From 4f9f86e310a433d56622527be002ba2a474c5240 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 18:56:26 +0000
Subject: [PATCH 1/7] We are now escaping many template fields

---
 src/Module/Contact.php                        | 10 +--
 src/Object/Post.php                           |  6 +-
 view/templates/admin/addon_details.tpl        |  2 +-
 view/templates/admin/contactblock.tpl         |  4 +-
 view/templates/admin/users.tpl                | 16 ++--
 view/templates/hovercard.tpl                  | 14 ++--
 view/templates/profile_vcard.tpl              |  6 +-
 view/templates/vcard-widget.tpl               | 10 +--
 view/templates/wall_thread.tpl                |  8 +-
 view/templates/widget_forumlist.tpl           |  8 +-
 .../duepuntozero/templates/profile_vcard.tpl  |  4 +-
 view/theme/frio/templates/admin/addons.tpl    |  2 +-
 .../frio/templates/admin/contactblock.tpl     |  8 +-
 view/theme/frio/templates/admin/queue.tpl     | 12 +--
 view/theme/frio/templates/admin/summary.tpl   |  6 +-
 view/theme/frio/templates/admin/users.tpl     | 24 +++---
 view/theme/frio/templates/comment_item.tpl    | 14 ++--
 view/theme/frio/templates/common_tabs.tpl     |  6 +-
 view/theme/frio/templates/contact_edit.tpl    | 76 ++++++++---------
 .../theme/frio/templates/contact_template.tpl | 40 ++++-----
 view/theme/frio/templates/credits.tpl         |  4 +-
 view/theme/frio/templates/crepair.tpl         |  2 +-
 view/theme/frio/templates/event.tpl           | 10 +--
 .../frio/templates/event_stream_item.tpl      |  8 +-
 view/theme/frio/templates/events_js.tpl       |  8 +-
 view/theme/frio/templates/filebrowser.tpl     | 10 +--
 view/theme/frio/templates/intros.tpl          |  4 +-
 view/theme/frio/templates/jot.tpl             |  2 +-
 view/theme/frio/templates/like_noshare.tpl    |  2 +-
 view/theme/frio/templates/mail_conv.tpl       |  4 +-
 view/theme/frio/templates/mail_list.tpl       |  2 +-
 view/theme/frio/templates/nav.tpl             | 84 +++++++++----------
 view/theme/frio/templates/photo_item.tpl      |  2 +-
 view/theme/frio/templates/photo_top.tpl       |  2 +-
 view/theme/frio/templates/photo_view.tpl      |  4 +-
 view/theme/frio/templates/profile_entry.tpl   |  2 +-
 view/theme/frio/templates/profile_vcard.tpl   | 46 +++++-----
 view/theme/frio/templates/search_item.tpl     | 64 +++++++-------
 view/theme/frio/templates/vcard-widget.tpl    | 10 +--
 view/theme/frio/templates/wall_thread.tpl     | 76 ++++++++---------
 .../quattro/templates/contact_template.tpl    |  8 +-
 view/theme/quattro/templates/events.tpl       |  6 +-
 view/theme/quattro/templates/mail_conv.tpl    | 18 ++--
 .../theme/quattro/templates/profile_vcard.tpl |  8 +-
 view/theme/quattro/templates/search_item.tpl  | 34 ++++----
 .../theme/quattro/templates/wall_item_tag.tpl |  8 +-
 view/theme/quattro/templates/wall_thread.tpl  | 10 +--
 .../quattro/templates/widget_forumlist.tpl    |  4 +-
 view/theme/vier/templates/ch_connectors.tpl   |  2 +-
 .../vier/templates/ch_directory_item.tpl      |  2 +-
 view/theme/vier/templates/comment_item.tpl    | 16 ++--
 .../theme/vier/templates/contact_template.tpl |  6 +-
 view/theme/vier/templates/nav.tpl             | 48 +++++------
 view/theme/vier/templates/photo_item.tpl      | 30 +++----
 view/theme/vier/templates/photo_view.tpl      |  4 +-
 view/theme/vier/templates/profile_vcard.tpl   |  6 +-
 view/theme/vier/templates/search_item.tpl     | 36 ++++----
 view/theme/vier/templates/wall_item_tag.tpl   |  8 +-
 view/theme/vier/templates/wall_thread.tpl     | 60 ++++++-------
 .../vier/templates/widget_forumlist_right.tpl | 12 +--
 60 files changed, 472 insertions(+), 476 deletions(-)

diff --git a/src/Module/Contact.php b/src/Module/Contact.php
index ec7e89692..66e8c97fd 100644
--- a/src/Module/Contact.php
+++ b/src/Module/Contact.php
@@ -85,7 +85,7 @@ class Contact extends BaseModule
 
 			/// @TODO Add nice spaces
 			$vcard_widget = Renderer::replaceMacros(Renderer::getMarkupTemplate('vcard-widget.tpl'), [
-				'$name'         => htmlentities($contact['name']),
+				'$name'         => $contact['name'],
 				'$photo'        => $contact['photo'],
 				'$url'          => Model\Contact::MagicLink($contact['url']),
 				'$addr'         => defaults($contact, 'addr', ''),
@@ -639,7 +639,7 @@ class Contact extends BaseModule
 				'$ffi_keyword_blacklist' => $contact['ffi_keyword_blacklist'],
 				'$ffi_keyword_blacklist' => ['ffi_keyword_blacklist', L10n::t('Blacklisted keywords'), $contact['ffi_keyword_blacklist'], L10n::t('Comma separated list of keywords that should not be converted to hashtags, when "Fetch information and keywords" is selected')],
 				'$photo'          => $contact['photo'],
-				'$name'           => htmlentities($contact['name']),
+				'$name'           => $contact['name'],
 				'$dir_icon'       => $dir_icon,
 				'$sparkle'        => $sparkle,
 				'$url'            => $url,
@@ -1033,14 +1033,14 @@ class Contact extends BaseModule
 			'alt_text'  => $alt_text,
 			'dir_icon'  => $dir_icon,
 			'thumb'     => ProxyUtils::proxifyUrl($rr['thumb'], false, ProxyUtils::SIZE_THUMB),
-			'name'      => htmlentities($rr['name']),
-			'username'  => htmlentities($rr['name']),
+			'name'      => $rr['name'],
+			'username'  => $rr['name'],
 			'account_type' => Model\Contact::getAccountType($rr),
 			'sparkle'   => $sparkle,
 			'itemurl'   => defaults($rr, 'addr', $rr['url']),
 			'url'       => $url,
 			'network'   => ContactSelector::networkToName($rr['network'], $rr['url']),
-			'nick'      => htmlentities($rr['nick']),
+			'nick'      => $rr['nick'],
 		];
 	}
 
diff --git a/src/Object/Post.php b/src/Object/Post.php
index e7a9e6b02..50d903f02 100644
--- a/src/Object/Post.php
+++ b/src/Object/Post.php
@@ -213,7 +213,7 @@ class Post extends BaseObject
 
 		$filer = (($conv->getProfileOwner() == local_user() && ($item['uid'] != 0)) ? L10n::t("save to folder") : false);
 
-		$profile_name = htmlentities($item['author-name']);
+		$profile_name = $item['author-name'];
 		if (!empty($item['author-link']) && empty($item['author-name'])) {
 			$profile_name = $item['author-link'];
 		}
@@ -377,7 +377,7 @@ class Post extends BaseObject
 			'isevent'         => $isevent,
 			'attend'          => $attend,
 			'linktitle'       => L10n::t('View %s\'s profile @ %s', $profile_name, $item['author-link']),
-			'olinktitle'      => L10n::t('View %s\'s profile @ %s', htmlentities($this->getOwnerName()), $item['owner-link']),
+			'olinktitle'      => L10n::t('View %s\'s profile @ %s', $this->getOwnerName(), $item['owner-link']),
 			'to'              => L10n::t('to'),
 			'via'             => L10n::t('via'),
 			'wall'            => L10n::t('Wall-to-Wall'),
@@ -399,7 +399,7 @@ class Post extends BaseObject
 			'shiny'           => $shiny,
 			'owner_url'       => $this->getOwnerUrl(),
 			'owner_photo'     => $a->removeBaseURL(ProxyUtils::proxifyUrl($item['owner-avatar'], false, ProxyUtils::SIZE_THUMB)),
-			'owner_name'      => htmlentities($owner_name_e),
+			'owner_name'      => $owner_name_e,
 			'plink'           => Item::getPlink($item),
 			'edpost'          => $edpost,
 			'isstarred'       => $isstarred,
diff --git a/view/templates/admin/addon_details.tpl b/view/templates/admin/addon_details.tpl
index fb908b705..96b26d2d0 100644
--- a/view/templates/admin/addon_details.tpl
+++ b/view/templates/admin/addon_details.tpl
@@ -18,7 +18,7 @@
 	</p>
 
 	{{if $screenshot}}
-	<a href="{{$screenshot.0}}" class='screenshot'><img src="{{$screenshot.0}}" alt="{{$screenshot.1}}" /></a>
+	<a href="{{$screenshot.0}}" class='screenshot'><img src="{{$screenshot.0}}" alt="{{$screenshot.1|escape}}" /></a>
 	{{/if}}
 
 	{{if $admin_form}}
diff --git a/view/templates/admin/contactblock.tpl b/view/templates/admin/contactblock.tpl
index 152550f01..c9bfc2efd 100644
--- a/view/templates/admin/contactblock.tpl
+++ b/view/templates/admin/contactblock.tpl
@@ -32,10 +32,10 @@
 				{{foreach $contacts as $contact}}
 				<tr>
 					<td class="checkbox"><input type="checkbox" class="contacts_ckbx" id="id_contact_{{$contact.id}}" name="contacts[]" value="{{$contact.id}}"/></td>
-					<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname}}" title="{{$contact.nickname}}"></td>
+					<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname|escape}}" title="{{$contact.nickname|escape}}"></td>
 					<td class="name">{{$contact.name}}</td>
 					<td class="addr">{{$contact.addr}}</td>
-					<td class="addr"><a href="{{$contact.url}}" title="{{$contact.nickname}}" >{{$contact.url}}</a></td>
+					<td class="addr"><a href="{{$contact.url}}" title="{{$contact.nickname|escape}}" >{{$contact.url}}</a></td>
 				</tr>
 				{{/foreach}}
 			</tbody>
diff --git a/view/templates/admin/users.tpl b/view/templates/admin/users.tpl
index b2b0d615a..f06b0f973 100644
--- a/view/templates/admin/users.tpl
+++ b/view/templates/admin/users.tpl
@@ -35,8 +35,8 @@
 					<td class="email">{{$u.email}}</td>
 					<td class="checkbox"><input type="checkbox" class="pending_ckbx" id="id_pending_{{$u.hash}}" name="pending[]" value="{{$u.hash}}" /></td>
 					<td class="tools">
-						<a href="{{$baseurl}}/regmod/allow/{{$u.hash}}" title='{{$approve}}'><span class='icon like'></span></a>
-						<a href="{{$baseurl}}/regmod/deny/{{$u.hash}}" title='{{$deny}}'><span class='icon dislike'></span></a>
+						<a href="{{$baseurl}}/regmod/allow/{{$u.hash}}" title='{{$approve|escape}}'><span class='icon like'></span></a>
+						<a href="{{$baseurl}}/regmod/deny/{{$u.hash}}" title='{{$deny|escape}}'><span class='icon dislike'></span></a>
 					</td>
 				</tr>
 				<tr>
@@ -79,8 +79,8 @@
 				<tbody>
 				{{foreach $users as $u}}
 					<tr>
-						<td><img class='icon' src="{{$u.micro}}" alt="{{$u.nickname}}" title="{{$u.nickname}}"></td>
-						<td class='name'><a href="{{$u.url}}" title="{{$u.nickname}}" >{{$u.name}}</a></td>
+						<td><img class='icon' src="{{$u.micro}}" alt="{{$u.nickname|escape}}" title="{{$u.nickname|escape}}"></td>
+						<td class='name'><a href="{{$u.url}}" title="{{$u.nickname|escape}}" >{{$u.name}}</a></td>
 						<td class='email'>{{$u.email}}</td>
 						<td class='register_date'>{{$u.register_date}}</td>
 						<td class='login_date'>{{$u.login_date}}</td>
@@ -94,8 +94,8 @@
 						{{/if}}
 						<td class="tools">
 						{{if $u.is_deletable}}
-							<a href="{{$baseurl}}/admin/users/block/{{$u.uid}}?t={{$form_security_token}}" title='{{if $u.blocked}}{{$unblock}}{{else}}{{$block}}{{/if}}'><span class='icon block {{if $u.blocked==0}}dim{{/if}}'></span></a>
-							<a href="{{$baseurl}}/admin/users/delete/{{$u.uid}}?t={{$form_security_token}}" title='{{$delete}}' onclick="return confirm_delete('{{$u.name}}')"><span class='icon drop'></span></a>
+							<a href="{{$baseurl}}/admin/users/block/{{$u.uid}}?t={{$form_security_token}}" title='{{if $u.blocked}}{{$unblock|escape}}{{else}}{{$block|escape}}{{/if}}'><span class='icon block {{if $u.blocked==0}}dim{{/if}}'></span></a>
+							<a href="{{$baseurl}}/admin/users/delete/{{$u.uid}}?t={{$form_security_token}}" title='{{$delete|escape}}' onclick="return confirm_delete('{{$u.name}}')"><span class='icon drop'></span></a>
 						{{else}}
 							&nbsp;
 						{{/if}}
@@ -122,8 +122,8 @@
 				<tbody>
 				{{foreach $deleted as $u}}
 					<tr>
-						<td><img class='icon' src="{{$u.micro}}" alt="{{$u.nickname}}" title="{{$u.nickname}}"></td>
-						<td class='name'><a href="{{$u.url}}" title="{{$u.nickname}}" >{{$u.name}}</a></td>
+						<td><img class='icon' src="{{$u.micro}}" alt="{{$u.nickname|escape}}" title="{{$u.nickname|escape}}"></td>
+						<td class='name'><a href="{{$u.url}}" title="{{$u.nickname|escape}}" >{{$u.name}}</a></td>
 						<td class='email'>{{$u.email}}</td>
 						<td class='register_date'>{{$u.register_date}}</td>
 						<td class='login_date'>{{$u.login_date}}</td>
diff --git a/view/templates/hovercard.tpl b/view/templates/hovercard.tpl
index 7bf37e74b..74f270005 100644
--- a/view/templates/hovercard.tpl
+++ b/view/templates/hovercard.tpl
@@ -3,12 +3,12 @@
 		<div class="hover-card-header left-align">
 			<div class="hover-card-pic left-align">
 				<span class="image-wrapper medium">
-					<a href="{{$profile.url}}" title="{{$profile.name}}"><img href="" class="left-align thumbnail" src="{{$profile.thumb}}" alt="{{$profile.name}}"></a>
+					<a href="{{$profile.url}}" title="{{$profile.name|escape}}"><img href="" class="left-align thumbnail" src="{{$profile.thumb}}" alt="{{$profile.name|escape}}"></a>
 				</span>
 			</div>
 			<div class="hover-card-content">
 				<div class="profile-entry-name">
-					<h4 class="left-align1"><a href="{{$profile.url}}">{{$profile.name}}</a></h4>{{if $profile.account_type}}<span>{{$profile.account_type}}</span>{{/if}}
+					<h4 class="left-align1"><a href="{{$profile.url}}">{{$profile.name|escape}}</a></h4>{{if $profile.account_type}}<span>{{$profile.account_type}}</span>{{/if}}
 				</div>
 				<div class="profile-details">
 					<span class="profile-addr">{{$profile.addr}}</span>
@@ -21,13 +21,13 @@
 				{{* here are the differnt actions like privat message, poke, delete and so on *}}
 				{{* @todo we have two different photo menus one for contacts and one for items at the network stream. We currently use the contact photo menu, so the items options are missing We need to move them *}}
 				<div class="hover-card-actions-social">
-					{{if $profile.actions.pm}}<a class="btn btn-labeled btn-primary btn-sm" onclick="addToModal('{{$profile.actions.pm.1}}')" aria-label="{{$profile.actions.pm.0}}" title="{{$profile.actions.pm.0}}"><i class="fa fa-envelope" aria-hidden="true"></i></a>{{/if}}
-					{{if $profile.actions.poke}}<a class="btn btn-labeled btn-primary btn-sm" onclick="addToModal('{{$profile.actions.poke.1}}')" aria-label="{{$profile.actions.poke.0}}" title="{{$profile.actions.poke.0}}"><i class="fa fa-heartbeat" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.pm}}<a class="btn btn-labeled btn-primary btn-sm" onclick="addToModal('{{$profile.actions.pm.1}}')" aria-label="{{$profile.actions.pm.0}}" title="{{$profile.actions.pm.0|escape}}"><i class="fa fa-envelope" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.poke}}<a class="btn btn-labeled btn-primary btn-sm" onclick="addToModal('{{$profile.actions.poke.1}}')" aria-label="{{$profile.actions.poke.0}}" title="{{$profile.actions.poke.0|escape}}"><i class="fa fa-heartbeat" aria-hidden="true"></i></a>{{/if}}
 				</div>
 				<div class="hover-card-actions-connection">
-					{{if $profile.actions.network}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.network.1}}" aria-label="{{$profile.actions.network.0}}" title="{{$profile.actions.network.0}}"><i class="fa fa-cloud" aria-hidden="true"></i></a>{{/if}}
-					{{if $profile.actions.edit}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.edit.1}}" aria-label="{{$profile.actions.edit.0}}" title="{{$profile.actions.edit.0}}"><i class="fa fa-user" aria-hidden="true"></i></a>{{/if}}
-					{{if $profile.actions.follow}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.follow.1}}" aria-label="{{$profile.actions.follow.0}}" title="{{$profile.actions.follow.0}}"><i class="fa fa-user-plus" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.network}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.network.1}}" aria-label="{{$profile.actions.network.0}}" title="{{$profile.actions.network.0|escape}}"><i class="fa fa-cloud" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.edit}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.edit.1}}" aria-label="{{$profile.actions.edit.0}}" title="{{$profile.actions.edit.0|escape}}"><i class="fa fa-user" aria-hidden="true"></i></a>{{/if}}
+					{{if $profile.actions.follow}}<a class="btn btn-labeled btn-primary btn-sm" href="{{$profile.actions.follow.1}}" aria-label="{{$profile.actions.follow.0}}" title="{{$profile.actions.follow.0|escape}}"><i class="fa fa-user-plus" aria-hidden="true"></i></a>{{/if}}
 				</div>
 			</div>
 		</div>
diff --git a/view/templates/profile_vcard.tpl b/view/templates/profile_vcard.tpl
index b56dd607c..6f8e86b29 100644
--- a/view/templates/profile_vcard.tpl
+++ b/view/templates/profile_vcard.tpl
@@ -1,16 +1,16 @@
 
 <div class="vcard h-card">
 
-	<div class="fn label p-name">{{$profile.name}}</div>
+	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
 	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 
 	{{if $profile.picdate}}
-		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}"></a></div>
+		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></a></div>
 	{{else}}
-		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}" alt="{{$profile.name}}"></a></div>
+		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}" alt="{{$profile.name|escape}}"></a></div>
 	{{/if}}
 	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
 	{{if $profile.network_name}}<dl class="network"><dt class="network-label">{{$network}}</dt><dd class="x-network">{{$profile.network_name}}</dd></dl>{{/if}}
diff --git a/view/templates/vcard-widget.tpl b/view/templates/vcard-widget.tpl
index 47b64b68d..eed94193f 100644
--- a/view/templates/vcard-widget.tpl
+++ b/view/templates/vcard-widget.tpl
@@ -1,14 +1,14 @@
 
 <div class="vcard h-card">
-	<div class="fn p-name">{{$name}}</div>
-	{{if $addr}}<div class="p-addr">{{$addr}}</div>{{/if}}
+	<div class="fn p-name">{{$name|escape}}</div>
+	{{if $addr}}<div class="p-addr">{{$addr|escape}}</div>{{/if}}
 	{{if $pdesc}}<div class="title p-job-title">{{$pdesc}}</div>{{/if}}
 	{{if $url}}
-	<div id="profile-photo-wrapper"><a href="{{$url}}"><img class="vcard-photo photo u-photo" style="width: 175px; height: 175px;" src="{{$photo}}" alt="{{$name}}" /></a></div>
+	<div id="profile-photo-wrapper"><a href="{{$url}}"><img class="vcard-photo photo u-photo" style="width: 175px; height: 175px;" src="{{$photo}}" alt="{{$name|escape}}" /></a></div>
 	{{else}}
-	<div id="profile-photo-wrapper"><img class="vcard-photo photo u-photo" style="width: 175px; height: 175px;" src="{{$photo}}" alt="{{$name}}" /></div>
+	<div id="profile-photo-wrapper"><img class="vcard-photo photo u-photo" style="width: 175px; height: 175px;" src="{{$photo}}" alt="{{$name|escape}}" /></div>
 	{{/if}}
-	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
+	{{if $account_type}}<div class="account-type">{{$account_type|escape}}</div>{{/if}}
 	{{if $network_name}}<dl class="network"><dt class="network-label">{{$network}}</dt><dd class="x-network">{{$network_name}}</dd></dl>{{/if}}
 	<div id="profile-vcard-break"></div>
 </div>
diff --git a/view/templates/wall_thread.tpl b/view/templates/wall_thread.tpl
index a82efa7d1..63a8364f8 100644
--- a/view/templates/wall_thread.tpl
+++ b/view/templates/wall_thread.tpl
@@ -19,15 +19,15 @@
 			{{if $item.owner_url}}
 			<div class="wall-item-photo-wrapper wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
 				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name}}" /></a>
+				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escape}}" /></a>
 			</div>
-			<div class="wall-item-arrowphoto-wrapper" ><img src="images/larrow.gif" alt="{{$item.wall}}" /></div>
+			<div class="wall-item-arrowphoto-wrapper" ><img src="images/larrow.gif" alt="{{$item.wall|escape}}" /></div>
 			{{/if}}
 			<div class="wall-item-photo-wrapper{{if $item.owner_url}} wwfrom{{/if}} p-author h-card" id="wall-item-photo-wrapper-{{$item.id}}"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
                 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} u-photo p-name" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} u-photo p-name" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escape}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
                 <div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
                     <ul>
@@ -38,7 +38,7 @@
 			</div>
 			<div class="wall-item-photo-end"></div>
 			<div class="wall-item-wrapper" id="wall-item-wrapper-{{$item.id}}" >
-				{{if $item.lock}}<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="{{$item.lock}}" onclick="lockview(event,{{$item.id}});" /></div>
+				{{if $item.lock}}<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="{{$item.lock|escape}}" onclick="lockview(event,{{$item.id}});" /></div>
 				{{else}}<div class="wall-item-lock"></div>{{/if}}
 				<div class="wall-item-location" id="wall-item-location-{{$item.id}}">{{$item.location}}</div>
 			</div>
diff --git a/view/templates/widget_forumlist.tpl b/view/templates/widget_forumlist.tpl
index 32da71f81..da30967cd 100644
--- a/view/templates/widget_forumlist.tpl
+++ b/view/templates/widget_forumlist.tpl
@@ -21,8 +21,8 @@ function showHideForumlist() {
 		{{if $forum.id <= $visible_forums}}
 		<li class="forum-widget-entry forum-{{$forum.cid}}" id="forum-widget-entry-{{$forum.id}}" role="menuitem">
 			<span class="notify badge pull-right"></span>
-			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
-				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
+			<a href="{{$forum.external_url}}" title="{{$forum.link_desc|escape}}" class="label sparkle" target="_blank">
+				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc|escape}}" />
 			</a>
 			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
 		</li>
@@ -31,8 +31,8 @@ function showHideForumlist() {
 		{{if $forum.id > $visible_forums}}
 		<li class="forum-widget-entry forum-{{$forum.cid}}" id="forum-widget-entry-extended-{{$forum.id}}" role="menuitem" style="display: none;">
 			<span class="notify badge pull-right"></span>
-			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
-				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
+			<a href="{{$forum.external_url}}" title="{{$forum.link_desc|escape}}" class="label sparkle" target="_blank">
+				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc|escape}}" />
 			</a>
 			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
 		</li>
diff --git a/view/theme/duepuntozero/templates/profile_vcard.tpl b/view/theme/duepuntozero/templates/profile_vcard.tpl
index 186b7e449..505cf560e 100644
--- a/view/theme/duepuntozero/templates/profile_vcard.tpl
+++ b/view/theme/duepuntozero/templates/profile_vcard.tpl
@@ -1,12 +1,12 @@
 
 <div class="vcard h-card">
 
-	<div class="fn label p-name">{{$profile.name}}</div>
+	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
 	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
-	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}"></div>
+	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></div>
 
 	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
 
diff --git a/view/theme/frio/templates/admin/addons.tpl b/view/theme/frio/templates/admin/addons.tpl
index 220abdc2c..38efb62bd 100644
--- a/view/theme/frio/templates/admin/addons.tpl
+++ b/view/theme/frio/templates/admin/addons.tpl
@@ -12,7 +12,7 @@
 			<li class="addon {{$p.1}}">
 				<span class="offset-anchor" id="{{$p.0}}"></span>
 				<a class='toggleaddon' href='{{$baseurl}}/admin/{{$function}}/{{$p.0}}?a=t&amp;t={{$form_security_token}}#{{$p.0}}' title="{{if $p.1==on}}Disable{{else}}Enable{{/if}}" ><span class='icon {{$p.1}}'></span></a>
-				<a href='{{$baseurl}}/admin/{{$function}}/{{$p.0}}'><span class='name'>{{$p.2.name}}</span></a> - <span class="version">{{$p.2.version}}</span>
+				<a href='{{$baseurl}}/admin/{{$function}}/{{$p.0}}'><span class='name'>{{$p.2.name|escape}}</span></a> - <span class="version">{{$p.2.version}}</span>
 				{{if $p.2.experimental}} {{$experimental}} {{/if}}{{if $p.2.unsupported}} {{$unsupported}} {{/if}}
 				<div class='desc'>{{$p.2.description}}</div>
 			</li>
diff --git a/view/theme/frio/templates/admin/contactblock.tpl b/view/theme/frio/templates/admin/contactblock.tpl
index 3173c238b..3ac9a2517 100644
--- a/view/theme/frio/templates/admin/contactblock.tpl
+++ b/view/theme/frio/templates/admin/contactblock.tpl
@@ -67,9 +67,9 @@
 											<label for="id_contact_{{$contact.id}}"></label>
 										</div>
 									</td>
-									<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname}}" title="{{$contact.addr}}"></td>
-									<td class="name">{{$contact.name}}</td>
-									<td class="addr" colspan="3"><a href="{{$contact.url}}" title="{{$contact.addr}}" >{{$contact.url}}</a></td>
+									<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname|escape}}" title="{{$contact.addr|escape}}"></td>
+									<td class="name">{{$contact.name|escape}}</td>
+									<td class="addr" colspan="3"><a href="{{$contact.url}}" title="{{$contact.addr|escape}}" >{{$contact.url|escape}}</a></td>
 								</tr>
 							{{/foreach}}
 						</tbody>
@@ -78,7 +78,7 @@
 								<td>
 									{{* Checkbox to select all blocked contacts *}}
 									<div class="checkbox">
-										<input type="checkbox" id="contactblock-select" class="selecttoggle contacts_ckbx" data-select-class="contacts_ckbx" data-select-all="{{$select_all}}" data-select-none="{{$select_none}}" title="{{$select_all}}"/>
+										<input type="checkbox" id="contactblock-select" class="selecttoggle contacts_ckbx" data-select-class="contacts_ckbx" data-select-all="{{$select_all}}" data-select-none="{{$select_none}}" title="{{$select_all|escape}}"/>
 										<label for="contactblock-select"></label>
 									</div>
 								</td>
diff --git a/view/theme/frio/templates/admin/queue.tpl b/view/theme/frio/templates/admin/queue.tpl
index dde386399..3ebe89052 100644
--- a/view/theme/frio/templates/admin/queue.tpl
+++ b/view/theme/frio/templates/admin/queue.tpl
@@ -13,12 +13,12 @@
 		</tr>
 		{{foreach $entries as $e}}
 		<tr>
-			<td>{{$e.id}}</td>
-			<td>{{$e.name}}</td>
-			<td><a href="{{$e.nurl}}">{{$e.nurl}}</a></td>
-			<td>{{$e.network}}</td>
-			<td>{{$e.created}}</td>
-			<td>{{$e.last}}</td>
+			<td>{{$e.id|escape}}</td>
+			<td>{{$e.name|escape}}</td>
+			<td><a href="{{$e.nurl}}">{{$e.nurl|escape}}</a></td>
+			<td>{{$e.network|escape}}</td>
+			<td>{{$e.created|escape}}</td>
+			<td>{{$e.last|escape}}</td>
 		</tr>
 		{{/foreach}}
 	</table>
diff --git a/view/theme/frio/templates/admin/summary.tpl b/view/theme/frio/templates/admin/summary.tpl
index 66afda721..c2bbf49a7 100644
--- a/view/theme/frio/templates/admin/summary.tpl
+++ b/view/theme/frio/templates/admin/summary.tpl
@@ -54,14 +54,14 @@
 		{{* The Friendica version. *}}
 		<div id="admin-summary-version" class="col-lg-12 col-md-12 col-sm-12 col-xs-12 admin-summary">
 			<hr class="admin-summary-separator">
-			<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 admin-summary-label-name text-muted">{{$version.0}}</div>
-			<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12 admin-summary-entry">{{$platform}} '{{$codename}}' {{$version.1}} - {{$build}}</div>
+			<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 admin-summary-label-name text-muted">{{$version.0|escape}}</div>
+			<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12 admin-summary-entry">{{$platform}} '{{$codename|escape}}' {{$version.1|escape}} - {{$build|escape}}</div>
 		</div>
 
 		{{* Server Settings. *}}
 		<div id="admin-summary-php" class="col-lg-12 col-md-12 col-sm-12 col-xs-12 admin-summary">
 			<hr class="admin-summary-separator">
-			<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 admin-summary-label-name text-muted">{{$serversettings.label}}</div>
+			<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 admin-summary-label-name text-muted">{{$serversettings.label|escape}}</div>
 			<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12 admin-summary-entry">
 				<table class="table">
 				<tbody>
diff --git a/view/theme/frio/templates/admin/users.tpl b/view/theme/frio/templates/admin/users.tpl
index 92ef9be6f..031ffd0a4 100644
--- a/view/theme/frio/templates/admin/users.tpl
+++ b/view/theme/frio/templates/admin/users.tpl
@@ -46,11 +46,11 @@
 									</div>
 								</td>
 								<td>{{$u.created}}</td>
-								<td>{{$u.name}}</td>
+								<td>{{$u.name|escape}}</td>
 								<td>{{$u.email}}</td>
 								<td>
-									<a href="{{$baseurl}}/regmod/allow/{{$u.hash}}" class="admin-settings-action-link" title="{{$approve}}"><i class="fa fa-check" aria-hidden="true"></i></a>
-									<a href="{{$baseurl}}/regmod/deny/{{$u.hash}}" class="admin-settings-action-link" title="{{$deny}}"><i class="fa fa-trash-o" aria-hidden="true"></i></a>
+									<a href="{{$baseurl}}/regmod/allow/{{$u.hash}}" class="admin-settings-action-link" title="{{$approve|escape}}"><i class="fa fa-check" aria-hidden="true"></i></a>
+									<a href="{{$baseurl}}/regmod/deny/{{$u.hash}}" class="admin-settings-action-link" title="{{$deny|escape}}"><i class="fa fa-trash-o" aria-hidden="true"></i></a>
 								</td>
 							</tr>
 							{{if $u.note}}
@@ -145,8 +145,8 @@
 								&nbsp;
 								{{/if}}
 								</td>
-								<td><img class="avatar-nano" src="{{$u.micro}}" title="{{$u.nickname}}"></td>
-								<td><a href="{{$u.url}}" title="{{$u.nickname}}"> {{$u.name}}</a></td>
+								<td><img class="avatar-nano" src="{{$u.micro}}" title="{{$u.nickname|escape}}"></td>
+								<td><a href="{{$u.url}}" title="{{$u.nickname|escape}}"> {{$u.name|escape}}</a></td>
 								<td>{{$u.email}}</td>
 								{{if $order_users == $th_users.2.1}}
 								<td>{{$u.register_date}}</td>
@@ -169,18 +169,18 @@
 										{{if $u.page_flags_raw==3}}fa-heart{{/if}}		{{* PAGE_FREELOVE *}}
 										{{if $u.page_flags_raw==4}}fa-rss{{/if}}		{{* PAGE_BLOG *}}
 										{{if $u.page_flags_raw==5}}fa-user-secret{{/if}}	{{* PAGE_PRVGROUP *}}
-										" title="{{$u.page_flags}}">
+										" title="{{$u.page_flags|escape}}">
 									</i>
 									{{if $u.page_flags_raw==0 && $u.account_type_raw > 0}}
 									<i class="fa
 										{{if $u.account_type_raw==1}}fa-sitemap{{/if}}		{{* ACCOUNT_TYPE_ORGANISATION *}}
 										{{if $u.account_type_raw==2}}fa-newspaper-o{{/if}}	{{* ACCOUNT_TYPE_NEWS *}}
 										{{if $u.account_type_raw==3}}fa-comments{{/if}}		{{* ACCOUNT_TYPE_COMMUNITY *}}
-										" title="{{$u.account_type}}">
+										" title="{{$u.account_type|escape}}">
 									</i>
 									{{/if}}
-									{{if $u.is_admin}}<i class="fa fa-user-md text-primary" title="{{$siteadmin}}"></i>{{/if}}
-									{{if $u.account_expired}}<i class="fa fa-clock-o text-warning" title="{{$accountexpired}}"></i>{{/if}}
+									{{if $u.is_admin}}<i class="fa fa-user-md text-primary" title="{{$siteadmin|escape}}"></i>{{/if}}
+									{{if $u.account_expired}}<i class="fa fa-clock-o text-warning" title="{{$accountexpired|escape}}"></i>{{/if}}
 								</td>
 								{{/if}}
 
@@ -229,7 +229,7 @@
 										<i class="fa fa-circle-o" aria-hidden="true"></i>
 										{{/if}}
 									</a>
-									<a href="{{$baseurl}}/admin/users/delete/{{$u.uid}}?t={{$form_security_token}}" class="admin-settings-action-link" title="{{$delete}}" onclick="return confirm_delete('{{$confirm_delete}}','{{$u.name}}')">
+									<a href="{{$baseurl}}/admin/users/delete/{{$u.uid}}?t={{$form_security_token}}" class="admin-settings-action-link" title="{{$delete|escape}}" onclick="return confirm_delete('{{$confirm_delete}}','{{$u.name|escape}}')">
 										<i class="fa fa-trash" aria-hidden="true"></i>
 									</a>
 									{{else}}
@@ -297,8 +297,8 @@
 						<tbody>
 						{{foreach $deleted as $u}}
 							<tr>
-								<td><img class="avatar-nano" src="{{$u.micro}}" title="{{$u.nickname}}"></td>
-								<td><a href="{{$u.url}}" title="{{$u.nickname}}" >{{$u.name}}</a></td>
+								<td><img class="avatar-nano" src="{{$u.micro}}" title="{{$u.nickname|escape}}"></td>
+								<td><a href="{{$u.url}}" title="{{$u.nickname|escape}}" >{{$u.name|escape}}</a></td>
 								<td>{{$u.email}}</td>
 								<td>{{$u.deleted}}</td>
 							</tr>
diff --git a/view/theme/frio/templates/comment_item.tpl b/view/theme/frio/templates/comment_item.tpl
index 4ef5f2caa..804d07ac0 100644
--- a/view/theme/frio/templates/comment_item.tpl
+++ b/view/theme/frio/templates/comment_item.tpl
@@ -33,37 +33,37 @@
 			{{/if}}
 			<ul class="comment-edit-bb-{{$id}} comment-icon-list nav nav-pills pull-right">
 				<li>
-					<button type="button" class="btn-link icon bb-img" style="cursor: pointer;" aria-label="{{$edimg}}" title="{{$edimg}}" data-role="insert-formatting" data-bbcode="img" data-id="{{$id}}">
+					<button type="button" class="btn-link icon bb-img" style="cursor: pointer;" aria-label="{{$edimg}}" title="{{$edimg|escape}}" data-role="insert-formatting" data-bbcode="img" data-id="{{$id}}">
 						<i class="fa fa-picture-o"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon bb-url" style="cursor: pointer;" aria-label="{{$edurl}}" title="{{$edurl}}" onclick="insertFormatting('url',{{$id}});">
+					<button type="button" class="btn-link icon bb-url" style="cursor: pointer;" aria-label="{{$edurl}}" title="{{$edurl|escape}}" onclick="insertFormatting('url',{{$id}});">
 						<i class="fa fa-link"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon" style="cursor: pointer;" aria-label="{{$edattach}}" title="{{$edattach}}" ondragenter="return commentLinkDrop(event, {{$id}});" ondragover="return commentLinkDrop(event, {{$id}});" ondrop="commentLinkDropper(event);" onclick="commentGetLink({{$id}}, '{{$prompttext}}');">
+					<button type="button" class="btn-link icon" style="cursor: pointer;" aria-label="{{$edattach}}" title="{{$edattach|escape}}" ondragenter="return commentLinkDrop(event, {{$id}});" ondragover="return commentLinkDrop(event, {{$id}});" ondrop="commentLinkDropper(event);" onclick="commentGetLink({{$id}}, '{{$prompttext}}');">
 						<i class="fa fa-paperclip"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon underline" style="cursor: pointer;" aria-label="{{$eduline}}" title="{{$eduline}}" onclick="insertFormatting('u',{{$id}});">
+					<button type="button" class="btn-link icon underline" style="cursor: pointer;" aria-label="{{$eduline}}" title="{{$eduline|escape}}" onclick="insertFormatting('u',{{$id}});">
 						<i class="fa fa-underline"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon italic" style="cursor: pointer;" aria-label="{{$editalic}}" title="{{$editalic}}" onclick="insertFormatting('i',{{$id}});">
+					<button type="button" class="btn-link icon italic" style="cursor: pointer;" aria-label="{{$editalic}}" title="{{$editalic|escape}}" onclick="insertFormatting('i',{{$id}});">
 						<i class="fa fa-italic"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon bold" style="cursor: pointer;" aria-label="{{$edbold}}" title="{{$edbold}}" onclick="insertFormatting('b',{{$id}});">
+					<button type="button" class="btn-link icon bold" style="cursor: pointer;" aria-label="{{$edbold}}" title="{{$edbold|escape}}" onclick="insertFormatting('b',{{$id}});">
 						<i class="fa fa-bold"></i>
 					</button>
 				</li>
 				<li>
-					<button type="button" class="btn-link icon quote" style="cursor: pointer;" aria-label="{{$edquote}}" title="{{$edquote}}" onclick="insertFormatting('quote',{{$id}});">
+					<button type="button" class="btn-link icon quote" style="cursor: pointer;" aria-label="{{$edquote}}" title="{{$edquote|escape}}" onclick="insertFormatting('quote',{{$id}});">
 						<i class="fa fa-quote-left"></i>
 					</button>
 				</li>
diff --git a/view/theme/frio/templates/common_tabs.tpl b/view/theme/frio/templates/common_tabs.tpl
index 76c6db039..207ffefcb 100644
--- a/view/theme/frio/templates/common_tabs.tpl
+++ b/view/theme/frio/templates/common_tabs.tpl
@@ -6,7 +6,7 @@
 		<li>
 			<ul class="tabs  flex-nav" role="menu" >
 			{{foreach $tabs as $tab}}
-				<li id="{{$tab.id}}" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.accesskey}}accesskey="{{$tab.accesskey}}"{{/if}} {{if $tab.title}} title="{{$tab.title}}"{{/if}}>{{$tab.label}}</a></li>
+				<li id="{{$tab.id}}" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.accesskey}}accesskey="{{$tab.accesskey}}"{{/if}} {{if $tab.title}} title="{{$tab.title|escape}}"{{/if}}>{{$tab.label}}</a></li>
 			{{/foreach}}
 			</ul>
 		</li>
@@ -31,7 +31,7 @@
 			<ul class="tabs" role="menu">
 				{{foreach $tabs as $tab}}
 					{{if $tab.sel}}
-					<li id="{{$tab.id}}-xs" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.title}} title="{{$tab.title}}"{{/if}}>{{$tab.label}}</a></li>
+					<li id="{{$tab.id}}-xs" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.title}} title="{{$tab.title|escape}}"{{/if}}>{{$tab.label}}</a></li>
 					{{else}}
 					{{$exttabs[]=$tab}}
 					{{/if}}
@@ -50,7 +50,7 @@
 					</button>
 					<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="dropdownMenuTools">
 						{{foreach $exttabs as $tab}}
-						<li id="{{$tab.id}}-xs" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.title}} title="{{$tab.title}}"{{/if}}>{{$tab.label}}</a></li>
+						<li id="{{$tab.id}}-xs" role="presentation" {{if $tab.sel}} class="{{$tab.sel}}" {{/if}}><a role="menuitem" href="{{$tab.url}}" {{if $tab.title}} title="{{$tab.title|escape}}"{{/if}}>{{$tab.label}}</a></li>
 						{{/foreach}}
 					</ul>
 				</li>
diff --git a/view/theme/frio/templates/contact_edit.tpl b/view/theme/frio/templates/contact_edit.tpl
index 04426eeb1..e7d90ca28 100644
--- a/view/theme/frio/templates/contact_edit.tpl
+++ b/view/theme/frio/templates/contact_edit.tpl
@@ -1,6 +1,6 @@
 
 <div class="generic-page-wrapper">
-	{{if $header}}<h3>{{$header}}:&nbsp;{{$name}}{{if $account_type}}&nbsp;<small>({{$account_type}})</small>{{/if}}</h3>{{/if}}
+	{{if $header}}<h3>{{$header|escape}}:&nbsp;{{$name|escape}}{{if $account_type}}&nbsp;<small>({{$account_type|escape}})</small>{{/if}}</h3>{{/if}}
 
 	<div id="contact-edit-wrapper" >
 
@@ -19,15 +19,15 @@
 						</button>
 
 						<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="contact-edit-actions-button" aria-haspopup="true" id="contact-actions-menu" >
-							{{if $lblsuggest}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.suggest.url}}" title="{{$contact_actions.suggest.title}}">{{$contact_actions.suggest.label}}</a></li>{{/if}}
-							{{if $poll_enabled}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.update.url}}" title="{{$contact_actions.update.title}}">{{$contact_actions.update.label}}</a></li>{{/if}}
+							{{if $lblsuggest}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.suggest.url}}" title="{{$contact_actions.suggest.title|escape}}">{{$contact_actions.suggest.label|escape}}</a></li>{{/if}}
+							{{if $poll_enabled}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.update.url}}" title="{{$contact_actions.update.title|escape}}">{{$contact_actions.update.label|escape}}</a></li>{{/if}}
 							{{if $lblsuggest || $poll_enabled}}
 							<li role="presentation" class="divider"></li>
 							{{/if}}
-							<li role="presentation"><a role="menuitem" href="{{$contact_actions.block.url}}" title="{{$contact_actions.block.title}}">{{$contact_actions.block.label}}</a></li>
-							<li role="presentation"><a role="menuitem" href="{{$contact_actions.ignore.url}}" title="{{$contact_actions.ignore.title}}">{{$contact_actions.ignore.label}}</a></li>
-							{{if $contact_actions.archive.url}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.archive.url}}" title="{{$contact_actions.archive.title}}">{{$contact_actions.archive.label}}</a></li>{{/if}}
-							{{if $contact_actions.delete.url}}<li role="presentation"><button role="menuitem" type="button" class="btn-link" title="{{$contact_actions.delete.title}}" onclick="addToModal('{{$contact_actions.delete.url}}?confirm=1');">{{$contact_actions.delete.label}}</button></li>{{/if}}
+							<li role="presentation"><a role="menuitem" href="{{$contact_actions.block.url}}" title="{{$contact_actions.block.title|escape}}">{{$contact_actions.block.label|escape}}</a></li>
+							<li role="presentation"><a role="menuitem" href="{{$contact_actions.ignore.url}}" title="{{$contact_actions.ignore.title|escape}}">{{$contact_actions.ignore.label|escape}}</a></li>
+							{{if $contact_actions.archive.url}}<li role="presentation"><a role="menuitem" href="{{$contact_actions.archive.url}}" title="{{$contact_actions.archive.title|escape}}">{{$contact_actions.archive.label|escape}}</a></li>{{/if}}
+							{{if $contact_actions.delete.url}}<li role="presentation"><button role="menuitem" type="button" class="btn-link" title="{{$contact_actions.delete.title|escape}}" onclick="addToModal('{{$contact_actions.delete.url}}?confirm=1');">{{$contact_actions.delete.label|escape}}</button></li>{{/if}}
 						</ul>
 					</li>
 				</ul>
@@ -35,35 +35,35 @@
 
 
 				<div id="contact-edit-status-wrapper">
-					<span id="contact-edit-contact-status">{{$contact_status}}</span>
+					<span id="contact-edit-contact-status">{{$contact_status|escape}}</span>
 
 					{{* Block with status information about the contact *}}
 					<ul>
-						{{if $relation_text}}<li><div id="contact-edit-rel">{{$relation_text}}</div></li>{{/if}}
-						{{if $nettype}}<li><div id="contact-edit-nettype">{{$nettype}}</div></li>{{/if}}
+						{{if $relation_text}}<li><div id="contact-edit-rel">{{$relation_text|escape}}</div></li>{{/if}}
+						{{if $nettype}}<li><div id="contact-edit-nettype">{{$nettype|escape}}</div></li>{{/if}}
 
 						{{if $poll_enabled}}
-							<li><div id="contact-edit-last-update-text">{{$lastupdtext}} <span id="contact-edit-last-updated">{{$last_update}}</span></div>
+							<li><div id="contact-edit-last-update-text">{{$lastupdtext|escape}} <span id="contact-edit-last-updated">{{$last_update|escape}}</span></div>
 							{{if $poll_interval}}
 								<form id="contact-edit-poll-form" action="/contact/{{$contact_id}}" method="post"> 
-									<span id="contact-edit-poll-text">{{$updpub}}</span> {{$poll_interval}}
+									<span id="contact-edit-poll-text">{{$updpub|escape}}</span> {{$poll_interval}}
 									<input class="btn btn-primary" type="submit" name="submit" value="{{$submit|escape:'html'}}" />
 								</form>
 							{{/if}}
 							</li>
 						{{/if}}
 
-						{{if $lost_contact}}<li><div id="lost-contact-message">{{$lost_contact}}</div></li>{{/if}}
-						{{if $insecure}}<li><div id="insecure-message">{{$insecure}}</div></li>	{{/if}}
-						{{if $blocked && !$pending}}<li><div id="block-message">{{$blocked}}</div></li>{{/if}}
-						{{if $pending}}<li><div id="pending-message">{{$pending}}</div></li>{{/if}}
-						{{if $ignored}}<li><div id="ignore-message">{{$ignored}}</div></li>{{/if}}
-						{{if $archived}}<li><div id="archive-message">{{$archived}}</div></li>{{/if}}
+						{{if $lost_contact}}<li><div id="lost-contact-message">{{$lost_contact|escape}}</div></li>{{/if}}
+						{{if $insecure}}<li><div id="insecure-message">{{$insecure|escape}}</div></li>	{{/if}}
+						{{if $blocked && !$pending}}<li><div id="block-message">{{$blocked|escape}}</div></li>{{/if}}
+						{{if $pending}}<li><div id="pending-message">{{$pending|escape}}</div></li>{{/if}}
+						{{if $ignored}}<li><div id="ignore-message">{{$ignored|escape}}</div></li>{{/if}}
+						{{if $archived}}<li><div id="archive-message">{{$archived|escape}}</div></li>{{/if}}
 					</ul>
 
 					<ul>
-						<!-- <li><a href="network/0?nets=all&cid={{$contact_id}}" id="contact-edit-view-recent">{{$lblrecent}}</a></li> -->
-						{{if $follow}}<li><div id="contact-edit-follow"><a href="{{$follow}}">{{$follow_text}}</a></div></li>{{/if}}
+						<!-- <li><a href="network/0?nets=all&cid={{$contact_id}}" id="contact-edit-view-recent">{{$lblrecent|escape}}</a></li> -->
+						{{if $follow}}<li><div id="contact-edit-follow"><a href="{{$follow}}">{{$follow_text|escape}}</a></div></li>{{/if}}
 					</ul>
 				</div> {{* End of contact-edit-status-wrapper *}}
 
@@ -83,38 +83,38 @@
 						<div id="contact-edit-profile-collapse" class="panel-collapse collapse in" role="tabpanel" aria-labelledby="contact-edit-profile">
 							<div class="section-content-tools-wrapper">
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$profileurllabel}}</div><a target="blank" href="{{$url}}">{{$profileurl}}</a>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$profileurllabel|escape}}</div><a target="blank" href="{{$url}}">{{$profileurl|escape}}</a>
 								</div>
 
 								{{if $location}}
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
 									<hr class="profile-separator">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$location_label}}</div>
-									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$location}}</div>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$location_label|escape}}</div>
+									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$location|escape}}</div>
 								</div>
 								{{/if}}
 
 								{{if $xmpp}}
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
 									<hr class="profile-separator">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$xmpp_label}}</div>
-									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$xmpp}}</div>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$xmpp_label|escape}}</div>
+									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$xmpp|escape}}</div>
 								</div>
 								{{/if}}
 
 								{{if $keywords}}
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
 									<hr class="profile-separator">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$keywords_label}}</div>
-									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$keywords}}</div>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$keywords_label|escape}}</div>
+									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$keywords|escape}}</div>
 								</div>
 								{{/if}}
 
 								{{if $about}}
 								<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
 									<hr class="profile-separator">
-									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$about_label}}</div>
-									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$about}}</div>
+									<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12 text-muted">{{$about_label|escape}}</div>
+									<div class="col-lg-8 col-md-8 col-sm-8 col-xs-12">{{$about|escape}}</div>
 								</div>
 								{{/if}}
 							</div>
@@ -127,14 +127,14 @@
 						<div class="section-subtitle-wrapper" role="tab" id="contact-edit-settings">
 							<h4>
 								<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#contact-edit-tools" href="#contact-edit-settings-collapse" aria-expanded="false" aria-controls="contact-edit-settings-collapse">
-									{{$contact_settings_label}}
+									{{$contact_settings_label|escape}}
 								</a>
 							</h4>
 						</div>
 						<div id="contact-edit-settings-collapse" class="panel-collapse collapse" role="tabpanel" aria-labelledby="contact-edit-settings">
 							<div class="section-content-tools-wrapper">
 
-								<input type="hidden" name="contact_id" value="{{$contact_id}}">
+								<input type="hidden" name="contact_id" value="{{$contact_id|escape}}">
 
 								{{include file="field_checkbox.tpl" field=$notify}}
 								{{if $fetch_further_information}}
@@ -144,7 +144,7 @@
 								{{include file="field_checkbox.tpl" field=$hidden}}
 
 								<div class="form-group pull-right settings-submit-wrapper" >
-									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit}}</button>
+									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit|escape}}</button>
 								</div>
 								<div class="clear"></div>
 							</div>
@@ -157,7 +157,7 @@
 						<div class="section-subtitle-wrapper" role="tab" id="contact-edit-info">
 							<h4>
 								<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#contact-edit-tools" href="#contact-edit-info-collapse" aria-expanded="false" aria-controls="contact-edit-info-collapse">
-									{{$lbl_info1}}
+									{{$lbl_info1|escape}}
 								</a>
 							</h4>
 						</div>
@@ -167,11 +167,11 @@
 								{{include file="field_textarea.tpl" field=$cinfo}}
 
 								<div class="form-group pull-right settings-submit-wrapper" >
-									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit}}</button>
+									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit|escape}}</button>
 								</div>
 								<div class="clear"></div>
 								{{if $reason}}
-								<h4>{{$lbl_info2}}</h4>
+								<h4>{{$lbl_info2|escape}}</h4>
 								<p>{{$reason}}</p>
 								<div class="clear"></div>
 								{{/if}}
@@ -184,7 +184,7 @@
 						<div class="section-subtitle-wrapper" role="tab" id="contact-edit-profile-select">
 							<h4>
 								<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#contact-edit-tools" href="#contact-edit-profile-select-collapse" aria-expanded="false" aria-controls="contact-edit-profile-select-collapse">
-									{{$lbl_vis1}}
+									{{$lbl_vis1|escape}}
 								</a>
 							</h4>
 						</div>
@@ -192,7 +192,7 @@
 							<div class="section-content-tools-wrapper">
 								{{if $profile_select}}
 									<div id="contact-edit-profile-select-text">
-										<p>{{$lbl_vis2}}</p>
+										<p>{{$lbl_vis2|escape}}</p>
 									</div>
 									<div class="form-group">
 									{{$profile_select}}
@@ -201,7 +201,7 @@
 								{{/if}}
 
 								<div class="form-group pull-right settings-submit-wrapper" >
-									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit}}</button>
+									<button type="submit" name="submit" class="btn btn-primary" value="{{$submit|escape:'html'}}">{{$submit|escape}}</button>
 								</div>
 								<div class="clear"></div>
 							</div>
diff --git a/view/theme/frio/templates/contact_template.tpl b/view/theme/frio/templates/contact_template.tpl
index e1c0a7700..4f07ad2b1 100644
--- a/view/theme/frio/templates/contact_template.tpl
+++ b/view/theme/frio/templates/contact_template.tpl
@@ -6,14 +6,14 @@
 			<div class="contact-entry-photo mframe" id="contact-entry-photo-{{$contact.id}}">
 
 				<div class="contact-photo-image-wrapper hidden-xs">
-					<img class="contact-photo media-object xl" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" />
+					<img class="contact-photo media-object xl" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" />
 				</div>
 
 				{{* For very small displays we use a drobdown menu for contact relating actions *}}
 				<button type="button" class="btn btn-link dropdown-toggle visible-xs" id="contact-photo-menu-button-{{$contact.id}}" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
 					{{* use a smaller picture on very small displays (e.g. mobiles) *}}
 					<div class="contact-photo-image-wrapper visible-xs">
-						<img class="contact-photo-xs media-object" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" />
+						<img class="contact-photo-xs media-object" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" />
 
 						{{* Overlay background on hover the avatar picture *}}
 						<div class="contact-photo-overlay">
@@ -44,37 +44,37 @@
 			{{* The contact actions like private mail, delete contact, edit contact and so on *}}
 			<div class="contact-actions pull-right nav-pills preferences hidden-xs">
 				{{if $contact.photo_menu.pm}}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.pm.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.pm.0}}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.pm.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.pm.0|escape}}">
 					<i class="fa fa-envelope" aria-hidden="true"></i>
 				</button>
 				{{/if}}
 				{{if $contact.photo_menu.poke}}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.poke.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.poke.0}}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.poke.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.poke.0|escape}}">
 					<i class="fa fa-heartbeat" aria-hidden="true"></i>
 				</button>
 				{{/if}}
 				{{if $contact.photo_menu.network}}
-				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.network.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.network.0}}">
+				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.network.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.network.0|escape}}">
 					<i class="fa fa-cloud" aria-hidden="true"></i>
 				</a>
 				{{/if}}
 				{{if $contact.photo_menu.edit}}
-				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.edit.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.edit.0}}">
+				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.edit.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.edit.0|escape}}">
 					<i class="fa fa-user" aria-hidden="true"></i>
 				</a>
 				{{/if}}
 				{{if $contact.photo_menu.drop}}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.drop.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.drop.0}}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{{$contact.photo_menu.drop.1}}'); return false;" data-toggle="tooltip" title="{{$contact.photo_menu.drop.0|escape}}">
 					<i class="fa fa-user-times" aria-hidden="true"></i>
 				</button>
 				{{/if}}
 				{{if $contact.photo_menu.follow}}
-				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.follow.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.follow.0}}">
+				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.follow.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.follow.0|escape}}">
 					<i class="fa fa-user-plus" aria-hidden="true"></i>
 				</a>
 				{{/if}}
 				{{if $contact.photo_menu.hide}}
-				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.hide.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.hide.0}}">
+				<a class="contact-action-link btn-link" href="{{$contact.photo_menu.hide.1}}" data-toggle="tooltip" title="{{$contact.photo_menu.hide.0|escape}}">
 					<i class="fa fa-times" aria-hidden="true"></i>
 				</a>
 				{{/if}}
@@ -84,7 +84,7 @@
 			{{* The button to add or remove contacts from a contact group - group edit page *}}
 			{{if $contact.change_member}}
 			<div class="contact-group-actions pull-right nav-pills preferences">
-				<button type="button" class="contact-action-link contact-group-link btn-link" onclick="groupChangeMember({{$contact.change_member.gid}},{{$contact.change_member.cid}},'{{$contact.change_member.sec_token}}'); return true;" data-toggle="tooltip" title="{{$contact.change_member.title}}">
+				<button type="button" class="contact-action-link contact-group-link btn-link" onclick="groupChangeMember({{$contact.change_member.gid}},{{$contact.change_member.cid}},'{{$contact.change_member.sec_token}}'); return true;" data-toggle="tooltip" title="{{$contact.change_member.title|escape}}">
 					{{if $contact.label == "members"}}
 					<i class="fa fa-times-circle" aria-hidden="true"></i>
 					{{elseif $contact.label == "contacts"}}
@@ -97,7 +97,7 @@
 			{{* The contact description (e.g. Name, Network, kind of connection and so on *}}
 			<div class="contact-entry-desc">
 				<div class="contact-entry-name" id="contact-entry-name-{{$contact.id}}">
-					<h4 class="media-heading"><a href="{{$contact.url}}">{{$contact.name}}</a>
+					<h4 class="media-heading"><a href="{{$contact.url}}">{{$contact.name|escape}}</a>
 					{{if $contact.account_type}} <small class="contact-entry-details" id="contact-entry-accounttype-{{$contact.id}}">({{$contact.account_type}})</small>{{/if}}
 					{{if $contact.account_type == 'Forum'}}<i class="fa fa-comments-o" aria-hidden="true"></i>{{/if}}
 					{{* @todo this needs some changing in core because $contact.account_type contains a translated string which may notbe the same in every language *}}
@@ -133,14 +133,14 @@ We use this part to filter the contacts with jquery.textcomplete *}}
 			<div class="contact-entry-photo mframe" id="contact-entry-photo-{$id}">
 
 				<div class="contact-photo-image-wrapper hidden-xs">
-					<img class="contact-photo media-object xl" src="{$thumb}" {11} alt="{$name}" />
+					<img class="contact-photo media-object xl" src="{$thumb}" {11} alt="{$name|escape}" />
 				</div>
 
 				{{* For very small displays we use a drobdown menu for contact relating actions *}}
 				<button type="button" class="btn btn-link dropdown-toggle visible-xs" id="contact-photo-menu-button{$id}" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
 					{{* use a smaller picture on very small displays (e.g. mobiles) *}}
 					<div class="contact-photo-image-wrapper visible-xs">
-						<img class="contact-photo-xs media-object" src="{$thumb}" {11} alt="{$name}" />
+						<img class="contact-photo-xs media-object" src="{$thumb}" {11} alt="{$name|escape}" />
 
 						{{* Overlay background on hover the avatar picture *}}
 						<div class="contact-photo-overlay">
@@ -172,32 +172,32 @@ We use this part to filter the contacts with jquery.textcomplete *}}
 			{{* The contact actions like private mail, delete contact, edit contact and so on *}}
 			<div class="contact-actions pull-right nav-pills preferences hidden-xs">
 				{if $photo_menu.pm}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{$photo_menu.pm.1}')" data-toggle="tooltip" title="{$photo_menu.pm.0}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{$photo_menu.pm.1}')" data-toggle="tooltip" title="{$photo_menu.pm.0|escape}">
 					<i class="fa fa-envelope" aria-hidden="true"></i>
 				</button>
 				{/if}
 				{if $photo_menu.poke}
-				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{$photo_menu.poke.1}')" data-toggle="tooltip" title="{$photo_menu.poke.0}">
+				<button type="button" class="contact-action-link btn-link" onclick="addToModal('{$photo_menu.poke.1}')" data-toggle="tooltip" title="{$photo_menu.poke.0|escape}">
 					<i class="fa fa-heartbeat" aria-hidden="true"></i>
 				</button>
 				{/if}
 				{if $photo_menu.network}
-				<a class="contact-action-link btn-link" href="{$photo_menu.network.1}" data-toggle="tooltip" title="{$photo_menu.network.0}">
+				<a class="contact-action-link btn-link" href="{$photo_menu.network.1}" data-toggle="tooltip" title="{$photo_menu.network.0|escape}">
 					<i class="fa fa-cloud" aria-hidden="true"></i>
 				</a>
 				{/if}
 				{if $photo_menu.edit}
-				<a class="contact-action-link btn-link" href="{$photo_menu.edit.1}" data-toggle="tooltip" title="{$photo_menu.edit.0}">
+				<a class="contact-action-link btn-link" href="{$photo_menu.edit.1}" data-toggle="tooltip" title="{$photo_menu.edit.0|escape}">
 					<i class="fa fa-pencil" aria-hidden="true"></i>
 				</a>
 				{/if}
 				{if $photo_menu.drop}
-				<a class="contact-action-link btn-link" href="{$photo_menu.drop.1}" data-toggle="tooltip" title="{$photo_menu.drop.0}">
+				<a class="contact-action-link btn-link" href="{$photo_menu.drop.1}" data-toggle="tooltip" title="{$photo_menu.drop.0|escape}">
 					<i class="fa fa-user-times" aria-hidden="true"></i>
 				</a>
 				{/if}
 				{if $photo_menu.follow}
-				<a class="contact-action-link btn-link" href="{$photo_menu.follow.1}" data-toggle="tooltip" title="{$photo_menu.follow.0}">
+				<a class="contact-action-link btn-link" href="{$photo_menu.follow.1}" data-toggle="tooltip" title="{$photo_menu.follow.0|escape}">
 					<i class="fa fa-user-plus" aria-hidden="true"></i>
 				</a>
 				{/if}
@@ -207,7 +207,7 @@ We use this part to filter the contacts with jquery.textcomplete *}}
 			{{* The button to add or remove contacts from a contact group - group edit page *}}
 			{if $contact.change_member}
 			<div class="contact-group-actions pull-right nav-pills preferences">
-				<button type="button" class="contact-action-link btn-link" onclick="groupChangeMember({$contact.change_member.gid},{$contact.change_member.cid},'{$contact.change_member.sec_token}'); return true;" data-toggle="tooltip" title="{$contact.change_member.title}">
+				<button type="button" class="contact-action-link btn-link" onclick="groupChangeMember({$contact.change_member.gid},{$contact.change_member.cid},'{$contact.change_member.sec_token}'); return true;" data-toggle="tooltip" title="{$contact.change_member.title|escape}">
 					{if $contact.label == "members"}
 					<i class="fa fa-times-circle" aria-hidden="true"></i>
 					{elseif $contact.label == "contacts"}
diff --git a/view/theme/frio/templates/credits.tpl b/view/theme/frio/templates/credits.tpl
index 5e5aeecc2..75ab272df 100644
--- a/view/theme/frio/templates/credits.tpl
+++ b/view/theme/frio/templates/credits.tpl
@@ -1,10 +1,10 @@
 <div id="credits" class="generic-page-wrapper">
         {{include file="section_title.tpl"}}
-        <p>{{$thanks}}</p>
+        <p>{{$thanks|escape}}</p>
 
         <ul class="credits">
                 {{foreach $names as $name}}
-                 <li>{{$name}}</li>
+                 <li>{{$name|escape}}</li>
                 {{/foreach}}
         </ul>
         <div class="clear"></div>
diff --git a/view/theme/frio/templates/crepair.tpl b/view/theme/frio/templates/crepair.tpl
index 3d45c6ddc..d4cdec501 100644
--- a/view/theme/frio/templates/crepair.tpl
+++ b/view/theme/frio/templates/crepair.tpl
@@ -13,7 +13,7 @@
 
 	<form id="crepair-form" action="crepair/{{$contact_id}}" method="post" >
 
-		<!-- <h4>{{$contact_name}}</h4> -->
+		<!-- <h4>{{$contact_name|escape}}</h4> -->
 
 		<div id="contact-update-profile-wrapper">
 		{{if $update_profile}}
diff --git a/view/theme/frio/templates/event.tpl b/view/theme/frio/templates/event.tpl
index 947d09cb8..82ed1de09 100644
--- a/view/theme/frio/templates/event.tpl
+++ b/view/theme/frio/templates/event.tpl
@@ -6,7 +6,7 @@
 				<div class="event-owner media-left">
 					{{if $event.item.author_name}}
 					<a href="{{$event.item.author_link}}" ><img src="{{$event.item.author_avatar}}" /></a>
-					<a href="{{$event.item.author_link}}" >{{$event.item.author_name}}</a>
+					<a href="{{$event.item.author_link}}" >{{$event.item.author_name|escape}}</a>
 					{{/if}}
 				</div>
 				<div class="media-body">
@@ -15,10 +15,10 @@
 			</div>
 
 			<div class="event-buttons pull-right">
-				{{if $event.edit}}<button type="button" class="btn" onclick="eventEdit('{{$event.edit.0}}')" title="{{$event.edit.1}}"><i class="fa fa-pencil" aria-hidden="true"></i></button>{{/if}}
-				{{if $event.copy}}<button type="button" class="btn" onclick="eventEdit('{{$event.copy.0}}')" title="{{$event.copy.1}}"><i class="fa fa-files-o" aria-hidden="true"></i></button>{{/if}}
-				{{if $event.drop}}<a href="{{$event.drop.0}}" onclick="return confirmDelete();" title="{{$event.drop.1}}" class="drop-event-link btn"><i class="fa fa-trash-o" aria-hidden="true"></i></a>{{/if}}
-				{{if $event.item.plink}}<a href="{{$event.plink.0}}" title="{{$event.plink.1}}" class="plink-event-link btn "><i class="fa fa-external-link" aria-hidden="true"></i></a>{{/if}}
+				{{if $event.edit}}<button type="button" class="btn" onclick="eventEdit('{{$event.edit.0}}')" title="{{$event.edit.1|escape}}"><i class="fa fa-pencil" aria-hidden="true"></i></button>{{/if}}
+				{{if $event.copy}}<button type="button" class="btn" onclick="eventEdit('{{$event.copy.0}}')" title="{{$event.copy.1|escape}}"><i class="fa fa-files-o" aria-hidden="true"></i></button>{{/if}}
+				{{if $event.drop}}<a href="{{$event.drop.0}}" onclick="return confirmDelete();" title="{{$event.drop.1|escape}}" class="drop-event-link btn"><i class="fa fa-trash-o" aria-hidden="true"></i></a>{{/if}}
+				{{if $event.item.plink}}<a href="{{$event.plink.0}}" title="{{$event.plink.1|escape}}" class="plink-event-link btn "><i class="fa fa-external-link" aria-hidden="true"></i></a>{{/if}}
 			</div>
 			<div class="clear"></div>
 		</div>
diff --git a/view/theme/frio/templates/event_stream_item.tpl b/view/theme/frio/templates/event_stream_item.tpl
index 87c2e70ca..58f39a0ee 100644
--- a/view/theme/frio/templates/event_stream_item.tpl
+++ b/view/theme/frio/templates/event_stream_item.tpl
@@ -17,16 +17,16 @@
 					{{if $location.map}}<button id="event-map-btn-{{$id}}" class="event-map-btn btn-link fakelink nav nav-pills preferences" data-map-id="event-location-map-{{$id}}" data-show-label="{{$show_map_label}}" data-hide-label="{{$hide_map_label}}">{{$map_btn_label}}</button>{{/if}}
 					<div class="event-property">
 						<span class="event-date">
-							<span class="event-start dtstart" title="{{$dtstart_title}}">{{$start_short}}</span>
-							{{if $finish}} - <span class="event-end dtend" title="{{$dtend_title}}">{{if $same_date}}{{$end_time}}{{else}}{{$end_short}}{{/if}}</span>{{/if}}
+							<span class="event-start dtstart" title="{{$dtstart_title|escape}}">{{$start_short}}</span>
+							{{if $finish}} - <span class="event-end dtend" title="{{$dtend_title|escape}}">{{if $same_date}}{{$end_time}}{{else}}{{$end_short}}{{/if}}</span>{{/if}}
 						</span>
 						{{if $location.name}}
 						<span role="presentation" aria-hidden="true"> · </span>
-						<span class="event-location event-card-location">{{$location.name}}</span>
+						<span class="event-location event-card-location">{{$location.name|escape}}</span>
 						{{/if}}
 					</div>
 					<div class="event-card-profile-name profile-entry-name">
-						<a href="{{$author_link}}" class="userinfo">{{$author_name}}</a>
+						<a href="{{$author_link}}" class="userinfo">{{$author_name|escape}}</a>
 					</div>
 					{{if $location.map}}
 					<div id="event-location-map-{{$id}}" class="event-location-map">{{$location.map}}</div>
diff --git a/view/theme/frio/templates/events_js.tpl b/view/theme/frio/templates/events_js.tpl
index a4ca9004c..3866282a3 100644
--- a/view/theme/frio/templates/events_js.tpl
+++ b/view/theme/frio/templates/events_js.tpl
@@ -5,7 +5,7 @@
 	{{* The link to create a new event *}}
 	{{if $new_event.0}}
 	<div class="pull-right" id="new-event-link">
-		<button type="button" class="btn-link page-action faded-icon" onclick="addToModal('{{$new_event.0}}')" title="{{$new_event.1}}" data-toggle="tooltip">
+		<button type="button" class="btn-link page-action faded-icon" onclick="addToModal('{{$new_event.0}}')" title="{{$new_event.1|escape}}" data-toggle="tooltip">
 			<i class="fa fa-plus"></i>
 		</button>
 	</div>
@@ -40,9 +40,9 @@
 
 		{{* The buttons to change the month/weeks/days *}}
 		<div id="fc-fc-header-left" class="btn-group">
-			<button class="btn btn-eventnav" onclick="changeView('prev', false);" title="{{$previous.1}}"><i class="fa fa-angle-up" aria-hidden="true"></i></button>
-			<button class="btn btn-eventnav btn-separator" onclick="changeView('next', false);" title="{{$next.1}}"><i class="fa fa-angle-down" aria-hidden="true"></i></button>
-			<button class="btn btn-eventnav btn-separator" onclick="changeView('today', false);" title="{{$today}}"><i class="fa fa-bullseye" aria-hidden="true"></i></button>
+			<button class="btn btn-eventnav" onclick="changeView('prev', false);" title="{{$previous.1|escape}}"><i class="fa fa-angle-up" aria-hidden="true"></i></button>
+			<button class="btn btn-eventnav btn-separator" onclick="changeView('next', false);" title="{{$next.1|escape}}"><i class="fa fa-angle-down" aria-hidden="true"></i></button>
+			<button class="btn btn-eventnav btn-separator" onclick="changeView('today', false);" title="{{$today|escape}}"><i class="fa fa-bullseye" aria-hidden="true"></i></button>
 		</div>
 
 		{{* The title (e.g. name of the mont/week/day) *}}
diff --git a/view/theme/frio/templates/filebrowser.tpl b/view/theme/frio/templates/filebrowser.tpl
index d452810c8..ce58ef0b9 100644
--- a/view/theme/frio/templates/filebrowser.tpl
+++ b/view/theme/frio/templates/filebrowser.tpl
@@ -9,8 +9,8 @@
 
 <div class="fbrowser {{$type}}">
 	<div class="fbrowser-content">
-		<input id="fb-nickname" type="hidden" name="type" value="{{$nickname}}" />
-		<input id="fb-type" type="hidden" name="type" value="{{$type}}" />
+		<input id="fb-nickname" type="hidden" name="type" value="{{$nickname|escape}}" />
+		<input id="fb-type" type="hidden" name="type" value="{{$type|escape}}" />
 
 		<div class="error hidden">
 			<span></span> <button type="button" class="btn btn-link close" aria-label="Close">X</a>
@@ -47,9 +47,9 @@
 				<div class="fbrowser-content-container">
 					{{foreach $files as $f}}
 					<div class="photo-album-image-wrapper">
-						<a href="#" class="photo-album-photo-link" data-link="{{$f.0}}" data-filename="{{$f.1}}" data-img="{{$f.2}}">
-							<img src="{{$f.2}}" alt="{{$f.1}}">
-							<p>{{$f.1}}</p>
+						<a href="#" class="photo-album-photo-link" data-link="{{$f.0}}" data-filename="{{$f.1|escape}}" data-img="{{$f.2|escape}}">
+							<img src="{{$f.2}}" alt="{{$f.1|escape}}">
+							<p>{{$f.1|escape}}</p>
 						</a>
 					</div>
 					{{/foreach}}
diff --git a/view/theme/frio/templates/intros.tpl b/view/theme/frio/templates/intros.tpl
index df46e453a..9b34afcd9 100644
--- a/view/theme/frio/templates/intros.tpl
+++ b/view/theme/frio/templates/intros.tpl
@@ -18,7 +18,7 @@
 				{{if $discard}}<button class="btn-link intro-submit-discard intro-action-link" type="submit" name="submit" value="{{$discard|escape:'html'}}" aria-label="{{$discard|escape:'html'}}" title="{{$discard|escape:'html'}}" data-toggle="tooltip"><i class="fa fa-trash-o" aria-hidden="true"></i></button>{{/if}}
 			</form>
 		</div>
-		<div class='intro-enty-name'><h4 class="media-heading"><a href="{{$zrl}}">{{$fullname}}</a></h4></div>
+		<div class='intro-enty-name'><h4 class="media-heading"><a href="{{$zrl}}">{{$fullname|escape}}</a></h4></div>
 		<div class="intro-desc"><span class="intro-desc-label">{{$str_notifytype}}</span>&nbsp;{{$notify_type}}</div>
 		{{* if the contact was suggestested by another contact, the contact who made the suggestion is displayed*}}
 		{{if $madeby}}<div class="intro-madeby"><span class="intro-madeby-label">{{$lbl_madeby}}</span>&nbsp;<a href="{{$madeby_zrl}}">{{$madeby}}</a></div>{{/if}}
@@ -51,7 +51,7 @@
 		a bootstrap modal in the case of approval *}}
 		<div id="intro-approve-wrapper-{{$intro_id}}" style="display: none;">
 
-			<h3 class="heading">{{$fullname}}{{if $addr}}&nbsp;({{$addr}}){{/if}}</h3>
+			<h3 class="heading">{{$fullname|escape}}{{if $addr}}&nbsp;({{$addr}}){{/if}}</h3>
 			<form class="intro-approve-form" {{if $request}}action="{{$request}}" method="get"{{else}}action="dfrn_confirm" method="post"{{/if}}>
 				{{include file="field_checkbox.tpl" field=$hidden}}
 				{{if $type != "friend_suggestion"}}
diff --git a/view/theme/frio/templates/jot.tpl b/view/theme/frio/templates/jot.tpl
index b5c061b75..13e4d2ec1 100644
--- a/view/theme/frio/templates/jot.tpl
+++ b/view/theme/frio/templates/jot.tpl
@@ -107,7 +107,7 @@
 						<li role="presentation" class="pull-right"><button class="btn btn-primary" type="submit" id="profile-jot-submit" name="submit" ><i class="fa fa-slideshare fa-fw" aria-hidden="true"></i> {{$share}}</button></li>
 						<li role="presentation" id="character-counter" class="grey jothidden text-info pull-right"></li>
 						<li role="presentation" id="profile-rotator-wrapper" class="pull-right" style="display: {{$visitor}};" >
-							<img role="presentation" id="profile-rotator" src="images/rotator.gif" alt="{{$wait}}" title="{{$wait}}" style="display: none;" />
+							<img role="presentation" id="profile-rotator" src="images/rotator.gif" alt="{{$wait|escape}}" title="{{$wait|escape}}" style="display: none;" />
 						</li>
 						<li role="presentation" id="profile-jot-plugin-wrapper">
 							{{$jotplugins}}
diff --git a/view/theme/frio/templates/like_noshare.tpl b/view/theme/frio/templates/like_noshare.tpl
index deb2383f4..f58a7698b 100644
--- a/view/theme/frio/templates/like_noshare.tpl
+++ b/view/theme/frio/templates/like_noshare.tpl
@@ -9,5 +9,5 @@
 		<i class="faded-icon page-action fa fa-thumbs-down" aria-hidden="true"></i>
 	</button>
 	{{/if}}
-	<img id="like-rotator-{{$id}}" class="like-rotator" src="images/rotator.gif" alt="{{$wait}}" title="{{$wait}}" style="display: none;" />
+	<img id="like-rotator-{{$id}}" class="like-rotator" src="images/rotator.gif" alt="{{$wait|escape}}" title="{{$wait|escape}}" style="display: none;" />
 </div>
diff --git a/view/theme/frio/templates/mail_conv.tpl b/view/theme/frio/templates/mail_conv.tpl
index 2ad989849..b5154aa4c 100644
--- a/view/theme/frio/templates/mail_conv.tpl
+++ b/view/theme/frio/templates/mail_conv.tpl
@@ -2,13 +2,13 @@
 	<div class="media">
 		<div class="pull-left contact-photo-wrapper">
 			<a href="{{$mail.from_url}}" title="{{$mail.from_addr}}">
-				<img class="media-object" src="{{$mail.from_photo}}" alt="{{$mail.from_name}}" title="{{$mail.from_addr}}" />
+				<img class="media-object" src="{{$mail.from_photo}}" alt="{{$mail.from_name|escape}}" title="{{$mail.from_addr}}" />
 			</a>
 		</div>
 		<div class="media-body">
 			<div class="text-muted time mail-ago pull-right" title="{{$mail.date}}" data-toggle="tooltip">{{$mail.date}}</div>
 			<div class="mail-conv-delete-end"></div>
-			<h4 class="media-heading"><a href="{{$mail.from_url}}" title="{{$mail.from_addr}}">{{$mail.from_name}}</a></h4>
+			<h4 class="media-heading"><a href="{{$mail.from_url}}" title="{{$mail.from_addr}}">{{$mail.from_name|escape}}</a></h4>
 
 			<div class="mail-body">
 				{{$mail.body}}
diff --git a/view/theme/frio/templates/mail_list.tpl b/view/theme/frio/templates/mail_list.tpl
index 4a797d47c..225fd71c1 100644
--- a/view/theme/frio/templates/mail_list.tpl
+++ b/view/theme/frio/templates/mail_list.tpl
@@ -5,7 +5,7 @@
 		<div class="media">
 			<div class="pull-left contact-photo-wrapper">
 				<a href="{{$from_url}}" title="{{$from_addr}}">
-					<img class="media-object" src="{{$from_photo}}" alt="{{$from_name}}" title="{{$from_addr}}" />
+					<img class="media-object" src="{{$from_photo}}" alt="{{$from_name|escape}}" title="{{$from_addr|escape}}" />
 				</a>
 			</div>
 			<div class="media-body">
diff --git a/view/theme/frio/templates/nav.tpl b/view/theme/frio/templates/nav.tpl
index d64eae9c4..6f20c247c 100644
--- a/view/theme/frio/templates/nav.tpl
+++ b/view/theme/frio/templates/nav.tpl
@@ -40,37 +40,37 @@
 				<ul class="nav navbar-nav navbar-left" role="menubar">
 					<li id="nav-communication" class="nav-segment" role="presentation">
 						{{if $nav.network}}
-						<a accesskey="n" role="menuitem" class="nav-menu {{$sel.network}}" href="{{$nav.network.0}}" data-toggle="tooltip" aria-label="{{$nav.network.3}}" title="{{$nav.network.3}}"><i class="fa fa-lg fa-th" aria-hidden="true"></i><span id="net-update" class="nav-network-badge badge nav-notify"></span></a>
+						<a accesskey="n" role="menuitem" class="nav-menu {{$sel.network}}" href="{{$nav.network.0}}" data-toggle="tooltip" aria-label="{{$nav.network.3}}" title="{{$nav.network.3|escape}}"><i class="fa fa-lg fa-th" aria-hidden="true"></i><span id="net-update" class="nav-network-badge badge nav-notify"></span></a>
 						{{/if}}
 
 						{{if $nav.home}}
-						<a accesskey="p" role="menuitem" class="nav-menu {{$sel.home}}" href="{{$nav.home.0}}" data-toggle="tooltip" aria-label="{{$nav.home.3}}" title="{{$nav.home.3}}"><i class="fa fa-lg fa-home" aria-hidden="true"></i><span id="home-update" class="nav-home-badge badge nav-notify"></span></a>
+						<a accesskey="p" role="menuitem" class="nav-menu {{$sel.home}}" href="{{$nav.home.0}}" data-toggle="tooltip" aria-label="{{$nav.home.3}}" title="{{$nav.home.3|escape}}"><i class="fa fa-lg fa-home" aria-hidden="true"></i><span id="home-update" class="nav-home-badge badge nav-notify"></span></a>
 						{{/if}}
 
 						{{if $nav.community}}
-						<a accesskey="c" role="menuitem" class="nav-menu {{$sel.community}}" href="{{$nav.community.0}}" data-toggle="tooltip" aria-label="{{$nav.community.3}}" title="{{$nav.community.3}}"><i class="fa fa-lg fa-bullseye" aria-hidden="true"></i></a>
+						<a accesskey="c" role="menuitem" class="nav-menu {{$sel.community}}" href="{{$nav.community.0}}" data-toggle="tooltip" aria-label="{{$nav.community.3}}" title="{{$nav.community.3|escape}}"><i class="fa fa-lg fa-bullseye" aria-hidden="true"></i></a>
 						{{/if}}
 					</li>
 
 					<li id="nav-personal" class="nav-segment hidden-xs" role="presentation">
 						{{if $nav.messages}}
-						<a role="menuitem" id="nav-messages-link" href="{{$nav.messages.0}}" data-toggle="tooltip" aria-label="{{$nav.messages.1}}" title="{{$nav.messages.1}}" class="nav-menu {{$sel.messages}}"><i class="fa fa-envelope fa-lg" aria-hidden="true"></i><span id="mail-update" class="nav-mail-badge badge nav-notify"></span></a>
+						<a role="menuitem" id="nav-messages-link" href="{{$nav.messages.0}}" data-toggle="tooltip" aria-label="{{$nav.messages.1}}" title="{{$nav.messages.1|escape}}" class="nav-menu {{$sel.messages}}"><i class="fa fa-envelope fa-lg" aria-hidden="true"></i><span id="mail-update" class="nav-mail-badge badge nav-notify"></span></a>
 						{{/if}}
 
 						{{if $nav.events}}
-						<a accesskey="e" role="menuitem" id="nav-events-link" href="{{$nav.events.0}}" data-toggle="tooltip" aria-label="{{$nav.events.1}}" title="{{$nav.events.1}}" class="nav-menu"><i class="fa fa-lg fa-calendar"></i></a>
+						<a accesskey="e" role="menuitem" id="nav-events-link" href="{{$nav.events.0}}" data-toggle="tooltip" aria-label="{{$nav.events.1}}" title="{{$nav.events.1|escape}}" class="nav-menu"><i class="fa fa-lg fa-calendar"></i></a>
 						{{/if}}
 
 						{{if $nav.contacts}}
-						<a role="menuitem" id="nav-contacts-link" class="nav-menu {{$sel.contacts}} {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" data-toggle="tooltip" aria-label="{{$nav.contacts.1}}" title="{{$nav.contacts.1}}" ><i class="fa fa-users fa-lg" aria-hidden="true"></i></a>
-						<span id="intro-update" class="nav-intro-badge badge nav-notify" onclick="window.location.href = '{{$nav.introductions.0}}' " data-toggle="tooltip" aria-label="{{$nav.introductions.3}}" title="{{$nav.introductions.3}}"></span>
+						<a role="menuitem" id="nav-contacts-link" class="nav-menu {{$sel.contacts}} {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" data-toggle="tooltip" aria-label="{{$nav.contacts.1}}" title="{{$nav.contacts.1|escape}}" ><i class="fa fa-users fa-lg" aria-hidden="true"></i></a>
+						<span id="intro-update" class="nav-intro-badge badge nav-notify" onclick="window.location.href = '{{$nav.introductions.0}}' " data-toggle="tooltip" aria-label="{{$nav.introductions.3}}" title="{{$nav.introductions.3|escape}}"></span>
 						{{/if}}
 					</li>
 
 					{{* The notifications dropdown *}}
 					{{if $nav.notifications}}
 						<li id="nav-notification" class="nav-segment hidden-xs" role="presentation">
-							<a href="{{$nav.notifications.0}}" rel="#nav-notifications-menu" data-toggle="tooltip" aria-label="{{$nav.notifications.1}}" title="{{$nav.notifications.1}}" role="button" id="dropdownMenu1" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+							<a href="{{$nav.notifications.0}}" rel="#nav-notifications-menu" data-toggle="tooltip" aria-label="{{$nav.notifications.1}}" title="{{$nav.notifications.1|escape}}" role="button" id="dropdownMenu1" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
 								<i class="fa fa-exclamation-circle fa-lg" aria-hidden="true"></i>
 								<span role="menuitem" class="sr-only">{{$nav.notifications.1}}</span>
 								<span id="notify-update" class="nav-notify-badge badge nav-notify dropdown" data-toggle="dropdown"></span>
@@ -84,7 +84,7 @@
 									<div class="arrow"></div>
 									{{$nav.notifications.1}}
 									<div class="dropdown-header-link">
-										<button role="menuitem" type="button" class="btn-link" onclick="notifyMarkAll();" data-toggle="tooltip" aria-label="{{$nav.notifications.mark.3}}" title="{{$nav.notifications.mark.3}}">{{$nav.notifications.mark.1}}</button>
+										<button role="menuitem" type="button" class="btn-link" onclick="notifyMarkAll();" data-toggle="tooltip" aria-label="{{$nav.notifications.mark.3}}" title="{{$nav.notifications.mark.3|escape}}">{{$nav.notifications.mark.1}}</button>
 									</div>
 
 								</li>
@@ -107,9 +107,9 @@
 					{{if $nav.search}}
 					<li id="search-box" class="hidden-xs">
 							<form class="navbar-form" role="search" method="get" action="{{$nav.search.0}}">
-								<!-- <img class="hidden-xs" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name}}" style="max-width:33px; max-height:33px; min-width:33px; min-height:33px; width:33px; height:33px;"> -->
+								<!-- <img class="hidden-xs" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name|escape}}" style="max-width:33px; max-height:33px; min-width:33px; min-height:33px; width:33px; height:33px;"> -->
 								<div class="form-group form-group-search">
-									<input accesskey="s" id="nav-search-input-field" class="form-control form-search" type="text" name="search" data-toggle="tooltip" title="{{$search_hint}}" placeholder="{{$nav.search.1}}">
+									<input accesskey="s" id="nav-search-input-field" class="form-control form-search" type="text" name="search" data-toggle="tooltip" title="{{$search_hint|escape}}" placeholder="{{$nav.search.1}}">
 									<button class="btn btn-default btn-sm form-button-search" type="submit">{{$nav.search.1}}</button>
 								</div>
 							</form>
@@ -121,61 +121,61 @@
 					<li id="nav-user-linkmenu" class="dropdown account nav-menu hidden-xs">
 						<button accesskey="u" id="main-menu" class="btn-link dropdown-toggle nav-avatar" data-toggle="dropdown" type="button" aria-haspopup="true" aria-expanded="false" aria-controls="nav-user-menu">
 							<div class="user-title pull-left hidden-xs hidden-sm hidden-md">
-								<strong>{{$nav.userinfo.name}}</strong><br>
+								<strong>{{$nav.userinfo.name|escape}}</strong><br>
 								{{if $nav.remote}}<span class="trunctate">{{$nav.remote}}</span>{{/if}}
 							</div>
 
-							<img  id="avatar" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name}}">
+							<img  id="avatar" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name|escape}}">
 							<span class="caret"></span>
 						</button>
 
 						{{* The list of available usermenu links *}}
 						<ul id="nav-user-menu" class="dropdown-menu pull-right menu-popup" role="menu" aria-labelledby="main-menu">
 							{{if $nav.remote}}{{if $nav.sitename}}
-							<li id="nav-sitename" role="menuitem">{{$nav.sitename}}</li>
+							<li id="nav-sitename" role="menuitem">{{$nav.sitename|escape}}</li>
 							<li role="presentation" class="divider"></li>
 							{{/if}}{{/if}}
 							{{foreach $nav.usermenu as $usermenu}}
-							<li role="presentation"><a role="menuitem" class="{{$usermenu.2}}" href="{{$usermenu.0}}" title="{{$usermenu.3}}">{{$usermenu.1}}</a></li>
+							<li role="presentation"><a role="menuitem" class="{{$usermenu.2}}" href="{{$usermenu.0}}" title="{{$usermenu.3|escape}}">{{$usermenu.1}}</a></li>
 							{{/foreach}}
 							<li role="presentation" class="divider"></li>
 							{{if $nav.notifications}}
-							<li role="presentation"><a role="menuitem" href="{{$nav.notifications.all.0}}" title="{{$nav.notifications.1}}"><i class="fa fa-exclamation-circle fa-fw" aria-hidden="true"></i> {{$nav.notifications.1}}</a></li>
+							<li role="presentation"><a role="menuitem" href="{{$nav.notifications.all.0}}" title="{{$nav.notifications.1|escape}}"><i class="fa fa-exclamation-circle fa-fw" aria-hidden="true"></i> {{$nav.notifications.1}}</a></li>
 							{{/if}}
 							{{if $nav.messages}}
-							<li role="presentation"><a role="menuitem" class="nav-commlink {{$nav.messages.2}} {{$sel.messages}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3}}" ><i class="fa fa-envelope fa-fw" aria-hidden="true"></i> {{$nav.messages.1}} <span id="mail-update-li" class="nav-mail-badge badge nav-notify"></span></a></li>
+							<li role="presentation"><a role="menuitem" class="nav-commlink {{$nav.messages.2}} {{$sel.messages}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3|escape}}" ><i class="fa fa-envelope fa-fw" aria-hidden="true"></i> {{$nav.messages.1}} <span id="mail-update-li" class="nav-mail-badge badge nav-notify"></span></a></li>
 							{{/if}}
 							<li role="presentation" class="divider"></li>
 							{{if $nav.contacts}}
-							<li role="presentation"><a role="menuitem" id="nav-menu-contacts-link" class="nav-link {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3}}"><i class="fa fa-users fa-fw" aria-hidden="true"></i> {{$nav.contacts.1}}</a><span id="intro-update-li" class="nav-intro-badge badge nav-notify"></span></li>
+							<li role="presentation"><a role="menuitem" id="nav-menu-contacts-link" class="nav-link {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3|escape}}"><i class="fa fa-users fa-fw" aria-hidden="true"></i> {{$nav.contacts.1}}</a><span id="intro-update-li" class="nav-intro-badge badge nav-notify"></span></li>
 							{{/if}}
 							{{if $nav.manage}}
-							<li role="presentation"><a role="menuitem" id="nav-manage-link" class="nav-commlink {{$nav.manage.2}} {{$sel.manage}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3}}"><i class="fa fa-flag fa-fw" aria-hidden="true"></i> {{$nav.manage.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-manage-link" class="nav-commlink {{$nav.manage.2}} {{$sel.manage}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3|escape}}"><i class="fa fa-flag fa-fw" aria-hidden="true"></i> {{$nav.manage.1}}</a></li>
 							{{/if}}
-							<li role="presentation"><a role="menuitem" id="nav-directory-link" class="nav-link {{$nav.directory.2}}" href="{{$nav.directory.0}}" title="{{$nav.directory.3}}"><i class="fa fa-sitemap fa-fw" aria-hidden="true"></i>{{$nav.directory.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-directory-link" class="nav-link {{$nav.directory.2}}" href="{{$nav.directory.0}}" title="{{$nav.directory.3|escape}}"><i class="fa fa-sitemap fa-fw" aria-hidden="true"></i>{{$nav.directory.1}}</a></li>
 							<li role="presentation" class="divider"></li>
 							{{if $nav.apps}}
-							<li role="presentation"><a role="menuitem" id="nav-apps-link" class="nav-link {{$nav.apps.2}} {{$sel.manage}}" href="{{$nav.apps.0}}" title="{{$nav.apps.3}}" ><i class="fa fa-puzzle-piece fa-fw" aria-hidden="true"></i> {{$nav.apps.1}}</a>
+							<li role="presentation"><a role="menuitem" id="nav-apps-link" class="nav-link {{$nav.apps.2}} {{$sel.manage}}" href="{{$nav.apps.0}}" title="{{$nav.apps.3|escape}}" ><i class="fa fa-puzzle-piece fa-fw" aria-hidden="true"></i> {{$nav.apps.1}}</a>
 							<li role="presentation" class="divider"></li>
 							{{/if}}
 							{{if $nav.help}}
-							<li role="presentation"><a role="menuitem" id="nav-help-link" class="nav-link {{$nav.help.2}}" href="{{$nav.help.0}}" title="{{$nav.help.3}}" ><i class="fa fa-question-circle fa-fw" aria-hidden="true"></i> {{$nav.help.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-help-link" class="nav-link {{$nav.help.2}}" href="{{$nav.help.0}}" title="{{$nav.help.3|escape}}" ><i class="fa fa-question-circle fa-fw" aria-hidden="true"></i> {{$nav.help.1}}</a></li>
 							{{/if}}
 							{{if $nav.settings}}
-							<li role="presentation"><a role="menuitem" id="nav-settings-link" class="nav-link {{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3}}"><i class="fa fa-cog fa-fw" aria-hidden="true"></i> {{$nav.settings.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-settings-link" class="nav-link {{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3|escape}}"><i class="fa fa-cog fa-fw" aria-hidden="true"></i> {{$nav.settings.1}}</a></li>
 							{{/if}}
 							{{if $nav.admin}}
-							<li role="presentation"><a accesskey="a" role="menuitem" id="nav-admin-link" class="nav-link {{$nav.admin.2}}" href="{{$nav.admin.0}}" title="{{$nav.admin.3}}" ><i class="fa fa-user-secret fa-fw" aria-hidden="true"></i> {{$nav.admin.1}}</a></li>
+							<li role="presentation"><a accesskey="a" role="menuitem" id="nav-admin-link" class="nav-link {{$nav.admin.2}}" href="{{$nav.admin.0}}" title="{{$nav.admin.3|escape}}" ><i class="fa fa-user-secret fa-fw" aria-hidden="true"></i> {{$nav.admin.1}}</a></li>
 							{{/if}}
 							{{if $nav.tos}}
 							<li role="presentation" class="divider"></li>
-							<li role="presentation"><a role="menuitem" id="nav-tos-link" class="nav-link {{$nav.tos.2}}" href="{{$nav.tos.0}}" title="{{$nav.tos.3}}" ><i class="fa fa-file-text" aria-hidden="true"></i> {{$nav.tos.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-tos-link" class="nav-link {{$nav.tos.2}}" href="{{$nav.tos.0}}" title="{{$nav.tos.3|escape}}" ><i class="fa fa-file-text" aria-hidden="true"></i> {{$nav.tos.1}}</a></li>
 							{{/if}}
 							<li role="presentation" class="divider"></li>
 							{{if $nav.logout}}
-							<li role="presentation"><a role="menuitem" id="nav-logout-link" class="nav-link {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3}}" ><i class="fa fa fa-sign-out fa-fw" aria-hidden="true"></i> {{$nav.logout.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-logout-link" class="nav-link {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3|escape}}" ><i class="fa fa fa-sign-out fa-fw" aria-hidden="true"></i> {{$nav.logout.1}}</a></li>
 							{{else}}
-							<li role="presentation"><a role="menuitem" id="nav-login-link" class="nav-login-link {{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3}}" ><i class="fa fa-power-off fa-fw" aria-hidden="true"></i> {{$nav.login.1}}</a></li>
+							<li role="presentation"><a role="menuitem" id="nav-login-link" class="nav-login-link {{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3|escape}}" ><i class="fa fa-power-off fa-fw" aria-hidden="true"></i> {{$nav.login.1}}</a></li>
 							{{/if}}
 						</ul>
 					</li>{{* End of userinfo dropdown menu *}}
@@ -192,34 +192,34 @@
 				<div class="nav-container">
 					<ul role="menu" class="list-group">
 						{{if $nav.remote}}{{if $nav.sitename}}
-						<li role="menuitem" class="nav-sitename list-group-item">{{$nav.sitename}}</li>
+						<li role="menuitem" class="nav-sitename list-group-item">{{$nav.sitename|escape}}</li>
 						{{/if}}{{/if}}
-						<li role="presentation" class="list-group-item"><img src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name}}" style="max-width:15px; max-height:15px; min-width:15px; min-height:15px; width:15px; height:15px;"> {{$nav.userinfo.name}}{{if $nav.remote}} ({{$nav.remote}}){{/if}}</li>
+						<li role="presentation" class="list-group-item"><img src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name|escape}}" style="max-width:15px; max-height:15px; min-width:15px; min-height:15px; width:15px; height:15px;"> {{$nav.userinfo.name|escape}}{{if $nav.remote}} ({{$nav.remote}}){{/if}}</li>
 						{{foreach $nav.usermenu as $usermenu}}
-						<li role="menuitem" class="list-group-item"><a role="menuitem" class="{{$usermenu.2}}" href="{{$usermenu.0}}" title="{{$usermenu.3}}">{{$usermenu.1}}</a></li>
+						<li role="menuitem" class="list-group-item"><a role="menuitem" class="{{$usermenu.2}}" href="{{$usermenu.0}}" title="{{$usermenu.3|escape}}">{{$usermenu.1}}</a></li>
 						{{/foreach}}
 						{{if $nav.notifications}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" href="{{$nav.notifications.all.0}}" title="{{$nav.notifications.1}}"><i class="fa fa-exclamation-circle fa-fw" aria-hidden="true"></i> {{$nav.notifications.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" href="{{$nav.notifications.all.0}}" title="{{$nav.notifications.1|escape}}"><i class="fa fa-exclamation-circle fa-fw" aria-hidden="true"></i> {{$nav.notifications.1}}</a></li>
 						{{/if}}
 						{{if $nav.contacts}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3}}"><i class="fa fa-users fa-fw" aria-hidden="true"></i> {{$nav.contacts.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3|escape}}"><i class="fa fa-users fa-fw" aria-hidden="true"></i> {{$nav.contacts.1}}</a></li>
 						{{/if}}
 						{{if $nav.messages}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.messages.2}} {{$sel.messages}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3}}" ><i class="fa fa-envelope fa-fw" aria-hidden="true"></i> {{$nav.messages.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.messages.2}} {{$sel.messages}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3|escape}}" ><i class="fa fa-envelope fa-fw" aria-hidden="true"></i> {{$nav.messages.1}}</a></li>
 						{{/if}}
 						{{if $nav.manage}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-commlink {{$nav.manage.2}} {{$sel.manage}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3}}"><i class="fa fa-flag fa-fw" aria-hidden="true"></i> {{$nav.manage.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-commlink {{$nav.manage.2}} {{$sel.manage}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3|escape}}"><i class="fa fa-flag fa-fw" aria-hidden="true"></i> {{$nav.manage.1}}</a></li>
 						{{/if}}
 						{{if $nav.settings}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3}}"><i class="fa fa-cog fa-fw" aria-hidden="true"></i> {{$nav.settings.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3|escape}}"><i class="fa fa-cog fa-fw" aria-hidden="true"></i> {{$nav.settings.1}}</a></li>
 						{{/if}}
 						{{if $nav.admin}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.admin.2}}" href="{{$nav.admin.0}}" title="{{$nav.admin.3}}" ><i class="fa fa-user-secret fa-fw" aria-hidden="true"></i> {{$nav.admin.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.admin.2}}" href="{{$nav.admin.0}}" title="{{$nav.admin.3|escape}}" ><i class="fa fa-user-secret fa-fw" aria-hidden="true"></i> {{$nav.admin.1}}</a></li>
 						{{/if}}
 						{{if $nav.logout}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3}}" ><i class="fa fa fa-sign-out fa-fw" aria-hidden="true"></i> {{$nav.logout.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-link {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3|escape}}" ><i class="fa fa fa-sign-out fa-fw" aria-hidden="true"></i> {{$nav.logout.1}}</a></li>
 						{{else}}
-						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-login-link {{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3}}" ><i class="fa fa-power-off fa-fw" aria-hidden="true"></i> {{$nav.login.1}}</a></li>
+						<li role="presentation" class="list-group-item"><a role="menuitem" class="nav-login-link {{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3|escape}}" ><i class="fa fa-power-off fa-fw" aria-hidden="true"></i> {{$nav.login.1}}</a></li>
 						{{/if}}
 					</ul>
 				</div>
@@ -244,12 +244,12 @@
 			<ul class="nav navbar-nav navbar-right">
 				<li role="presentation">
 					<a href="login?mode=none" id="nav-login"
-						data-toggle="tooltip" aria-label="{{$nav.login.3}}" title="{{$nav.login.3}}">
+						data-toggle="tooltip" aria-label="{{$nav.login.3}}" title="{{$nav.login.3|escape}}">
 							<i class="fa fa-sign-in fa-fw" aria-hidden="true"></i>
 					</a>
 				</li>
 				<li role="presentation">
-					<a href="{{$nav.about.0}}" id="nav-about" data-toggle="tooltip" aria-label="{{$nav.about.3}}" title="{{$nav.about.3}}">
+					<a href="{{$nav.about.0}}" id="nav-about" data-toggle="tooltip" aria-label="{{$nav.about.3}}" title="{{$nav.about.3|escape}}">
 						<i class="fa fa-info fa-fw" aria-hidden="true"></i>
 					</a>
 				</li>
@@ -263,9 +263,9 @@
 {{* provide a a search input for mobile view, which expands by pressing the search icon *}}
 <div id="search-mobile" class="hidden-lg hidden-md collapse">
 	<form class="navbar-form" role="search" method="get" action="{{$nav.search.0}}">
-		<!-- <img class="hidden-xs" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name}}" style="max-width:33px; max-height:33px; min-width:33px; min-height:33px; width:33px; height:33px;"> -->
+		<!-- <img class="hidden-xs" src="{{$nav.userinfo.icon}}" alt="{{$nav.userinfo.name|escape}}" style="max-width:33px; max-height:33px; min-width:33px; min-height:33px; width:33px; height:33px;"> -->
 		<div class="form-group form-group-search">
-			<input id="nav-search-input-field-mobile" class="form-control form-search" type="text" name="search" data-toggle="tooltip" title="{{$search_hint}}" placeholder="{{$nav.search.1}}">
+			<input id="nav-search-input-field-mobile" class="form-control form-search" type="text" name="search" data-toggle="tooltip" title="{{$search_hint|escape}}" placeholder="{{$nav.search.1}}">
 			<button class="btn btn-default btn-sm form-button-search" type="submit">{{$nav.search.1}}</button>
 		</div>
 	</form>
diff --git a/view/theme/frio/templates/photo_item.tpl b/view/theme/frio/templates/photo_item.tpl
index 935e6288b..8267fd631 100644
--- a/view/theme/frio/templates/photo_item.tpl
+++ b/view/theme/frio/templates/photo_item.tpl
@@ -23,7 +23,7 @@
 	<div class="contact-photo-wrapper mframe p-author h-card pull-left">
 		<a class="userinfo u-url" id="wall-item-photo-menu-{{$id}}" href="{{$profile_url}}">
 			<div class="contact-photo-image-wrapper">
-				<img src="{{$thumb}}" class="contact-photo-xs media-object p-name u-photo" id="wall-item-photo-{{$id}}" alt="{{$name}}" />
+				<img src="{{$thumb}}" class="contact-photo-xs media-object p-name u-photo" id="wall-item-photo-{{$id}}" alt="{{$name|escape}}" />
 			</div>
 		</a>
 	</div>
diff --git a/view/theme/frio/templates/photo_top.tpl b/view/theme/frio/templates/photo_top.tpl
index a86aa7f80..fed29937e 100644
--- a/view/theme/frio/templates/photo_top.tpl
+++ b/view/theme/frio/templates/photo_top.tpl
@@ -1,4 +1,4 @@
 <a href="{{$photo.link}}" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title}}">
-	<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name}}{{elseif $photo.desc}}{{$photo.desc}}{{elseif $photo.alt}}{{$photo.alt}}{{else}}{{$photo.unknown}}{{/if}}" title="{{$photo.title}}" id="photo-top-photo-{{$photo.id}}" />
+	<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name|escape}}{{elseif $photo.desc}}{{$photo.desc|escape}}{{elseif $photo.alt}}{{$photo.alt|escape}}{{else}}{{$photo.unknown|escape}}{{/if}}" title="{{$photo.title|escape}}" id="photo-top-photo-{{$photo.id}}" />
 </a>
 
diff --git a/view/theme/frio/templates/photo_view.tpl b/view/theme/frio/templates/photo_view.tpl
index 7dc2db901..f8d12e133 100644
--- a/view/theme/frio/templates/photo_view.tpl
+++ b/view/theme/frio/templates/photo_view.tpl
@@ -33,7 +33,7 @@
 		<div id="photo-photo">
 			{{* The photo *}}
 			<div class="photo-container">
-				<a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" alt="{{$photo.filename}}"/></a>
+				<a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" alt="{{$photo.filename|escape}}"/></a>
 			</div>
 
 			{{* Overlay buttons for previous and next photo *}}
@@ -54,7 +54,7 @@
 		<div id="photo-tags">{{$tags.title}}
 			{{foreach $tags.tags as $t}}
 			<span class="category label btn-success sm">
-				<span class="p-category">{{$t.name}}</span>
+				<span class="p-category">{{$t.name|escape}}</span>
 				{{if $t.removeurl}} <a href="{{$t.removeurl}}">(X)</a> {{/if}}
 			</span>
 			{{/foreach}}
diff --git a/view/theme/frio/templates/profile_entry.tpl b/view/theme/frio/templates/profile_entry.tpl
index fb5436fb5..1ee9eda85 100644
--- a/view/theme/frio/templates/profile_entry.tpl
+++ b/view/theme/frio/templates/profile_entry.tpl
@@ -1,7 +1,7 @@
 
 <div class="profile-listing-row" >
 	<div class="profile-listing-cell" >
-		<a href="profiles/{{$id}}" class="profile-listing-edit-link"><img class="profile-listing-photo" id="profile-listing-photo-{{$id}}" src="{{$photo}}" alt="{{$alt}}" /></a>
+		<a href="profiles/{{$id}}" class="profile-listing-edit-link"><img class="profile-listing-photo" id="profile-listing-photo-{{$id}}" src="{{$photo}}" alt="{{$alt|escape}}" /></a>
 	</div>
 	<div class="profile-listing-photo-end"></div>
 	<div class="profile-listing-cell" id="profile-listing-name-{{$id}}">
diff --git a/view/theme/frio/templates/profile_vcard.tpl b/view/theme/frio/templates/profile_vcard.tpl
index 392adc1c4..793fec753 100644
--- a/view/theme/frio/templates/profile_vcard.tpl
+++ b/view/theme/frio/templates/profile_vcard.tpl
@@ -2,19 +2,19 @@
 
 	<div id="profile-photo-wrapper">
 		{{if $profile.picdate}}
-		<a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}" /></a>
+		<a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}" /></a>
 		{{else}}
-		<a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}" alt="{{$profile.name}}" /></a>
+		<a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}" alt="{{$profile.name|escape}}" /></a>
 		{{/if}}
 
 		<div class="tool visible-lg visible-md">
 			{{if $profile.edit}}
 			<div class="action">
-				<a class="" href="{{$profile.edit.0}}" title="{{$profile.edit.3}}"><i class="fa fa-pencil-square-o"></i></a>
+				<a class="" href="{{$profile.edit.0}}" title="{{$profile.edit.3|escape}}"><i class="fa fa-pencil-square-o"></i></a>
 			</div>
 			{{else}}
 				{{if $profile.menu}}
-				<div class="profile-edit-side-div"><a class="profile-edit-side-link icon edit" title="{{$editprofile}}" href="profiles" ></a></div>
+				<div class="profile-edit-side-div"><a class="profile-edit-side-link icon edit" title="{{$editprofile|escape}}" href="profiles" ></a></div>
 				{{/if}}
 			{{/if}}
 		</div>
@@ -25,23 +25,23 @@
 	<div id="vcard-short-info-wrapper" style="display: none;">
 		<div id="vcard-short-info" class="media" style="display: none">
 			<div id="vcard-short-photo-wrapper" class="pull-left">
-				<img class="media-object" src="{{$profile.photo}}" alt="{{$profile.name}}" />
+				<img class="media-object" src="{{$profile.photo}}" alt="{{$profile.name|escape}}" />
 			</div>
 
 			<div id="vcard-short-desc" class="media-body">
-				<h4 class="media-heading">{{$profile.name}}</h4>
-				{{if $profile.addr}}<div class="vcard-short-addr">{{$profile.addr}}</div>{{/if}}
+				<h4 class="media-heading">{{$profile.name|escape}}</h4>
+				{{if $profile.addr}}<div class="vcard-short-addr">{{$profile.addr|escape}}</div>{{/if}}
 			</div>
 		</div>
 	</div>
 
 	<div class="panel-body">
 		<div class="profile-header">
-			<h3 class="fn p-name">{{$profile.name}}</h3>
+			<h3 class="fn p-name">{{$profile.name|escape}}</h3>
 
-			{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+			{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 
-			{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
+			{{if $profile.pdesc}}<div class="title">{{$profile.pdesc|escape}}</div>{{/if}}
 		</div>
 
 		<div id="profile-extra-links">
@@ -62,7 +62,7 @@
 			{{/if}}
 			{{if $wallmessage}}
 			<div id="wallmessage-link-botton">
-				<button type="button" id="wallmessage-link" class="btn btn-labeled btn-primary btn-sm" onclick="openWallMessage('{{$wallmessage_link}}')">
+				<button type="button" id="wallmessage-link" class="btn btn-labeled btn-primary btn-sm" onclick="openWallMessage('{{$wallmessage_link|escape}}')">
 					<span class=""><i class="fa fa-envelope"></i></span>
 					<span class="">{{$wallmessage}}</span>
 				</button>
@@ -78,11 +78,11 @@
 			<span class="adr">
 				{{if $profile.address}}<span class="street-address p-street-address">{{$profile.address}}</span>{{/if}}
 				<span class="city-state-zip">
-					<span class="locality p-locality">{{$profile.locality}}</span>{{if $profile.locality}}, {{/if}}
-					<span class="region p-region">{{$profile.region}}</span>
-					<span class="postal-code p-postal-code">{{$profile.postal_code}}</span>
+					<span class="locality p-locality">{{$profile.locality|escape}}</span>{{if $profile.locality}}, {{/if}}
+					<span class="region p-region">{{$profile.region|escape}}</span>
+					<span class="postal-code p-postal-code">{{$profile.postal_code|escape}}</span>
 				</span>
-				{{if $profile.country_name}}<span class="country-name p-country-name">{{$profile.country_name}}</span>{{/if}}
+				{{if $profile.country_name}}<span class="country-name p-country-name">{{$profile.country_name|escape}}</span>{{/if}}
 			</span>
 		</div>
 		{{/if}}
@@ -90,38 +90,38 @@
 		{{if $profile.xmpp}}
 		<div class="xmpp">
 			<span class="xmpp-label icon"><i class="fa fa-comments"></i></span>
-			<span class="xmpp-data">{{$profile.xmpp}}</span>
+			<span class="xmpp-data">{{$profile.xmpp|escape}}</span>
 		</div>
 		{{/if}}
 
 		{{if $gender}}
 		<div class="mf detail">
 			<span class="gender-label icon"><i class="fa fa-venus-mars"></i></span>
-			<span class="p-gender">{{$profile.gender}}</span>
+			<span class="p-gender">{{$profile.gender|escape}}</span>
 		</div>
 		{{/if}}
 
-		{{if $profile.pubkey}}<div class="key u-key" style="display:none;">{{$profile.pubkey}}</div>{{/if}}
+		{{if $profile.pubkey}}<div class="key u-key" style="display:none;">{{$profile.pubkey|escape}}</div>{{/if}}
 
-		{{if $contacts}}<div class="contacts" style="display:none;">{{$contacts}}</div>{{/if}}
+		{{if $contacts}}<div class="contacts" style="display:none;">{{$contacts|escape}}</div>{{/if}}
 
-		{{if $updated}}<div class="updated" style="display:none;">{{$updated}}</div>{{/if}}
+		{{if $updated}}<div class="updated" style="display:none;">{{$updated|escape}}</div>{{/if}}
 
 		{{if $marital}}
 		<div class="marital detail">
 			<span class="marital-label icon"><i class="fa fa-heart"></i></span>
-			<span class="marital-text icon">{{$profile.marital}}</span>
+			<span class="marital-text icon">{{$profile.marital|escape}}</span>
 		</div>
 		{{/if}}
 
 		{{if $homepage}}
 		<div class="homepage detail">
 			<span class="homepage-label icon"><i class="fa fa-external-link-square"></i></span>
-			<span class="homepage-url u-url"><a href="{{$profile.homepage}}" rel="me" target="_blank">{{$profile.homepage}}</a></span>
+			<span class="homepage-url u-url"><a href="{{$profile.homepage}}" rel="me" target="_blank">{{$profile.homepage|escape}}</a></span>
 		</div>
 		{{/if}}
 
-		{{if $about}}<dl class="about"  style="display:none;"><dt class="about-label">{{$about}}</dt><dd class="x-network">{{$profile.about}}</dd></dl>{{/if}}
+		{{if $about}}<dl class="about"  style="display:none;"><dt class="about-label">{{$about|escape}}</dt><dd class="x-network">{{$profile.about}}</dd></dl>{{/if}}
 
 		{{include file="diaspora_vcard.tpl"}}
 	</div>
diff --git a/view/theme/frio/templates/search_item.tpl b/view/theme/frio/templates/search_item.tpl
index c6aa9536e..88a0d2a0e 100644
--- a/view/theme/frio/templates/search_item.tpl
+++ b/view/theme/frio/templates/search_item.tpl
@@ -1,7 +1,7 @@
 <!-- TODO => Unknow block -->
 <div class="wall-item-decor" style="display:none;">
-	<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred}}">{{$item.star.starred}}</span>
-	{{if $item.lock}}<span class="navicon lock fakelink" onclick="lockview(event, {{$item.id}});" title="{{$item.lock}}"></span><span class="fa fa-lock" aria-hidden="true"></span>{{/if}}
+	<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred|escape}}">{{$item.star.starred}}</span>
+	{{if $item.lock}}<span class="navicon lock fakelink" onclick="lockview(event, {{$item.id}});" title="{{$item.lock|escape}}"></span><span class="fa fa-lock" aria-hidden="true"></span>{{/if}}
 </div>
 <!-- ./TODO => Unknow block -->
 
@@ -12,7 +12,7 @@
 			{{* Put additional actions in a top-right dropdown menu *}}
 
 			<ul class="nav nav-pills preferences">
-				<li><span class="wall-item-network" title="{{$item.app}}">{{$item.network_name}}</span></li>
+				<li><span class="wall-item-network" title="{{$item.app|escape}}">{{$item.network_name|escape}}</span></li>
 
 				{{if $item.plink || $item.star || $item.drop.dropping || $item.edpost || $item.subthread}}
 				<li class="dropdown">
@@ -21,45 +21,45 @@
 					<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="dropdownMenuTools-{{$item.id}}">
 						{{if $item.plink}}      {{*link to the original source of the item *}}
 						<li role="menuitem">
-							<a title="{{$item.plink.title}}" href="{{$item.plink.href}}" class="navicon plink"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title}}</a>
+							<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title|escape}}</a>
 						</li>
 						{{/if}}
 
 						{{if $item.edpost}} {{* edit the posting *}}
 						<li role="menuitem">
-							<button type="button" href="{{$item.edpost.0}}" title="{{$item.edpost.1}}" class="btn-link navicon pencil"><i class="fa fa-pencil" aria-hidden="true"></i> {{$item.edpost.1}}</button>
+							<button type="button" href="{{$item.edpost.0}}" title="{{$item.edpost.1|escape}}" class="btn-link navicon pencil"><i class="fa fa-pencil" aria-hidden="true"></i> {{$item.edpost.1}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.tagger}} {{* tag the post *}}
 						<li role="menuitem">
-							<button type="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}});" class="btn-link {{$item.tagger.class}}" title="{{$item.tagger.add}}"><i class="fa fa-tag" aria-hidden="true"></i> {{$item.tagger.add}}</button>
+							<button type="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}});" class="btn-link {{$item.tagger.class}}" title="{{$item.tagger.add|escape}}"><i class="fa fa-tag" aria-hidden="true"></i> {{$item.tagger.add}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.filer}}
 						<li role="menuitem">
-							<button type="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}});" class="btn-link filer-item filer-icon" title="{{$item.filer}}"><i class="fa fa-folder" aria-hidden="true"></i>&nbsp;{{$item.filer}}</button>
+							<button type="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}});" class="btn-link filer-item filer-icon" title="{{$item.filer|escape}}"><i class="fa fa-folder" aria-hidden="true"></i>&nbsp;{{$item.filer}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.star}}
 						<li role="menuitem">
-							<button type="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classdo}}" title="{{$item.star.do}}"><i class="fa fa-star-o" aria-hidden="true"></i>&nbsp;{{$item.star.do}}</button>
-							<button type="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classundo}}" title="{{$item.star.undo}}"><i class="fa fa-star" aria-hidden="true"></i>&nbsp;{{$item.star.undo}}</button>
+							<button type="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classdo}}" title="{{$item.star.do|escape}}"><i class="fa fa-star-o" aria-hidden="true"></i>&nbsp;{{$item.star.do}}</button>
+							<button type="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classundo}}" title="{{$item.star.undo|escape}}"><i class="fa fa-star" aria-hidden="true"></i>&nbsp;{{$item.star.undo}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.subthread}}
 						<li role="menuitem">
-							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
+							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
 						</li>
 						{{/if}}
 
 						{{if $item.drop.dropping}}
 						<li role="separator" class="divider"></li>
 						<li role="menuitem">
-							<button type="button" class="btn-link navicon delete" onclick="dropItem('item/drop/{{$item.id}}', 'item-{{$item.guid}}');" title="{{$item.drop.delete}}"><i class="fa fa-trash" aria-hidden="true"></i> {{$item.drop.delete}}</button>
+							<button type="button" class="btn-link navicon delete" onclick="dropItem('item/drop/{{$item.id}}', 'item-{{$item.guid}}');" title="{{$item.drop.delete|escape}}"><i class="fa fa-trash" aria-hidden="true"></i> {{$item.drop.delete}}</button>
 						</li>
 						{{/if}}
 					</ul>
@@ -72,14 +72,14 @@
 				<div class="hidden-sm hidden-xs contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}}">
 					<a href="{{$item.profile_url}}" class="userinfo u-url" id="wall-item-photo-menu-{{$item.id}}">
 						<div class="contact-photo-image-wrapper">
-							<img src="{{$item.thumb}}" class="contact-photo media-object {{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+							<img src="{{$item.thumb}}" class="contact-photo media-object {{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 						</div>
 					</a>
 				</div>
 				<div class="hidden-lg hidden-md contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}}">
 					<a href="{{$item.profile_url}}" class="userinfo u-url" id="wall-item-photo-menu-xs-{{$item.id}}">
 						<div class="contact-photo-image-wrapper">
-							<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}}" id="wall-item-photo-xs-{{$item.id}}" alt="{{$item.name}}" />
+							<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}}" id="wall-item-photo-xs-{{$item.id}}" alt="{{$item.name|escape}}" />
 						</div>
 					</a>
 				</div>
@@ -88,13 +88,13 @@
 
 			{{* contact info header*}}
 			<div role="heading " class="contact-info hidden-sm hidden-xs media-body"><!-- <= For computer -->
-				<h4 class="media-heading"><a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.sparkle}}">{{$item.name}}</span></a>
-					{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a>{{/if}}
-					{{if $item.lock}}<span class="navicon lock fakelink" onClick="lockview(event, {{$item.id}});" title="{{$item.lock}}">&nbsp;<small><i class="fa fa-lock" aria-hidden="true"></i></small></span>{{/if}}
+				<h4 class="media-heading"><a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.sparkle}}">{{$item.name|escape}}</span></a>
+					{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a>{{/if}}
+					{{if $item.lock}}<span class="navicon lock fakelink" onClick="lockview(event, {{$item.id}});" title="{{$item.lock|escape}}">&nbsp;<small><i class="fa fa-lock" aria-hidden="true"></i></small></span>{{/if}}
 
 					<div class="additional-info text-muted">
 						<div id="wall-item-ago-{{$item.id}}" class="wall-item-ago">
-							<small><a href="{{$item.plink.orig}}"><span class="time" title="{{$item.localtime}}" data-toggle="tooltip">{{$item.ago}}</span></a></small>
+							<small><a href="{{$item.plink.orig}}"><span class="time" title="{{$item.localtime|escape}}" data-toggle="tooltip">{{$item.ago}}</span></a></small>
 						</div>
 
 						{{if $item.location}}
@@ -110,7 +110,7 @@
 			{{* contact info header for smartphones *}}
 			<div role="heading " class="contact-info-xs hidden-lg hidden-md">
 				<h5 class="media-heading">
-					<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span>{{$item.name}}</span></a>
+					<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span>{{$item.name|escape}}</span></a>
 					<p class="text-muted"><small>
 						<span class="wall-item-ago">{{$item.ago}}</span> {{if $item.location}}&nbsp;&mdash;&nbsp;({{$item.location}}){{/if}}</small>
 					</p>
@@ -150,14 +150,14 @@
 			{{/if}}
 
 				{{foreach $item.folders as $cat}}
-					<span class="folder label btn-danger sm">{{$cat.name}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+					<span class="folder label btn-danger sm">{{$cat.name|escape}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 				{{/foreach}}
 
 				{{foreach $item.categories as $cat}}
-					<span class="category label btn-success sm">{{$cat.name}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+					<span class="category label btn-success sm">{{$cat.name|escape}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 				{{/foreach}}
 				</div>
-				{{if $item.edited}}<div class="itemedited text-muted">{{$item.edited['label']}} (<span title="{{$item.edited['date']}}">{{$item.edited['relative']}}</span>)</div>{{/if}}
+				{{if $item.edited}}<div class="itemedited text-muted">{{$item.edited['label']}} (<span title="{{$item.edited['date']|escape}}">{{$item.edited['relative']}}</span>)</div>{{/if}}
 			</div>
 			<!-- ./TODO -->
 
@@ -166,7 +166,7 @@
 				<div class="wall-item-actions-left pull-left">
 					<!--comment this out to try something different {{if $item.threaded}}{{if $item.comment}}
 					<div id="button-reply" class="pull-left">
-						<button type="button" class="btn-link" id="comment-{{$item.id}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"><i class="fa fa-reply" title="{{$item.switchcomment}}"></i> </span>
+						<button type="button" class="btn-link" id="comment-{{$item.id}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"><i class="fa fa-reply" title="{{$item.switchcomment|escape}}"></i> </span>
 					</div>
 					{{/if}}{{/if}}-->
 
@@ -175,14 +175,14 @@
 					{{* Buttons for like and dislike *}}
 					{{if $item.vote}}
 						{{if $item.vote.like}}
-					<button type="button" class="btn btn-defaultbutton-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="like-{{$item.id}}" title="{{$item.vote.like.0}}" onclick="doLikeAction({{$item.id}}, 'like');">{{$item.vote.like.0}}</button>
+					<button type="button" class="btn btn-defaultbutton-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="like-{{$item.id}}" title="{{$item.vote.like.0|escape}}" onclick="doLikeAction({{$item.id}}, 'like');">{{$item.vote.like.0}}</button>
 						{{/if}}
 						{{if $item.vote.like AND $item.vote.dislike}}
 					<span role="presentation" class="separator">•</span>
 						{{/if}}
 
 						{{if $item.vote.dislike}}
-					<button type="button" class="btn btn-defaultbutton-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="dislike-{{$item.id}}" title="{{$item.vote.dislike.0}}" onclick="doLikeAction({{$item.id}}, 'dislike');">{{$item.vote.dislike.0}}</button>
+					<button type="button" class="btn btn-defaultbutton-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="dislike-{{$item.id}}" title="{{$item.vote.dislike.0|escape}}" onclick="doLikeAction({{$item.id}}, 'dislike');">{{$item.vote.dislike.0}}</button>
 						{{/if}}
 						{{if ($item.vote.like OR $item.vote.dislike) AND $item.comment}}
 					<span role="presentation" class="separator">•</span>
@@ -191,7 +191,7 @@
 
 					{{* Button to open the comment text field *}}
 					{{if $item.comment}}
-						<button type="button" class="btn btn-default" id="comment-{{$item.id}}" title="{{$item.switchcomment}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});">{{$item.switchcomment}}</button>
+						<button type="button" class="btn btn-default" id="comment-{{$item.id}}" title="{{$item.switchcomment|escape}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});">{{$item.switchcomment}}</button>
 					{{/if}}
 
 					{{* Button for sharing the item *}}
@@ -200,10 +200,10 @@
 							{{if $item.vote.like OR $item.vote.dislike OR $item.comment}}
 					<span role="presentation" class="separator">•</span>
 							{{/if}}
-					<button type="button" class="btn btn-default" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}});"><i class="fa fa-retweet" aria-hidden="true"></i>&nbsp;{{$item.vote.share.0}}</button>
+					<button type="button" class="btn btn-default" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}});"><i class="fa fa-retweet" aria-hidden="true"></i>&nbsp;{{$item.vote.share.0}}</button>
 						{{/if}}
 					{{/if}}
-					<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+					<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 				</div>
 
 
@@ -211,15 +211,15 @@
 					{{* Event attendance buttons *}}
 					{{if $item.isevent}}
 					<div class="vote-event">
-						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendyes.self}} active" aria-pressed="true{{/if}}" id="attendyes-{{$item.id}}" title="{{$item.attend.0}}" onclick="doLikeAction({{$item.id}}, 'attendyes');"><i class="fa fa-check" aria-hidden="true"><span class="sr-only">{{$item.attend.0}}</span></i></button>
-						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendno.self}} active" aria-pressed="true{{/if}}" id="attendno-{{$item.id}}" title="{{$item.attend.1}}" onclick="doLikeAction({{$item.id}}, 'attendno');"><i class="fa fa-times" aria-hidden="true"><span class="sr-only">{{$item.attend.1}}</span></i></button>
-						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendmaybe.self}} active" aria-pressed="true{{/if}}" id="attendmaybe-{{$item.id}}" title="{{$item.attend.2}}" onclick="doLikeAction({{$item.id}}, 'attendmaybe');"><i class="fa fa-question" aria-hidden="true"><span class="sr-only">{{$item.attend.2}}</span></i></button>
+						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendyes.self}} active" aria-pressed="true{{/if}}" id="attendyes-{{$item.id}}" title="{{$item.attend.0|escape}}" onclick="doLikeAction({{$item.id}}, 'attendyes');"><i class="fa fa-check" aria-hidden="true"><span class="sr-only">{{$item.attend.0}}</span></i></button>
+						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendno.self}} active" aria-pressed="true{{/if}}" id="attendno-{{$item.id}}" title="{{$item.attend.1|escape}}" onclick="doLikeAction({{$item.id}}, 'attendno');"><i class="fa fa-times" aria-hidden="true"><span class="sr-only">{{$item.attend.1}}</span></i></button>
+						<button type="button" class="btn btn-defaultbutton-event{{if $item.responses.attendmaybe.self}} active" aria-pressed="true{{/if}}" id="attendmaybe-{{$item.id}}" title="{{$item.attend.2|escape}}" onclick="doLikeAction({{$item.id}}, 'attendmaybe');"><i class="fa fa-question" aria-hidden="true"><span class="sr-only">{{$item.attend.2}}</span></i></button>
 					</div>
 					{{/if}}
 
 					<div class="pull-right checkbox">
 						{{if $item.drop.pagedrop}}
-						<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" id="checkbox-{{$item.id}}" class="item-select" value="{{$item.id}}" />
+						<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" id="checkbox-{{$item.id}}" class="item-select" value="{{$item.id}}" />
 						<label for="checkbox-{{$item.id}}"></label>
 						{{/if}}
 					</div>
@@ -238,7 +238,7 @@
 
 			<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
 			{{if $item.conv}}
-				<a href="{{$item.conv.href}}" id="context-{{$item.id}}" title="{{$item.conv.title}}">{{$item.conv.title}}</a>
+				<a href="{{$item.conv.href}}" id="context-{{$item.id}}" title="{{$item.conv.title|escape}}">{{$item.conv.title|escape}}</a>
 			{{/if}}
 			</div>
 		</div><!--./media>-->
diff --git a/view/theme/frio/templates/vcard-widget.tpl b/view/theme/frio/templates/vcard-widget.tpl
index 0115abd88..ab6f52f47 100644
--- a/view/theme/frio/templates/vcard-widget.tpl
+++ b/view/theme/frio/templates/vcard-widget.tpl
@@ -2,9 +2,9 @@
 
 	<div id="profile-photo-wrapper">
 		{{if $url}}
-		<a href="{{$url}}"><img class="photo u-photo" src="{{$photo}}" alt="{{$name}}" /></a>
+		<a href="{{$url}}"><img class="photo u-photo" src="{{$photo}}" alt="{{$name|escape}}" /></a>
 		{{else}}
-		<img class="photo u-photo" src="{{$photo}}" alt="{{$name}}" />
+		<img class="photo u-photo" src="{{$photo}}" alt="{{$name|escape}}" />
 		{{/if}}
 	</div>
 
@@ -12,11 +12,11 @@
 	<div id="vcard-short-info-wrapper" style="display: none;">
 		<div id="vcard-short-info" class="media" style="display: none">
 			<div id="vcard-short-photo-wrapper" class="pull-left">
-				<img class="media-object" src="{{$photo}}" alt="{{$name}}" />
+				<img class="media-object" src="{{$photo}}" alt="{{$name|escape}}" />
 			</div>
 
 			<div id="vcard-short-desc" class="media-body">
-				<h4 class="media-heading">{{$name}}</h4>
+				<h4 class="media-heading">{{$name|escape}}</h4>
 				{{if $addr}}<div class="vcard-short-addr">{{$addr}}</div>{{/if}}
 			</div>
 		</div>
@@ -24,7 +24,7 @@
 
 	<div class="panel-body">
 		<div class="profile-header">
-			<h3 class="fn p-name">{{$name}}</h3>
+			<h3 class="fn p-name">{{$name|escape}}</h3>
 
 			{{if $addr}}<div class="p-addr">{{$addr}}</div>{{/if}}
 
diff --git a/view/theme/frio/templates/wall_thread.tpl b/view/theme/frio/templates/wall_thread.tpl
index c46fc339d..961c241a1 100644
--- a/view/theme/frio/templates/wall_thread.tpl
+++ b/view/theme/frio/templates/wall_thread.tpl
@@ -58,9 +58,9 @@ as the value of $top_child_total (this is done at the end of this file)
 <!-- TODO => Unknow block -->
 <div class="wall-item-decor" style="display:none;">
 	{{if $item.star}}
-	<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred}}">{{$item.star.starred}}</span>
+	<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred|escape}}">{{$item.star.starred}}</span>
 	{{/if}}
-	{{if $item.lock}}<span class="navicon lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock}}"></span><span class="fa fa-lock"></span>{{/if}}
+	{{if $item.lock}}<span class="navicon lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}"></span><span class="fa fa-lock"></span>{{/if}}
 </div>
 <!-- ./TODO => Unknow block -->
 
@@ -82,7 +82,7 @@ as the value of $top_child_total (this is done at the end of this file)
 		{{* Put addional actions in a top-right dropdown menu *}}
 
 		<ul class="nav nav-pills preferences">
-			<li><span class="wall-item-network" title="{{$item.app}}">{{$item.network_name}}</span></li>
+			<li><span class="wall-item-network" title="{{$item.app|escape}}">{{$item.network_name|escape}}</span></li>
 
 			{{if $item.plink || $item.drop.dropping || $item.edpost || $item.ignore || $item.tagger || $item.star || $item.filer || $item.subthread}}
 			<li class="dropdown">
@@ -91,38 +91,38 @@ as the value of $top_child_total (this is done at the end of this file)
 				<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="dropdownMenuTools-{{$item.id}}">
 					{{if $item.plink}}	{{*link to the original source of the item *}}
 					<li role="menuitem">
-						<a title="{{$item.plink.title}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title}}</a>
+						<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title}}</a>
 					</li>
 					{{/if}}
 
 					{{if $item.edpost}} {{* edit the posting *}}
 					<li role="menuitem">
-						<button type="button" onclick="editpost('{{$item.edpost.0}}?mode=none');" title="{{$item.edpost.1}}" class="btn-link navicon pencil"><i class="fa fa-pencil" aria-hidden="true"></i> {{$item.edpost.1}}</button>
+						<button type="button" onclick="editpost('{{$item.edpost.0}}?mode=none');" title="{{$item.edpost.1|escape}}" class="btn-link navicon pencil"><i class="fa fa-pencil" aria-hidden="true"></i> {{$item.edpost.1}}</button>
 					</li>
 					{{/if}}
 
 					{{if $item.tagger}} {{* tag the post *}}
 					<li role="menuitem">
-						<button type="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}});" class="btn-link {{$item.tagger.class}}" title="{{$item.tagger.add}}"><i class="fa fa-tag" aria-hidden="true"></i> {{$item.tagger.add}}</button>
+						<button type="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}});" class="btn-link {{$item.tagger.class}}" title="{{$item.tagger.add|escape}}"><i class="fa fa-tag" aria-hidden="true"></i> {{$item.tagger.add}}</button>
 					</li>
 					{{/if}}
 
 					{{if $item.filer}}
 					<li role="menuitem">
-						<button type="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}});" class="btn-link filer-item filer-icon" title="{{$item.filer}}"><i class="fa fa-folder" aria-hidden="true"></i>&nbsp;{{$item.filer}}</button>
+						<button type="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}});" class="btn-link filer-item filer-icon" title="{{$item.filer|escape}}"><i class="fa fa-folder" aria-hidden="true"></i>&nbsp;{{$item.filer}}</button>
 					</li>
 					{{/if}}
 
 					{{if $item.star}}
 					<li role="menuitem">
-						<button type="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classdo}}" title="{{$item.star.do}}"><i class="fa fa-star-o" aria-hidden="true"></i>&nbsp;{{$item.star.do}}</button>
-						<button type="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classundo}}" title="{{$item.star.undo}}"><i class="fa fa-star" aria-hidden="true"></i>&nbsp;{{$item.star.undo}}</button>
+						<button type="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classdo}}" title="{{$item.star.do|escape}}"><i class="fa fa-star-o" aria-hidden="true"></i>&nbsp;{{$item.star.do}}</button>
+						<button type="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}});" class="btn-link {{$item.star.classundo}}" title="{{$item.star.undo|escape}}"><i class="fa fa-star" aria-hidden="true"></i>&nbsp;{{$item.star.undo}}</button>
 					</li>
 					{{/if}}
 
 					{{if $item.subthread}}
 					<li role="menuitem">
-						<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
+						<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
 					</li>
 					{{/if}}
 
@@ -132,16 +132,16 @@ as the value of $top_child_total (this is done at the end of this file)
 
 					{{if $item.ignore}}
 						<li role="menuitem">
-							<button type="button" id="ignore-{{$item.id}}" onclick="doignore({{$item.id}});" class="btn-link {{$item.ignore.classdo}}" title="{{$item.ignore.do}}"><i class="fa fa-eye-slash" aria-hidden="true"></i> {{$item.ignore.do}}</button>
+							<button type="button" id="ignore-{{$item.id}}" onclick="doignore({{$item.id}});" class="btn-link {{$item.ignore.classdo}}" title="{{$item.ignore.do|escape}}"><i class="fa fa-eye-slash" aria-hidden="true"></i> {{$item.ignore.do}}</button>
 						</li>
 						<li role="menuitem">
-							<button type="button" id="unignore-{{$item.id}}" onclick="doignore({{$item.id}});" class="btn-link {{$item.ignore.classundo}}"  title="{{$item.ignore.undo}}"><i class="fa fa-eye" aria-hidden="true"></i> {{$item.ignore.undo}}</button>
+							<button type="button" id="unignore-{{$item.id}}" onclick="doignore({{$item.id}});" class="btn-link {{$item.ignore.classundo}}"  title="{{$item.ignore.undo|escape}}"><i class="fa fa-eye" aria-hidden="true"></i> {{$item.ignore.undo}}</button>
 						</li>
 					{{/if}}
 
 					{{if $item.drop.dropping}}
 					<li role="menuitem">
-						<button type="button" class="btn-link navicon delete" onclick="dropItem('item/drop/{{$item.id}}/{{$item.return}}', 'item-{{$item.guid}}');" title="{{$item.drop.delete}}"><i class="fa fa-trash" aria-hidden="true"></i> {{$item.drop.delete}}</button>
+						<button type="button" class="btn-link navicon delete" onclick="dropItem('item/drop/{{$item.id}}/{{$item.return}}', 'item-{{$item.guid}}');" title="{{$item.drop.delete|escape}}"><i class="fa fa-trash" aria-hidden="true"></i> {{$item.drop.delete}}</button>
 					</li>
 					{{/if}}
 				</ul>
@@ -156,14 +156,14 @@ as the value of $top_child_total (this is done at the end of this file)
 			<div class="hidden-sm hidden-xs contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card">
 				<a class="userinfo  u-url" id="wall-item-photo-menu-{{$item.id}}" href="{{$item.profile_url}}">
 					<div class="contact-photo-image-wrapper">
-						<img src="{{$item.thumb}}" class="contact-photo media-object {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+						<img src="{{$item.thumb}}" class="contact-photo media-object {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 					</div>
 				</a>
 			</div>
 			<div class="hidden-lg hidden-md contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}}">
 				<a class="userinfo u-url" id="wall-item-photo-menu-xs-{{$item.id}}" href="{{$item.profile_url}}">
 					<div class="contact-photo-image-wrapper">
-						<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}}" id="wall-item-photo-xs-{{$item.id}}" alt="{{$item.name}}" />
+						<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}}" id="wall-item-photo-xs-{{$item.id}}" alt="{{$item.name|escape}}" />
 					</div>
 				</a>
 			</div>
@@ -171,8 +171,8 @@ as the value of $top_child_total (this is done at the end of this file)
 			{{* The litle overlay avatar picture if someone is posting directly to a wall or a forum *}}
 			{{if $item.owner_url}}
 			<div aria-hidden="true" class="contact-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name}}" />
+				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
+					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name|escape}}" />
 				</a>
 			</div>
 			{{/if}}
@@ -184,7 +184,7 @@ as the value of $top_child_total (this is done at the end of this file)
 			<div class="contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card">
 				<a class="userinfo u-url" id="wall-item-photo-menu-{{$item.id}}" href="{{$item.profile_url}}">
 					<div class="contact-photo-image-wrapper">
-						<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}} p-name u-photo" id="wall-item-photo-comment-{{$item.id}}" alt="{{$item.name}}" />
+						<img src="{{$item.thumb}}" class="contact-photo-xs media-object {{$item.sparkle}} p-name u-photo" id="wall-item-photo-comment-{{$item.id}}" alt="{{$item.name|escape}}" />
 					</div>
 				</a>
 			</div>
@@ -196,14 +196,14 @@ as the value of $top_child_total (this is done at the end of this file)
 		{{* contact info header*}}
 		{{if $item.thread_level==1}}
 		<div role="heading " aria-level="{{$item.thread_level}}" class="contact-info hidden-sm hidden-xs media-body"><!-- <= For computer -->
-			<h4 class="media-heading"><a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.sparkle}}">{{$item.name}}</span></a>
-			{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a>{{/if}}
-			{{if $item.lock}}<span class="navicon lock fakelink" onClick="lockview(event,{{$item.id}});" title="{{$item.lock}}" data-toggle="tooltip">&nbsp;<small><i class="fa fa-lock" aria-hidden="true"></i></small></span>{{/if}}
+			<h4 class="media-heading"><a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.sparkle}}">{{$item.name|escape}}</span></a>
+			{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="wall-item-name-link userinfo"><span class="wall-item-name {{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a>{{/if}}
+			{{if $item.lock}}<span class="navicon lock fakelink" onClick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}" data-toggle="tooltip">&nbsp;<small><i class="fa fa-lock" aria-hidden="true"></i></small></span>{{/if}}
 			</h4>
 
 			<div class="additional-info text-muted">
 				<div id="wall-item-ago-{{$item.id}}" class="wall-item-ago">
-					<small><a href="{{$item.plink.orig}}"><span class="time" title="{{$item.localtime}}" data-toggle="tooltip"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></span></a></small>
+					<small><a href="{{$item.plink.orig}}"><span class="time" title="{{$item.localtime|escape}}" data-toggle="tooltip"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></span></a></small>
 				</div>
 
 				{{if $item.location}}
@@ -218,7 +218,7 @@ as the value of $top_child_total (this is done at the end of this file)
 		{{* contact info header for smartphones *}}
 		<div role="heading " aria-level="{{$item.thread_level}}" class="contact-info-xs hidden-lg hidden-md"><!-- <= For smartphone (responsive) -->
 			<h5 class="media-heading">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span>{{$item.name}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span>{{$item.name|escape}}</span></a>
 				<p class="text-muted">
 					<small><a class="time" href="{{$item.plink.orig}}"><span class="wall-item-ago">{{$item.ago}}</span></a> {{if $item.location}}&nbsp;&mdash;&nbsp;({{$item.location}}){{/if}}</small>
 				</p>
@@ -231,9 +231,9 @@ as the value of $top_child_total (this is done at the end of this file)
 		<div class="media-body">{{*this is the media body for comments - this div must be closed at the end of the file *}}
 		<div role="heading " aria-level="{{$item.thread_level}}" class="contact-info-comment">
 			<h5 class="media-heading">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link userinfo"><span class="fakelink">{{$item.name}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link userinfo"><span class="fakelink">{{$item.name|escape}}</span></a>
 				<span class="text-muted">
-					<small><a class="time" href="{{$item.plink.orig}}" title="{{$item.localtime}}" data-toggle="tooltip">{{$item.ago}}</a> {{if $item.location}}&nbsp;&mdash;&nbsp;({{$item.location}}){{/if}}</small>
+					<small><a class="time" href="{{$item.plink.orig}}" title="{{$item.localtime|escape}}" data-toggle="tooltip">{{$item.ago}}</a> {{if $item.location}}&nbsp;&mdash;&nbsp;({{$item.location}}){{/if}}</small>
 				</span>
 			</h5>
 		</div>
@@ -273,14 +273,14 @@ as the value of $top_child_total (this is done at the end of this file)
 		{{/if}}
 
 			{{foreach $item.folders as $cat}}
-				<span class="folder label btn-danger sm"><span class="p-category">{{$cat.name}}</span></a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+				<span class="folder label btn-danger sm"><span class="p-category">{{$cat.name|escape}}</span></a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 			{{/foreach}}
 
 			{{foreach $item.categories as $cat}}
-				<span class="category label btn-success sm"><span class="p-category">{{$cat.name}}</span></a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+				<span class="category label btn-success sm"><span class="p-category">{{$cat.name|escape}}</span></a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 			{{/foreach}}
 			</div>
-			{{if $item.edited}}<div class="itemedited text-muted">{{$item.edited['label']}} (<span title="{{$item.edited['date']}}">{{$item.edited['relative']}}</span>)</div>{{/if}}
+			{{if $item.edited}}<div class="itemedited text-muted">{{$item.edited['label']}} (<span title="{{$item.edited['date']|escape}}">{{$item.edited['relative']}}</span>)</div>{{/if}}
 		</div>
 		<!-- ./TODO -->
 
@@ -290,7 +290,7 @@ as the value of $top_child_total (this is done at the end of this file)
 			<div class="wall-item-actions-left pull-left">
 				<!--comment this out to try something different {{if $item.threaded}}{{if $item.comment}}
 				<div id="button-reply" class="pull-left">
-					<button type="button" class="btn-link" id="comment-{{$item.id}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"><i class="fa fa-reply" title="{{$item.switchcomment}}"></i> </span>
+					<button type="button" class="btn-link" id="comment-{{$item.id}}" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"><i class="fa fa-reply" title="{{$item.switchcomment|escape}}"></i> </span>
 				</div>
 				{{/if}}{{/if}}-->
 
@@ -299,13 +299,13 @@ as the value of $top_child_total (this is done at the end of this file)
 				{{* Buttons for like and dislike *}}
 				{{if $item.vote}}
 					{{if $item.vote.like}}
-					<button type="button" class="btn-link button-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="like-{{$item.id}}" title="{{$item.vote.like.0}}" onclick="doLikeAction({{$item.id}},'like');" data-toggle="button"><i class="fa fa-thumbs-up" aria-hidden="true"></i>&nbsp;{{$item.vote.like.1}}</button>
+					<button type="button" class="btn-link button-likes{{if $item.responses.like.self}} active" aria-pressed="true{{/if}}" id="like-{{$item.id}}" title="{{$item.vote.like.0|escape}}" onclick="doLikeAction({{$item.id}},'like');" data-toggle="button"><i class="fa fa-thumbs-up" aria-hidden="true"></i>&nbsp;{{$item.vote.like.1}}</button>
 					{{/if}}
 					{{if $item.vote.like AND $item.vote.dislike}}
 					<span role="presentation" class="separator">•</span>
 					{{/if}}
 					{{if $item.vote.dislike}}
-					<button type="button" class="btn-link button-likes{{if $item.responses.dislike.self}} active" aria-pressed="true{{/if}}" id="dislike-{{$item.id}}" title="{{$item.vote.dislike.0}}" onclick="doLikeAction({{$item.id}},'dislike');" data-toggle="button"><i class="fa fa-thumbs-down" aria-hidden="true"></i>&nbsp;{{$item.vote.dislike.1}}</button>
+					<button type="button" class="btn-link button-likes{{if $item.responses.dislike.self}} active" aria-pressed="true{{/if}}" id="dislike-{{$item.id}}" title="{{$item.vote.dislike.0|escape}}" onclick="doLikeAction({{$item.id}},'dislike');" data-toggle="button"><i class="fa fa-thumbs-down" aria-hidden="true"></i>&nbsp;{{$item.vote.dislike.1}}</button>
 					{{/if}}
 
 					{{if ($item.vote.like OR $item.vote.dislike) AND $item.comment}}
@@ -315,7 +315,7 @@ as the value of $top_child_total (this is done at the end of this file)
 
 				{{* Button to open the comment text field *}}
 				{{if $item.comment}}
-				<button type="button" class="btn-link button-comments" id="comment-{{$item.id}}" title="{{$item.switchcomment}}" {{if $item.thread_level != 1}}onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});" {{else}} onclick="showHide('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"{{/if}}><i class="fa fa-commenting" aria-hidden="true"></i>&nbsp;{{$item.switchcomment}}</button>
+				<button type="button" class="btn-link button-comments" id="comment-{{$item.id}}" title="{{$item.switchcomment|escape}}" {{if $item.thread_level != 1}}onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});" {{else}} onclick="showHide('item-comments-{{$item.id}}'); commentExpand({{$item.id}});"{{/if}}><i class="fa fa-commenting" aria-hidden="true"></i>&nbsp;{{$item.switchcomment}}</button>
 				{{/if}}
 
 				{{* Button for sharing the item *}}
@@ -324,25 +324,25 @@ as the value of $top_child_total (this is done at the end of this file)
 						{{if $item.vote.like OR $item.vote.dislike OR $item.comment}}
 					<span role="presentation" class="separator">•</span>
 						{{/if}}
-					<button type="button" class="btn-link button-votes" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}});"><i class="fa fa-retweet" aria-hidden="true"></i>&nbsp;{{$item.vote.share.1}}</button>
+					<button type="button" class="btn-link button-votes" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}});"><i class="fa fa-retweet" aria-hidden="true"></i>&nbsp;{{$item.vote.share.1}}</button>
 					{{/if}}
 				{{/if}}
-				<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+				<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 			</div>
 
 			<div class="wall-item-actions-right pull-right">
 				{{* Event attendance buttons *}}
 				{{if $item.isevent}}
 				<div class="vote-event">
-					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendyes.self}} active" aria-pressed="true{{/if}}" id="attendyes-{{$item.id}}" title="{{$item.attend.0}}" onclick="doLikeAction({{$item.id}},'attendyes');"><i class="fa fa-check" aria-hidden="true"><span class="sr-only">{{$item.attend.0}}</span></i></button>
-					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendno.self}} active" aria-pressed="true{{/if}}" id="attendno-{{$item.id}}" title="{{$item.attend.1}}" onclick="doLikeAction({{$item.id}},'attendno');"><i class="fa fa-times" aria-hidden="true"><span class="sr-only">{{$item.attend.1}}</span></i></button>
-					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendmaybe.self}} active" aria-pressed="true{{/if}}" id="attendmaybe-{{$item.id}}" title="{{$item.attend.2}}" onclick="doLikeAction({{$item.id}},'attendmaybe');"><i class="fa fa-question" aria-hidden="true"><span class="sr-only">{{$item.attend.2}}</span></i></button>
+					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendyes.self}} active" aria-pressed="true{{/if}}" id="attendyes-{{$item.id}}" title="{{$item.attend.0|escape}}" onclick="doLikeAction({{$item.id}},'attendyes');"><i class="fa fa-check" aria-hidden="true"><span class="sr-only">{{$item.attend.0}}</span></i></button>
+					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendno.self}} active" aria-pressed="true{{/if}}" id="attendno-{{$item.id}}" title="{{$item.attend.1|escape}}" onclick="doLikeAction({{$item.id}},'attendno');"><i class="fa fa-times" aria-hidden="true"><span class="sr-only">{{$item.attend.1}}</span></i></button>
+					<button type="button" class="btn btn-xs btn-default button-event{{if $item.responses.attendmaybe.self}} active" aria-pressed="true{{/if}}" id="attendmaybe-{{$item.id}}" title="{{$item.attend.2|escape}}" onclick="doLikeAction({{$item.id}},'attendmaybe');"><i class="fa fa-question" aria-hidden="true"><span class="sr-only">{{$item.attend.2}}</span></i></button>
 				</div>
 				{{/if}}
 
 				<div class="pull-right checkbox">
 					{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" id="checkbox-{{$item.id}}" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" id="checkbox-{{$item.id}}" class="item-select" value="{{$item.id}}" />
 					<label for="checkbox-{{$item.id}}"></label>
 				{{/if}}
 				</div>
diff --git a/view/theme/quattro/templates/contact_template.tpl b/view/theme/quattro/templates/contact_template.tpl
index 2d59a8a25..bc7bd5955 100644
--- a/view/theme/quattro/templates/contact_template.tpl
+++ b/view/theme/quattro/templates/contact_template.tpl
@@ -1,12 +1,12 @@
 
 <div class="contact-wrapper" id="contact-entry-wrapper-{{$id}}" >
-	{{if $contact.ignlnk}}<a href="{{$contact.ignlnk}}" title="{{$contact.ignore}}" class="icon drophide profile-match-ignore" onmouseout="imgdull(this);" onmouseover="imgbright(this);" onclick="return confirmDelete();" ></a>{{/if}}
+	{{if $contact.ignlnk}}<a href="{{$contact.ignlnk}}" title="{{$contact.ignore|escape}}" class="icon drophide profile-match-ignore" onmouseout="imgdull(this);" onmouseover="imgbright(this);" onclick="return confirmDelete();" ></a>{{/if}}
 	<div class="contact-photo-wrapper" >
 		<div class="contact-photo mframe" id="contact-entry-photo-{{$contact.id}}"
 		onmouseover="if (typeof t{{$contact.id}} != 'undefined') clearTimeout(t{{$contact.id}}); openMenu('contact-photo-menu-button-{{$contact.id}}')" 
 		onmouseout="t{{$contact.id}}=setTimeout('closeMenu(\'contact-photo-menu-button-{{$contact.id}}\'); closeMenu(\'contact-photo-menu-{{$contact.id}}\');',200)" >
 
-			<a href="{{$contact.url}}" title="{{$contact.img_hover}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" /></a>
+			<a href="{{$contact.url}}" title="{{$contact.img_hover|escape}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" /></a>
 
 			{{if $multiselect}}
 			<input type="checkbox" class="contact-select" name="contact_batch[]" value="{{$contact.id}}">
@@ -27,7 +27,7 @@
 			
 	</div>
 	<div class="contact-name" id="contact-entry-name-{{$contact.id}}" >
-		{{$contact.name}}
+		{{$contact.name|escape}}
 		{{if $contact.account_type}} <span class="contact-entry-details" id="contact-entry-accounttype-{{$contact.id}}">({{$contact.account_type}})</span>{{/if}}
 	</div>
 	{{if $contact.alt_text}}<div class="contact-details" id="contact-entry-rel-{{$contact.id}}" >{{$contact.alt_text}}</div>{{/if}}
@@ -37,7 +37,7 @@
 	{{if $contact.network}}<div class="contact-details" id="contact-entry-network-{{$contact.id}}" >{{$contact.network}}</div>{{/if}}
 
 	{{if $contact.connlnk}}
-	<div class="contact-entry-connect"><a href="{{$contact.connlnk}}" title="{{$contact.conntxt}}">{{$contact.conntxt}}</a></div>
+	<div class="contact-entry-connect"><a href="{{$contact.connlnk}}" title="{{$contact.conntxt|escape}}">{{$contact.conntxt|escape}}</a></div>
 	{{/if}}
 
 
diff --git a/view/theme/quattro/templates/events.tpl b/view/theme/quattro/templates/events.tpl
index 7a50498eb..0d3db2267 100644
--- a/view/theme/quattro/templates/events.tpl
+++ b/view/theme/quattro/templates/events.tpl
@@ -1,8 +1,6 @@
-
 {{$tabs}}
 <h2>{{$title}} <a class="actionbutton" href="{{$new_event.0}}" ><i class="icon add s10"></i> {{$new_event.1}}</a></h2>
 
-
 <div id="event-calendar-wrapper">
 	<a href="{{$previus.0}}" class="prevcal {{$previus.2}}"><div id="event-calendar-prev" class="icon s22 prev" title="{{$previus.1}}"></div></a>
 	{{$calendar}}
@@ -10,15 +8,13 @@
 </div>
 <div class="event-calendar-end"></div>
 
-
 {{foreach $events as $event}}
 	<div class="event">
 	{{if $event.is_first}}<hr /><a name="link-{{$event.j}}" ><div class="event-list-date">{{$event.d}}</div></a>{{/if}}
-	{{if $event.item.author_name}}<a href="{{$event.item.author_link}}" ><img src="{{$event.item.author_avatar}}" height="32" width="32" />{{$event.item.author_name}}</a>{{/if}}
+	{{if $event.item.author_name}}<a href="{{$event.item.author_link}}" ><img src="{{$event.item.author_avatar}}" height="32" width="32" />{{$event.item.author_name|escape}}</a>{{/if}}
 	{{$event.html}}
 	{{if $event.item.plink}}<a href="{{$event.plink.0}}" title="{{$event.plink.1}}" target="_blank" class="plink-event-link icon s22 remote-link"></a>{{/if}}
 	{{if $event.edit}}<a href="{{$event.edit.0}}" title="{{$event.edit.1}}" class="edit-event-link icon s22 pencil"></a>{{/if}}
 	</div>
 	<div class="clear"></div>
-
 {{/foreach}}
diff --git a/view/theme/quattro/templates/mail_conv.tpl b/view/theme/quattro/templates/mail_conv.tpl
index 89827cd31..f06d1cbcf 100644
--- a/view/theme/quattro/templates/mail_conv.tpl
+++ b/view/theme/quattro/templates/mail_conv.tpl
@@ -2,8 +2,8 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper"
-				<a href="{{$mail.profile_url}}" target="redir" title="{{$mail.from_name}}" class="contact-photo-link" id="wall-item-photo-link-{{$mail.id}}">
-					<img src="{{$mail.from_photo}}" class="contact-photo{{$mail.sparkle}}" id="wall-item-photo-{{$mail.id}}" alt="{{$mail.from_name}}" />
+				<a href="{{$mail.profile_url}}" target="redir" title="{{$mail.from_name|escape}}" class="contact-photo-link" id="wall-item-photo-link-{{$mail.id}}">
+					<img src="{{$mail.from_photo}}" class="contact-photo{{$mail.sparkle}}" id="wall-item-photo-{{$mail.id}}" alt="{{$mail.from_name|escape}}" />
 				</a>
 			</div>
 		</div>
@@ -23,16 +23,16 @@
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
 				<a href="{{$mail.from_url}}" target="redir"
-                                class="wall-item-name-link" title="{{$mail.from_addr}}"><span
-                                class="wall-item-name{{$mail.sparkle}}">{{$mail.from_name}}</span></a>
-                                <span class="wall-item-ago" title="{{$mail.date}}">{{$mail.ago}}</span>
+                                class="wall-item-name-link" title="{{$mail.from_addr|escape}}"><span
+                                class="wall-item-name{{$mail.sparkle}}">{{$mail.from_name|escape}}</span></a>
+                                <span class="wall-item-ago" title="{{$mail.date|escape}}">{{$mail.ago|escape}}</span>
 			</div>
 			
 			<div class="wall-item-actions-social">
 			</div>
 			
 			<div class="wall-item-actions-tools">
-				<a href="message/drop/{{$mail.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$mail.delete}}">{{$mail.delete}}</a>
+				<a href="message/drop/{{$mail.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$mail.delete|escape}}">{{$mail.delete|escape}}</a>
 			</div>
 			
 		</div>
@@ -47,14 +47,14 @@
 
 <div class="mail-conv-outside-wrapper">
 	<div class="mail-conv-sender" >
-		<a href="{{$mail.from_url}}" title="{{$mail.from_addr}}" class="mail-conv-sender-url" ><img class="mframe mail-conv-sender-photo{{$mail.sparkle}}" src="{{$mail.from_photo}}" heigth="80" width="80" alt="{{$mail.from_name}}" title="{{$mail.from_addr}}" /></a>
+		<a href="{{$mail.from_url}}" title="{{$mail.from_addr|escape}}" class="mail-conv-sender-url" ><img class="mframe mail-conv-sender-photo{{$mail.sparkle}}" src="{{$mail.from_photo}}" heigth="80" width="80" alt="{{$mail.from_name|escape}}" title="{{$mail.from_addr|escape}}" /></a>
 	</div>
 	<div class="mail-conv-detail" >
-		<div class="mail-conv-sender-name" >{{$mail.from_name}}</div>
+		<div class="mail-conv-sender-name" >{{$mail.from_name|escape}}</div>
 		<div class="mail-conv-date">{{$mail.date}}</div>
 		<div class="mail-conv-subject">{{$mail.subject}}</div>
 		<div class="mail-conv-body">{{$mail.body}}</div>
-	<div class="mail-conv-delete-wrapper" id="mail-conv-delete-wrapper-{{$mail.id}}" ><a href="message/drop/{{$mail.id}}" class="icon drophide delete-icon mail-list-delete-icon" onclick="return confirmDelete();" title="{{$mail.delete}}" id="mail-conv-delete-icon-{{$mail.id}}" class="mail-conv-delete-icon" onmouseover="imgbright(this);" onmouseout="imgdull(this);" ></a></div><div class="mail-conv-delete-end"></div>
+	<div class="mail-conv-delete-wrapper" id="mail-conv-delete-wrapper-{{$mail.id}}" ><a href="message/drop/{{$mail.id}}" class="icon drophide delete-icon mail-list-delete-icon" onclick="return confirmDelete();" title="{{$mail.delete|escape}}" id="mail-conv-delete-icon-{{$mail.id}}" class="mail-conv-delete-icon" onmouseover="imgbright(this);" onmouseout="imgdull(this);" ></a></div><div class="mail-conv-delete-end"></div>
 	<div class="mail-conv-outside-wrapper-end"></div>
 </div>
 </div>
diff --git a/view/theme/quattro/templates/profile_vcard.tpl b/view/theme/quattro/templates/profile_vcard.tpl
index d25234b73..f999f1f57 100644
--- a/view/theme/quattro/templates/profile_vcard.tpl
+++ b/view/theme/quattro/templates/profile_vcard.tpl
@@ -1,15 +1,15 @@
 <div class="vcard h-card">
 
 	<div class="tool">
-		<div class="fn label p-name">{{$profile.name}}</div>
+		<div class="fn label p-name">{{$profile.name|escape}}</div>
 		{{if $profile.edit}}
 			<div class="action">
-			<a class="icon s16 edit ttright" href="#" rel="#profiles-menu" title="{{$profile.edit.3}}"><span>{{$profile.edit.1}}</span></a>
+			<a class="icon s16 edit ttright" href="#" rel="#profiles-menu" title="{{$profile.edit.3|escape}}"><span>{{$profile.edit.1}}</span></a>
 			<ul id="profiles-menu" class="menu-popup">
 			{{if $profile.menu.entries}}
 				{{foreach $profile.menu.entries as $e}}
 				<li>
-					<a href="profiles/{{$e.id}}"><img src='{{$e.photo}}'>{{$e.profile_name}}</a>
+					<a href="profiles/{{$e.id}}"><img src='{{$e.photo}}'>{{$e.profile_name|escape}}</a>
 				</li>
 				{{/foreach}}
 			{{else}}
@@ -29,7 +29,7 @@
 	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
 
 	{{if $pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
-	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}" /></div>
+	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}" /></div>
 
 	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
 
diff --git a/view/theme/quattro/templates/search_item.tpl b/view/theme/quattro/templates/search_item.tpl
index cf79b24c0..33bf5fbb8 100644
--- a/view/theme/quattro/templates/search_item.tpl
+++ b/view/theme/quattro/templates/search_item.tpl
@@ -1,7 +1,7 @@
 <div class="wall-item-decor">
-	{{if $item.star}}<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred}}">{{$item.star.starred}}</span>{{/if}}
-	{{if $item.lock}}<span class="icon s22 lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock}}">{{$item.lock}}</span>{{/if}}
-	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+	{{if $item.star}}<span class="icon s22 star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred|escape}}">{{$item.star.starred|escape}}</span>{{/if}}
+	{{if $item.lock}}<span class="icon s22 lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}">{{$item.lock|escape}}</span>{{/if}}
+	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 </div>
 
 <div class="wall-item-container {{$item.indent}}">
@@ -10,8 +10,8 @@
 			<div class="contact-photo-wrapper"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
 				onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
+					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				</a>
 				<a href="#" rel="#wall-item-photo-menu-{{$item.id}}" class="contact-photo-menu-button icon s16 menu" id="wall-item-photo-menu-button-{{$item.id}}">menu</a>
 				<ul class="wall-item-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
@@ -39,40 +39,40 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
+			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name}}</span></a> <span class="wall-item-ago" title="{{$item.localtime}}">{{$item.ago}}</span>
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a> <span class="wall-item-ago" title="{{$item.localtime|escape}}">{{$item.ago}}</span>
 			</div>
 
 			<div class="wall-item-actions-social">
 			{{if $item.star}}
-				<a href="#" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}"  title="{{$item.star.do}}">{{$item.star.do}}</a>
-				<a href="#" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo}}">{{$item.star.undo}}</a>
-				<a href="#" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.star.classtagger}}" title="{{$item.star.tagger}}">{{$item.star.tagger}}</a>
+				<a href="#" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}"  title="{{$item.star.do|escape}}">{{$item.star.do}}</a>
+				<a href="#" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo|escape}}">{{$item.star.undo}}</a>
+				<a href="#" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.star.classtagger}}" title="{{$item.star.tagger|escape}}">{{$item.star.tagger}}</a>
 			{{/if}}
 
 			{{if $item.vote}}
-				<a href="#" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active{{/if}}" title="{{$item.vote.like.0}}" onclick="dolike({{$item.id}},'like'); return false">{{$item.vote.like.1}}</a>
-				<a href="#" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active{{/if}}" title="{{$item.vote.dislike.0}}" onclick="dolike({{$item.id}},'dislike'); return false">{{$item.vote.dislike.1}}</a>
+				<a href="#" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active{{/if}}" title="{{$item.vote.like.0|escape}}" onclick="dolike({{$item.id}},'like'); return false">{{$item.vote.like.1}}</a>
+				<a href="#" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active{{/if}}" title="{{$item.vote.dislike.0|escape}}" onclick="dolike({{$item.id}},'dislike'); return false">{{$item.vote.dislike.1}}</a>
 			{{/if}}
 
 			{{if $item.vote.share}}
-				<a href="#" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}}); return false">{{$item.vote.share.1}}</a>
+				<a href="#" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}}); return false">{{$item.vote.share.1}}</a>
 			{{/if}}
 			</div>
 
 			<div class="wall-item-actions-tools">
 
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete}}">{{$item.drop.delete}}</a>
+					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete|escape}}">{{$item.drop.delete}}</a>
 				{{/if}}
 				{{if $item.edpost}}
-					<a class="icon edit s16" href="{{$item.edpost.0}}" title="{{$item.edpost.1}}"></a>
+					<a class="icon edit s16" href="{{$item.edpost.0}}" title="{{$item.edpost.1|escape}}"></a>
 				{{/if}}
 			</div>
 
@@ -84,7 +84,7 @@
 		<div class="wall-item-dislike" id="wall-item-dislike-{{$item.id}}">{{$item.dislike}}</div>
 		{{if $item.conv}}
 		<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
-			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'>{{$item.conv.title}}</a>
+			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'>{{$item.conv.title|escape}}</a>
 		</div>
 		{{/if}}
 	</div>
diff --git a/view/theme/quattro/templates/wall_item_tag.tpl b/view/theme/quattro/templates/wall_item_tag.tpl
index efcb52888..d9510da43 100644
--- a/view/theme/quattro/templates/wall_item_tag.tpl
+++ b/view/theme/quattro/templates/wall_item_tag.tpl
@@ -26,8 +26,8 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link" id="wall-item-photo-link-{{$item.id}}">
-					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="contact-photo-link" id="wall-item-photo-link-{{$item.id}}">
+					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				</a>
 				<ul class="contact-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
 				{{$item.item_photo_menu}}
@@ -41,10 +41,10 @@
 		</div>
 			<div class="wall-item-tools">
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete}}">{{$item.drop.delete}}</a>
+					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete|escape}}">{{$item.drop.delete}}</a>
 				{{/if}}
 			</div>
 	</div>
diff --git a/view/theme/quattro/templates/wall_thread.tpl b/view/theme/quattro/templates/wall_thread.tpl
index fda871b19..694557cca 100644
--- a/view/theme/quattro/templates/wall_thread.tpl
+++ b/view/theme/quattro/templates/wall_thread.tpl
@@ -41,7 +41,7 @@
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
 				onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
-					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				</a>
 				<a href="#" rel="#wall-item-photo-menu-{{$item.id}}" class="contact-photo-menu-button icon s16 menu" id="wall-item-photo-menu-button-{{$item.id}}">menu</a>
 				<ul class="contact-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
@@ -52,7 +52,7 @@
 			{{if $item.owner_url}}
 			<div class="contact-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
 				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name}}" />
+					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name|escape}}" />
 				</a>
 			</div>
 			{{/if}}
@@ -71,7 +71,7 @@
 			{{foreach $item.hashtags as $tag}}
 				<span class="tag">{{$tag}}</span>
 			{{/foreach}}
-  			{{foreach $item.mentions as $tag}}
+			{{foreach $item.mentions as $tag}}
 				<span class="mention">{{$tag}}</span>
 			{{/foreach}}
 			{{foreach $item.folders as $cat}}
@@ -92,9 +92,9 @@
 				<a href="{{$item.profile_url}}" target="redir"
                                 title="{{$item.linktitle}}"
                                 class="wall-item-name-link"><span
-                                class="wall-item-name{{$item.sparkle}}">{{$item.name}}</span></a>
+                                class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a>
                                 <span class="wall-item-ago" title="{{$item.localtime}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></span>
-				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a> {{$item.vwall}}
+				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}
 				 {{/if}}
 			</div>
 
diff --git a/view/theme/quattro/templates/widget_forumlist.tpl b/view/theme/quattro/templates/widget_forumlist.tpl
index 35c54bc69..050c991cf 100644
--- a/view/theme/quattro/templates/widget_forumlist.tpl
+++ b/view/theme/quattro/templates/widget_forumlist.tpl
@@ -24,7 +24,7 @@ function showHideForumlist() {
 			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
 				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
 			</a>
-			<a class="forum-widget-link" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
+			<a class="forum-widget-link" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name|escape}}</a>
 		</li>
 		{{/if}}
 	
@@ -34,7 +34,7 @@ function showHideForumlist() {
 			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
 				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
 			</a>
-			<a class="forum-widget-link" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
+			<a class="forum-widget-link" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name|escape}}</a>
 		</li>
 		{{/if}}
 		{{/foreach}}
diff --git a/view/theme/vier/templates/ch_connectors.tpl b/view/theme/vier/templates/ch_connectors.tpl
index 2ca114807..9aa81740b 100644
--- a/view/theme/vier/templates/ch_connectors.tpl
+++ b/view/theme/vier/templates/ch_connectors.tpl
@@ -1,2 +1,2 @@
-<a href="{{$url}}/settings/connectors"><img alt="{{$alt_text}}" src="{{$photo}}" title="{{$alt_text}}"></a>
+<a href="{{$url}}/settings/connectors"><img alt="{{$alt_text|escape}}" src="{{$photo}}" title="{{$alt_text|escape}}"></a>
 
diff --git a/view/theme/vier/templates/ch_directory_item.tpl b/view/theme/vier/templates/ch_directory_item.tpl
index 6813e1186..9d25b3294 100644
--- a/view/theme/vier/templates/ch_directory_item.tpl
+++ b/view/theme/vier/templates/ch_directory_item.tpl
@@ -4,7 +4,7 @@
 	<div class="directory-photo-wrapper" id="directory-photo-wrapper-{{$id}}" > 
 		<div class="directory-photo" id="directory-photo-{{$id}}" >
 			<a href="{{$profile_link}}" class="directory-profile-link" id="directory-profile-link-{{$id}}" >
-				<img class="directory-photo-img" src="{{$photo}}" alt="{{$alt_text}}" title="{{$alt_text}}" />
+				<img class="directory-photo-img" src="{{$photo}}" alt="{{$alt_text|escape}}" title="{{$alt_text|escape}}" />
 			</a>
 		</div>
 	</div>
diff --git a/view/theme/vier/templates/comment_item.tpl b/view/theme/vier/templates/comment_item.tpl
index 3e72df6dc..af8fa4c9d 100644
--- a/view/theme/vier/templates/comment_item.tpl
+++ b/view/theme/vier/templates/comment_item.tpl
@@ -14,7 +14,7 @@
 				<input type="hidden" name="post_id_random" value="{{$rand_num}}" />
 
 				<div class="comment-edit-photo" id="comment-edit-photo-{{$id}}">
-					<a class="comment-edit-photo-link" href="{{$mylink}}" title="{{$mytitle}}"><img class="my-comment-photo" src="{{$myphoto}}" alt="{{$mytitle}}" title="{{$mytitle}}" /></a>
+					<a class="comment-edit-photo-link" href="{{$mylink}}" title="{{$mytitle|escape}}"><img class="my-comment-photo" src="{{$myphoto}}" alt="{{$mytitle|escape}}" title="{{$mytitle|escape}}" /></a>
 				</div>
 				<div class="comment-edit-photo-end"></div>
 				<textarea id="comment-edit-text-{{$id}}" class="comment-edit-text-empty" name="body" placeholder="{{$comment}}" onFocus="commentOpen(this,{{$id}});"></textarea>
@@ -31,14 +31,14 @@
 				<div class="comment-edit-submit-wrapper" id="comment-edit-submit-wrapper-{{$id}}" style="display: none;">
 
 				<div class="comment-edit-bb">
-	                                <a title="{{$edimg}}" data-role="insert-formatting" data-bbcode="img" data-id="{{$id}}"><i class="icon-picture"></i></a>
-	                                <a title="{{$edurl}}" data-role="insert-formatting" data-bbcode="url" data-id="{{$id}}"><i class="icon-link"></i></a>
-	                                <a title="{{$edvideo}}" data-role="insert-formatting" data-bbcode="video" data-id="{{$id}}"><i class="icon-film"></i></a>
+	                                <a title="{{$edimg|escape}}" data-role="insert-formatting" data-bbcode="img" data-id="{{$id}}"><i class="icon-picture"></i></a>
+	                                <a title="{{$edurl|escape}}" data-role="insert-formatting" data-bbcode="url" data-id="{{$id}}"><i class="icon-link"></i></a>
+	                                <a title="{{$edvideo|escape}}" data-role="insert-formatting" data-bbcode="video" data-id="{{$id}}"><i class="icon-film"></i></a>
 
-	                                <a title="{{$eduline}}" data-role="insert-formatting" data-bbcode="u" data-id="{{$id}}"><i class="icon-underline"></i></a>
-	                                <a title="{{$editalic}}" data-role="insert-formatting" data-bbcode="i" data-id="{{$id}}"><i class="icon-italic"></i></a>
-	                                <a title="{{$edbold}}" data-role="insert-formatting" data-bbcode="b" data-id="{{$id}}"><i class="icon-bold"></i></a>
-	                                <a title="{{$edquote}}" data-role="insert-formatting" data-bbcode="quote" data-id="{{$id}}"><i class="icon-quote-left"></i></a>
+	                                <a title="{{$eduline|escape}}" data-role="insert-formatting" data-bbcode="u" data-id="{{$id}}"><i class="icon-underline"></i></a>
+	                                <a title="{{$editalic|escape}}" data-role="insert-formatting" data-bbcode="i" data-id="{{$id}}"><i class="icon-italic"></i></a>
+	                                <a title="{{$edbold|escape}}" data-role="insert-formatting" data-bbcode="b" data-id="{{$id}}"><i class="icon-bold"></i></a>
+	                                <a title="{{$edquote|escape}}" data-role="insert-formatting" data-bbcode="quote" data-id="{{$id}}"><i class="icon-quote-left"></i></a>
 
                                 </div>
 					<input type="submit" onclick="post_comment({{$id}}); return false;" id="comment-edit-submit-{{$id}}" class="comment-edit-submit" name="submit" value="{{$submit}}" />
diff --git a/view/theme/vier/templates/contact_template.tpl b/view/theme/vier/templates/contact_template.tpl
index c4ed99caa..f36995e9c 100644
--- a/view/theme/vier/templates/contact_template.tpl
+++ b/view/theme/vier/templates/contact_template.tpl
@@ -5,8 +5,8 @@
 		<!-- onmouseover="if (typeof t{{$contact.id}} != 'undefined') clearTimeout(t{{$contact.id}}); openMenu('contact-photo-menu-button-{{$contact.id}}')" 
 		onmouseout="t{{$contact.id}}=setTimeout('closeMenu(\'contact-photo-menu-button-{{$contact.id}}\'); closeMenu(\'contact-photo-menu-{{$contact.id}}\');',200)" > -->
 
-			<!-- <a href="{{$contact.url}}" title="{{$contact.img_hover}}" /></a> -->
-			<img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" />
+			<!-- <a href="{{$contact.url}}" title="{{$contact.img_hover|escape}}" /></a> -->
+			<img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" />
 
 			{{if $multiselect}}
 			<input type="checkbox" class="contact-select" name="contact_batch[]" value="{{$contact.id}}">
@@ -32,7 +32,7 @@
 	
 	<div class="contact-entry-desc">
 		<div class="contact-entry-name" id="contact-entry-name-{{$contact.id}}" >
-			{{$contact.name}}
+			{{$contact.name|escape}}
 			{{if $contact.account_type}} <span class="contact-entry-details" id="contact-entry-accounttype-{{$contact.id}}">({{$contact.account_type}})</span>{{/if}}
 		</div>
 		{{if $contact.alt_text}}<div class="contact-entry-details" id="contact-entry-rel-{{$contact.id}}" >{{$contact.alt_text}}</div>{{/if}}
diff --git a/view/theme/vier/templates/nav.tpl b/view/theme/vier/templates/nav.tpl
index 376fcdc31..70dee3755 100644
--- a/view/theme/vier/templates/nav.tpl
+++ b/view/theme/vier/templates/nav.tpl
@@ -14,42 +14,42 @@
 		</li>
 		{{if $nav.home}}
 			<li role="menuitem" id="nav-home-link" class="nav-menu {{$sel.home}}">
-				<a accesskey="p" class="{{$nav.home.2}} desktop-view" href="{{$nav.home.0}}" title="{{$nav.home.3}}" >{{$nav.home.1}}</a>
-				<a class="{{$nav.home.2}} mobile-view" href="{{$nav.home.0}}" title="{{$nav.home.3}}" ><i class="icon s22 icon-home"></i></a>
+				<a accesskey="p" class="{{$nav.home.2}} desktop-view" href="{{$nav.home.0}}" title="{{$nav.home.3|escape}}" >{{$nav.home.1}}</a>
+				<a class="{{$nav.home.2}} mobile-view" href="{{$nav.home.0}}" title="{{$nav.home.3|escape}}" ><i class="icon s22 icon-home"></i></a>
 				<span id="home-update" class="nav-notify"></span>
 			</li>
 		{{/if}}
 		{{if $nav.network}}
 			<li role="menuitem" id="nav-network-link" class="nav-menu {{$sel.network}}">
-				<a accesskey="n" class="{{$nav.network.2}} desktop-view" href="{{$nav.network.0}}" title="{{$nav.network.3}}" >{{$nav.network.1}}</a>
-				<a class="{{$nav.network.2}} mobile-view" href="{{$nav.network.0}}" title="{{$nav.network.3}}" ><i class="icon s22 icon-th"></i></a>
+				<a accesskey="n" class="{{$nav.network.2}} desktop-view" href="{{$nav.network.0}}" title="{{$nav.network.3|escape}}" >{{$nav.network.1}}</a>
+				<a class="{{$nav.network.2}} mobile-view" href="{{$nav.network.0}}" title="{{$nav.network.3|escape}}" ><i class="icon s22 icon-th"></i></a>
 				<span id="net-update" class="nav-notify"></span>
 			</li>
 		{{/if}}
 		{{if $nav.events}}
 			<li role="menuitem" id="nav-events-link" class="nav-menu {{$sel.events}}">
-				<a accesskey="e" class="{{$nav.events.2}} desktop-view" href="{{$nav.events.0}}" title="{{$nav.events.3}}" >{{$nav.events.1}}</a>
-				<a class="{{$nav.events.2}} mobile-view" href="{{$nav.events.0}}" title="{{$nav.events.3}}" ><i class="icon s22 icon-calendar"></i></a>
+				<a accesskey="e" class="{{$nav.events.2}} desktop-view" href="{{$nav.events.0}}" title="{{$nav.events.3|escape}}" >{{$nav.events.1}}</a>
+				<a class="{{$nav.events.2}} mobile-view" href="{{$nav.events.0}}" title="{{$nav.events.3|escape}}" ><i class="icon s22 icon-calendar"></i></a>
 			</li>
 		{{/if}}
 		{{if $nav.community}}
 			<li role="menuitem" id="nav-community-link" class="nav-menu {{$sel.community}}">
-				<a accesskey="c" class="{{$nav.community.2}} desktop-view" href="{{$nav.community.0}}" title="{{$nav.community.3}}" >{{$nav.community.1}}</a>
-				<a class="{{$nav.community.2}} mobile-view" href="{{$nav.community.0}}" title="{{$nav.community.3}}" ><i class="icon s22 icon-bullseye"></i></a>
+				<a accesskey="c" class="{{$nav.community.2}} desktop-view" href="{{$nav.community.0}}" title="{{$nav.community.3|escape}}" >{{$nav.community.1}}</a>
+				<a class="{{$nav.community.2}} mobile-view" href="{{$nav.community.0}}" title="{{$nav.community.3|escape}}" ><i class="icon s22 icon-bullseye"></i></a>
 			</li>
 		{{/if}}
 
 		<li role="menu" aria-haspopup="true" id="nav-site-linkmenu" class="nav-menu-icon"><a><span class="icon s22 icon-question"><span class="sr-only">{{$nav.help.3}}</span></span></a>
 			<ul id="nav-site-menu" class="menu-popup">
-				{{if $nav.help}} <li role="menuitem"><a class="{{$nav.help.2}}" href="{{$nav.help.0}}" title="{{$nav.help.3}}" >{{$nav.help.1}}</a></li>{{/if}}
-				<li role="menuitem"><a class="{{$nav.about.2}}" href="{{$nav.about.0}}" title="{{$nav.about.3}}" >{{$nav.about.1}}</a></li>
-				{{if $nav.tos}}<a class="{{$nav.tos.2}}" href="{{$nav.tos.0}}" title="{{$nav.tos.3}}" >{{$nav.tos.1}}</a></li>{{/if}}
-				<li role="menuitem"><a class="{{$nav.directory.2}}" href="{{$nav.directory.0}}" title="{{$nav.directory.3}}" >{{$nav.directory.1}}</a></li>
+				{{if $nav.help}} <li role="menuitem"><a class="{{$nav.help.2}}" href="{{$nav.help.0}}" title="{{$nav.help.3|escape}}" >{{$nav.help.1}}</a></li>{{/if}}
+				<li role="menuitem"><a class="{{$nav.about.2}}" href="{{$nav.about.0}}" title="{{$nav.about.3|escape}}" >{{$nav.about.1}}</a></li>
+				{{if $nav.tos}}<a class="{{$nav.tos.2}}" href="{{$nav.tos.0}}" title="{{$nav.tos.3|escape}}" >{{$nav.tos.1}}</a></li>{{/if}}
+				<li role="menuitem"><a class="{{$nav.directory.2}}" href="{{$nav.directory.0}}" title="{{$nav.directory.3|escape}}" >{{$nav.directory.1}}</a></li>
 			</ul>
 		</li>
 
 		{{if $nav.notifications}}
-			<li role="menu" aria-haspopup="true" id="nav-notifications-linkmenu" class="nav-menu-icon"><a title="{{$nav.notifications.1}}"><span class="icon s22 icon-bell tilted-icon"><span class="sr-only">{{$nav.notifications.1}}</span></span></a>
+			<li role="menu" aria-haspopup="true" id="nav-notifications-linkmenu" class="nav-menu-icon"><a title="{{$nav.notifications.1|escape}}"><span class="icon s22 icon-bell tilted-icon"><span class="sr-only">{{$nav.notifications.1}}</span></span></a>
 				<span id="notify-update" class="nav-notify"></span>
 				<ul id="nav-notifications-menu" class="menu-popup">
 					<li role="menuitem" id="nav-notifications-mark-all"><a onclick="notifyMarkAll(); return false;">{{$nav.notifications.mark.1}}</a></li>
@@ -61,22 +61,22 @@
 
 		{{if $userinfo}}
 			<li role="menu" aria-haspopup="true" id="nav-user-linkmenu" class="nav-menu">
-				<a accesskey="u" title="{{$sitelocation}}"><img src="{{$userinfo.icon}}" alt="{{$userinfo.name}}"><span id="nav-user-linklabel">{{$userinfo.name}}</span><span id="intro-update" class="nav-notify"></span></a>
+				<a accesskey="u" title="{{$sitelocation|escape}}"><img src="{{$userinfo.icon}}" alt="{{$userinfo.name|escape}}"><span id="nav-user-linklabel">{{$userinfo.name|escape}}</span><span id="intro-update" class="nav-notify"></span></a>
 				<ul id="nav-user-menu" class="menu-popup">
-					{{if $nav.introductions}}<li role="menuitem"><a class="{{$nav.introductions.2}}" href="{{$nav.introductions.0}}" title="{{$nav.introductions.3}}" >{{$nav.introductions.1}}</a><span id="intro-update-li" class="nav-notify"></span></li>{{/if}}
-					{{if $nav.contacts}}<li role="menuitem"><a class="{{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3}}" >{{$nav.contacts.1}}</a></li>{{/if}}
-					{{if $nav.messages}}<li role="menuitem"><a class="{{$nav.messages.2}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3}}" >{{$nav.messages.1}}</a><span id="mail-update" class="nav-notify"></span></a></li>{{/if}}
-					{{if $nav.manage}}<li role="menuitem"><a class="{{$nav.manage.2}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3}}">{{$nav.manage.1}}</a></li>{{/if}}
-					{{if $nav.usermenu.1}}<li role="menuitem"><a class="{{$nav.usermenu.1.2}}" href="{{$nav.usermenu.1.0}}" title="{{$nav.usermenu.1.3}}">{{$nav.usermenu.1.1}}</a></li>{{/if}}
-					{{if $nav.settings}}<li role="menuitem"><a class="{{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3}}">{{$nav.settings.1}}</a></li>{{/if}}
-					{{if $nav.logout}}<li role="menuitem"><a class="menu-sep {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3}}" >{{$nav.logout.1}}</a></li>{{/if}}
+					{{if $nav.introductions}}<li role="menuitem"><a class="{{$nav.introductions.2}}" href="{{$nav.introductions.0}}" title="{{$nav.introductions.3|escape}}" >{{$nav.introductions.1}}</a><span id="intro-update-li" class="nav-notify"></span></li>{{/if}}
+					{{if $nav.contacts}}<li role="menuitem"><a class="{{$nav.contacts.2}}" href="{{$nav.contacts.0}}" title="{{$nav.contacts.3|escape}}" >{{$nav.contacts.1}}</a></li>{{/if}}
+					{{if $nav.messages}}<li role="menuitem"><a class="{{$nav.messages.2}}" href="{{$nav.messages.0}}" title="{{$nav.messages.3|escape}}" >{{$nav.messages.1}}</a><span id="mail-update" class="nav-notify"></span></a></li>{{/if}}
+					{{if $nav.manage}}<li role="menuitem"><a class="{{$nav.manage.2}}" href="{{$nav.manage.0}}" title="{{$nav.manage.3|escape}}">{{$nav.manage.1}}</a></li>{{/if}}
+					{{if $nav.usermenu.1}}<li role="menuitem"><a class="{{$nav.usermenu.1.2}}" href="{{$nav.usermenu.1.0}}" title="{{$nav.usermenu.1.3|escape}}">{{$nav.usermenu.1.1}}</a></li>{{/if}}
+					{{if $nav.settings}}<li role="menuitem"><a class="{{$nav.settings.2}}" href="{{$nav.settings.0}}" title="{{$nav.settings.3|escape}}">{{$nav.settings.1}}</a></li>{{/if}}
+					{{if $nav.logout}}<li role="menuitem"><a class="menu-sep {{$nav.logout.2}}" href="{{$nav.logout.0}}" title="{{$nav.logout.3|escape}}" >{{$nav.logout.1}}</a></li>{{/if}}
 				</ul>
 			</li>
 		{{/if}}
 
 		{{if $nav.login}}
 			<li role="menuitem" id="nav-login-link" class="nav-menu">
-				<a class="{{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3}}" >{{$nav.login.1}}</a>
+				<a class="{{$nav.login.2}}" href="{{$nav.login.0}}" title="{{$nav.login.3|escape}}" >{{$nav.login.1}}</a>
 			</li>
 		{{/if}}
 
@@ -96,13 +96,13 @@
 
 		{{if $nav.admin}}
 			<li role="menuitem" id="nav-admin-link" class="nav-menu">
-				<a accesskey="a" class="{{$nav.admin.2}} icon-sliders" href="{{$nav.admin.0}}" title="{{$nav.admin.3}}" ><span class="sr-only">{{$nav.admin.3}}</span></a>
+				<a accesskey="a" class="{{$nav.admin.2}} icon-sliders" href="{{$nav.admin.0}}" title="{{$nav.admin.3|escape}}" ><span class="sr-only">{{$nav.admin.3|escape}}</span></a>
 			</li>
 		{{/if}}
 
 		{{if $nav.apps}}
 			<li role="menu" aria-haspopup="true" id="nav-apps-link" class="nav-menu {{$sel.apps}}">
-				<a class=" {{$nav.apps.2}}" title="{{$nav.apps.3}}" >{{$nav.apps.1}}</a>
+				<a class=" {{$nav.apps.2}}" title="{{$nav.apps.3|escape}}" >{{$nav.apps.1}}</a>
 				<ul id="nav-apps-menu" class="menu-popup">
 					{{foreach $apps as $ap}}
 					<li role="menuitem">{{$ap}}</li>
diff --git a/view/theme/vier/templates/photo_item.tpl b/view/theme/vier/templates/photo_item.tpl
index bc77eaa9c..f696a683a 100644
--- a/view/theme/vier/templates/photo_item.tpl
+++ b/view/theme/vier/templates/photo_item.tpl
@@ -2,15 +2,15 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper">
-				<a href="{{$profile_url}}" target="redir" title="{{$linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$id}}">
-					<img src="{{$thumb}}" class="contact-photo{{$sparkle}}" id="wall-item-photo-{{$id}}" alt="{{$name}}" />
+				<a href="{{$profile_url}}" target="redir" title="{{$linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$id}}">
+					<img src="{{$thumb}}" class="contact-photo{{$sparkle}}" id="wall-item-photo-{{$id}}" alt="{{$name|escape}}" />
 				</a>
 			</div>
 		</div>
 		<div class="wall-item-actions-author">
-			<a href="{{$profile_url}}" target="redir" title="{{$linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$sparkle}}">{{$name}}</span></a>
+			<a href="{{$profile_url}}" target="redir" title="{{$linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$sparkle}}">{{$name|escape}}</span></a>
 			<span class="wall-item-ago">
-				{{if $plink}}<a class="link" title="{{$plink.title}}" href="{{$plink.href}}" style="color: #999">{{$ago}}</a>{{else}} {{$ago}} {{/if}}
+				{{if $plink}}<a class="link" title="{{$plink.title|escape}}" href="{{$plink.href}}" style="color: #999">{{$ago}}</a>{{else}} {{$ago}} {{/if}}
 				{{if $lock}}<span class="fakelink" style="color: #999" onclick="lockview(event,{{$id}});">{{$lock}}</span> {{/if}}
 			</span>
 		</div>
@@ -31,8 +31,8 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			<!-- {{if $plink}}<a title="{{$plink.title}}" href="{{$plink.href}}"><i class="icon-link icon-large"></i></a>{{/if}} -->
-			{{if $conv}}<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title}}'><i class="icon-link icon-large"></i></a>{{/if}}
+			<!-- {{if $plink}}<a title="{{$plink.title|escape}}" href="{{$plink.href}}"><i class="icon-link icon-large"></i></a>{{/if}} -->
+			{{if $conv}}<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title|escape}}'><i class="icon-link icon-large"></i></a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 
@@ -40,31 +40,31 @@
 
 			<div class="wall-item-actions-social">
 			{{if $star}}
-				<a href="#" id="star-{{$id}}" onclick="dostar({{$id}}); return false;"  class="{{$star.classdo}}"  title="{{$star.do}}">{{$star.do}}</a>
-				<a href="#" id="unstar-{{$id}}" onclick="dostar({{$id}}); return false;"  class="{{$star.classundo}}"  title="{{$star.undo}}">{{$star.undo}}</a>
-				<a href="#" id="tagger-{{$id}}" onclick="itemTag({{$id}}); return false;" class="{{$star.classtagger}}" title="{{$star.tagger}}">{{$star.tagger}}</a>
+				<a href="#" id="star-{{$id}}" onclick="dostar({{$id}}); return false;"  class="{{$star.classdo}}"  title="{{$star.do|escape}}">{{$star.do}}</a>
+				<a href="#" id="unstar-{{$id}}" onclick="dostar({{$id}}); return false;"  class="{{$star.classundo}}"  title="{{$star.undo|escape}}">{{$star.undo}}</a>
+				<a href="#" id="tagger-{{$id}}" onclick="itemTag({{$id}}); return false;" class="{{$star.classtagger}}" title="{{$star.tagger|escape}}">{{$star.tagger}}</a>
 			{{/if}}
 
 			{{if $vote}}
-				<a href="#" id="like-{{$id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$vote.like.0}}" onclick="dolike({{$id}},'like'); return false">{{$vote.like.1}}</a>
-				<a href="#" id="dislike-{{$id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$vote.dislike.0}}" onclick="dolike({{$id}},'dislike'); return false">{{$vote.dislike.1}}</a>
+				<a href="#" id="like-{{$id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$vote.like.0|escape}}" onclick="dolike({{$id}},'like'); return false">{{$vote.like.1}}</a>
+				<a href="#" id="dislike-{{$id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$vote.dislike.0|escape}}" onclick="dolike({{$id}},'dislike'); return false">{{$vote.dislike.1}}</a>
 			{{/if}}
 
 			{{if $vote.share}}
-				<a href="#" id="share-{{$id}}" title="{{$vote.share.0}}" onclick="jotShare({{$id}}); return false">{{$vote.share.1}}</a>
+				<a href="#" id="share-{{$id}}" title="{{$vote.share.0|escape}}" onclick="jotShare({{$id}}); return false">{{$vote.share.1}}</a>
 			{{/if}}
 			</div>
 
 			<div class="wall-item-actions-tools">
 
 				{{if $drop.pagedrop}}
-					<input type="checkbox" title="{{$drop.select}}" name="itemselected[]" class="item-select" value="{{$id}}" />
+					<input type="checkbox" title="{{$drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$id}}" />
 				{{/if}}
 				{{if $drop.dropping}}
-					<a href="item/drop/{{$id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$drop.delete}}">{{$drop.delete}}</a>
+					<a href="item/drop/{{$id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$drop.delete|escape}}">{{$drop.delete}}</a>
 				{{/if}}
 				{{if $edpost}}
-					<a class="icon edit s16" href="{{$edpost.0}}" title="{{$edpost.1}}"></a>
+					<a class="icon edit s16" href="{{$edpost.0}}" title="{{$edpost.1|escape}}"></a>
 				{{/if}}
 			</div>
 
diff --git a/view/theme/vier/templates/photo_view.tpl b/view/theme/vier/templates/photo_view.tpl
index c252960c0..5a6613dd1 100644
--- a/view/theme/vier/templates/photo_view.tpl
+++ b/view/theme/vier/templates/photo_view.tpl
@@ -8,11 +8,11 @@
 |
 <a id="photo-toprofile-link" href="{{$tools.profile.0}}">{{$tools.profile.1}}</a>
 {{/if}}
-{{if $lock}} | <img src="images/lock_icon.gif" class="lockview" alt="{{$lock}}" onclick="lockview(event,'photo/{{$id}}');" /> {{/if}}
+{{if $lock}} | <img src="images/lock_icon.gif" class="lockview" alt="{{$lock|escape}}" onclick="lockview(event,'photo/{{$id}}');" /> {{/if}}
 </div>
 
 {{if $prevlink}}<div id="photo-prev-link"><a href="{{$prevlink.0}}">{{$prevlink.1}}</a></div>{{/if}}
-<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" /></a></div>
+<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" /></a></div>
 {{if $nextlink}}<div id="photo-next-link"><a href="{{$nextlink.0}}">{{$nextlink.1}}</a></div>{{/if}}
 <div id="photo-photo-end"></div>
 <div id="photo-caption">{{$desc}}</div>
diff --git a/view/theme/vier/templates/profile_vcard.tpl b/view/theme/vier/templates/profile_vcard.tpl
index dfa341b26..6ba3119ca 100644
--- a/view/theme/vier/templates/profile_vcard.tpl
+++ b/view/theme/vier/templates/profile_vcard.tpl
@@ -1,7 +1,7 @@
 <div class="vcard h-card">
 
 	<div class="tool">
-		<div class="fn label p-name">{{$profile.name}}</div>
+		<div class="fn label p-name">{{$profile.name|escape}}</div>
 		{{if $profile.edit}}
 			<div class="action">
 				<a class="icon s16 edit ttright" href="{{$profile.edit.0}}" title="{{$profile.edit.3}}"><span>{{$profile.edit.1}}</span></a>
@@ -18,9 +18,9 @@
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 
 	{{if $profile.picdate}}
-		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name}}"></a></div>
+		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></a></div>
 	{{else}}
-		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}" alt="{{$profile.name}}"></a></div>
+		<div id="profile-photo-wrapper"><a href="{{$profile.url}}"><img class="photo u-photo" src="{{$profile.photo}}" alt="{{$profile.name|escape}}"></a></div>
 	{{/if}}
 
 	{{if $account_type}}<div class="account-type">{{$account_type}}</div>{{/if}}
diff --git a/view/theme/vier/templates/search_item.tpl b/view/theme/vier/templates/search_item.tpl
index c1383ba43..c274ca3e3 100644
--- a/view/theme/vier/templates/search_item.tpl
+++ b/view/theme/vier/templates/search_item.tpl
@@ -1,9 +1,9 @@
 
 
 <div class="wall-item-decor">
-	{{if $item.star}}<span class="icon star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred}}">{{$item.star.starred}}</span>{{/if}}
-	{{if $item.lock}}<span class="icon lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock}}">{{$item.lock}}</span>{{/if}}
-	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+	{{if $item.star}}<span class="icon star {{$item.isstarred}}" id="starred-{{$item.id}}" title="{{$item.star.starred|escape}}">{{$item.star.starred|escape}}</span>{{/if}}
+	{{if $item.lock}}<span class="icon lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}">{{$item.lock|escape}}</span>{{/if}}
+	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 </div>
 
 <div class="wall-item-container {{$item.indent}} {{$item.shiny}} ">
@@ -12,8 +12,8 @@
 			<div class="contact-photo-wrapper">
 				<!-- onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
 				onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)"> -->
-				<!-- <a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}"></a> -->
-					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<!-- <a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}"></a> -->
+					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				<!-- <a rel="#wall-item-photo-menu-{{$item.id}}" class="contact-photo-menu-button icon s16 menu" id="wall-item-photo-menu-button-{{$item.id}}">menu</a> -->
 				<ul role="menu" aria-haspopup="true" class="wall-item-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
 				{{$item.item_photo_menu}}
@@ -22,9 +22,9 @@
 			</div>
 		</div>
 		<div class="wall-item-actions-author">
-			<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name}}</span></a>
+			<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a>
 			<span class="wall-item-ago">
-				{{if $item.plink}}<a class="link" title="{{$item.plink.title}}" href="{{$item.plink.href}}" style="color: #999">{{$item.ago}}</a>{{else}} {{$item.ago}} {{/if}}
+				{{if $item.plink}}<a class="link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" style="color: #999">{{$item.ago}}</a>{{else}} {{$item.ago}} {{/if}}
 				{{if $item.lock}}<span class="fakelink" style="color: #999" onclick="lockview(event,{{$item.id}});">{{$item.lock}}</span> {{/if}}
 			</span>
 		</div>
@@ -46,8 +46,8 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			<!-- {{if $item.plink}}<a title="{{$item.plink.title}}" href="{{$item.plink.href}}"><i class="icon-link icon-large"></i></a>{{/if}} -->
-			{{if $item.conv}}<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'><i class="icon-link icon-large"></i></a>{{/if}}
+			<!-- {{if $item.plink}}<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}"><i class="icon-link icon-large"></i></a>{{/if}} -->
+			{{if $item.conv}}<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'><i class="icon-link icon-large"></i></a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 
@@ -55,31 +55,31 @@
 
 			<div class="wall-item-actions-social">
 			{{if $item.star}}
-				<a href="#" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}"  title="{{$item.star.do}}">{{$item.star.do}}</a>
-				<a href="#" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo}}">{{$item.star.undo}}</a>
-				<a href="#" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.star.classtagger}}" title="{{$item.star.tagger}}">{{$item.star.tagger}}</a>
+				<a href="#" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}"  title="{{$item.star.do|escape}}">{{$item.star.do}}</a>
+				<a href="#" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo|escape}}">{{$item.star.undo}}</a>
+				<a href="#" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.star.classtagger}}" title="{{$item.star.tagger|escape}}">{{$item.star.tagger}}</a>
 			{{/if}}
 
 			{{if $item.vote}}
-				<a href="#" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$item.vote.like.0}}" onclick="dolike({{$item.id}},'like'); return false">{{$item.vote.like.1}}</a>
-				<a href="#" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$item.vote.dislike.0}}" onclick="dolike({{$item.id}},'dislike'); return false">{{$item.vote.dislike.1}}</a>
+				<a href="#" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$item.vote.like.0|escape}}" onclick="dolike({{$item.id}},'like'); return false">{{$item.vote.like.1}}</a>
+				<a href="#" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$item.vote.dislike.0|escape}}" onclick="dolike({{$item.id}},'dislike'); return false">{{$item.vote.dislike.1}}</a>
 			{{/if}}
 
 			{{if $item.vote.share}}
-				<a href="#" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}}); return false">{{$item.vote.share.1}}</a>
+				<a href="#" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}}); return false">{{$item.vote.share.1}}</a>
 			{{/if}}
 			</div>
 
 			<div class="wall-item-actions-tools">
 
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete}}">{{$item.drop.delete}}</a>
+					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete|escape}}">{{$item.drop.delete|escape}}</a>
 				{{/if}}
 				{{if $item.edpost}}
-					<a class="icon edit s16" href="{{$item.edpost.0}}" title="{{$item.edpost.1}}"></a>
+					<a class="icon edit s16" href="{{$item.edpost.0}}" title="{{$item.edpost.1|escape}}"></a>
 				{{/if}}
 			</div>
 
diff --git a/view/theme/vier/templates/wall_item_tag.tpl b/view/theme/vier/templates/wall_item_tag.tpl
index be6b143b9..2c02036a0 100644
--- a/view/theme/vier/templates/wall_item_tag.tpl
+++ b/view/theme/vier/templates/wall_item_tag.tpl
@@ -27,8 +27,8 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper">
-				<!-- <a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link" id="wall-item-photo-link-{{$item.id}}"></a> -->
-					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<!-- <a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="contact-photo-link" id="wall-item-photo-link-{{$item.id}}"></a> -->
+					<img src="{{$item.thumb}}" class="contact-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				<ul role="menu" aria-haspopup="true" class="contact-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
 				{{$item.item_photo_menu}}
 				</ul>
@@ -41,10 +41,10 @@
 		</div>
 			<div class="wall-item-tools">
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete}}">{{$item.drop.delete}}</a>
+					<a href="item/drop/{{$item.id}}" onclick="return confirmDelete();" class="icon delete s16" title="{{$item.drop.delete|escape}}">{{$item.drop.delete}}</a>
 				{{/if}}
 			</div>
 	</div>
diff --git a/view/theme/vier/templates/wall_thread.tpl b/view/theme/vier/templates/wall_thread.tpl
index 8debce364..57ca699e3 100644
--- a/view/theme/vier/templates/wall_thread.tpl
+++ b/view/theme/vier/templates/wall_thread.tpl
@@ -19,7 +19,7 @@
 {{if $item.thread_level!=1}}<div class="children u-comment h-cite">{{/if}}
 
 <div aria-hidden="true" class="wall-item-decor">
-	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait}}" title="{{$item.wait}}" style="display: none;" />
+	<img id="like-rotator-{{$item.id}}" class="like-rotator" src="images/rotator.gif" alt="{{$item.wait|escape}}" title="{{$item.wait|escape}}" style="display: none;" />
 </div>
 
 {{if $item.thread_level<7}}
@@ -36,8 +36,8 @@
 	<div class="wall-item-item">
 		<div class="wall-item-info">
 			<div class="contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card">
-				<!-- <a aria-hidden="true" href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}"></a> -->
-					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name}}" />
+				<!-- <a aria-hidden="true" href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}"></a> -->
+					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				<ul role="menu" aria-haspopup="true" class="contact-menu menu-popup" id="wall-item-photo-menu-{{$item.id}}">
 				{{$item.item_photo_menu}}
 				</ul>
@@ -45,20 +45,20 @@
 			</div>
 			{{if $item.owner_url}}
 			<div aria-hidden="true" class="contact-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="contact-photo-link u-url" id="wall-item-ownerphoto-link-{{$item.id}}">
-					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}} p-name u-photo" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name}}" />
+				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="contact-photo-link u-url" id="wall-item-ownerphoto-link-{{$item.id}}">
+					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}} p-name u-photo" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name|escape}}" />
 				</a>
 			</div>
 			{{/if}}
 		</div>
 		<div role="heading" aria-level="{{$item.thread_level}}" class="wall-item-actions-author">
-			<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name}}</span></a>
-			{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a>{{/if}}
+			<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a>
+			{{if $item.owner_url}}{{$item.via}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a>{{/if}}
 			<span class="wall-item-ago">
-				{{if $item.plink}}<a title="{{$item.plink.title}}" href="{{$item.plink.href}}" class="u-url" style="color: #999"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.created}}</time></a>{{else}} <time class="dt-published" datetime="{{$item.localtime}}">{{$item.created}}</time> {{/if}}
+				{{if $item.plink}}<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="u-url" style="color: #999"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.created}}</time></a>{{else}} <time class="dt-published" datetime="{{$item.localtime}}">{{$item.created}}</time> {{/if}}
 			</span>
-			{{if $item.lock}}<span class="icon s10 lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock}}">{{$item.lock}}</span>{{/if}}
-			<span class="wall-item-network" title="{{$item.app}}">
+			{{if $item.lock}}<span class="icon s10 lock fakelink" onclick="lockview(event,{{$item.id}});" title="{{$item.lock|escape}}">{{$item.lock}}</span>{{/if}}
+			<span class="wall-item-network" title="{{$item.app|escape}}">
 				{{$item.network_name}}
 			</span>
 			<div class="wall-item-network-end"></div>
@@ -77,60 +77,60 @@
 			{{foreach $item.hashtags as $tag}}
 				<span class="tag">{{$tag}}</span>
 			{{/foreach}}
-  			{{foreach $item.mentions as $tag}}
+			{{foreach $item.mentions as $tag}}
 				<span class="mention">{{$tag}}</span>
 			{{/foreach}}
 		{{/if}}
 			{{foreach $item.folders as $cat}}
-				<span class="folder p-category">{{$cat.name}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+				<span class="folder p-category">{{$cat.name|escape}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 			{{/foreach}}
 			{{foreach $item.categories as $cat}}
-				<span class="category p-category">{{$cat.name}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove}}">x</a>) {{/if}} </span>
+				<span class="category p-category">{{$cat.name|escape}}</a>{{if $cat.removeurl}} (<a href="{{$cat.removeurl}}" title="{{$remove|escape}}">x</a>) {{/if}} </span>
 			{{/foreach}}
 		</div>
 	</div>
 	<div class="wall-item-bottom">
 		<div class="wall-item-links">
-			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title}}</span></i></a>{{/if}}
+			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title|escape}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title}}</span></i></a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-social">
 			{{if $item.threaded}}
 			{{/if}}
 			{{if $item.comment}}
-				<a role="button" id="comment-{{$item.id}}" class="fakelink togglecomment" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});" title="{{$item.switchcomment}}"><i class="icon-commenting"><span class="sr-only">{{$item.switchcomment}}</span></i></a>
+				<a role="button" id="comment-{{$item.id}}" class="fakelink togglecomment" onclick="openClose('item-comments-{{$item.id}}'); commentExpand({{$item.id}});" title="{{$item.switchcomment|escape}}"><i class="icon-commenting"><span class="sr-only">{{$item.switchcomment}}</span></i></a>
 			{{/if}}
 
 			{{if $item.isevent}}
-				<a role="button" id="attendyes-{{$item.id}}"{{if $item.responses.attendyes.self}} class="active"{{/if}} title="{{$item.attend.0}}" onclick="dolike({{$item.id}},'attendyes'); return false;"><i class="icon-ok icon-large"><span class="sr-only">{{$item.attend.0}}</span></i></a>
-				<a role="button" id="attendno-{{$item.id}}"{{if $item.responses.attendno.self}} class="active"{{/if}} title="{{$item.attend.1}}" onclick="dolike({{$item.id}},'attendno'); return false;"><i class="icon-remove icon-large"><span class="sr-only">{{$item.attend.1}}</span></i></a>
-				<a role="button" id="attendmaybe-{{$item.id}}"{{if $item.responses.attendmaybe.self}} class="active"{{/if}} title="{{$item.attend.2}}" onclick="dolike({{$item.id}},'attendmaybe'); return false;"><i class="icon-question icon-large"><span class="sr-only">{{$item.attend.2}}</span></i></a>
+				<a role="button" id="attendyes-{{$item.id}}"{{if $item.responses.attendyes.self}} class="active"{{/if}} title="{{$item.attend.0|escape}}" onclick="dolike({{$item.id}},'attendyes'); return false;"><i class="icon-ok icon-large"><span class="sr-only">{{$item.attend.0}}</span></i></a>
+				<a role="button" id="attendno-{{$item.id}}"{{if $item.responses.attendno.self}} class="active"{{/if}} title="{{$item.attend.1|escape}}" onclick="dolike({{$item.id}},'attendno'); return false;"><i class="icon-remove icon-large"><span class="sr-only">{{$item.attend.1}}</span></i></a>
+				<a role="button" id="attendmaybe-{{$item.id}}"{{if $item.responses.attendmaybe.self}} class="active"{{/if}} title="{{$item.attend.2|escape}}" onclick="dolike({{$item.id}},'attendmaybe'); return false;"><i class="icon-question icon-large"><span class="sr-only">{{$item.attend.2}}</span></i></a>
 			{{/if}}
 
 			{{if $item.vote}}
 				{{if $item.vote.like}}
-				<a role="button" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$item.vote.like.0}}" onclick="dolike({{$item.id}},'like'); return false"><i class="icon-thumbs-up icon-large"><span class="sr-only">{{$item.vote.like.0}}</span></i></a>
+				<a role="button" id="like-{{$item.id}}"{{if $item.responses.like.self}} class="active"{{/if}} title="{{$item.vote.like.0|escape}}" onclick="dolike({{$item.id}},'like'); return false"><i class="icon-thumbs-up icon-large"><span class="sr-only">{{$item.vote.like.0}}</span></i></a>
 				{{/if}}{{if $item.vote.dislike}}
-				<a role="button" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$item.vote.dislike.0}}" onclick="dolike({{$item.id}},'dislike'); return false"><i class="icon-thumbs-down icon-large"><span class="sr-only">{{$item.vote.dislike.0}}</span></i></a>
+				<a role="button" id="dislike-{{$item.id}}"{{if $item.responses.dislike.self}} class="active"{{/if}} title="{{$item.vote.dislike.0|escape}}" onclick="dolike({{$item.id}},'dislike'); return false"><i class="icon-thumbs-down icon-large"><span class="sr-only">{{$item.vote.dislike.0}}</span></i></a>
 				{{/if}}
 			    {{if $item.vote.share}}
-				    <a role="button" id="share-{{$item.id}}" title="{{$item.vote.share.0}}" onclick="jotShare({{$item.id}}); return false"><i class="icon-retweet icon-large"><span class="sr-only">{{$item.vote.share.0}}</span></i></a>
+				    <a role="button" id="share-{{$item.id}}" title="{{$item.vote.share.0|escape}}" onclick="jotShare({{$item.id}}); return false"><i class="icon-retweet icon-large"><span class="sr-only">{{$item.vote.share.0}}</span></i></a>
 			    {{/if}}
 			{{/if}}
 
 			{{if $item.star}}
-				<a role="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}" title="{{$item.star.do}}"><i class="icon-star icon-large"><span class="sr-only">{{$item.star.do}}</span></i></a>
-				<a role="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo}}"><i class="icon-star-empty icon-large"><span class="sr-only">{{$item.star.undo}}</span></i></a>
+				<a role="button" id="star-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classdo}}" title="{{$item.star.do|escape}}"><i class="icon-star icon-large"><span class="sr-only">{{$item.star.do}}</span></i></a>
+				<a role="button" id="unstar-{{$item.id}}" onclick="dostar({{$item.id}}); return false;"  class="{{$item.star.classundo}}"  title="{{$item.star.undo|escape}}"><i class="icon-star-empty icon-large"><span class="sr-only">{{$item.star.undo}}</span></i></a>
 			{{/if}}
 			{{if $item.ignore}}
-				<a role="button" id="ignore-{{$item.id}}" onclick="doignore({{$item.id}}); return false;"  class="{{$item.ignore.classdo}}"  title="{{$item.ignore.do}}"><i class="icon-bell-slash icon-large"><span class="sr-only">{{$item.ignore.do}}</span></i></a>
-				<a role="button" id="unignore-{{$item.id}}" onclick="doignore({{$item.id}}); return false;"  class="{{$item.ignore.classundo}}"  title="{{$item.ignore.undo}}"><i class="icon-bell-slash-o icon-large"><span class="sr-only">{{$item.ignore.undo}}</span></i></a>
+				<a role="button" id="ignore-{{$item.id}}" onclick="doignore({{$item.id}}); return false;"  class="{{$item.ignore.classdo}}"  title="{{$item.ignore.do|escape}}"><i class="icon-bell-slash icon-large"><span class="sr-only">{{$item.ignore.do}}</span></i></a>
+				<a role="button" id="unignore-{{$item.id}}" onclick="doignore({{$item.id}}); return false;"  class="{{$item.ignore.classundo}}"  title="{{$item.ignore.undo|escape}}"><i class="icon-bell-slash-o icon-large"><span class="sr-only">{{$item.ignore.undo}}</span></i></a>
 			{{/if}}
 			{{if $item.tagger}}
-				<a role="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.tagger.class}}" title="{{$item.tagger.add}}"><i class="icon-tags icon-large"><span class="sr-only">{{$item.tagger.add}}</span></i></a>
+				<a role="button" id="tagger-{{$item.id}}" onclick="itemTag({{$item.id}}); return false;" class="{{$item.tagger.class}}" title="{{$item.tagger.add|escape}}"><i class="icon-tags icon-large"><span class="sr-only">{{$item.tagger.add}}</span></i></a>
 			{{/if}}
 			{{if $item.filer}}
-                                <a role="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}}); return false;" class="filer-item filer-icon" title="{{$item.filer}}"><i class="icon-folder-close icon-large"><span class="sr-only">{{$item.filer}}</span></i></a>
+                                <a role="button" id="filer-{{$item.id}}" onclick="itemFiler({{$item.id}}); return false;" class="filer-item filer-icon" title="{{$item.filer|escape}}"><i class="icon-folder-close icon-large"><span class="sr-only">{{$item.filer}}</span></i></a>
 			{{/if}}
 			</div>
 
@@ -142,13 +142,13 @@
 			<div class="wall-item-actions-tools">
 
 				{{if $item.drop.pagedrop}}
-					<input type="checkbox" title="{{$item.drop.select}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
+					<input type="checkbox" title="{{$item.drop.select|escape}}" name="itemselected[]" class="item-select" value="{{$item.id}}" />
 				{{/if}}
 				{{if $item.drop.dropping}}
-					<a role="button" href="item/drop/{{$item.id}}/{{$item.return}}" onclick="return confirmDelete();" title="{{$item.drop.delete}}"><i class="icon-trash icon-large"><span class="sr-only">{{$item.drop.delete}}</span></i></a>
+					<a role="button" href="item/drop/{{$item.id}}/{{$item.return}}" onclick="return confirmDelete();" title="{{$item.drop.delete|escape}}"><i class="icon-trash icon-large"><span class="sr-only">{{$item.drop.delete}}</span></i></a>
 				{{/if}}
 				{{if $item.edpost}}
-					<a role="button" href="{{$item.edpost.0}}" title="{{$item.edpost.1}}"><i class="icon-edit icon-large"><span class="sr-only">{{$item.edpost.1}}</span></i></a>
+					<a role="button" href="{{$item.edpost.0}}" title="{{$item.edpost.1|escape}}"><i class="icon-edit icon-large"><span class="sr-only">{{$item.edpost.1}}</span></i></a>
 				{{/if}}
 			</div>
 
diff --git a/view/theme/vier/templates/widget_forumlist_right.tpl b/view/theme/vier/templates/widget_forumlist_right.tpl
index fe72ffcaf..8b2700e01 100644
--- a/view/theme/vier/templates/widget_forumlist_right.tpl
+++ b/view/theme/vier/templates/widget_forumlist_right.tpl
@@ -21,20 +21,20 @@ function showHideForumlist() {
 		{{if $forum.id <= $visible_forums}}
 		<li class="forum-widget-entry forum-{{$forum.cid}}" id="forum-widget-entry-{{$forum.id}}" role="menuitem">
 			<span class="notify badge pull-right"></span>
-			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
-				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
+			<a href="{{$forum.external_url}}" title="{{$forum.link_desc|escape}}" class="label sparkle" target="_blank">
+				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc|escape}}" />
 			</a>
-			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
+			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name|escape}}</a>
 		</li>
 		{{/if}}
 	
 		{{if $forum.id > $visible_forums}}
 		<li class="forum-widget-entry forum-{{$forum.cid}}" id="forum-widget-entry-extended-{{$forum.id}}" role="menuitem" style="display: none;">
 			<span class="notify badge pull-right"></span>
-			<a href="{{$forum.external_url}}" title="{{$forum.link_desc}}" class="label sparkle" target="_blank">
-				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc}}" />
+			<a href="{{$forum.external_url}}" title="{{$forum.link_desc|escape}}" class="label sparkle" target="_blank">
+				<img class="forumlist-img" src="{{$forum.micro}}" alt="{{$forum.link_desc|escape}}" />
 			</a>
-			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name}}</a>
+			<a class="forum-widget-link {{if $forum.selected}}forum-selected{{/if}}" id="forum-widget-link-{{$forum.id}}" href="{{$forum.url}}" >{{$forum.name|escape}}</a>
 		</li>
 		{{/if}}
 		{{/foreach}}

From 56f21a4b89cef0c4c691096fe294abf356f1cfa9 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 19:26:46 +0000
Subject: [PATCH 2/7] Some more escaping

---
 mod/dirfind.php                                | 2 +-
 view/templates/contact_template.tpl            | 4 ++--
 view/theme/frio/templates/contact_template.tpl | 2 +-
 view/theme/frio/templates/mail_list.tpl        | 2 +-
 view/theme/frio/templates/wall_thread.tpl      | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/mod/dirfind.php b/mod/dirfind.php
index 2609760e9..7f1a6691f 100644
--- a/mod/dirfind.php
+++ b/mod/dirfind.php
@@ -235,7 +235,7 @@ function dirfind_content(App $a, $prefix = "") {
 					'alt_text' => $alt_text,
 					'url' => Model\Contact::magicLink($jj->url),
 					'itemurl' => $itemurl,
-					'name' => htmlentities($jj->name),
+					'name' => $jj->name,
 					'thumb' => ProxyUtils::proxifyUrl($jj->photo, false, ProxyUtils::SIZE_THUMB),
 					'img_hover' => $jj->tags,
 					'conntxt' => $conntxt,
diff --git a/view/templates/contact_template.tpl b/view/templates/contact_template.tpl
index 06918533c..6845c6256 100644
--- a/view/templates/contact_template.tpl
+++ b/view/templates/contact_template.tpl
@@ -5,7 +5,7 @@
 		onmouseover="if (typeof t{{$contact.id}} != 'undefined') clearTimeout(t{{$contact.id}}); openMenu('contact-photo-menu-button-{{$contact.id}}')" 
 		onmouseout="t{{$contact.id}}=setTimeout('closeMenu(\'contact-photo-menu-button-{{$contact.id}}\'); closeMenu(\'contact-photo-menu-{{$contact.id}}\');',200)" >
 
-			<a href="{{$contact.url}}" title="{{$contact.img_hover}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name}}" /></a>
+			<a href="{{$contact.url}}" title="{{$contact.img_hover|escape}}" /><img src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" /></a>
 
 			{{if $multiselect}}
 			<input type="checkbox" class="contact-select" name="contact_batch[]" value="{{$contact.id}}">
@@ -31,7 +31,7 @@
 
 	<div class="contact-entry-desc">
 		<div class="contact-entry-name" id="contact-entry-name-{{$contact.id}}" >
-			{{$contact.name}}
+			{{$contact.name|escape}}
 			{{if $contact.account_type}} <span class="contact-entry-details" id="contact-entry-accounttype-{{$contact.id}}">({{$contact.account_type}})</span>{{/if}}
 		</div>
 		{{if $contact.alt_text}}<div class="contact-entry-details" id="contact-entry-rel-{{$contact.id}}" >{{$contact.alt_text}}</div>{{/if}}
diff --git a/view/theme/frio/templates/contact_template.tpl b/view/theme/frio/templates/contact_template.tpl
index 4f07ad2b1..1b56a6b62 100644
--- a/view/theme/frio/templates/contact_template.tpl
+++ b/view/theme/frio/templates/contact_template.tpl
@@ -220,7 +220,7 @@ We use this part to filter the contacts with jquery.textcomplete *}}
 			{{* The contact description (e.g. Name, Network, kind of connection and so on *}}
 			<div class="contact-entry-desc">
 				<div class="contact-entry-name" id="contact-entry-name-{$id}">
-					<h4 class="media-heading"><a href="{$url}">{$name}</a>
+					<h4 class="media-heading"><a href="{$url}">{$name|escape}</a>
 					{if $account_type} <small class="contact-entry-details" id="contact-entry-accounttype-{$id}">({$account_type})</small>{/if}
 					{if $account_type == 'Forum'}<i class="fa fa-comments-o" aria-hidden="true"></i>{/if}
 					{{* @todo this needs some changing in core because $contact.account_type contains a translated string which may notbe the same in every language *}}
diff --git a/view/theme/frio/templates/mail_list.tpl b/view/theme/frio/templates/mail_list.tpl
index 225fd71c1..e6a024f11 100644
--- a/view/theme/frio/templates/mail_list.tpl
+++ b/view/theme/frio/templates/mail_list.tpl
@@ -11,7 +11,7 @@
 			<div class="media-body">
 				<div class="text-muted time ago pull-right" title="{{$date}}">{{$ago}}</div>
 
-				<h4 class="media-heading">{{$from_name}}</h4>
+				<h4 class="media-heading">{{$from_name|escape}}</h4>
 				<div class="mail-list-subject"><a href="message/{{$id}}">{{$subject}}</a></div>
 				<a href="message/dropconv/{{$id}}" onclick="return confirmDelete();"  title="{{$delete}}" class="pull-right" onmouseover="imgbright(this);" onmouseout="imgdull(this);">
 				<i class="faded-icon fa fa-trash"></i>
diff --git a/view/theme/frio/templates/wall_thread.tpl b/view/theme/frio/templates/wall_thread.tpl
index 961c241a1..f90b2f72a 100644
--- a/view/theme/frio/templates/wall_thread.tpl
+++ b/view/theme/frio/templates/wall_thread.tpl
@@ -252,7 +252,7 @@ as the value of $top_child_total (this is done at the end of this file)
 			{{/if}}
 
 			{{if $item.title}}
-			<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title}}</a></h4><br /></span>
+			<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title|escape}}</a></h4><br /></span>
 			{{/if}}
 
 			<div class="wall-item-body e-content {{if !$item.title}}p-name{{/if}}" id="wall-item-body-{{$item.id}}">{{$item.body}}</div>

From 4ce320fc791f2ad4d848c45098214df92536ccde Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 19:48:26 +0000
Subject: [PATCH 3/7] Contact search is now escaped

---
 mod/acl.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/mod/acl.php b/mod/acl.php
index cb378dc27..86eafe290 100644
--- a/mod/acl.php
+++ b/mod/acl.php
@@ -127,7 +127,7 @@ function acl_content(App $a)
 			$groups[] = [
 				'type'  => 'g',
 				'photo' => 'images/twopeople.png',
-				'name'  => htmlentities($g['name']),
+				'name'  => htmlspecialchars($g['name']),
 				'id'    => intval($g['id']),
 				'uids'  => array_map('intval', explode(',', $g['uids'])),
 				'link'  => '',
@@ -198,7 +198,7 @@ function acl_content(App $a)
 		foreach ($r as $g) {
 			$contacts[] = [
 				'photo'   => ProxyUtils::proxifyUrl($g['photo'], false, ProxyUtils::SIZE_MICRO),
-				'name'    => $g['name'],
+				'name'    => htmlspecialchars($g['name']),
 				'nick'    => defaults($g, 'addr', $g['url']),
 				'network' => $g['network'],
 				'link'    => $g['url'],
@@ -220,7 +220,7 @@ function acl_content(App $a)
 			$entry = [
 				'type'    => 'c',
 				'photo'   => ProxyUtils::proxifyUrl($g['micro'], false, ProxyUtils::SIZE_MICRO),
-				'name'    => htmlentities($g['name']),
+				'name'    => htmlspecialchars($g['name']),
 				'id'      => intval($g['id']),
 				'network' => $g['network'],
 				'link'    => $g['url'],
@@ -281,7 +281,7 @@ function acl_content(App $a)
 				$unknown_contacts[] = [
 					'type'    => 'c',
 					'photo'   => ProxyUtils::proxifyUrl($contact['micro'], false, ProxyUtils::SIZE_MICRO),
-					'name'    => htmlentities($contact['name']),
+					'name'    => htmlspecialchars($contact['name']),
 					'id'      => intval($contact['cid']),
 					'network' => $contact['network'],
 					'link'    => $contact['url'],

From 7381540039985b4046b4adac018263304111243e Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 20:04:01 +0000
Subject: [PATCH 4/7] Escaping the address field

---
 view/templates/admin/contactblock.tpl               | 4 ++--
 view/templates/hovercard.tpl                        | 2 +-
 view/templates/profile_vcard.tpl                    | 2 +-
 view/templates/remote_friends_common.tpl            | 4 ++--
 view/templates/search_item.tpl                      | 4 ++--
 view/templates/wall_thread.tpl                      | 2 +-
 view/theme/duepuntozero/templates/profile_vcard.tpl | 2 +-
 view/theme/quattro/templates/profile_vcard.tpl      | 2 +-
 view/theme/smoothly/templates/search_item.tpl       | 4 ++--
 view/theme/smoothly/templates/wall_thread.tpl       | 6 +++---
 view/theme/vier/templates/profile_vcard.tpl         | 2 +-
 11 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/view/templates/admin/contactblock.tpl b/view/templates/admin/contactblock.tpl
index c9bfc2efd..e3dfb52a1 100644
--- a/view/templates/admin/contactblock.tpl
+++ b/view/templates/admin/contactblock.tpl
@@ -33,8 +33,8 @@
 				<tr>
 					<td class="checkbox"><input type="checkbox" class="contacts_ckbx" id="id_contact_{{$contact.id}}" name="contacts[]" value="{{$contact.id}}"/></td>
 					<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname|escape}}" title="{{$contact.nickname|escape}}"></td>
-					<td class="name">{{$contact.name}}</td>
-					<td class="addr">{{$contact.addr}}</td>
+					<td class="name">{{$contact.name|escaped}}</td>
+					<td class="addr">{{$contact.addr|escaped}}</td>
 					<td class="addr"><a href="{{$contact.url}}" title="{{$contact.nickname|escape}}" >{{$contact.url}}</a></td>
 				</tr>
 				{{/foreach}}
diff --git a/view/templates/hovercard.tpl b/view/templates/hovercard.tpl
index 74f270005..5487a4cd0 100644
--- a/view/templates/hovercard.tpl
+++ b/view/templates/hovercard.tpl
@@ -11,7 +11,7 @@
 					<h4 class="left-align1"><a href="{{$profile.url}}">{{$profile.name|escape}}</a></h4>{{if $profile.account_type}}<span>{{$profile.account_type}}</span>{{/if}}
 				</div>
 				<div class="profile-details">
-					<span class="profile-addr">{{$profile.addr}}</span>
+					<span class="profile-addr">{{$profile.addr|escaped}}</span>
 					{{if $profile.network}}<span class="profile-network"> ({{$profile.network}})</span>{{/if}}
 				</div>
 				{{*{{if $profile.about}}<div class="profile-details profile-about">{{$profile.about}}</div>{{/if}}*}}
diff --git a/view/templates/profile_vcard.tpl b/view/templates/profile_vcard.tpl
index 6f8e86b29..fb7875641 100644
--- a/view/templates/profile_vcard.tpl
+++ b/view/templates/profile_vcard.tpl
@@ -3,7 +3,7 @@
 
 	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 
diff --git a/view/templates/remote_friends_common.tpl b/view/templates/remote_friends_common.tpl
index 354c8e46a..f018727c0 100644
--- a/view/templates/remote_friends_common.tpl
+++ b/view/templates/remote_friends_common.tpl
@@ -6,12 +6,12 @@
 	<div class="profile-match-wrapper">
 		<div class="profile-match-photo">
 			<a href="{{$item.url}}">
-				<img src="{{$item.photo}}" width="80" height="80" alt="{{$item.name}}" title="{{$item.name}}" />
+				<img src="{{$item.photo}}" width="80" height="80" alt="{{$item.name|escaped}}" title="{{$item.name|escaped}}" />
 			</a>
 		</div>
 		<div class="profile-match-break"></div>
 		<div class="profile-match-name">
-			<a href="{{$item.url}}" title="{{$item.name}}">{{$item.name}}</a>
+			<a href="{{$item.url}}" title="{{$item.name|escaped}}">{{$item.name|escaped}}</a>
 		</div>
 		<div class="profile-match-end"></div>
 	</div>
diff --git a/view/templates/search_item.tpl b/view/templates/search_item.tpl
index fbcf770f1..462624957 100644
--- a/view/templates/search_item.tpl
+++ b/view/templates/search_item.tpl
@@ -7,7 +7,7 @@
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
 					<ul>
@@ -23,7 +23,7 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name}}</span></a>
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}">{{$item.ago}}</div>
 				
 		</div>			
diff --git a/view/templates/wall_thread.tpl b/view/templates/wall_thread.tpl
index 63a8364f8..113a93e8c 100644
--- a/view/templates/wall_thread.tpl
+++ b/view/templates/wall_thread.tpl
@@ -44,7 +44,7 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name}}</span></a>{{if $item.owner_url}} {{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name}}</span></a> {{$item.vwall}}{{/if}}<br />
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>{{if $item.owner_url}} {{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escaped}}</span></a> {{$item.vwall}}{{/if}}<br />
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime|escape:'html'}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
diff --git a/view/theme/duepuntozero/templates/profile_vcard.tpl b/view/theme/duepuntozero/templates/profile_vcard.tpl
index 505cf560e..311132b81 100644
--- a/view/theme/duepuntozero/templates/profile_vcard.tpl
+++ b/view/theme/duepuntozero/templates/profile_vcard.tpl
@@ -3,7 +3,7 @@
 
 	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></div>
diff --git a/view/theme/quattro/templates/profile_vcard.tpl b/view/theme/quattro/templates/profile_vcard.tpl
index f999f1f57..e62da464d 100644
--- a/view/theme/quattro/templates/profile_vcard.tpl
+++ b/view/theme/quattro/templates/profile_vcard.tpl
@@ -26,7 +26,7 @@
 		{{/if}}
 	</div>
 
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
 
 	{{if $pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}" /></div>
diff --git a/view/theme/smoothly/templates/search_item.tpl b/view/theme/smoothly/templates/search_item.tpl
index d441ebe2d..35820088b 100644
--- a/view/theme/smoothly/templates/search_item.tpl
+++ b/view/theme/smoothly/templates/search_item.tpl
@@ -6,7 +6,7 @@
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
 					<ul>
@@ -34,7 +34,7 @@
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}">{{$item.ago}}</div>
 				
 		</div>			
diff --git a/view/theme/smoothly/templates/wall_thread.tpl b/view/theme/smoothly/templates/wall_thread.tpl
index 5aaa9c4eb..f4c4154a0 100644
--- a/view/theme/smoothly/templates/wall_thread.tpl
+++ b/view/theme/smoothly/templates/wall_thread.tpl
@@ -15,7 +15,7 @@
 			{{if $item.owner_url}}
 			<div class="wall-item-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
 				<a href="{{$item.owner_url}}" title="{{$item.olinktitle}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name}}" /></a>
+				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escaped}}" /></a>
 			</div>
 			<div class="wall-item-arrowphoto-wrapper" ><img src="view/theme/smoothly/images/larrow.gif" alt="{{$item.wall}}" /></div>
 			{{/if}}
@@ -23,7 +23,7 @@
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
                 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
                 <div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
                     <ul>
@@ -47,7 +47,7 @@
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
 		<div class="wall-item-author">
 			<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link">
-			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name}}</span>
+			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span>
 			</a>
 			<div class="wall-item-ago">&bull;</div>
 			<div class="wall-item-ago" id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
diff --git a/view/theme/vier/templates/profile_vcard.tpl b/view/theme/vier/templates/profile_vcard.tpl
index 6ba3119ca..1733969aa 100644
--- a/view/theme/vier/templates/profile_vcard.tpl
+++ b/view/theme/vier/templates/profile_vcard.tpl
@@ -13,7 +13,7 @@
 		{{/if}}
 	</div>
 
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
 
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 

From 6075245b840a28e8c2d8976ddd624e59d3d2a81f Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 20:34:02 +0000
Subject: [PATCH 5/7] Much more escapes

---
 view/templates/admin/site.tpl                  |  6 +++---
 view/templates/birthdays_reminder.tpl          |  4 ++--
 view/templates/event_stream_item.tpl           |  6 +++---
 view/templates/events_reminder.tpl             |  4 ++--
 view/templates/files.tpl                       |  4 ++--
 view/templates/photo_album.tpl                 |  4 ++--
 view/templates/photo_top.tpl                   |  8 +++-----
 view/templates/photo_view.tpl                  |  2 +-
 view/templates/search_item.tpl                 |  8 ++++----
 view/templates/settings/display.tpl            |  2 +-
 view/templates/wall_thread.tpl                 |  2 +-
 view/theme/frio/templates/admin/site.tpl       |  6 +++---
 view/theme/frio/templates/photo_top.tpl        |  2 +-
 view/theme/frio/templates/photo_view.tpl       | 10 +++++-----
 view/theme/frio/templates/search_item.tpl      |  4 ++--
 view/theme/frio/templates/settings/display.tpl |  2 +-
 view/theme/frio/templates/theme_settings.tpl   |  2 +-
 view/theme/frio/templates/wall_thread.tpl      |  2 +-
 view/theme/quattro/templates/photo_item.tpl    |  4 ++--
 view/theme/quattro/templates/photo_view.tpl    |  2 +-
 view/theme/quattro/templates/search_item.tpl   |  4 ++--
 view/theme/quattro/templates/wall_thread.tpl   | 12 ++++++------
 view/theme/smoothly/templates/search_item.tpl  |  8 ++++----
 view/theme/smoothly/templates/wall_thread.tpl  | 10 +++++-----
 view/theme/vier/templates/communityhome.tpl    |  6 +++---
 view/theme/vier/templates/wall_thread.tpl      |  4 ++--
 26 files changed, 63 insertions(+), 65 deletions(-)

diff --git a/view/templates/admin/site.tpl b/view/templates/admin/site.tpl
index bf1d215ec..34b1e3b1b 100644
--- a/view/templates/admin/site.tpl
+++ b/view/templates/admin/site.tpl
@@ -39,7 +39,7 @@
 	});
 </script>
 <div id='adminpage'>
-	<h1>{{$title}} - {{$page}}</h1>
+	<h1>{{$title|escape}} - {{$page|escape}}</h1>
 
 	<form action="{{$baseurl}}/admin/site" method="post">
     <input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
@@ -145,7 +145,7 @@
 	{{include file="field_input.tpl" field=$dbclean_expire_conv}}
 	<div class="submit"><input type="submit" name="page_site" value="{{$submit|escape:'html'}}" /></div>
 
-	<h3>{{$worker_title}}</h3>
+	<h3>{{$worker_title|escape}}</h3>
 	{{include file="field_input.tpl" field=$maxloadavg}}
 	{{include file="field_input.tpl" field=$min_memory}}
 	{{include file="field_input.tpl" field=$worker_queues}}
@@ -155,7 +155,7 @@
 
 	<div class="submit"><input type="submit" name="page_site" value="{{$submit|escape:'html'}}" /></div>
 
-	<h3>{{$relay_title}}</h3>
+	<h3>{{$relay_title|escape}}</h3>
 	{{include file="field_checkbox.tpl" field=$relay_subscribe}}
 	{{include file="field_input.tpl" field=$relay_server}}
 	{{include file="field_checkbox.tpl" field=$relay_directly}}
diff --git a/view/templates/birthdays_reminder.tpl b/view/templates/birthdays_reminder.tpl
index 6aa51d470..9261ff8d3 100644
--- a/view/templates/birthdays_reminder.tpl
+++ b/view/templates/birthdays_reminder.tpl
@@ -1,10 +1,10 @@
 
 {{if $count}}
 <div id="birthday-notice" class="birthday-notice fakelink {{$classtoday}}" onclick="openClose('birthday-wrapper');">{{$event_reminders}} ({{$count}})</div>
-<div id="birthday-wrapper" style="display: none;" ><div id="birthday-title">{{$event_title}}</div>
+<div id="birthday-wrapper" style="display: none;" ><div id="birthday-title">{{$event_title|escape}}</div>
 <div id="birthday-title-end"></div>
 {{foreach $events as $event}}
-<div class="birthday-list" id="birthday-{{$event.id}}"> <a href="{{$event.link}}">{{$event.title}}</a> {{$event.date}} </div>
+<div class="birthday-list" id="birthday-{{$event.id}}"> <a href="{{$event.link}}">{{$event.title|escape}}</a> {{$event.date}} </div>
 {{/foreach}}
 </div>
 {{/if}}
diff --git a/view/templates/event_stream_item.tpl b/view/templates/event_stream_item.tpl
index 15975c5d5..af9a55494 100644
--- a/view/templates/event_stream_item.tpl
+++ b/view/templates/event_stream_item.tpl
@@ -1,16 +1,16 @@
 
 <div class="vevent">
-	<div class="summary event-summary">{{$title}}</div>
+	<div class="summary event-summary">{{$title|escape}}</div>
 
 	<div class="event-start">
 		<span class="event-label">{{$dtstart_label}}</span>&nbsp;
-		<span class="dtstart" title="{{$dtstart_title}}">{{$dtstart_dt}}</span>
+		<span class="dtstart" title="{{$dtstart_title|escape}}">{{$dtstart_dt}}</span>
 	</div>
 
 	{{if $finish}}
 	<div class="event-end">
 		<span class="event-label">{{$dtend_label}}</span>&nbsp;
-		<span class="dtend" title="{{$dtend_title}}">{{$dtend_dt}}</span>
+		<span class="dtend" title="{{$dtend_title|escape}}">{{$dtend_dt}}</span>
 	</div>
 	{{/if}}
 
diff --git a/view/templates/events_reminder.tpl b/view/templates/events_reminder.tpl
index 2fcb1908d..08278954c 100644
--- a/view/templates/events_reminder.tpl
+++ b/view/templates/events_reminder.tpl
@@ -1,10 +1,10 @@
 
 {{if $count}}
 <div id="event-notice" class="birthday-notice fakelink {{$classtoday}}" onclick="openClose('event-wrapper');">{{$event_reminders}} ({{$count}})</div>
-<div id="event-wrapper" style="display: none;" ><div id="event-title">{{$event_title}}</div>
+<div id="event-wrapper" style="display: none;" ><div id="event-title">{{$event_title|escape}}</div>
 <div id="event-title-end"></div>
 {{foreach $events as $event}}
-<div class="event-list" id="event-{{$event.id}}"> <a class="ajax-popupbox" href="events/?id={{$event.id}}">{{$event.title}}</a> - {{$event.date}} </div>
+<div class="event-list" id="event-{{$event.id}}"> <a class="ajax-popupbox" href="events/?id={{$event.id}}">{{$event.title|escape}}</a> - {{$event.date}} </div>
 {{/foreach}}
 </div>
 {{/if}}
diff --git a/view/templates/files.tpl b/view/templates/files.tpl
index a2a337bd7..b622bb3e1 100644
--- a/view/templates/files.tpl
+++ b/view/templates/files.tpl
@@ -1,4 +1,4 @@
 {{foreach $items as $item }}
-<p>{{$item.title}}  ({{$item.mime}}) ({{$item.filename}})</p>
+<p>{{$item.title|escape}}  ({{$item.mime|escape}}) ({{$item.filename|escape}})</p>
 {{/foreach}}
-{{include "paginate.tpl"}}
\ No newline at end of file
+{{include "paginate.tpl"}}
diff --git a/view/templates/photo_album.tpl b/view/templates/photo_album.tpl
index d3e7ca487..08df8f756 100644
--- a/view/templates/photo_album.tpl
+++ b/view/templates/photo_album.tpl
@@ -10,8 +10,8 @@
 
 {{foreach $photos as $photo}}
 <div class="photo-album-image-wrapper" id="photo-album-image-wrapper-{{$photo.id}}">
-	<a href="{{$photo.link}}" class="photo-album-photo-link" id="photo-album-photo-link-{{$photo.id}}" title="{{$photo.title}}">
-		<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name}}{{elseif $photo.desc}}{{$photo.desc}}{{elseif $photo.alt}}{{$photo.alt}}{{else}}{{$photo.unknown}}{{/if}}" title="{{$photo.title}}" class="photo-album-photo lframe resize{{$photo.twist}}" id="photo-album-photo-{{$photo.id}}" />
+	<a href="{{$photo.link}}" class="photo-album-photo-link" id="photo-album-photo-link-{{$photo.id}}" title="{{$photo.title|escape}}">
+		<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name|escape}}{{elseif $photo.desc}}{{$photo.desc}}{{elseif $photo.alt}}{{$photo.alt|escape}}{{else}}{{$photo.unknown}}{{/if}}" title="{{$photo.title|escape}}" class="photo-album-photo lframe resize{{$photo.twist}}" id="photo-album-photo-{{$photo.id}}" />
 		<p class='caption'>{{$photo.desc}}</p>		
 	</a>
 </div>
diff --git a/view/templates/photo_top.tpl b/view/templates/photo_top.tpl
index b5fc51a23..0dd8c4e99 100644
--- a/view/templates/photo_top.tpl
+++ b/view/templates/photo_top.tpl
@@ -1,9 +1,7 @@
-
-
 <div class="photo-top-image-wrapper lframe" id="photo-top-image-wrapper-{{$photo.id}}">
-	<a href="{{$photo.link}}" class="photo-top-photo-link" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title}}">
-		<img src="{{$photo.src}}" alt="{{$photo.alt}}" title="{{$photo.title}}" class="photo-top-photo{{$photo.twist}}" id="photo-top-photo-{{$photo.id}}" />
+	<a href="{{$photo.link}}" class="photo-top-photo-link" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title|escape}}">
+		<img src="{{$photo.src}}" alt="{{$photo.alt|escape}}" title="{{$photo.title|escape}}" class="photo-top-photo{{$photo.twist}}" id="photo-top-photo-{{$photo.id}}" />
 	</a>
-	<div class="photo-top-album-name"><a href="{{$photo.album.link}}" class="photo-top-album-link" title="{{$photo.album.alt}}" >{{$photo.album.name}}</a></div>
+	<div class="photo-top-album-name"><a href="{{$photo.album.link}}" class="photo-top-album-link" title="{{$photo.album.alt|escape}}" >{{$photo.album.name|escape}}</a></div>
 </div>
 
diff --git a/view/templates/photo_view.tpl b/view/templates/photo_view.tpl
index b85a1c2f5..8fa3de61d 100644
--- a/view/templates/photo_view.tpl
+++ b/view/templates/photo_view.tpl
@@ -12,7 +12,7 @@
 </div>
 
 {{if $prevlink}}<div id="photo-prev-link"><a href="{{$prevlink.0}}">{{$prevlink.1}}</a></div>{{/if}}
-<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" /></a></div>
+<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" /></a></div>
 {{if $nextlink}}<div id="photo-next-link"><a href="{{$nextlink.0}}">{{$nextlink.1}}</a></div>{{/if}}
 <div id="photo-photo-end"></div>
 <div id="photo-caption">{{$desc}}</div>
diff --git a/view/templates/search_item.tpl b/view/templates/search_item.tpl
index 462624957..c004fe74c 100644
--- a/view/templates/search_item.tpl
+++ b/view/templates/search_item.tpl
@@ -6,7 +6,7 @@
 			<div class="wall-item-photo-wrapper" id="wall-item-photo-wrapper-{{$item.id}}" 
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
 				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
@@ -23,12 +23,12 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}">{{$item.ago}}</div>
 				
 		</div>			
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
-			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 			{{if $item.has_cats}}
@@ -54,7 +54,7 @@
 
 	<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
 	{{if $item.conv}}
-			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'>{{$item.conv.title}}</a>
+			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'>{{$item.conv.title|escape}}</a>
 	{{/if}}
 	</div>
 
diff --git a/view/templates/settings/display.tpl b/view/templates/settings/display.tpl
index ff3e4fba6..e1a012380 100644
--- a/view/templates/settings/display.tpl
+++ b/view/templates/settings/display.tpl
@@ -21,7 +21,7 @@
 {{include file="field_checkbox.tpl" field=$infinite_scroll}}
 {{include file="field_checkbox.tpl" field=$bandwidth_saver}}
 {{include file="field_checkbox.tpl" field=$smart_threading}}
-<h2>{{$calendar_title}}</h2>
+<h2>{{$calendar_title|escape}}</h2>
 {{include file="field_select.tpl" field=$first_day_of_week}}
 
 
diff --git a/view/templates/wall_thread.tpl b/view/templates/wall_thread.tpl
index 113a93e8c..6108b80c6 100644
--- a/view/templates/wall_thread.tpl
+++ b/view/templates/wall_thread.tpl
@@ -48,7 +48,7 @@
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime|escape:'html'}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
-			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" ><span class="e-content">{{$item.body}}<span>
 			<div class="body-tag">
diff --git a/view/theme/frio/templates/admin/site.tpl b/view/theme/frio/templates/admin/site.tpl
index 10afecb66..77ae1d532 100644
--- a/view/theme/frio/templates/admin/site.tpl
+++ b/view/theme/frio/templates/admin/site.tpl
@@ -54,7 +54,7 @@
 <link rel="stylesheet" href="view/theme/frio/css/mod_admin.css" type="text/css" media="screen"/>
 
 <div id='adminpage' class="adminpage generic-page-wrapper">
-	<h1>{{$title}} - {{$page}}</h1>
+	<h1>{{$title|escape}} - {{$page}}</h1>
 	<form action="{{$baseurl}}/admin/site" method="post">
 		<input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
 		<input type='hidden' name='active_panel' value=''>
@@ -293,7 +293,7 @@
 				<div class="section-subtitle-wrapper" role="tab" id="admin-settings-worker">
 					<h4>
 						<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#admin-settings" href="#admin-settings-worker-collapse" aria-expanded="false" aria-controls="admin-settings-worker-collapse">
-							{{$worker_title}}
+							{{$worker_title|escape}}
 						</a>
 					</h4>
 				</div>
@@ -319,7 +319,7 @@
 				<div class="section-subtitle-wrapper" role="tab" id="admin-relay-corporate">
 					<h4>
 						<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#admin-settings" href="#admin-settings-relay-collapse" aria-expanded="false" aria-controls="admin-settings-relay-collapse">
-							{{$relay_title}}
+							{{$relay_title|escape}}
 						</a>
 					</h4>
 				</div>
diff --git a/view/theme/frio/templates/photo_top.tpl b/view/theme/frio/templates/photo_top.tpl
index fed29937e..c64f9b89b 100644
--- a/view/theme/frio/templates/photo_top.tpl
+++ b/view/theme/frio/templates/photo_top.tpl
@@ -1,4 +1,4 @@
-<a href="{{$photo.link}}" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title}}">
+<a href="{{$photo.link}}" id="photo-top-photo-link-{{$photo.id}}" title="{{$photo.title|escape}}">
 	<img src="{{$photo.src}}" alt="{{if $photo.album.name}}{{$photo.album.name|escape}}{{elseif $photo.desc}}{{$photo.desc|escape}}{{elseif $photo.alt}}{{$photo.alt|escape}}{{else}}{{$photo.unknown|escape}}{{/if}}" title="{{$photo.title|escape}}" id="photo-top-photo-{{$photo.id}}" />
 </a>
 
diff --git a/view/theme/frio/templates/photo_view.tpl b/view/theme/frio/templates/photo_view.tpl
index f8d12e133..e540a03f9 100644
--- a/view/theme/frio/templates/photo_view.tpl
+++ b/view/theme/frio/templates/photo_view.tpl
@@ -5,24 +5,24 @@
 
 <div id="photo-view-{{$id}}" class="generic-page-wrapper">
 	<div class="pull-left" id="photo-edit-link-wrap">
-		<a class="page-action faded-icon" id="photo-album-link" href="{{$album.0}}" title="{{$album.1}}" data-toggle="tooltip">
+		<a class="page-action faded-icon" id="photo-album-link" href="{{$album.0}}" title="{{$album.1|escape}}" data-toggle="tooltip">
 			<i class="fa fa-folder-open"></i>&nbsp;{{$album.1}}
 		</a>
 	</div>
 	<div class="pull-right" id="photo-edit-link-wrap">
 		{{if $tools}}
 		<span class="icon-padding"> </span>
-		<a id="photo-edit-link" href="{{$tools.edit.0}}" title="{{$tools.edit.1}}" data-toggle="tooltip">
+		<a id="photo-edit-link" href="{{$tools.edit.0}}" title="{{$tools.edit.1|escape}}" data-toggle="tooltip">
 			<i class="page-action faded-icon fa fa-pencil"></i>
 		</a>
 		<span class="icon-padding"> </span>
-		<a id="photo-toprofile-link" href="{{$tools.profile.0}}" title="{{$tools.profile.1}}" data-toggle="tooltip">
+		<a id="photo-toprofile-link" href="{{$tools.profile.0}}" title="{{$tools.profile.1|escape}}" data-toggle="tooltip">
 			<i class="page-action faded-icon fa fa-user"></i>
 		</a>
 		{{/if}}
 		{{if $lock}}
 		<span class="icon-padding"> </span>
-		<a id="photo-lock-link" onclick="lockview(event,'photo/{{$id}}');" title="{{$lock}}" data-toggle="tooltip">
+		<a id="photo-lock-link" onclick="lockview(event,'photo/{{$id}}');" title="{{$lock|escape}}" data-toggle="tooltip">
 			<i class="page-action faded-icon fa fa-lock"></i>
 		</a>
 		{{/if}}
@@ -33,7 +33,7 @@
 		<div id="photo-photo">
 			{{* The photo *}}
 			<div class="photo-container">
-				<a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" alt="{{$photo.filename|escape}}"/></a>
+				<a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" alt="{{$photo.filename|escape}}"/></a>
 			</div>
 
 			{{* Overlay buttons for previous and next photo *}}
diff --git a/view/theme/frio/templates/search_item.tpl b/view/theme/frio/templates/search_item.tpl
index 88a0d2a0e..f31b7b7a4 100644
--- a/view/theme/frio/templates/search_item.tpl
+++ b/view/theme/frio/templates/search_item.tpl
@@ -52,7 +52,7 @@
 
 						{{if $item.subthread}}
 						<li role="menuitem">
-							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title}}</button>
+							<button type="button" id="subthread-{{$item.id}}" onclick="{{$item.subthread.action}}" class="btn-link" title="{{$item.subthread.title|escape}}"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{$item.subthread.title|escape}}</button>
 						</li>
 						{{/if}}
 
@@ -129,7 +129,7 @@
 				{{/if}}
 
 				{{if $item.title}}
-				<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}}">{{$item.title}}</a></h4><br /></span>
+				<span class="wall-item-title" id="wall-item-title-{{$item.id}}"><h4 class="media-heading"><a href="{{$item.plink.href}}" class="{{$item.sparkle}}">{{$item.title|escape}}</a></h4><br /></span>
 				{{/if}}
 
 				<div class="wall-item-body" id="wall-item-body-{{$item.id}}">{{$item.body}}</div>
diff --git a/view/theme/frio/templates/settings/display.tpl b/view/theme/frio/templates/settings/display.tpl
index cc36762dc..70307c440 100644
--- a/view/theme/frio/templates/settings/display.tpl
+++ b/view/theme/frio/templates/settings/display.tpl
@@ -89,7 +89,7 @@
 				<div class="section-subtitle-wrapper" role="tab" id="calendar-settings-title">
 					<h4>
 						<a class="accordion-toggle collapsed" data-toggle="collapse" data-parent="#settings" href="#calendar-settings-content" aria-expanded="false" aria-controls="calendar-settings-content">
-							{{$calendar_title}}
+							{{$calendar_title|escape}}
 						</a>
 					</h4>
 				</div>
diff --git a/view/theme/frio/templates/theme_settings.tpl b/view/theme/frio/templates/theme_settings.tpl
index 50a8934d1..9b8322a85 100644
--- a/view/theme/frio/templates/theme_settings.tpl
+++ b/view/theme/frio/templates/theme_settings.tpl
@@ -25,7 +25,7 @@
 {{if $background_image}}{{include file="field_fileinput.tpl" field=$background_image}}{{/if}}
 
 <div id="frio_bg_image_options" style="display: none;">
-	<label>{{$bg_image_options_title}}:</label>
+	<label>{{$bg_image_options_title|escape}}:</label>
 {{foreach $bg_image_options as $options}}
 	{{include file="field_radio.tpl" field=$options}}
 {{/foreach}}
diff --git a/view/theme/frio/templates/wall_thread.tpl b/view/theme/frio/templates/wall_thread.tpl
index f90b2f72a..77fdf8dae 100644
--- a/view/theme/frio/templates/wall_thread.tpl
+++ b/view/theme/frio/templates/wall_thread.tpl
@@ -91,7 +91,7 @@ as the value of $top_child_total (this is done at the end of this file)
 				<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="dropdownMenuTools-{{$item.id}}">
 					{{if $item.plink}}	{{*link to the original source of the item *}}
 					<li role="menuitem">
-						<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title}}</a>
+						<a title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}" class="navicon plink u-url"><i class="fa fa-external-link" aria-hidden="true"></i> {{$item.plink.title|escape}}</a>
 					</li>
 					{{/if}}
 
diff --git a/view/theme/quattro/templates/photo_item.tpl b/view/theme/quattro/templates/photo_item.tpl
index 6dfacdb78..e37a7242c 100644
--- a/view/theme/quattro/templates/photo_item.tpl
+++ b/view/theme/quattro/templates/photo_item.tpl
@@ -24,7 +24,7 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			{{if $plink}}<a class="icon s16 link" title="{{$plink.title}}" href="{{$plink.href}}">{{$plink.title}}</a>{{/if}}
+			{{if $plink}}<a class="icon s16 link" title="{{$plink.title|escape}}" href="{{$plink.href}}">{{$plink.title|escape}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
@@ -69,7 +69,7 @@
 		<div class="wall-item-dislike" id="wall-item-dislike-{{$id}}">{{$dislike}}</div>
 		{{if $conv}}
 		<div class="wall-item-conv" id="wall-item-conv-{{$id}}" >
-			<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title}}'>{{$conv.title}}</a>
+			<a href='{{$conv.href}}' id='context-{{$id}}' title='{{$conv.title|escape}}'>{{$conv.title|escape}}</a>
 		</div>
 		{{/if}}
 	</div>
diff --git a/view/theme/quattro/templates/photo_view.tpl b/view/theme/quattro/templates/photo_view.tpl
index f4a780a0a..f41fd9a96 100644
--- a/view/theme/quattro/templates/photo_view.tpl
+++ b/view/theme/quattro/templates/photo_view.tpl
@@ -10,7 +10,7 @@
 {{if $lock}} | <img src="images/lock_icon.gif" class="lockview" alt="{{$lock}}" onclick="lockview(event,'photo/{{$id}}');" /> {{/if}}
 </div>
 
-<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title}}"><img src="{{$photo.src}}" /></a></div>
+<div id="photo-photo"><a href="{{$photo.href}}" title="{{$photo.title|escape}}"><img src="{{$photo.src}}" /></a></div>
 {{if $prevlink}}<div id="photo-prev-link"><a href="{{$prevlink.0}}">{{$prevlink.1}}</a></div>{{/if}}
 {{if $nextlink}}<div id="photo-next-link"><a href="{{$nextlink.0}}">{{$nextlink.1}}</a></div>{{/if}}
 <div id="photo-caption">{{$desc}}</div>
diff --git a/view/theme/quattro/templates/search_item.tpl b/view/theme/quattro/templates/search_item.tpl
index 33bf5fbb8..8e7b9ee28 100644
--- a/view/theme/quattro/templates/search_item.tpl
+++ b/view/theme/quattro/templates/search_item.tpl
@@ -22,7 +22,7 @@
 			<div class="wall-item-location">{{$item.location}}</div>
 		</div>
 		<div class="wall-item-content">
-			{{if $item.title}}<h2><a href="{{$item.plink.href}}">{{$item.title}}</a></h2>{{/if}}
+			{{if $item.title}}<h2><a href="{{$item.plink.href}}">{{$item.title|escape}}</a></h2>{{/if}}
 			<div class="wall-item-body">{{$item.body}}</div>
 		</div>
 	</div>
@@ -39,7 +39,7 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="">
-			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
+			{{if $item.plink}}<a class="icon s16 link" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title|escape}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
diff --git a/view/theme/quattro/templates/wall_thread.tpl b/view/theme/quattro/templates/wall_thread.tpl
index 694557cca..cc6ab7d62 100644
--- a/view/theme/quattro/templates/wall_thread.tpl
+++ b/view/theme/quattro/templates/wall_thread.tpl
@@ -40,7 +40,7 @@
 			<div class="contact-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
 				onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="contact-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
 					<img src="{{$item.thumb}}" class="contact-photo {{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" alt="{{$item.name|escape}}" />
 				</a>
 				<a href="#" rel="#wall-item-photo-menu-{{$item.id}}" class="contact-photo-menu-button icon s16 menu" id="wall-item-photo-menu-button-{{$item.id}}">menu</a>
@@ -51,7 +51,7 @@
 			</div>
 			{{if $item.owner_url}}
 			<div class="contact-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
+				<a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="contact-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
 					<img src="{{$item.owner_photo}}" class="contact-photo {{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" alt="{{$item.owner_name|escape}}" />
 				</a>
 			</div>
@@ -59,7 +59,7 @@
 			<div class="wall-item-location">{{$item.location}}</div>
 		</div>
 		<div class="wall-item-content">
-			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title}}</a></h2>{{/if}}
+			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title|escape}}</a></h2>{{/if}}
 			<span class="wall-item-body e-content {{if !$item.title}}p-name{{/if}}">{{$item.body}}</span>
 		</div>
 	</div>
@@ -85,16 +85,16 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="wall-item-links">
-			{{if $item.plink}}<a class="icon s16 link{{$item.sparkle}} u-url" title="{{$item.plink.title}}" href="{{$item.plink.href}}">{{$item.plink.title}}</a>{{/if}}
+			{{if $item.plink}}<a class="icon s16 link{{$item.sparkle}} u-url" title="{{$item.plink.title|escape}}" href="{{$item.plink.href}}">{{$item.plink.title|escape}}</a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-author">
 				<a href="{{$item.profile_url}}" target="redir"
-                                title="{{$item.linktitle}}"
+                                title="{{$item.linktitle|escape}}"
                                 class="wall-item-name-link"><span
                                 class="wall-item-name{{$item.sparkle}}">{{$item.name|escape}}</span></a>
                                 <span class="wall-item-ago" title="{{$item.localtime}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></span>
-				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}
+				 {{if $item.owner_url}}<br/>{{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}
 				 {{/if}}
 			</div>
 
diff --git a/view/theme/smoothly/templates/search_item.tpl b/view/theme/smoothly/templates/search_item.tpl
index 35820088b..46cbff692 100644
--- a/view/theme/smoothly/templates/search_item.tpl
+++ b/view/theme/smoothly/templates/search_item.tpl
@@ -5,7 +5,7 @@
 			<div class="wall-item-photo-wrapper mframe" id="wall-item-photo-wrapper-{{$item.id}}" 
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
 				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
@@ -29,12 +29,12 @@
 			<div class="wall-item-delete-end"></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
-			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}">{{$item.ago}}</div>
 				
 		</div>			
@@ -45,7 +45,7 @@
 
 	<div class="wall-item-conv" id="wall-item-conv-{{$item.id}}" >
 	{{if $item.conv}}
-			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title}}'>{{$item.conv.title}}</a>
+			<a href='{{$item.conv.href}}' id='context-{{$item.id}}' title='{{$item.conv.title|escape}}'>{{$item.conv.title|escape}}</a>
 	{{/if}}
 	</div>
 	<div class="wall-item-wrapper-end"></div>
diff --git a/view/theme/smoothly/templates/wall_thread.tpl b/view/theme/smoothly/templates/wall_thread.tpl
index f4c4154a0..b62b077e2 100644
--- a/view/theme/smoothly/templates/wall_thread.tpl
+++ b/view/theme/smoothly/templates/wall_thread.tpl
@@ -14,7 +14,7 @@
 		<div class="wall-item-info{{if $item.owner_url}} wallwall{{/if}}" id="wall-item-info-{{$item.id}}">
 			{{if $item.owner_url}}
 			<div class="wall-item-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
-				<a href="{{$item.owner_url}}" title="{{$item.olinktitle}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
+				<a href="{{$item.owner_url}}" title="{{$item.olinktitle|escape}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
 				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escaped}}" /></a>
 			</div>
 			<div class="wall-item-arrowphoto-wrapper" ><img src="view/theme/smoothly/images/larrow.gif" alt="{{$item.wall}}" /></div>
@@ -22,7 +22,7 @@
 			<div class="wall-item-photo-wrapper mframe{{if $item.owner_url}} wwfrom{{/if}} p-author h-card" id="wall-item-photo-wrapper-{{$item.id}}"
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
                 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
 				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
                 <div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
@@ -46,7 +46,7 @@
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
 		<div class="wall-item-author">
-			<a href="{{$item.profile_url}}" title="{{$item.linktitle}}" class="wall-item-name-link">
+			<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link">
 			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span>
 			</a>
 			<div class="wall-item-ago">&bull;</div>
@@ -56,7 +56,7 @@
 		<div>
 		<hr class="line-dots">
 		</div>
-			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title}}</div>
+			<div class="wall-item-title p-name" id="wall-item-title-{{$item.id}}">{{$item.title|escape}}</div>
 			<div class="wall-item-title-end"></div>
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" ><span class="e-content">{{$item.body}}</span>
 				<div class="body-tag">
@@ -99,7 +99,7 @@
 
 			{{if $item.plink}}
 			<div class="wall-item-links-wrapper">
-				<a href="{{$item.plink.href}}" title="{{$item.plink.title}}" target="external-link" class="icon remote-link u-url"></a>
+				<a href="{{$item.plink.href}}" title="{{$item.plink.title|escape}}" target="external-link" class="icon remote-link u-url"></a>
 			</div>
 			{{/if}}
 
diff --git a/view/theme/vier/templates/communityhome.tpl b/view/theme/vier/templates/communityhome.tpl
index b32b63804..94e2312d0 100644
--- a/view/theme/vier/templates/communityhome.tpl
+++ b/view/theme/vier/templates/communityhome.tpl
@@ -6,7 +6,7 @@
 
 {{if $comunity_profiles_title}}
 <div id="right_profiles" class="widget">
-<h3>{{$comunity_profiles_title}}</h3>
+<h3>{{$comunity_profiles_title|escape}}</h3>
 <div id='lastusers-wrapper' class='items-wrapper'>
 {{foreach $comunity_profiles_items as $i}}
 	{{$i}}
@@ -44,7 +44,7 @@
 
 {{if $lastusers_title}}
 <div id="right_lastusers" class="widget">
-<h3>{{$lastusers_title}}</h3>
+<h3>{{$lastusers_title|escape}}</h3>
 <div id='lastusers-wrapper' class='items-wrapper'>
 {{foreach $lastusers_items as $i}}
 	{{$i}}
@@ -55,7 +55,7 @@
 {{/if}}
 
 {{if $activeusers_title}}
-<h3>{{$activeusers_title}}</h3>
+<h3>{{$activeusers_title|escape}}</h3>
 <div class='items-wrapper'>
 {{foreach $activeusers_items as $i}}
 	{{$i}}
diff --git a/view/theme/vier/templates/wall_thread.tpl b/view/theme/vier/templates/wall_thread.tpl
index 57ca699e3..d99061798 100644
--- a/view/theme/vier/templates/wall_thread.tpl
+++ b/view/theme/vier/templates/wall_thread.tpl
@@ -65,7 +65,7 @@
 		</div>
 
 		<div itemprop="description" class="wall-item-content">
-			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title}}</a></h2>{{/if}}
+			{{if $item.title}}<h2><a href="{{$item.plink.href}}" class="{{$item.sparkle}} p-name">{{$item.title|escape}}</a></h2>{{/if}}
 			<span class="wall-item-body e-content {{if !$item.title}}p-name{{/if}}">{{$item.body}}</span>
 		</div>
 	</div>
@@ -91,7 +91,7 @@
 	</div>
 	<div class="wall-item-bottom">
 		<div class="wall-item-links">
-			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title|escape}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title}}</span></i></a>{{/if}}
+			{{if $item.plink}}<a role="button" title="{{$item.plink.orig_title|escape}}" href="{{$item.plink.orig}}"><i class="icon-link icon-large"><span class="sr-only">{{$item.plink.orig_title|escape}}</span></i></a>{{/if}}
 		</div>
 		<div class="wall-item-actions">
 			<div class="wall-item-actions-social">

From 73528fa279ad940ae6c9f39e0da0814498e5f92f Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 20:40:30 +0000
Subject: [PATCH 6/7] Some correction

---
 view/templates/admin/contactblock.tpl               | 4 ++--
 view/templates/hovercard.tpl                        | 2 +-
 view/templates/profile_vcard.tpl                    | 2 +-
 view/templates/remote_friends_common.tpl            | 4 ++--
 view/templates/search_item.tpl                      | 4 ++--
 view/templates/wall_thread.tpl                      | 2 +-
 view/theme/duepuntozero/templates/profile_vcard.tpl | 2 +-
 view/theme/quattro/templates/profile_vcard.tpl      | 2 +-
 view/theme/smoothly/templates/search_item.tpl       | 4 ++--
 view/theme/smoothly/templates/wall_thread.tpl       | 6 +++---
 view/theme/vier/templates/profile_vcard.tpl         | 2 +-
 11 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/view/templates/admin/contactblock.tpl b/view/templates/admin/contactblock.tpl
index e3dfb52a1..3afeb5355 100644
--- a/view/templates/admin/contactblock.tpl
+++ b/view/templates/admin/contactblock.tpl
@@ -33,8 +33,8 @@
 				<tr>
 					<td class="checkbox"><input type="checkbox" class="contacts_ckbx" id="id_contact_{{$contact.id}}" name="contacts[]" value="{{$contact.id}}"/></td>
 					<td><img class="icon" src="{{$contact.micro}}" alt="{{$contact.nickname|escape}}" title="{{$contact.nickname|escape}}"></td>
-					<td class="name">{{$contact.name|escaped}}</td>
-					<td class="addr">{{$contact.addr|escaped}}</td>
+					<td class="name">{{$contact.name|escape}}</td>
+					<td class="addr">{{$contact.addr|escape}}</td>
 					<td class="addr"><a href="{{$contact.url}}" title="{{$contact.nickname|escape}}" >{{$contact.url}}</a></td>
 				</tr>
 				{{/foreach}}
diff --git a/view/templates/hovercard.tpl b/view/templates/hovercard.tpl
index 5487a4cd0..ec87591b9 100644
--- a/view/templates/hovercard.tpl
+++ b/view/templates/hovercard.tpl
@@ -11,7 +11,7 @@
 					<h4 class="left-align1"><a href="{{$profile.url}}">{{$profile.name|escape}}</a></h4>{{if $profile.account_type}}<span>{{$profile.account_type}}</span>{{/if}}
 				</div>
 				<div class="profile-details">
-					<span class="profile-addr">{{$profile.addr|escaped}}</span>
+					<span class="profile-addr">{{$profile.addr|escape}}</span>
 					{{if $profile.network}}<span class="profile-network"> ({{$profile.network}})</span>{{/if}}
 				</div>
 				{{*{{if $profile.about}}<div class="profile-details profile-about">{{$profile.about}}</div>{{/if}}*}}
diff --git a/view/templates/profile_vcard.tpl b/view/templates/profile_vcard.tpl
index fb7875641..14e1a0373 100644
--- a/view/templates/profile_vcard.tpl
+++ b/view/templates/profile_vcard.tpl
@@ -3,7 +3,7 @@
 
 	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 
diff --git a/view/templates/remote_friends_common.tpl b/view/templates/remote_friends_common.tpl
index f018727c0..f5f43360a 100644
--- a/view/templates/remote_friends_common.tpl
+++ b/view/templates/remote_friends_common.tpl
@@ -6,12 +6,12 @@
 	<div class="profile-match-wrapper">
 		<div class="profile-match-photo">
 			<a href="{{$item.url}}">
-				<img src="{{$item.photo}}" width="80" height="80" alt="{{$item.name|escaped}}" title="{{$item.name|escaped}}" />
+				<img src="{{$item.photo}}" width="80" height="80" alt="{{$item.name|escape}}" title="{{$item.name|escape}}" />
 			</a>
 		</div>
 		<div class="profile-match-break"></div>
 		<div class="profile-match-name">
-			<a href="{{$item.url}}" title="{{$item.name|escaped}}">{{$item.name|escaped}}</a>
+			<a href="{{$item.url}}" title="{{$item.name|escape}}">{{$item.name|escape}}</a>
 		</div>
 		<div class="profile-match-end"></div>
 	</div>
diff --git a/view/templates/search_item.tpl b/view/templates/search_item.tpl
index c004fe74c..a97574b7b 100644
--- a/view/templates/search_item.tpl
+++ b/view/templates/search_item.tpl
@@ -7,7 +7,7 @@
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escape}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
 					<ul>
@@ -23,7 +23,7 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escape}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}">{{$item.ago}}</div>
 				
 		</div>			
diff --git a/view/templates/wall_thread.tpl b/view/templates/wall_thread.tpl
index 6108b80c6..6f54d024d 100644
--- a/view/templates/wall_thread.tpl
+++ b/view/templates/wall_thread.tpl
@@ -44,7 +44,7 @@
 			</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>{{if $item.owner_url}} {{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escaped}}</span></a> {{$item.vwall}}{{/if}}<br />
+				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escape}}</span></a>{{if $item.owner_url}} {{$item.to}} <a href="{{$item.owner_url}}" target="redir" title="{{$item.olinktitle|escape:'html'}}" class="wall-item-name-link"><span class="wall-item-name{{$item.osparkle}}" id="wall-item-ownername-{{$item.id}}">{{$item.owner_name|escape}}</span></a> {{$item.vwall}}{{/if}}<br />
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}" title="{{$item.localtime|escape:'html'}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
 		</div>
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
diff --git a/view/theme/duepuntozero/templates/profile_vcard.tpl b/view/theme/duepuntozero/templates/profile_vcard.tpl
index 311132b81..31afc71fe 100644
--- a/view/theme/duepuntozero/templates/profile_vcard.tpl
+++ b/view/theme/duepuntozero/templates/profile_vcard.tpl
@@ -3,7 +3,7 @@
 
 	<div class="fn label p-name">{{$profile.name|escape}}</div>
 	
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 	
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}"></div>
diff --git a/view/theme/quattro/templates/profile_vcard.tpl b/view/theme/quattro/templates/profile_vcard.tpl
index e62da464d..a316f58aa 100644
--- a/view/theme/quattro/templates/profile_vcard.tpl
+++ b/view/theme/quattro/templates/profile_vcard.tpl
@@ -26,7 +26,7 @@
 		{{/if}}
 	</div>
 
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 
 	{{if $pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 	<div id="profile-photo-wrapper"><img class="photo u-photo" width="175" height="175" src="{{$profile.photo}}?rev={{$profile.picdate}}" alt="{{$profile.name|escape}}" /></div>
diff --git a/view/theme/smoothly/templates/search_item.tpl b/view/theme/smoothly/templates/search_item.tpl
index 46cbff692..2c9e62193 100644
--- a/view/theme/smoothly/templates/search_item.tpl
+++ b/view/theme/smoothly/templates/search_item.tpl
@@ -6,7 +6,7 @@
 				 onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')" 
 				 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" target="redir" title="{{$item.linktitle|escape}}" class="wall-item-photo-link" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}}" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escape}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
 				<div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
 					<ul>
@@ -34,7 +34,7 @@
 			<div class="wall-item-body" id="wall-item-body-{{$item.id}}" >{{$item.body}}</div>
 		</div>
 		<div class="wall-item-author">
-				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span></a>
+				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link"><span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escape}}</span></a>
 				<div class="wall-item-ago"  id="wall-item-ago-{{$item.id}}">{{$item.ago}}</div>
 				
 		</div>			
diff --git a/view/theme/smoothly/templates/wall_thread.tpl b/view/theme/smoothly/templates/wall_thread.tpl
index b62b077e2..616c20f4d 100644
--- a/view/theme/smoothly/templates/wall_thread.tpl
+++ b/view/theme/smoothly/templates/wall_thread.tpl
@@ -15,7 +15,7 @@
 			{{if $item.owner_url}}
 			<div class="wall-item-photo-wrapper mframe wwto" id="wall-item-ownerphoto-wrapper-{{$item.id}}" >
 				<a href="{{$item.owner_url}}" title="{{$item.olinktitle|escape}}" class="wall-item-photo-link" id="wall-item-ownerphoto-link-{{$item.id}}">
-				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escaped}}" /></a>
+				<img src="{{$item.owner_photo}}" class="wall-item-photo{{$item.osparkle}}" id="wall-item-ownerphoto-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.owner_name|escape}}" /></a>
 			</div>
 			<div class="wall-item-arrowphoto-wrapper" ><img src="view/theme/smoothly/images/larrow.gif" alt="{{$item.wall}}" /></div>
 			{{/if}}
@@ -23,7 +23,7 @@
 				onmouseover="if (typeof t{{$item.id}} != 'undefined') clearTimeout(t{{$item.id}}); openMenu('wall-item-photo-menu-button-{{$item.id}}')"
                 onmouseout="t{{$item.id}}=setTimeout('closeMenu(\'wall-item-photo-menu-button-{{$item.id}}\'); closeMenu(\'wall-item-photo-menu-{{$item.id}}\');',200)">
 				<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-photo-link u-url" id="wall-item-photo-link-{{$item.id}}">
-				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escaped}}" /></a>
+				<img src="{{$item.thumb}}" class="wall-item-photo{{$item.sparkle}} p-name u-photo" id="wall-item-photo-{{$item.id}}" style="height: 80px; width: 80px;" alt="{{$item.name|escape}}" /></a>
 				<span onclick="openClose('wall-item-photo-menu-{{$item.id}}');" class="fakelink wall-item-photo-menu-button" id="wall-item-photo-menu-button-{{$item.id}}">menu</span>
                 <div class="wall-item-photo-menu" id="wall-item-photo-menu-{{$item.id}}">
                     <ul>
@@ -47,7 +47,7 @@
 		<div class="wall-item-content" id="wall-item-content-{{$item.id}}" >
 		<div class="wall-item-author">
 			<a href="{{$item.profile_url}}" title="{{$item.linktitle|escape}}" class="wall-item-name-link">
-			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escaped}}</span>
+			<span class="wall-item-name{{$item.sparkle}}" id="wall-item-name-{{$item.id}}" >{{$item.name|escape}}</span>
 			</a>
 			<div class="wall-item-ago">&bull;</div>
 			<div class="wall-item-ago" id="wall-item-ago-{{$item.id}}" title="{{$item.localtime}}"><time class="dt-published" datetime="{{$item.localtime}}">{{$item.ago}}</time></div>
diff --git a/view/theme/vier/templates/profile_vcard.tpl b/view/theme/vier/templates/profile_vcard.tpl
index 1733969aa..a46441695 100644
--- a/view/theme/vier/templates/profile_vcard.tpl
+++ b/view/theme/vier/templates/profile_vcard.tpl
@@ -13,7 +13,7 @@
 		{{/if}}
 	</div>
 
-	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escaped}}</div>{{/if}}
+	{{if $profile.addr}}<div class="p-addr">{{$profile.addr|escape}}</div>{{/if}}
 
 	{{if $profile.pdesc}}<div class="title">{{$profile.pdesc}}</div>{{/if}}
 

From 069c92049a99f78baa494f8be3bb014f194e86d1 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Sun, 25 Nov 2018 23:49:40 +0000
Subject: [PATCH 7/7] Just some misspelling

---
 view/theme/frio/templates/contact_template.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/view/theme/frio/templates/contact_template.tpl b/view/theme/frio/templates/contact_template.tpl
index 1b56a6b62..604f8d7e5 100644
--- a/view/theme/frio/templates/contact_template.tpl
+++ b/view/theme/frio/templates/contact_template.tpl
@@ -9,7 +9,7 @@
 					<img class="contact-photo media-object xl" src="{{$contact.thumb}}" {{$contact.sparkle}} alt="{{$contact.name|escape}}" />
 				</div>
 
-				{{* For very small displays we use a drobdown menu for contact relating actions *}}
+				{{* For very small displays we use a dropdown menu for contact relating actions *}}
 				<button type="button" class="btn btn-link dropdown-toggle visible-xs" id="contact-photo-menu-button-{{$contact.id}}" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
 					{{* use a smaller picture on very small displays (e.g. mobiles) *}}
 					<div class="contact-photo-image-wrapper visible-xs">