From 6075245b840a28e8c2d8976ddd624e59d3d2a81f Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 20:34:02 +0000
Subject: [PATCH] Much more escapes

---
 view/templates/admin/site.tpl                  |  6 +++---
 view/templates/birthdays_reminder.tpl          |  4 ++--
 view/templates/event_stream_item.tpl           |  6 +++---
 view/templates/events_reminder.tpl             |  4 ++--
 view/templates/files.tpl                       |  4 ++--
 view/templates/photo_album.tpl                 |  4 ++--
 view/templates/photo_top.tpl                   |  8 +++-----
 view/templates/photo_view.tpl                  |  2 +-
 view/templates/search_item.tpl                 |  8 ++++----
 view/templates/settings/display.tpl            |  2 +-
 view/templates/wall_thread.tpl                 |  2 +-
 view/theme/frio/templates/admin/site.tpl       |  6 +++---
 view/theme/frio/templates/photo_top.tpl        |  2 +-
 view/theme/frio/templates/photo_view.tpl       | 10 +++++-----
 view/theme/frio/templates/search_item.tpl      |  4 ++--
 view/theme/frio/templates/settings/display.tpl |  2 +-
 view/theme/frio/templates/theme_settings.tpl   |  2 +-
 view/theme/frio/templates/wall_thread.tpl      |  2 +-
 view/theme/quattro/templates/photo_item.tpl    |  4 ++--
 view/theme/quattro/templates/photo_view.tpl    |  2 +-
 view/theme/quattro/templates/search_item.tpl   |  4 ++--
 view/theme/quattro/templates/wall_thread.tpl   | 12 ++++++------
 view/theme/smoothly/templates/search_item.tpl  |  8 ++++----
 view/theme/smoothly/templates/wall_thread.tpl  | 10 +++++-----
 view/theme/vier/templates/communityhome.tpl    |  6 +++---
 view/theme/vier/templates/wall_thread.tpl      |  4 ++--
 26 files changed, 63 insertions(+), 65 deletions(-)

diff --git a/view/templates/admin/site.tpl b/view/templates/admin/site.tpl
index bf1d215ec..34b1e3b1b 100644
--- a/view/templates/admin/site.tpl
+++ b/view/templates/admin/site.tpl
@@ -39,7 +39,7 @@
 	});
 </script>
 <div id='adminpage'>
-	<h1>{{$title}} - {{$page}}</h1>
+	<h1>{{$title|escape}} - {{$page|escape}}</h1>
 
 	<form action="{{$baseurl}}/admin/site" method="post">
     <input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
@@ -145,7 +145,7 @@
 	{{include file="field_input.tpl" field=$dbclean_expire_conv}}
 	<div class="submit"><input type="submit" name="page_site" value="{{$submit|escape:'html'}}" /></div>
 
-	<h3>{{$worker_title}}</h3>
+	<h3>{{$worker_title|escape}}</h3>
 	{{include file="field_input.tpl" field=$maxloadavg}}
 	{{include file="field_input.tpl" field=$min_memory}}
 	{{include file="field_input.tpl" field=$worker_queues}}
@@ -155,7 +155,7 @@
 
 	<div class="submit"><input type="submit" name="page_site" value="{{$submit|escape:'html'}}" /></div>
 
-	<h3>{{$relay_title}}</h3>
+	<h3>{{$relay_title|escape}}</h3>
 	{{include file="field_checkbox.tpl" field=$relay_subscribe}}
 	{{include file="field_input.tpl" field=$relay_server}}
 	{{include file="field_checkbox.tpl" field=$relay_directly}}
diff --git a/view/templates/birthdays_reminder.tpl b/view/templates/birthdays_reminder.tpl
index 6aa51d470..9261ff8d3 100644
--- a/view/templates/birthdays_reminder.tpl
+++ b/view/templates/birthdays_reminder.tpl
@@ -1,10 +1,10 @@
 
 {{if $count}}
 <div id="birthday-notice" class="birthday-notice fakelink {{$classtoday}}" onclick="openClose('birthday-wrapper');">{{$event_reminders}} ({{$count}})</div>
-<div id="birthday-wrapper" style="display: none;" ><div id="birthday-title">{{$event_title}}</div>
+<div id="birthday-wrapper" style="display: none;" ><div id="birthday-title">{{$event_title|escape}}</div>
 <div id="birthday-title-end"></div>
 {{foreach $events as $event}}
-<div class="birthday-list" id="birthday-{{$event.id}}"> <a href="{{$event.link}}">{{$event.title}}</a> {{$event.date}} </div>
+<div class="birthday-list" id="birthday-{{$event.id}}"> <a href="{{$event.link}}">{{$event.title|escape}}</a> {{$event.date}} </div>
 {{/foreach}}
 </div>
 {{/if}}
diff --git a/view/templates/event_stream_item.tpl b/view/templates/event_stream_item.tpl
index 15975c5d5..af9a55494 100644
--- a/view/templates/event_stream_item.tpl
+++ b/view/templates/event_stream_item.tpl
@@ -1,16 +1,16 @@
 
 <div class="vevent">
-	<div class="summary event-summary">{{$title}}</div>
+	<div class="summary event-summary">{{$title|escape}}</div>
 
 	<div class="event-start">
 		<span class="event-label">{{$dtstart_label}}</span>&nbsp;
-		<span class="dtstart" title="{{$dtstart_title}}">{{$dtstart_dt}}</span>
+		<span class="dtstart" title="{{$dtstart_title|escape}}">{{$dtstart_dt}}</span>
 	</div>
 
 	{{if $finish}}
 	<div class="event-end">
 		<span class="event-label">{{$dtend_label}}</span>&nbsp;
-		<span class="dtend" title="{{$dtend_title}}">{{$dtend_dt}}</span>
+		<span class="dtend" title="{{$dtend_title|escape}}">{{$dtend_dt}}</span>
 	</div>
 	{{/if}}
 
diff --git a/view/templates/events_reminder.tpl b/view/templates/events_reminder.tpl
index 2fcb1908d..08278954c 100644
--- a/view/templates/events_reminder.tpl
+++ b/view/templates/events_reminder.tpl
@@ -1,10 +1,10 @@
 
 {{if $count}}
 <div id="event-notice" class="birthday-notice fakelink {{$classtoday}}" onclick="openClose('event-wrapper');">{{$event_reminders}} ({{$count}})</div>
-<div id="event-wrapper" style="display: none;" ><div id="event-title">{{$event_title}}</div>
+<div id="event-wrapper" style="display: none;" ><div id="event-title">{{$event_title|escape}}</div>
 <div id="event-title-end"></div>
 {{foreach $events as $event}}
-<div class="event-list" id="event-{{$event.id}}"> <a class="ajax-popupbox" href="events/?id={{$event.id}}">{{$event.title}}</a> - {{$event.date}} </div>
+<div class="event-list" id="event-{{$event.id}}"> <a class="ajax-popupbox" href="events/?id={{$event.id}}">{{$event.title|escape}}</a> - {{$event.date}} </div>
 {{/foreach}}
 </div>
 {{/if}}
diff --git a/view/templates/files.tpl b/view/templates/files.tpl
index a2a337bd7..b622bb3e1 100644
--- a/view/templates/files.tpl
+++ b/view/templates/files.tpl
@@ -1,4 +1,4 @@
 {{foreach $items as $item }}
-<p>{{$item.title}}  ({{$item.mime}}) ({{$item.filename}})</p>
+<p>{{$item.title|escape}}  ({{$item.mime|escape}}) ({{$item.filename|escape}})</p>
 {{/foreach}}
-{{include "paginate.tpl"}}
\ No newline at end of file
+{{include "paginate.tpl"}}
diff --git a/view/templates/photo_album.tpl b/view/templates/photo_album.tpl
index d3e7ca487..08df8f756 100644
--- a/view/templates/photo_album.tpl
+++ b/view/templates/photo_album.tpl
@@ -10,8 +10,8 @@
 
 {{foreach $photos as $photo}}
 <div class="photo-album-image-wrapper" id="photo-album-image-wrapper-{{$photo.id}}">
-	<a href="{{$photo.link}}" class="photo-album-photo-link" id="photo-album-photo-link-{{$photo.id}}" title="{{$photo.title}}">
-		<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name}}{{elseif $photo.desc}}{{$photo.desc}}{{elseif $photo.alt}}{{$photo.alt}}{{else}}{{$photo.unknown}}{{/if}}" title="{{$photo.title}}" class="photo-album-photo lframe resize{{$photo.twist}}" id="photo-album-photo-{{$photo.id}}" />
+	<a href="{{$photo.link}}" class="photo-album-photo-link" id="photo-album-photo-link-{{$photo.id}}" title="{{$photo.title|escape}}">
+		<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name|escape}}{{elseif $photo.desc}}{{$photo.desc}}{{elseif $photo.alt}}{{$photo.alt|escape}}{{else}}{{$photo.unknown}}{{/if}}" title="{{$photo.title|escape}}" class="photo-album-photo lframe resize{{$photo.twist}}" id="photo-album-photo-{{$photo.id}}" />
 		<p class='caption'>{{$photo.desc}}</p>		
 	</a>
 </div>
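Review bot: The `alt` attribute on the `<img>` line still emits `{{$photo.desc}}` and `{{$photo.unknown}}` raw, so a description containing a double quote can still close the attribute even though the neighbouring branches are now escaped. The frio `photo_top.tpl` in this same patch escapes all four branches, and the same should apply here: `{{elseif $photo.desc}}{{$photo.desc|escape}}` and `{{else}}{{$photo.unknown|escape}}`. The `<p class='caption'>{{$photo.desc}}</p>` line below is also unescaped; if the description is meant to carry markup there, a short template comment saying so would help the next reader.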
diff --git a/view/templates/photo_top.tpl b/view/templates/photo_top.tpl
index b5fc51a23..0dd8c4e99 100644
--- a/view/templates/photo_top.tpl
+++ b/view/templates/photo_top.tpl
@@ -1,9 +1,7 @@
-
-
 <div class="photo-top-image-wrapper lframe" id="photo-top-image-wrapper-{{$photo.id}}">
-	<a href="{{$photo.link}}" class="photo-top-photo-link" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title}}">
-		<img src="{{$photo.src}}" alt="{{$photo.alt}}" title="{{$photo.title}}" class="photo-top-photo{{$photo.twist}}" id="photo-top-photo-{{$photo.id}}" />
+	<a href="{{$photo.link}}" class="photo-top-photo-link" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title|escape}}">
+		<img src="{{$photo.src}}" alt="{{$photo.alt|escape}}" title="{{$photo.title|escape}}" class="photo-top-photo{{$photo.twist}}" id="photo-top-photo-{{$photo.id}}" />
 	</a>
-	<div class="photo-top-album-name"><a href="{{$photo.album.link}}" class="photo-top-album-link" title="{{$photo.album.alt}}" >{{$photo.album.name}}</a></div>
+	<div class="photo-top-album-name"><a href="{{$photo.album.link}}" class="photo-top-album-link" title="{{$photo.album.alt|escape}}" >{{$photo.album.name|escape}}</a></div>
 </div>
 
diff --git a/view/templates/photo_view.tpl b/view/templates/photo_view.tpl
index b85a1c2f5..8fa3de61d 100644
--- a/view/templates/photo_view.tpl
+++ b/view/templates/photo_view.tpl
@@ -12,7 +12,7 @@
 </div>
 
 {{if $prevlink}}<div id="photo-prev-link"><a href="{{$prevlink.0}}">{{$prevlink.1}}</a></div>{{/if}}
-<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" /></a></div>
+<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" /></a></div>
 {{if $nextlink}}<div id="photo-next-link"><a href="{{$nextlink.0}}">{{$nextlink.1}}</a></div>{{/if}}
 <div id="photo-photo-end"></div>
 <div id="photo-caption">{{$desc}}</div>
diff --git a/view/templates/search_item.tpl b/view/templates/search_item.tpl
index 462624957..c004fe74c 100644
--- a/view/templates/search_item.tpl
+++ b/view/templates/search_item.tpl
@@ -6,7 +6,7 @@
 			<div class="wall-item-photo-wrapper" id="wall-item-photo-wrapper-{{$item.id}}" 
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
 				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
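Review bot: The `alt="{{$item.name|escaped}}"` on the `<img>` line uses `escaped`, which is not one of Smarty's built-in modifiers (the built-in is `escape`). Unless the project registers a modifier plugin under that name, the template will likely fail to compile rather than encode the name, so it should read `alt="{{$item.name|escape}}"`. The same spelling is carried on the re-added `wall-item-name` line in the next hunk of this file and in the smoothly `search_item.tpl` and `wall_thread.tpl` hunks (`$item.name|escaped`, `$item.owner_name|escaped`), while the quattro templates in this patch already use `|escape`.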
@@ -23,12 +23,12 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}">{{$item.ago}}</div>
 				
 		</div>			
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
-			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 			{{if $item.has_cats}}
@@ -54,7 +54,7 @@
 
 	<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
 	{{if $item.conv}}
-			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'>{{$item.conv.title}}</a>
+			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'>{{$item.conv.title|escape}}</a>
 	{{/if}}
 	</div>
 
diff --git a/view/templates/settings/display.tpl b/view/templates/settings/display.tpl
index ff3e4fba6..e1a012380 100644
--- a/view/templates/settings/display.tpl
+++ b/view/templates/settings/display.tpl
@@ -21,7 +21,7 @@
 {{include file="field_checkbox.tpl" field=$infinite_scroll}}
 {{include file="field_checkbox.tpl" field=$bandwidth_saver}}
 {{include file="field_checkbox.tpl" field=$smart_threading}}
-<h2>{{$calendar_title}}</h2>
+<h2>{{$calendar_title|escape}}</h2>
 {{include file="field_select.tpl" field=$first_day_of_week}}
 
 
diff --git a/view/templates/wall_thread.tpl b/view/templates/wall_thread.tpl
index 113a93e8c..6108b80c6 100644
--- a/view/templates/wall_thread.tpl
+++ b/view/templates/wall_thread.tpl
@@ -48,7 +48,7 @@
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime|escape:'html'}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
-			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" ><span class="e-content">{{$item.body}}<span>
 			<div class="body-tag">
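Review bot: Adding `|escape` to `{{$item.title}}` is only correct if the PHP side assigns the title unencoded, and the hunk does not show that. If the title is already passed through `htmlspecialchars` or a similar step before assignment, entities will now render doubled (for example `&amp;amp;`). It is worth confirming against the code that assigns `$item.title`, and the same check applies to the other `$item.title|escape` hunks in this patch. If some callers do pre-encode, `{{$item.title|escape:'html':'UTF-8':false}}` keeps the output encoded without re-encoding existing entities.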
diff --git a/view/theme/frio/templates/admin/site.tpl b/view/theme/frio/templates/admin/site.tpl
index 10afecb66..77ae1d532 100644
--- a/view/theme/frio/templates/admin/site.tpl
+++ b/view/theme/frio/templates/admin/site.tpl
@@ -54,7 +54,7 @@
 <link rel="stylesheet" href="view/theme/frio/css/mod_admin.css" type="text/css" media="screen"/>
 
 <div id='adminpage' class="adminpage generic-page-wrapper">
-	<h1>{{$title}} - {{$page}}</h1>
+	<h1>{{$title|escape}} - {{$page}}</h1>
 	<form action="{{$baseurl}}/admin/site" method="post">
 		<input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
 		<input type='hidden' name='active_panel' value=''>
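Review bot: `{{$page}}` in the `<h1>` is left unescaped here, while the matching line in `view/templates/admin/site.tpl` in this same patch escapes both values. The two admin templates should agree: `<h1>{{$title|escape}} - {{$page|escape}}</h1>`.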
@@ -293,7 +293,7 @@
 				<div class="section-subtitle-wrapper" role="tab" id="admin-settings-worker">
 					<h4>
 						<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#admin-settings" href="#admin-settings-worker-collapse" aria-expanded="false" aria-controls="admin-settings-worker-collapse">
-							{{$worker_title}}
+							{{$worker_title|escape}}
 						</a>
 					</h4>
 				</div>
@@ -319,7 +319,7 @@
 				<div class="section-subtitle-wrapper" role="tab" id="admin-relay-corporate">
 					<h4>
 						<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#admin-settings" href="#admin-settings-relay-collapse" aria-expanded="false" aria-controls="admin-settings-relay-collapse">
-							{{$relay_title}}
+							{{$relay_title|escape}}
 						</a>
 					</h4>
 				</div>
diff --git a/view/theme/frio/templates/photo_top.tpl b/view/theme/frio/templates/photo_top.tpl
index fed29937e..c64f9b89b 100644
--- a/view/theme/frio/templates/photo_top.tpl
+++ b/view/theme/frio/templates/photo_top.tpl
@@ -1,4 +1,4 @@
-<a href="{{$photo.link}}" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title}}">
+<a href="{{$photo.link}}" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title|escape}}">
 	<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name|escape}}{{elseif $photo.desc}}{{$photo.desc|escape}}{{elseif $photo.alt}}{{$photo.alt|escape}}{{else}}{{$photo.unknown|escape}}{{/if}}" title="{{$photo.title|escape}}" id="photo-top-photo-{{$photo.id}}" />
 </a>
 
diff --git a/view/theme/frio/templates/photo_view.tpl b/view/theme/frio/templates/photo_view.tpl
index f8d12e133..e540a03f9 100644
--- a/view/theme/frio/templates/photo_view.tpl
+++ b/view/theme/frio/templates/photo_view.tpl
@@ -5,24 +5,24 @@
 
 <div id="photo-view-{{$id}}" class="generic-page-wrapper">
 	<div class="pull-left" id="photo-edit-link-wrap">
-		<a class="page-action faded-icon" id="photo-album-link" href="{{$album.0}}" title="{{$album.1}}" data-toggle="tooltip">
+		<a class="page-action faded-icon" id="photo-album-link" href="{{$album.0}}" title="{{$album.1|escape}}" data-toggle="tooltip">
 			<i class="fa fa-folder-open"></i>&nbsp;{{$album.1}}
 		</a>
 	</div>
 	<div class="pull-right" id="photo-edit-link-wrap">
 		{{if $tools}}
 		<span class="icon-padding"> </span>
-		<a id="photo-edit-link" href="{{$tools.edit.0}}" title="{{$tools.edit.1}}" data-toggle="tooltip">
+		<a id="photo-edit-link" href="{{$tools.edit.0}}" title="{{$tools.edit.1|escape}}" data-toggle="tooltip">
 			<i class="page-action faded-icon fa fa-pencil"></i>
 		</a>
 		<span class="icon-padding"> </span>
-		<a id="photo-toprofile-link" href="{{$tools.profile.0}}" title="{{$tools.profile.1}}" data-toggle="tooltip">
+		<a id="photo-toprofile-link" href="{{$tools.profile.0}}" title="{{$tools.profile.1|escape}}" data-toggle="tooltip">
 			<i class="page-action faded-icon fa fa-user"></i>
 		</a>
 		{{/if}}
 		{{if $lock}}
 		<span class="icon-padding"> </span>
-		<a id="photo-lock-link" onclick="lockview(event,'photo/{{$id}}');" title="{{$lock}}" data-toggle="tooltip">
+		<a id="photo-lock-link" onclick="lockview(event,'photo/{{$id}}');" title="{{$lock|escape}}" data-toggle="tooltip">
 			<i class="page-action faded-icon fa fa-lock"></i>
 		</a>
 		{{/if}}
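Review bot: The album name is now escaped in the `title` attribute of `#photo-album-link`, but the link text on the next line still prints `{{$album.1}}` raw. The same value therefore reaches the page unencoded in element content, where markup in an album name would be interpreted. Suggest `<i class="fa fa-folder-open"></i>&nbsp;{{$album.1|escape}}`.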
@@ -33,7 +33,7 @@
 		<div id="photo-photo">
 			{{* The photo *}}
 			<div class="photo-container">
-				<a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" alt="{{$photo.filename|escape}}"/></a>
+				<a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" alt="{{$photo.filename|escape}}"/></a>
 			</div>
 
 			{{* Overlay buttons for previous and next photo *}}
diff --git a/view/theme/frio/templates/search_item.tpl b/view/theme/frio/templates/search_item.tpl
index 88a0d2a0e..f31b7b7a4 100644
--- a/view/theme/frio/templates/search_item.tpl
+++ b/view/theme/frio/templates/search_item.tpl
@@ -52,7 +52,7 @@
 
 						{{if $item.subthread}}
 						<li role="menuitem">
-							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
+							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title|escape}}</button>
 						</li>
 						{{/if}}
 
@@ -129,7 +129,7 @@
 				{{/if}}
 
 				{{if $item.title}}
-				<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}}">{{$item.title}}</a></h4><br /></span>
+				<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}}">{{$item.title|escape}}</a></h4><br /></span>
 				{{/if}}
 
 				<div class="wall-item-body" id="wall-item-body-{{$item.id}}">{{$item.body}}</div>
diff --git a/view/theme/frio/templates/settings/display.tpl b/view/theme/frio/templates/settings/display.tpl
index cc36762dc..70307c440 100644
--- a/view/theme/frio/templates/settings/display.tpl
+++ b/view/theme/frio/templates/settings/display.tpl
@@ -89,7 +89,7 @@
 				<div class="section-subtitle-wrapper" role="tab" id="calendar-settings-title">
 					<h4>
 						<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#settings" href="#calendar-settings-content" aria-expanded="false" aria-controls="calendar-settings-content">
-							{{$calendar_title}}
+							{{$calendar_title|escape}}
 						</a>
 					</h4>
 				</div>
diff --git a/view/theme/frio/templates/theme_settings.tpl b/view/theme/frio/templates/theme_settings.tpl
index 50a8934d1..9b8322a85 100644
--- a/view/theme/frio/templates/theme_settings.tpl
+++ b/view/theme/frio/templates/theme_settings.tpl
@@ -25,7 +25,7 @@
 {{if $background_image}}{{include file="field_fileinput.tpl" field=$background_image}}{{/if}}
 
 <div id="frio_bg_image_options" style="display: none;">
-	<label>{{$bg_image_options_title}}:</label>
+	<label>{{$bg_image_options_title|escape}}:</label>
 {{foreach $bg_image_options as $options}}
 	{{include file="field_radio.tpl" field=$options}}
 {{/foreach}}
diff --git a/view/theme/frio/templates/wall_thread.tpl b/view/theme/frio/templates/wall_thread.tpl
index f90b2f72a..77fdf8dae 100644
--- a/view/theme/frio/templates/wall_thread.tpl
+++ b/view/theme/frio/templates/wall_thread.tpl
@@ -91,7 +91,7 @@ as the value of $top_child_total (this is done at the end of this file)
 				<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="dropdownMenuTools-{{$item.id}}">
 					{{if $item.plink}}	{{*link to the original source of the item *}}
 					<li role="menuitem">
-						<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title}}</a>
+						<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title|escape}}</a>
 					</li>
 					{{/if}}
 
diff --git a/view/theme/quattro/templates/photo_item.tpl b/view/theme/quattro/templates/photo_item.tpl
index 6dfacdb78..e37a7242c 100644
--- a/view/theme/quattro/templates/photo_item.tpl
+++ b/view/theme/quattro/templates/photo_item.tpl
@@ -24,7 +24,7 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			{{if $plink}}<a class="icon s16 link" title="{{$plink.title}}" href="{{$plink.href}}">{{$plink.title}}</a>{{/if}}
+			{{if $plink}}<a class="icon s16 link" title="{{$plink.title|escape}}" href="{{$plink.href}}">{{$plink.title|escape}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
@@ -69,7 +69,7 @@
 		<div class="wall-item-dislike" id="wall-item-dislike-{{$id}}">{{$dislike}}</div>
 		{{if $conv}}
 		<div class="wall-item-conv" id="wall-item-conv-{{$id}}" >
-			<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title}}'>{{$conv.title}}</a>
+			<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title|escape}}'>{{$conv.title|escape}}</a>
 		</div>
 		{{/if}}
 	</div>
diff --git a/view/theme/quattro/templates/photo_view.tpl b/view/theme/quattro/templates/photo_view.tpl
index f4a780a0a..f41fd9a96 100644
--- a/view/theme/quattro/templates/photo_view.tpl
+++ b/view/theme/quattro/templates/photo_view.tpl
@@ -10,7 +10,7 @@
 {{if $lock}} | <img src="images/lock_icon.gif" class="lockview" alt="{{$lock}}" onclick="lockview(event,'photo/{{$id}}');" /> {{/if}}
 </div>
 
-<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" /></a></div>
+<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" /></a></div>
 {{if $prevlink}}<div id="photo-prev-link"><a href="{{$prevlink.0}}">{{$prevlink.1}}</a></div>{{/if}}
 {{if $nextlink}}<div id="photo-next-link"><a href="{{$nextlink.0}}">{{$nextlink.1}}</a></div>{{/if}}
 <div id="photo-caption">{{$desc}}</div>
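Review bot: `alt="{{$lock}}"` on the lock icon at the top of this hunk is still unescaped, although the frio `photo_view.tpl` in this patch now escapes the same variable in its `title` attribute. For consistency, and so a quote in the string cannot close the attribute, use `alt="{{$lock|escape}}"`. The surrounding `<div>` starts above the hunk, so other attributes on that line were not reviewed.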
diff --git a/view/theme/quattro/templates/search_item.tpl b/view/theme/quattro/templates/search_item.tpl
index 33bf5fbb8..8e7b9ee28 100644
--- a/view/theme/quattro/templates/search_item.tpl
+++ b/view/theme/quattro/templates/search_item.tpl
@@ -22,7 +22,7 @@
 			<div class="wall-item-location">{{$item.location}}</div>
 		</div>
 		<div class="wall-item-content">
-			{{if $item.title}}<h2><a href="{{$item.plink.href}}">{{$item.title}}</a></h2>{{/if}}
+			{{if $item.title}}<h2><a href="{{$item.plink.href}}">{{$item.title|escape}}</a></h2>{{/if}}
 			<div class="wall-item-body">{{$item.body}}</div>
 		</div>
 	</div>
@@ -39,7 +39,7 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
+			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title|escape}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
diff --git a/view/theme/quattro/templates/wall_thread.tpl b/view/theme/quattro/templates/wall_thread.tpl
index 694557cca..cc6ab7d62 100644
--- a/view/theme/quattro/templates/wall_thread.tpl
+++ b/view/theme/quattro/templates/wall_thread.tpl
@@ -40,7 +40,7 @@
 			<div class="contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
 				onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
 					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				</a>
 				<a href="#" rel="#wall-item-photo-menu-{{$item.id}}" class="contact-photo-menu-button icon s16 menu" id="wall-item-photo-menu-button-{{$item.id}}">menu</a>
@@ -51,7 +51,7 @@
 			</div>
 			{{if $item.owner_url}}
 			<div class="contact-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
+				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
 					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name|escape}}" />
 				</a>
 			</div>
@@ -59,7 +59,7 @@
 			<div class="wall-item-location">{{$item.location}}</div>
 		</div>
 		<div class="wall-item-content">
-			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title}}</a></h2>{{/if}}
+			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title|escape}}</a></h2>{{/if}}
 			<span class="wall-item-body e-content {{if !$item.title}}p-name{{/if}}">{{$item.body}}</span>
 		</div>
 	</div>
@@ -85,16 +85,16 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="wall-item-links">
-			{{if $item.plink}}<a class="icon s16 link{{$item.sparkle}} u-url" title="{{$item.plink.title}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
+			{{if $item.plink}}<a class="icon s16 link{{$item.sparkle}} u-url" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title|escape}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
 				<a href="{{$item.profile_url}}" target="redir"
-                                title="{{$item.linktitle}}"
+                                title="{{$item.linktitle|escape}}"
                                 class="wall-item-name-link"><span
                                 class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a>
                                 <span class="wall-item-ago" title="{{$item.localtime}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></span>
-				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}
+				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}
 				 {{/if}}
 			</div>
 
diff --git a/view/theme/smoothly/templates/search_item.tpl b/view/theme/smoothly/templates/search_item.tpl
index 35820088b..46cbff692 100644
--- a/view/theme/smoothly/templates/search_item.tpl
+++ b/view/theme/smoothly/templates/search_item.tpl
@@ -5,7 +5,7 @@
 			<div class="wall-item-photo-wrapper mframe" id="wall-item-photo-wrapper-{{$item.id}}" 
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
 				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
@@ -29,12 +29,12 @@
 			<div class="wall-item-delete-end"></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
-			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}">{{$item.ago}}</div>
 				
 		</div>			
@@ -45,7 +45,7 @@
 
 	<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
 	{{if $item.conv}}
-			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'>{{$item.conv.title}}</a>
+			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'>{{$item.conv.title|escape}}</a>
 	{{/if}}
 	</div>
 	<div class="wall-item-wrapper-end"></div>
diff --git a/view/theme/smoothly/templates/wall_thread.tpl b/view/theme/smoothly/templates/wall_thread.tpl
index f4c4154a0..b62b077e2 100644
--- a/view/theme/smoothly/templates/wall_thread.tpl
+++ b/view/theme/smoothly/templates/wall_thread.tpl
@@ -14,7 +14,7 @@
 		<div class="wall-item-info{{if $item.owner_url}} wallwall{{/if}}" id="wall-item-info-{{$item.id}}">
 			{{if $item.owner_url}}
 			<div class="wall-item-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" title="{{$item.olinktitle}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
+				<a href="{{$item.owner_url}}" title="{{$item.olinktitle|escape}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
 				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escaped}}" /></a>
 			</div>
 			<div class="wall-item-arrowphoto-wrapper" ><img src="view/theme/smoothly/images/larrow.gif" alt="{{$item.wall}}" /></div>
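Review bot: The context line `alt="{{$item.wall}}"` at the end of this hunk is left unencoded although the `title` and `alt` attributes just above it are escaped. If `$item.wall` is a translated label rather than remote data the risk is low, but a quote in a translation would still break the markup. Writing `alt="{{$item.wall|escape}}"` keeps the attribute handling uniform.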
@@ -22,7 +22,7 @@
 			<div class="wall-item-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card" id="wall-item-photo-wrapper-{{$item.id}}"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
                 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
 				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
                 <div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
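Review bot: `{{$item.id}}` is interpolated into JavaScript in the `onmouseover`, `onmouseout` and `onclick` handlers on this hunk's context lines, including a string passed to `setTimeout`, and the HTML `escape` modifier used elsewhere in this patch is not the right encoding for that context. Presumably the id is always numeric; that assumption is worth recording in the template, e.g. `{{* $item.id is placed in inline JS below and must stay a numeric id *}}`. The wrapper element continues outside the hunk.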
@@ -46,7 +46,7 @@
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
 		<div class="wall-item-author">
-			<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link">
+			<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link">
 			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span>
 			</a>
 			<div class="wall-item-ago">&bull;</div>
@@ -56,7 +56,7 @@
 		<div>
 		<hr class="line-dots">
 		</div>
-			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" ><span class="e-content">{{$item.body}}</span>
 				<div class="body-tag">
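Review bot: `{{$item.body}}` is output raw directly below the newly escaped title, here and on the `wall-item-body` lines of two other hunks in this patch. That is presumably intentional because the body is already rendered HTML, but the template then depends entirely on sanitisation done before the value reaches it, which this patch does not show. I would state that next to the output, e.g. `{{* body is pre-rendered HTML and must be sanitised before it is assigned *}}`, so a later reader does not take the missing modifier for an oversight or add double encoding.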
@@ -99,7 +99,7 @@
 
 			{{if $item.plink}}
 			<div class="wall-item-links-wrapper">
-				<a href="{{$item.plink.href}}" title="{{$item.plink.title}}" target="external-link" class="icon remote-link u-url"></a>
+				<a href="{{$item.plink.href}}" title="{{$item.plink.title|escape}}" target="external-link" class="icon remote-link u-url"></a>
 			</div>
 			{{/if}}
 
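Review bot: The permalink anchor opens in a named window via `target="external-link"` without a `rel` attribute, so the opened page receives a `window.opener` reference back to this one. I would add `rel="noopener noreferrer"` to the changed line, next to the `target` attribute.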
diff --git a/view/theme/vier/templates/communityhome.tpl b/view/theme/vier/templates/communityhome.tpl
index b32b63804..94e2312d0 100644
--- a/view/theme/vier/templates/communityhome.tpl
+++ b/view/theme/vier/templates/communityhome.tpl
@@ -6,7 +6,7 @@
 
 {{if $comunity_profiles_title}}
 <div id="right_profiles" class="widget">
-<h3>{{$comunity_profiles_title}}</h3>
+<h3>{{$comunity_profiles_title|escape}}</h3>
 <div id='lastusers-wrapper' class='items-wrapper'>
 {{foreach $comunity_profiles_items as $i}}
 	{{$i}}
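Review bot: The heading is now escaped, but the `{{foreach ... as $i}}` loop below it prints each `{{$i}}` raw, in this hunk and in the `$lastusers_items` and `$activeusers_items` hunks. Those items look like pre-built HTML fragments, and any profile names or URLs inside them would be the remotely controlled part. Whether they are encoded where the fragments are assembled cannot be seen from this template. Once confirmed, a comment such as `{{* items are pre-rendered HTML, escaped where they are built *}}` would record that.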
@@ -44,7 +44,7 @@
 
 {{if $lastusers_title}}
 <div id="right_lastusers" class="widget">
-<h3>{{$lastusers_title}}</h3>
+<h3>{{$lastusers_title|escape}}</h3>
 <div id='lastusers-wrapper' class='items-wrapper'>
 {{foreach $lastusers_items as $i}}
 	{{$i}}
@@ -55,7 +55,7 @@
 {{/if}}
 
 {{if $activeusers_title}}
-<h3>{{$activeusers_title}}</h3>
+<h3>{{$activeusers_title|escape}}</h3>
 <div class='items-wrapper'>
 {{foreach $activeusers_items as $i}}
 	{{$i}}
diff --git a/view/theme/vier/templates/wall_thread.tpl b/view/theme/vier/templates/wall_thread.tpl
index 57ca699e3..d99061798 100644
--- a/view/theme/vier/templates/wall_thread.tpl
+++ b/view/theme/vier/templates/wall_thread.tpl
@@ -65,7 +65,7 @@
 		</div>
 
 		<div itemprop="description" class="wall-item-content">
-			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title}}</a></h2>{{/if}}
+			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title|escape}}</a></h2>{{/if}}
 			<span class="wall-item-body e-content {{if !$item.title}}p-name{{/if}}">{{$item.body}}</span>
 		</div>
 	</div>
@@ -91,7 +91,7 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="wall-item-links">
-			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title|escape}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title}}</span></i></a>{{/if}}
+			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title|escape}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title|escape}}</span></i></a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-social">