diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 8e0ac580..b81bf34f 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1560,7 +1560,7 @@ function unset_tfa_key($_data) {
 }
 function get_tfa($username = null, $id = null) {
   global $pdo;
-  if (isset($_SESSION['mailcow_cc_username'])) {
+  if (empty($username) && isset($_SESSION['mailcow_cc_username'])) {
     $username = $_SESSION['mailcow_cc_username'];
   }
   elseif (empty($username)) {
diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js
index 80da6416..a2c7954d 100644
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -397,7 +397,10 @@ jQuery(function($){
         {
           title: lang.host,
           data: 'hostname',
-          defaultContent: ''
+          defaultContent: '',
+          render: function (data, type) {
+            return escapeHtml(data);
+          }
         },
         {
           title: lang.username,
diff --git a/data/web/js/site/debug.js b/data/web/js/site/debug.js
index 4f3f4aaf..3c51c194 100644
--- a/data/web/js/site/debug.js
+++ b/data/web/js/site/debug.js
@@ -325,7 +325,10 @@ jQuery(function($){
           title: 'URI',
           data: 'uri',
           defaultContent: '',
-          className: 'dtr-col-md dtr-break-all'
+          className: 'dtr-col-md dtr-break-all',
+          render: function (data, type) {
+            return escapeHtml(data);
+          }
         },
         {
           title: 'Method',