diff --git a/Netdisco/Changes b/Netdisco/Changes
index 56204e7b..03a77bfe 100644
--- a/Netdisco/Changes
+++ b/Netdisco/Changes
@@ -12,9 +12,10 @@
   * Use Path::Class for path and file name construction consistently
   * Avoid use of DNS when looking up devices in DB by IP
 
-  [BIG FIXES]
+  [BUG FIXES]
 
   * Search by device port MAC no longer fatal
+  * URI and HTML escape template variables
 
 2.005000_002 - 2013-02-10
 
diff --git a/Netdisco/share/views/ajax/device/addresses.tt b/Netdisco/share/views/ajax/device/addresses.tt
index 8fba4a97..5c54aa64 100644
--- a/Netdisco/share/views/ajax/device/addresses.tt
+++ b/Netdisco/share/views/ajax/device/addresses.tt
@@ -11,13 +11,13 @@
   </tbody>
     [% WHILE (row = results.next) %]
     <tr>
-      <td>[% row.alias %]</a>
-      <td>[% row.dns %]</a>
+      <td>[% row.alias | html_entity %]</a>
+      <td>[% row.dns | html_entity %]</a>
       <td class="center_cell"><a class="nd_linkcell"
-        href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.port | uri %]">[% row.port %]</a></td>
-      <td>[% row.device_port.name %]</td>
+        href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.port | uri %]">[% row.port | html_entity %]</a></td>
+      <td>[% row.device_port.name | html_entity %]</td>
       <td><a class="nd_linkcell"
-        href="[% search_device %]&ip=[% row.subnet | uri %]">[% row.subnet %]</a></td>
+        href="[% search_device %]&ip=[% row.subnet | uri %]">[% row.subnet | html_entity %]</a></td>
     </tr>
     [% END %]
   </tbody>
diff --git a/Netdisco/share/views/ajax/device/details.tt b/Netdisco/share/views/ajax/device/details.tt
index 11d49860..2bd1a0f1 100644
--- a/Netdisco/share/views/ajax/device/details.tt
+++ b/Netdisco/share/views/ajax/device/details.tt
@@ -13,12 +13,12 @@
       [% IF vars.user.port_control %]
       <td class="nd_editable_cell" contenteditable="true"
         data-field="location" data-for-device="[% d.ip %]">
-          [% d.location %]
+          [% d.location | html_entity %]
       </td>
       [% ELSE %]
       <td>
         <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&location=[% d.location | uri %]">[% d.location %]</a>
+        href="[% search_device %]&location=[% d.location | uri %]">[% d.location | html_entity %]</a>
       </td>
       [% END %]
     </tr>
@@ -30,68 +30,68 @@
       </td>
       [% IF vars.user.port_control %]
       <td class="nd_editable_cell" contenteditable="true"
-        data-field="contact" data-for-device="[% d.ip %]">
-          [% d.contact %]
+        data-field="contact" data-for-device="[% d.ip | html_entity %]">
+          [% d.contact | html_entity %]
       </td>
       [% ELSE %]
-      <td>[% d.contact %]</td>
+      <td>[% d.contact | html_entity %]</td>
       [% END %]
     </tr>
     <tr>
       <td>Vendor / Model</td>
       <td>
         <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&vendor=[% d.vendor | uri %]">[% d.vendor %]</a>
+        href="[% search_device %]&vendor=[% d.vendor | uri %]">[% d.vendor | html_entity %]</a>
         /
         <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&model=[% d.model | uri %]">[% d.model %]</a>
+        href="[% search_device %]&model=[% d.model | uri %]">[% d.model | html_entity %]</a>
       </td>
     </tr>
     <tr>
       <td>OS / Version</td>
-      <td>[% d.os %] /
+      <td>[% d.os | html_entity %] /
         <a rel="tooltip" data-placement="top" data-offset="5"
           data-title="Find Similar Devices"
-          href="[% search_device %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver %]</a>
+          href="[% search_device %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver | html_entity %]</a>
       </td>
     </tr>
     <tr>
       <td>Serial Number</td>
-      <td>[% d.serial %]</td>
+      <td>[% d.serial | html_entity %]</td>
     </tr>
     <tr>
       <td>Description</td>
-      <td>[% d.description.replace(', ',",<br/>") %]</td>
+      <td>[% d.description | html_entity | html_line_break %]</td>
     </tr>
     <tr>
       <td>Uptime</td>
-      <td>[% d.uptime_age %]</td>
+      <td>[% d.uptime_age | html_entity %]</td>
     </tr>
     <tr>
       <td>Last Discover</td>
-      <td>[% d.last_discover_stamp %]</td>
+      <td>[% d.last_discover_stamp | html_entity %]</td>
     </tr>
     <tr>
       <td>Last Arpnip</td>
-      <td>[% d.last_arpnip_stamp %]</td>
+      <td>[% d.last_arpnip_stamp | html_entity %]</td>
     </tr>
     <tr>
       <td>Last Macsuck</td>
-      <td>[% d.last_macsuck_stamp %]</td>
+      <td>[% d.last_macsuck_stamp | html_entity %]</td>
     </tr>
     <tr>
       <td>Hardware Status</td>
-      <td>Fan: [% d.fan %]
-        <br/>PS1 [[% d.ps1_type %]]: [% d.ps1_status %]
-        <br/>PS2 [[% d.ps2_type %]]: [% d.ps2_status %]</td>
+      <td>Fan: [% d.fan | html_entity %]
+        <br/>PS1 [[% d.ps1_type | html_entity %]]: [% d.ps1_status | html_entity %]
+        <br/>PS2 [[% d.ps2_type | html_entity %]]: [% d.ps2_status | html_entity %]</td>
     </tr>
     <tr>
       <td>MAC Address</td>
-      <td>[% d.mac %]</td>
+      <td>[% d.mac | html_entity %]</td>
     </tr>
     <tr>
       <td>VTP Domain</td>
-      <td>[% d.vtp_domain %]</td>
+      <td>[% d.vtp_domain | html_entity %]</td>
     </tr>
   </tbody>
 </table>
diff --git a/Netdisco/share/views/ajax/device/ports.tt b/Netdisco/share/views/ajax/device/ports.tt
index fb6a27ee..c854ea72 100644
--- a/Netdisco/share/views/ajax/device/ports.tt
+++ b/Netdisco/share/views/ajax/device/ports.tt
@@ -6,7 +6,7 @@
       [% NEXT IF item.name == 'c_admin' %]
       [% NEXT IF item.name == 'c_nodes' AND params.c_nodes AND params.c_neighbors %]
         [% NEXT UNLESS params.${item.name} %]
-        <th[% ' class="center_cell"' IF NOT loop.first %]>[% item.label %]</th>
+        <th[% ' class="center_cell"' IF NOT loop.first %]>[% item.label | html_entity %]</th>
       [% END %]
     </tr>
   </thead>
@@ -29,13 +29,13 @@
       [% IF vars.user.port_control AND params.c_admin %]
       [% IF row.up_admin == 'up' %]
       <td nowrap class="nd_editable_cell" data-action="down"
-        data-field="c_port" data-for-device="[% device %]" data-for-port="[% row.port | html_entity %]">
+        data-field="c_port" data-for-device="[% device | html_entity %]" data-for-port="[% row.port | html_entity %]">
         <i class="icon-hand-down nd_hand_icon"
           rel="tooltip" data-placement="top" data-offset="3"
           data-animation="" data-title="Click to Disable"></i>
       [% ELSE %]
       <td nowrap class="nd_editable_cell" data-action="up"
-        data-field="c_port" data-for-device="[% device %]" data-for-port="[% row.port | html_entity %]">
+        data-field="c_port" data-for-device="[% device | html_entity %]" data-for-port="[% row.port | html_entity %]">
         <i class="icon-hand-up nd_hand_icon"
           rel="tooltip" data-placement="top" data-offset="3"
           data-animation="" data-title="Click to Enable"></i>
@@ -72,7 +72,7 @@
       [% IF params.c_name %]
       [% IF vars.user.port_control AND params.c_admin %]
       <td nowrap class="center_cell nd_editable_cell" contenteditable="true"
-          data-field="c_name" data-for-device="[% device %]" data-for-port="[% row.port | html_entity %]">
+          data-field="c_name" data-for-device="[% device | html_entity %]" data-for-port="[% row.port | html_entity %]">
       <i class="icon-edit nd_edit_icon"></i>
       [% ELSE %]
       <td nowrap class="center_cell">
@@ -98,7 +98,7 @@
       [% IF params.c_vlan %]
       [% IF vars.user.port_control AND params.c_admin %]
       <td class="center_cell nd_editable_cell" contenteditable="true"
-        data-field="c_vlan" data-for-device="[% device %]" data-for-port="[% row.port | html_entity %]">
+        data-field="c_vlan" data-for-device="[% device | html_entity %]" data-for-port="[% row.port | html_entity %]">
       <i class="icon-edit nd_edit_icon"></i>
       <div class="nd_editable_cell_content">
         [% IF row.vlan %][% row.vlan | html_entity %][% END %]
@@ -140,7 +140,7 @@
           [% IF row.power.admin == 'true' %]
             [% IF vars.user.port_control AND params.c_admin %]
               <td nowrap data-action="false"
-                data-field="c_power" data-for-device="[% device %]"
+                data-field="c_power" data-for-device="[% device | html_entity %]"
                 data-for-port="[% row.port | html_entity %]">
 
                 <i class="icon-off nd_power_icon nd_power_on"
@@ -152,15 +152,15 @@
             [% END %]
                 <span>
                 [% IF row.power.power > 0 %]
-                  [% row.power.power %]&nbsp;mW
+                  [% row.power.power | html_entity %]&nbsp;mW
                 [% ELSE %]
-                  ([% row.power.status %])
+                  ([% row.power.status | html_entity %])
                 [% END %]
                 </span>
           [% ELSE %]
             [% IF vars.user.port_control AND params.c_admin %]
               <td nowrap data-action="true"
-                data-field="c_power" data-for-device="[% device %]"
+                data-field="c_power" data-for-device="[% device | html_entity %]"
                 data-for-port="[% row.port | html_entity %]">
 
                 <i class="icon-off nd_power_icon"
@@ -183,29 +183,29 @@
           [% IF row.neighbor %]
           <a href="[% uri_for('/device',
                 self_options) %]&q=[% row.neighbor.dns || row.neighbor.ip | uri %]&f=[% row.remote_port | uri %]">
-            [% row.neighbor.dns.remove(settings.domain_suffix) || row.neighbor.ip %]
+            [% row.neighbor.dns.remove(settings.domain_suffix) || row.neighbor.ip | html_entity %]
             ([% row.remote_port | html_entity %])</a>
           [% ELSE %]
           <span class="label label-important">N</span>
           <a href="[% search_node %]&q=[% row.remote_ip | uri %]">
-            [% row.remote_ip %] (port: [% row.remote_port %]
-            id: [% (row.remote_type _ ' / ') IF row.remote_type %][% row.remote_id %])</a>
+            [% row.remote_ip | html_entity %] (port: [% row.remote_port | html_entity %]
+            id: [% (row.remote_type _ ' / ') IF row.remote_type %][% row.remote_id | html_entity %])</a>
           [% END %]
         [% END %]
         [% IF params.c_nodes %]
         [% FOREACH node IN row.$nodes %]
           [% '<br/>' IF row.remote_ip OR NOT loop.first %]
           [% '<span class="label label-warning">A</span> &nbsp;' IF NOT node.active %]
-          <a href="[% search_node %]&q=[% node.mac | uri %]">[% node.mac %]</a>
+          <a href="[% search_node %]&q=[% node.mac | uri %]">[% node.mac | html_entity %]</a>
           [% ' (' _ node.time_last_age _ ')' IF params.n_age %]
           [% IF params.n_ip %]
             [% FOREACH ip IN node.ips %]
             <br/>&nbsp; [% '<span class="label label-warning">A</span> &nbsp;' IF NOT ip.active %]
               [% SET dns = ip.dns %]
               [% IF dns %]
-              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% dns %] ([% ip.ip %])</a>
+              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% dns %] ([% ip.ip | html_entity %])</a>
               [% ELSE %]
-              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% ip.ip %]</a>
+              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% ip.ip | html_entity %]</a>
               [% END %]
             [% END %]
           [% END %]
diff --git a/Netdisco/share/views/ajax/search/device.tt b/Netdisco/share/views/ajax/search/device.tt
index f9315b65..10e3f560 100644
--- a/Netdisco/share/views/ajax/search/device.tt
+++ b/Netdisco/share/views/ajax/search/device.tt
@@ -14,15 +14,14 @@
   </tbody>
     [% WHILE (row = results.next) %]
     <tr>
-      <td><a href="[% uri_for('/device') %]?q=[% row.dns || row.ip %]">[% row.dns || row.ip %]</a></td>
-      <td>[% row.contact %]</td>
-      <td>[% row.location %]</td>
-      <td>[% row.name %]</td>
-      <!-- <td>[% row.description.substr(0, 100) %][% ' &hellip;' IF row.description.length > 100 %]</td> -->
-      <td>[% row.model %]</td>
-      <td>[% row.os_ver %]</td>
-      <td>[% row.ip %]</td>
-      <td>[% row.serial %]</td>
+      <td><a href="[% uri_for('/device') %]?q=[% row.dns || row.ip | uri %]">[% row.dns || row.ip | html_entity %]</a></td>
+      <td>[% row.contact | html_entity %]</td>
+      <td>[% row.location | html_entity %]</td>
+      <td>[% row.name | html_entity %]</td>
+      <td>[% row.model | html_entity %]</td>
+      <td>[% row.os_ver | html_entity %]</td>
+      <td>[% row.ip | html_entity %]</td>
+      <td>[% row.serial | html_entity %]</td>
     </tr>
     [% END %]
   </tbody>
diff --git a/Netdisco/share/views/ajax/search/node_by_ip.tt b/Netdisco/share/views/ajax/search/node_by_ip.tt
index b4794be1..896ab5a9 100644
--- a/Netdisco/share/views/ajax/search/node_by_ip.tt
+++ b/Netdisco/share/views/ajax/search/node_by_ip.tt
@@ -17,18 +17,18 @@
     [% WHILE (row = macs.next) %]
     <tr>
       <td><a class="nd_linkcell"
-        href="[% search_node %]&q=[% row.mac | uri %]">[% row.mac %]</a></td>
+        href="[% search_node %]&q=[% row.mac | uri %]">[% row.mac | html_entity %]</a></td>
       [% IF params.vendor %]
-      <td>[% row.oui.company %]</td>
+      <td>[% row.oui.company | html_entity %]</td>
       [% END %]
       <td>IP &rarr; MAC</td>
-      <td><a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip %]</a>
+      <td><a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
         [% ' <span class="label label-warning">A</span>' IF NOT row.active %]
         [% ' (' _ row.dns.remove(settings.domain_suffix) _ ')' IF row.dns %]
       </td>
       [% IF params.stamps %]
-      <td>[% row.time_first_stamp %]</td>
-      <td>[% row.time_last_stamp %]</td>
+      <td>[% row.time_first_stamp | html_entity %]</td>
+      <td>[% row.time_last_stamp | html_entity %]</td>
       [% END %]
     </tr>
     [% FOREACH node IN row.node_sightings(archive_filter) %]
@@ -39,16 +39,16 @@
       [% END %]
       <td>Switch Port</td>
       <td><a class="nd_linkcell"
-          href="[% device_ports %]&q=[% node.device.dns || node.switch %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on">
-          [% node.switch %] - [% node.port %]</a>
+          href="[% device_ports %]&q=[% node.device.dns || node.switch | uri %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on">
+          [% node.switch | html_entity %] - [% node.port | html_entity %]</a>
         [% ' <span class="label label-warning">A</span>' IF NOT node.active %]
         [% IF node.device.dns AND node.device_port AND node.device_port.name %]
-          ([% node.device.dns %] - [% node.device_port.name %])
+          ([% node.device.dns | html_entity %] - [% node.device_port.name | html_entity %])
         [% END %]
       </td>
       [% IF params.stamps %]
-      <td>[% node.time_first_stamp %]</td>
-      <td>[% node.time_last_stamp %]</td>
+      <td>[% node.time_first_stamp | html_entity %]</td>
+      <td>[% node.time_last_stamp | html_entity %]</td>
       [% END %]
     </tr>
     [% END %]
@@ -59,13 +59,13 @@
       <td>&nbsp;</td>
       [% END %]
       <td>MAC &rarr; IP</td>
-      <td><a href="[% search_node %]&q=[% nodeip.ip | uri %]">[% nodeip.ip %]</a>
+      <td><a href="[% search_node %]&q=[% nodeip.ip | uri %]">[% nodeip.ip | html_entity %]</a>
         [% ' <span class="label label-warning">A</span>' IF NOT nodeip.active %]
         [% ' (' _ nodeip.dns.remove(settings.domain_suffix) _ ')' IF nodeip.dns %]
       </td>
       [% IF params.stamps %]
-      <td>[% nodeip.time_first_stamp %]</td>
-      <td>[% nodeip.time_last_stamp %]</td>
+      <td>[% nodeip.time_first_stamp | html_entity %]</td>
+      <td>[% nodeip.time_last_stamp | html_entity %]</td>
       [% END %]
     </tr>
     [% END %]
diff --git a/Netdisco/share/views/ajax/search/node_by_mac.tt b/Netdisco/share/views/ajax/search/node_by_mac.tt
index c9463bce..63638d80 100644
--- a/Netdisco/share/views/ajax/search/node_by_mac.tt
+++ b/Netdisco/share/views/ajax/search/node_by_mac.tt
@@ -20,7 +20,7 @@
       <td>
         [% IF first_row %]
         <a class="nd_linkcell"
-          href="[% search_node %]&q=[% row.mac | uri %]">[% row.mac %]</a>
+          href="[% search_node %]&q=[% row.mac | uri %]">[% row.mac | html_entity %]</a>
         [% ELSE %]
         &nbsp;
         [% END %]
@@ -28,20 +28,20 @@
       [% IF params.vendor %]
       <td>
         [% IF first_row %]
-        [% row.oui.company %]
+        [% row.oui.company | html_entity %]
         [% ELSE %]
         &nbsp;
         [% END %]
       </td>
       [% END %]
       <td>MAC &rarr; IP</td>
-      <td><a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip %]</a>
+      <td><a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
         [% ' <span class="label label-warning">A</span>' IF NOT row.active %]
         [% ' (' _ row.dns.remove(settings.domain_suffix) _ ')' IF row.dns %]
       </td>
       [% IF params.stamps %]
-      <td>[% row.time_first_stamp %]</td>
-      <td>[% row.time_last_stamp %]</td>
+      <td>[% row.time_first_stamp | html_entity %]</td>
+      <td>[% row.time_last_stamp | html_entity %]</td>
       [% END %]
     </tr>
     [% SET first_row = 0 %]
@@ -51,7 +51,7 @@
       <td>
         [% IF first_row %]
         <a class="nd_linkcell"
-          href="[% search_node %]&q=[% node.mac | uri %]">[% node.mac %]</a>
+          href="[% search_node %]&q=[% node.mac | uri %]">[% node.mac | html_entity %]</a>
         [% ELSE %]
         &nbsp;
         [% END %]
@@ -59,7 +59,7 @@
       [% IF params.vendor %]
       <td>
         [% IF first_row %]
-        [% node.oui.company %]
+        [% node.oui.company | html_entity %]
         [% ELSE %]
         &nbsp;
         [% END %]
@@ -67,16 +67,16 @@
       [% END %]
       <td>Switch Port</td>
       <td><a class="nd_linkcell"
-            href="[% device_ports %]&q=[% node.device.dns || node.switch %]&f=[% node.port %]&c_nodes=on&c_neighbors=on">
-            [% node.switch %] - [% node.port %]</a>
+            href="[% device_ports %]&q=[% node.device.dns || node.switch | uri %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on">
+            [% node.switch | html_entity %] - [% node.port | html_entity %]</a>
         [% ' <span class="label label-warning">A</span>' IF NOT node.active %]
         [% IF node.device.dns AND node.device_port AND node.device_port.name %]
-          ([% node.device.dns %] - [% node.device_port.name %])
+          ([% node.device.dns | html_entity %] - [% node.device_port.name | html_entity %])
         [% END %]
       </td>
       [% IF params.stamps %]
-      <td>[% node.time_first_stamp %]</td>
-      <td>[% node.time_last_stamp %]</td>
+      <td>[% node.time_first_stamp | html_entity %]</td>
+      <td>[% node.time_last_stamp | html_entity %]</td>
       [% END %]
     </tr>
     [% SET first_row = 0 %]
@@ -86,7 +86,7 @@
       <td>
         [% IF first_row %]
         <a class="nd_linkcell"
-          href="[% search_node %]&q=[% port.mac | uri %]">[% port.mac %]</a>
+          href="[% search_node %]&q=[% port.mac | uri %]">[% port.mac | html_entity %]</a>
         [% ELSE %]
         &nbsp;
         [% END %]
@@ -94,7 +94,7 @@
       [% IF params.vendor %]
       <td>
         [% IF first_row %]
-        [% port.oui.company %]
+        [% port.oui.company | html_entity %]
         [% ELSE %]
         &nbsp;
         [% END %]
@@ -102,15 +102,15 @@
       [% END %]
       <td>Switch Port</td>
       <td><a class="nd_linkcell"
-            href="[% device_ports %]&q=[% port.device.dns || port.ip %]&f=[% port.port %]&c_mac=on&c_nodes=on&c_neighbors=on">
-            [% port.ip %] - [% port.descr %]</a>
+            href="[% device_ports %]&q=[% port.device.dns || port.ip | uri %]&f=[% port.port | uri %]&c_mac=on&c_nodes=on&c_neighbors=on">
+            [% port.ip | html_entity %] - [% port.descr | html_entity %]</a>
         [% IF port.device.dns AND port.name %]
-          ([% port.device.dns %] - [% port.name %])
+          ([% port.device.dns | html_entity %] - [% port.name | html_entity %])
         [% END %]
       </td>
       [% IF params.stamps %]
-      <td>[% port.creation %]</td>
-      <td>[% port.creation %]</td>
+      <td>[% port.creation | html_entity %]</td>
+      <td>[% port.creation | html_entity %]</td>
       [% END %]
     </tr>
     [% SET first_row = 0 %]
diff --git a/Netdisco/share/views/ajax/search/port.tt b/Netdisco/share/views/ajax/search/port.tt
index cfec8d08..5d0acef7 100644
--- a/Netdisco/share/views/ajax/search/port.tt
+++ b/Netdisco/share/views/ajax/search/port.tt
@@ -10,12 +10,13 @@
   </tbody>
     [% WHILE (row = results.next) %]
     <tr>
-      <td>[% row.name %]</td>
-      <td><a href="[% device_ports %]&q=[% row.device.dns || row.ip %]&f=[% row.port %]">[% row.ip %] [ [% row.port %] ]</a>
+      <td>[% row.name | html_entity %]</td>
+      <td><a href="[% device_ports %]&q=[% row.device.dns || row.ip | uri %]&f=[% row.port | uri %]">
+        [% row.ip | html_entity %] [ [% row.port | html_entity %] ]</a>
         [% ' (' _ row.device.dns _ ')' IF row.device.dns %]
       </td>
-      <td>[% row.descr %]</td>
-      <td>[% row.vlan %]</td>
+      <td>[% row.descr | html_entity %]</td>
+      <td>[% row.vlan | html_entity %]</td>
     </tr>
     [% END %]
   </tbody>
diff --git a/Netdisco/share/views/ajax/search/vlan.tt b/Netdisco/share/views/ajax/search/vlan.tt
index 262308e5..1e6e663a 100644
--- a/Netdisco/share/views/ajax/search/vlan.tt
+++ b/Netdisco/share/views/ajax/search/vlan.tt
@@ -13,17 +13,17 @@
     [% WHILE (row = results.next) %]
     <tr>
       <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.vlan.vlan %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.vlan.vlan | html_entity %]</a></td>
       <td><a class="nd_linkcell"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.dns || row.ip %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.dns || row.ip | html_entity %]</a></td>
       <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.vlan.description %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.vlan.description | html_entity %]</a></td>
       <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.model %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.model | html_entity %]</a></td>
       <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.os %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.os | html_entity %]</a></td>
       <td><a class="nd_linkcell nd_stealthlink"
-        href="[% device_ports %]&q=[% row.dns || row.ip %]&f=[% row.vlan.vlan %]">[% row.vendor %]</a></td>
+        href="[% device_ports %]&q=[% row.dns || row.ip | uri %]&f=[% row.vlan.vlan | uri %]">[% row.vendor | html_entity %]</a></td>
     </tr>
     [% END %]
   </tbody>
diff --git a/Netdisco/share/views/device.tt b/Netdisco/share/views/device.tt
index 08da8cba..18584a61 100644
--- a/Netdisco/share/views/device.tt
+++ b/Netdisco/share/views/device.tt
@@ -29,8 +29,8 @@
             <script type="text/javascript">has_sidebar["[% tab.id %]"] = 1;</script>
             [% CATCH %]
             <!-- no "[% tab.id %]" search options -->
-            <input name="q" value="[% params.q %]" type="hidden"/>
-            <input name="f" value="[% params.f %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
+            <input name="f" value="[% params.f | html_entity %]" type="hidden"/>
             <script type="text/javascript">has_sidebar["[% tab.id %]"] = 0;</script>
             [% END %]
           </form>
@@ -45,7 +45,7 @@
       [% FOREACH tab IN settings.device_tabs %]
       <li[% ' class="active"' IF params.tab == tab.id %]><a id="[% tab.id %]_link" href="#[% tab.id %]_pane">[% tab.label %]</a></li>
       [% END %]
-      <span id="nd_device_name">[% d.dns || d.name %]</span>
+      <span id="nd_device_name">[% d.dns || d.name | html_entity %]</span>
     </ul>
     <div class="tab-content">
       [% FOREACH tab IN settings.device_tabs %]
diff --git a/Netdisco/share/views/index.tt b/Netdisco/share/views/index.tt
index 640b2a6b..cbf034c2 100644
--- a/Netdisco/share/views/index.tt
+++ b/Netdisco/share/views/index.tt
@@ -37,7 +37,7 @@
             <button type="submit" class="btn btn-info">Log In</button>
           </div>
           [% IF vars.requested_path %]
-          <input type="hidden" name="path" value="[% vars.requested_path %]"/>
+          <input type="hidden" name="path" value="[% vars.requested_path | html_entity %]"/>
           [% END %]
         </form>
         [% ELSE %]
diff --git a/Netdisco/share/views/inventory.tt b/Netdisco/share/views/inventory.tt
index 8f3fc9c4..41f379c7 100644
--- a/Netdisco/share/views/inventory.tt
+++ b/Netdisco/share/views/inventory.tt
@@ -17,15 +17,15 @@
           <tr>
             <th>
               <a class="nd_linkcell"
-                href="[% search_device %]&vendor=[% platform.vendor %]">
-                  [% platform.vendor %]</a>
+                href="[% search_device %]&vendor=[% platform.vendor | uri %]">
+                  [% platform.vendor | html_entity %]</a>
             </th>
             <th>
               <a class="nd_linkcell"
-                href="[% search_device %]&model=[% platform.model %]">
-                  [% platform.model %]</a>
+                href="[% search_device %]&model=[% platform.model | uri %]">
+                  [% platform.model | html_entity %]</a>
             </th>
-            <th>[% platform.get_column('count') %]</th>
+            <th>[% platform.get_column('count') | html_entity %]</th>
           </tr>
           [% END %]
         </tbody>
@@ -45,13 +45,13 @@
           [% FOREACH release IN releases.all %]
           [% NEXT UNLESS (release.os AND release.os_ver) %]
           <tr>
-            <th>[% release.os %]</th>
+            <th>[% release.os | html_entity %]</th>
             <th>
               <a class="nd_linkcell"
-                href="[% search_device %]&os_ver=[% release.os_ver %]">
-                  [% release.os_ver %]</a>
+                href="[% search_device %]&os_ver=[% release.os_ver | uri %]">
+                  [% release.os_ver | html_entity %]</a>
             </th>
-            <th>[% release.get_column('count') %]</th>
+            <th>[% release.get_column('count') | html_entity %]</th>
           </tr>
           [% END %]
         </tbody>
diff --git a/Netdisco/share/views/layouts/main.tt b/Netdisco/share/views/layouts/main.tt
index 8a1dee70..2d4f1725 100644
--- a/Netdisco/share/views/layouts/main.tt
+++ b/Netdisco/share/views/layouts/main.tt
@@ -2,7 +2,7 @@
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-  <meta http-equiv="Content-type" content="text/html; charset=[% settings.charset %]" />
+  <meta http-equiv="Content-type" content="text/html; charset=[% settings.charset | html_entity %]" />
   <link rel="shortcut icon" href="#" />
   <title>Netdisco</title>
 
@@ -54,7 +54,7 @@
       <ul class="nav">
         [% FOREACH ni IN settings.navbar_items %]
         <li[% ' class="active"' IF vars.nav == ni.id %]>
-          <a href="[% uri_for(ni.path) %]">[% ni.label %]</a>
+          <a href="[% uri_for(ni.path) %]">[% ni.label | html_entity %]</a>
         </li>
         [% END %]
         [% IF more_dd.size %]
@@ -63,7 +63,7 @@
             More <b class="caret"></b></a>
           <ul class="dropdown-menu">
             [% FOREACH title IN more_dd.keys.sort %]
-            <li><a href="[% uri_for(more_dd.$title) %]">[% title %]</a></li>
+            <li><a href="[% uri_for(more_dd.$title) %]">[% title | html_entity %]</a></li>
             [% END %]
           </ul>
         </li> <!-- /dropdown -->
@@ -85,10 +85,10 @@
           [% ELSE %]
             <i class="icon-user"></i>
           [% END %]
-            [% session.user %] <b class="caret"></b></a>
+            [% session.user | html_entity %] <b class="caret"></b></a>
           <ul class="dropdown-menu">
             [% FOREACH item IN user_dd %]
-            <li><a href="[% uri_for(item.link) %]">[% item.title %]</a></li>
+            <li><a href="[% uri_for(item.link) %]">[% item.title | html_entity %]</a></li>
             [% END %]
           </ul>
         </li> <!-- /dropdown -->
diff --git a/Netdisco/share/views/search.tt b/Netdisco/share/views/search.tt
index 0e4a6a4f..e98039a3 100644
--- a/Netdisco/share/views/search.tt
+++ b/Netdisco/share/views/search.tt
@@ -17,7 +17,7 @@
             <script type="text/javascript">has_sidebar["[% tab.id %]"] = 1;</script>
             [% CATCH %]
             <!-- no "[% tab.id %]" search options -->
-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
             <script type="text/javascript">has_sidebar["[% tab.id %]"] = 0;</script>
             [% END %]
           </form>
diff --git a/Netdisco/share/views/sidebar/device/ports.tt b/Netdisco/share/views/sidebar/device/ports.tt
index f939277b..5dba23ae 100644
--- a/Netdisco/share/views/sidebar/device/ports.tt
+++ b/Netdisco/share/views/sidebar/device/ports.tt
@@ -1,11 +1,11 @@
 
-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
             <div class="clearfix">
               <a class="field_clear_icon" href="#"
                 rel="tooltip" data-placement="top" data-offset="3" data-title="Show all Ports">
                 <img src="[% uri_base %]/images/tango_sweep.png"/></a>
               <input id="nd_port_query" placeholder="Port, Name or VLAN"
-                name="f" value="[% params.f %]" type="text"
+                name="f" value="[% params.f | html_entity %]" type="text"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="Filter by Port, Name or VLAN"/>
             </div>
             <div class="clearfix">
@@ -55,12 +55,12 @@
                   [% NEXT IF item.name == 'c_admin' AND NOT vars.user.port_control %]
                   <li>
                     <label class="checkbox">
-                      <input type="checkbox" id="[% item.name %]"
-                        name="[% item.name %]"[% ' checked="checked"' IF params.${item.name} %] />
+                      <input type="checkbox" id="[% item.name | html_entity %]"
+                        name="[% item.name | html_entity %]"[% ' checked="checked"' IF params.${item.name} %] />
                       [% IF item.name == 'c_admin' %]
-                        <span class="label label-info">[% item.label %]</span>
+                        <span class="label label-info">[% item.label | html_entity %]</span>
                       [% ELSE %]
-                        [% item.label %]
+                        [% item.label | html_entity %]
                       [% END %]
                     </label>
                   </li>
@@ -110,9 +110,9 @@
                   [% FOREACH item IN vars.connected_properties %]
                   <li>
                     <label class="checkbox">
-                      <input type="checkbox" id="[% item.name %]"
-                        name="[% item.name %]"[% ' checked="checked"' IF params.${item.name} %] />
-                      [% item.label %]
+                      <input type="checkbox" id="[% item.name | html_entity %]"
+                        name="[% item.name | html_entity %]"[% ' checked="checked"' IF params.${item.name} %] />
+                      [% item.label | html_entity %]
                     </label>
                   </li>
                   [% END %]
diff --git a/Netdisco/share/views/sidebar/search/device.tt b/Netdisco/share/views/sidebar/search/device.tt
index da12d85b..d19bb62d 100644
--- a/Netdisco/share/views/sidebar/search/device.tt
+++ b/Netdisco/share/views/sidebar/search/device.tt
@@ -1,12 +1,12 @@
 
             <p class="nd_sidebar_title"><em>Device Search Options</em></p>
-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
             <div class="clearfix">
               <i data-btn-for="dns" class="field_copy_icon icon-copy icon-large"></i>
               <i id="dns_clear_btn" data-btn-for="dns"
                 class="field_clear_icon icon-trash icon-large"></i>
               <input class="nd_side_input" placeholder="DNS"
-                type="text" name="dns" value="[% params.dns %]"
+                type="text" name="dns" value="[% params.dns | html_entity %]"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="DNS"/>
             </div>
             <div class="clearfix">
@@ -14,7 +14,7 @@
               <i id="ip_clear_btn" data-btn-for="ip"
                 class="field_clear_icon icon-trash icon-large"></i>
               <input class="nd_side_input" placeholder="IP Address"
-                type="text" name="ip" value="[% params.ip %]"
+                type="text" name="ip" value="[% params.ip | html_entity %]"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="IP Address"/>
             </div>
             <div class="clearfix">
@@ -22,7 +22,7 @@
               <i id="name_clear_btn" data-btn-for="name"
                 class="field_clear_icon icon-trash icon-large"></i>
               <input class="nd_side_input" placeholder="System Name"
-                type="text" name="name" value="[% params.name %]"
+                type="text" name="name" value="[% params.name | html_entity %]"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="System Name"/>
             </div>
             <div class="clearfix">
@@ -30,7 +30,7 @@
               <i id="location_clear_btn" data-btn-for="location"
                 class="field_clear_icon icon-trash icon-large"></i>
               <input class="nd_side_input" placeholder="Location"
-                type="text" name="location" value="[% params.location %]"
+                type="text" name="location" value="[% params.location | html_entity %]"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="Location"/>
             </div>
             <div class="clearfix">
@@ -38,7 +38,7 @@
               <i id="description_clear_btn" data-btn-for="description"
                 class="field_clear_icon icon-trash icon-large"></i>
               <input class="nd_side_input" placeholder="Description"
-                type="text" name="description" value="[% params.description %]"
+                type="text" name="description" value="[% params.description | html_entity %]"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="Description"/>
             </div>
             <div class="clearfix">
@@ -46,7 +46,7 @@
                 multiple="on" name="model"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="Model"/>
                 [% FOREACH opt IN model_list %]
-                <option[% ' selected="selected"' IF model_lkp.exists(opt) %]>[% opt %]</option>
+                <option[% ' selected="selected"' IF model_lkp.exists(opt) %]>[% opt | html_entity %]</option>
                 [% END %]
               </select>
             </div>
@@ -55,7 +55,7 @@
                 multiple="on" name="os_ver"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="OS Release"/>
                 [% FOREACH opt IN os_ver_list %]
-                <option[% ' selected="selected"' IF os_ver_lkp.exists(opt) %]>[% opt %]</option>
+                <option[% ' selected="selected"' IF os_ver_lkp.exists(opt) %]>[% opt | html_entity %]</option>
                 [% END %]
               </select>
             </div>
@@ -64,7 +64,7 @@
                 multiple="on" name="vendor"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="Vendor"/>
                 [% FOREACH opt IN vendor_list %]
-                <option[% ' selected="selected"' IF vendor_lkp.exists(opt) %]>[% opt %]</option>
+                <option[% ' selected="selected"' IF vendor_lkp.exists(opt) %]>[% opt | html_entity %]</option>
                 [% END %]
               </select>
             </div>
diff --git a/Netdisco/share/views/sidebar/search/node.tt b/Netdisco/share/views/sidebar/search/node.tt
index 4aac3142..58f32eb4 100644
--- a/Netdisco/share/views/sidebar/search/node.tt
+++ b/Netdisco/share/views/sidebar/search/node.tt
@@ -1,6 +1,6 @@
 
             <p class="nd_sidebar_title"><em>Node Search Options</em></p>
-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
             <div class="clearfix input-prepend">
               <label class="add-on">
                 <input type="checkbox" id="stamps"
diff --git a/Netdisco/share/views/sidebar/search/port.tt b/Netdisco/share/views/sidebar/search/port.tt
index 1c3f0ef0..53c667f0 100644
--- a/Netdisco/share/views/sidebar/search/port.tt
+++ b/Netdisco/share/views/sidebar/search/port.tt
@@ -1,6 +1,6 @@
 
             <p class="nd_sidebar_title"><em>Port Search Options</em></p>
-            <input name="q" value="[% params.q %]" type="hidden"/>
+            <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
             <div class="clearfix input-prepend">
               <label class="add-on">
                 <input type="checkbox" id="partial"
diff --git a/TODO b/TODO
index 80ff5edb..8969d24d 100644
--- a/TODO
+++ b/TODO
@@ -9,10 +9,8 @@ FRONTEND
   - drop topo file support and use DB only
 * update inventory to use bootstrap accordion
 * UI plugins add template include path
-* logging from web app
 * reports page
 * reports plugin(s)
-* URI escape TT substitutions
 * (jeneric) device module tab
 
 
@@ -25,12 +23,15 @@ DAEMON
 CORE
 ====
 
+* ditch ~/bin
 * pseudo-device support
 * VRF support
 * docs notes
+  - start release notes page
   - plackup -R option
   - localenv
   - Try::Tiny
   - Role::Tiny
   - before and before_template hooks
   - running from git clone of netdisco-ng
+  - plackup --path for relocating