diff --git a/ext/forms/element.c b/ext/forms/element.c
index de10a3f86f4..11b0028218b 100644
--- a/ext/forms/element.c
+++ b/ext/forms/element.c
@@ -40,6 +40,7 @@
 #include "kernel/concat.h"
 #include "kernel/file.h"
 #include "kernel/hash.h"
+#include "kernel/string.h"
 
 /**
  * Phalcon\Forms\Element
@@ -581,6 +582,7 @@ PHP_METHOD(Phalcon_Forms_Element, getLabel){
 PHP_METHOD(Phalcon_Forms_Element, label){
 
 	zval *label, *attributes = NULL, *name = NULL, *html = NULL, *key = NULL, *value = NULL;
+	zval *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -603,8 +605,14 @@ PHP_METHOD(Phalcon_Forms_Element, label){
 		phalcon_read_property_this(&name, this_ptr, SL("_name"), PH_NOISY_CC);
 	}
 
+	PHALCON_INIT_VAR(escaped);
+	phalcon_htmlspecialchars(escaped, name, NULL, NULL TSRMLS_CC);
+
 	PHALCON_INIT_VAR(html);
-	PHALCON_CONCAT_SVS(html, "<label for=\"", name, "\"");
+	PHALCON_CONCAT_SVS(html, "<label for=\"", escaped, "\"");
+
+	zval_dtor(escaped);
+	ZVAL_NULL(escaped);
 
 	if (attributes && Z_TYPE_P(attributes) == IS_ARRAY) {	
 		phalcon_is_iterable(attributes, &ah0, &hp0, 0, 0);
@@ -614,7 +622,10 @@ PHP_METHOD(Phalcon_Forms_Element, label){
 			PHALCON_GET_HVALUE(value);
 		
 			if (Z_TYPE_P(key) != IS_LONG) {
-				PHALCON_SCONCAT_SVSVS(html, " ", key, "=\"", value, "\"");
+				phalcon_htmlspecialchars(escaped, value, NULL, NULL TSRMLS_CC);
+				PHALCON_SCONCAT_SVSVS(html, " ", key, "=\"", escaped, "\"");
+				zval_dtor(escaped);
+				ZVAL_NULL(escaped);
 			}
 		
 			zend_hash_move_forward_ex(ah0, &hp0);
diff --git a/ext/tag.c b/ext/tag.c
index 86a225b425c..f8003baa0fc 100644
--- a/ext/tag.c
+++ b/ext/tag.c
@@ -445,7 +445,7 @@ PHP_METHOD(Phalcon_Tag, resetInput){
 PHP_METHOD(Phalcon_Tag, linkTo){
 
 	zval *parameters, *text = NULL, *params = NULL, *action = NULL, *url, *internal_url;
-	zval *code, *value = NULL, *key = NULL;
+	zval *code, *value = NULL, *key = NULL, *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -463,14 +463,14 @@ PHP_METHOD(Phalcon_Tag, linkTo){
 	if (Z_TYPE_P(parameters) != IS_ARRAY) { 
 		PHALCON_INIT_VAR(params);
 		array_init_size(params, 2);
-		phalcon_array_append(&params, parameters, PH_SEPARATE);
-		phalcon_array_append(&params, text, PH_SEPARATE);
+		phalcon_array_append(&params, parameters, 0);
+		phalcon_array_append(&params, text, 0);
 	} else {
 		PHALCON_CPY_WRT(params, parameters);
 	}
 	
 	PHALCON_INIT_VAR(action);
-	ZVAL_STRING(action, "", 1);
+	ZVAL_EMPTY_STRING(action);
 	if (phalcon_array_isset_long(params, 0)) {
 		PHALCON_OBS_NVAR(action);
 		phalcon_array_fetch_long(&action, params, 0, PH_NOISY);
@@ -483,7 +483,7 @@ PHP_METHOD(Phalcon_Tag, linkTo){
 	}
 	
 	PHALCON_INIT_NVAR(text);
-	ZVAL_STRING(text, "", 1);
+	ZVAL_EMPTY_STRING(text);
 	if (phalcon_array_isset_long(params, 1)) {
 		PHALCON_OBS_NVAR(text);
 		phalcon_array_fetch_long(&text, params, 1, PH_NOISY);
@@ -501,8 +501,13 @@ PHP_METHOD(Phalcon_Tag, linkTo){
 	PHALCON_INIT_VAR(internal_url);
 	phalcon_call_method_p1(internal_url, url, "get", action);
 	
+	PHALCON_INIT_VAR(escaped);
+
 	PHALCON_INIT_VAR(code);
-	PHALCON_CONCAT_SVS(code, "<a href=\"", internal_url, "\"");
+	phalcon_htmlspecialchars(escaped, internal_url, NULL, NULL TSRMLS_CC);
+	PHALCON_CONCAT_SVS(code, "<a href=\"", escaped, "\"");
+	zval_dtor(escaped);
+	ZVAL_NULL(escaped);
 	
 	phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
@@ -512,7 +517,10 @@ PHP_METHOD(Phalcon_Tag, linkTo){
 		PHALCON_GET_HVALUE(value);
 	
 		if (Z_TYPE_P(key) != IS_LONG) {
-			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", value, "\"");
+			phalcon_htmlspecialchars(escaped, value, NULL, NULL TSRMLS_CC);
+			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", escaped, "\"");
+			zval_dtor(escaped);
+			ZVAL_NULL(escaped);
 		}
 	
 		zend_hash_move_forward_ex(ah0, &hp0);
@@ -604,12 +612,16 @@ PHP_METHOD(Phalcon_Tag, _inputField){
 			}
 		}
 	}
-	
-	PHALCON_INIT_VAR(code);
-	PHALCON_CONCAT_SVS(code, "<input type=\"", type, "\"");
-	
+
 	PHALCON_INIT_VAR(escaped);
+	phalcon_htmlspecialchars(escaped, type, NULL, NULL TSRMLS_CC);
 
+	PHALCON_INIT_VAR(code);
+	PHALCON_CONCAT_SVS(code, "<input type=\"", escaped, "\"");
+	
+	zval_dtor(escaped);
+	ZVAL_NULL(escaped);
+	
 	phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
 	while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
@@ -652,7 +664,7 @@ PHP_METHOD(Phalcon_Tag, _inputField){
 PHP_METHOD(Phalcon_Tag, _inputFieldChecked){
 
 	zval *type, *parameters, *params = NULL, *value = NULL, *id = NULL, *name;
-	zval *current_value, *code, *key = NULL, *doctype;
+	zval *current_value, *code, *key = NULL, *doctype, *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -725,9 +737,15 @@ PHP_METHOD(Phalcon_Tag, _inputFieldChecked){
 		phalcon_array_update_string(&params, SL("value"), &value, PH_COPY | PH_SEPARATE);
 	}
 	
+	PHALCON_INIT_VAR(escaped);
+	phalcon_htmlspecialchars(escaped, type, NULL, NULL TSRMLS_CC);
+
 	PHALCON_INIT_VAR(code);
-	PHALCON_CONCAT_SVS(code, "<input type=\"", type, "\"");
+	PHALCON_CONCAT_SVS(code, "<input type=\"", escaped, "\"");
 	
+	zval_dtor(escaped);
+	ZVAL_NULL(escaped);
+
 	phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
 	while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
@@ -736,7 +754,10 @@ PHP_METHOD(Phalcon_Tag, _inputFieldChecked){
 		PHALCON_GET_HVALUE(value);
 	
 		if (Z_TYPE_P(key) != IS_LONG) {
-			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", value, "\"");
+			phalcon_htmlspecialchars(escaped, value, NULL, NULL TSRMLS_CC);
+			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", escaped, "\"");
+			zval_dtor(escaped);
+			ZVAL_NULL(escaped);
 		}
 	
 		zend_hash_move_forward_ex(ah0, &hp0);
@@ -1123,7 +1144,7 @@ PHP_METHOD(Phalcon_Tag, select){
 PHP_METHOD(Phalcon_Tag, textArea){
 
 	zval *parameters, *params = NULL, *id = NULL, *name, *content = NULL, *code;
-	zval *avalue = NULL, *key = NULL;
+	zval *avalue = NULL, *key = NULL, *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -1177,13 +1198,18 @@ PHP_METHOD(Phalcon_Tag, textArea){
 	
 	phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
+	PHALCON_INIT_VAR(escaped);
+
 	while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
 	
 		PHALCON_GET_HKEY(key, ah0, hp0);
 		PHALCON_GET_HVALUE(avalue);
 	
 		if (Z_TYPE_P(key) != IS_LONG) {
-			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", avalue, "\"");
+			phalcon_htmlspecialchars(escaped, avalue, NULL, NULL TSRMLS_CC);
+			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", escaped, "\"");
+			zval_dtor(escaped);
+			ZVAL_NULL(escaped);
 		}
 	
 		zend_hash_move_forward_ex(ah0, &hp0);
@@ -1214,7 +1240,7 @@ PHP_METHOD(Phalcon_Tag, textArea){
 PHP_METHOD(Phalcon_Tag, form){
 
 	zval *parameters = NULL, *params = NULL, *params_action = NULL, *action = NULL;
-	zval *url, *code, *avalue = NULL, *key = NULL;
+	zval *url, *code, *avalue = NULL, *key = NULL, *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -1282,13 +1308,18 @@ PHP_METHOD(Phalcon_Tag, form){
 	
 	phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
+	PHALCON_INIT_VAR(escaped);
+
 	while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
 	
 		PHALCON_GET_HKEY(key, ah0, hp0);
 		PHALCON_GET_HVALUE(avalue);
 	
 		if (Z_TYPE_P(key) != IS_LONG) {
-			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", avalue, "\"");
+			phalcon_htmlspecialchars(escaped, avalue, NULL, NULL TSRMLS_CC);
+			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", escaped, "\"");
+			zval_dtor(escaped);
+			ZVAL_NULL(escaped);
 		}
 	
 		zend_hash_move_forward_ex(ah0, &hp0);
@@ -1392,7 +1423,7 @@ PHP_METHOD(Phalcon_Tag, prependTitle){
  */
 PHP_METHOD(Phalcon_Tag, getTitle){
 
-	zval *tags = NULL, *document_title, *eol;
+	zval *tags = NULL, *document_title;
 
 	PHALCON_MM_GROW();
 
@@ -1406,9 +1437,7 @@ PHP_METHOD(Phalcon_Tag, getTitle){
 	PHALCON_OBS_VAR(document_title);
 	phalcon_read_static_property(&document_title, SL("phalcon\\tag"), SL("_documentTitle") TSRMLS_CC);
 	if (PHALCON_IS_TRUE(tags)) {
-		PHALCON_INIT_VAR(eol);
-		ZVAL_STRING(eol, PHP_EOL, 1);
-		PHALCON_CONCAT_SVSV(return_value, "<title>", document_title, "</title>", eol);
+		PHALCON_CONCAT_SVS(return_value, "<title>", document_title, "</title>" PHP_EOL);
 		RETURN_MM();
 	}
 	
@@ -1437,7 +1466,7 @@ PHP_METHOD(Phalcon_Tag, stylesheetLink){
 
 	zval *parameters = NULL, *local = NULL, *params = NULL, *first_param;
 	zval *url, *url_href, *href, *code, *value = NULL, *key = NULL, *doctype;
-	zval *eol;
+	zval *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -1460,8 +1489,8 @@ PHP_METHOD(Phalcon_Tag, stylesheetLink){
 	if (Z_TYPE_P(parameters) != IS_ARRAY) { 
 		PHALCON_INIT_VAR(params);
 		array_init_size(params, 2);
-		phalcon_array_append(&params, parameters, PH_SEPARATE);
-		phalcon_array_append(&params, local, PH_SEPARATE);
+		phalcon_array_append(&params, parameters, 0);
+		phalcon_array_append(&params, local, 0);
 	} else {
 		PHALCON_CPY_WRT(params, parameters);
 	}
@@ -1510,6 +1539,8 @@ PHP_METHOD(Phalcon_Tag, stylesheetLink){
 	PHALCON_INIT_VAR(code);
 	ZVAL_STRING(code, "<link rel=\"stylesheet\"", 1);
 	
+	PHALCON_INIT_VAR(escaped);
+
 	phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
 	while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
@@ -1518,7 +1549,10 @@ PHP_METHOD(Phalcon_Tag, stylesheetLink){
 		PHALCON_GET_HVALUE(value);
 	
 		if (Z_TYPE_P(key) != IS_LONG) {
-			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", value, "\"");
+			phalcon_htmlspecialchars(escaped, value, NULL, NULL TSRMLS_CC);
+			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", escaped, "\"");
+			zval_dtor(escaped);
+			ZVAL_NULL(escaped);
 		}
 	
 		zend_hash_move_forward_ex(ah0, &hp0);
@@ -1527,16 +1561,13 @@ PHP_METHOD(Phalcon_Tag, stylesheetLink){
 	PHALCON_OBS_VAR(doctype);
 	phalcon_read_static_property(&doctype, SL("phalcon\\tag"), SL("_documentType") TSRMLS_CC);
 	
-	PHALCON_INIT_VAR(eol);
-	ZVAL_STRING(eol, PHP_EOL, 1);
-	
 	/** 
 	 * Check if Doctype is XHTML
 	 */
 	if (PHALCON_GT_LONG(doctype, 5)) {
-		PHALCON_SCONCAT_SV(code, " />", eol);
+		phalcon_concat_self_str(&code, SL(" />" PHP_EOL) TSRMLS_CC);
 	} else {
-		PHALCON_SCONCAT_SV(code, ">", eol);
+		phalcon_concat_self_str(&code, SL(">" PHP_EOL) TSRMLS_CC);
 	}
 	
 	RETURN_CTOR(code);
@@ -1563,7 +1594,7 @@ PHP_METHOD(Phalcon_Tag, stylesheetLink){
 PHP_METHOD(Phalcon_Tag, javascriptInclude){
 
 	zval *parameters = NULL, *local = NULL, *params = NULL, *first_param;
-	zval *url, *params_src, *src, *eol, *code, *value = NULL, *key = NULL;
+	zval *url, *params_src, *src, *code, *value = NULL, *key = NULL, *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -1586,8 +1617,8 @@ PHP_METHOD(Phalcon_Tag, javascriptInclude){
 	if (Z_TYPE_P(parameters) != IS_ARRAY) { 
 		PHALCON_INIT_VAR(params);
 		array_init_size(params, 2);
-		phalcon_array_append(&params, parameters, PH_SEPARATE);
-		phalcon_array_append(&params, local, PH_SEPARATE);
+		phalcon_array_append(&params, parameters, 0);
+		phalcon_array_append(&params, local, 0);
 	} else {
 		PHALCON_CPY_WRT(params, parameters);
 	}
@@ -1633,29 +1664,30 @@ PHP_METHOD(Phalcon_Tag, javascriptInclude){
 		phalcon_array_update_string(&params, SL("src"), &src, PH_COPY | PH_SEPARATE);
 	}
 	
-	PHALCON_INIT_VAR(eol);
-	ZVAL_STRING(eol, PHP_EOL, 1);
-	
 	PHALCON_INIT_VAR(code);
 	ZVAL_STRING(code, "<script", 1);
 	
 	phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
+	PHALCON_INIT_VAR(escaped);
+
 	while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
 	
 		PHALCON_GET_HKEY(key, ah0, hp0);
 		PHALCON_GET_HVALUE(value);
 	
 		if (Z_TYPE_P(key) != IS_LONG) {
-			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", value, "\"");
+			phalcon_htmlspecialchars(escaped, value, NULL, NULL TSRMLS_CC);
+			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", escaped, "\"");
+			zval_dtor(escaped);
+			ZVAL_NULL(escaped);
 		}
 	
 		zend_hash_move_forward_ex(ah0, &hp0);
 	}
 	
-	PHALCON_SCONCAT_SV(code, "></script>", eol);
-	
-	RETURN_CTOR(code);
+	PHALCON_CONCAT_VS(return_value, code, "></script>" PHP_EOL);
+	PHALCON_MM_RESTORE();
 }
 
 /**
@@ -1680,7 +1712,7 @@ PHP_METHOD(Phalcon_Tag, javascriptInclude){
 PHP_METHOD(Phalcon_Tag, image){
 
 	zval *parameters = NULL, *local = NULL, *params = NULL, *first_param, *second_param;
-	zval *url, *url_src, *src, *code, *value = NULL, *key = NULL, *doctype;
+	zval *url, *url_src, *src, *code, *value = NULL, *key = NULL, *doctype, *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -1713,7 +1745,7 @@ PHP_METHOD(Phalcon_Tag, image){
 	if (Z_TYPE_P(parameters) != IS_ARRAY) { 
 		PHALCON_INIT_VAR(params);
 		array_init_size(params, 1);
-		phalcon_array_append(&params, parameters, PH_SEPARATE);
+		phalcon_array_append(&params, parameters, 0);
 	} else {
 		PHALCON_CPY_WRT(params, parameters);
 	}
@@ -1747,13 +1779,18 @@ PHP_METHOD(Phalcon_Tag, image){
 	
 	phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
+	PHALCON_INIT_VAR(escaped);
+
 	while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
 	
 		PHALCON_GET_HKEY(key, ah0, hp0);
 		PHALCON_GET_HVALUE(value);
 	
 		if (Z_TYPE_P(key) != IS_LONG) {
-			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", value, "\"");
+			phalcon_htmlspecialchars(escaped, value, NULL, NULL TSRMLS_CC);
+			PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", escaped, "\"");
+			zval_dtor(escaped);
+			ZVAL_NULL(escaped);
 		}
 	
 		zend_hash_move_forward_ex(ah0, &hp0);
@@ -1842,60 +1879,42 @@ PHP_METHOD(Phalcon_Tag, setDocType){
  */
 PHP_METHOD(Phalcon_Tag, getDocType){
 
-	zval *doctype = NULL, *declaration, *eol, *doctype_html;
+	zval *doctype;
 
 	PHALCON_MM_GROW();
 
-	PHALCON_OBS_NVAR(doctype);
+	PHALCON_OBS_VAR(doctype);
 	phalcon_read_static_property(&doctype, SL("phalcon\\tag"), SL("_documentType") TSRMLS_CC);
 
-	PHALCON_INIT_VAR(eol);
-	ZVAL_STRING(eol, PHP_EOL, 1);
-
-	PHALCON_INIT_VAR(declaration);
 	if (phalcon_compare_strict_long(doctype, 1 TSRMLS_CC)) {
-		ZVAL_STRING(declaration, " PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\"", 1);
-		goto ph_end_0;
+		RETVAL_STRING("<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">" PHP_EOL, 1);
 	}
-	if (phalcon_compare_strict_long(doctype, 2 TSRMLS_CC)) {
-		PHALCON_CONCAT_SVS(declaration, " PUBLIC \"-//W3C//DTD HTML 4.01//EN\"", eol, "\t\"http://www.w3.org/TR/html4/strict.dtd\"");
-		goto ph_end_0;
+	else if (phalcon_compare_strict_long(doctype, 2 TSRMLS_CC)) {
+		RETVAL_STRING("<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\"" PHP_EOL "\t\"http://www.w3.org/TR/html4/strict.dtd\">" PHP_EOL, 1);
 	}
-	if (phalcon_compare_strict_long(doctype, 3 TSRMLS_CC)) {
-		PHALCON_CONCAT_SVS(declaration, " PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\"", eol, "\t\"http://www.w3.org/TR/html4/loose.dtd\"");
-		goto ph_end_0;
+	else if (phalcon_compare_strict_long(doctype, 3 TSRMLS_CC)) {
+		RETVAL_STRING("<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\"" PHP_EOL "\t\"http://www.w3.org/TR/html4/loose.dtd\">" PHP_EOL, 1);
 	}
-	if (phalcon_compare_strict_long(doctype, 4 TSRMLS_CC)) {
-		PHALCON_CONCAT_SVS(declaration, " PUBLIC \"-//W3C//DTD HTML 4.01 Frameset//EN\"", eol, "\t\"http://www.w3.org/TR/html4/frameset.dtd\"");
-		goto ph_end_0;
+	else if (phalcon_compare_strict_long(doctype, 4 TSRMLS_CC)) {
+		RETVAL_STRING("<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Frameset//EN\"" PHP_EOL"\t\"http://www.w3.org/TR/html4/frameset.dtd\">" PHP_EOL, 1);
 	}
-	if (phalcon_compare_strict_long(doctype, 6 TSRMLS_CC)) {
-		PHALCON_CONCAT_SVS(declaration, " PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"", eol, "\t\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"");
-		goto ph_end_0;
+	else if (phalcon_compare_strict_long(doctype, 6 TSRMLS_CC)) {
+		RETVAL_STRING("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"" PHP_EOL "\t\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">" PHP_EOL, 1);
 	}
-	if (phalcon_compare_strict_long(doctype, 7 TSRMLS_CC)) {
-		PHALCON_CONCAT_SVS(declaration, " PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"", eol, "\t\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"");
-		goto ph_end_0;
+	else if (phalcon_compare_strict_long(doctype, 7 TSRMLS_CC)) {
+		RETVAL_STRING("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"" PHP_EOL "\t\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">" PHP_EOL, 1);
 	}
-	if (phalcon_compare_strict_long(doctype, 8 TSRMLS_CC)) {
-		PHALCON_CONCAT_SVS(declaration, " PUBLIC \"-//W3C//DTD XHTML 1.0 Frameset//EN\"", eol, "\t\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd\"");
-		goto ph_end_0;
+	else if (phalcon_compare_strict_long(doctype, 8 TSRMLS_CC)) {
+		RETVAL_STRING("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Frameset//EN\"" PHP_EOL "\t\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd\">" PHP_EOL, 1);
 	}
-	if (phalcon_compare_strict_long(doctype, 9 TSRMLS_CC)) {
-		PHALCON_CONCAT_SVS(declaration, " PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"", eol, "\t\"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\"");
-		goto ph_end_0;
+	else if (phalcon_compare_strict_long(doctype, 9 TSRMLS_CC)) {
+		RETVAL_STRING("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"" PHP_EOL"\t\"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">" PHP_EOL, 1);
 	}
-	if (phalcon_compare_strict_long(doctype, 10 TSRMLS_CC)) {
-		PHALCON_CONCAT_SVS(declaration, " PUBLIC \"-//W3C//DTD XHTML 2.0//EN\"", eol, "\t\"http://www.w3.org/MarkUp/DTD/xhtml2.dtd\"");
-		goto ph_end_0;
+	else if (phalcon_compare_strict_long(doctype, 10 TSRMLS_CC)) {
+		RETVAL_STRING("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 2.0//EN\"" PHP_EOL "\t\"http://www.w3.org/MarkUp/DTD/xhtml2.dtd\">" PHP_EOL, 1);
 	}
 
-	ph_end_0:
-
-	PHALCON_INIT_VAR(doctype_html);
-	PHALCON_CONCAT_SVSV(doctype_html, "<!DOCTYPE html", declaration, ">", eol);
-
-	RETURN_CTOR(doctype_html);
+	PHALCON_MM_RESTORE();
 }
 
 /**
@@ -1916,7 +1935,7 @@ PHP_METHOD(Phalcon_Tag, tagHtml){
 
 	zval *tag_name, *parameters = NULL, *self_close = NULL, *only_start = NULL;
 	zval *use_eol = NULL, *params = NULL, *local_code, *value = NULL, *key = NULL;
-	zval *doctype, *eol;
+	zval *doctype, *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -1947,7 +1966,7 @@ PHP_METHOD(Phalcon_Tag, tagHtml){
 	if (Z_TYPE_P(parameters) != IS_ARRAY) { 
 		PHALCON_INIT_VAR(params);
 		array_init_size(params, 1);
-		phalcon_array_append(&params, parameters, PH_SEPARATE);
+		phalcon_array_append(&params, parameters, 0);
 	} else {
 		PHALCON_CPY_WRT(params, parameters);
 	}
@@ -1957,13 +1976,18 @@ PHP_METHOD(Phalcon_Tag, tagHtml){
 	
 	phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
+	PHALCON_INIT_VAR(escaped);
+
 	while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
 	
 		PHALCON_GET_HKEY(key, ah0, hp0);
 		PHALCON_GET_HVALUE(value);
 	
 		if (Z_TYPE_P(key) != IS_LONG) {
-			PHALCON_SCONCAT_SVSVS(local_code, " ", key, "=\"", value, "\"");
+			phalcon_htmlspecialchars(escaped, value, NULL, NULL TSRMLS_CC);
+			PHALCON_SCONCAT_SVSVS(local_code, " ", key, "=\"", escaped, "\"");
+			zval_dtor(escaped);
+			ZVAL_NULL(escaped);
 		}
 	
 		zend_hash_move_forward_ex(ah0, &hp0);
@@ -1990,9 +2014,7 @@ PHP_METHOD(Phalcon_Tag, tagHtml){
 	}
 	
 	if (zend_is_true(use_eol)) {
-		PHALCON_INIT_VAR(eol);
-		ZVAL_STRING(eol, PHP_EOL, 1);
-		phalcon_concat_self(&local_code, eol TSRMLS_CC);
+		phalcon_concat_self_str(&local_code, SL(PHP_EOL) TSRMLS_CC);
 	}
 	
 	RETURN_CTOR(local_code);
@@ -2011,7 +2033,7 @@ PHP_METHOD(Phalcon_Tag, tagHtml){
  */
 PHP_METHOD(Phalcon_Tag, tagHtmlClose){
 
-	zval *tag_name, *use_eol = NULL, *local_code, *eol;
+	zval *tag_name, *use_eol = NULL, *local_code;
 
 	PHALCON_MM_GROW();
 
@@ -2019,17 +2041,14 @@ PHP_METHOD(Phalcon_Tag, tagHtmlClose){
 	
 	if (!use_eol) {
 		PHALCON_INIT_VAR(use_eol);
-		ZVAL_BOOL(use_eol, 0);
+		ZVAL_FALSE(use_eol);
 	}
 	
 	PHALCON_INIT_VAR(local_code);
 	PHALCON_CONCAT_SVS(local_code, "</", tag_name, ">");
 	if (zend_is_true(use_eol)) {
-		PHALCON_INIT_VAR(eol);
-		ZVAL_STRING(eol, PHP_EOL, 1);
-		phalcon_concat_self(&local_code, eol TSRMLS_CC);
+		phalcon_concat_self_str(&local_code, SL(PHP_EOL) TSRMLS_CC);
 	}
 	
 	RETURN_CTOR(local_code);
 }
-
diff --git a/ext/tag/select.c b/ext/tag/select.c
index bfe36dedc6c..099acfed52f 100644
--- a/ext/tag/select.c
+++ b/ext/tag/select.c
@@ -69,7 +69,7 @@ PHP_METHOD(Phalcon_Tag_Select, selectField){
 	zval *parameters, *data = NULL, *params = NULL, *eol, *id = NULL, *name, *value = NULL;
 	zval *use_empty = NULL, *empty_value = NULL, *empty_text = NULL, *code;
 	zval *avalue = NULL, *key = NULL, *close_option, *options = NULL, *using;
-	zval *resultset_options, *array_options;
+	zval *resultset_options, *array_options, *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -160,6 +160,8 @@ PHP_METHOD(Phalcon_Tag_Select, selectField){
 	
 		phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
 	
+		PHALCON_INIT_VAR(escaped);
+
 		while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
 	
 			PHALCON_GET_HKEY(key, ah0, hp0);
@@ -167,7 +169,10 @@ PHP_METHOD(Phalcon_Tag_Select, selectField){
 	
 			if (Z_TYPE_P(key) != IS_LONG) {
 				if (Z_TYPE_P(avalue) != IS_ARRAY) { 
-					PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", avalue, "\"");
+					phalcon_htmlspecialchars(escaped, avalue, NULL, NULL TSRMLS_CC);
+					PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", escaped, "\"");
+					zval_dtor(escaped);
+					ZVAL_NULL(escaped);
 				}
 			}
 	
@@ -252,18 +257,20 @@ PHP_METHOD(Phalcon_Tag_Select, _optionsFromResultset){
 	zval *resultset, *using, *value, *close_option;
 	zval *code, *params = NULL, *option = NULL, *using_zero = NULL, *using_one = NULL;
 	zval *option_value = NULL, *option_text = NULL, *code_option = NULL;
-	zval *r0 = NULL;
+	zval *r0 = NULL, *escaped;
 
 	PHALCON_MM_GROW();
 
 	phalcon_fetch_params(1, 4, 0, &resultset, &using, &value, &close_option);
 	
 	PHALCON_INIT_VAR(code);
-	ZVAL_STRING(code, "", 1);
+	ZVAL_EMPTY_STRING(code);
 	
 	PHALCON_INIT_VAR(params);
 	phalcon_call_method_noret(resultset, "rewind");
 	
+	PHALCON_INIT_VAR(escaped);
+
 	while (1) {
 	
 		PHALCON_INIT_NVAR(r0);
@@ -333,17 +340,18 @@ PHP_METHOD(Phalcon_Tag_Select, _optionsFromResultset){
 			/** 
 			 * If the value is equal to the option's value we mark it as selected
 			 */
+			phalcon_htmlspecialchars(escaped, option_value, NULL, NULL TSRMLS_CC);
 			if (Z_TYPE_P(value) == IS_ARRAY) { 
 				if (phalcon_fast_in_array(option_value, value TSRMLS_CC)) {
-					PHALCON_SCONCAT_SVSVV(code, "\t<option selected=\"selected\" value=\"", option_value, "\">", option_text, close_option);
+					PHALCON_SCONCAT_SVSVV(code, "\t<option selected=\"selected\" value=\"", escaped, "\">", option_text, close_option);
 				} else {
-					PHALCON_SCONCAT_SVSVV(code, "\t<option value=\"", option_value, "\">", option_text, close_option);
+					PHALCON_SCONCAT_SVSVV(code, "\t<option value=\"", escaped, "\">", option_text, close_option);
 				}
 			} else {
 				if (PHALCON_IS_EQUAL(option_value, value)) {
-					PHALCON_SCONCAT_SVSVV(code, "\t<option selected=\"selected\" value=\"", option_value, "\">", option_text, close_option);
+					PHALCON_SCONCAT_SVSVV(code, "\t<option selected=\"selected\" value=\"", escaped, "\">", option_text, close_option);
 				} else {
-					PHALCON_SCONCAT_SVSVV(code, "\t<option value=\"", option_value, "\">", option_text, close_option);
+					PHALCON_SCONCAT_SVSVV(code, "\t<option value=\"", escaped, "\">", option_text, close_option);
 				}
 			}
 		} else {
@@ -380,7 +388,7 @@ PHP_METHOD(Phalcon_Tag_Select, _optionsFromResultset){
 PHP_METHOD(Phalcon_Tag_Select, _optionsFromArray){
 
 	zval *data, *value, *close_option, *code, *option_text = NULL;
-	zval *option_value = NULL;
+	zval *option_value = NULL, *escaped;
 	HashTable *ah0;
 	HashPosition hp0;
 	zval **hd;
@@ -390,28 +398,35 @@ PHP_METHOD(Phalcon_Tag_Select, _optionsFromArray){
 	phalcon_fetch_params(1, 3, 0, &data, &value, &close_option);
 	
 	PHALCON_INIT_VAR(code);
-	ZVAL_STRING(code, "", 1);
+	ZVAL_EMPTY_STRING(code);
 	
 	phalcon_is_iterable(data, &ah0, &hp0, 0, 0);
 	
+	PHALCON_INIT_VAR(escaped);
+
 	while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
 	
 		PHALCON_GET_HKEY(option_value, ah0, hp0);
 		PHALCON_GET_HVALUE(option_text);
+
+		phalcon_htmlspecialchars(escaped, option_value, NULL, NULL TSRMLS_CC);
 	
 		if (Z_TYPE_P(value) == IS_ARRAY) { 
 			if (phalcon_fast_in_array(option_value, value TSRMLS_CC)) {
-				PHALCON_SCONCAT_SVSVV(code, "\t<option selected=\"selected\" value=\"", option_value, "\">", option_text, close_option);
+				PHALCON_SCONCAT_SVSVV(code, "\t<option selected=\"selected\" value=\"", escaped, "\">", option_text, close_option);
 			} else {
-				PHALCON_SCONCAT_SVSVV(code, "\t<option value=\"", option_value, "\">", option_text, close_option);
+				PHALCON_SCONCAT_SVSVV(code, "\t<option value=\"", escaped, "\">", option_text, close_option);
 			}
 		} else {
 			if (PHALCON_IS_EQUAL(option_value, value)) {
-				PHALCON_SCONCAT_SVSVV(code, "\t<option selected=\"selected\" value=\"", option_value, "\">", option_text, close_option);
+				PHALCON_SCONCAT_SVSVV(code, "\t<option selected=\"selected\" value=\"", escaped, "\">", option_text, close_option);
 			} else {
-				PHALCON_SCONCAT_SVSVV(code, "\t<option value=\"", option_value, "\">", option_text, close_option);
+				PHALCON_SCONCAT_SVSVV(code, "\t<option value=\"", escaped, "\">", option_text, close_option);
 			}
 		}
+
+		zval_dtor(escaped);
+		ZVAL_NULL(escaped);
 	
 		zend_hash_move_forward_ex(ah0, &hp0);
 	}
diff --git a/ext/tests/issue-1216.phpt b/ext/tests/issue-1216.phpt
new file mode 100644
index 00000000000..c62048bc7c1
--- /dev/null
+++ b/ext/tests/issue-1216.phpt
@@ -0,0 +1,39 @@
+--TEST--
+XSS - https://github.com/phalcon/cphalcon/issues/1216
+--SKIPIF--
+<?php if (!extension_loaded("phalcon")) print "skip"; ?>
+--FILE--
+<?php
+$di = new \Phalcon\DI\FactoryDefault();
+$e  = new \Phalcon\Forms\Element\Text('TEXT');
+echo $e->label(array('id' => 'test<', 'class' => 'test>')), PHP_EOL;
+echo \Phalcon\Tag::linkTo(array('url"', '<>', 'class' => 'class"')), PHP_EOL;
+echo \Phalcon\Tag::textField(array('name"')), PHP_EOL;
+echo \Phalcon\Tag::checkField(array('name"')), PHP_EOL;
+echo \Phalcon\Tag::form(array('<', 'method' => '>')), PHP_EOL;
+echo \Phalcon\Tag::textArea(array('<', 'cols' => '<')), PHP_EOL;
+echo \Phalcon\Tag::stylesheetLink(array('href' => '<', 'local' => false, 'type' => '>')), PHP_EOL;
+echo \Phalcon\Tag::javascriptInclude(array('src' => '<', 'local' => false, 'type' => '>')), PHP_EOL;
+echo \Phalcon\Tag::image(array('src' => '<', 'alt' => '>'), false), PHP_EOL;
+echo \Phalcon\Tag::tagHtml('br', array('class' => '<'), true, false, false), PHP_EOL;
+echo \Phalcon\Tag\Select::selectField(array('name' => '<', 'value' => '>', 'id' => ''), array('"' => '"', '>' => 'test')), PHP_EOL;
+echo "DONE", PHP_EOL;
+?>
+--EXPECT--
+<label for="test&lt;" id="test&lt;" class="test&gt;">test<</label>
+<a href="/tests/url&quot;" class="class&quot;"><></a>
+<input type="text" name="name&quot;" id="name&quot;" value="" />
+<input type="checkbox" name="name&quot;" id="name&quot;" value="" />
+<form method="&gt;" action="/tests/&lt;">
+<textarea cols="&lt;" name="&lt;" id="&lt;"></textarea>
+<link rel="stylesheet" href="&lt;" type="&gt;" />
+
+<script src="&lt;" type="&gt;"></script>
+
+<img src="&lt;" alt="&gt;" />
+<br class="&lt;" />
+<select name="&lt;" id="">
+	<option value="&quot;">"</option>
+	<option selected="selected" value="&gt;">test</option>
+</select>
+DONE
diff --git a/unit-tests/TagTest.php b/unit-tests/TagTest.php
index e29e6a7bee7..0ab07d710e3 100644
--- a/unit-tests/TagTest.php
+++ b/unit-tests/TagTest.php
@@ -18,6 +18,8 @@
   +------------------------------------------------------------------------+
 */
 
+use Phalcon\Tag;
+
 class DIDescendant extends Phalcon\DI {}
 
 class TagTest extends PHPUnit_Framework_TestCase
@@ -74,7 +76,6 @@ public function testIssue744()
 
 	public function testIssue947()
         {
-		use Phalcon\Tag;
 		$di = new Phalcon\DI\FactoryDefault();
 		Tag::setDI($di);
 
@@ -100,5 +101,50 @@ public function testIssue947()
 		));
 		$pos = strpos($html, 'checked="checked"');
 		$this->assertTrue($pos !== FALSE);
-        }
+	}
+
+	public function testIssue1216()
+	{
+		$di = new \Phalcon\DI\FactoryDefault();
+
+		$actual   = \Phalcon\Tag::linkTo(array('url"', '<>', 'class' => 'class"'));
+		$expected = '<a href="/url&quot;" class="class&quot;"><></a>';
+		$this->assertEquals($expected, $actual);
+
+		$actual   = \Phalcon\Tag::textField(array('name"'));
+		$expected = '<input type="text" name="name&quot;" id="name&quot;" value="" />';
+		$this->assertEquals($expected, $actual);
+
+		$actual   = \Phalcon\Tag::checkField(array('name"'));
+		$expected = '<input type="checkbox" name="name&quot;" id="name&quot;" value="" />';
+		$this->assertEquals($expected, $actual);
+
+		$actual   = \Phalcon\Tag::form(array('<', 'method' => '>'));
+		$expected = '<form method="&gt;" action="/&lt;">';
+		$this->assertEquals($expected, $actual);
+
+		$actual   = \Phalcon\Tag::textArea(array('<', 'cols' => '<'));
+		$expected = '<textarea cols="&lt;" name="&lt;" id="&lt;"></textarea>';
+		$this->assertEquals($expected, $actual);
+
+		$actual   = \Phalcon\Tag::stylesheetLink(array('href' => '<', 'local' => false, 'type' => '>'));
+		$expected = '<link rel="stylesheet" href="&lt;" type="&gt;" />' . PHP_EOL;
+		$this->assertEquals($expected, $actual);
+
+		$actual   = \Phalcon\Tag::javascriptInclude(array('src' => '<', 'local' => false, 'type' => '>'));
+		$expected = '<script src="&lt;" type="&gt;"></script>' . PHP_EOL;
+		$this->assertEquals($expected, $actual);
+
+		$actual   = \Phalcon\Tag::image(array('src' => '<', 'alt' => '>'), false);
+		$expected = '<img src="&lt;" alt="&gt;" />';
+		$this->assertEquals($expected, $actual);
+
+		$actual   = \Phalcon\Tag::tagHtml('br', array('class' => '<'), true, false, false);
+		$expected = '<br class="&lt;" />';
+		$this->assertEquals($expected, $actual);
+
+		$actual   = \Phalcon\Tag\Select::selectField(array('name' => '<', 'value' => '>', 'id' => ''), array('"' => '"', '>' => 'test'));
+		$expected = '<select name="&lt;" id="">' . PHP_EOL . "\t" . '<option value="&quot;">"</option>' . PHP_EOL . "\t" . '<option selected="selected" value="&gt;">test</option>' . PHP_EOL . '</select>';
+		$this->assertEquals($expected, $actual);
+	}
 }
diff --git a/unit-tests/phpunit.xml b/unit-tests/phpunit.xml
index 5478be55975..abd2477a2ff 100644
--- a/unit-tests/phpunit.xml
+++ b/unit-tests/phpunit.xml
@@ -90,6 +90,7 @@
 			<file>unit-tests/FormsTest.php</file>
 			<file>unit-tests/AssetsTest.php</file>
 			<file>unit-tests/CryptTest.php</file>
+			<file>unit-tests/TagTest.php</file>
 
 			<!-- Complex components/Integral tests -->
 			<file>unit-tests/ModelsResultsetCacheTest.php</file>