diff --git a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
index a496a0acbc..f12d5bb741 100644
--- a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
+++ b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
@@ -55,6 +55,7 @@
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresource.ITemplateResource;
 import org.thymeleaf.templateresource.StringTemplateResource;
+import org.springframework.web.util.HtmlUtils;
 
 /**
 * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
@@ -161,7 +162,7 @@ private String determineLanguage() {
 } else {
 String langHeader = request.getHeader(Headers.ACCEPT_LANGUAGE_STRING);
 if (null != langHeader) {
-log.debug("browser locale {}", langHeader);
+log.debug("browser locale {}", HtmlUtils.htmlEscape(String.valueOf(langHeader).replace("\n", "").replace("\r", "")));
 return langHeader.substring(0, 2);
 } else {
 log.debug("browser default english");
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
index ffcb739a5b..d89580eb80 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
@@ -38,6 +38,7 @@
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.util.HtmlUtils;
 
 @RestController
 @AssignmentHints({
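Review bot: The new `log.debug` argument in determineLanguage HTML-escapes a value that is written to a plain-text log, so the recorded Accept-Language no longer matches what the client sent (a `"` is stored as `&quot;`, an `&` as `&amp;`), which works against the forensic value of the entry; the part that actually prevents an attacker-controlled header from forging extra log lines is the `\r`/`\n` stripping. The identical expression is pasted into the SigningAssignment `log.warn` and the LandingPage `log.trace` hunks, so a single helper is preferable, e.g. `log.debug("browser locale {}", forLog(langHeader));` with the helper defined once as `String.valueOf(value).replaceAll("[\\r\\n]", "")`, and any HTML escaping done in the component that renders the log in a browser rather than at each call site. `String.valueOf(langHeader)` is redundant here because `langHeader` is a `String` already checked for null, whereas in LandingPage it is needed since `getRequestURL()` returns a `StringBuffer`. The body of determineLanguage starts and ends outside the hunk.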
@@ -78,7 +79,7 @@ public AttackResult completed(
 }
 if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray())
 .equals(tempModulus.toUpperCase())) {
-log.warn("modulus {} incorrect", modulus);
+log.warn("modulus {} incorrect", HtmlUtils.htmlEscape(String.valueOf(modulus).replace("\n", "").replace("\r", "")));
 return failed(this).feedback("crypto-signing.modulusnotok").build();
 }
 /* orginal modulus must be used otherwise the signature would be invalid */
diff --git a/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java b/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
index 7bdcc1006b..1b2aa04460 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
@@ -29,6 +29,7 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.util.HtmlUtils;
 
 @Controller
 @Slf4j
@@ -45,7 +46,7 @@ public class LandingPage {
 })
 public Callable> ok(HttpServletRequest request) {
 return () -> {
-log.trace("Incoming request for: {}", request.getRequestURL());
+log.trace("Incoming request for: {}", HtmlUtils.htmlEscape(String.valueOf(request.getRequestURL()).replace("\n", "").replace("\r", "")));
 return ResponseEntity.ok().build();
 };
 }