From 4f9f86e310a433d56622527be002ba2a474c5240 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 18:56:26 +0000
Subject: [PATCH 1/7] We are now escaping many template fields

---
 src/Module/Contact.php                        | 10 +--
 src/Object/Post.php                           |  6 +-
 view/templates/admin/addon_details.tpl        |  2 +-
 view/templates/admin/contactblock.tpl         |  4 +-
 view/templates/admin/users.tpl                | 16 ++--
 view/templates/hovercard.tpl                  | 14 ++--
 view/templates/profile_vcard.tpl              |  6 +-
 view/templates/vcard-widget.tpl               | 10 +--
 view/templates/wall_thread.tpl                |  8 +-
 view/templates/widget_forumlist.tpl           |  8 +-
 .../duepuntozero/templates/profile_vcard.tpl  |  4 +-
 view/theme/frio/templates/admin/addons.tpl    |  2 +-
 .../frio/templates/admin/contactblock.tpl     |  8 +-
 view/theme/frio/templates/admin/queue.tpl     | 12 +--
 view/theme/frio/templates/admin/summary.tpl   |  6 +-
 view/theme/frio/templates/admin/users.tpl     | 24 +++---
 view/theme/frio/templates/comment_item.tpl    | 14 ++--
 view/theme/frio/templates/common_tabs.tpl     |  6 +-
 view/theme/frio/templates/contact_edit.tpl    | 76 ++++++++---------
 .../theme/frio/templates/contact_template.tpl | 40 ++++-----
 view/theme/frio/templates/credits.tpl         |  4 +-
 view/theme/frio/templates/crepair.tpl         |  2 +-
 view/theme/frio/templates/event.tpl           | 10 +--
 .../frio/templates/event_stream_item.tpl      |  8 +-
 view/theme/frio/templates/events_js.tpl       |  8 +-
 view/theme/frio/templates/filebrowser.tpl     | 10 +--
 view/theme/frio/templates/intros.tpl          |  4 +-
 view/theme/frio/templates/jot.tpl             |  2 +-
 view/theme/frio/templates/like_noshare.tpl    |  2 +-
 view/theme/frio/templates/mail_conv.tpl       |  4 +-
 view/theme/frio/templates/mail_list.tpl       |  2 +-
 view/theme/frio/templates/nav.tpl             | 84 +++++++++----------
 view/theme/frio/templates/photo_item.tpl      |  2 +-
 view/theme/frio/templates/photo_top.tpl       |  2 +-
 view/theme/frio/templates/photo_view.tpl      |  4 +-
 view/theme/frio/templates/profile_entry.tpl   |  2 +-
 view/theme/frio/templates/profile_vcard.tpl   | 46 +++++-----
 view/theme/frio/templates/search_item.tpl     | 64 +++++++-------
 view/theme/frio/templates/vcard-widget.tpl    | 10 +--
 view/theme/frio/templates/wall_thread.tpl     | 76 ++++++++---------
 .../quattro/templates/contact_template.tpl    |  8 +-
 view/theme/quattro/templates/events.tpl       |  6 +-
 view/theme/quattro/templates/mail_conv.tpl    | 18 ++--
 .../theme/quattro/templates/profile_vcard.tpl |  8 +-
 view/theme/quattro/templates/search_item.tpl  | 34 ++++----
 .../theme/quattro/templates/wall_item_tag.tpl |  8 +-
 view/theme/quattro/templates/wall_thread.tpl  | 10 +--
 .../quattro/templates/widget_forumlist.tpl    |  4 +-
 view/theme/vier/templates/ch_connectors.tpl   |  2 +-
 .../vier/templates/ch_directory_item.tpl      |  2 +-
 view/theme/vier/templates/comment_item.tpl    | 16 ++--
 .../theme/vier/templates/contact_template.tpl |  6 +-
 view/theme/vier/templates/nav.tpl             | 48 +++++------
 view/theme/vier/templates/photo_item.tpl      | 30 +++----
 view/theme/vier/templates/photo_view.tpl      |  4 +-
 view/theme/vier/templates/profile_vcard.tpl   |  6 +-
 view/theme/vier/templates/search_item.tpl     | 36 ++++----
 view/theme/vier/templates/wall_item_tag.tpl   |  8 +-
 view/theme/vier/templates/wall_thread.tpl     | 60 ++++++-------
 .../vier/templates/widget_forumlist_right.tpl | 12 +--
 60 files changed, 472 insertions(+), 476 deletions(-)

diff --git a/src/Module/Contact.php b/src/Module/Contact.php
index ec7e896925..66e8c97fdf 100644
--- a/src/Module/Contact.php
+++ b/src/Module/Contact.php
@@ -85,7 +85,7 @@ class Contact extends BaseModule
 
 			/// @TODO Add nice spaces
 			$vcard_widget = Renderer::replaceMacros(Renderer::getMarkupTemplate('vcard-widget.tpl'), [
-				'$name'         => htmlentities($contact['name']),
+				'$name'         => $contact['name'],
 				'$photo'        => $contact['photo'],
 				'$url'          => Model\Contact::MagicLink($contact['url']),
 				'$addr'         => defaults($contact, 'addr', ''),
@@ -639,7 +639,7 @@ class Contact extends BaseModule
 				'$ffi_keyword_blacklist' => $contact['ffi_keyword_blacklist'],
 				'$ffi_keyword_blacklist' => ['ffi_keyword_blacklist', L10n::t('Blacklisted keywords'), $contact['ffi_keyword_blacklist'], L10n::t('Comma separated list of keywords that should not be converted to hashtags, when "Fetch information and keywords" is selected')],
 				'$photo'          => $contact['photo'],
-				'$name'           => htmlentities($contact['name']),
+				'$name'           => $contact['name'],
 				'$dir_icon'       => $dir_icon,
 				'$sparkle'        => $sparkle,
 				'$url'            => $url,
@@ -1033,14 +1033,14 @@ class Contact extends BaseModule
 			'alt_text'  => $alt_text,
 			'dir_icon'  => $dir_icon,
 			'thumb'     => ProxyUtils::proxifyUrl($rr['thumb'], false, ProxyUtils::SIZE_THUMB),
-			'name'      => htmlentities($rr['name']),
-			'username'  => htmlentities($rr['name']),
+			'name'      => $rr['name'],
+			'username'  => $rr['name'],
 			'account_type' => Model\Contact::getAccountType($rr),
 			'sparkle'   => $sparkle,
 			'itemurl'   => defaults($rr, 'addr', $rr['url']),
 			'url'       => $url,
 			'network'   => ContactSelector::networkToName($rr['network'], $rr['url']),
-			'nick'      => htmlentities($rr['nick']),
+			'nick'      => $rr['nick'],
 		];
 	}
 
diff --git a/src/Object/Post.php b/src/Object/Post.php
index e7a9e6b020..50d903f025 100644
--- a/src/Object/Post.php
+++ b/src/Object/Post.php
@@ -213,7 +213,7 @@ class Post extends BaseObject
 
 		$filer = (($conv->getProfileOwner() == local_user() && ($item['uid'] != 0)) ? L10n::t("save to folder") : false);
 
-		$profile_name = htmlentities($item['author-name']);
+		$profile_name = $item['author-name'];
 		if (!empty($item['author-link']) && empty($item['author-name'])) {
 			$profile_name = $item['author-link'];
 		}
@@ -377,7 +377,7 @@ class Post extends BaseObject
 			'isevent'         => $isevent,
 			'attend'          => $attend,
 			'linktitle'       => L10n::t('View %s\'s profile @ %s', $profile_name, $item['author-link']),
-			'olinktitle'      => L10n::t('View %s\'s profile @ %s', htmlentities($this->getOwnerName()), $item['owner-link']),
+			'olinktitle'      => L10n::t('View %s\'s profile @ %s', $this->getOwnerName(), $item['owner-link']),
 			'to'              => L10n::t('to'),
 			'via'             => L10n::t('via'),
 			'wall'            => L10n::t('Wall-to-Wall'),
@@ -399,7 +399,7 @@ class Post extends BaseObject
 			'shiny'           => $shiny,
 			'owner_url'       => $this->getOwnerUrl(),
 			'owner_photo'     => $a->removeBaseURL(ProxyUtils::proxifyUrl($item['owner-avatar'], false, ProxyUtils::SIZE_THUMB)),
-			'owner_name'      => htmlentities($owner_name_e),
+			'owner_name'      => $owner_name_e,
 			'plink'           => Item::getPlink($item),
 			'edpost'          => $edpost,
 			'isstarred'       => $isstarred,
diff --git a/view/templates/admin/addon_details.tpl b/view/templates/admin/addon_details.tpl
index fb908b7058..96b26d2d09 100644
--- a/view/templates/admin/addon_details.tpl
+++ b/view/templates/admin/addon_details.tpl
@@ -18,7 +18,7 @@
 	</p>
 
 	{{if $screenshot}}
-	<a href="{{$screenshot.0}}" class='screenshot'><img src="{{$screenshot.0}}" alt="{{$screenshot.1}}" /></a>
+	<a href="{{$screenshot.0}}" class='screenshot'><img src="{{$screenshot.0}}" alt="{{$screenshot.1|escape}}" /></a>
 	{{/if}}
 
 	{{if $admin_form}}
diff --git a/view/templates/admin/contactblock.tpl b/view/templates/admin/contactblock.tpl
index 152550f017..c9bfc2efd0 100644
--- a/view/templates/admin/contactblock.tpl
+++ b/view/templates/admin/contactblock.tpl
@@ -32,10 +32,10 @@
 				{{foreach $contacts as $contact}}
 				<tr>
 					<td class="checkbox"><input type="checkbox" class="contacts_ckbx" id="id_contact_{{$contact.id}}" name="contacts[]" value="{{$contact.id}}"/></td>
-					<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname}}" title="{{$contact.nickname}}"></td>
+					<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname|escape}}" title="{{$contact.nickname|escape}}"></td>
 					<td class="name">{{$contact.name}}</td>
 					<td class="addr">{{$contact.addr}}</td>
-					<td class="addr"><a href="{{$contact.url}}" title="{{$contact.nickname}}" >{{$contact.url}}</a></td>
+					<td class="addr"><a href="{{$contact.url}}" title="{{$contact.nickname|escape}}" >{{$contact.url}}</a></td>
 				</tr>
 				{{/foreach}}
 			</tbody>
diff --git a/view/templates/admin/users.tpl b/view/templates/admin/users.tpl
index b2b0d615a4..f06b0f9734 100644
--- a/view/templates/admin/users.tpl
+++ b/view/templates/admin/users.tpl
@@ -35,8 +35,8 @@
 					<td class="email">{{$u.email}}</td>
 					<td class="checkbox"><input type="checkbox" class="pending_ckbx" id="id_pending_{{$u.hash}}" name="pending[]" value="{{$u.hash}}" /></td>
 					<td class="tools">
-						<a href="{{$baseurl}}/regmod/allow/{{$u.hash}}" title='{{$approve}}'><span class='icon like'></span></a>
-						<a href="{{$baseurl}}/regmod/deny/{{$u.hash}}" title='{{$deny}}'><span class='icon dislike'></span></a>
+						<a href="{{$baseurl}}/regmod/allow/{{$u.hash}}" title='{{$approve|escape}}'><span class='icon like'></span></a>
+						<a href="{{$baseurl}}/regmod/deny/{{$u.hash}}" title='{{$deny|escape}}'><span class='icon dislike'></span></a>
 					</td>
 				</tr>
 				<tr>
@@ -79,8 +79,8 @@
 				<tbody>
 				{{foreach $users as $u}}
 					<tr>
-						<td><img class='icon' src="{{$u.micro}}" alt="{{$u.nickname}}" title="{{$u.nickname}}"></td>
-						<td class='name'><a href="{{$u.url}}" title="{{$u.nickname}}" >{{$u.name}}</a></td>
+						<td><img class='icon' src="{{$u.micro}}" alt="{{$u.nickname|escape}}" title="{{$u.nickname|escape}}"></td>
+						<td class='name'><a href="{{$u.url}}" title="{{$u.nickname|escape}}" >{{$u.name}}</a></td>
 						<td class='email'>{{$u.email}}</td>
 						<td class='register_date'>{{$u.register_date}}</td>
 						<td class='login_date'>{{$u.login_date}}</td>
@@ -94,8 +94,8 @@
 						{{/if}}
 						<td class="tools">
 						{{if $u.is_deletable}}
-							<a href="{{$baseurl}}/admin/users/block/{{$u.uid}}?t={{$form_security_token}}" title='{{if $u.blocked}}{{$unblock}}{{else}}{{$block}}{{/if}}'><span class='icon block {{if $u.blocked==0}}dim{{/if}}'></span></a>
-							<a href="{{$baseurl}}/admin/users/delete/{{$u.uid}}?t={{$form_security_token}}" title='{{$delete}}' onclick="return confirm_delete('{{$u.name}}')"><span class='icon drop'></span></a>
+							<a href="{{$baseurl}}/admin/users/block/{{$u.uid}}?t={{$form_security_token}}" title='{{if $u.blocked}}{{$unblock|escape}}{{else}}{{$block|escape}}{{/if}}'><span class='icon block {{if $u.blocked==0}}dim{{/if}}'></span></a>
+							<a href="{{$baseurl}}/admin/users/delete/{{$u.uid}}?t={{$form_security_token}}" title='{{$delete|escape}}' onclick="return confirm_delete('{{$u.name}}')"><span class='icon drop'></span></a>
 						{{else}}
 							&nbsp;
 						{{/if}}
@@ -122,8 +122,8 @@
 				<tbody>
 				{{foreach $deleted as $u}}
 					<tr>
-						<td><img class='icon' src="{{$u.micro}}" alt="{{$u.nickname}}" title="{{$u.nickname}}"></td>
-						<td class='name'><a href="{{$u.url}}" title="{{$u.nickname}}" >{{$u.name}}</a></td>
+						<td><img class='icon' src="{{$u.micro}}" alt="{{$u.nickname|escape}}" title="{{$u.nickname|escape}}"></td>
+						<td class='name'><a href="{{$u.url}}" title="{{$u.nickname|escape}}" >{{$u.name}}</a></td>
 						<td class='email'>{{$u.email}}</td>
 						<td class='register_date'>{{$u.register_date}}</td>
 						<td class='login_date'>{{$u.login_date}}</td>
diff --git a/view/templates/hovercard.tpl b/view/templates/hovercard.tpl
index 7bf37e74b3..74f2700052 100644
--- a/view/templates/hovercard.tpl
+++ b/view/templates/hovercard.tpl
@@ -3,12 +3,12 @@
 		<div class="hover-card-header left-align">
 			<div class="hover-card-pic left-align">
 				<span class="image-wrapper medium">
-					<a href="{{$profile.url}}" title="{{$profile.name}}"><img href="" class="left-align thumbnail" src="{{$profile.thumb}}" alt="{{$profile.name}}"></a>
+					<a href="{{$profile.url}}" title="{{$profile.name|escape}}"><img href="" class="left-align thumbnail" src="{{$profile.thumb}}" alt="{{$profile.name|escape}}"></a>
 				</span>
 			</div>
 			<div class="hover-card-content">
 				<div class="profile-entry-name">
-					<h4 class="left-align1"><a href="{{$profile.url}}">{{$profile.name}}</a></h4>{{if $profile.account_type}}<span>{{$profile.account_type}}</span>{{/if}}
+					<h4 class="left-align1"><a href="{{$profile.url}}">{{$profile.name|escape}}</a></h4>{{if $profile.account_type}}<span>{{$profile.account_type}}</span>{{/if}}
 				</div>
 				<div class="profile-details">
 					<span class="profile-addr">{{$profile.addr}}</span>
@@ -21,13 +21,13 @@
 				{{* here are the differnt actions like privat message, poke, delete and so on *}}
 				{{* @todo we have two different photo menus one for contacts and one for items at the network stream. We currently use the contact photo menu, so the items options are missing We need to move them *}}
 				<div class="hover-card-actions-social">
-					{{if $profile.actions.pm}}<a class="btn btn-labeled btn-primary btn-sm" onclick="addToModal('{{$profile.actions.pm.1}}')" aria-label="{{$profile.actions.pm.0}}" title="{{$profile.actions.pm.0}}"><i class="fa fa-envelope" aria-hidden="true"></i></a>{{/if}}
-					{{if $profile.actions.poke}}<a class="btn btn-labeled btn-primary btn-sm" onclick="addToModal('{{$profile.actions.poke.1}}')" aria-label="{{$profile.actions.poke.0}}" title="{{$profile.actions.poke.0}}"><i class="fa fa-heartbeat" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.pm}}<a class="btn btn-labeled btn-primary btn-sm" onclick="addToModal('{{$profile.actions.pm.1}}')" aria-label="{{$profile.actions.pm.0}}" title="{{$profile.actions.pm.0|escape}}"><i class="fa fa-envelope" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.poke}}<a class="btn btn-labeled btn-primary btn-sm" onclick="addToModal('{{$profile.actions.poke.1}}')" aria-label="{{$profile.actions.poke.0}}" title="{{$profile.actions.poke.0|escape}}"><i class="fa fa-heartbeat" aria-hidden="true"></i></a>{{/if}}
 				</div>
 				<div class="hover-card-actions-connection">
-					{{if $profile.actions.network}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.network.1}}" aria-label="{{$profile.actions.network.0}}" title="{{$profile.actions.network.0}}"><i class="fa fa-cloud" aria-hidden="true"></i></a>{{/if}}
-					{{if $profile.actions.edit}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.edit.1}}" aria-label="{{$profile.actions.edit.0}}" title="{{$profile.actions.edit.0}}"><i class="fa fa-user" aria-hidden="true"></i></a>{{/if}}
-					{{if $profile.actions.follow}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.follow.1}}" aria-label="{{$profile.actions.follow.0}}" title="{{$profile.actions.follow.0}}"><i class="fa fa-user-plus" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.network}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.network.1}}" aria-label="{{$profile.actions.network.0}}" title="{{$profile.actions.network.0|escape}}"><i class="fa fa-cloud" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.edit}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.edit.1}}" aria-label="{{$profile.actions.edit.0}}" title="{{$profile.actions.edit.0|escape}}"><i class="fa fa-user" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.follow}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.follow.1}}" aria-label="{{$profile.actions.follow.0}}" title="{{$profile.actions.follow.0|escape}}"><i class="fa fa-user-plus" aria-hidden="true"></i></a>{{/if}}
 				</div>
 			</div>
 		</div>
diff --git a/view/templates/profile_vcard.tpl b/view/templates/profile_vcard.tpl
index b56dd607ce..6f8e86b299 100644
--- a/view/templates/profile_vcard.tpl
+++ b/view/templates/profile_vcard.tpl
@@ -1,16 +1,16 @@
 
 <div class="vcard h-card">
 
-	<div class="fn label p-name">{{$profile.name}}</div>
+	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
 	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 
 	{{if $profile.picdate}}
-		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}"></a></div>
+		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></a></div>
 	{{else}}
-		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}" alt="{{$profile.name}}"></a></div>
+		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}" alt="{{$profile.name|escape}}"></a></div>
 	{{/if}}
 	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
 	{{if $profile.network_name}}<dl class="network"><dt class="network-label">{{$network}}</dt><dd class="x-network">{{$profile.network_name}}</dd></dl>{{/if}}
diff --git a/view/templates/vcard-widget.tpl b/view/templates/vcard-widget.tpl
index 47b64b68da..eed94193f5 100644
--- a/view/templates/vcard-widget.tpl
+++ b/view/templates/vcard-widget.tpl
@@ -1,14 +1,14 @@
 
 <div class="vcard h-card">
-	<div class="fn p-name">{{$name}}</div>
-	{{if $addr}}<div class="p-addr">{{$addr}}</div>{{/if}}
+	<div class="fn p-name">{{$name|escape}}</div>
+	{{if $addr}}<div class="p-addr">{{$addr|escape}}</div>{{/if}}
 	{{if $pdesc}}<div class="title p-job-title">{{$pdesc}}</div>{{/if}}
 	{{if $url}}
-	<div id="profile-photo-wrapper"><a href="{{$url}}"><img class="vcard-photo photo u-photo" style="width: 175px; height: 175px;" src="{{$photo}}" alt="{{$name}}" /></a></div>
+	<div id="profile-photo-wrapper"><a href="{{$url}}"><img class="vcard-photo photo u-photo" style="width: 175px; height: 175px;" src="{{$photo}}" alt="{{$name|escape}}" /></a></div>
 	{{else}}
-	<div id="profile-photo-wrapper"><img class="vcard-photo photo u-photo" style="width: 175px; height: 175px;" src="{{$photo}}" alt="{{$name}}" /></div>
+	<div id="profile-photo-wrapper"><img class="vcard-photo photo u-photo" style="width: 175px; height: 175px;" src="{{$photo}}" alt="{{$name|escape}}" /></div>
 	{{/if}}
-	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
+	{{if $account_type}}<div class="account-type">{{$account_type|escape}}</div>{{/if}}
 	{{if $network_name}}<dl class="network"><dt class="network-label">{{$network}}</dt><dd class="x-network">{{$network_name}}</dd></dl>{{/if}}
 	<div id="profile-vcard-break"></div>
 </div>
diff --git a/view/templates/wall_thread.tpl b/view/templates/wall_thread.tpl
index a82efa7d1c..63a8364f88 100644
--- a/view/templates/wall_thread.tpl
+++ b/view/templates/wall_thread.tpl
@@ -19,15 +19,15 @@
 			{{if $item.owner_url}}
 			<div class="wall-item-photo-wrapper wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
 				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name}}" /></a>
+				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escape}}" /></a>
 			</div>
-			<div class="wall-item-arrowphoto-wrapper" ><img src="images/larrow.gif" alt="{{$item.wall}}" /></div>
+			<div class="wall-item-arrowphoto-wrapper" ><img src="images/larrow.gif" alt="{{$item.wall|escape}}" /></div>
 			{{/if}}
 			<div class="wall-item-photo-wrapper{{if $item.owner_url}} wwfrom{{/if}} p-author h-card" id="wall-item-photo-wrapper-{{$item.id}}"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
                 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} u-photo p-name" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} u-photo p-name" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escape}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
                 <div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
                     <ul>
@@ -38,7 +38,7 @@
 			</div>
 			<div class="wall-item-photo-end"></div>
 			<div class="wall-item-wrapper" id="wall-item-wrapper-{{$item.id}}" >
-				{{if $item.lock}}<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="{{$item.lock}}" onclick="lockview(event,{{$item.id}});" /></div>
+				{{if $item.lock}}<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="{{$item.lock|escape}}" onclick="lockview(event,{{$item.id}});" /></div>
 				{{else}}<div class="wall-item-lock"></div>{{/if}}
 				<div class="wall-item-location" id="wall-item-location-{{$item.id}}">{{$item.location}}</div>
 			</div>
diff --git a/view/templates/widget_forumlist.tpl b/view/templates/widget_forumlist.tpl
index 32da71f816..da30967cd6 100644
--- a/view/templates/widget_forumlist.tpl
+++ b/view/templates/widget_forumlist.tpl
@@ -21,8 +21,8 @@ function showHideForumlist() {
 		{{if $forum.id <= $visible_forums}}
 		<li class="forum-widget-entry forum-{{$forum.cid}}" id="forum-widget-entry-{{$forum.id}}" role="menuitem">
 			<span class="notify badge pull-right"></span>
-			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
-				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
+			<a href="{{$forum.external_url}}" title="{{$forum.link_desc|escape}}" class="label sparkle" target="_blank">
+				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc|escape}}" />
 			</a>
 			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
 		</li>
@@ -31,8 +31,8 @@ function showHideForumlist() {
 		{{if $forum.id > $visible_forums}}
 		<li class="forum-widget-entry forum-{{$forum.cid}}" id="forum-widget-entry-extended-{{$forum.id}}" role="menuitem" style="display: none;">
 			<span class="notify badge pull-right"></span>
-			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
-				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
+			<a href="{{$forum.external_url}}" title="{{$forum.link_desc|escape}}" class="label sparkle" target="_blank">
+				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc|escape}}" />
 			</a>
 			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
 		</li>
diff --git a/view/theme/duepuntozero/templates/profile_vcard.tpl b/view/theme/duepuntozero/templates/profile_vcard.tpl
index 186b7e4490..505cf560e3 100644
--- a/view/theme/duepuntozero/templates/profile_vcard.tpl
+++ b/view/theme/duepuntozero/templates/profile_vcard.tpl
@@ -1,12 +1,12 @@
 
 <div class="vcard h-card">
 
-	<div class="fn label p-name">{{$profile.name}}</div>
+	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
 	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
-	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}"></div>
+	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></div>
 
 	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
 
diff --git a/view/theme/frio/templates/admin/addons.tpl b/view/theme/frio/templates/admin/addons.tpl
index 220abdc2c4..38efb62bd4 100644
--- a/view/theme/frio/templates/admin/addons.tpl
+++ b/view/theme/frio/templates/admin/addons.tpl
@@ -12,7 +12,7 @@
 			<li class="addon {{$p.1}}">
 				<span class="offset-anchor" id="{{$p.0}}"></span>
 				<a class='toggleaddon' href='{{$baseurl}}/admin/{{$function}}/{{$p.0}}?a=t&amp;t={{$form_security_token}}#{{$p.0}}' title="{{if $p.1==on}}Disable{{else}}Enable{{/if}}" ><span class='icon {{$p.1}}'></span></a>
-				<a href='{{$baseurl}}/admin/{{$function}}/{{$p.0}}'><span class='name'>{{$p.2.name}}</span></a> - <span class="version">{{$p.2.version}}</span>
+				<a href='{{$baseurl}}/admin/{{$function}}/{{$p.0}}'><span class='name'>{{$p.2.name|escape}}</span></a> - <span class="version">{{$p.2.version}}</span>
 				{{if $p.2.experimental}} {{$experimental}} {{/if}}{{if $p.2.unsupported}} {{$unsupported}} {{/if}}
 				<div class='desc'>{{$p.2.description}}</div>
 			</li>
diff --git a/view/theme/frio/templates/admin/contactblock.tpl b/view/theme/frio/templates/admin/contactblock.tpl
index 3173c238b6..3ac9a25173 100644
--- a/view/theme/frio/templates/admin/contactblock.tpl
+++ b/view/theme/frio/templates/admin/contactblock.tpl
@@ -67,9 +67,9 @@
 											<label for="id_contact_{{$contact.id}}"></label>
 										</div>
 									</td>
-									<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname}}" title="{{$contact.addr}}"></td>
-									<td class="name">{{$contact.name}}</td>
-									<td class="addr" colspan="3"><a href="{{$contact.url}}" title="{{$contact.addr}}" >{{$contact.url}}</a></td>
+									<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname|escape}}" title="{{$contact.addr|escape}}"></td>
+									<td class="name">{{$contact.name|escape}}</td>
+									<td class="addr" colspan="3"><a href="{{$contact.url}}" title="{{$contact.addr|escape}}" >{{$contact.url|escape}}</a></td>
 								</tr>
 							{{/foreach}}
 						</tbody>
@@ -78,7 +78,7 @@
 								<td>
 									{{* Checkbox to select all blocked contacts *}}
 									<div class="checkbox">
-										<input type="checkbox" id="contactblock-select" class="selecttoggle contacts_ckbx" data-select-class="contacts_ckbx" data-select-all="{{$select_all}}" data-select-none="{{$select_none}}" title="{{$select_all}}"/>
+										<input type="checkbox" id="contactblock-select" class="selecttoggle contacts_ckbx" data-select-class="contacts_ckbx" data-select-all="{{$select_all}}" data-select-none="{{$select_none}}" title="{{$select_all|escape}}"/>
 										<label for="contactblock-select"></label>
 									</div>
 								</td>
diff --git a/view/theme/frio/templates/admin/queue.tpl b/view/theme/frio/templates/admin/queue.tpl
index dde3863999..3ebe89052e 100644
--- a/view/theme/frio/templates/admin/queue.tpl
+++ b/view/theme/frio/templates/admin/queue.tpl
@@ -13,12 +13,12 @@
 		</tr>
 		{{foreach $entries as $e}}
 		<tr>
-			<td>{{$e.id}}</td>
-			<td>{{$e.name}}</td>
-			<td><a href="{{$e.nurl}}">{{$e.nurl}}</a></td>
-			<td>{{$e.network}}</td>
-			<td>{{$e.created}}</td>
-			<td>{{$e.last}}</td>
+			<td>{{$e.id|escape}}</td>
+			<td>{{$e.name|escape}}</td>
+			<td><a href="{{$e.nurl}}">{{$e.nurl|escape}}</a></td>
+			<td>{{$e.network|escape}}</td>
+			<td>{{$e.created|escape}}</td>
+			<td>{{$e.last|escape}}</td>
 		</tr>
 		{{/foreach}}
 	</table>
diff --git a/view/theme/frio/templates/admin/summary.tpl b/view/theme/frio/templates/admin/summary.tpl
index 66afda721b..c2bbf49a70 100644
--- a/view/theme/frio/templates/admin/summary.tpl
+++ b/view/theme/frio/templates/admin/summary.tpl
@@ -54,14 +54,14 @@
 		{{* The Friendica version. *}}
 		<div id="admin-summary-version" class="col-lg-12 col-md-12 col-sm-12 col-xs-12 admin-summary">
 			<hr class="admin-summary-separator">
-			<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 admin-summary-label-name text-muted">{{$version.0}}</div>
-			<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12 admin-summary-entry">{{$platform}} '{{$codename}}' {{$version.1}} - {{$build}}</div>
+			<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 admin-summary-label-name text-muted">{{$version.0|escape}}</div>
+			<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12 admin-summary-entry">{{$platform}} '{{$codename|escape}}' {{$version.1|escape}} - {{$build|escape}}</div>
 		</div>
 
 		{{* Server Settings. *}}
 		<div id="admin-summary-php" class="col-lg-12 col-md-12 col-sm-12 col-xs-12 admin-summary">
 			<hr class="admin-summary-separator">
-			<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 admin-summary-label-name text-muted">{{$serversettings.label}}</div>
+			<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 admin-summary-label-name text-muted">{{$serversettings.label|escape}}</div>
 			<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12 admin-summary-entry">
 				<table class="table">
 				<tbody>
diff --git a/view/theme/frio/templates/admin/users.tpl b/view/theme/frio/templates/admin/users.tpl
index 92ef9be6fa..031ffd0a47 100644
--- a/view/theme/frio/templates/admin/users.tpl
+++ b/view/theme/frio/templates/admin/users.tpl
@@ -46,11 +46,11 @@
 									</div>
 								</td>
 								<td>{{$u.created}}</td>
-								<td>{{$u.name}}</td>
+								<td>{{$u.name|escape}}</td>
 								<td>{{$u.email}}</td>
 								<td>
-									<a href="{{$baseurl}}/regmod/allow/{{$u.hash}}" class="admin-settings-action-link" title="{{$approve}}"><i class="fa fa-check" aria-hidden="true"></i></a>
-									<a href="{{$baseurl}}/regmod/deny/{{$u.hash}}" class="admin-settings-action-link" title="{{$deny}}"><i class="fa fa-trash-o" aria-hidden="true"></i></a>
+									<a href="{{$baseurl}}/regmod/allow/{{$u.hash}}" class="admin-settings-action-link" title="{{$approve|escape}}"><i class="fa fa-check" aria-hidden="true"></i></a>
+									<a href="{{$baseurl}}/regmod/deny/{{$u.hash}}" class="admin-settings-action-link" title="{{$deny|escape}}"><i class="fa fa-trash-o" aria-hidden="true"></i></a>
 								</td>
 							</tr>
 							{{if $u.note}}
@@ -145,8 +145,8 @@
 								&nbsp;
 								{{/if}}
 								</td>
-								<td><img class="avatar-nano" src="{{$u.micro}}" title="{{$u.nickname}}"></td>
-								<td><a href="{{$u.url}}" title="{{$u.nickname}}"> {{$u.name}}</a></td>
+								<td><img class="avatar-nano" src="{{$u.micro}}" title="{{$u.nickname|escape}}"></td>
+								<td><a href="{{$u.url}}" title="{{$u.nickname|escape}}"> {{$u.name|escape}}</a></td>
 								<td>{{$u.email}}</td>
 								{{if $order_users == $th_users.2.1}}
 								<td>{{$u.register_date}}</td>
@@ -169,18 +169,18 @@
 										{{if $u.page_flags_raw==3}}fa-heart{{/if}}		{{* PAGE_FREELOVE *}}
 										{{if $u.page_flags_raw==4}}fa-rss{{/if}}		{{* PAGE_BLOG *}}
 										{{if $u.page_flags_raw==5}}fa-user-secret{{/if}}	{{* PAGE_PRVGROUP *}}
-										" title="{{$u.page_flags}}">
+										" title="{{$u.page_flags|escape}}">
 									</i>
 									{{if $u.page_flags_raw==0 && $u.account_type_raw > 0}}
 									<i class="fa
 										{{if $u.account_type_raw==1}}fa-sitemap{{/if}}		{{* ACCOUNT_TYPE_ORGANISATION *}}
 										{{if $u.account_type_raw==2}}fa-newspaper-o{{/if}}	{{* ACCOUNT_TYPE_NEWS *}}
 										{{if $u.account_type_raw==3}}fa-comments{{/if}}		{{* ACCOUNT_TYPE_COMMUNITY *}}
-										" title="{{$u.account_type}}">
+										" title="{{$u.account_type|escape}}">
 									</i>
 									{{/if}}
-									{{if $u.is_admin}}<i class="fa fa-user-md text-primary" title="{{$siteadmin}}"></i>{{/if}}
-									{{if $u.account_expired}}<i class="fa fa-clock-o text-warning" title="{{$accountexpired}}"></i>{{/if}}
+									{{if $u.is_admin}}<i class="fa fa-user-md text-primary" title="{{$siteadmin|escape}}"></i>{{/if}}
+									{{if $u.account_expired}}<i class="fa fa-clock-o text-warning" title="{{$accountexpired|escape}}"></i>{{/if}}
 								</td>
 								{{/if}}
 
@@ -229,7 +229,7 @@
 										<i class="fa fa-circle-o" aria-hidden="true"></i>
 										{{/if}}
 									</a>
-									<a href="{{$baseurl}}/admin/users/delete/{{$u.uid}}?t={{$form_security_token}}" class="admin-settings-action-link" title="{{$delete}}" onclick="return confirm_delete('{{$confirm_delete}}','{{$u.name}}')">
+									<a href="{{$baseurl}}/admin/users/delete/{{$u.uid}}?t={{$form_security_token}}" class="admin-settings-action-link" title="{{$delete|escape}}" onclick="return confirm_delete('{{$confirm_delete}}','{{$u.name|escape}}')">
 										<i class="fa fa-trash" aria-hidden="true"></i>
 									</a>
 									{{else}}
@@ -297,8 +297,8 @@
 						<tbody>
 						{{foreach $deleted as $u}}
 							<tr>
-								<td><img class="avatar-nano" src="{{$u.micro}}" title="{{$u.nickname}}"></td>
-								<td><a href="{{$u.url}}" title="{{$u.nickname}}" >{{$u.name}}</a></td>
+								<td><img class="avatar-nano" src="{{$u.micro}}" title="{{$u.nickname|escape}}"></td>
+								<td><a href="{{$u.url}}" title="{{$u.nickname|escape}}" >{{$u.name|escape}}</a></td>
 								<td>{{$u.email}}</td>
 								<td>{{$u.deleted}}</td>
 							</tr>
diff --git a/view/theme/frio/templates/comment_item.tpl b/view/theme/frio/templates/comment_item.tpl
index 4ef5f2caa1..804d07ac01 100644
--- a/view/theme/frio/templates/comment_item.tpl
+++ b/view/theme/frio/templates/comment_item.tpl
@@ -33,37 +33,37 @@
 			{{/if}}
 			<ul class="comment-edit-bb-{{$id}} comment-icon-list nav nav-pills pull-right">
 				<li>
-					<button type="button" class="btn-link icon bb-img" style="cursor: pointer;" aria-label="{{$edimg}}" title="{{$edimg}}" data-role="insert-formatting" data-bbcode="img" data-id="{{$id}}">
+					<button type="button" class="btn-link icon bb-img" style="cursor: pointer;" aria-label="{{$edimg}}" title="{{$edimg|escape}}" data-role="insert-formatting" data-bbcode="img" data-id="{{$id}}">
 						<i class="fa fa-picture-o"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon bb-url" style="cursor: pointer;" aria-label="{{$edurl}}" title="{{$edurl}}" onclick="insertFormatting('url',{{$id}});">
+					<button type="button" class="btn-link icon bb-url" style="cursor: pointer;" aria-label="{{$edurl}}" title="{{$edurl|escape}}" onclick="insertFormatting('url',{{$id}});">
 						<i class="fa fa-link"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon" style="cursor: pointer;" aria-label="{{$edattach}}" title="{{$edattach}}" ondragenter="return commentLinkDrop(event, {{$id}});" ondragover="return commentLinkDrop(event, {{$id}});" ondrop="commentLinkDropper(event);" onclick="commentGetLink({{$id}}, '{{$prompttext}}');">
+					<button type="button" class="btn-link icon" style="cursor: pointer;" aria-label="{{$edattach}}" title="{{$edattach|escape}}" ondragenter="return commentLinkDrop(event, {{$id}});" ondragover="return commentLinkDrop(event, {{$id}});" ondrop="commentLinkDropper(event);" onclick="commentGetLink({{$id}}, '{{$prompttext}}');">
 						<i class="fa fa-paperclip"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon underline" style="cursor: pointer;" aria-label="{{$eduline}}" title="{{$eduline}}" onclick="insertFormatting('u',{{$id}});">
+					<button type="button" class="btn-link icon underline" style="cursor: pointer;" aria-label="{{$eduline}}" title="{{$eduline|escape}}" onclick="insertFormatting('u',{{$id}});">
 						<i class="fa fa-underline"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon italic" style="cursor: pointer;" aria-label="{{$editalic}}" title="{{$editalic}}" onclick="insertFormatting('i',{{$id}});">
+					<button type="button" class="btn-link icon italic" style="cursor: pointer;" aria-label="{{$editalic}}" title="{{$editalic|escape}}" onclick="insertFormatting('i',{{$id}});">
 						<i class="fa fa-italic"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon bold" style="cursor: pointer;" aria-label="{{$edbold}}" title="{{$edbold}}" onclick="insertFormatting('b',{{$id}});">
+					<button type="button" class="btn-link icon bold" style="cursor: pointer;" aria-label="{{$edbold}}" title="{{$edbold|escape}}" onclick="insertFormatting('b',{{$id}});">
 						<i class="fa fa-bold"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon quote" style="cursor: pointer;" aria-label="{{$edquote}}" title="{{$edquote}}" onclick="insertFormatting('quote',{{$id}});">
+					<button type="button" class="btn-link icon quote" style="cursor: pointer;" aria-label="{{$edquote}}" title="{{$edquote|escape}}" onclick="insertFormatting('quote',{{$id}});">
 						<i class="fa fa-quote-left"></i>
 					</button>
 				</li>
diff --git a/view/theme/frio/templates/common_tabs.tpl b/view/theme/frio/templates/common_tabs.tpl
index 76c6db0398..207ffefcb9 100644
--- a/view/theme/frio/templates/common_tabs.tpl
+++ b/view/theme/frio/templates/common_tabs.tpl
@@ -6,7 +6,7 @@
 		<li>
 			<ul class="tabs  flex-nav" role="menu" >
 			{{foreach $tabs as $tab}}
-				<li id="{{$tab.id}}" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.accesskey}}accesskey="{{$tab.accesskey}}"{{/if}} {{if $tab.title}} title="{{$tab.title}}"{{/if}}>{{$tab.label}}</a></li>
+				<li id="{{$tab.id}}" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.accesskey}}accesskey="{{$tab.accesskey}}"{{/if}} {{if $tab.title}} title="{{$tab.title|escape}}"{{/if}}>{{$tab.label}}</a></li>
 			{{/foreach}}
 			</ul>
 		</li>
@@ -31,7 +31,7 @@
 			<ul class="tabs" role="menu">
 				{{foreach $tabs as $tab}}
 					{{if $tab.sel}}
-					<li id="{{$tab.id}}-xs" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.title}} title="{{$tab.title}}"{{/if}}>{{$tab.label}}</a></li>
+					<li id="{{$tab.id}}-xs" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.title}} title="{{$tab.title|escape}}"{{/if}}>{{$tab.label}}</a></li>
 					{{else}}
 					{{$exttabs[]=$tab}}
 					{{/if}}
@@ -50,7 +50,7 @@
 					</button>
 					<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="dropdownMenuTools">
 						{{foreach $exttabs as $tab}}
-						<li id="{{$tab.id}}-xs" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.title}} title="{{$tab.title}}"{{/if}}>{{$tab.label}}</a></li>
+						<li id="{{$tab.id}}-xs" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.title}} title="{{$tab.title|escape}}"{{/if}}>{{$tab.label}}</a></li>
 						{{/foreach}}
 					</ul>
 				</li>
diff --git a/view/theme/frio/templates/contact_edit.tpl b/view/theme/frio/templates/contact_edit.tpl
index 04426eeb12..e7d90ca286 100644
--- a/view/theme/frio/templates/contact_edit.tpl
+++ b/view/theme/frio/templates/contact_edit.tpl
@@ -1,6 +1,6 @@
 
 <div class="generic-page-wrapper">
-	{{if $header}}<h3>{{$header}}:&nbsp;{{$name}}{{if $account_type}}&nbsp;<small>({{$account_type}})</small>{{/if}}</h3>{{/if}}
+	{{if $header}}<h3>{{$header|escape}}:&nbsp;{{$name|escape}}{{if $account_type}}&nbsp;<small>({{$account_type|escape}})</small>{{/if}}</h3>{{/if}}
 
 	<div id="contact-edit-wrapper" >
 
@@ -19,15 +19,15 @@
 						</button>
 
 						<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="contact-edit-actions-button" aria-haspopup="true" id="contact-actions-menu" >
-							{{if $lblsuggest}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.suggest.url}}" title="{{$contact_actions.suggest.title}}">{{$contact_actions.suggest.label}}</a></li>{{/if}}
-							{{if $poll_enabled}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.update.url}}" title="{{$contact_actions.update.title}}">{{$contact_actions.update.label}}</a></li>{{/if}}
+							{{if $lblsuggest}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.suggest.url}}" title="{{$contact_actions.suggest.title|escape}}">{{$contact_actions.suggest.label|escape}}</a></li>{{/if}}
+							{{if $poll_enabled}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.update.url}}" title="{{$contact_actions.update.title|escape}}">{{$contact_actions.update.label|escape}}</a></li>{{/if}}
 							{{if $lblsuggest || $poll_enabled}}
 							<li role="presentation" class="divider"></li>
 							{{/if}}
-							<li role="presentation"><a role="menuitem" href="{{$contact_actions.block.url}}" title="{{$contact_actions.block.title}}">{{$contact_actions.block.label}}</a></li>
-							<li role="presentation"><a role="menuitem" href="{{$contact_actions.ignore.url}}" title="{{$contact_actions.ignore.title}}">{{$contact_actions.ignore.label}}</a></li>
-							{{if $contact_actions.archive.url}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.archive.url}}" title="{{$contact_actions.archive.title}}">{{$contact_actions.archive.label}}</a></li>{{/if}}
-							{{if $contact_actions.delete.url}}<li role="presentation"><button role="menuitem" type="button" class="btn-link" title="{{$contact_actions.delete.title}}" onclick="addToModal('{{$contact_actions.delete.url}}?confirm=1');">{{$contact_actions.delete.label}}</button></li>{{/if}}
+							<li role="presentation"><a role="menuitem" href="{{$contact_actions.block.url}}" title="{{$contact_actions.block.title|escape}}">{{$contact_actions.block.label|escape}}</a></li>
+							<li role="presentation"><a role="menuitem" href="{{$contact_actions.ignore.url}}" title="{{$contact_actions.ignore.title|escape}}">{{$contact_actions.ignore.label|escape}}</a></li>
+							{{if $contact_actions.archive.url}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.archive.url}}" title="{{$contact_actions.archive.title|escape}}">{{$contact_actions.archive.label|escape}}</a></li>{{/if}}
+							{{if $contact_actions.delete.url}}<li role="presentation"><button role="menuitem" type="button" class="btn-link" title="{{$contact_actions.delete.title|escape}}" onclick="addToModal('{{$contact_actions.delete.url}}?confirm=1');">{{$contact_actions.delete.label|escape}}</button></li>{{/if}}
 						</ul>
 					</li>
 				</ul>
@@ -35,35 +35,35 @@
 
 
 				<div id="contact-edit-status-wrapper">
-					<span id="contact-edit-contact-status">{{$contact_status}}</span>
+					<span id="contact-edit-contact-status">{{$contact_status|escape}}</span>
 
 					{{* Block with status information about the contact *}}
 					<ul>
-						{{if $relation_text}}<li><div id="contact-edit-rel">{{$relation_text}}</div></li>{{/if}}
-						{{if $nettype}}<li><div id="contact-edit-nettype">{{$nettype}}</div></li>{{/if}}
+						{{if $relation_text}}<li><div id="contact-edit-rel">{{$relation_text|escape}}</div></li>{{/if}}
+						{{if $nettype}}<li><div id="contact-edit-nettype">{{$nettype|escape}}</div></li>{{/if}}
 
 						{{if $poll_enabled}}
-							<li><div id="contact-edit-last-update-text">{{$lastupdtext}} <span id="contact-edit-last-updated">{{$last_update}}</span></div>
+							<li><div id="contact-edit-last-update-text">{{$lastupdtext|escape}} <span id="contact-edit-last-updated">{{$last_update|escape}}</span></div>
 							{{if $poll_interval}}
 								<form id="contact-edit-poll-form" action="/contact/{{$contact_id}}" method="post"> 
-									<span id="contact-edit-poll-text">{{$updpub}}</span> {{$poll_interval}}
+									<span id="contact-edit-poll-text">{{$updpub|escape}}</span> {{$poll_interval}}
 									<input class="btn btn-primary" type="submit" name="submit" value="{{$submit|escape:'html'}}" />
 								</form>
 							{{/if}}
 							</li>
 						{{/if}}
 
-						{{if $lost_contact}}<li><div id="lost-contact-message">{{$lost_contact}}</div></li>{{/if}}
-						{{if $insecure}}<li><div id="insecure-message">{{$insecure}}</div></li>	{{/if}}
-						{{if $blocked && !$pending}}<li><div id="block-message">{{$blocked}}</div></li>{{/if}}
-						{{if $pending}}<li><div id="pending-message">{{$pending}}</div></li>{{/if}}
-						{{if $ignored}}<li><div id="ignore-message">{{$ignored}}</div></li>{{/if}}
-						{{if $archived}}<li><div id="archive-message">{{$archived}}</div></li>{{/if}}
+						{{if $lost_contact}}<li><div id="lost-contact-message">{{$lost_contact|escape}}</div></li>{{/if}}
+						{{if $insecure}}<li><div id="insecure-message">{{$insecure|escape}}</div></li>	{{/if}}
+						{{if $blocked && !$pending}}<li><div id="block-message">{{$blocked|escape}}</div></li>{{/if}}
+						{{if $pending}}<li><div id="pending-message">{{$pending|escape}}</div></li>{{/if}}
+						{{if $ignored}}<li><div id="ignore-message">{{$ignored|escape}}</div></li>{{/if}}
+						{{if $archived}}<li><div id="archive-message">{{$archived|escape}}</div></li>{{/if}}
 					</ul>
 
 					<ul>
-						<!-- <li><a href="network/0?nets=all&cid={{$contact_id}}" id="contact-edit-view-recent">{{$lblrecent}}</a></li> -->
-						{{if $follow}}<li><div id="contact-edit-follow"><a href="{{$follow}}">{{$follow_text}}</a></div></li>{{/if}}
+						<!-- <li><a href="network/0?nets=all&cid={{$contact_id}}" id="contact-edit-view-recent">{{$lblrecent|escape}}</a></li> -->
+						{{if $follow}}<li><div id="contact-edit-follow"><a href="{{$follow}}">{{$follow_text|escape}}</a></div></li>{{/if}}
 					</ul>
 				</div> {{* End of contact-edit-status-wrapper *}}
 
@@ -83,38 +83,38 @@
 						<div id="contact-edit-profile-collapse" class="panel-collapse collapse in" role="tabpanel" aria-labelledby="contact-edit-profile">
 							<div class="section-content-tools-wrapper">
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$profileurllabel}}</div><a target="blank" href="{{$url}}">{{$profileurl}}</a>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$profileurllabel|escape}}</div><a target="blank" href="{{$url}}">{{$profileurl|escape}}</a>
 								</div>
 
 								{{if $location}}
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
 									<hr class="profile-separator">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$location_label}}</div>
-									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$location}}</div>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$location_label|escape}}</div>
+									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$location|escape}}</div>
 								</div>
 								{{/if}}
 
 								{{if $xmpp}}
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
 									<hr class="profile-separator">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$xmpp_label}}</div>
-									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$xmpp}}</div>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$xmpp_label|escape}}</div>
+									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$xmpp|escape}}</div>
 								</div>
 								{{/if}}
 
 								{{if $keywords}}
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
 									<hr class="profile-separator">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$keywords_label}}</div>
-									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$keywords}}</div>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$keywords_label|escape}}</div>
+									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$keywords|escape}}</div>
 								</div>
 								{{/if}}
 
 								{{if $about}}
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
 									<hr class="profile-separator">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$about_label}}</div>
-									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$about}}</div>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$about_label|escape}}</div>
+									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$about|escape}}</div>
 								</div>
 								{{/if}}
 							</div>
@@ -127,14 +127,14 @@
 						<div class="section-subtitle-wrapper" role="tab" id="contact-edit-settings">
 							<h4>
 								<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#contact-edit-tools" href="#contact-edit-settings-collapse" aria-expanded="false" aria-controls="contact-edit-settings-collapse">
-									{{$contact_settings_label}}
+									{{$contact_settings_label|escape}}
 								</a>
 							</h4>
 						</div>
 						<div id="contact-edit-settings-collapse" class="panel-collapse collapse" role="tabpanel" aria-labelledby="contact-edit-settings">
 							<div class="section-content-tools-wrapper">
 
-								<input type="hidden" name="contact_id" value="{{$contact_id}}">
+								<input type="hidden" name="contact_id" value="{{$contact_id|escape}}">
 
 								{{include file="field_checkbox.tpl" field=$notify}}
 								{{if $fetch_further_information}}
@@ -144,7 +144,7 @@
 								{{include file="field_checkbox.tpl" field=$hidden}}
 
 								<div class="form-group pull-right settings-submit-wrapper" >
-									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit}}</button>
+									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit|escape}}</button>
 								</div>
 								<div class="clear"></div>
 							</div>
@@ -157,7 +157,7 @@
 						<div class="section-subtitle-wrapper" role="tab" id="contact-edit-info">
 							<h4>
 								<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#contact-edit-tools" href="#contact-edit-info-collapse" aria-expanded="false" aria-controls="contact-edit-info-collapse">
-									{{$lbl_info1}}
+									{{$lbl_info1|escape}}
 								</a>
 							</h4>
 						</div>
@@ -167,11 +167,11 @@
 								{{include file="field_textarea.tpl" field=$cinfo}}
 
 								<div class="form-group pull-right settings-submit-wrapper" >
-									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit}}</button>
+									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit|escape}}</button>
 								</div>
 								<div class="clear"></div>
 								{{if $reason}}
-								<h4>{{$lbl_info2}}</h4>
+								<h4>{{$lbl_info2|escape}}</h4>
 								<p>{{$reason}}</p>
 								<div class="clear"></div>
 								{{/if}}
@@ -184,7 +184,7 @@
 						<div class="section-subtitle-wrapper" role="tab" id="contact-edit-profile-select">
 							<h4>
 								<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#contact-edit-tools" href="#contact-edit-profile-select-collapse" aria-expanded="false" aria-controls="contact-edit-profile-select-collapse">
-									{{$lbl_vis1}}
+									{{$lbl_vis1|escape}}
 								</a>
 							</h4>
 						</div>
@@ -192,7 +192,7 @@
 							<div class="section-content-tools-wrapper">
 								{{if $profile_select}}
 									<div id="contact-edit-profile-select-text">
-										<p>{{$lbl_vis2}}</p>
+										<p>{{$lbl_vis2|escape}}</p>
 									</div>
 									<div class="form-group">
 									{{$profile_select}}
@@ -201,7 +201,7 @@
 								{{/if}}
 
 								<div class="form-group pull-right settings-submit-wrapper" >
-									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit}}</button>
+									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit|escape}}</button>
 								</div>
 								<div class="clear"></div>
 							</div>
diff --git a/view/theme/frio/templates/contact_template.tpl b/view/theme/frio/templates/contact_template.tpl
index e1c0a77009..4f07ad2b1d 100644
--- a/view/theme/frio/templates/contact_template.tpl
+++ b/view/theme/frio/templates/contact_template.tpl
@@ -6,14 +6,14 @@
 			<div class="contact-entry-photo mframe" id="contact-entry-photo-{{$contact.id}}">
 
 				<div class="contact-photo-image-wrapper hidden-xs">
-					<img class="contact-photo media-object xl" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" />
+					<img class="contact-photo media-object xl" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" />
 				</div>
 
 				{{* For very small displays we use a drobdown menu for contact relating actions *}}
 				<button type="button" class="btn btn-link dropdown-toggle visible-xs" id="contact-photo-menu-button-{{$contact.id}}" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
 					{{* use a smaller picture on very small displays (e.g. mobiles) *}}
 					<div class="contact-photo-image-wrapper visible-xs">
-						<img class="contact-photo-xs media-object" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" />
+						<img class="contact-photo-xs media-object" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" />
 
 						{{* Overlay background on hover the avatar picture *}}
 						<div class="contact-photo-overlay">
@@ -44,37 +44,37 @@
 			{{* The contact actions like private mail, delete contact, edit contact and so on *}}
 			<div class="contact-actions pull-right nav-pills preferences hidden-xs">
 				{{if $contact.photo_menu.pm}}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.pm.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.pm.0}}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.pm.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.pm.0|escape}}">
 					<i class="fa fa-envelope" aria-hidden="true"></i>
 				</button>
 				{{/if}}
 				{{if $contact.photo_menu.poke}}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.poke.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.poke.0}}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.poke.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.poke.0|escape}}">
 					<i class="fa fa-heartbeat" aria-hidden="true"></i>
 				</button>
 				{{/if}}
 				{{if $contact.photo_menu.network}}
-				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.network.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.network.0}}">
+				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.network.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.network.0|escape}}">
 					<i class="fa fa-cloud" aria-hidden="true"></i>
 				</a>
 				{{/if}}
 				{{if $contact.photo_menu.edit}}
-				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.edit.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.edit.0}}">
+				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.edit.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.edit.0|escape}}">
 					<i class="fa fa-user" aria-hidden="true"></i>
 				</a>
 				{{/if}}
 				{{if $contact.photo_menu.drop}}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.drop.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.drop.0}}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.drop.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.drop.0|escape}}">
 					<i class="fa fa-user-times" aria-hidden="true"></i>
 				</button>
 				{{/if}}
 				{{if $contact.photo_menu.follow}}
-				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.follow.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.follow.0}}">
+				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.follow.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.follow.0|escape}}">
 					<i class="fa fa-user-plus" aria-hidden="true"></i>
 				</a>
 				{{/if}}
 				{{if $contact.photo_menu.hide}}
-				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.hide.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.hide.0}}">
+				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.hide.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.hide.0|escape}}">
 					<i class="fa fa-times" aria-hidden="true"></i>
 				</a>
 				{{/if}}
@@ -84,7 +84,7 @@
 			{{* The button to add or remove contacts from a contact group - group edit page *}}
 			{{if $contact.change_member}}
 			<div class="contact-group-actions pull-right nav-pills preferences">
-				<button type="button" class="contact-action-link contact-group-link btn-link" onclick="groupChangeMember({{$contact.change_member.gid}},{{$contact.change_member.cid}},'{{$contact.change_member.sec_token}}'); return true;" data-toggle="tooltip" title="{{$contact.change_member.title}}">
+				<button type="button" class="contact-action-link contact-group-link btn-link" onclick="groupChangeMember({{$contact.change_member.gid}},{{$contact.change_member.cid}},'{{$contact.change_member.sec_token}}'); return true;" data-toggle="tooltip" title="{{$contact.change_member.title|escape}}">
 					{{if $contact.label == "members"}}
 					<i class="fa fa-times-circle" aria-hidden="true"></i>
 					{{elseif $contact.label == "contacts"}}
@@ -97,7 +97,7 @@
 			{{* The contact description (e.g. Name, Network, kind of connection and so on *}}
 			<div class="contact-entry-desc">
 				<div class="contact-entry-name" id="contact-entry-name-{{$contact.id}}">
-					<h4 class="media-heading"><a href="{{$contact.url}}">{{$contact.name}}</a>
+					<h4 class="media-heading"><a href="{{$contact.url}}">{{$contact.name|escape}}</a>
 					{{if $contact.account_type}} <small class="contact-entry-details" id="contact-entry-accounttype-{{$contact.id}}">({{$contact.account_type}})</small>{{/if}}
 					{{if $contact.account_type == 'Forum'}}<i class="fa fa-comments-o" aria-hidden="true"></i>{{/if}}
 					{{* @todo this needs some changing in core because $contact.account_type contains a translated string which may notbe the same in every language *}}
@@ -133,14 +133,14 @@ We use this part to filter the contacts with jquery.textcomplete *}}
 			<div class="contact-entry-photo mframe" id="contact-entry-photo-{$id}">
 
 				<div class="contact-photo-image-wrapper hidden-xs">
-					<img class="contact-photo media-object xl" src="{$thumb}" {11} alt="{$name}" />
+					<img class="contact-photo media-object xl" src="{$thumb}" {11} alt="{$name|escape}" />
 				</div>
 
 				{{* For very small displays we use a drobdown menu for contact relating actions *}}
 				<button type="button" class="btn btn-link dropdown-toggle visible-xs" id="contact-photo-menu-button{$id}" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
 					{{* use a smaller picture on very small displays (e.g. mobiles) *}}
 					<div class="contact-photo-image-wrapper visible-xs">
-						<img class="contact-photo-xs media-object" src="{$thumb}" {11} alt="{$name}" />
+						<img class="contact-photo-xs media-object" src="{$thumb}" {11} alt="{$name|escape}" />
 
 						{{* Overlay background on hover the avatar picture *}}
 						<div class="contact-photo-overlay">
@@ -172,32 +172,32 @@ We use this part to filter the contacts with jquery.textcomplete *}}
 			{{* The contact actions like private mail, delete contact, edit contact and so on *}}
 			<div class="contact-actions pull-right nav-pills preferences hidden-xs">
 				{if $photo_menu.pm}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{$photo_menu.pm.1}')" data-toggle="tooltip" title="{$photo_menu.pm.0}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{$photo_menu.pm.1}')" data-toggle="tooltip" title="{$photo_menu.pm.0|escape}">
 					<i class="fa fa-envelope" aria-hidden="true"></i>
 				</button>
 				{/if}
 				{if $photo_menu.poke}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{$photo_menu.poke.1}')" data-toggle="tooltip" title="{$photo_menu.poke.0}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{$photo_menu.poke.1}')" data-toggle="tooltip" title="{$photo_menu.poke.0|escape}">
 					<i class="fa fa-heartbeat" aria-hidden="true"></i>
 				</button>
 				{/if}
 				{if $photo_menu.network}
-				<a class="contact-action-link btn-link" href="{$photo_menu.network.1}" data-toggle="tooltip" title="{$photo_menu.network.0}">
+				<a class="contact-action-link btn-link" href="{$photo_menu.network.1}" data-toggle="tooltip" title="{$photo_menu.network.0|escape}">
 					<i class="fa fa-cloud" aria-hidden="true"></i>
 				</a>
 				{/if}
 				{if $photo_menu.edit}
-				<a class="contact-action-link btn-link" href="{$photo_menu.edit.1}" data-toggle="tooltip" title="{$photo_menu.edit.0}">
+				<a class="contact-action-link btn-link" href="{$photo_menu.edit.1}" data-toggle="tooltip" title="{$photo_menu.edit.0|escape}">
 					<i class="fa fa-pencil" aria-hidden="true"></i>
 				</a>
 				{/if}
 				{if $photo_menu.drop}
-				<a class="contact-action-link btn-link" href="{$photo_menu.drop.1}" data-toggle="tooltip" title="{$photo_menu.drop.0}">
+				<a class="contact-action-link btn-link" href="{$photo_menu.drop.1}" data-toggle="tooltip" title="{$photo_menu.drop.0|escape}">
 					<i class="fa fa-user-times" aria-hidden="true"></i>
 				</a>
 				{/if}
 				{if $photo_menu.follow}
-				<a class="contact-action-link btn-link" href="{$photo_menu.follow.1}" data-toggle="tooltip" title="{$photo_menu.follow.0}">
+				<a class="contact-action-link btn-link" href="{$photo_menu.follow.1}" data-toggle="tooltip" title="{$photo_menu.follow.0|escape}">
 					<i class="fa fa-user-plus" aria-hidden="true"></i>
 				</a>
 				{/if}
@@ -207,7 +207,7 @@ We use this part to filter the contacts with jquery.textcomplete *}}
 			{{* The button to add or remove contacts from a contact group - group edit page *}}
 			{if $contact.change_member}
 			<div class="contact-group-actions pull-right nav-pills preferences">
-				<button type="button" class="contact-action-link btn-link" onclick="groupChangeMember({$contact.change_member.gid},{$contact.change_member.cid},'{$contact.change_member.sec_token}'); return true;" data-toggle="tooltip" title="{$contact.change_member.title}">
+				<button type="button" class="contact-action-link btn-link" onclick="groupChangeMember({$contact.change_member.gid},{$contact.change_member.cid},'{$contact.change_member.sec_token}'); return true;" data-toggle="tooltip" title="{$contact.change_member.title|escape}">
 					{if $contact.label == "members"}
 					<i class="fa fa-times-circle" aria-hidden="true"></i>
 					{elseif $contact.label == "contacts"}
diff --git a/view/theme/frio/templates/credits.tpl b/view/theme/frio/templates/credits.tpl
index 5e5aeecc25..75ab272df8 100644
--- a/view/theme/frio/templates/credits.tpl
+++ b/view/theme/frio/templates/credits.tpl
@@ -1,10 +1,10 @@
 <div id="credits" class="generic-page-wrapper">
         {{include file="section_title.tpl"}}
-        <p>{{$thanks}}</p>
+        <p>{{$thanks|escape}}</p>
 
         <ul class="credits">
                 {{foreach $names as $name}}
-                 <li>{{$name}}</li>
+                 <li>{{$name|escape}}</li>
                 {{/foreach}}
         </ul>
         <div class="clear"></div>
diff --git a/view/theme/frio/templates/crepair.tpl b/view/theme/frio/templates/crepair.tpl
index 3d45c6ddca..d4cdec5018 100644
--- a/view/theme/frio/templates/crepair.tpl
+++ b/view/theme/frio/templates/crepair.tpl
@@ -13,7 +13,7 @@
 
 	<form id="crepair-form" action="crepair/{{$contact_id}}" method="post" >
 
-		<!-- <h4>{{$contact_name}}</h4> -->
+		<!-- <h4>{{$contact_name|escape}}</h4> -->
 
 		<div id="contact-update-profile-wrapper">
 		{{if $update_profile}}
diff --git a/view/theme/frio/templates/event.tpl b/view/theme/frio/templates/event.tpl
index 947d09cb8d..82ed1de092 100644
--- a/view/theme/frio/templates/event.tpl
+++ b/view/theme/frio/templates/event.tpl
@@ -6,7 +6,7 @@
 				<div class="event-owner media-left">
 					{{if $event.item.author_name}}
 					<a href="{{$event.item.author_link}}" ><img src="{{$event.item.author_avatar}}" /></a>
-					<a href="{{$event.item.author_link}}" >{{$event.item.author_name}}</a>
+					<a href="{{$event.item.author_link}}" >{{$event.item.author_name|escape}}</a>
 					{{/if}}
 				</div>
 				<div class="media-body">
@@ -15,10 +15,10 @@
 			</div>
 
 			<div class="event-buttons pull-right">
-				{{if $event.edit}}<button type="button" class="btn" onclick="eventEdit('{{$event.edit.0}}')" title="{{$event.edit.1}}"><i class="fa fa-pencil" aria-hidden="true"></i></button>{{/if}}
-				{{if $event.copy}}<button type="button" class="btn" onclick="eventEdit('{{$event.copy.0}}')" title="{{$event.copy.1}}"><i class="fa fa-files-o" aria-hidden="true"></i></button>{{/if}}
-				{{if $event.drop}}<a href="{{$event.drop.0}}" onclick="return confirmDelete();" title="{{$event.drop.1}}" class="drop-event-link btn"><i class="fa fa-trash-o" aria-hidden="true"></i></a>{{/if}}
-				{{if $event.item.plink}}<a href="{{$event.plink.0}}" title="{{$event.plink.1}}" class="plink-event-link btn "><i class="fa fa-external-link" aria-hidden="true"></i></a>{{/if}}
+				{{if $event.edit}}<button type="button" class="btn" onclick="eventEdit('{{$event.edit.0}}')" title="{{$event.edit.1|escape}}"><i class="fa fa-pencil" aria-hidden="true"></i></button>{{/if}}
+				{{if $event.copy}}<button type="button" class="btn" onclick="eventEdit('{{$event.copy.0}}')" title="{{$event.copy.1|escape}}"><i class="fa fa-files-o" aria-hidden="true"></i></button>{{/if}}
+				{{if $event.drop}}<a href="{{$event.drop.0}}" onclick="return confirmDelete();" title="{{$event.drop.1|escape}}" class="drop-event-link btn"><i class="fa fa-trash-o" aria-hidden="true"></i></a>{{/if}}
+				{{if $event.item.plink}}<a href="{{$event.plink.0}}" title="{{$event.plink.1|escape}}" class="plink-event-link btn "><i class="fa fa-external-link" aria-hidden="true"></i></a>{{/if}}
 			</div>
 			<div class="clear"></div>
 		</div>
diff --git a/view/theme/frio/templates/event_stream_item.tpl b/view/theme/frio/templates/event_stream_item.tpl
index 87c2e70cad..58f39a0ee1 100644
--- a/view/theme/frio/templates/event_stream_item.tpl
+++ b/view/theme/frio/templates/event_stream_item.tpl
@@ -17,16 +17,16 @@
 					{{if $location.map}}<button id="event-map-btn-{{$id}}" class="event-map-btn btn-link fakelink nav nav-pills preferences" data-map-id="event-location-map-{{$id}}" data-show-label="{{$show_map_label}}" data-hide-label="{{$hide_map_label}}">{{$map_btn_label}}</button>{{/if}}
 					<div class="event-property">
 						<span class="event-date">
-							<span class="event-start dtstart" title="{{$dtstart_title}}">{{$start_short}}</span>
-							{{if $finish}} - <span class="event-end dtend" title="{{$dtend_title}}">{{if $same_date}}{{$end_time}}{{else}}{{$end_short}}{{/if}}</span>{{/if}}
+							<span class="event-start dtstart" title="{{$dtstart_title|escape}}">{{$start_short}}</span>
+							{{if $finish}} - <span class="event-end dtend" title="{{$dtend_title|escape}}">{{if $same_date}}{{$end_time}}{{else}}{{$end_short}}{{/if}}</span>{{/if}}
 						</span>
 						{{if $location.name}}
 						<span role="presentation" aria-hidden="true"> · </span>
-						<span class="event-location event-card-location">{{$location.name}}</span>
+						<span class="event-location event-card-location">{{$location.name|escape}}</span>
 						{{/if}}
 					</div>
 					<div class="event-card-profile-name profile-entry-name">
-						<a href="{{$author_link}}" class="userinfo">{{$author_name}}</a>
+						<a href="{{$author_link}}" class="userinfo">{{$author_name|escape}}</a>
 					</div>
 					{{if $location.map}}
 					<div id="event-location-map-{{$id}}" class="event-location-map">{{$location.map}}</div>
diff --git a/view/theme/frio/templates/events_js.tpl b/view/theme/frio/templates/events_js.tpl
index a4ca9004cd..3866282a33 100644
--- a/view/theme/frio/templates/events_js.tpl
+++ b/view/theme/frio/templates/events_js.tpl
@@ -5,7 +5,7 @@
 	{{* The link to create a new event *}}
 	{{if $new_event.0}}
 	<div class="pull-right" id="new-event-link">
-		<button type="button" class="btn-link page-action faded-icon" onclick="addToModal('{{$new_event.0}}')" title="{{$new_event.1}}" data-toggle="tooltip">
+		<button type="button" class="btn-link page-action faded-icon" onclick="addToModal('{{$new_event.0}}')" title="{{$new_event.1|escape}}" data-toggle="tooltip">
 			<i class="fa fa-plus"></i>
 		</button>
 	</div>
@@ -40,9 +40,9 @@
 
 		{{* The buttons to change the month/weeks/days *}}
 		<div id="fc-fc-header-left" class="btn-group">
-			<button class="btn btn-eventnav" onclick="changeView('prev', false);" title="{{$previous.1}}"><i class="fa fa-angle-up" aria-hidden="true"></i></button>
-			<button class="btn btn-eventnav btn-separator" onclick="changeView('next', false);" title="{{$next.1}}"><i class="fa fa-angle-down" aria-hidden="true"></i></button>
-			<button class="btn btn-eventnav btn-separator" onclick="changeView('today', false);" title="{{$today}}"><i class="fa fa-bullseye" aria-hidden="true"></i></button>
+			<button class="btn btn-eventnav" onclick="changeView('prev', false);" title="{{$previous.1|escape}}"><i class="fa fa-angle-up" aria-hidden="true"></i></button>
+			<button class="btn btn-eventnav btn-separator" onclick="changeView('next', false);" title="{{$next.1|escape}}"><i class="fa fa-angle-down" aria-hidden="true"></i></button>
+			<button class="btn btn-eventnav btn-separator" onclick="changeView('today', false);" title="{{$today|escape}}"><i class="fa fa-bullseye" aria-hidden="true"></i></button>
 		</div>
 
 		{{* The title (e.g. name of the mont/week/day) *}}
diff --git a/view/theme/frio/templates/filebrowser.tpl b/view/theme/frio/templates/filebrowser.tpl
index d452810c88..ce58ef0b98 100644
--- a/view/theme/frio/templates/filebrowser.tpl
+++ b/view/theme/frio/templates/filebrowser.tpl
@@ -9,8 +9,8 @@
 
 <div class="fbrowser {{$type}}">
 	<div class="fbrowser-content">
-		<input id="fb-nickname" type="hidden" name="type" value="{{$nickname}}" />
-		<input id="fb-type" type="hidden" name="type" value="{{$type}}" />
+		<input id="fb-nickname" type="hidden" name="type" value="{{$nickname|escape}}" />
+		<input id="fb-type" type="hidden" name="type" value="{{$type|escape}}" />
 
 		<div class="error hidden">
 			<span></span> <button type="button" class="btn btn-link close" aria-label="Close">X</a>
@@ -47,9 +47,9 @@
 				<div class="fbrowser-content-container">
 					{{foreach $files as $f}}
 					<div class="photo-album-image-wrapper">
-						<a href="#" class="photo-album-photo-link" data-link="{{$f.0}}" data-filename="{{$f.1}}" data-img="{{$f.2}}">
-							<img src="{{$f.2}}" alt="{{$f.1}}">
-							<p>{{$f.1}}</p>
+						<a href="#" class="photo-album-photo-link" data-link="{{$f.0}}" data-filename="{{$f.1|escape}}" data-img="{{$f.2|escape}}">
+							<img src="{{$f.2}}" alt="{{$f.1|escape}}">
+							<p>{{$f.1|escape}}</p>
 						</a>
 					</div>
 					{{/foreach}}
diff --git a/view/theme/frio/templates/intros.tpl b/view/theme/frio/templates/intros.tpl
index df46e453a8..9b34afcd9e 100644
--- a/view/theme/frio/templates/intros.tpl
+++ b/view/theme/frio/templates/intros.tpl
@@ -18,7 +18,7 @@
 				{{if $discard}}<button class="btn-link intro-submit-discard intro-action-link" type="submit" name="submit" value="{{$discard|escape:'html'}}" aria-label="{{$discard|escape:'html'}}" title="{{$discard|escape:'html'}}" data-toggle="tooltip"><i class="fa fa-trash-o" aria-hidden="true"></i></button>{{/if}}
 			</form>
 		</div>
-		<div class='intro-enty-name'><h4 class="media-heading"><a href="{{$zrl}}">{{$fullname}}</a></h4></div>
+		<div class='intro-enty-name'><h4 class="media-heading"><a href="{{$zrl}}">{{$fullname|escape}}</a></h4></div>
 		<div class="intro-desc"><span class="intro-desc-label">{{$str_notifytype}}</span>&nbsp;{{$notify_type}}</div>
 		{{* if the contact was suggestested by another contact, the contact who made the suggestion is displayed*}}
 		{{if $madeby}}<div class="intro-madeby"><span class="intro-madeby-label">{{$lbl_madeby}}</span>&nbsp;<a href="{{$madeby_zrl}}">{{$madeby}}</a></div>{{/if}}
@@ -51,7 +51,7 @@
 		a bootstrap modal in the case of approval *}}
 		<div id="intro-approve-wrapper-{{$intro_id}}" style="display: none;">
 
-			<h3 class="heading">{{$fullname}}{{if $addr}}&nbsp;({{$addr}}){{/if}}</h3>
+			<h3 class="heading">{{$fullname|escape}}{{if $addr}}&nbsp;({{$addr}}){{/if}}</h3>
 			<form class="intro-approve-form" {{if $request}}action="{{$request}}" method="get"{{else}}action="dfrn_confirm" method="post"{{/if}}>
 				{{include file="field_checkbox.tpl" field=$hidden}}
 				{{if $type != "friend_suggestion"}}
diff --git a/view/theme/frio/templates/jot.tpl b/view/theme/frio/templates/jot.tpl
index b5c061b75c..13e4d2ec1d 100644
--- a/view/theme/frio/templates/jot.tpl
+++ b/view/theme/frio/templates/jot.tpl
@@ -107,7 +107,7 @@
 						<li role="presentation" class="pull-right"><button class="btn btn-primary" type="submit" id="profile-jot-submit" name="submit" ><i class="fa fa-slideshare fa-fw" aria-hidden="true"></i> {{$share}}</button></li>
 						<li role="presentation" id="character-counter" class="grey jothidden text-info pull-right"></li>
 						<li role="presentation" id="profile-rotator-wrapper" class="pull-right" style="display: {{$visitor}};" >
-							<img role="presentation" id="profile-rotator" src="images/rotator.gif" alt="{{$wait}}" title="{{$wait}}" style="display: none;" />
+							<img role="presentation" id="profile-rotator" src="images/rotator.gif" alt="{{$wait|escape}}" title="{{$wait|escape}}" style="display: none;" />
 						</li>
 						<li role="presentation" id="profile-jot-plugin-wrapper">
 							{{$jotplugins}}
diff --git a/view/theme/frio/templates/like_noshare.tpl b/view/theme/frio/templates/like_noshare.tpl
index deb2383f4b..f58a7698ba 100644
--- a/view/theme/frio/templates/like_noshare.tpl
+++ b/view/theme/frio/templates/like_noshare.tpl
@@ -9,5 +9,5 @@
 		<i class="faded-icon page-action fa fa-thumbs-down" aria-hidden="true"></i>
 	</button>
 	{{/if}}
-	<img id="like-rotator-{{$id}}" class="like-rotator" src="images/rotator.gif" alt="{{$wait}}" title="{{$wait}}" style="display: none;" />
+	<img id="like-rotator-{{$id}}" class="like-rotator" src="images/rotator.gif" alt="{{$wait|escape}}" title="{{$wait|escape}}" style="display: none;" />
 </div>
diff --git a/view/theme/frio/templates/mail_conv.tpl b/view/theme/frio/templates/mail_conv.tpl
index 2ad9898495..b5154aa4c0 100644
--- a/view/theme/frio/templates/mail_conv.tpl
+++ b/view/theme/frio/templates/mail_conv.tpl
@@ -2,13 +2,13 @@
 	<div class="media">
 		<div class="pull-left contact-photo-wrapper">
 			<a href="{{$mail.from_url}}" title="{{$mail.from_addr}}">
-				<img class="media-object" src="{{$mail.from_photo}}" alt="{{$mail.from_name}}" title="{{$mail.from_addr}}" />
+				<img class="media-object" src="{{$mail.from_photo}}" alt="{{$mail.from_name|escape}}" title="{{$mail.from_addr}}" />
 			</a>
 		</div>
 		<div class="media-body">
 			<div class="text-muted time mail-ago pull-right" title="{{$mail.date}}" data-toggle="tooltip">{{$mail.date}}</div>
 			<div class="mail-conv-delete-end"></div>
-			<h4 class="media-heading"><a href="{{$mail.from_url}}" title="{{$mail.from_addr}}">{{$mail.from_name}}</a></h4>
+			<h4 class="media-heading"><a href="{{$mail.from_url}}" title="{{$mail.from_addr}}">{{$mail.from_name|escape}}</a></h4>
 
 			<div class="mail-body">
 				{{$mail.body}}
diff --git a/view/theme/frio/templates/mail_list.tpl b/view/theme/frio/templates/mail_list.tpl
index 4a797d47c0..225fd71c18 100644
--- a/view/theme/frio/templates/mail_list.tpl
+++ b/view/theme/frio/templates/mail_list.tpl
@@ -5,7 +5,7 @@
 		<div class="media">
 			<div class="pull-left contact-photo-wrapper">
 				<a href="{{$from_url}}" title="{{$from_addr}}">
-					<img class="media-object" src="{{$from_photo}}" alt="{{$from_name}}" title="{{$from_addr}}" />
+					<img class="media-object" src="{{$from_photo}}" alt="{{$from_name|escape}}" title="{{$from_addr|escape}}" />
 				</a>
 			</div>
 			<div class="media-body">
diff --git a/view/theme/frio/templates/nav.tpl b/view/theme/frio/templates/nav.tpl
index d64eae9c49..6f20c247c4 100644
--- a/view/theme/frio/templates/nav.tpl
+++ b/view/theme/frio/templates/nav.tpl
@@ -40,37 +40,37 @@
 				<ul class="nav navbar-nav navbar-left" role="menubar">
 					<li id="nav-communication" class="nav-segment" role="presentation">
 						{{if $nav.network}}
-						<a accesskey="n" role="menuitem" class="nav-menu {{$sel.network}}" href="{{$nav.network.0}}" data-toggle="tooltip" aria-label="{{$nav.network.3}}" title="{{$nav.network.3}}"><i class="fa fa-lg fa-th" aria-hidden="true"></i><span id="net-update" class="nav-network-badge badge nav-notify"></span></a>
+						<a accesskey="n" role="menuitem" class="nav-menu {{$sel.network}}" href="{{$nav.network.0}}" data-toggle="tooltip" aria-label="{{$nav.network.3}}" title="{{$nav.network.3|escape}}"><i class="fa fa-lg fa-th" aria-hidden="true"></i><span id="net-update" class="nav-network-badge badge nav-notify"></span></a>
 						{{/if}}
 
 						{{if $nav.home}}
-						<a accesskey="p" role="menuitem" class="nav-menu {{$sel.home}}" href="{{$nav.home.0}}" data-toggle="tooltip" aria-label="{{$nav.home.3}}" title="{{$nav.home.3}}"><i class="fa fa-lg fa-home" aria-hidden="true"></i><span id="home-update" class="nav-home-badge badge nav-notify"></span></a>
+						<a accesskey="p" role="menuitem" class="nav-menu {{$sel.home}}" href="{{$nav.home.0}}" data-toggle="tooltip" aria-label="{{$nav.home.3}}" title="{{$nav.home.3|escape}}"><i class="fa fa-lg fa-home" aria-hidden="true"></i><span id="home-update" class="nav-home-badge badge nav-notify"></span></a>
 						{{/if}}
 
 						{{if $nav.community}}
-						<a accesskey="c" role="menuitem" class="nav-menu {{$sel.community}}" href="{{$nav.community.0}}" data-toggle="tooltip" aria-label="{{$nav.community.3}}" title="{{$nav.community.3}}"><i class="fa fa-lg fa-bullseye" aria-hidden="true"></i></a>
+						<a accesskey="c" role="menuitem" class="nav-menu {{$sel.community}}" href="{{$nav.community.0}}" data-toggle="tooltip" aria-label="{{$nav.community.3}}" title="{{$nav.community.3|escape}}"><i class="fa fa-lg fa-bullseye" aria-hidden="true"></i></a>
 						{{/if}}
 					</li>
 
 					<li id="nav-personal" class="nav-segment hidden-xs" role="presentation">
 						{{if $nav.messages}}
-						<a role="menuitem" id="nav-messages-link" href="{{$nav.messages.0}}" data-toggle="tooltip" aria-label="{{$nav.messages.1}}" title="{{$nav.messages.1}}" class="nav-menu {{$sel.messages}}"><i class="fa fa-envelope fa-lg" aria-hidden="true"></i><span id="mail-update" class="nav-mail-badge badge nav-notify"></span></a>
+						<a role="menuitem" id="nav-messages-link" href="{{$nav.messages.0}}" data-toggle="tooltip" aria-label="{{$nav.messages.1}}" title="{{$nav.messages.1|escape}}" class="nav-menu {{$sel.messages}}"><i class="fa fa-envelope fa-lg" aria-hidden="true"></i><span id="mail-update" class="nav-mail-badge badge nav-notify"></span></a>
 						{{/if}}
 
 						{{if $nav.events}}
-						<a accesskey="e" role="menuitem" id="nav-events-link" href="{{$nav.events.0}}" data-toggle="tooltip" aria-label="{{$nav.events.1}}" title="{{$nav.events.1}}" class="nav-menu"><i class="fa fa-lg fa-calendar"></i></a>
+						<a accesskey="e" role="menuitem" id="nav-events-link" href="{{$nav.events.0}}" data-toggle="tooltip" aria-label="{{$nav.events.1}}" title="{{$nav.events.1|escape}}" class="nav-menu"><i class="fa fa-lg fa-calendar"></i></a>
 						{{/if}}
 
 						{{if $nav.contacts}}
-						<a role="menuitem" id="nav-contacts-link" class="nav-menu {{$sel.contacts}} {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" data-toggle="tooltip" aria-label="{{$nav.contacts.1}}" title="{{$nav.contacts.1}}" ><i class="fa fa-users fa-lg" aria-hidden="true"></i></a>
-						<span id="intro-update" class="nav-intro-badge badge nav-notify" onclick="window.location.href = '{{$nav.introductions.0}}' " data-toggle="tooltip" aria-label="{{$nav.introductions.3}}" title="{{$nav.introductions.3}}"></span>
+						<a role="menuitem" id="nav-contacts-link" class="nav-menu {{$sel.contacts}} {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" data-toggle="tooltip" aria-label="{{$nav.contacts.1}}" title="{{$nav.contacts.1|escape}}" ><i class="fa fa-users fa-lg" aria-hidden="true"></i></a>
+						<span id="intro-update" class="nav-intro-badge badge nav-notify" onclick="window.location.href = '{{$nav.introductions.0}}' " data-toggle="tooltip" aria-label="{{$nav.introductions.3}}" title="{{$nav.introductions.3|escape}}"></span>
 						{{/if}}
 					</li>
 
 					{{* The notifications dropdown *}}
 					{{if $nav.notifications}}
 						<li id="nav-notification" class="nav-segment hidden-xs" role="presentation">
-							<a href="{{$nav.notifications.0}}" rel="#nav-notifications-menu" data-toggle="tooltip" aria-label="{{$nav.notifications.1}}" title="{{$nav.notifications.1}}" role="button" id="dropdownMenu1" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+							<a href="{{$nav.notifications.0}}" rel="#nav-notifications-menu" data-toggle="tooltip" aria-label="{{$nav.notifications.1}}" title="{{$nav.notifications.1|escape}}" role="button" id="dropdownMenu1" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
 								<i class="fa fa-exclamation-circle fa-lg" aria-hidden="true"></i>
 								<span role="menuitem" class="sr-only">{{$nav.notifications.1}}</span>
 								<span id="notify-update" class="nav-notify-badge badge nav-notify dropdown" data-toggle="dropdown"></span>
@@ -84,7 +84,7 @@
 									<div class="arrow"></div>
 									{{$nav.notifications.1}}
 									<div class="dropdown-header-link">
-										<button role="menuitem" type="button" class="btn-link" onclick="notifyMarkAll();" data-toggle="tooltip" aria-label="{{$nav.notifications.mark.3}}" title="{{$nav.notifications.mark.3}}">{{$nav.notifications.mark.1}}</button>
+										<button role="menuitem" type="button" class="btn-link" onclick="notifyMarkAll();" data-toggle="tooltip" aria-label="{{$nav.notifications.mark.3}}" title="{{$nav.notifications.mark.3|escape}}">{{$nav.notifications.mark.1}}</button>
 									</div>
 
 								</li>
@@ -107,9 +107,9 @@
 					{{if $nav.search}}
 					<li id="search-box" class="hidden-xs">
 							<form class="navbar-form" role="search" method="get" action="{{$nav.search.0}}">
-								<!-- <img class="hidden-xs" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name}}" style="max-width:33px; max-height:33px; min-width:33px; min-height:33px; width:33px; height:33px;"> -->
+								<!-- <img class="hidden-xs" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name|escape}}" style="max-width:33px; max-height:33px; min-width:33px; min-height:33px; width:33px; height:33px;"> -->
 								<div class="form-group form-group-search">
-									<input accesskey="s" id="nav-search-input-field" class="form-control form-search" type="text" name="search" data-toggle="tooltip" title="{{$search_hint}}" placeholder="{{$nav.search.1}}">
+									<input accesskey="s" id="nav-search-input-field" class="form-control form-search" type="text" name="search" data-toggle="tooltip" title="{{$search_hint|escape}}" placeholder="{{$nav.search.1}}">
 									<button class="btn btn-default btn-sm form-button-search" type="submit">{{$nav.search.1}}</button>
 								</div>
 							</form>
@@ -121,61 +121,61 @@
 					<li id="nav-user-linkmenu" class="dropdown account nav-menu hidden-xs">
 						<button accesskey="u" id="main-menu" class="btn-link dropdown-toggle nav-avatar" data-toggle="dropdown" type="button" aria-haspopup="true" aria-expanded="false" aria-controls="nav-user-menu">
 							<div class="user-title pull-left hidden-xs hidden-sm hidden-md">
-								<strong>{{$nav.userinfo.name}}</strong><br>
+								<strong>{{$nav.userinfo.name|escape}}</strong><br>
 								{{if $nav.remote}}<span class="trunctate">{{$nav.remote}}</span>{{/if}}
 							</div>
 
-							<img  id="avatar" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name}}">
+							<img  id="avatar" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name|escape}}">
 							<span class="caret"></span>
 						</button>
 
 						{{* The list of available usermenu links *}}
 						<ul id="nav-user-menu" class="dropdown-menu pull-right menu-popup" role="menu" aria-labelledby="main-menu">
 							{{if $nav.remote}}{{if $nav.sitename}}
-							<li id="nav-sitename" role="menuitem">{{$nav.sitename}}</li>
+							<li id="nav-sitename" role="menuitem">{{$nav.sitename|escape}}</li>
 							<li role="presentation" class="divider"></li>
 							{{/if}}{{/if}}
 							{{foreach $nav.usermenu as $usermenu}}
-							<li role="presentation"><a role="menuitem" class="{{$usermenu.2}}" href="{{$usermenu.0}}" title="{{$usermenu.3}}">{{$usermenu.1}}</a></li>
+							<li role="presentation"><a role="menuitem" class="{{$usermenu.2}}" href="{{$usermenu.0}}" title="{{$usermenu.3|escape}}">{{$usermenu.1}}</a></li>
 							{{/foreach}}
 							<li role="presentation" class="divider"></li>
 							{{if $nav.notifications}}
-							<li role="presentation"><a role="menuitem" href="{{$nav.notifications.all.0}}" title="{{$nav.notifications.1}}"><i class="fa fa-exclamation-circle fa-fw" aria-hidden="true"></i> {{$nav.notifications.1}}</a></li>
+							<li role="presentation"><a role="menuitem" href="{{$nav.notifications.all.0}}" title="{{$nav.notifications.1|escape}}"><i class="fa fa-exclamation-circle fa-fw" aria-hidden="true"></i> {{$nav.notifications.1}}</a></li>
 							{{/if}}
 							{{if $nav.messages}}
-							<li role="presentation"><a role="menuitem" class="nav-commlink {{$nav.messages.2}} {{$sel.messages}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3}}" ><i class="fa fa-envelope fa-fw" aria-hidden="true"></i> {{$nav.messages.1}} <span id="mail-update-li" class="nav-mail-badge badge nav-notify"></span></a></li>
+							<li role="presentation"><a role="menuitem" class="nav-commlink {{$nav.messages.2}} {{$sel.messages}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3|escape}}" ><i class="fa fa-envelope fa-fw" aria-hidden="true"></i> {{$nav.messages.1}} <span id="mail-update-li" class="nav-mail-badge badge nav-notify"></span></a></li>
 							{{/if}}
 							<li role="presentation" class="divider"></li>
 							{{if $nav.contacts}}
-							<li role="presentation"><a role="menuitem" id="nav-menu-contacts-link" class="nav-link {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3}}"><i class="fa fa-users fa-fw" aria-hidden="true"></i> {{$nav.contacts.1}}</a><span id="intro-update-li" class="nav-intro-badge badge nav-notify"></span></li>
+							<li role="presentation"><a role="menuitem" id="nav-menu-contacts-link" class="nav-link {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3|escape}}"><i class="fa fa-users fa-fw" aria-hidden="true"></i> {{$nav.contacts.1}}</a><span id="intro-update-li" class="nav-intro-badge badge nav-notify"></span></li>
 							{{/if}}
 							{{if $nav.manage}}
-							<li role="presentation"><a role="menuitem" id="nav-manage-link" class="nav-commlink {{$nav.manage.2}} {{$sel.manage}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3}}"><i class="fa fa-flag fa-fw" aria-hidden="true"></i> {{$nav.manage.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-manage-link" class="nav-commlink {{$nav.manage.2}} {{$sel.manage}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3|escape}}"><i class="fa fa-flag fa-fw" aria-hidden="true"></i> {{$nav.manage.1}}</a></li>
 							{{/if}}
-							<li role="presentation"><a role="menuitem" id="nav-directory-link" class="nav-link {{$nav.directory.2}}" href="{{$nav.directory.0}}" title="{{$nav.directory.3}}"><i class="fa fa-sitemap fa-fw" aria-hidden="true"></i>{{$nav.directory.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-directory-link" class="nav-link {{$nav.directory.2}}" href="{{$nav.directory.0}}" title="{{$nav.directory.3|escape}}"><i class="fa fa-sitemap fa-fw" aria-hidden="true"></i>{{$nav.directory.1}}</a></li>
 							<li role="presentation" class="divider"></li>
 							{{if $nav.apps}}
-							<li role="presentation"><a role="menuitem" id="nav-apps-link" class="nav-link {{$nav.apps.2}} {{$sel.manage}}" href="{{$nav.apps.0}}" title="{{$nav.apps.3}}" ><i class="fa fa-puzzle-piece fa-fw" aria-hidden="true"></i> {{$nav.apps.1}}</a>
+							<li role="presentation"><a role="menuitem" id="nav-apps-link" class="nav-link {{$nav.apps.2}} {{$sel.manage}}" href="{{$nav.apps.0}}" title="{{$nav.apps.3|escape}}" ><i class="fa fa-puzzle-piece fa-fw" aria-hidden="true"></i> {{$nav.apps.1}}</a>
 							<li role="presentation" class="divider"></li>
 							{{/if}}
 							{{if $nav.help}}
-							<li role="presentation"><a role="menuitem" id="nav-help-link" class="nav-link {{$nav.help.2}}" href="{{$nav.help.0}}" title="{{$nav.help.3}}" ><i class="fa fa-question-circle fa-fw" aria-hidden="true"></i> {{$nav.help.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-help-link" class="nav-link {{$nav.help.2}}" href="{{$nav.help.0}}" title="{{$nav.help.3|escape}}" ><i class="fa fa-question-circle fa-fw" aria-hidden="true"></i> {{$nav.help.1}}</a></li>
 							{{/if}}
 							{{if $nav.settings}}
-							<li role="presentation"><a role="menuitem" id="nav-settings-link" class="nav-link {{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3}}"><i class="fa fa-cog fa-fw" aria-hidden="true"></i> {{$nav.settings.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-settings-link" class="nav-link {{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3|escape}}"><i class="fa fa-cog fa-fw" aria-hidden="true"></i> {{$nav.settings.1}}</a></li>
 							{{/if}}
 							{{if $nav.admin}}
-							<li role="presentation"><a accesskey="a" role="menuitem" id="nav-admin-link" class="nav-link {{$nav.admin.2}}" href="{{$nav.admin.0}}" title="{{$nav.admin.3}}" ><i class="fa fa-user-secret fa-fw" aria-hidden="true"></i> {{$nav.admin.1}}</a></li>
+							<li role="presentation"><a accesskey="a" role="menuitem" id="nav-admin-link" class="nav-link {{$nav.admin.2}}" href="{{$nav.admin.0}}" title="{{$nav.admin.3|escape}}" ><i class="fa fa-user-secret fa-fw" aria-hidden="true"></i> {{$nav.admin.1}}</a></li>
 							{{/if}}
 							{{if $nav.tos}}
 							<li role="presentation" class="divider"></li>
-							<li role="presentation"><a role="menuitem" id="nav-tos-link" class="nav-link {{$nav.tos.2}}" href="{{$nav.tos.0}}" title="{{$nav.tos.3}}" ><i class="fa fa-file-text" aria-hidden="true"></i> {{$nav.tos.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-tos-link" class="nav-link {{$nav.tos.2}}" href="{{$nav.tos.0}}" title="{{$nav.tos.3|escape}}" ><i class="fa fa-file-text" aria-hidden="true"></i> {{$nav.tos.1}}</a></li>
 							{{/if}}
 							<li role="presentation" class="divider"></li>
 							{{if $nav.logout}}
-							<li role="presentation"><a role="menuitem" id="nav-logout-link" class="nav-link {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3}}" ><i class="fa fa fa-sign-out fa-fw" aria-hidden="true"></i> {{$nav.logout.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-logout-link" class="nav-link {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3|escape}}" ><i class="fa fa fa-sign-out fa-fw" aria-hidden="true"></i> {{$nav.logout.1}}</a></li>
 							{{else}}
-							<li role="presentation"><a role="menuitem" id="nav-login-link" class="nav-login-link {{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3}}" ><i class="fa fa-power-off fa-fw" aria-hidden="true"></i> {{$nav.login.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-login-link" class="nav-login-link {{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3|escape}}" ><i class="fa fa-power-off fa-fw" aria-hidden="true"></i> {{$nav.login.1}}</a></li>
 							{{/if}}
 						</ul>
 					</li>{{* End of userinfo dropdown menu *}}
@@ -192,34 +192,34 @@
 				<div class="nav-container">
 					<ul role="menu" class="list-group">
 						{{if $nav.remote}}{{if $nav.sitename}}
-						<li role="menuitem" class="nav-sitename list-group-item">{{$nav.sitename}}</li>
+						<li role="menuitem" class="nav-sitename list-group-item">{{$nav.sitename|escape}}</li>
 						{{/if}}{{/if}}
-						<li role="presentation" class="list-group-item"><img src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name}}" style="max-width:15px; max-height:15px; min-width:15px; min-height:15px; width:15px; height:15px;"> {{$nav.userinfo.name}}{{if $nav.remote}} ({{$nav.remote}}){{/if}}</li>
+						<li role="presentation" class="list-group-item"><img src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name|escape}}" style="max-width:15px; max-height:15px; min-width:15px; min-height:15px; width:15px; height:15px;"> {{$nav.userinfo.name|escape}}{{if $nav.remote}} ({{$nav.remote}}){{/if}}</li>
 						{{foreach $nav.usermenu as $usermenu}}
-						<li role="menuitem" class="list-group-item"><a role="menuitem" class="{{$usermenu.2}}" href="{{$usermenu.0}}" title="{{$usermenu.3}}">{{$usermenu.1}}</a></li>
+						<li role="menuitem" class="list-group-item"><a role="menuitem" class="{{$usermenu.2}}" href="{{$usermenu.0}}" title="{{$usermenu.3|escape}}">{{$usermenu.1}}</a></li>
 						{{/foreach}}
 						{{if $nav.notifications}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" href="{{$nav.notifications.all.0}}" title="{{$nav.notifications.1}}"><i class="fa fa-exclamation-circle fa-fw" aria-hidden="true"></i> {{$nav.notifications.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" href="{{$nav.notifications.all.0}}" title="{{$nav.notifications.1|escape}}"><i class="fa fa-exclamation-circle fa-fw" aria-hidden="true"></i> {{$nav.notifications.1}}</a></li>
 						{{/if}}
 						{{if $nav.contacts}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3}}"><i class="fa fa-users fa-fw" aria-hidden="true"></i> {{$nav.contacts.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3|escape}}"><i class="fa fa-users fa-fw" aria-hidden="true"></i> {{$nav.contacts.1}}</a></li>
 						{{/if}}
 						{{if $nav.messages}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.messages.2}} {{$sel.messages}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3}}" ><i class="fa fa-envelope fa-fw" aria-hidden="true"></i> {{$nav.messages.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.messages.2}} {{$sel.messages}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3|escape}}" ><i class="fa fa-envelope fa-fw" aria-hidden="true"></i> {{$nav.messages.1}}</a></li>
 						{{/if}}
 						{{if $nav.manage}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-commlink {{$nav.manage.2}} {{$sel.manage}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3}}"><i class="fa fa-flag fa-fw" aria-hidden="true"></i> {{$nav.manage.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-commlink {{$nav.manage.2}} {{$sel.manage}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3|escape}}"><i class="fa fa-flag fa-fw" aria-hidden="true"></i> {{$nav.manage.1}}</a></li>
 						{{/if}}
 						{{if $nav.settings}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3}}"><i class="fa fa-cog fa-fw" aria-hidden="true"></i> {{$nav.settings.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3|escape}}"><i class="fa fa-cog fa-fw" aria-hidden="true"></i> {{$nav.settings.1}}</a></li>
 						{{/if}}
 						{{if $nav.admin}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.admin.2}}" href="{{$nav.admin.0}}" title="{{$nav.admin.3}}" ><i class="fa fa-user-secret fa-fw" aria-hidden="true"></i> {{$nav.admin.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.admin.2}}" href="{{$nav.admin.0}}" title="{{$nav.admin.3|escape}}" ><i class="fa fa-user-secret fa-fw" aria-hidden="true"></i> {{$nav.admin.1}}</a></li>
 						{{/if}}
 						{{if $nav.logout}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3}}" ><i class="fa fa fa-sign-out fa-fw" aria-hidden="true"></i> {{$nav.logout.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3|escape}}" ><i class="fa fa fa-sign-out fa-fw" aria-hidden="true"></i> {{$nav.logout.1}}</a></li>
 						{{else}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-login-link {{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3}}" ><i class="fa fa-power-off fa-fw" aria-hidden="true"></i> {{$nav.login.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-login-link {{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3|escape}}" ><i class="fa fa-power-off fa-fw" aria-hidden="true"></i> {{$nav.login.1}}</a></li>
 						{{/if}}
 					</ul>
 				</div>
@@ -244,12 +244,12 @@
 			<ul class="nav navbar-nav navbar-right">
 				<li role="presentation">
 					<a href="login?mode=none" id="nav-login"
-						data-toggle="tooltip" aria-label="{{$nav.login.3}}" title="{{$nav.login.3}}">
+						data-toggle="tooltip" aria-label="{{$nav.login.3}}" title="{{$nav.login.3|escape}}">
 							<i class="fa fa-sign-in fa-fw" aria-hidden="true"></i>
 					</a>
 				</li>
 				<li role="presentation">
-					<a href="{{$nav.about.0}}" id="nav-about" data-toggle="tooltip" aria-label="{{$nav.about.3}}" title="{{$nav.about.3}}">
+					<a href="{{$nav.about.0}}" id="nav-about" data-toggle="tooltip" aria-label="{{$nav.about.3}}" title="{{$nav.about.3|escape}}">
 						<i class="fa fa-info fa-fw" aria-hidden="true"></i>
 					</a>
 				</li>
@@ -263,9 +263,9 @@
 {{* provide a a search input for mobile view, which expands by pressing the search icon *}}
 <div id="search-mobile" class="hidden-lg hidden-md collapse">
 	<form class="navbar-form" role="search" method="get" action="{{$nav.search.0}}">
-		<!-- <img class="hidden-xs" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name}}" style="max-width:33px; max-height:33px; min-width:33px; min-height:33px; width:33px; height:33px;"> -->
+		<!-- <img class="hidden-xs" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name|escape}}" style="max-width:33px; max-height:33px; min-width:33px; min-height:33px; width:33px; height:33px;"> -->
 		<div class="form-group form-group-search">
-			<input id="nav-search-input-field-mobile" class="form-control form-search" type="text" name="search" data-toggle="tooltip" title="{{$search_hint}}" placeholder="{{$nav.search.1}}">
+			<input id="nav-search-input-field-mobile" class="form-control form-search" type="text" name="search" data-toggle="tooltip" title="{{$search_hint|escape}}" placeholder="{{$nav.search.1}}">
 			<button class="btn btn-default btn-sm form-button-search" type="submit">{{$nav.search.1}}</button>
 		</div>
 	</form>
diff --git a/view/theme/frio/templates/photo_item.tpl b/view/theme/frio/templates/photo_item.tpl
index 935e6288b3..8267fd6315 100644
--- a/view/theme/frio/templates/photo_item.tpl
+++ b/view/theme/frio/templates/photo_item.tpl
@@ -23,7 +23,7 @@
 	<div class="contact-photo-wrapper mframe p-author h-card pull-left">
 		<a class="userinfo u-url" id="wall-item-photo-menu-{{$id}}" href="{{$profile_url}}">
 			<div class="contact-photo-image-wrapper">
-				<img src="{{$thumb}}" class="contact-photo-xs media-object p-name u-photo" id="wall-item-photo-{{$id}}" alt="{{$name}}" />
+				<img src="{{$thumb}}" class="contact-photo-xs media-object p-name u-photo" id="wall-item-photo-{{$id}}" alt="{{$name|escape}}" />
 			</div>
 		</a>
 	</div>
diff --git a/view/theme/frio/templates/photo_top.tpl b/view/theme/frio/templates/photo_top.tpl
index a86aa7f809..fed29937ed 100644
--- a/view/theme/frio/templates/photo_top.tpl
+++ b/view/theme/frio/templates/photo_top.tpl
@@ -1,4 +1,4 @@
 <a href="{{$photo.link}}" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title}}">
-	<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name}}{{elseif $photo.desc}}{{$photo.desc}}{{elseif $photo.alt}}{{$photo.alt}}{{else}}{{$photo.unknown}}{{/if}}" title="{{$photo.title}}" id="photo-top-photo-{{$photo.id}}" />
+	<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name|escape}}{{elseif $photo.desc}}{{$photo.desc|escape}}{{elseif $photo.alt}}{{$photo.alt|escape}}{{else}}{{$photo.unknown|escape}}{{/if}}" title="{{$photo.title|escape}}" id="photo-top-photo-{{$photo.id}}" />
 </a>
 
diff --git a/view/theme/frio/templates/photo_view.tpl b/view/theme/frio/templates/photo_view.tpl
index 7dc2db901e..f8d12e133e 100644
--- a/view/theme/frio/templates/photo_view.tpl
+++ b/view/theme/frio/templates/photo_view.tpl
@@ -33,7 +33,7 @@
 		<div id="photo-photo">
 			{{* The photo *}}
 			<div class="photo-container">
-				<a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" alt="{{$photo.filename}}"/></a>
+				<a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" alt="{{$photo.filename|escape}}"/></a>
 			</div>
 
 			{{* Overlay buttons for previous and next photo *}}
@@ -54,7 +54,7 @@
 		<div id="photo-tags">{{$tags.title}}
 			{{foreach $tags.tags as $t}}
 			<span class="category label btn-success sm">
-				<span class="p-category">{{$t.name}}</span>
+				<span class="p-category">{{$t.name|escape}}</span>
 				{{if $t.removeurl}} <a href="{{$t.removeurl}}">(X)</a> {{/if}}
 			</span>
 			{{/foreach}}
diff --git a/view/theme/frio/templates/profile_entry.tpl b/view/theme/frio/templates/profile_entry.tpl
index fb5436fb52..1ee9eda85c 100644
--- a/view/theme/frio/templates/profile_entry.tpl
+++ b/view/theme/frio/templates/profile_entry.tpl
@@ -1,7 +1,7 @@
 
 <div class="profile-listing-row" >
 	<div class="profile-listing-cell" >
-		<a href="profiles/{{$id}}" class="profile-listing-edit-link"><img class="profile-listing-photo" id="profile-listing-photo-{{$id}}" src="{{$photo}}" alt="{{$alt}}" /></a>
+		<a href="profiles/{{$id}}" class="profile-listing-edit-link"><img class="profile-listing-photo" id="profile-listing-photo-{{$id}}" src="{{$photo}}" alt="{{$alt|escape}}" /></a>
 	</div>
 	<div class="profile-listing-photo-end"></div>
 	<div class="profile-listing-cell" id="profile-listing-name-{{$id}}">
diff --git a/view/theme/frio/templates/profile_vcard.tpl b/view/theme/frio/templates/profile_vcard.tpl
index 392adc1c48..793fec753a 100644
--- a/view/theme/frio/templates/profile_vcard.tpl
+++ b/view/theme/frio/templates/profile_vcard.tpl
@@ -2,19 +2,19 @@
 
 	<div id="profile-photo-wrapper">
 		{{if $profile.picdate}}
-		<a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}" /></a>
+		<a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}" /></a>
 		{{else}}
-		<a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}" alt="{{$profile.name}}" /></a>
+		<a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}" alt="{{$profile.name|escape}}" /></a>
 		{{/if}}
 
 		<div class="tool visible-lg visible-md">
 			{{if $profile.edit}}
 			<div class="action">
-				<a class="" href="{{$profile.edit.0}}" title="{{$profile.edit.3}}"><i class="fa fa-pencil-square-o"></i></a>
+				<a class="" href="{{$profile.edit.0}}" title="{{$profile.edit.3|escape}}"><i class="fa fa-pencil-square-o"></i></a>
 			</div>
 			{{else}}
 				{{if $profile.menu}}
-				<div class="profile-edit-side-div"><a class="profile-edit-side-link icon edit" title="{{$editprofile}}" href="profiles" ></a></div>
+				<div class="profile-edit-side-div"><a class="profile-edit-side-link icon edit" title="{{$editprofile|escape}}" href="profiles" ></a></div>
 				{{/if}}
 			{{/if}}
 		</div>
@@ -25,23 +25,23 @@
 	<div id="vcard-short-info-wrapper" style="display: none;">
 		<div id="vcard-short-info" class="media" style="display: none">
 			<div id="vcard-short-photo-wrapper" class="pull-left">
-				<img class="media-object" src="{{$profile.photo}}" alt="{{$profile.name}}" />
+				<img class="media-object" src="{{$profile.photo}}" alt="{{$profile.name|escape}}" />
 			</div>
 
 			<div id="vcard-short-desc" class="media-body">
-				<h4 class="media-heading">{{$profile.name}}</h4>
-				{{if $profile.addr}}<div class="vcard-short-addr">{{$profile.addr}}</div>{{/if}}
+				<h4 class="media-heading">{{$profile.name|escape}}</h4>
+				{{if $profile.addr}}<div class="vcard-short-addr">{{$profile.addr|escape}}</div>{{/if}}
 			</div>
 		</div>
 	</div>
 
 	<div class="panel-body">
 		<div class="profile-header">
-			<h3 class="fn p-name">{{$profile.name}}</h3>
+			<h3 class="fn p-name">{{$profile.name|escape}}</h3>
 
-			{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+			{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 
-			{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
+			{{if $profile.pdesc}}<div class="title">{{$profile.pdesc|escape}}</div>{{/if}}
 		</div>
 
 		<div id="profile-extra-links">
@@ -62,7 +62,7 @@
 			{{/if}}
 			{{if $wallmessage}}
 			<div id="wallmessage-link-botton">
-				<button type="button" id="wallmessage-link" class="btn btn-labeled btn-primary btn-sm" onclick="openWallMessage('{{$wallmessage_link}}')">
+				<button type="button" id="wallmessage-link" class="btn btn-labeled btn-primary btn-sm" onclick="openWallMessage('{{$wallmessage_link|escape}}')">
 					<span class=""><i class="fa fa-envelope"></i></span>
 					<span class="">{{$wallmessage}}</span>
 				</button>
@@ -78,11 +78,11 @@
 			<span class="adr">
 				{{if $profile.address}}<span class="street-address p-street-address">{{$profile.address}}</span>{{/if}}
 				<span class="city-state-zip">
-					<span class="locality p-locality">{{$profile.locality}}</span>{{if $profile.locality}}, {{/if}}
-					<span class="region p-region">{{$profile.region}}</span>
-					<span class="postal-code p-postal-code">{{$profile.postal_code}}</span>
+					<span class="locality p-locality">{{$profile.locality|escape}}</span>{{if $profile.locality}}, {{/if}}
+					<span class="region p-region">{{$profile.region|escape}}</span>
+					<span class="postal-code p-postal-code">{{$profile.postal_code|escape}}</span>
 				</span>
-				{{if $profile.country_name}}<span class="country-name p-country-name">{{$profile.country_name}}</span>{{/if}}
+				{{if $profile.country_name}}<span class="country-name p-country-name">{{$profile.country_name|escape}}</span>{{/if}}
 			</span>
 		</div>
 		{{/if}}
@@ -90,38 +90,38 @@
 		{{if $profile.xmpp}}
 		<div class="xmpp">
 			<span class="xmpp-label icon"><i class="fa fa-comments"></i></span>
-			<span class="xmpp-data">{{$profile.xmpp}}</span>
+			<span class="xmpp-data">{{$profile.xmpp|escape}}</span>
 		</div>
 		{{/if}}
 
 		{{if $gender}}
 		<div class="mf detail">
 			<span class="gender-label icon"><i class="fa fa-venus-mars"></i></span>
-			<span class="p-gender">{{$profile.gender}}</span>
+			<span class="p-gender">{{$profile.gender|escape}}</span>
 		</div>
 		{{/if}}
 
-		{{if $profile.pubkey}}<div class="key u-key" style="display:none;">{{$profile.pubkey}}</div>{{/if}}
+		{{if $profile.pubkey}}<div class="key u-key" style="display:none;">{{$profile.pubkey|escape}}</div>{{/if}}
 
-		{{if $contacts}}<div class="contacts" style="display:none;">{{$contacts}}</div>{{/if}}
+		{{if $contacts}}<div class="contacts" style="display:none;">{{$contacts|escape}}</div>{{/if}}
 
-		{{if $updated}}<div class="updated" style="display:none;">{{$updated}}</div>{{/if}}
+		{{if $updated}}<div class="updated" style="display:none;">{{$updated|escape}}</div>{{/if}}
 
 		{{if $marital}}
 		<div class="marital detail">
 			<span class="marital-label icon"><i class="fa fa-heart"></i></span>
-			<span class="marital-text icon">{{$profile.marital}}</span>
+			<span class="marital-text icon">{{$profile.marital|escape}}</span>
 		</div>
 		{{/if}}
 
 		{{if $homepage}}
 		<div class="homepage detail">
 			<span class="homepage-label icon"><i class="fa fa-external-link-square"></i></span>
-			<span class="homepage-url u-url"><a href="{{$profile.homepage}}" rel="me" target="_blank">{{$profile.homepage}}</a></span>
+			<span class="homepage-url u-url"><a href="{{$profile.homepage}}" rel="me" target="_blank">{{$profile.homepage|escape}}</a></span>
 		</div>
 		{{/if}}
 
-		{{if $about}}<dl class="about"  style="display:none;"><dt class="about-label">{{$about}}</dt><dd class="x-network">{{$profile.about}}</dd></dl>{{/if}}
+		{{if $about}}<dl class="about"  style="display:none;"><dt class="about-label">{{$about|escape}}</dt><dd class="x-network">{{$profile.about}}</dd></dl>{{/if}}
 
 		{{include file="diaspora_vcard.tpl"}}
 	</div>
diff --git a/view/theme/frio/templates/search_item.tpl b/view/theme/frio/templates/search_item.tpl
index c6aa9536e6..88a0d2a0ea 100644
--- a/view/theme/frio/templates/search_item.tpl
+++ b/view/theme/frio/templates/search_item.tpl
@@ -1,7 +1,7 @@
 <!-- TODO => Unknow block -->
 <div class="wall-item-decor" style="display:none;">
-	<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred}}">{{$item.star.starred}}</span>
-	{{if $item.lock}}<span class="navicon lock fakelink" onclick="lockview(event, {{$item.id}});" title="{{$item.lock}}"></span><span class="fa fa-lock" aria-hidden="true"></span>{{/if}}
+	<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred|escape}}">{{$item.star.starred}}</span>
+	{{if $item.lock}}<span class="navicon lock fakelink" onclick="lockview(event, {{$item.id}});" title="{{$item.lock|escape}}"></span><span class="fa fa-lock" aria-hidden="true"></span>{{/if}}
 </div>
 <!-- ./TODO => Unknow block -->
 
@@ -12,7 +12,7 @@
 			{{* Put additional actions in a top-right dropdown menu *}}
 
 			<ul class="nav nav-pills preferences">
-				<li><span class="wall-item-network" title="{{$item.app}}">{{$item.network_name}}</span></li>
+				<li><span class="wall-item-network" title="{{$item.app|escape}}">{{$item.network_name|escape}}</span></li>
 
 				{{if $item.plink || $item.star || $item.drop.dropping || $item.edpost || $item.subthread}}
 				<li class="dropdown">
@@ -21,45 +21,45 @@
 					<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="dropdownMenuTools-{{$item.id}}">
 						{{if $item.plink}}      {{*link to the original source of the item *}}
 						<li role="menuitem">
-							<a title="{{$item.plink.title}}" href="{{$item.plink.href}}" class="navicon plink"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title}}</a>
+							<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title|escape}}</a>
 						</li>
 						{{/if}}
 
 						{{if $item.edpost}} {{* edit the posting *}}
 						<li role="menuitem">
-							<button type="button" href="{{$item.edpost.0}}" title="{{$item.edpost.1}}" class="btn-link navicon pencil"><i class="fa fa-pencil" aria-hidden="true"></i> {{$item.edpost.1}}</button>
+							<button type="button" href="{{$item.edpost.0}}" title="{{$item.edpost.1|escape}}" class="btn-link navicon pencil"><i class="fa fa-pencil" aria-hidden="true"></i> {{$item.edpost.1}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.tagger}} {{* tag the post *}}
 						<li role="menuitem">
-							<button type="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}});" class="btn-link {{$item.tagger.class}}" title="{{$item.tagger.add}}"><i class="fa fa-tag" aria-hidden="true"></i> {{$item.tagger.add}}</button>
+							<button type="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}});" class="btn-link {{$item.tagger.class}}" title="{{$item.tagger.add|escape}}"><i class="fa fa-tag" aria-hidden="true"></i> {{$item.tagger.add}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.filer}}
 						<li role="menuitem">
-							<button type="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}});" class="btn-link filer-item filer-icon" title="{{$item.filer}}"><i class="fa fa-folder" aria-hidden="true"></i>&nbsp;{{$item.filer}}</button>
+							<button type="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}});" class="btn-link filer-item filer-icon" title="{{$item.filer|escape}}"><i class="fa fa-folder" aria-hidden="true"></i>&nbsp;{{$item.filer}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.star}}
 						<li role="menuitem">
-							<button type="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classdo}}" title="{{$item.star.do}}"><i class="fa fa-star-o" aria-hidden="true"></i>&nbsp;{{$item.star.do}}</button>
-							<button type="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classundo}}" title="{{$item.star.undo}}"><i class="fa fa-star" aria-hidden="true"></i>&nbsp;{{$item.star.undo}}</button>
+							<button type="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classdo}}" title="{{$item.star.do|escape}}"><i class="fa fa-star-o" aria-hidden="true"></i>&nbsp;{{$item.star.do}}</button>
+							<button type="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classundo}}" title="{{$item.star.undo|escape}}"><i class="fa fa-star" aria-hidden="true"></i>&nbsp;{{$item.star.undo}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.subthread}}
 						<li role="menuitem">
-							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
+							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.drop.dropping}}
 						<li role="separator" class="divider"></li>
 						<li role="menuitem">
-							<button type="button" class="btn-link navicon delete" onclick="dropItem('item/drop/{{$item.id}}', 'item-{{$item.guid}}');" title="{{$item.drop.delete}}"><i class="fa fa-trash" aria-hidden="true"></i> {{$item.drop.delete}}</button>
+							<button type="button" class="btn-link navicon delete" onclick="dropItem('item/drop/{{$item.id}}', 'item-{{$item.guid}}');" title="{{$item.drop.delete|escape}}"><i class="fa fa-trash" aria-hidden="true"></i> {{$item.drop.delete}}</button>
 						</li>
 						{{/if}}
 					</ul>
@@ -72,14 +72,14 @@
 				<div class="hidden-sm hidden-xs contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}}">
 					<a href="{{$item.profile_url}}" class="userinfo u-url" id="wall-item-photo-menu-{{$item.id}}">
 						<div class="contact-photo-image-wrapper">
-							<img src="{{$item.thumb}}" class="contact-photo media-object {{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+							<img src="{{$item.thumb}}" class="contact-photo media-object {{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 						</div>
 					</a>
 				</div>
 				<div class="hidden-lg hidden-md contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}}">
 					<a href="{{$item.profile_url}}" class="userinfo u-url" id="wall-item-photo-menu-xs-{{$item.id}}">
 						<div class="contact-photo-image-wrapper">
-							<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}}" id="wall-item-photo-xs-{{$item.id}}" alt="{{$item.name}}" />
+							<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}}" id="wall-item-photo-xs-{{$item.id}}" alt="{{$item.name|escape}}" />
 						</div>
 					</a>
 				</div>
@@ -88,13 +88,13 @@
 
 			{{* contact info header*}}
 			<div role="heading " class="contact-info hidden-sm hidden-xs media-body"><!-- <= For computer -->
-				<h4 class="media-heading"><a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.sparkle}}">{{$item.name}}</span></a>
-					{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a>{{/if}}
-					{{if $item.lock}}<span class="navicon lock fakelink" onClick="lockview(event, {{$item.id}});" title="{{$item.lock}}">&nbsp;<small><i class="fa fa-lock" aria-hidden="true"></i></small></span>{{/if}}
+				<h4 class="media-heading"><a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.sparkle}}">{{$item.name|escape}}</span></a>
+					{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a>{{/if}}
+					{{if $item.lock}}<span class="navicon lock fakelink" onClick="lockview(event, {{$item.id}});" title="{{$item.lock|escape}}">&nbsp;<small><i class="fa fa-lock" aria-hidden="true"></i></small></span>{{/if}}
 
 					<div class="additional-info text-muted">
 						<div id="wall-item-ago-{{$item.id}}" class="wall-item-ago">
-							<small><a href="{{$item.plink.orig}}"><span class="time" title="{{$item.localtime}}" data-toggle="tooltip">{{$item.ago}}</span></a></small>
+							<small><a href="{{$item.plink.orig}}"><span class="time" title="{{$item.localtime|escape}}" data-toggle="tooltip">{{$item.ago}}</span></a></small>
 						</div>
 
 						{{if $item.location}}
@@ -110,7 +110,7 @@
 			{{* contact info header for smartphones *}}
 			<div role="heading " class="contact-info-xs hidden-lg hidden-md">
 				<h5 class="media-heading">
-					<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span>{{$item.name}}</span></a>
+					<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span>{{$item.name|escape}}</span></a>
 					<p class="text-muted"><small>
 						<span class="wall-item-ago">{{$item.ago}}</span> {{if $item.location}}&nbsp;&mdash;&nbsp;({{$item.location}}){{/if}}</small>
 					</p>
@@ -150,14 +150,14 @@
 			{{/if}}
 
 				{{foreach $item.folders as $cat}}
-					<span class="folder label btn-danger sm">{{$cat.name}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+					<span class="folder label btn-danger sm">{{$cat.name|escape}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 				{{/foreach}}
 
 				{{foreach $item.categories as $cat}}
-					<span class="category label btn-success sm">{{$cat.name}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+					<span class="category label btn-success sm">{{$cat.name|escape}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 				{{/foreach}}
 				</div>
-				{{if $item.edited}}<div class="itemedited text-muted">{{$item.edited['label']}} (<span title="{{$item.edited['date']}}">{{$item.edited['relative']}}</span>)</div>{{/if}}
+				{{if $item.edited}}<div class="itemedited text-muted">{{$item.edited['label']}} (<span title="{{$item.edited['date']|escape}}">{{$item.edited['relative']}}</span>)</div>{{/if}}
 			</div>
 			<!-- ./TODO -->
 
@@ -166,7 +166,7 @@
 				<div class="wall-item-actions-left pull-left">
 					<!--comment this out to try something different {{if $item.threaded}}{{if $item.comment}}
 					<div id="button-reply" class="pull-left">
-						<button type="button" class="btn-link" id="comment-{{$item.id}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"><i class="fa fa-reply" title="{{$item.switchcomment}}"></i> </span>
+						<button type="button" class="btn-link" id="comment-{{$item.id}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"><i class="fa fa-reply" title="{{$item.switchcomment|escape}}"></i> </span>
 					</div>
 					{{/if}}{{/if}}-->
 
@@ -175,14 +175,14 @@
 					{{* Buttons for like and dislike *}}
 					{{if $item.vote}}
 						{{if $item.vote.like}}
-					<button type="button" class="btn btn-defaultbutton-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="like-{{$item.id}}" title="{{$item.vote.like.0}}" onclick="doLikeAction({{$item.id}}, 'like');">{{$item.vote.like.0}}</button>
+					<button type="button" class="btn btn-defaultbutton-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="like-{{$item.id}}" title="{{$item.vote.like.0|escape}}" onclick="doLikeAction({{$item.id}}, 'like');">{{$item.vote.like.0}}</button>
 						{{/if}}
 						{{if $item.vote.like AND $item.vote.dislike}}
 					<span role="presentation" class="separator">•</span>
 						{{/if}}
 
 						{{if $item.vote.dislike}}
-					<button type="button" class="btn btn-defaultbutton-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="dislike-{{$item.id}}" title="{{$item.vote.dislike.0}}" onclick="doLikeAction({{$item.id}}, 'dislike');">{{$item.vote.dislike.0}}</button>
+					<button type="button" class="btn btn-defaultbutton-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="dislike-{{$item.id}}" title="{{$item.vote.dislike.0|escape}}" onclick="doLikeAction({{$item.id}}, 'dislike');">{{$item.vote.dislike.0}}</button>
 						{{/if}}
 						{{if ($item.vote.like OR $item.vote.dislike) AND $item.comment}}
 					<span role="presentation" class="separator">•</span>
@@ -191,7 +191,7 @@
 
 					{{* Button to open the comment text field *}}
 					{{if $item.comment}}
-						<button type="button" class="btn btn-default" id="comment-{{$item.id}}" title="{{$item.switchcomment}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});">{{$item.switchcomment}}</button>
+						<button type="button" class="btn btn-default" id="comment-{{$item.id}}" title="{{$item.switchcomment|escape}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});">{{$item.switchcomment}}</button>
 					{{/if}}
 
 					{{* Button for sharing the item *}}
@@ -200,10 +200,10 @@
 							{{if $item.vote.like OR $item.vote.dislike OR $item.comment}}
 					<span role="presentation" class="separator">•</span>
 							{{/if}}
-					<button type="button" class="btn btn-default" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}});"><i class="fa fa-retweet" aria-hidden="true"></i>&nbsp;{{$item.vote.share.0}}</button>
+					<button type="button" class="btn btn-default" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}});"><i class="fa fa-retweet" aria-hidden="true"></i>&nbsp;{{$item.vote.share.0}}</button>
 						{{/if}}
 					{{/if}}
-					<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+					<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 				</div>
 
 
@@ -211,15 +211,15 @@
 					{{* Event attendance buttons *}}
 					{{if $item.isevent}}
 					<div class="vote-event">
-						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendyes.self}} active" aria-pressed="true{{/if}}" id="attendyes-{{$item.id}}" title="{{$item.attend.0}}" onclick="doLikeAction({{$item.id}}, 'attendyes');"><i class="fa fa-check" aria-hidden="true"><span class="sr-only">{{$item.attend.0}}</span></i></button>
-						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendno.self}} active" aria-pressed="true{{/if}}" id="attendno-{{$item.id}}" title="{{$item.attend.1}}" onclick="doLikeAction({{$item.id}}, 'attendno');"><i class="fa fa-times" aria-hidden="true"><span class="sr-only">{{$item.attend.1}}</span></i></button>
-						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendmaybe.self}} active" aria-pressed="true{{/if}}" id="attendmaybe-{{$item.id}}" title="{{$item.attend.2}}" onclick="doLikeAction({{$item.id}}, 'attendmaybe');"><i class="fa fa-question" aria-hidden="true"><span class="sr-only">{{$item.attend.2}}</span></i></button>
+						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendyes.self}} active" aria-pressed="true{{/if}}" id="attendyes-{{$item.id}}" title="{{$item.attend.0|escape}}" onclick="doLikeAction({{$item.id}}, 'attendyes');"><i class="fa fa-check" aria-hidden="true"><span class="sr-only">{{$item.attend.0}}</span></i></button>
+						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendno.self}} active" aria-pressed="true{{/if}}" id="attendno-{{$item.id}}" title="{{$item.attend.1|escape}}" onclick="doLikeAction({{$item.id}}, 'attendno');"><i class="fa fa-times" aria-hidden="true"><span class="sr-only">{{$item.attend.1}}</span></i></button>
+						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendmaybe.self}} active" aria-pressed="true{{/if}}" id="attendmaybe-{{$item.id}}" title="{{$item.attend.2|escape}}" onclick="doLikeAction({{$item.id}}, 'attendmaybe');"><i class="fa fa-question" aria-hidden="true"><span class="sr-only">{{$item.attend.2}}</span></i></button>
 					</div>
 					{{/if}}
 
 					<div class="pull-right checkbox">
 						{{if $item.drop.pagedrop}}
-						<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" id="checkbox-{{$item.id}}" class="item-select" value="{{$item.id}}" />
+						<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" id="checkbox-{{$item.id}}" class="item-select" value="{{$item.id}}" />
 						<label for="checkbox-{{$item.id}}"></label>
 						{{/if}}
 					</div>
@@ -238,7 +238,7 @@
 
 			<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
 			{{if $item.conv}}
-				<a href="{{$item.conv.href}}" id="context-{{$item.id}}" title="{{$item.conv.title}}">{{$item.conv.title}}</a>
+				<a href="{{$item.conv.href}}" id="context-{{$item.id}}" title="{{$item.conv.title|escape}}">{{$item.conv.title|escape}}</a>
 			{{/if}}
 			</div>
 		</div><!--./media>-->
diff --git a/view/theme/frio/templates/vcard-widget.tpl b/view/theme/frio/templates/vcard-widget.tpl
index 0115abd887..ab6f52f472 100644
--- a/view/theme/frio/templates/vcard-widget.tpl
+++ b/view/theme/frio/templates/vcard-widget.tpl
@@ -2,9 +2,9 @@
 
 	<div id="profile-photo-wrapper">
 		{{if $url}}
-		<a href="{{$url}}"><img class="photo u-photo" src="{{$photo}}" alt="{{$name}}" /></a>
+		<a href="{{$url}}"><img class="photo u-photo" src="{{$photo}}" alt="{{$name|escape}}" /></a>
 		{{else}}
-		<img class="photo u-photo" src="{{$photo}}" alt="{{$name}}" />
+		<img class="photo u-photo" src="{{$photo}}" alt="{{$name|escape}}" />
 		{{/if}}
 	</div>
 
@@ -12,11 +12,11 @@
 	<div id="vcard-short-info-wrapper" style="display: none;">
 		<div id="vcard-short-info" class="media" style="display: none">
 			<div id="vcard-short-photo-wrapper" class="pull-left">
-				<img class="media-object" src="{{$photo}}" alt="{{$name}}" />
+				<img class="media-object" src="{{$photo}}" alt="{{$name|escape}}" />
 			</div>
 
 			<div id="vcard-short-desc" class="media-body">
-				<h4 class="media-heading">{{$name}}</h4>
+				<h4 class="media-heading">{{$name|escape}}</h4>
 				{{if $addr}}<div class="vcard-short-addr">{{$addr}}</div>{{/if}}
 			</div>
 		</div>
@@ -24,7 +24,7 @@
 
 	<div class="panel-body">
 		<div class="profile-header">
-			<h3 class="fn p-name">{{$name}}</h3>
+			<h3 class="fn p-name">{{$name|escape}}</h3>
 
 			{{if $addr}}<div class="p-addr">{{$addr}}</div>{{/if}}
 
diff --git a/view/theme/frio/templates/wall_thread.tpl b/view/theme/frio/templates/wall_thread.tpl
index c46fc339dd..961c241a14 100644
--- a/view/theme/frio/templates/wall_thread.tpl
+++ b/view/theme/frio/templates/wall_thread.tpl
@@ -58,9 +58,9 @@ as the value of $top_child_total (this is done at the end of this file)
 <!-- TODO => Unknow block -->
 <div class="wall-item-decor" style="display:none;">
 	{{if $item.star}}
-	<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred}}">{{$item.star.starred}}</span>
+	<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred|escape}}">{{$item.star.starred}}</span>
 	{{/if}}
-	{{if $item.lock}}<span class="navicon lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock}}"></span><span class="fa fa-lock"></span>{{/if}}
+	{{if $item.lock}}<span class="navicon lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}"></span><span class="fa fa-lock"></span>{{/if}}
 </div>
 <!-- ./TODO => Unknow block -->
 
@@ -82,7 +82,7 @@ as the value of $top_child_total (this is done at the end of this file)
 		{{* Put addional actions in a top-right dropdown menu *}}
 
 		<ul class="nav nav-pills preferences">
-			<li><span class="wall-item-network" title="{{$item.app}}">{{$item.network_name}}</span></li>
+			<li><span class="wall-item-network" title="{{$item.app|escape}}">{{$item.network_name|escape}}</span></li>
 
 			{{if $item.plink || $item.drop.dropping || $item.edpost || $item.ignore || $item.tagger || $item.star || $item.filer || $item.subthread}}
 			<li class="dropdown">
@@ -91,38 +91,38 @@ as the value of $top_child_total (this is done at the end of this file)
 				<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="dropdownMenuTools-{{$item.id}}">
 					{{if $item.plink}}	{{*link to the original source of the item *}}
 					<li role="menuitem">
-						<a title="{{$item.plink.title}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title}}</a>
+						<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title}}</a>
 					</li>
 					{{/if}}
 
 					{{if $item.edpost}} {{* edit the posting *}}
 					<li role="menuitem">
-						<button type="button" onclick="editpost('{{$item.edpost.0}}?mode=none');" title="{{$item.edpost.1}}" class="btn-link navicon pencil"><i class="fa fa-pencil" aria-hidden="true"></i> {{$item.edpost.1}}</button>
+						<button type="button" onclick="editpost('{{$item.edpost.0}}?mode=none');" title="{{$item.edpost.1|escape}}" class="btn-link navicon pencil"><i class="fa fa-pencil" aria-hidden="true"></i> {{$item.edpost.1}}</button>
 					</li>
 					{{/if}}
 
 					{{if $item.tagger}} {{* tag the post *}}
 					<li role="menuitem">
-						<button type="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}});" class="btn-link {{$item.tagger.class}}" title="{{$item.tagger.add}}"><i class="fa fa-tag" aria-hidden="true"></i> {{$item.tagger.add}}</button>
+						<button type="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}});" class="btn-link {{$item.tagger.class}}" title="{{$item.tagger.add|escape}}"><i class="fa fa-tag" aria-hidden="true"></i> {{$item.tagger.add}}</button>
 					</li>
 					{{/if}}
 
 					{{if $item.filer}}
 					<li role="menuitem">
-						<button type="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}});" class="btn-link filer-item filer-icon" title="{{$item.filer}}"><i class="fa fa-folder" aria-hidden="true"></i>&nbsp;{{$item.filer}}</button>
+						<button type="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}});" class="btn-link filer-item filer-icon" title="{{$item.filer|escape}}"><i class="fa fa-folder" aria-hidden="true"></i>&nbsp;{{$item.filer}}</button>
 					</li>
 					{{/if}}
 
 					{{if $item.star}}
 					<li role="menuitem">
-						<button type="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classdo}}" title="{{$item.star.do}}"><i class="fa fa-star-o" aria-hidden="true"></i>&nbsp;{{$item.star.do}}</button>
-						<button type="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classundo}}" title="{{$item.star.undo}}"><i class="fa fa-star" aria-hidden="true"></i>&nbsp;{{$item.star.undo}}</button>
+						<button type="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classdo}}" title="{{$item.star.do|escape}}"><i class="fa fa-star-o" aria-hidden="true"></i>&nbsp;{{$item.star.do}}</button>
+						<button type="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classundo}}" title="{{$item.star.undo|escape}}"><i class="fa fa-star" aria-hidden="true"></i>&nbsp;{{$item.star.undo}}</button>
 					</li>
 					{{/if}}
 
 					{{if $item.subthread}}
 					<li role="menuitem">
-						<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
+						<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
 					</li>
 					{{/if}}
 
@@ -132,16 +132,16 @@ as the value of $top_child_total (this is done at the end of this file)
 
 					{{if $item.ignore}}
 						<li role="menuitem">
-							<button type="button" id="ignore-{{$item.id}}" onclick="doignore({{$item.id}});" class="btn-link {{$item.ignore.classdo}}" title="{{$item.ignore.do}}"><i class="fa fa-eye-slash" aria-hidden="true"></i> {{$item.ignore.do}}</button>
+							<button type="button" id="ignore-{{$item.id}}" onclick="doignore({{$item.id}});" class="btn-link {{$item.ignore.classdo}}" title="{{$item.ignore.do|escape}}"><i class="fa fa-eye-slash" aria-hidden="true"></i> {{$item.ignore.do}}</button>
 						</li>
 						<li role="menuitem">
-							<button type="button" id="unignore-{{$item.id}}" onclick="doignore({{$item.id}});" class="btn-link {{$item.ignore.classundo}}"  title="{{$item.ignore.undo}}"><i class="fa fa-eye" aria-hidden="true"></i> {{$item.ignore.undo}}</button>
+							<button type="button" id="unignore-{{$item.id}}" onclick="doignore({{$item.id}});" class="btn-link {{$item.ignore.classundo}}"  title="{{$item.ignore.undo|escape}}"><i class="fa fa-eye" aria-hidden="true"></i> {{$item.ignore.undo}}</button>
 						</li>
 					{{/if}}
 
 					{{if $item.drop.dropping}}
 					<li role="menuitem">
-						<button type="button" class="btn-link navicon delete" onclick="dropItem('item/drop/{{$item.id}}/{{$item.return}}', 'item-{{$item.guid}}');" title="{{$item.drop.delete}}"><i class="fa fa-trash" aria-hidden="true"></i> {{$item.drop.delete}}</button>
+						<button type="button" class="btn-link navicon delete" onclick="dropItem('item/drop/{{$item.id}}/{{$item.return}}', 'item-{{$item.guid}}');" title="{{$item.drop.delete|escape}}"><i class="fa fa-trash" aria-hidden="true"></i> {{$item.drop.delete}}</button>
 					</li>
 					{{/if}}
 				</ul>
@@ -156,14 +156,14 @@ as the value of $top_child_total (this is done at the end of this file)
 			<div class="hidden-sm hidden-xs contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card">
 				<a class="userinfo  u-url" id="wall-item-photo-menu-{{$item.id}}" href="{{$item.profile_url}}">
 					<div class="contact-photo-image-wrapper">
-						<img src="{{$item.thumb}}" class="contact-photo media-object {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+						<img src="{{$item.thumb}}" class="contact-photo media-object {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 					</div>
 				</a>
 			</div>
 			<div class="hidden-lg hidden-md contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}}">
 				<a class="userinfo u-url" id="wall-item-photo-menu-xs-{{$item.id}}" href="{{$item.profile_url}}">
 					<div class="contact-photo-image-wrapper">
-						<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}}" id="wall-item-photo-xs-{{$item.id}}" alt="{{$item.name}}" />
+						<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}}" id="wall-item-photo-xs-{{$item.id}}" alt="{{$item.name|escape}}" />
 					</div>
 				</a>
 			</div>
@@ -171,8 +171,8 @@ as the value of $top_child_total (this is done at the end of this file)
 			{{* The litle overlay avatar picture if someone is posting directly to a wall or a forum *}}
 			{{if $item.owner_url}}
 			<div aria-hidden="true" class="contact-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name}}" />
+				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
+					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name|escape}}" />
 				</a>
 			</div>
 			{{/if}}
@@ -184,7 +184,7 @@ as the value of $top_child_total (this is done at the end of this file)
 			<div class="contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card">
 				<a class="userinfo u-url" id="wall-item-photo-menu-{{$item.id}}" href="{{$item.profile_url}}">
 					<div class="contact-photo-image-wrapper">
-						<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}} p-name u-photo" id="wall-item-photo-comment-{{$item.id}}" alt="{{$item.name}}" />
+						<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}} p-name u-photo" id="wall-item-photo-comment-{{$item.id}}" alt="{{$item.name|escape}}" />
 					</div>
 				</a>
 			</div>
@@ -196,14 +196,14 @@ as the value of $top_child_total (this is done at the end of this file)
 		{{* contact info header*}}
 		{{if $item.thread_level==1}}
 		<div role="heading " aria-level="{{$item.thread_level}}" class="contact-info hidden-sm hidden-xs media-body"><!-- <= For computer -->
-			<h4 class="media-heading"><a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.sparkle}}">{{$item.name}}</span></a>
-			{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a>{{/if}}
-			{{if $item.lock}}<span class="navicon lock fakelink" onClick="lockview(event,{{$item.id}});" title="{{$item.lock}}" data-toggle="tooltip">&nbsp;<small><i class="fa fa-lock" aria-hidden="true"></i></small></span>{{/if}}
+			<h4 class="media-heading"><a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.sparkle}}">{{$item.name|escape}}</span></a>
+			{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a>{{/if}}
+			{{if $item.lock}}<span class="navicon lock fakelink" onClick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}" data-toggle="tooltip">&nbsp;<small><i class="fa fa-lock" aria-hidden="true"></i></small></span>{{/if}}
 			</h4>
 
 			<div class="additional-info text-muted">
 				<div id="wall-item-ago-{{$item.id}}" class="wall-item-ago">
-					<small><a href="{{$item.plink.orig}}"><span class="time" title="{{$item.localtime}}" data-toggle="tooltip"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></span></a></small>
+					<small><a href="{{$item.plink.orig}}"><span class="time" title="{{$item.localtime|escape}}" data-toggle="tooltip"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></span></a></small>
 				</div>
 
 				{{if $item.location}}
@@ -218,7 +218,7 @@ as the value of $top_child_total (this is done at the end of this file)
 		{{* contact info header for smartphones *}}
 		<div role="heading " aria-level="{{$item.thread_level}}" class="contact-info-xs hidden-lg hidden-md"><!-- <= For smartphone (responsive) -->
 			<h5 class="media-heading">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span>{{$item.name}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span>{{$item.name|escape}}</span></a>
 				<p class="text-muted">
 					<small><a class="time" href="{{$item.plink.orig}}"><span class="wall-item-ago">{{$item.ago}}</span></a> {{if $item.location}}&nbsp;&mdash;&nbsp;({{$item.location}}){{/if}}</small>
 				</p>
@@ -231,9 +231,9 @@ as the value of $top_child_total (this is done at the end of this file)
 		<div class="media-body">{{*this is the media body for comments - this div must be closed at the end of the file *}}
 		<div role="heading " aria-level="{{$item.thread_level}}" class="contact-info-comment">
 			<h5 class="media-heading">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span class="fakelink">{{$item.name}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span class="fakelink">{{$item.name|escape}}</span></a>
 				<span class="text-muted">
-					<small><a class="time" href="{{$item.plink.orig}}" title="{{$item.localtime}}" data-toggle="tooltip">{{$item.ago}}</a> {{if $item.location}}&nbsp;&mdash;&nbsp;({{$item.location}}){{/if}}</small>
+					<small><a class="time" href="{{$item.plink.orig}}" title="{{$item.localtime|escape}}" data-toggle="tooltip">{{$item.ago}}</a> {{if $item.location}}&nbsp;&mdash;&nbsp;({{$item.location}}){{/if}}</small>
 				</span>
 			</h5>
 		</div>
@@ -273,14 +273,14 @@ as the value of $top_child_total (this is done at the end of this file)
 		{{/if}}
 
 			{{foreach $item.folders as $cat}}
-				<span class="folder label btn-danger sm"><span class="p-category">{{$cat.name}}</span></a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+				<span class="folder label btn-danger sm"><span class="p-category">{{$cat.name|escape}}</span></a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 			{{/foreach}}
 
 			{{foreach $item.categories as $cat}}
-				<span class="category label btn-success sm"><span class="p-category">{{$cat.name}}</span></a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+				<span class="category label btn-success sm"><span class="p-category">{{$cat.name|escape}}</span></a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 			{{/foreach}}
 			</div>
-			{{if $item.edited}}<div class="itemedited text-muted">{{$item.edited['label']}} (<span title="{{$item.edited['date']}}">{{$item.edited['relative']}}</span>)</div>{{/if}}
+			{{if $item.edited}}<div class="itemedited text-muted">{{$item.edited['label']}} (<span title="{{$item.edited['date']|escape}}">{{$item.edited['relative']}}</span>)</div>{{/if}}
 		</div>
 		<!-- ./TODO -->
 
@@ -290,7 +290,7 @@ as the value of $top_child_total (this is done at the end of this file)
 			<div class="wall-item-actions-left pull-left">
 				<!--comment this out to try something different {{if $item.threaded}}{{if $item.comment}}
 				<div id="button-reply" class="pull-left">
-					<button type="button" class="btn-link" id="comment-{{$item.id}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"><i class="fa fa-reply" title="{{$item.switchcomment}}"></i> </span>
+					<button type="button" class="btn-link" id="comment-{{$item.id}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"><i class="fa fa-reply" title="{{$item.switchcomment|escape}}"></i> </span>
 				</div>
 				{{/if}}{{/if}}-->
 
@@ -299,13 +299,13 @@ as the value of $top_child_total (this is done at the end of this file)
 				{{* Buttons for like and dislike *}}
 				{{if $item.vote}}
 					{{if $item.vote.like}}
-					<button type="button" class="btn-link button-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="like-{{$item.id}}" title="{{$item.vote.like.0}}" onclick="doLikeAction({{$item.id}},'like');" data-toggle="button"><i class="fa fa-thumbs-up" aria-hidden="true"></i>&nbsp;{{$item.vote.like.1}}</button>
+					<button type="button" class="btn-link button-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="like-{{$item.id}}" title="{{$item.vote.like.0|escape}}" onclick="doLikeAction({{$item.id}},'like');" data-toggle="button"><i class="fa fa-thumbs-up" aria-hidden="true"></i>&nbsp;{{$item.vote.like.1}}</button>
 					{{/if}}
 					{{if $item.vote.like AND $item.vote.dislike}}
 					<span role="presentation" class="separator">•</span>
 					{{/if}}
 					{{if $item.vote.dislike}}
-					<button type="button" class="btn-link button-likes{{if $item.responses.dislike.self}} active" aria-pressed="true{{/if}}" id="dislike-{{$item.id}}" title="{{$item.vote.dislike.0}}" onclick="doLikeAction({{$item.id}},'dislike');" data-toggle="button"><i class="fa fa-thumbs-down" aria-hidden="true"></i>&nbsp;{{$item.vote.dislike.1}}</button>
+					<button type="button" class="btn-link button-likes{{if $item.responses.dislike.self}} active" aria-pressed="true{{/if}}" id="dislike-{{$item.id}}" title="{{$item.vote.dislike.0|escape}}" onclick="doLikeAction({{$item.id}},'dislike');" data-toggle="button"><i class="fa fa-thumbs-down" aria-hidden="true"></i>&nbsp;{{$item.vote.dislike.1}}</button>
 					{{/if}}
 
 					{{if ($item.vote.like OR $item.vote.dislike) AND $item.comment}}
@@ -315,7 +315,7 @@ as the value of $top_child_total (this is done at the end of this file)
 
 				{{* Button to open the comment text field *}}
 				{{if $item.comment}}
-				<button type="button" class="btn-link button-comments" id="comment-{{$item.id}}" title="{{$item.switchcomment}}" {{if $item.thread_level != 1}}onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});" {{else}} onclick="showHide('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"{{/if}}><i class="fa fa-commenting" aria-hidden="true"></i>&nbsp;{{$item.switchcomment}}</button>
+				<button type="button" class="btn-link button-comments" id="comment-{{$item.id}}" title="{{$item.switchcomment|escape}}" {{if $item.thread_level != 1}}onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});" {{else}} onclick="showHide('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"{{/if}}><i class="fa fa-commenting" aria-hidden="true"></i>&nbsp;{{$item.switchcomment}}</button>
 				{{/if}}
 
 				{{* Button for sharing the item *}}
@@ -324,25 +324,25 @@ as the value of $top_child_total (this is done at the end of this file)
 						{{if $item.vote.like OR $item.vote.dislike OR $item.comment}}
 					<span role="presentation" class="separator">•</span>
 						{{/if}}
-					<button type="button" class="btn-link button-votes" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}});"><i class="fa fa-retweet" aria-hidden="true"></i>&nbsp;{{$item.vote.share.1}}</button>
+					<button type="button" class="btn-link button-votes" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}});"><i class="fa fa-retweet" aria-hidden="true"></i>&nbsp;{{$item.vote.share.1}}</button>
 					{{/if}}
 				{{/if}}
-				<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+				<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 			</div>
 
 			<div class="wall-item-actions-right pull-right">
 				{{* Event attendance buttons *}}
 				{{if $item.isevent}}
 				<div class="vote-event">
-					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendyes.self}} active" aria-pressed="true{{/if}}" id="attendyes-{{$item.id}}" title="{{$item.attend.0}}" onclick="doLikeAction({{$item.id}},'attendyes');"><i class="fa fa-check" aria-hidden="true"><span class="sr-only">{{$item.attend.0}}</span></i></button>
-					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendno.self}} active" aria-pressed="true{{/if}}" id="attendno-{{$item.id}}" title="{{$item.attend.1}}" onclick="doLikeAction({{$item.id}},'attendno');"><i class="fa fa-times" aria-hidden="true"><span class="sr-only">{{$item.attend.1}}</span></i></button>
-					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendmaybe.self}} active" aria-pressed="true{{/if}}" id="attendmaybe-{{$item.id}}" title="{{$item.attend.2}}" onclick="doLikeAction({{$item.id}},'attendmaybe');"><i class="fa fa-question" aria-hidden="true"><span class="sr-only">{{$item.attend.2}}</span></i></button>
+					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendyes.self}} active" aria-pressed="true{{/if}}" id="attendyes-{{$item.id}}" title="{{$item.attend.0|escape}}" onclick="doLikeAction({{$item.id}},'attendyes');"><i class="fa fa-check" aria-hidden="true"><span class="sr-only">{{$item.attend.0}}</span></i></button>
+					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendno.self}} active" aria-pressed="true{{/if}}" id="attendno-{{$item.id}}" title="{{$item.attend.1|escape}}" onclick="doLikeAction({{$item.id}},'attendno');"><i class="fa fa-times" aria-hidden="true"><span class="sr-only">{{$item.attend.1}}</span></i></button>
+					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendmaybe.self}} active" aria-pressed="true{{/if}}" id="attendmaybe-{{$item.id}}" title="{{$item.attend.2|escape}}" onclick="doLikeAction({{$item.id}},'attendmaybe');"><i class="fa fa-question" aria-hidden="true"><span class="sr-only">{{$item.attend.2}}</span></i></button>
 				</div>
 				{{/if}}
 
 				<div class="pull-right checkbox">
 					{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" id="checkbox-{{$item.id}}" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" id="checkbox-{{$item.id}}" class="item-select" value="{{$item.id}}" />
 					<label for="checkbox-{{$item.id}}"></label>
 				{{/if}}
 				</div>
diff --git a/view/theme/quattro/templates/contact_template.tpl b/view/theme/quattro/templates/contact_template.tpl
index 2d59a8a256..bc7bd59557 100644
--- a/view/theme/quattro/templates/contact_template.tpl
+++ b/view/theme/quattro/templates/contact_template.tpl
@@ -1,12 +1,12 @@
 
 <div class="contact-wrapper" id="contact-entry-wrapper-{{$id}}" >
-	{{if $contact.ignlnk}}<a href="{{$contact.ignlnk}}" title="{{$contact.ignore}}" class="icon drophide profile-match-ignore" onmouseout="imgdull(this);" onmouseover="imgbright(this);" onclick="return confirmDelete();" ></a>{{/if}}
+	{{if $contact.ignlnk}}<a href="{{$contact.ignlnk}}" title="{{$contact.ignore|escape}}" class="icon drophide profile-match-ignore" onmouseout="imgdull(this);" onmouseover="imgbright(this);" onclick="return confirmDelete();" ></a>{{/if}}
 	<div class="contact-photo-wrapper" >
 		<div class="contact-photo mframe" id="contact-entry-photo-{{$contact.id}}"
 		onmouseover="if (typeof t{{$contact.id}} != 'undefined') clearTimeout(t{{$contact.id}}); openMenu('contact-photo-menu-button-{{$contact.id}}')" 
 		onmouseout="t{{$contact.id}}=setTimeout('closeMenu(\'contact-photo-menu-button-{{$contact.id}}\'); closeMenu(\'contact-photo-menu-{{$contact.id}}\');',200)" >
 
-			<a href="{{$contact.url}}" title="{{$contact.img_hover}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" /></a>
+			<a href="{{$contact.url}}" title="{{$contact.img_hover|escape}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" /></a>
 
 			{{if $multiselect}}
 			<input type="checkbox" class="contact-select" name="contact_batch[]" value="{{$contact.id}}">
@@ -27,7 +27,7 @@
 			
 	</div>
 	<div class="contact-name" id="contact-entry-name-{{$contact.id}}" >
-		{{$contact.name}}
+		{{$contact.name|escape}}
 		{{if $contact.account_type}} <span class="contact-entry-details" id="contact-entry-accounttype-{{$contact.id}}">({{$contact.account_type}})</span>{{/if}}
 	</div>
 	{{if $contact.alt_text}}<div class="contact-details" id="contact-entry-rel-{{$contact.id}}" >{{$contact.alt_text}}</div>{{/if}}
@@ -37,7 +37,7 @@
 	{{if $contact.network}}<div class="contact-details" id="contact-entry-network-{{$contact.id}}" >{{$contact.network}}</div>{{/if}}
 
 	{{if $contact.connlnk}}
-	<div class="contact-entry-connect"><a href="{{$contact.connlnk}}" title="{{$contact.conntxt}}">{{$contact.conntxt}}</a></div>
+	<div class="contact-entry-connect"><a href="{{$contact.connlnk}}" title="{{$contact.conntxt|escape}}">{{$contact.conntxt|escape}}</a></div>
 	{{/if}}
 
 
diff --git a/view/theme/quattro/templates/events.tpl b/view/theme/quattro/templates/events.tpl
index 7a50498ebd..0d3db22671 100644
--- a/view/theme/quattro/templates/events.tpl
+++ b/view/theme/quattro/templates/events.tpl
@@ -1,8 +1,6 @@
-
 {{$tabs}}
 <h2>{{$title}} <a class="actionbutton" href="{{$new_event.0}}" ><i class="icon add s10"></i> {{$new_event.1}}</a></h2>
 
-
 <div id="event-calendar-wrapper">
 	<a href="{{$previus.0}}" class="prevcal {{$previus.2}}"><div id="event-calendar-prev" class="icon s22 prev" title="{{$previus.1}}"></div></a>
 	{{$calendar}}
@@ -10,15 +8,13 @@
 </div>
 <div class="event-calendar-end"></div>
 
-
 {{foreach $events as $event}}
 	<div class="event">
 	{{if $event.is_first}}<hr /><a name="link-{{$event.j}}" ><div class="event-list-date">{{$event.d}}</div></a>{{/if}}
-	{{if $event.item.author_name}}<a href="{{$event.item.author_link}}" ><img src="{{$event.item.author_avatar}}" height="32" width="32" />{{$event.item.author_name}}</a>{{/if}}
+	{{if $event.item.author_name}}<a href="{{$event.item.author_link}}" ><img src="{{$event.item.author_avatar}}" height="32" width="32" />{{$event.item.author_name|escape}}</a>{{/if}}
 	{{$event.html}}
 	{{if $event.item.plink}}<a href="{{$event.plink.0}}" title="{{$event.plink.1}}" target="_blank" class="plink-event-link icon s22 remote-link"></a>{{/if}}
 	{{if $event.edit}}<a href="{{$event.edit.0}}" title="{{$event.edit.1}}" class="edit-event-link icon s22 pencil"></a>{{/if}}
 	</div>
 	<div class="clear"></div>
-
 {{/foreach}}
diff --git a/view/theme/quattro/templates/mail_conv.tpl b/view/theme/quattro/templates/mail_conv.tpl
index 89827cd314..f06d1cbcfb 100644
--- a/view/theme/quattro/templates/mail_conv.tpl
+++ b/view/theme/quattro/templates/mail_conv.tpl
@@ -2,8 +2,8 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper"
-				<a href="{{$mail.profile_url}}" target="redir" title="{{$mail.from_name}}" class="contact-photo-link" id="wall-item-photo-link-{{$mail.id}}">
-					<img src="{{$mail.from_photo}}" class="contact-photo{{$mail.sparkle}}" id="wall-item-photo-{{$mail.id}}" alt="{{$mail.from_name}}" />
+				<a href="{{$mail.profile_url}}" target="redir" title="{{$mail.from_name|escape}}" class="contact-photo-link" id="wall-item-photo-link-{{$mail.id}}">
+					<img src="{{$mail.from_photo}}" class="contact-photo{{$mail.sparkle}}" id="wall-item-photo-{{$mail.id}}" alt="{{$mail.from_name|escape}}" />
 				</a>
 			</div>
 		</div>
@@ -23,16 +23,16 @@
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
 				<a href="{{$mail.from_url}}" target="redir"
-                                class="wall-item-name-link" title="{{$mail.from_addr}}"><span
-                                class="wall-item-name{{$mail.sparkle}}">{{$mail.from_name}}</span></a>
-                                <span class="wall-item-ago" title="{{$mail.date}}">{{$mail.ago}}</span>
+                                class="wall-item-name-link" title="{{$mail.from_addr|escape}}"><span
+                                class="wall-item-name{{$mail.sparkle}}">{{$mail.from_name|escape}}</span></a>
+                                <span class="wall-item-ago" title="{{$mail.date|escape}}">{{$mail.ago|escape}}</span>
 			</div>
 			
 			<div class="wall-item-actions-social">
 			</div>
 			
 			<div class="wall-item-actions-tools">
-				<a href="message/drop/{{$mail.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$mail.delete}}">{{$mail.delete}}</a>
+				<a href="message/drop/{{$mail.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$mail.delete|escape}}">{{$mail.delete|escape}}</a>
 			</div>
 			
 		</div>
@@ -47,14 +47,14 @@
 
 <div class="mail-conv-outside-wrapper">
 	<div class="mail-conv-sender" >
-		<a href="{{$mail.from_url}}" title="{{$mail.from_addr}}" class="mail-conv-sender-url" ><img class="mframe mail-conv-sender-photo{{$mail.sparkle}}" src="{{$mail.from_photo}}" heigth="80" width="80" alt="{{$mail.from_name}}" title="{{$mail.from_addr}}" /></a>
+		<a href="{{$mail.from_url}}" title="{{$mail.from_addr|escape}}" class="mail-conv-sender-url" ><img class="mframe mail-conv-sender-photo{{$mail.sparkle}}" src="{{$mail.from_photo}}" heigth="80" width="80" alt="{{$mail.from_name|escape}}" title="{{$mail.from_addr|escape}}" /></a>
 	</div>
 	<div class="mail-conv-detail" >
-		<div class="mail-conv-sender-name" >{{$mail.from_name}}</div>
+		<div class="mail-conv-sender-name" >{{$mail.from_name|escape}}</div>
 		<div class="mail-conv-date">{{$mail.date}}</div>
 		<div class="mail-conv-subject">{{$mail.subject}}</div>
 		<div class="mail-conv-body">{{$mail.body}}</div>
-	<div class="mail-conv-delete-wrapper" id="mail-conv-delete-wrapper-{{$mail.id}}" ><a href="message/drop/{{$mail.id}}" class="icon drophide delete-icon mail-list-delete-icon" onclick="return confirmDelete();" title="{{$mail.delete}}" id="mail-conv-delete-icon-{{$mail.id}}" class="mail-conv-delete-icon" onmouseover="imgbright(this);" onmouseout="imgdull(this);" ></a></div><div class="mail-conv-delete-end"></div>
+	<div class="mail-conv-delete-wrapper" id="mail-conv-delete-wrapper-{{$mail.id}}" ><a href="message/drop/{{$mail.id}}" class="icon drophide delete-icon mail-list-delete-icon" onclick="return confirmDelete();" title="{{$mail.delete|escape}}" id="mail-conv-delete-icon-{{$mail.id}}" class="mail-conv-delete-icon" onmouseover="imgbright(this);" onmouseout="imgdull(this);" ></a></div><div class="mail-conv-delete-end"></div>
 	<div class="mail-conv-outside-wrapper-end"></div>
 </div>
 </div>
diff --git a/view/theme/quattro/templates/profile_vcard.tpl b/view/theme/quattro/templates/profile_vcard.tpl
index d25234b733..f999f1f572 100644
--- a/view/theme/quattro/templates/profile_vcard.tpl
+++ b/view/theme/quattro/templates/profile_vcard.tpl
@@ -1,15 +1,15 @@
 <div class="vcard h-card">
 
 	<div class="tool">
-		<div class="fn label p-name">{{$profile.name}}</div>
+		<div class="fn label p-name">{{$profile.name|escape}}</div>
 		{{if $profile.edit}}
 			<div class="action">
-			<a class="icon s16 edit ttright" href="#" rel="#profiles-menu" title="{{$profile.edit.3}}"><span>{{$profile.edit.1}}</span></a>
+			<a class="icon s16 edit ttright" href="#" rel="#profiles-menu" title="{{$profile.edit.3|escape}}"><span>{{$profile.edit.1}}</span></a>
 			<ul id="profiles-menu" class="menu-popup">
 			{{if $profile.menu.entries}}
 				{{foreach $profile.menu.entries as $e}}
 				<li>
-					<a href="profiles/{{$e.id}}"><img src='{{$e.photo}}'>{{$e.profile_name}}</a>
+					<a href="profiles/{{$e.id}}"><img src='{{$e.photo}}'>{{$e.profile_name|escape}}</a>
 				</li>
 				{{/foreach}}
 			{{else}}
@@ -29,7 +29,7 @@
 	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
 
 	{{if $pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
-	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}" /></div>
+	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}" /></div>
 
 	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
 
diff --git a/view/theme/quattro/templates/search_item.tpl b/view/theme/quattro/templates/search_item.tpl
index cf79b24c07..33bf5fbb8a 100644
--- a/view/theme/quattro/templates/search_item.tpl
+++ b/view/theme/quattro/templates/search_item.tpl
@@ -1,7 +1,7 @@
 <div class="wall-item-decor">
-	{{if $item.star}}<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred}}">{{$item.star.starred}}</span>{{/if}}
-	{{if $item.lock}}<span class="icon s22 lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock}}">{{$item.lock}}</span>{{/if}}
-	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+	{{if $item.star}}<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred|escape}}">{{$item.star.starred|escape}}</span>{{/if}}
+	{{if $item.lock}}<span class="icon s22 lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}">{{$item.lock|escape}}</span>{{/if}}
+	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 </div>
 
 <div class="wall-item-container {{$item.indent}}">
@@ -10,8 +10,8 @@
 			<div class="contact-photo-wrapper"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
 				onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
+					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				</a>
 				<a href="#" rel="#wall-item-photo-menu-{{$item.id}}" class="contact-photo-menu-button icon s16 menu" id="wall-item-photo-menu-button-{{$item.id}}">menu</a>
 				<ul class="wall-item-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
@@ -39,40 +39,40 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
+			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name}}</span></a> <span class="wall-item-ago" title="{{$item.localtime}}">{{$item.ago}}</span>
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a> <span class="wall-item-ago" title="{{$item.localtime|escape}}">{{$item.ago}}</span>
 			</div>
 
 			<div class="wall-item-actions-social">
 			{{if $item.star}}
-				<a href="#" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}"  title="{{$item.star.do}}">{{$item.star.do}}</a>
-				<a href="#" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo}}">{{$item.star.undo}}</a>
-				<a href="#" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.star.classtagger}}" title="{{$item.star.tagger}}">{{$item.star.tagger}}</a>
+				<a href="#" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}"  title="{{$item.star.do|escape}}">{{$item.star.do}}</a>
+				<a href="#" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo|escape}}">{{$item.star.undo}}</a>
+				<a href="#" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.star.classtagger}}" title="{{$item.star.tagger|escape}}">{{$item.star.tagger}}</a>
 			{{/if}}
 
 			{{if $item.vote}}
-				<a href="#" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active{{/if}}" title="{{$item.vote.like.0}}" onclick="dolike({{$item.id}},'like'); return false">{{$item.vote.like.1}}</a>
-				<a href="#" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active{{/if}}" title="{{$item.vote.dislike.0}}" onclick="dolike({{$item.id}},'dislike'); return false">{{$item.vote.dislike.1}}</a>
+				<a href="#" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active{{/if}}" title="{{$item.vote.like.0|escape}}" onclick="dolike({{$item.id}},'like'); return false">{{$item.vote.like.1}}</a>
+				<a href="#" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active{{/if}}" title="{{$item.vote.dislike.0|escape}}" onclick="dolike({{$item.id}},'dislike'); return false">{{$item.vote.dislike.1}}</a>
 			{{/if}}
 
 			{{if $item.vote.share}}
-				<a href="#" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}}); return false">{{$item.vote.share.1}}</a>
+				<a href="#" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}}); return false">{{$item.vote.share.1}}</a>
 			{{/if}}
 			</div>
 
 			<div class="wall-item-actions-tools">
 
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete}}">{{$item.drop.delete}}</a>
+					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete|escape}}">{{$item.drop.delete}}</a>
 				{{/if}}
 				{{if $item.edpost}}
-					<a class="icon edit s16" href="{{$item.edpost.0}}" title="{{$item.edpost.1}}"></a>
+					<a class="icon edit s16" href="{{$item.edpost.0}}" title="{{$item.edpost.1|escape}}"></a>
 				{{/if}}
 			</div>
 
@@ -84,7 +84,7 @@
 		<div class="wall-item-dislike" id="wall-item-dislike-{{$item.id}}">{{$item.dislike}}</div>
 		{{if $item.conv}}
 		<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
-			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'>{{$item.conv.title}}</a>
+			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'>{{$item.conv.title|escape}}</a>
 		</div>
 		{{/if}}
 	</div>
diff --git a/view/theme/quattro/templates/wall_item_tag.tpl b/view/theme/quattro/templates/wall_item_tag.tpl
index efcb528881..d9510da438 100644
--- a/view/theme/quattro/templates/wall_item_tag.tpl
+++ b/view/theme/quattro/templates/wall_item_tag.tpl
@@ -26,8 +26,8 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link" id="wall-item-photo-link-{{$item.id}}">
-					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="contact-photo-link" id="wall-item-photo-link-{{$item.id}}">
+					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				</a>
 				<ul class="contact-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
 				{{$item.item_photo_menu}}
@@ -41,10 +41,10 @@
 		</div>
 			<div class="wall-item-tools">
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete}}">{{$item.drop.delete}}</a>
+					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete|escape}}">{{$item.drop.delete}}</a>
 				{{/if}}
 			</div>
 	</div>
diff --git a/view/theme/quattro/templates/wall_thread.tpl b/view/theme/quattro/templates/wall_thread.tpl
index fda871b196..694557ccae 100644
--- a/view/theme/quattro/templates/wall_thread.tpl
+++ b/view/theme/quattro/templates/wall_thread.tpl
@@ -41,7 +41,7 @@
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
 				onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
-					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				</a>
 				<a href="#" rel="#wall-item-photo-menu-{{$item.id}}" class="contact-photo-menu-button icon s16 menu" id="wall-item-photo-menu-button-{{$item.id}}">menu</a>
 				<ul class="contact-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
@@ -52,7 +52,7 @@
 			{{if $item.owner_url}}
 			<div class="contact-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
 				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name}}" />
+					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name|escape}}" />
 				</a>
 			</div>
 			{{/if}}
@@ -71,7 +71,7 @@
 			{{foreach $item.hashtags as $tag}}
 				<span class="tag">{{$tag}}</span>
 			{{/foreach}}
-  			{{foreach $item.mentions as $tag}}
+			{{foreach $item.mentions as $tag}}
 				<span class="mention">{{$tag}}</span>
 			{{/foreach}}
 			{{foreach $item.folders as $cat}}
@@ -92,9 +92,9 @@
 				<a href="{{$item.profile_url}}" target="redir"
                                 title="{{$item.linktitle}}"
                                 class="wall-item-name-link"><span
-                                class="wall-item-name{{$item.sparkle}}">{{$item.name}}</span></a>
+                                class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a>
                                 <span class="wall-item-ago" title="{{$item.localtime}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></span>
-				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a> {{$item.vwall}}
+				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}
 				 {{/if}}
 			</div>
 
diff --git a/view/theme/quattro/templates/widget_forumlist.tpl b/view/theme/quattro/templates/widget_forumlist.tpl
index 35c54bc690..050c991cfe 100644
--- a/view/theme/quattro/templates/widget_forumlist.tpl
+++ b/view/theme/quattro/templates/widget_forumlist.tpl
@@ -24,7 +24,7 @@ function showHideForumlist() {
 			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
 				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
 			</a>
-			<a class="forum-widget-link" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
+			<a class="forum-widget-link" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name|escape}}</a>
 		</li>
 		{{/if}}
 	
@@ -34,7 +34,7 @@ function showHideForumlist() {
 			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
 				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
 			</a>
-			<a class="forum-widget-link" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
+			<a class="forum-widget-link" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name|escape}}</a>
 		</li>
 		{{/if}}
 		{{/foreach}}
diff --git a/view/theme/vier/templates/ch_connectors.tpl b/view/theme/vier/templates/ch_connectors.tpl
index 2ca114807b..9aa81740b9 100644
--- a/view/theme/vier/templates/ch_connectors.tpl
+++ b/view/theme/vier/templates/ch_connectors.tpl
@@ -1,2 +1,2 @@
-<a href="{{$url}}/settings/connectors"><img alt="{{$alt_text}}" src="{{$photo}}" title="{{$alt_text}}"></a>
+<a href="{{$url}}/settings/connectors"><img alt="{{$alt_text|escape}}" src="{{$photo}}" title="{{$alt_text|escape}}"></a>
 
diff --git a/view/theme/vier/templates/ch_directory_item.tpl b/view/theme/vier/templates/ch_directory_item.tpl
index 6813e1186e..9d25b3294b 100644
--- a/view/theme/vier/templates/ch_directory_item.tpl
+++ b/view/theme/vier/templates/ch_directory_item.tpl
@@ -4,7 +4,7 @@
 	<div class="directory-photo-wrapper" id="directory-photo-wrapper-{{$id}}" > 
 		<div class="directory-photo" id="directory-photo-{{$id}}" >
 			<a href="{{$profile_link}}" class="directory-profile-link" id="directory-profile-link-{{$id}}" >
-				<img class="directory-photo-img" src="{{$photo}}" alt="{{$alt_text}}" title="{{$alt_text}}" />
+				<img class="directory-photo-img" src="{{$photo}}" alt="{{$alt_text|escape}}" title="{{$alt_text|escape}}" />
 			</a>
 		</div>
 	</div>
diff --git a/view/theme/vier/templates/comment_item.tpl b/view/theme/vier/templates/comment_item.tpl
index 3e72df6dc6..af8fa4c9d1 100644
--- a/view/theme/vier/templates/comment_item.tpl
+++ b/view/theme/vier/templates/comment_item.tpl
@@ -14,7 +14,7 @@
 				<input type="hidden" name="post_id_random" value="{{$rand_num}}" />
 
 				<div class="comment-edit-photo" id="comment-edit-photo-{{$id}}">
-					<a class="comment-edit-photo-link" href="{{$mylink}}" title="{{$mytitle}}"><img class="my-comment-photo" src="{{$myphoto}}" alt="{{$mytitle}}" title="{{$mytitle}}" /></a>
+					<a class="comment-edit-photo-link" href="{{$mylink}}" title="{{$mytitle|escape}}"><img class="my-comment-photo" src="{{$myphoto}}" alt="{{$mytitle|escape}}" title="{{$mytitle|escape}}" /></a>
 				</div>
 				<div class="comment-edit-photo-end"></div>
 				<textarea id="comment-edit-text-{{$id}}" class="comment-edit-text-empty" name="body" placeholder="{{$comment}}" onFocus="commentOpen(this,{{$id}});"></textarea>
@@ -31,14 +31,14 @@
 				<div class="comment-edit-submit-wrapper" id="comment-edit-submit-wrapper-{{$id}}" style="display: none;">
 
 				<div class="comment-edit-bb">
-	                                <a title="{{$edimg}}" data-role="insert-formatting" data-bbcode="img" data-id="{{$id}}"><i class="icon-picture"></i></a>
-	                                <a title="{{$edurl}}" data-role="insert-formatting" data-bbcode="url" data-id="{{$id}}"><i class="icon-link"></i></a>
-	                                <a title="{{$edvideo}}" data-role="insert-formatting" data-bbcode="video" data-id="{{$id}}"><i class="icon-film"></i></a>
+	                                <a title="{{$edimg|escape}}" data-role="insert-formatting" data-bbcode="img" data-id="{{$id}}"><i class="icon-picture"></i></a>
+	                                <a title="{{$edurl|escape}}" data-role="insert-formatting" data-bbcode="url" data-id="{{$id}}"><i class="icon-link"></i></a>
+	                                <a title="{{$edvideo|escape}}" data-role="insert-formatting" data-bbcode="video" data-id="{{$id}}"><i class="icon-film"></i></a>
 
-	                                <a title="{{$eduline}}" data-role="insert-formatting" data-bbcode="u" data-id="{{$id}}"><i class="icon-underline"></i></a>
-	                                <a title="{{$editalic}}" data-role="insert-formatting" data-bbcode="i" data-id="{{$id}}"><i class="icon-italic"></i></a>
-	                                <a title="{{$edbold}}" data-role="insert-formatting" data-bbcode="b" data-id="{{$id}}"><i class="icon-bold"></i></a>
-	                                <a title="{{$edquote}}" data-role="insert-formatting" data-bbcode="quote" data-id="{{$id}}"><i class="icon-quote-left"></i></a>
+	                                <a title="{{$eduline|escape}}" data-role="insert-formatting" data-bbcode="u" data-id="{{$id}}"><i class="icon-underline"></i></a>
+	                                <a title="{{$editalic|escape}}" data-role="insert-formatting" data-bbcode="i" data-id="{{$id}}"><i class="icon-italic"></i></a>
+	                                <a title="{{$edbold|escape}}" data-role="insert-formatting" data-bbcode="b" data-id="{{$id}}"><i class="icon-bold"></i></a>
+	                                <a title="{{$edquote|escape}}" data-role="insert-formatting" data-bbcode="quote" data-id="{{$id}}"><i class="icon-quote-left"></i></a>
 
                                 </div>
 					<input type="submit" onclick="post_comment({{$id}}); return false;" id="comment-edit-submit-{{$id}}" class="comment-edit-submit" name="submit" value="{{$submit}}" />
diff --git a/view/theme/vier/templates/contact_template.tpl b/view/theme/vier/templates/contact_template.tpl
index c4ed99caa4..f36995e9c2 100644
--- a/view/theme/vier/templates/contact_template.tpl
+++ b/view/theme/vier/templates/contact_template.tpl
@@ -5,8 +5,8 @@
 		<!-- onmouseover="if (typeof t{{$contact.id}} != 'undefined') clearTimeout(t{{$contact.id}}); openMenu('contact-photo-menu-button-{{$contact.id}}')" 
 		onmouseout="t{{$contact.id}}=setTimeout('closeMenu(\'contact-photo-menu-button-{{$contact.id}}\'); closeMenu(\'contact-photo-menu-{{$contact.id}}\');',200)" > -->
 
-			<!-- <a href="{{$contact.url}}" title="{{$contact.img_hover}}" /></a> -->
-			<img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" />
+			<!-- <a href="{{$contact.url}}" title="{{$contact.img_hover|escape}}" /></a> -->
+			<img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" />
 
 			{{if $multiselect}}
 			<input type="checkbox" class="contact-select" name="contact_batch[]" value="{{$contact.id}}">
@@ -32,7 +32,7 @@
 	
 	<div class="contact-entry-desc">
 		<div class="contact-entry-name" id="contact-entry-name-{{$contact.id}}" >
-			{{$contact.name}}
+			{{$contact.name|escape}}
 			{{if $contact.account_type}} <span class="contact-entry-details" id="contact-entry-accounttype-{{$contact.id}}">({{$contact.account_type}})</span>{{/if}}
 		</div>
 		{{if $contact.alt_text}}<div class="contact-entry-details" id="contact-entry-rel-{{$contact.id}}" >{{$contact.alt_text}}</div>{{/if}}
diff --git a/view/theme/vier/templates/nav.tpl b/view/theme/vier/templates/nav.tpl
index 376fcdc312..70dee37550 100644
--- a/view/theme/vier/templates/nav.tpl
+++ b/view/theme/vier/templates/nav.tpl
@@ -14,42 +14,42 @@
 		</li>
 		{{if $nav.home}}
 			<li role="menuitem" id="nav-home-link" class="nav-menu {{$sel.home}}">
-				<a accesskey="p" class="{{$nav.home.2}} desktop-view" href="{{$nav.home.0}}" title="{{$nav.home.3}}" >{{$nav.home.1}}</a>
-				<a class="{{$nav.home.2}} mobile-view" href="{{$nav.home.0}}" title="{{$nav.home.3}}" ><i class="icon s22 icon-home"></i></a>
+				<a accesskey="p" class="{{$nav.home.2}} desktop-view" href="{{$nav.home.0}}" title="{{$nav.home.3|escape}}" >{{$nav.home.1}}</a>
+				<a class="{{$nav.home.2}} mobile-view" href="{{$nav.home.0}}" title="{{$nav.home.3|escape}}" ><i class="icon s22 icon-home"></i></a>
 				<span id="home-update" class="nav-notify"></span>
 			</li>
 		{{/if}}
 		{{if $nav.network}}
 			<li role="menuitem" id="nav-network-link" class="nav-menu {{$sel.network}}">
-				<a accesskey="n" class="{{$nav.network.2}} desktop-view" href="{{$nav.network.0}}" title="{{$nav.network.3}}" >{{$nav.network.1}}</a>
-				<a class="{{$nav.network.2}} mobile-view" href="{{$nav.network.0}}" title="{{$nav.network.3}}" ><i class="icon s22 icon-th"></i></a>
+				<a accesskey="n" class="{{$nav.network.2}} desktop-view" href="{{$nav.network.0}}" title="{{$nav.network.3|escape}}" >{{$nav.network.1}}</a>
+				<a class="{{$nav.network.2}} mobile-view" href="{{$nav.network.0}}" title="{{$nav.network.3|escape}}" ><i class="icon s22 icon-th"></i></a>
 				<span id="net-update" class="nav-notify"></span>
 			</li>
 		{{/if}}
 		{{if $nav.events}}
 			<li role="menuitem" id="nav-events-link" class="nav-menu {{$sel.events}}">
-				<a accesskey="e" class="{{$nav.events.2}} desktop-view" href="{{$nav.events.0}}" title="{{$nav.events.3}}" >{{$nav.events.1}}</a>
-				<a class="{{$nav.events.2}} mobile-view" href="{{$nav.events.0}}" title="{{$nav.events.3}}" ><i class="icon s22 icon-calendar"></i></a>
+				<a accesskey="e" class="{{$nav.events.2}} desktop-view" href="{{$nav.events.0}}" title="{{$nav.events.3|escape}}" >{{$nav.events.1}}</a>
+				<a class="{{$nav.events.2}} mobile-view" href="{{$nav.events.0}}" title="{{$nav.events.3|escape}}" ><i class="icon s22 icon-calendar"></i></a>
 			</li>
 		{{/if}}
 		{{if $nav.community}}
 			<li role="menuitem" id="nav-community-link" class="nav-menu {{$sel.community}}">
-				<a accesskey="c" class="{{$nav.community.2}} desktop-view" href="{{$nav.community.0}}" title="{{$nav.community.3}}" >{{$nav.community.1}}</a>
-				<a class="{{$nav.community.2}} mobile-view" href="{{$nav.community.0}}" title="{{$nav.community.3}}" ><i class="icon s22 icon-bullseye"></i></a>
+				<a accesskey="c" class="{{$nav.community.2}} desktop-view" href="{{$nav.community.0}}" title="{{$nav.community.3|escape}}" >{{$nav.community.1}}</a>
+				<a class="{{$nav.community.2}} mobile-view" href="{{$nav.community.0}}" title="{{$nav.community.3|escape}}" ><i class="icon s22 icon-bullseye"></i></a>
 			</li>
 		{{/if}}
 
 		<li role="menu" aria-haspopup="true" id="nav-site-linkmenu" class="nav-menu-icon"><a><span class="icon s22 icon-question"><span class="sr-only">{{$nav.help.3}}</span></span></a>
 			<ul id="nav-site-menu" class="menu-popup">
-				{{if $nav.help}} <li role="menuitem"><a class="{{$nav.help.2}}" href="{{$nav.help.0}}" title="{{$nav.help.3}}" >{{$nav.help.1}}</a></li>{{/if}}
-				<li role="menuitem"><a class="{{$nav.about.2}}" href="{{$nav.about.0}}" title="{{$nav.about.3}}" >{{$nav.about.1}}</a></li>
-				{{if $nav.tos}}<a class="{{$nav.tos.2}}" href="{{$nav.tos.0}}" title="{{$nav.tos.3}}" >{{$nav.tos.1}}</a></li>{{/if}}
-				<li role="menuitem"><a class="{{$nav.directory.2}}" href="{{$nav.directory.0}}" title="{{$nav.directory.3}}" >{{$nav.directory.1}}</a></li>
+				{{if $nav.help}} <li role="menuitem"><a class="{{$nav.help.2}}" href="{{$nav.help.0}}" title="{{$nav.help.3|escape}}" >{{$nav.help.1}}</a></li>{{/if}}
+				<li role="menuitem"><a class="{{$nav.about.2}}" href="{{$nav.about.0}}" title="{{$nav.about.3|escape}}" >{{$nav.about.1}}</a></li>
+				{{if $nav.tos}}<a class="{{$nav.tos.2}}" href="{{$nav.tos.0}}" title="{{$nav.tos.3|escape}}" >{{$nav.tos.1}}</a></li>{{/if}}
+				<li role="menuitem"><a class="{{$nav.directory.2}}" href="{{$nav.directory.0}}" title="{{$nav.directory.3|escape}}" >{{$nav.directory.1}}</a></li>
 			</ul>
 		</li>
 
 		{{if $nav.notifications}}
-			<li role="menu" aria-haspopup="true" id="nav-notifications-linkmenu" class="nav-menu-icon"><a title="{{$nav.notifications.1}}"><span class="icon s22 icon-bell tilted-icon"><span class="sr-only">{{$nav.notifications.1}}</span></span></a>
+			<li role="menu" aria-haspopup="true" id="nav-notifications-linkmenu" class="nav-menu-icon"><a title="{{$nav.notifications.1|escape}}"><span class="icon s22 icon-bell tilted-icon"><span class="sr-only">{{$nav.notifications.1}}</span></span></a>
 				<span id="notify-update" class="nav-notify"></span>
 				<ul id="nav-notifications-menu" class="menu-popup">
 					<li role="menuitem" id="nav-notifications-mark-all"><a onclick="notifyMarkAll(); return false;">{{$nav.notifications.mark.1}}</a></li>
@@ -61,22 +61,22 @@
 
 		{{if $userinfo}}
 			<li role="menu" aria-haspopup="true" id="nav-user-linkmenu" class="nav-menu">
-				<a accesskey="u" title="{{$sitelocation}}"><img src="{{$userinfo.icon}}" alt="{{$userinfo.name}}"><span id="nav-user-linklabel">{{$userinfo.name}}</span><span id="intro-update" class="nav-notify"></span></a>
+				<a accesskey="u" title="{{$sitelocation|escape}}"><img src="{{$userinfo.icon}}" alt="{{$userinfo.name|escape}}"><span id="nav-user-linklabel">{{$userinfo.name|escape}}</span><span id="intro-update" class="nav-notify"></span></a>
 				<ul id="nav-user-menu" class="menu-popup">
-					{{if $nav.introductions}}<li role="menuitem"><a class="{{$nav.introductions.2}}" href="{{$nav.introductions.0}}" title="{{$nav.introductions.3}}" >{{$nav.introductions.1}}</a><span id="intro-update-li" class="nav-notify"></span></li>{{/if}}
-					{{if $nav.contacts}}<li role="menuitem"><a class="{{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3}}" >{{$nav.contacts.1}}</a></li>{{/if}}
-					{{if $nav.messages}}<li role="menuitem"><a class="{{$nav.messages.2}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3}}" >{{$nav.messages.1}}</a><span id="mail-update" class="nav-notify"></span></a></li>{{/if}}
-					{{if $nav.manage}}<li role="menuitem"><a class="{{$nav.manage.2}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3}}">{{$nav.manage.1}}</a></li>{{/if}}
-					{{if $nav.usermenu.1}}<li role="menuitem"><a class="{{$nav.usermenu.1.2}}" href="{{$nav.usermenu.1.0}}" title="{{$nav.usermenu.1.3}}">{{$nav.usermenu.1.1}}</a></li>{{/if}}
-					{{if $nav.settings}}<li role="menuitem"><a class="{{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3}}">{{$nav.settings.1}}</a></li>{{/if}}
-					{{if $nav.logout}}<li role="menuitem"><a class="menu-sep {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3}}" >{{$nav.logout.1}}</a></li>{{/if}}
+					{{if $nav.introductions}}<li role="menuitem"><a class="{{$nav.introductions.2}}" href="{{$nav.introductions.0}}" title="{{$nav.introductions.3|escape}}" >{{$nav.introductions.1}}</a><span id="intro-update-li" class="nav-notify"></span></li>{{/if}}
+					{{if $nav.contacts}}<li role="menuitem"><a class="{{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3|escape}}" >{{$nav.contacts.1}}</a></li>{{/if}}
+					{{if $nav.messages}}<li role="menuitem"><a class="{{$nav.messages.2}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3|escape}}" >{{$nav.messages.1}}</a><span id="mail-update" class="nav-notify"></span></a></li>{{/if}}
+					{{if $nav.manage}}<li role="menuitem"><a class="{{$nav.manage.2}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3|escape}}">{{$nav.manage.1}}</a></li>{{/if}}
+					{{if $nav.usermenu.1}}<li role="menuitem"><a class="{{$nav.usermenu.1.2}}" href="{{$nav.usermenu.1.0}}" title="{{$nav.usermenu.1.3|escape}}">{{$nav.usermenu.1.1}}</a></li>{{/if}}
+					{{if $nav.settings}}<li role="menuitem"><a class="{{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3|escape}}">{{$nav.settings.1}}</a></li>{{/if}}
+					{{if $nav.logout}}<li role="menuitem"><a class="menu-sep {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3|escape}}" >{{$nav.logout.1}}</a></li>{{/if}}
 				</ul>
 			</li>
 		{{/if}}
 
 		{{if $nav.login}}
 			<li role="menuitem" id="nav-login-link" class="nav-menu">
-				<a class="{{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3}}" >{{$nav.login.1}}</a>
+				<a class="{{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3|escape}}" >{{$nav.login.1}}</a>
 			</li>
 		{{/if}}
 
@@ -96,13 +96,13 @@
 
 		{{if $nav.admin}}
 			<li role="menuitem" id="nav-admin-link" class="nav-menu">
-				<a accesskey="a" class="{{$nav.admin.2}} icon-sliders" href="{{$nav.admin.0}}" title="{{$nav.admin.3}}" ><span class="sr-only">{{$nav.admin.3}}</span></a>
+				<a accesskey="a" class="{{$nav.admin.2}} icon-sliders" href="{{$nav.admin.0}}" title="{{$nav.admin.3|escape}}" ><span class="sr-only">{{$nav.admin.3|escape}}</span></a>
 			</li>
 		{{/if}}
 
 		{{if $nav.apps}}
 			<li role="menu" aria-haspopup="true" id="nav-apps-link" class="nav-menu {{$sel.apps}}">
-				<a class=" {{$nav.apps.2}}" title="{{$nav.apps.3}}" >{{$nav.apps.1}}</a>
+				<a class=" {{$nav.apps.2}}" title="{{$nav.apps.3|escape}}" >{{$nav.apps.1}}</a>
 				<ul id="nav-apps-menu" class="menu-popup">
 					{{foreach $apps as $ap}}
 					<li role="menuitem">{{$ap}}</li>
diff --git a/view/theme/vier/templates/photo_item.tpl b/view/theme/vier/templates/photo_item.tpl
index bc77eaa9cd..f696a683a6 100644
--- a/view/theme/vier/templates/photo_item.tpl
+++ b/view/theme/vier/templates/photo_item.tpl
@@ -2,15 +2,15 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper">
-				<a href="{{$profile_url}}" target="redir" title="{{$linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$id}}">
-					<img src="{{$thumb}}" class="contact-photo{{$sparkle}}" id="wall-item-photo-{{$id}}" alt="{{$name}}" />
+				<a href="{{$profile_url}}" target="redir" title="{{$linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$id}}">
+					<img src="{{$thumb}}" class="contact-photo{{$sparkle}}" id="wall-item-photo-{{$id}}" alt="{{$name|escape}}" />
 				</a>
 			</div>
 		</div>
 		<div class="wall-item-actions-author">
-			<a href="{{$profile_url}}" target="redir" title="{{$linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$sparkle}}">{{$name}}</span></a>
+			<a href="{{$profile_url}}" target="redir" title="{{$linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$sparkle}}">{{$name|escape}}</span></a>
 			<span class="wall-item-ago">
-				{{if $plink}}<a class="link" title="{{$plink.title}}" href="{{$plink.href}}" style="color: #999">{{$ago}}</a>{{else}} {{$ago}} {{/if}}
+				{{if $plink}}<a class="link" title="{{$plink.title|escape}}" href="{{$plink.href}}" style="color: #999">{{$ago}}</a>{{else}} {{$ago}} {{/if}}
 				{{if $lock}}<span class="fakelink" style="color: #999" onclick="lockview(event,{{$id}});">{{$lock}}</span> {{/if}}
 			</span>
 		</div>
@@ -31,8 +31,8 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			<!-- {{if $plink}}<a title="{{$plink.title}}" href="{{$plink.href}}"><i class="icon-link icon-large"></i></a>{{/if}} -->
-			{{if $conv}}<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title}}'><i class="icon-link icon-large"></i></a>{{/if}}
+			<!-- {{if $plink}}<a title="{{$plink.title|escape}}" href="{{$plink.href}}"><i class="icon-link icon-large"></i></a>{{/if}} -->
+			{{if $conv}}<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title|escape}}'><i class="icon-link icon-large"></i></a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 
@@ -40,31 +40,31 @@
 
 			<div class="wall-item-actions-social">
 			{{if $star}}
-				<a href="#" id="star-{{$id}}" onclick="dostar({{$id}}); return false;"  class="{{$star.classdo}}"  title="{{$star.do}}">{{$star.do}}</a>
-				<a href="#" id="unstar-{{$id}}" onclick="dostar({{$id}}); return false;"  class="{{$star.classundo}}"  title="{{$star.undo}}">{{$star.undo}}</a>
-				<a href="#" id="tagger-{{$id}}" onclick="itemTag({{$id}}); return false;" class="{{$star.classtagger}}" title="{{$star.tagger}}">{{$star.tagger}}</a>
+				<a href="#" id="star-{{$id}}" onclick="dostar({{$id}}); return false;"  class="{{$star.classdo}}"  title="{{$star.do|escape}}">{{$star.do}}</a>
+				<a href="#" id="unstar-{{$id}}" onclick="dostar({{$id}}); return false;"  class="{{$star.classundo}}"  title="{{$star.undo|escape}}">{{$star.undo}}</a>
+				<a href="#" id="tagger-{{$id}}" onclick="itemTag({{$id}}); return false;" class="{{$star.classtagger}}" title="{{$star.tagger|escape}}">{{$star.tagger}}</a>
 			{{/if}}
 
 			{{if $vote}}
-				<a href="#" id="like-{{$id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$vote.like.0}}" onclick="dolike({{$id}},'like'); return false">{{$vote.like.1}}</a>
-				<a href="#" id="dislike-{{$id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$vote.dislike.0}}" onclick="dolike({{$id}},'dislike'); return false">{{$vote.dislike.1}}</a>
+				<a href="#" id="like-{{$id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$vote.like.0|escape}}" onclick="dolike({{$id}},'like'); return false">{{$vote.like.1}}</a>
+				<a href="#" id="dislike-{{$id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$vote.dislike.0|escape}}" onclick="dolike({{$id}},'dislike'); return false">{{$vote.dislike.1}}</a>
 			{{/if}}
 
 			{{if $vote.share}}
-				<a href="#" id="share-{{$id}}" title="{{$vote.share.0}}" onclick="jotShare({{$id}}); return false">{{$vote.share.1}}</a>
+				<a href="#" id="share-{{$id}}" title="{{$vote.share.0|escape}}" onclick="jotShare({{$id}}); return false">{{$vote.share.1}}</a>
 			{{/if}}
 			</div>
 
 			<div class="wall-item-actions-tools">
 
 				{{if $drop.pagedrop}}
-					<input type="checkbox" title="{{$drop.select}}" name="itemselected[]" class="item-select" value="{{$id}}" />
+					<input type="checkbox" title="{{$drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$id}}" />
 				{{/if}}
 				{{if $drop.dropping}}
-					<a href="item/drop/{{$id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$drop.delete}}">{{$drop.delete}}</a>
+					<a href="item/drop/{{$id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$drop.delete|escape}}">{{$drop.delete}}</a>
 				{{/if}}
 				{{if $edpost}}
-					<a class="icon edit s16" href="{{$edpost.0}}" title="{{$edpost.1}}"></a>
+					<a class="icon edit s16" href="{{$edpost.0}}" title="{{$edpost.1|escape}}"></a>
 				{{/if}}
 			</div>
 
diff --git a/view/theme/vier/templates/photo_view.tpl b/view/theme/vier/templates/photo_view.tpl
index c252960c08..5a6613dd1e 100644
--- a/view/theme/vier/templates/photo_view.tpl
+++ b/view/theme/vier/templates/photo_view.tpl
@@ -8,11 +8,11 @@
 |
 <a id="photo-toprofile-link" href="{{$tools.profile.0}}">{{$tools.profile.1}}</a>
 {{/if}}
-{{if $lock}} | <img src="images/lock_icon.gif" class="lockview" alt="{{$lock}}" onclick="lockview(event,'photo/{{$id}}');" /> {{/if}}
+{{if $lock}} | <img src="images/lock_icon.gif" class="lockview" alt="{{$lock|escape}}" onclick="lockview(event,'photo/{{$id}}');" /> {{/if}}
 </div>
 
 {{if $prevlink}}<div id="photo-prev-link"><a href="{{$prevlink.0}}">{{$prevlink.1}}</a></div>{{/if}}
-<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" /></a></div>
+<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" /></a></div>
 {{if $nextlink}}<div id="photo-next-link"><a href="{{$nextlink.0}}">{{$nextlink.1}}</a></div>{{/if}}
 <div id="photo-photo-end"></div>
 <div id="photo-caption">{{$desc}}</div>
diff --git a/view/theme/vier/templates/profile_vcard.tpl b/view/theme/vier/templates/profile_vcard.tpl
index dfa341b260..6ba3119caa 100644
--- a/view/theme/vier/templates/profile_vcard.tpl
+++ b/view/theme/vier/templates/profile_vcard.tpl
@@ -1,7 +1,7 @@
 <div class="vcard h-card">
 
 	<div class="tool">
-		<div class="fn label p-name">{{$profile.name}}</div>
+		<div class="fn label p-name">{{$profile.name|escape}}</div>
 		{{if $profile.edit}}
 			<div class="action">
 				<a class="icon s16 edit ttright" href="{{$profile.edit.0}}" title="{{$profile.edit.3}}"><span>{{$profile.edit.1}}</span></a>
@@ -18,9 +18,9 @@
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 
 	{{if $profile.picdate}}
-		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}"></a></div>
+		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></a></div>
 	{{else}}
-		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}" alt="{{$profile.name}}"></a></div>
+		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}" alt="{{$profile.name|escape}}"></a></div>
 	{{/if}}
 
 	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
diff --git a/view/theme/vier/templates/search_item.tpl b/view/theme/vier/templates/search_item.tpl
index c1383ba434..c274ca3e38 100644
--- a/view/theme/vier/templates/search_item.tpl
+++ b/view/theme/vier/templates/search_item.tpl
@@ -1,9 +1,9 @@
 
 
 <div class="wall-item-decor">
-	{{if $item.star}}<span class="icon star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred}}">{{$item.star.starred}}</span>{{/if}}
-	{{if $item.lock}}<span class="icon lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock}}">{{$item.lock}}</span>{{/if}}
-	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+	{{if $item.star}}<span class="icon star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred|escape}}">{{$item.star.starred|escape}}</span>{{/if}}
+	{{if $item.lock}}<span class="icon lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}">{{$item.lock|escape}}</span>{{/if}}
+	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 </div>
 
 <div class="wall-item-container {{$item.indent}} {{$item.shiny}} ">
@@ -12,8 +12,8 @@
 			<div class="contact-photo-wrapper">
 				<!-- onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
 				onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)"> -->
-				<!-- <a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}"></a> -->
-					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<!-- <a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}"></a> -->
+					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				<!-- <a rel="#wall-item-photo-menu-{{$item.id}}" class="contact-photo-menu-button icon s16 menu" id="wall-item-photo-menu-button-{{$item.id}}">menu</a> -->
 				<ul role="menu" aria-haspopup="true" class="wall-item-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
 				{{$item.item_photo_menu}}
@@ -22,9 +22,9 @@
 			</div>
 		</div>
 		<div class="wall-item-actions-author">
-			<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name}}</span></a>
+			<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a>
 			<span class="wall-item-ago">
-				{{if $item.plink}}<a class="link" title="{{$item.plink.title}}" href="{{$item.plink.href}}" style="color: #999">{{$item.ago}}</a>{{else}} {{$item.ago}} {{/if}}
+				{{if $item.plink}}<a class="link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" style="color: #999">{{$item.ago}}</a>{{else}} {{$item.ago}} {{/if}}
 				{{if $item.lock}}<span class="fakelink" style="color: #999" onclick="lockview(event,{{$item.id}});">{{$item.lock}}</span> {{/if}}
 			</span>
 		</div>
@@ -46,8 +46,8 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			<!-- {{if $item.plink}}<a title="{{$item.plink.title}}" href="{{$item.plink.href}}"><i class="icon-link icon-large"></i></a>{{/if}} -->
-			{{if $item.conv}}<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'><i class="icon-link icon-large"></i></a>{{/if}}
+			<!-- {{if $item.plink}}<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}"><i class="icon-link icon-large"></i></a>{{/if}} -->
+			{{if $item.conv}}<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'><i class="icon-link icon-large"></i></a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 
@@ -55,31 +55,31 @@
 
 			<div class="wall-item-actions-social">
 			{{if $item.star}}
-				<a href="#" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}"  title="{{$item.star.do}}">{{$item.star.do}}</a>
-				<a href="#" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo}}">{{$item.star.undo}}</a>
-				<a href="#" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.star.classtagger}}" title="{{$item.star.tagger}}">{{$item.star.tagger}}</a>
+				<a href="#" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}"  title="{{$item.star.do|escape}}">{{$item.star.do}}</a>
+				<a href="#" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo|escape}}">{{$item.star.undo}}</a>
+				<a href="#" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.star.classtagger}}" title="{{$item.star.tagger|escape}}">{{$item.star.tagger}}</a>
 			{{/if}}
 
 			{{if $item.vote}}
-				<a href="#" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$item.vote.like.0}}" onclick="dolike({{$item.id}},'like'); return false">{{$item.vote.like.1}}</a>
-				<a href="#" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$item.vote.dislike.0}}" onclick="dolike({{$item.id}},'dislike'); return false">{{$item.vote.dislike.1}}</a>
+				<a href="#" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$item.vote.like.0|escape}}" onclick="dolike({{$item.id}},'like'); return false">{{$item.vote.like.1}}</a>
+				<a href="#" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$item.vote.dislike.0|escape}}" onclick="dolike({{$item.id}},'dislike'); return false">{{$item.vote.dislike.1}}</a>
 			{{/if}}
 
 			{{if $item.vote.share}}
-				<a href="#" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}}); return false">{{$item.vote.share.1}}</a>
+				<a href="#" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}}); return false">{{$item.vote.share.1}}</a>
 			{{/if}}
 			</div>
 
 			<div class="wall-item-actions-tools">
 
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete}}">{{$item.drop.delete}}</a>
+					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete|escape}}">{{$item.drop.delete|escape}}</a>
 				{{/if}}
 				{{if $item.edpost}}
-					<a class="icon edit s16" href="{{$item.edpost.0}}" title="{{$item.edpost.1}}"></a>
+					<a class="icon edit s16" href="{{$item.edpost.0}}" title="{{$item.edpost.1|escape}}"></a>
 				{{/if}}
 			</div>
 
diff --git a/view/theme/vier/templates/wall_item_tag.tpl b/view/theme/vier/templates/wall_item_tag.tpl
index be6b143b9f..2c02036a0e 100644
--- a/view/theme/vier/templates/wall_item_tag.tpl
+++ b/view/theme/vier/templates/wall_item_tag.tpl
@@ -27,8 +27,8 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper">
-				<!-- <a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link" id="wall-item-photo-link-{{$item.id}}"></a> -->
-					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<!-- <a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="contact-photo-link" id="wall-item-photo-link-{{$item.id}}"></a> -->
+					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				<ul role="menu" aria-haspopup="true" class="contact-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
 				{{$item.item_photo_menu}}
 				</ul>
@@ -41,10 +41,10 @@
 		</div>
 			<div class="wall-item-tools">
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete}}">{{$item.drop.delete}}</a>
+					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete|escape}}">{{$item.drop.delete}}</a>
 				{{/if}}
 			</div>
 	</div>
diff --git a/view/theme/vier/templates/wall_thread.tpl b/view/theme/vier/templates/wall_thread.tpl
index 8debce3649..57ca699e34 100644
--- a/view/theme/vier/templates/wall_thread.tpl
+++ b/view/theme/vier/templates/wall_thread.tpl
@@ -19,7 +19,7 @@
 {{if $item.thread_level!=1}}<div class="children u-comment h-cite">{{/if}}
 
 <div aria-hidden="true" class="wall-item-decor">
-	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 </div>
 
 {{if $item.thread_level<7}}
@@ -36,8 +36,8 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card">
-				<!-- <a aria-hidden="true" href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}"></a> -->
-					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<!-- <a aria-hidden="true" href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}"></a> -->
+					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				<ul role="menu" aria-haspopup="true" class="contact-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
 				{{$item.item_photo_menu}}
 				</ul>
@@ -45,20 +45,20 @@
 			</div>
 			{{if $item.owner_url}}
 			<div aria-hidden="true" class="contact-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="contact-photo-link u-url" id="wall-item-ownerphoto-link-{{$item.id}}">
-					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}} p-name u-photo" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name}}" />
+				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="contact-photo-link u-url" id="wall-item-ownerphoto-link-{{$item.id}}">
+					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}} p-name u-photo" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name|escape}}" />
 				</a>
 			</div>
 			{{/if}}
 		</div>
 		<div role="heading" aria-level="{{$item.thread_level}}" class="wall-item-actions-author">
-			<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name}}</span></a>
-			{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a>{{/if}}
+			<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a>
+			{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a>{{/if}}
 			<span class="wall-item-ago">
-				{{if $item.plink}}<a title="{{$item.plink.title}}" href="{{$item.plink.href}}" class="u-url" style="color: #999"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.created}}</time></a>{{else}} <time class="dt-published" datetime="{{$item.localtime}}">{{$item.created}}</time> {{/if}}
+				{{if $item.plink}}<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="u-url" style="color: #999"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.created}}</time></a>{{else}} <time class="dt-published" datetime="{{$item.localtime}}">{{$item.created}}</time> {{/if}}
 			</span>
-			{{if $item.lock}}<span class="icon s10 lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock}}">{{$item.lock}}</span>{{/if}}
-			<span class="wall-item-network" title="{{$item.app}}">
+			{{if $item.lock}}<span class="icon s10 lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}">{{$item.lock}}</span>{{/if}}
+			<span class="wall-item-network" title="{{$item.app|escape}}">
 				{{$item.network_name}}
 			</span>
 			<div class="wall-item-network-end"></div>
@@ -77,60 +77,60 @@
 			{{foreach $item.hashtags as $tag}}
 				<span class="tag">{{$tag}}</span>
 			{{/foreach}}
-  			{{foreach $item.mentions as $tag}}
+			{{foreach $item.mentions as $tag}}
 				<span class="mention">{{$tag}}</span>
 			{{/foreach}}
 		{{/if}}
 			{{foreach $item.folders as $cat}}
-				<span class="folder p-category">{{$cat.name}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+				<span class="folder p-category">{{$cat.name|escape}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 			{{/foreach}}
 			{{foreach $item.categories as $cat}}
-				<span class="category p-category">{{$cat.name}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+				<span class="category p-category">{{$cat.name|escape}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 			{{/foreach}}
 		</div>
 	</div>
 	<div class="wall-item-bottom">
 		<div class="wall-item-links">
-			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title}}</span></i></a>{{/if}}
+			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title|escape}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title}}</span></i></a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-social">
 			{{if $item.threaded}}
 			{{/if}}
 			{{if $item.comment}}
-				<a role="button" id="comment-{{$item.id}}" class="fakelink togglecomment" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});" title="{{$item.switchcomment}}"><i class="icon-commenting"><span class="sr-only">{{$item.switchcomment}}</span></i></a>
+				<a role="button" id="comment-{{$item.id}}" class="fakelink togglecomment" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});" title="{{$item.switchcomment|escape}}"><i class="icon-commenting"><span class="sr-only">{{$item.switchcomment}}</span></i></a>
 			{{/if}}
 
 			{{if $item.isevent}}
-				<a role="button" id="attendyes-{{$item.id}}"{{if $item.responses.attendyes.self}} class="active"{{/if}} title="{{$item.attend.0}}" onclick="dolike({{$item.id}},'attendyes'); return false;"><i class="icon-ok icon-large"><span class="sr-only">{{$item.attend.0}}</span></i></a>
-				<a role="button" id="attendno-{{$item.id}}"{{if $item.responses.attendno.self}} class="active"{{/if}} title="{{$item.attend.1}}" onclick="dolike({{$item.id}},'attendno'); return false;"><i class="icon-remove icon-large"><span class="sr-only">{{$item.attend.1}}</span></i></a>
-				<a role="button" id="attendmaybe-{{$item.id}}"{{if $item.responses.attendmaybe.self}} class="active"{{/if}} title="{{$item.attend.2}}" onclick="dolike({{$item.id}},'attendmaybe'); return false;"><i class="icon-question icon-large"><span class="sr-only">{{$item.attend.2}}</span></i></a>
+				<a role="button" id="attendyes-{{$item.id}}"{{if $item.responses.attendyes.self}} class="active"{{/if}} title="{{$item.attend.0|escape}}" onclick="dolike({{$item.id}},'attendyes'); return false;"><i class="icon-ok icon-large"><span class="sr-only">{{$item.attend.0}}</span></i></a>
+				<a role="button" id="attendno-{{$item.id}}"{{if $item.responses.attendno.self}} class="active"{{/if}} title="{{$item.attend.1|escape}}" onclick="dolike({{$item.id}},'attendno'); return false;"><i class="icon-remove icon-large"><span class="sr-only">{{$item.attend.1}}</span></i></a>
+				<a role="button" id="attendmaybe-{{$item.id}}"{{if $item.responses.attendmaybe.self}} class="active"{{/if}} title="{{$item.attend.2|escape}}" onclick="dolike({{$item.id}},'attendmaybe'); return false;"><i class="icon-question icon-large"><span class="sr-only">{{$item.attend.2}}</span></i></a>
 			{{/if}}
 
 			{{if $item.vote}}
 				{{if $item.vote.like}}
-				<a role="button" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$item.vote.like.0}}" onclick="dolike({{$item.id}},'like'); return false"><i class="icon-thumbs-up icon-large"><span class="sr-only">{{$item.vote.like.0}}</span></i></a>
+				<a role="button" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$item.vote.like.0|escape}}" onclick="dolike({{$item.id}},'like'); return false"><i class="icon-thumbs-up icon-large"><span class="sr-only">{{$item.vote.like.0}}</span></i></a>
 				{{/if}}{{if $item.vote.dislike}}
-				<a role="button" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$item.vote.dislike.0}}" onclick="dolike({{$item.id}},'dislike'); return false"><i class="icon-thumbs-down icon-large"><span class="sr-only">{{$item.vote.dislike.0}}</span></i></a>
+				<a role="button" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$item.vote.dislike.0|escape}}" onclick="dolike({{$item.id}},'dislike'); return false"><i class="icon-thumbs-down icon-large"><span class="sr-only">{{$item.vote.dislike.0}}</span></i></a>
 				{{/if}}
 			    {{if $item.vote.share}}
-				    <a role="button" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}}); return false"><i class="icon-retweet icon-large"><span class="sr-only">{{$item.vote.share.0}}</span></i></a>
+				    <a role="button" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}}); return false"><i class="icon-retweet icon-large"><span class="sr-only">{{$item.vote.share.0}}</span></i></a>
 			    {{/if}}
 			{{/if}}
 
 			{{if $item.star}}
-				<a role="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}" title="{{$item.star.do}}"><i class="icon-star icon-large"><span class="sr-only">{{$item.star.do}}</span></i></a>
-				<a role="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo}}"><i class="icon-star-empty icon-large"><span class="sr-only">{{$item.star.undo}}</span></i></a>
+				<a role="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}" title="{{$item.star.do|escape}}"><i class="icon-star icon-large"><span class="sr-only">{{$item.star.do}}</span></i></a>
+				<a role="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo|escape}}"><i class="icon-star-empty icon-large"><span class="sr-only">{{$item.star.undo}}</span></i></a>
 			{{/if}}
 			{{if $item.ignore}}
-				<a role="button" id="ignore-{{$item.id}}" onclick="doignore({{$item.id}}); return false;"  class="{{$item.ignore.classdo}}"  title="{{$item.ignore.do}}"><i class="icon-bell-slash icon-large"><span class="sr-only">{{$item.ignore.do}}</span></i></a>
-				<a role="button" id="unignore-{{$item.id}}" onclick="doignore({{$item.id}}); return false;"  class="{{$item.ignore.classundo}}"  title="{{$item.ignore.undo}}"><i class="icon-bell-slash-o icon-large"><span class="sr-only">{{$item.ignore.undo}}</span></i></a>
+				<a role="button" id="ignore-{{$item.id}}" onclick="doignore({{$item.id}}); return false;"  class="{{$item.ignore.classdo}}"  title="{{$item.ignore.do|escape}}"><i class="icon-bell-slash icon-large"><span class="sr-only">{{$item.ignore.do}}</span></i></a>
+				<a role="button" id="unignore-{{$item.id}}" onclick="doignore({{$item.id}}); return false;"  class="{{$item.ignore.classundo}}"  title="{{$item.ignore.undo|escape}}"><i class="icon-bell-slash-o icon-large"><span class="sr-only">{{$item.ignore.undo}}</span></i></a>
 			{{/if}}
 			{{if $item.tagger}}
-				<a role="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.tagger.class}}" title="{{$item.tagger.add}}"><i class="icon-tags icon-large"><span class="sr-only">{{$item.tagger.add}}</span></i></a>
+				<a role="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.tagger.class}}" title="{{$item.tagger.add|escape}}"><i class="icon-tags icon-large"><span class="sr-only">{{$item.tagger.add}}</span></i></a>
 			{{/if}}
 			{{if $item.filer}}
-                                <a role="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}}); return false;" class="filer-item filer-icon" title="{{$item.filer}}"><i class="icon-folder-close icon-large"><span class="sr-only">{{$item.filer}}</span></i></a>
+                                <a role="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}}); return false;" class="filer-item filer-icon" title="{{$item.filer|escape}}"><i class="icon-folder-close icon-large"><span class="sr-only">{{$item.filer}}</span></i></a>
 			{{/if}}
 			</div>
 
@@ -142,13 +142,13 @@
 			<div class="wall-item-actions-tools">
 
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a role="button" href="item/drop/{{$item.id}}/{{$item.return}}" onclick="return confirmDelete();" title="{{$item.drop.delete}}"><i class="icon-trash icon-large"><span class="sr-only">{{$item.drop.delete}}</span></i></a>
+					<a role="button" href="item/drop/{{$item.id}}/{{$item.return}}" onclick="return confirmDelete();" title="{{$item.drop.delete|escape}}"><i class="icon-trash icon-large"><span class="sr-only">{{$item.drop.delete}}</span></i></a>
 				{{/if}}
 				{{if $item.edpost}}
-					<a role="button" href="{{$item.edpost.0}}" title="{{$item.edpost.1}}"><i class="icon-edit icon-large"><span class="sr-only">{{$item.edpost.1}}</span></i></a>
+					<a role="button" href="{{$item.edpost.0}}" title="{{$item.edpost.1|escape}}"><i class="icon-edit icon-large"><span class="sr-only">{{$item.edpost.1}}</span></i></a>
 				{{/if}}
 			</div>
 
diff --git a/view/theme/vier/templates/widget_forumlist_right.tpl b/view/theme/vier/templates/widget_forumlist_right.tpl
index fe72ffcaf6..8b2700e01b 100644
--- a/view/theme/vier/templates/widget_forumlist_right.tpl
+++ b/view/theme/vier/templates/widget_forumlist_right.tpl
@@ -21,20 +21,20 @@ function showHideForumlist() {
 		{{if $forum.id <= $visible_forums}}
 		<li class="forum-widget-entry forum-{{$forum.cid}}" id="forum-widget-entry-{{$forum.id}}" role="menuitem">
 			<span class="notify badge pull-right"></span>
-			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
-				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
+			<a href="{{$forum.external_url}}" title="{{$forum.link_desc|escape}}" class="label sparkle" target="_blank">
+				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc|escape}}" />
 			</a>
-			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
+			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name|escape}}</a>
 		</li>
 		{{/if}}
 	
 		{{if $forum.id > $visible_forums}}
 		<li class="forum-widget-entry forum-{{$forum.cid}}" id="forum-widget-entry-extended-{{$forum.id}}" role="menuitem" style="display: none;">
 			<span class="notify badge pull-right"></span>
-			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
-				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
+			<a href="{{$forum.external_url}}" title="{{$forum.link_desc|escape}}" class="label sparkle" target="_blank">
+				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc|escape}}" />
 			</a>
-			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
+			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name|escape}}</a>
 		</li>
 		{{/if}}
 		{{/foreach}}

From 56f21a4b89cef0c4c691096fe294abf356f1cfa9 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 19:26:46 +0000
Subject: [PATCH 2/7] Some more escaping

---
 mod/dirfind.php                                | 2 +-
 view/templates/contact_template.tpl            | 4 ++--
 view/theme/frio/templates/contact_template.tpl | 2 +-
 view/theme/frio/templates/mail_list.tpl        | 2 +-
 view/theme/frio/templates/wall_thread.tpl      | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/mod/dirfind.php b/mod/dirfind.php
index 2609760e91..7f1a6691f5 100644
--- a/mod/dirfind.php
+++ b/mod/dirfind.php
@@ -235,7 +235,7 @@ function dirfind_content(App $a, $prefix = "") {
 					'alt_text' => $alt_text,
 					'url' => Model\Contact::magicLink($jj->url),
 					'itemurl' => $itemurl,
-					'name' => htmlentities($jj->name),
+					'name' => $jj->name,
 					'thumb' => ProxyUtils::proxifyUrl($jj->photo, false, ProxyUtils::SIZE_THUMB),
 					'img_hover' => $jj->tags,
 					'conntxt' => $conntxt,
diff --git a/view/templates/contact_template.tpl b/view/templates/contact_template.tpl
index 06918533ca..6845c62562 100644
--- a/view/templates/contact_template.tpl
+++ b/view/templates/contact_template.tpl
@@ -5,7 +5,7 @@
 		onmouseover="if (typeof t{{$contact.id}} != 'undefined') clearTimeout(t{{$contact.id}}); openMenu('contact-photo-menu-button-{{$contact.id}}')" 
 		onmouseout="t{{$contact.id}}=setTimeout('closeMenu(\'contact-photo-menu-button-{{$contact.id}}\'); closeMenu(\'contact-photo-menu-{{$contact.id}}\');',200)" >
 
-			<a href="{{$contact.url}}" title="{{$contact.img_hover}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" /></a>
+			<a href="{{$contact.url}}" title="{{$contact.img_hover|escape}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" /></a>
 
 			{{if $multiselect}}
 			<input type="checkbox" class="contact-select" name="contact_batch[]" value="{{$contact.id}}">
@@ -31,7 +31,7 @@
 
 	<div class="contact-entry-desc">
 		<div class="contact-entry-name" id="contact-entry-name-{{$contact.id}}" >
-			{{$contact.name}}
+			{{$contact.name|escape}}
 			{{if $contact.account_type}} <span class="contact-entry-details" id="contact-entry-accounttype-{{$contact.id}}">({{$contact.account_type}})</span>{{/if}}
 		</div>
 		{{if $contact.alt_text}}<div class="contact-entry-details" id="contact-entry-rel-{{$contact.id}}" >{{$contact.alt_text}}</div>{{/if}}
diff --git a/view/theme/frio/templates/contact_template.tpl b/view/theme/frio/templates/contact_template.tpl
index 4f07ad2b1d..1b56a6b62c 100644
--- a/view/theme/frio/templates/contact_template.tpl
+++ b/view/theme/frio/templates/contact_template.tpl
@@ -220,7 +220,7 @@ We use this part to filter the contacts with jquery.textcomplete *}}
 			{{* The contact description (e.g. Name, Network, kind of connection and so on *}}
 			<div class="contact-entry-desc">
 				<div class="contact-entry-name" id="contact-entry-name-{$id}">
-					<h4 class="media-heading"><a href="{$url}">{$name}</a>
+					<h4 class="media-heading"><a href="{$url}">{$name|escape}</a>
 					{if $account_type} <small class="contact-entry-details" id="contact-entry-accounttype-{$id}">({$account_type})</small>{/if}
 					{if $account_type == 'Forum'}<i class="fa fa-comments-o" aria-hidden="true"></i>{/if}
 					{{* @todo this needs some changing in core because $contact.account_type contains a translated string which may notbe the same in every language *}}
diff --git a/view/theme/frio/templates/mail_list.tpl b/view/theme/frio/templates/mail_list.tpl
index 225fd71c18..e6a024f11c 100644
--- a/view/theme/frio/templates/mail_list.tpl
+++ b/view/theme/frio/templates/mail_list.tpl
@@ -11,7 +11,7 @@
 			<div class="media-body">
 				<div class="text-muted time ago pull-right" title="{{$date}}">{{$ago}}</div>
 
-				<h4 class="media-heading">{{$from_name}}</h4>
+				<h4 class="media-heading">{{$from_name|escape}}</h4>
 				<div class="mail-list-subject"><a href="message/{{$id}}">{{$subject}}</a></div>
 				<a href="message/dropconv/{{$id}}" onclick="return confirmDelete();"  title="{{$delete}}" class="pull-right" onmouseover="imgbright(this);" onmouseout="imgdull(this);">
 				<i class="faded-icon fa fa-trash"></i>
diff --git a/view/theme/frio/templates/wall_thread.tpl b/view/theme/frio/templates/wall_thread.tpl
index 961c241a14..f90b2f72a4 100644
--- a/view/theme/frio/templates/wall_thread.tpl
+++ b/view/theme/frio/templates/wall_thread.tpl
@@ -252,7 +252,7 @@ as the value of $top_child_total (this is done at the end of this file)
 			{{/if}}
 
 			{{if $item.title}}
-			<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title}}</a></h4><br /></span>
+			<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title|escape}}</a></h4><br /></span>
 			{{/if}}
 
 			<div class="wall-item-body e-content {{if !$item.title}}p-name{{/if}}" id="wall-item-body-{{$item.id}}">{{$item.body}}</div>

From 4ce320fc791f2ad4d848c45098214df92536ccde Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 19:48:26 +0000
Subject: [PATCH 3/7] Contact search is now escaped

---
 mod/acl.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/mod/acl.php b/mod/acl.php
index cb378dc27c..86eafe2902 100644
--- a/mod/acl.php
+++ b/mod/acl.php
@@ -127,7 +127,7 @@ function acl_content(App $a)
 			$groups[] = [
 				'type'  => 'g',
 				'photo' => 'images/twopeople.png',
-				'name'  => htmlentities($g['name']),
+				'name'  => htmlspecialchars($g['name']),
 				'id'    => intval($g['id']),
 				'uids'  => array_map('intval', explode(',', $g['uids'])),
 				'link'  => '',
@@ -198,7 +198,7 @@ function acl_content(App $a)
 		foreach ($r as $g) {
 			$contacts[] = [
 				'photo'   => ProxyUtils::proxifyUrl($g['photo'], false, ProxyUtils::SIZE_MICRO),
-				'name'    => $g['name'],
+				'name'    => htmlspecialchars($g['name']),
 				'nick'    => defaults($g, 'addr', $g['url']),
 				'network' => $g['network'],
 				'link'    => $g['url'],
@@ -220,7 +220,7 @@ function acl_content(App $a)
 			$entry = [
 				'type'    => 'c',
 				'photo'   => ProxyUtils::proxifyUrl($g['micro'], false, ProxyUtils::SIZE_MICRO),
-				'name'    => htmlentities($g['name']),
+				'name'    => htmlspecialchars($g['name']),
 				'id'      => intval($g['id']),
 				'network' => $g['network'],
 				'link'    => $g['url'],
@@ -281,7 +281,7 @@ function acl_content(App $a)
 				$unknown_contacts[] = [
 					'type'    => 'c',
 					'photo'   => ProxyUtils::proxifyUrl($contact['micro'], false, ProxyUtils::SIZE_MICRO),
-					'name'    => htmlentities($contact['name']),
+					'name'    => htmlspecialchars($contact['name']),
 					'id'      => intval($contact['cid']),
 					'network' => $contact['network'],
 					'link'    => $contact['url'],

From 7381540039985b4046b4adac018263304111243e Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 20:04:01 +0000
Subject: [PATCH 4/7] Escaping the address field

---
 view/templates/admin/contactblock.tpl               | 4 ++--
 view/templates/hovercard.tpl                        | 2 +-
 view/templates/profile_vcard.tpl                    | 2 +-
 view/templates/remote_friends_common.tpl            | 4 ++--
 view/templates/search_item.tpl                      | 4 ++--
 view/templates/wall_thread.tpl                      | 2 +-
 view/theme/duepuntozero/templates/profile_vcard.tpl | 2 +-
 view/theme/quattro/templates/profile_vcard.tpl      | 2 +-
 view/theme/smoothly/templates/search_item.tpl       | 4 ++--
 view/theme/smoothly/templates/wall_thread.tpl       | 6 +++---
 view/theme/vier/templates/profile_vcard.tpl         | 2 +-
 11 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/view/templates/admin/contactblock.tpl b/view/templates/admin/contactblock.tpl
index c9bfc2efd0..e3dfb52a12 100644
--- a/view/templates/admin/contactblock.tpl
+++ b/view/templates/admin/contactblock.tpl
@@ -33,8 +33,8 @@
 				<tr>
 					<td class="checkbox"><input type="checkbox" class="contacts_ckbx" id="id_contact_{{$contact.id}}" name="contacts[]" value="{{$contact.id}}"/></td>
 					<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname|escape}}" title="{{$contact.nickname|escape}}"></td>
-					<td class="name">{{$contact.name}}</td>
-					<td class="addr">{{$contact.addr}}</td>
+					<td class="name">{{$contact.name|escaped}}</td>
+					<td class="addr">{{$contact.addr|escaped}}</td>
 					<td class="addr"><a href="{{$contact.url}}" title="{{$contact.nickname|escape}}" >{{$contact.url}}</a></td>
 				</tr>
 				{{/foreach}}
diff --git a/view/templates/hovercard.tpl b/view/templates/hovercard.tpl
index 74f2700052..5487a4cd05 100644
--- a/view/templates/hovercard.tpl
+++ b/view/templates/hovercard.tpl
@@ -11,7 +11,7 @@
 					<h4 class="left-align1"><a href="{{$profile.url}}">{{$profile.name|escape}}</a></h4>{{if $profile.account_type}}<span>{{$profile.account_type}}</span>{{/if}}
 				</div>
 				<div class="profile-details">
-					<span class="profile-addr">{{$profile.addr}}</span>
+					<span class="profile-addr">{{$profile.addr|escaped}}</span>
 					{{if $profile.network}}<span class="profile-network"> ({{$profile.network}})</span>{{/if}}
 				</div>
 				{{*{{if $profile.about}}<div class="profile-details profile-about">{{$profile.about}}</div>{{/if}}*}}
diff --git a/view/templates/profile_vcard.tpl b/view/templates/profile_vcard.tpl
index 6f8e86b299..fb78756415 100644
--- a/view/templates/profile_vcard.tpl
+++ b/view/templates/profile_vcard.tpl
@@ -3,7 +3,7 @@
 
 	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 
diff --git a/view/templates/remote_friends_common.tpl b/view/templates/remote_friends_common.tpl
index 354c8e46a2..f018727c06 100644
--- a/view/templates/remote_friends_common.tpl
+++ b/view/templates/remote_friends_common.tpl
@@ -6,12 +6,12 @@
 	<div class="profile-match-wrapper">
 		<div class="profile-match-photo">
 			<a href="{{$item.url}}">
-				<img src="{{$item.photo}}" width="80" height="80" alt="{{$item.name}}" title="{{$item.name}}" />
+				<img src="{{$item.photo}}" width="80" height="80" alt="{{$item.name|escaped}}" title="{{$item.name|escaped}}" />
 			</a>
 		</div>
 		<div class="profile-match-break"></div>
 		<div class="profile-match-name">
-			<a href="{{$item.url}}" title="{{$item.name}}">{{$item.name}}</a>
+			<a href="{{$item.url}}" title="{{$item.name|escaped}}">{{$item.name|escaped}}</a>
 		</div>
 		<div class="profile-match-end"></div>
 	</div>
diff --git a/view/templates/search_item.tpl b/view/templates/search_item.tpl
index fbcf770f1b..462624957e 100644
--- a/view/templates/search_item.tpl
+++ b/view/templates/search_item.tpl
@@ -7,7 +7,7 @@
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
 					<ul>
@@ -23,7 +23,7 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name}}</span></a>
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}">{{$item.ago}}</div>
 				
 		</div>			
diff --git a/view/templates/wall_thread.tpl b/view/templates/wall_thread.tpl
index 63a8364f88..113a93e8c9 100644
--- a/view/templates/wall_thread.tpl
+++ b/view/templates/wall_thread.tpl
@@ -44,7 +44,7 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name}}</span></a>{{if $item.owner_url}} {{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a> {{$item.vwall}}{{/if}}<br />
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>{{if $item.owner_url}} {{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escaped}}</span></a> {{$item.vwall}}{{/if}}<br />
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime|escape:'html'}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
diff --git a/view/theme/duepuntozero/templates/profile_vcard.tpl b/view/theme/duepuntozero/templates/profile_vcard.tpl
index 505cf560e3..311132b815 100644
--- a/view/theme/duepuntozero/templates/profile_vcard.tpl
+++ b/view/theme/duepuntozero/templates/profile_vcard.tpl
@@ -3,7 +3,7 @@
 
 	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></div>
diff --git a/view/theme/quattro/templates/profile_vcard.tpl b/view/theme/quattro/templates/profile_vcard.tpl
index f999f1f572..e62da464d9 100644
--- a/view/theme/quattro/templates/profile_vcard.tpl
+++ b/view/theme/quattro/templates/profile_vcard.tpl
@@ -26,7 +26,7 @@
 		{{/if}}
 	</div>
 
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
 
 	{{if $pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}" /></div>
diff --git a/view/theme/smoothly/templates/search_item.tpl b/view/theme/smoothly/templates/search_item.tpl
index d441ebe2de..35820088b5 100644
--- a/view/theme/smoothly/templates/search_item.tpl
+++ b/view/theme/smoothly/templates/search_item.tpl
@@ -6,7 +6,7 @@
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
 					<ul>
@@ -34,7 +34,7 @@
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}">{{$item.ago}}</div>
 				
 		</div>			
diff --git a/view/theme/smoothly/templates/wall_thread.tpl b/view/theme/smoothly/templates/wall_thread.tpl
index 5aaa9c4eb1..f4c4154a02 100644
--- a/view/theme/smoothly/templates/wall_thread.tpl
+++ b/view/theme/smoothly/templates/wall_thread.tpl
@@ -15,7 +15,7 @@
 			{{if $item.owner_url}}
 			<div class="wall-item-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
 				<a href="{{$item.owner_url}}" title="{{$item.olinktitle}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name}}" /></a>
+				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escaped}}" /></a>
 			</div>
 			<div class="wall-item-arrowphoto-wrapper" ><img src="view/theme/smoothly/images/larrow.gif" alt="{{$item.wall}}" /></div>
 			{{/if}}
@@ -23,7 +23,7 @@
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
                 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
                 <div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
                     <ul>
@@ -47,7 +47,7 @@
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
 		<div class="wall-item-author">
 			<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link">
-			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name}}</span>
+			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span>
 			</a>
 			<div class="wall-item-ago">&bull;</div>
 			<div class="wall-item-ago" id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
diff --git a/view/theme/vier/templates/profile_vcard.tpl b/view/theme/vier/templates/profile_vcard.tpl
index 6ba3119caa..1733969aa8 100644
--- a/view/theme/vier/templates/profile_vcard.tpl
+++ b/view/theme/vier/templates/profile_vcard.tpl
@@ -13,7 +13,7 @@
 		{{/if}}
 	</div>
 
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
 
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 

From 6075245b840a28e8c2d8976ddd624e59d3d2a81f Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 20:34:02 +0000
Subject: [PATCH 5/7] Much more escapes

---
 view/templates/admin/site.tpl                  |  6 +++---
 view/templates/birthdays_reminder.tpl          |  4 ++--
 view/templates/event_stream_item.tpl           |  6 +++---
 view/templates/events_reminder.tpl             |  4 ++--
 view/templates/files.tpl                       |  4 ++--
 view/templates/photo_album.tpl                 |  4 ++--
 view/templates/photo_top.tpl                   |  8 +++-----
 view/templates/photo_view.tpl                  |  2 +-
 view/templates/search_item.tpl                 |  8 ++++----
 view/templates/settings/display.tpl            |  2 +-
 view/templates/wall_thread.tpl                 |  2 +-
 view/theme/frio/templates/admin/site.tpl       |  6 +++---
 view/theme/frio/templates/photo_top.tpl        |  2 +-
 view/theme/frio/templates/photo_view.tpl       | 10 +++++-----
 view/theme/frio/templates/search_item.tpl      |  4 ++--
 view/theme/frio/templates/settings/display.tpl |  2 +-
 view/theme/frio/templates/theme_settings.tpl   |  2 +-
 view/theme/frio/templates/wall_thread.tpl      |  2 +-
 view/theme/quattro/templates/photo_item.tpl    |  4 ++--
 view/theme/quattro/templates/photo_view.tpl    |  2 +-
 view/theme/quattro/templates/search_item.tpl   |  4 ++--
 view/theme/quattro/templates/wall_thread.tpl   | 12 ++++++------
 view/theme/smoothly/templates/search_item.tpl  |  8 ++++----
 view/theme/smoothly/templates/wall_thread.tpl  | 10 +++++-----
 view/theme/vier/templates/communityhome.tpl    |  6 +++---
 view/theme/vier/templates/wall_thread.tpl      |  4 ++--
 26 files changed, 63 insertions(+), 65 deletions(-)

diff --git a/view/templates/admin/site.tpl b/view/templates/admin/site.tpl
index bf1d215ec8..34b1e3b1b2 100644
--- a/view/templates/admin/site.tpl
+++ b/view/templates/admin/site.tpl
@@ -39,7 +39,7 @@
 	});
 </script>
 <div id='adminpage'>
-	<h1>{{$title}} - {{$page}}</h1>
+	<h1>{{$title|escape}} - {{$page|escape}}</h1>
 
 	<form action="{{$baseurl}}/admin/site" method="post">
     <input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
@@ -145,7 +145,7 @@
 	{{include file="field_input.tpl" field=$dbclean_expire_conv}}
 	<div class="submit"><input type="submit" name="page_site" value="{{$submit|escape:'html'}}" /></div>
 
-	<h3>{{$worker_title}}</h3>
+	<h3>{{$worker_title|escape}}</h3>
 	{{include file="field_input.tpl" field=$maxloadavg}}
 	{{include file="field_input.tpl" field=$min_memory}}
 	{{include file="field_input.tpl" field=$worker_queues}}
@@ -155,7 +155,7 @@
 
 	<div class="submit"><input type="submit" name="page_site" value="{{$submit|escape:'html'}}" /></div>
 
-	<h3>{{$relay_title}}</h3>
+	<h3>{{$relay_title|escape}}</h3>
 	{{include file="field_checkbox.tpl" field=$relay_subscribe}}
 	{{include file="field_input.tpl" field=$relay_server}}
 	{{include file="field_checkbox.tpl" field=$relay_directly}}
diff --git a/view/templates/birthdays_reminder.tpl b/view/templates/birthdays_reminder.tpl
index 6aa51d4702..9261ff8d32 100644
--- a/view/templates/birthdays_reminder.tpl
+++ b/view/templates/birthdays_reminder.tpl
@@ -1,10 +1,10 @@
 
 {{if $count}}
 <div id="birthday-notice" class="birthday-notice fakelink {{$classtoday}}" onclick="openClose('birthday-wrapper');">{{$event_reminders}} ({{$count}})</div>
-<div id="birthday-wrapper" style="display: none;" ><div id="birthday-title">{{$event_title}}</div>
+<div id="birthday-wrapper" style="display: none;" ><div id="birthday-title">{{$event_title|escape}}</div>
 <div id="birthday-title-end"></div>
 {{foreach $events as $event}}
-<div class="birthday-list" id="birthday-{{$event.id}}"> <a href="{{$event.link}}">{{$event.title}}</a> {{$event.date}} </div>
+<div class="birthday-list" id="birthday-{{$event.id}}"> <a href="{{$event.link}}">{{$event.title|escape}}</a> {{$event.date}} </div>
 {{/foreach}}
 </div>
 {{/if}}
diff --git a/view/templates/event_stream_item.tpl b/view/templates/event_stream_item.tpl
index 15975c5d51..af9a554942 100644
--- a/view/templates/event_stream_item.tpl
+++ b/view/templates/event_stream_item.tpl
@@ -1,16 +1,16 @@
 
 <div class="vevent">
-	<div class="summary event-summary">{{$title}}</div>
+	<div class="summary event-summary">{{$title|escape}}</div>
 
 	<div class="event-start">
 		<span class="event-label">{{$dtstart_label}}</span>&nbsp;
-		<span class="dtstart" title="{{$dtstart_title}}">{{$dtstart_dt}}</span>
+		<span class="dtstart" title="{{$dtstart_title|escape}}">{{$dtstart_dt}}</span>
 	</div>
 
 	{{if $finish}}
 	<div class="event-end">
 		<span class="event-label">{{$dtend_label}}</span>&nbsp;
-		<span class="dtend" title="{{$dtend_title}}">{{$dtend_dt}}</span>
+		<span class="dtend" title="{{$dtend_title|escape}}">{{$dtend_dt}}</span>
 	</div>
 	{{/if}}
 
diff --git a/view/templates/events_reminder.tpl b/view/templates/events_reminder.tpl
index 2fcb1908d7..08278954c3 100644
--- a/view/templates/events_reminder.tpl
+++ b/view/templates/events_reminder.tpl
@@ -1,10 +1,10 @@
 
 {{if $count}}
 <div id="event-notice" class="birthday-notice fakelink {{$classtoday}}" onclick="openClose('event-wrapper');">{{$event_reminders}} ({{$count}})</div>
-<div id="event-wrapper" style="display: none;" ><div id="event-title">{{$event_title}}</div>
+<div id="event-wrapper" style="display: none;" ><div id="event-title">{{$event_title|escape}}</div>
 <div id="event-title-end"></div>
 {{foreach $events as $event}}
-<div class="event-list" id="event-{{$event.id}}"> <a class="ajax-popupbox" href="events/?id={{$event.id}}">{{$event.title}}</a> - {{$event.date}} </div>
+<div class="event-list" id="event-{{$event.id}}"> <a class="ajax-popupbox" href="events/?id={{$event.id}}">{{$event.title|escape}}</a> - {{$event.date}} </div>
 {{/foreach}}
 </div>
 {{/if}}
diff --git a/view/templates/files.tpl b/view/templates/files.tpl
index a2a337bd76..b622bb3e1d 100644
--- a/view/templates/files.tpl
+++ b/view/templates/files.tpl
@@ -1,4 +1,4 @@
 {{foreach $items as $item }}
-<p>{{$item.title}}  ({{$item.mime}}) ({{$item.filename}})</p>
+<p>{{$item.title|escape}}  ({{$item.mime|escape}}) ({{$item.filename|escape}})</p>
 {{/foreach}}
-{{include "paginate.tpl"}}
\ No newline at end of file
+{{include "paginate.tpl"}}
diff --git a/view/templates/photo_album.tpl b/view/templates/photo_album.tpl
index d3e7ca4874..08df8f7567 100644
--- a/view/templates/photo_album.tpl
+++ b/view/templates/photo_album.tpl
@@ -10,8 +10,8 @@
 
 {{foreach $photos as $photo}}
 <div class="photo-album-image-wrapper" id="photo-album-image-wrapper-{{$photo.id}}">
-	<a href="{{$photo.link}}" class="photo-album-photo-link" id="photo-album-photo-link-{{$photo.id}}" title="{{$photo.title}}">
-		<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name}}{{elseif $photo.desc}}{{$photo.desc}}{{elseif $photo.alt}}{{$photo.alt}}{{else}}{{$photo.unknown}}{{/if}}" title="{{$photo.title}}" class="photo-album-photo lframe resize{{$photo.twist}}" id="photo-album-photo-{{$photo.id}}" />
+	<a href="{{$photo.link}}" class="photo-album-photo-link" id="photo-album-photo-link-{{$photo.id}}" title="{{$photo.title|escape}}">
+		<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name|escape}}{{elseif $photo.desc}}{{$photo.desc}}{{elseif $photo.alt}}{{$photo.alt|escape}}{{else}}{{$photo.unknown}}{{/if}}" title="{{$photo.title|escape}}" class="photo-album-photo lframe resize{{$photo.twist}}" id="photo-album-photo-{{$photo.id}}" />
 		<p class='caption'>{{$photo.desc}}</p>		
 	</a>
 </div>
diff --git a/view/templates/photo_top.tpl b/view/templates/photo_top.tpl
index b5fc51a23a..0dd8c4e996 100644
--- a/view/templates/photo_top.tpl
+++ b/view/templates/photo_top.tpl
@@ -1,9 +1,7 @@
-
-
 <div class="photo-top-image-wrapper lframe" id="photo-top-image-wrapper-{{$photo.id}}">
-	<a href="{{$photo.link}}" class="photo-top-photo-link" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title}}">
-		<img src="{{$photo.src}}" alt="{{$photo.alt}}" title="{{$photo.title}}" class="photo-top-photo{{$photo.twist}}" id="photo-top-photo-{{$photo.id}}" />
+	<a href="{{$photo.link}}" class="photo-top-photo-link" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title|escape}}">
+		<img src="{{$photo.src}}" alt="{{$photo.alt|escape}}" title="{{$photo.title|escape}}" class="photo-top-photo{{$photo.twist}}" id="photo-top-photo-{{$photo.id}}" />
 	</a>
-	<div class="photo-top-album-name"><a href="{{$photo.album.link}}" class="photo-top-album-link" title="{{$photo.album.alt}}" >{{$photo.album.name}}</a></div>
+	<div class="photo-top-album-name"><a href="{{$photo.album.link}}" class="photo-top-album-link" title="{{$photo.album.alt|escape}}" >{{$photo.album.name|escape}}</a></div>
 </div>
 
diff --git a/view/templates/photo_view.tpl b/view/templates/photo_view.tpl
index b85a1c2f53..8fa3de61d2 100644
--- a/view/templates/photo_view.tpl
+++ b/view/templates/photo_view.tpl
@@ -12,7 +12,7 @@
 </div>
 
 {{if $prevlink}}<div id="photo-prev-link"><a href="{{$prevlink.0}}">{{$prevlink.1}}</a></div>{{/if}}
-<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" /></a></div>
+<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" /></a></div>
 {{if $nextlink}}<div id="photo-next-link"><a href="{{$nextlink.0}}">{{$nextlink.1}}</a></div>{{/if}}
 <div id="photo-photo-end"></div>
 <div id="photo-caption">{{$desc}}</div>
diff --git a/view/templates/search_item.tpl b/view/templates/search_item.tpl
index 462624957e..c004fe74c4 100644
--- a/view/templates/search_item.tpl
+++ b/view/templates/search_item.tpl
@@ -6,7 +6,7 @@
 			<div class="wall-item-photo-wrapper" id="wall-item-photo-wrapper-{{$item.id}}" 
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
 				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
@@ -23,12 +23,12 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}">{{$item.ago}}</div>
 				
 		</div>			
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
-			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 			{{if $item.has_cats}}
@@ -54,7 +54,7 @@
 
 	<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
 	{{if $item.conv}}
-			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'>{{$item.conv.title}}</a>
+			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'>{{$item.conv.title|escape}}</a>
 	{{/if}}
 	</div>
 
diff --git a/view/templates/settings/display.tpl b/view/templates/settings/display.tpl
index ff3e4fba6e..e1a0123804 100644
--- a/view/templates/settings/display.tpl
+++ b/view/templates/settings/display.tpl
@@ -21,7 +21,7 @@
 {{include file="field_checkbox.tpl" field=$infinite_scroll}}
 {{include file="field_checkbox.tpl" field=$bandwidth_saver}}
 {{include file="field_checkbox.tpl" field=$smart_threading}}
-<h2>{{$calendar_title}}</h2>
+<h2>{{$calendar_title|escape}}</h2>
 {{include file="field_select.tpl" field=$first_day_of_week}}
 
 
diff --git a/view/templates/wall_thread.tpl b/view/templates/wall_thread.tpl
index 113a93e8c9..6108b80c60 100644
--- a/view/templates/wall_thread.tpl
+++ b/view/templates/wall_thread.tpl
@@ -48,7 +48,7 @@
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime|escape:'html'}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
-			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" ><span class="e-content">{{$item.body}}<span>
 			<div class="body-tag">
diff --git a/view/theme/frio/templates/admin/site.tpl b/view/theme/frio/templates/admin/site.tpl
index 10afecb668..77ae1d532b 100644
--- a/view/theme/frio/templates/admin/site.tpl
+++ b/view/theme/frio/templates/admin/site.tpl
@@ -54,7 +54,7 @@
 <link rel="stylesheet" href="view/theme/frio/css/mod_admin.css" type="text/css" media="screen"/>
 
 <div id='adminpage' class="adminpage generic-page-wrapper">
-	<h1>{{$title}} - {{$page}}</h1>
+	<h1>{{$title|escape}} - {{$page}}</h1>
 	<form action="{{$baseurl}}/admin/site" method="post">
 		<input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
 		<input type='hidden' name='active_panel' value=''>
@@ -293,7 +293,7 @@
 				<div class="section-subtitle-wrapper" role="tab" id="admin-settings-worker">
 					<h4>
 						<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#admin-settings" href="#admin-settings-worker-collapse" aria-expanded="false" aria-controls="admin-settings-worker-collapse">
-							{{$worker_title}}
+							{{$worker_title|escape}}
 						</a>
 					</h4>
 				</div>
@@ -319,7 +319,7 @@
 				<div class="section-subtitle-wrapper" role="tab" id="admin-relay-corporate">
 					<h4>
 						<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#admin-settings" href="#admin-settings-relay-collapse" aria-expanded="false" aria-controls="admin-settings-relay-collapse">
-							{{$relay_title}}
+							{{$relay_title|escape}}
 						</a>
 					</h4>
 				</div>
diff --git a/view/theme/frio/templates/photo_top.tpl b/view/theme/frio/templates/photo_top.tpl
index fed29937ed..c64f9b89b5 100644
--- a/view/theme/frio/templates/photo_top.tpl
+++ b/view/theme/frio/templates/photo_top.tpl
@@ -1,4 +1,4 @@
-<a href="{{$photo.link}}" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title}}">
+<a href="{{$photo.link}}" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title|escape}}">
 	<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name|escape}}{{elseif $photo.desc}}{{$photo.desc|escape}}{{elseif $photo.alt}}{{$photo.alt|escape}}{{else}}{{$photo.unknown|escape}}{{/if}}" title="{{$photo.title|escape}}" id="photo-top-photo-{{$photo.id}}" />
 </a>
 
diff --git a/view/theme/frio/templates/photo_view.tpl b/view/theme/frio/templates/photo_view.tpl
index f8d12e133e..e540a03f90 100644
--- a/view/theme/frio/templates/photo_view.tpl
+++ b/view/theme/frio/templates/photo_view.tpl
@@ -5,24 +5,24 @@
 
 <div id="photo-view-{{$id}}" class="generic-page-wrapper">
 	<div class="pull-left" id="photo-edit-link-wrap">
-		<a class="page-action faded-icon" id="photo-album-link" href="{{$album.0}}" title="{{$album.1}}" data-toggle="tooltip">
+		<a class="page-action faded-icon" id="photo-album-link" href="{{$album.0}}" title="{{$album.1|escape}}" data-toggle="tooltip">
 			<i class="fa fa-folder-open"></i>&nbsp;{{$album.1}}
 		</a>
 	</div>
 	<div class="pull-right" id="photo-edit-link-wrap">
 		{{if $tools}}
 		<span class="icon-padding"> </span>
-		<a id="photo-edit-link" href="{{$tools.edit.0}}" title="{{$tools.edit.1}}" data-toggle="tooltip">
+		<a id="photo-edit-link" href="{{$tools.edit.0}}" title="{{$tools.edit.1|escape}}" data-toggle="tooltip">
 			<i class="page-action faded-icon fa fa-pencil"></i>
 		</a>
 		<span class="icon-padding"> </span>
-		<a id="photo-toprofile-link" href="{{$tools.profile.0}}" title="{{$tools.profile.1}}" data-toggle="tooltip">
+		<a id="photo-toprofile-link" href="{{$tools.profile.0}}" title="{{$tools.profile.1|escape}}" data-toggle="tooltip">
 			<i class="page-action faded-icon fa fa-user"></i>
 		</a>
 		{{/if}}
 		{{if $lock}}
 		<span class="icon-padding"> </span>
-		<a id="photo-lock-link" onclick="lockview(event,'photo/{{$id}}');" title="{{$lock}}" data-toggle="tooltip">
+		<a id="photo-lock-link" onclick="lockview(event,'photo/{{$id}}');" title="{{$lock|escape}}" data-toggle="tooltip">
 			<i class="page-action faded-icon fa fa-lock"></i>
 		</a>
 		{{/if}}
@@ -33,7 +33,7 @@
 		<div id="photo-photo">
 			{{* The photo *}}
 			<div class="photo-container">
-				<a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" alt="{{$photo.filename|escape}}"/></a>
+				<a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" alt="{{$photo.filename|escape}}"/></a>
 			</div>
 
 			{{* Overlay buttons for previous and next photo *}}
diff --git a/view/theme/frio/templates/search_item.tpl b/view/theme/frio/templates/search_item.tpl
index 88a0d2a0ea..f31b7b7a44 100644
--- a/view/theme/frio/templates/search_item.tpl
+++ b/view/theme/frio/templates/search_item.tpl
@@ -52,7 +52,7 @@
 
 						{{if $item.subthread}}
 						<li role="menuitem">
-							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
+							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title|escape}}</button>
 						</li>
 						{{/if}}
 
@@ -129,7 +129,7 @@
 				{{/if}}
 
 				{{if $item.title}}
-				<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}}">{{$item.title}}</a></h4><br /></span>
+				<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}}">{{$item.title|escape}}</a></h4><br /></span>
 				{{/if}}
 
 				<div class="wall-item-body" id="wall-item-body-{{$item.id}}">{{$item.body}}</div>
diff --git a/view/theme/frio/templates/settings/display.tpl b/view/theme/frio/templates/settings/display.tpl
index cc36762dc9..70307c440c 100644
--- a/view/theme/frio/templates/settings/display.tpl
+++ b/view/theme/frio/templates/settings/display.tpl
@@ -89,7 +89,7 @@
 				<div class="section-subtitle-wrapper" role="tab" id="calendar-settings-title">
 					<h4>
 						<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#settings" href="#calendar-settings-content" aria-expanded="false" aria-controls="calendar-settings-content">
-							{{$calendar_title}}
+							{{$calendar_title|escape}}
 						</a>
 					</h4>
 				</div>
diff --git a/view/theme/frio/templates/theme_settings.tpl b/view/theme/frio/templates/theme_settings.tpl
index 50a8934d1b..9b8322a85d 100644
--- a/view/theme/frio/templates/theme_settings.tpl
+++ b/view/theme/frio/templates/theme_settings.tpl
@@ -25,7 +25,7 @@
 {{if $background_image}}{{include file="field_fileinput.tpl" field=$background_image}}{{/if}}
 
 <div id="frio_bg_image_options" style="display: none;">
-	<label>{{$bg_image_options_title}}:</label>
+	<label>{{$bg_image_options_title|escape}}:</label>
 {{foreach $bg_image_options as $options}}
 	{{include file="field_radio.tpl" field=$options}}
 {{/foreach}}
diff --git a/view/theme/frio/templates/wall_thread.tpl b/view/theme/frio/templates/wall_thread.tpl
index f90b2f72a4..77fdf8dae5 100644
--- a/view/theme/frio/templates/wall_thread.tpl
+++ b/view/theme/frio/templates/wall_thread.tpl
@@ -91,7 +91,7 @@ as the value of $top_child_total (this is done at the end of this file)
 				<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="dropdownMenuTools-{{$item.id}}">
 					{{if $item.plink}}	{{*link to the original source of the item *}}
 					<li role="menuitem">
-						<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title}}</a>
+						<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title|escape}}</a>
 					</li>
 					{{/if}}
 
diff --git a/view/theme/quattro/templates/photo_item.tpl b/view/theme/quattro/templates/photo_item.tpl
index 6dfacdb78c..e37a7242cb 100644
--- a/view/theme/quattro/templates/photo_item.tpl
+++ b/view/theme/quattro/templates/photo_item.tpl
@@ -24,7 +24,7 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			{{if $plink}}<a class="icon s16 link" title="{{$plink.title}}" href="{{$plink.href}}">{{$plink.title}}</a>{{/if}}
+			{{if $plink}}<a class="icon s16 link" title="{{$plink.title|escape}}" href="{{$plink.href}}">{{$plink.title|escape}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
@@ -69,7 +69,7 @@
 		<div class="wall-item-dislike" id="wall-item-dislike-{{$id}}">{{$dislike}}</div>
 		{{if $conv}}
 		<div class="wall-item-conv" id="wall-item-conv-{{$id}}" >
-			<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title}}'>{{$conv.title}}</a>
+			<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title|escape}}'>{{$conv.title|escape}}</a>
 		</div>
 		{{/if}}
 	</div>
diff --git a/view/theme/quattro/templates/photo_view.tpl b/view/theme/quattro/templates/photo_view.tpl
index f4a780a0ac..f41fd9a96d 100644
--- a/view/theme/quattro/templates/photo_view.tpl
+++ b/view/theme/quattro/templates/photo_view.tpl
@@ -10,7 +10,7 @@
 {{if $lock}} | <img src="images/lock_icon.gif" class="lockview" alt="{{$lock}}" onclick="lockview(event,'photo/{{$id}}');" /> {{/if}}
 </div>
 
-<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" /></a></div>
+<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" /></a></div>
 {{if $prevlink}}<div id="photo-prev-link"><a href="{{$prevlink.0}}">{{$prevlink.1}}</a></div>{{/if}}
 {{if $nextlink}}<div id="photo-next-link"><a href="{{$nextlink.0}}">{{$nextlink.1}}</a></div>{{/if}}
 <div id="photo-caption">{{$desc}}</div>
diff --git a/view/theme/quattro/templates/search_item.tpl b/view/theme/quattro/templates/search_item.tpl
index 33bf5fbb8a..8e7b9ee280 100644
--- a/view/theme/quattro/templates/search_item.tpl
+++ b/view/theme/quattro/templates/search_item.tpl
@@ -22,7 +22,7 @@
 			<div class="wall-item-location">{{$item.location}}</div>
 		</div>
 		<div class="wall-item-content">
-			{{if $item.title}}<h2><a href="{{$item.plink.href}}">{{$item.title}}</a></h2>{{/if}}
+			{{if $item.title}}<h2><a href="{{$item.plink.href}}">{{$item.title|escape}}</a></h2>{{/if}}
 			<div class="wall-item-body">{{$item.body}}</div>
 		</div>
 	</div>
@@ -39,7 +39,7 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
+			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title|escape}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
diff --git a/view/theme/quattro/templates/wall_thread.tpl b/view/theme/quattro/templates/wall_thread.tpl
index 694557ccae..cc6ab7d623 100644
--- a/view/theme/quattro/templates/wall_thread.tpl
+++ b/view/theme/quattro/templates/wall_thread.tpl
@@ -40,7 +40,7 @@
 			<div class="contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
 				onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
 					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				</a>
 				<a href="#" rel="#wall-item-photo-menu-{{$item.id}}" class="contact-photo-menu-button icon s16 menu" id="wall-item-photo-menu-button-{{$item.id}}">menu</a>
@@ -51,7 +51,7 @@
 			</div>
 			{{if $item.owner_url}}
 			<div class="contact-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
+				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
 					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name|escape}}" />
 				</a>
 			</div>
@@ -59,7 +59,7 @@
 			<div class="wall-item-location">{{$item.location}}</div>
 		</div>
 		<div class="wall-item-content">
-			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title}}</a></h2>{{/if}}
+			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title|escape}}</a></h2>{{/if}}
 			<span class="wall-item-body e-content {{if !$item.title}}p-name{{/if}}">{{$item.body}}</span>
 		</div>
 	</div>
@@ -85,16 +85,16 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="wall-item-links">
-			{{if $item.plink}}<a class="icon s16 link{{$item.sparkle}} u-url" title="{{$item.plink.title}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
+			{{if $item.plink}}<a class="icon s16 link{{$item.sparkle}} u-url" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title|escape}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
 				<a href="{{$item.profile_url}}" target="redir"
-                                title="{{$item.linktitle}}"
+                                title="{{$item.linktitle|escape}}"
                                 class="wall-item-name-link"><span
                                 class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a>
                                 <span class="wall-item-ago" title="{{$item.localtime}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></span>
-				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}
+				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}
 				 {{/if}}
 			</div>
 
diff --git a/view/theme/smoothly/templates/search_item.tpl b/view/theme/smoothly/templates/search_item.tpl
index 35820088b5..46cbff6928 100644
--- a/view/theme/smoothly/templates/search_item.tpl
+++ b/view/theme/smoothly/templates/search_item.tpl
@@ -5,7 +5,7 @@
 			<div class="wall-item-photo-wrapper mframe" id="wall-item-photo-wrapper-{{$item.id}}" 
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
 				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
@@ -29,12 +29,12 @@
 			<div class="wall-item-delete-end"></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
-			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}">{{$item.ago}}</div>
 				
 		</div>			
@@ -45,7 +45,7 @@
 
 	<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
 	{{if $item.conv}}
-			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'>{{$item.conv.title}}</a>
+			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'>{{$item.conv.title|escape}}</a>
 	{{/if}}
 	</div>
 	<div class="wall-item-wrapper-end"></div>
diff --git a/view/theme/smoothly/templates/wall_thread.tpl b/view/theme/smoothly/templates/wall_thread.tpl
index f4c4154a02..b62b077e28 100644
--- a/view/theme/smoothly/templates/wall_thread.tpl
+++ b/view/theme/smoothly/templates/wall_thread.tpl
@@ -14,7 +14,7 @@
 		<div class="wall-item-info{{if $item.owner_url}} wallwall{{/if}}" id="wall-item-info-{{$item.id}}">
 			{{if $item.owner_url}}
 			<div class="wall-item-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" title="{{$item.olinktitle}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
+				<a href="{{$item.owner_url}}" title="{{$item.olinktitle|escape}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
 				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escaped}}" /></a>
 			</div>
 			<div class="wall-item-arrowphoto-wrapper" ><img src="view/theme/smoothly/images/larrow.gif" alt="{{$item.wall}}" /></div>
@@ -22,7 +22,7 @@
 			<div class="wall-item-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card" id="wall-item-photo-wrapper-{{$item.id}}"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
                 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
 				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
                 <div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
@@ -46,7 +46,7 @@
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
 		<div class="wall-item-author">
-			<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link">
+			<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link">
 			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span>
 			</a>
 			<div class="wall-item-ago">&bull;</div>
@@ -56,7 +56,7 @@
 		<div>
 		<hr class="line-dots">
 		</div>
-			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" ><span class="e-content">{{$item.body}}</span>
 				<div class="body-tag">
@@ -99,7 +99,7 @@
 
 			{{if $item.plink}}
 			<div class="wall-item-links-wrapper">
-				<a href="{{$item.plink.href}}" title="{{$item.plink.title}}" target="external-link" class="icon remote-link u-url"></a>
+				<a href="{{$item.plink.href}}" title="{{$item.plink.title|escape}}" target="external-link" class="icon remote-link u-url"></a>
 			</div>
 			{{/if}}
 
diff --git a/view/theme/vier/templates/communityhome.tpl b/view/theme/vier/templates/communityhome.tpl
index b32b638042..94e2312d09 100644
--- a/view/theme/vier/templates/communityhome.tpl
+++ b/view/theme/vier/templates/communityhome.tpl
@@ -6,7 +6,7 @@
 
 {{if $comunity_profiles_title}}
 <div id="right_profiles" class="widget">
-<h3>{{$comunity_profiles_title}}</h3>
+<h3>{{$comunity_profiles_title|escape}}</h3>
 <div id='lastusers-wrapper' class='items-wrapper'>
 {{foreach $comunity_profiles_items as $i}}
 	{{$i}}
@@ -44,7 +44,7 @@
 
 {{if $lastusers_title}}
 <div id="right_lastusers" class="widget">
-<h3>{{$lastusers_title}}</h3>
+<h3>{{$lastusers_title|escape}}</h3>
 <div id='lastusers-wrapper' class='items-wrapper'>
 {{foreach $lastusers_items as $i}}
 	{{$i}}
@@ -55,7 +55,7 @@
 {{/if}}
 
 {{if $activeusers_title}}
-<h3>{{$activeusers_title}}</h3>
+<h3>{{$activeusers_title|escape}}</h3>
 <div class='items-wrapper'>
 {{foreach $activeusers_items as $i}}
 	{{$i}}
diff --git a/view/theme/vier/templates/wall_thread.tpl b/view/theme/vier/templates/wall_thread.tpl
index 57ca699e34..d99061798a 100644
--- a/view/theme/vier/templates/wall_thread.tpl
+++ b/view/theme/vier/templates/wall_thread.tpl
@@ -65,7 +65,7 @@
 		</div>
 
 		<div itemprop="description" class="wall-item-content">
-			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title}}</a></h2>{{/if}}
+			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title|escape}}</a></h2>{{/if}}
 			<span class="wall-item-body e-content {{if !$item.title}}p-name{{/if}}">{{$item.body}}</span>
 		</div>
 	</div>
@@ -91,7 +91,7 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="wall-item-links">
-			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title|escape}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title}}</span></i></a>{{/if}}
+			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title|escape}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title|escape}}</span></i></a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-social">

From 73528fa279ad940ae6c9f39e0da0814498e5f92f Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 20:40:30 +0000
Subject: [PATCH 6/7] Some correction

---
 view/templates/admin/contactblock.tpl               | 4 ++--
 view/templates/hovercard.tpl                        | 2 +-
 view/templates/profile_vcard.tpl                    | 2 +-
 view/templates/remote_friends_common.tpl            | 4 ++--
 view/templates/search_item.tpl                      | 4 ++--
 view/templates/wall_thread.tpl                      | 2 +-
 view/theme/duepuntozero/templates/profile_vcard.tpl | 2 +-
 view/theme/quattro/templates/profile_vcard.tpl      | 2 +-
 view/theme/smoothly/templates/search_item.tpl       | 4 ++--
 view/theme/smoothly/templates/wall_thread.tpl       | 6 +++---
 view/theme/vier/templates/profile_vcard.tpl         | 2 +-
 11 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/view/templates/admin/contactblock.tpl b/view/templates/admin/contactblock.tpl
index e3dfb52a12..3afeb5355c 100644
--- a/view/templates/admin/contactblock.tpl
+++ b/view/templates/admin/contactblock.tpl
@@ -33,8 +33,8 @@
 				<tr>
 					<td class="checkbox"><input type="checkbox" class="contacts_ckbx" id="id_contact_{{$contact.id}}" name="contacts[]" value="{{$contact.id}}"/></td>
 					<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname|escape}}" title="{{$contact.nickname|escape}}"></td>
-					<td class="name">{{$contact.name|escaped}}</td>
-					<td class="addr">{{$contact.addr|escaped}}</td>
+					<td class="name">{{$contact.name|escape}}</td>
+					<td class="addr">{{$contact.addr|escape}}</td>
 					<td class="addr"><a href="{{$contact.url}}" title="{{$contact.nickname|escape}}" >{{$contact.url}}</a></td>
 				</tr>
 				{{/foreach}}
diff --git a/view/templates/hovercard.tpl b/view/templates/hovercard.tpl
index 5487a4cd05..ec87591b9f 100644
--- a/view/templates/hovercard.tpl
+++ b/view/templates/hovercard.tpl
@@ -11,7 +11,7 @@
 					<h4 class="left-align1"><a href="{{$profile.url}}">{{$profile.name|escape}}</a></h4>{{if $profile.account_type}}<span>{{$profile.account_type}}</span>{{/if}}
 				</div>
 				<div class="profile-details">
-					<span class="profile-addr">{{$profile.addr|escaped}}</span>
+					<span class="profile-addr">{{$profile.addr|escape}}</span>
 					{{if $profile.network}}<span class="profile-network"> ({{$profile.network}})</span>{{/if}}
 				</div>
 				{{*{{if $profile.about}}<div class="profile-details profile-about">{{$profile.about}}</div>{{/if}}*}}
diff --git a/view/templates/profile_vcard.tpl b/view/templates/profile_vcard.tpl
index fb78756415..14e1a03736 100644
--- a/view/templates/profile_vcard.tpl
+++ b/view/templates/profile_vcard.tpl
@@ -3,7 +3,7 @@
 
 	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 
diff --git a/view/templates/remote_friends_common.tpl b/view/templates/remote_friends_common.tpl
index f018727c06..f5f43360a7 100644
--- a/view/templates/remote_friends_common.tpl
+++ b/view/templates/remote_friends_common.tpl
@@ -6,12 +6,12 @@
 	<div class="profile-match-wrapper">
 		<div class="profile-match-photo">
 			<a href="{{$item.url}}">
-				<img src="{{$item.photo}}" width="80" height="80" alt="{{$item.name|escaped}}" title="{{$item.name|escaped}}" />
+				<img src="{{$item.photo}}" width="80" height="80" alt="{{$item.name|escape}}" title="{{$item.name|escape}}" />
 			</a>
 		</div>
 		<div class="profile-match-break"></div>
 		<div class="profile-match-name">
-			<a href="{{$item.url}}" title="{{$item.name|escaped}}">{{$item.name|escaped}}</a>
+			<a href="{{$item.url}}" title="{{$item.name|escape}}">{{$item.name|escape}}</a>
 		</div>
 		<div class="profile-match-end"></div>
 	</div>
diff --git a/view/templates/search_item.tpl b/view/templates/search_item.tpl
index c004fe74c4..a97574b7b4 100644
--- a/view/templates/search_item.tpl
+++ b/view/templates/search_item.tpl
@@ -7,7 +7,7 @@
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escape}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
 					<ul>
@@ -23,7 +23,7 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escape}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}">{{$item.ago}}</div>
 				
 		</div>			
diff --git a/view/templates/wall_thread.tpl b/view/templates/wall_thread.tpl
index 6108b80c60..6f54d024da 100644
--- a/view/templates/wall_thread.tpl
+++ b/view/templates/wall_thread.tpl
@@ -44,7 +44,7 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>{{if $item.owner_url}} {{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escaped}}</span></a> {{$item.vwall}}{{/if}}<br />
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escape}}</span></a>{{if $item.owner_url}} {{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}{{/if}}<br />
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime|escape:'html'}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
diff --git a/view/theme/duepuntozero/templates/profile_vcard.tpl b/view/theme/duepuntozero/templates/profile_vcard.tpl
index 311132b815..31afc71fea 100644
--- a/view/theme/duepuntozero/templates/profile_vcard.tpl
+++ b/view/theme/duepuntozero/templates/profile_vcard.tpl
@@ -3,7 +3,7 @@
 
 	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></div>
diff --git a/view/theme/quattro/templates/profile_vcard.tpl b/view/theme/quattro/templates/profile_vcard.tpl
index e62da464d9..a316f58aa5 100644
--- a/view/theme/quattro/templates/profile_vcard.tpl
+++ b/view/theme/quattro/templates/profile_vcard.tpl
@@ -26,7 +26,7 @@
 		{{/if}}
 	</div>
 
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 
 	{{if $pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}" /></div>
diff --git a/view/theme/smoothly/templates/search_item.tpl b/view/theme/smoothly/templates/search_item.tpl
index 46cbff6928..2c9e621935 100644
--- a/view/theme/smoothly/templates/search_item.tpl
+++ b/view/theme/smoothly/templates/search_item.tpl
@@ -6,7 +6,7 @@
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escape}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
 					<ul>
@@ -34,7 +34,7 @@
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escape}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}">{{$item.ago}}</div>
 				
 		</div>			
diff --git a/view/theme/smoothly/templates/wall_thread.tpl b/view/theme/smoothly/templates/wall_thread.tpl
index b62b077e28..616c20f4dc 100644
--- a/view/theme/smoothly/templates/wall_thread.tpl
+++ b/view/theme/smoothly/templates/wall_thread.tpl
@@ -15,7 +15,7 @@
 			{{if $item.owner_url}}
 			<div class="wall-item-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
 				<a href="{{$item.owner_url}}" title="{{$item.olinktitle|escape}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escaped}}" /></a>
+				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escape}}" /></a>
 			</div>
 			<div class="wall-item-arrowphoto-wrapper" ><img src="view/theme/smoothly/images/larrow.gif" alt="{{$item.wall}}" /></div>
 			{{/if}}
@@ -23,7 +23,7 @@
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
                 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escape}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
                 <div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
                     <ul>
@@ -47,7 +47,7 @@
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
 		<div class="wall-item-author">
 			<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link">
-			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span>
+			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escape}}</span>
 			</a>
 			<div class="wall-item-ago">&bull;</div>
 			<div class="wall-item-ago" id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
diff --git a/view/theme/vier/templates/profile_vcard.tpl b/view/theme/vier/templates/profile_vcard.tpl
index 1733969aa8..a464416959 100644
--- a/view/theme/vier/templates/profile_vcard.tpl
+++ b/view/theme/vier/templates/profile_vcard.tpl
@@ -13,7 +13,7 @@
 		{{/if}}
 	</div>
 
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 

From 069c92049a99f78baa494f8be3bb014f194e86d1 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 23:49:40 +0000
Subject: [PATCH 7/7] Just some misspelling

---
 view/theme/frio/templates/contact_template.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/view/theme/frio/templates/contact_template.tpl b/view/theme/frio/templates/contact_template.tpl
index 1b56a6b62c..604f8d7e5d 100644
--- a/view/theme/frio/templates/contact_template.tpl
+++ b/view/theme/frio/templates/contact_template.tpl
@@ -9,7 +9,7 @@
 					<img class="contact-photo media-object xl" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" />
 				</div>
 
-				{{* For very small displays we use a drobdown menu for contact relating actions *}}
+				{{* For very small displays we use a dropdown menu for contact relating actions *}}
 				<button type="button" class="btn btn-link dropdown-toggle visible-xs" id="contact-photo-menu-button-{{$contact.id}}" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
 					{{* use a smaller picture on very small displays (e.g. mobiles) *}}
 					<div class="contact-photo-image-wrapper visible-xs">