don't have permission to perform this action."],
+                    'error'   => ["You don&#039;t have permission to perform this action."],
                 ],
             ],
         ];
