diff --git a/auth/oauth2/facebook_token.php b/auth/oauth2/facebook_token.php
index ef7446143aea2c92d8cf87bcd2bcbe322a60bc0e..8af7f194078f79e9c8901afb25c6386aaf8ded16 100755
--- a/auth/oauth2/facebook_token.php
+++ b/auth/oauth2/facebook_token.php
@@ -37,8 +37,9 @@ $fb = new Facebook\Facebook([
 ]);
 $helper = $fb->getRedirectLoginHelper();
-if (isset($_GET['state'])) {
- $helper->getPersistentDataHandler()->set('state', $_GET['state']);
+$state = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_STRING);
+if ($state !== null) {
+ $helper->getPersistentDataHandler()->set('state', $state);
 }
 try {
diff --git a/auth/oauth2/google_token.php b/auth/oauth2/google_token.php
index 16831cc69bb0a67df476cc4a2e6a4f29b86d5db8..9d4122cf55b4cfbf5072390ceb3e22ab77abed09 100644
--- a/auth/oauth2/google_token.php
+++ b/auth/oauth2/google_token.php
@@ -44,9 +44,10 @@ if (isset($_REQUEST['logout'])) {
 unset($_SESSION['access_token']);
 }
-if (isset($_GET['code'])) {
+$code = filter_input(INPUT_GET, 'code', FILTER_SANITIZE_STRING);
+if ($code !== null) {
 // An access token has been returned from the auth URL.
- $client->authenticate($_GET['code']);
+ $client->authenticate($code);
 $_SESSION['access_token'] = $client->getAccessToken();
 }
@@ -63,7 +64,7 @@ if ($client->getAccessToken()) {
 $res = $service->people->get('people/me', array('requestMask.includeField' => 'person.names,person.email_addresses'));
 } catch (Google_Service_Exception $e) {
 echo '
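Review bot: The new `filter_input()` call reads the `search` query parameter, but the value is stored under the key `state` and the line it replaces read `$_GET['state']`, so the OAuth state returned on the callback is never captured; the lookup should be `filter_input(INPUT_GET, 'state')`. `FILTER_SANITIZE_STRING` (deprecated since PHP 8.1) strips tag-like sequences and encodes quotes, which can silently alter an opaque token that is only compared, never rendered, and the same applies to the `code` hunk in google_token.php; the default filter returns the string unchanged. Because `filter_input()` returns `false` rather than a string when the parameter arrives as an array, guard with `if (is_string($state) && $state !== '') {` instead of `!== null`. Separately, copying the callback's own `state` into the persistent data handler means any later comparison of the callback state against the stored value succeeds trivially; if the SDK's login helper performs that CSRF check, the stored value should come from the login-URL step rather than from this request.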
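Review bot: The guard `if ($code !== null)` on the new line still lets a non-string through: `filter_input()` returns `false` when `code` is supplied as an array, and that `false` is then handed to `$client->authenticate()`; prefer `if (is_string($code) && $code !== '') {`. Nothing in this hunk checks an OAuth `state` value before the authorization code is exchanged for a token; if that verification lives elsewhere in the file this is fine, otherwise the callback accepts any code presented to it and binds the session to whichever account that code belongs to. The `authenticate()` call is also not wrapped in any error handling within the hunk, so a rejected or replayed code presumably surfaces as an uncaught exception from the client library; confirm against the library's contract and decide whether the session should be cleared in that case.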
' . json_encode($e->getErrors()) . '
';
- $thisPage = $PROTOCOL . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
+ $thisPage = $PROTOCOL . $_SERVER['HTTP_HOST'] . htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8");
 echo '';
 }
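Review bot: The new `$thisPage` line escapes `$_SERVER['PHP_SELF']` but concatenates `$_SERVER['HTTP_HOST']` — the request's Host header, equally caller-supplied — unescaped into the same value, so the escaping is incomplete for whatever context `$thisPage` is emitted into (the `echo` that follows appears to have lost its markup on this page). Keep the assignment raw and escape the assembled value once at the point of output, `htmlspecialchars($thisPage, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; `ENT_SUBSTITUTE` avoids an empty string on malformed UTF-8, and the `"PHP_SELF"`/`"utf-8"` double quotes should match the single quotes used elsewhere in the file. Better still, take the host from configuration rather than the Host header when building a URL the user is sent back to. `$PROTOCOL` and the enclosing `if ($client->getAccessToken())` / `try` block start outside the hunk.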