diff --git a/server/routes/dxpeditions.js b/server/routes/dxpeditions.js index d99beb57..e9df4430 100644 --- a/server/routes/dxpeditions.js +++ b/server/routes/dxpeditions.js @@ -36,14 +36,17 @@ module.exports = function (app, ctx) { let prev; do { prev = text; - text = text.replace(/]*>[\s\S]*?<\/script>/gi, ''); + text = text.replace(/]*>[\s\S]*?<\/script(?:\s[^>]*)?>/gi, ''); } while (text !== prev); do { prev = text; - text = text.replace(/]*>[\s\S]*?<\/style>/gi, ''); + text = text.replace(/]*>[\s\S]*?<\/style(?:\s[^>]*)?>/gi, ''); } while (text !== prev); // Strip any remaining opening script/style tags (malformed HTML) - text = text.replace(/]*>/gi, '').replace(/]*>/gi, ''); + do { + prev = text; + text = text.replace(/]*>/gi, '').replace(/]*>/gi, ''); + } while (text !== prev); text = text .replace(//gi, '\n') // Convert br to newlines .replace(/<[^>]+>/g, ' ') // Remove all HTML tags diff --git a/server/routes/pskreporter.js b/server/routes/pskreporter.js index d8c1ca29..b87043fd 100644 --- a/server/routes/pskreporter.js +++ b/server/routes/pskreporter.js @@ -492,7 +492,7 @@ module.exports = function (app, ctx) { // "Connection closed" errors are expected during reconnects — // the on('connect') handler will re-subscribe all active callsigns if (err.message && err.message.includes('onnection closed')) return; - console.error(`[PSK-MQTT] Subscribe error for ${call}:`, err.message); + console.error('[PSK-MQTT] Subscribe error for %s:', call, err.message); } }); } @@ -504,7 +504,7 @@ module.exports = function (app, ctx) { pskMqtt.client.unsubscribe([txTopic, rxTopic], (err) => { if (err) { if (err.message && err.message.includes('onnection closed')) return; - console.error(`[PSK-MQTT] Unsubscribe error for ${call}:`, err.message); + console.error('[PSK-MQTT] Unsubscribe error for %s:', call, err.message); } }); } 
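Review bot: The widened closing-tag patterns `<\/script(?:\s[^>]*)?>` and `<\/style(?:\s[^>]*)?>` still miss an end tag whose name is followed by `/` instead of whitespace, which HTML parsers also accept as a closing tag. Such a block would presumably fall through to the later generic tag strip with its body text left in `text`. Ending the patterns with `<\/script\b[^>]*>` and `<\/style\b[^>]*>` covers both forms. Where `text` ends up is not visible here; if any of it can reach an HTML response, it should be escaped at output instead of relying on these regexes. The enclosing function starts and ends outside the hunk.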
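Review bot: Passing `call` through `%s` stops it being read as a format string, but the value is still written verbatim, so CR/LF or other control characters in it can forge extra log lines. The same applies to `call` in the unsubscribe hunk at -504 and to `grid` in the hunks at -525 and -539. Where these values originate is not visible in the hunks; if they come from client requests, log them JSON-encoded, e.g. `console.error('[PSK-MQTT] Subscribe error for %j:', call, err.message);`, or strip control characters before logging. The callbacks sit inside functions that begin outside the hunks.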
@@ -525,9 +525,9 @@ module.exports = function (app, ctx) { pskMqtt.client.subscribe([txTopic, rxTopic], { qos: 0 }, (err) => { if (err) { if (err.message && err.message.includes('onnection closed')) return; - console.error(`[PSK-MQTT] Grid subscribe error for ${grid}:`, err.message); + console.error('[PSK-MQTT] Grid subscribe error for %s:', grid, err.message); } else { - console.log(`[PSK-MQTT] Subscribed grid ${grid}`); + console.log('[PSK-MQTT] Subscribed grid %s', grid); } }); } @@ -539,7 +539,7 @@ module.exports = function (app, ctx) { pskMqtt.client.unsubscribe([txTopic, rxTopic], (err) => { if (err) { if (err.message && err.message.includes('onnection closed')) return; - console.error(`[PSK-MQTT] Grid unsubscribe error for ${grid}:`, err.message); + console.error('[PSK-MQTT] Grid unsubscribe error for %s:', grid, err.message); } }); } diff --git a/server/routes/wsjtx.js b/server/routes/wsjtx.js index 36f9d4a0..647edad6 100644 --- a/server/routes/wsjtx.js +++ b/server/routes/wsjtx.js @@ -481,6 +481,11 @@ module.exports = function (app, ctx) { // Reject dangerous msg.id values to prevent prototype pollution on state.clients if (msg.id && !isValidSessionId(msg.id)) return; + // Ensure clients is a prototype-less object to prevent prototype pollution + if (!state.clients || Object.getPrototypeOf(state.clients) !== null) { + state.clients = Object.assign(Object.create(null), state.clients || {}); + } + switch (msg.type) { case WSJTX_MSG.HEARTBEAT: { state.clients[msg.id] = {
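Review bot: The new guard repairs `state.clients` on every incoming message by assigning a fresh object, so any code that captured a reference to the earlier `state.clients` (none is visible in this hunk) would keep using the stale, prototype-bearing one. Creating the map once where `state` is initialised, `clients: Object.create(null)`, or switching to a `Map`, gives the same protection without a per-message check. If the guard stays, a comment such as `// state.clients may be replaced here; do not cache it across messages` would document the hazard. The switch body continues past the end of the hunk.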