From deb9b62c7f839f5e41aa4d620bcdac5f9321a8a3 Mon Sep 17 00:00:00 2001
From: Oliver Gorwits <oliver@cpan.org>
Date: Mon, 23 Sep 2019 14:22:00 +0100
Subject: [PATCH] Enforce escaping on all template content

---
 Build.PL                                      |   1 +
 share/config.yml                              |   4 +
 share/views/admintask.tt                      |  16 +--
 .../views/ajax/admintask/duplicatedevices.tt  |  10 +-
 share/views/ajax/admintask/jobqueue.tt        |   4 +-
 share/views/ajax/admintask/nodemonitor.tt     |   8 +-
 share/views/ajax/admintask/orphaned.tt        |  12 +-
 share/views/ajax/admintask/pseudodevice.tt    |  10 +-
 share/views/ajax/admintask/slowdevices.tt     |   2 +-
 share/views/ajax/admintask/timedoutdevices.tt |   2 +-
 share/views/ajax/admintask/topology.tt        |  12 +-
 .../ajax/admintask/undiscoveredneighbors.tt   |   6 +-
 share/views/ajax/admintask/userlog.tt         |   2 +-
 share/views/ajax/admintask/users.tt           |   8 +-
 share/views/ajax/datatabledefaults.tt         |   4 +-
 share/views/ajax/device/addresses.tt          |   6 +-
 share/views/ajax/device/details.tt            |  44 +++----
 share/views/ajax/device/modules.tt            |  10 +-
 share/views/ajax/device/netmap.tt             |  10 +-
 share/views/ajax/device/ports.tt              |  34 +++---
 share/views/ajax/device/vlans.tt              |   6 +-
 share/views/ajax/report/apchanneldist.tt      |   2 +-
 share/views/ajax/report/apclients.tt          |   6 +-
 .../views/ajax/report/apradiochannelpower.tt  |   6 +-
 share/views/ajax/report/deviceaddrnodns.tt    |   4 +-
 share/views/ajax/report/devicebylocation.tt   |  12 +-
 share/views/ajax/report/devicednsmismatch.tt  |   4 +-
 share/views/ajax/report/devicepoestatus.tt    |  32 ++---
 share/views/ajax/report/duplexmismatch.tt     |   6 +-
 share/views/ajax/report/halfduplex.tt         |   4 +-
 .../views/ajax/report/inventorybymodelbyos.tt |   4 +-
 share/views/ajax/report/ipinventory.tt        |   8 +-
 share/views/ajax/report/moduleinventory.tt    |  20 ++--
 share/views/ajax/report/netbios.tt            |  10 +-
 share/views/ajax/report/nodemultiips.tt       |   6 +-
 share/views/ajax/report/nodesdiscovered.tt    |   6 +-
 share/views/ajax/report/nodevendor.tt         |  12 +-
 share/views/ajax/report/portadmindown.tt      |   4 +-
 share/views/ajax/report/portblocking.tt       |   4 +-
 share/views/ajax/report/portmultinodes.tt     |   4 +-
 share/views/ajax/report/portssid.tt           |   6 +-
 share/views/ajax/report/portutilization.tt    |   4 +-
 share/views/ajax/report/portvlanmismatch.tt   |  10 +-
 share/views/ajax/report/subnets.tt            |   2 +-
 share/views/ajax/report/vlaninventory.tt      |   6 +-
 share/views/ajax/search/device.tt             |   4 +-
 share/views/ajax/search/node_by_ip.tt         |  46 +++----
 share/views/ajax/search/node_by_mac.tt        |  32 ++---
 share/views/ajax/search/port.tt               |   4 +-
 share/views/ajax/search/vlan.tt               |  14 +--
 share/views/ajax/statistics.tt                |   2 +-
 share/views/device.tt                         |  18 +--
 share/views/index.tt                          |  12 +-
 share/views/inventory.tt                      |   8 +-
 share/views/js/admintask.js                   |   2 +-
 share/views/js/common.js                      |  42 +++----
 share/views/js/device.js                      |   2 +-
 share/views/js/report.js                      |   2 +-
 share/views/js/search.js                      |   2 +-
 share/views/layouts/main.tt                   | 112 +++++++++---------
 share/views/password.tt                       |   2 +-
 share/views/report.tt                         |  20 ++--
 share/views/search.tt                         |  16 +--
 share/views/sidebar/device/netmap.tt          |   6 +-
 share/views/sidebar/device/ports.tt           |   8 +-
 share/views/sidebar/report/ipinventory.tt     |   4 +-
 share/views/sidebar/report/moduleinventory.tt |   2 +-
 share/views/sidebar/report/netbios.tt         |   2 +-
 share/views/sidebar/report/nodesdiscovered.tt |   2 +-
 share/views/sidebar/report/nodevendor.tt      |   2 +-
 share/views/sidebar/report/portmultinodes.tt  |   2 +-
 share/views/sidebar/report/portssid.tt        |   2 +-
 share/views/sidebar/report/portutilization.tt |   6 +-
 share/views/sidebar/report/subnets.tt         |   2 +-
 share/views/sidebar/search/device.tt          |   2 +-
 share/views/sidebar/search/node.tt            |   4 +-
 share/views/sidebar/search/port.tt            |   2 +-
 77 files changed, 392 insertions(+), 387 deletions(-)

diff --git a/Build.PL b/Build.PL
index 5097b335..7c05c67b 100644
--- a/Build.PL
+++ b/Build.PL
@@ -81,6 +81,7 @@ Module::Build->new(
     'SQL::Abstract' => '1.85',
     'SQL::Translator' => '0.11024',
     'Template' => '2.24',
+    'Template::AutoFilter' => '0',
     'Template::Plugin::CSV' => '0.04',
     'Template::Plugin::Number::Format' => '1.02',
     'Term::ReadLine' => '0',
diff --git a/share/config.yml b/share/config.yml
index b9466243..8420d0b1 100644
--- a/share/config.yml
+++ b/share/config.yml
@@ -483,11 +483,15 @@ show_errors: false
 logger: 'console'
 engines:
   netdisco_template_toolkit:
+    subclass: 'Template::AutoFilter'
     encoding: 'utf8'
     start_tag: '[%'
     end_tag: '%]'
+    ANYCASE: 1
+    ABSOLUTE: 1
     PRE_CHOMP: 1
     INCLUDE_PATH: []
+    AUTO_FILTER: 'html_entity'
 layout: 'main'
 plugins:
   Swagger:
diff --git a/share/views/admintask.tt b/share/views/admintask.tt
index 23d8faaa..435e7fe6 100644
--- a/share/views/admintask.tt
+++ b/share/views/admintask.tt
@@ -9,14 +9,14 @@
         rel="tooltip" data-placement="left" data-offset="5" data-title="Unpin Sidebar" data-container="body"></i>
 
       <div class="tab-content">
-        <div id="[% task.tag %]_search" class="tab-pane active">
-          <form id="[% task.tag %]_form" class="nd_sidebar-form form-stacked"
-              method="get" action="[% uri_for('/admin') %]">
+        <div id="[% task.tag | html_entity %]_search" class="tab-pane active">
+          <form id="[% task.tag | html_entity %]_form" class="nd_sidebar-form form-stacked"
+              method="get" action="[% uri_for('/admin') | none %]">
             [% TRY %]
-            <script type="text/javascript">has_sidebar["[% task.tag %]"] = 1;</script>
+            <script type="text/javascript">has_sidebar["[% task.tag | html_entity %]"] = 1;</script>
             [% INCLUDE "sidebar/admintask/${task.tag}.tt" %]
             [% CATCH %]
-            <script type="text/javascript">has_sidebar["[% task.tag %]"] = 0;</script>
+            <script type="text/javascript">has_sidebar["[% task.tag | html_entity %]"] = 0;</script>
             [% END %]
           </form>
         </div> <!-- /tab-pane -->
@@ -26,8 +26,8 @@
 
   <div class="content">
     <ul id="nd_search-results" class="nav nav-tabs">
-      <li class="active"><a id="[% task.tag %]_link" class="nd_single-tab"
-        href="#[% task.tag %]_pane">[% task.label %]</a></li>
+      <li class="active"><a id="[% task.tag | html_entity %]_link" class="nd_single-tab"
+        href="#[% task.tag | html_entity %]_pane">[% task.label | html_entity %]</a></li>
       [% IF task.tag == 'jobqueue' %]
       <span id="nd_device-name">
         <a class="nd_adminbutton" name="delall" href="#"><i class="icon-trash text-error"></i></a>
@@ -49,7 +49,7 @@
       [% END %]
     </ul>
     <div class="tab-content">
-      <div class="tab-pane active" id="[% task.tag %]_pane"></div>
+      <div class="tab-pane active" id="[% task.tag | html_entity %]_pane"></div>
   </div>
 </div>
 
diff --git a/share/views/ajax/admintask/duplicatedevices.tt b/share/views/ajax/admintask/duplicatedevices.tt
index 71c71790..44315131 100644
--- a/share/views/ajax/admintask/duplicatedevices.tt
+++ b/share/views/ajax/admintask/duplicatedevices.tt
@@ -21,7 +21,7 @@
     [% SET count = count + 1 %]
     <tr>
       <td class="nd_center-cell"><a class="nd_linkcell"
-        href="[% uri_for('/device') %]?tab=details&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
+        href="[% uri_for('/device') | none %]?tab=details&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
         [% row.dns | html_entity %]</td>
       <td class="nd_center-cell">[% row.contact  | html_entity %]</td>
       <td class="nd_center-cell">[% row.location | html_entity %]</td>
@@ -33,15 +33,15 @@
 
       <td class="nd_center-cell">
         <button class="btn btn-danger btn-small"
-          data-toggle="modal" data-target="#nd_devdel-[% count %]" type="button">
+          data-toggle="modal" data-target="#nd_devdel-[% count | html_entity %]" type="button">
           <i class="icon-trash text-danger"></i>
         </button>
 
-        <div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
-          role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
+        <div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
+          role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
           <div class="modal-header">
             <button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
-            <h3 id="nd_devdel-label-[% count %]">Confirm Delete: [% row.ip || row.dns | html_entity %]</h3>
+            <h3 id="nd_devdel-label-[% count | html_entity %]">Confirm Delete: [% row.ip || row.dns | html_entity %]</h3>
           </div>
           <div class="modal-body">
             <blockquote>
diff --git a/share/views/ajax/admintask/jobqueue.tt b/share/views/ajax/admintask/jobqueue.tt
index cfcf7d52..f7f26391 100644
--- a/share/views/ajax/admintask/jobqueue.tt
+++ b/share/views/ajax/admintask/jobqueue.tt
@@ -37,9 +37,9 @@
       [% END %]
       <td class="nd_center-cell">
         [% IF row.action == 'discover' AND row.status == 'error' %]
-        <a href="[% uri_for('/') %]?device=[% row.device | uri %]">[% row.device | html_entity %]</a>
+        <a href="[% uri_for('/') | none %]?device=[% row.device | uri %]">[% row.device | html_entity %]</a>
         [% ELSE %]
-        <a href="[% uri_for('/device') %]?q=[% row.device | uri %]">[% row.target.dns || row.device | html_entity %]</a>
+        <a href="[% uri_for('/device') | none %]?q=[% row.device | uri %]">[% row.target.dns || row.device | html_entity %]</a>
         [% END %]
       </td>
       <td class="nd_center-cell">[% row.port | html_entity %]</td>
diff --git a/share/views/ajax/admintask/nodemonitor.tt b/share/views/ajax/admintask/nodemonitor.tt
index c72287b7..617deb56 100644
--- a/share/views/ajax/admintask/nodemonitor.tt
+++ b/share/views/ajax/admintask/nodemonitor.tt
@@ -48,13 +48,13 @@
         <button class="btn nd_adminbutton" name="update" type="submit"><i class="icon-save text-warning"></i></button>
 
         <button class="btn" data-toggle="modal"
-          data-target="#nd_devdel-[% count %]" type="button"><i class="icon-trash text-error"></i></button>
+          data-target="#nd_devdel-[% count | html_entity %]" type="button"><i class="icon-trash text-error"></i></button>
 
-        <div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
-          role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
+        <div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
+          role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
           <div class="modal-header">
             <button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
-            <h3 id="nd_devdel-label-[% count %]">Are you sure?</h3>
+            <h3 id="nd_devdel-label-[% count | html_entity %]">Are you sure?</h3>
           </div>
           <div class="modal-body">
             <blockquote>
diff --git a/share/views/ajax/admintask/orphaned.tt b/share/views/ajax/admintask/orphaned.tt
index 4b225b43..bcc2ecc0 100644
--- a/share/views/ajax/admintask/orphaned.tt
+++ b/share/views/ajax/admintask/orphaned.tt
@@ -22,11 +22,11 @@
         <tbody>
           [% FOREACH row IN orphans %]
           <tr>
-            <td><a href="[% uri_for('/device') %]?q=[% row.ip | uri %]">
+            <td><a href="[% uri_for('/device') | none %]?q=[% row.ip | uri %]">
             [% row.dns || row.name || row.ip | html_entity %]</a></td>
             <td>
               [% IF row.location %]
-                <a href="[% search_device %]&q=[% row.location | uri %]&location=[% row.location | uri %]">
+                <a href="[% search_device | none %]&q=[% row.location | uri %]&location=[% row.location | uri %]">
                  [% row.location | html_entity %]</a>
               [% ELSE %]
                 [Not Set]
@@ -55,12 +55,12 @@
   [% NEXT IF count == 1 %]
   <div class="accordion-group">
       <div class="accordion-heading"> 
-          <a class="accordion-toggle" data-toggle="collapse" data-target="#collapse-[% count %]" href="#collapse-[% count %]">
+          <a class="accordion-toggle" data-toggle="collapse" data-target="#collapse-[% count | html_entity %]" href="#collapse-[% count | html_entity %]">
             <i class="icon-chevron-up"></i> &nbsp;
               Orphaned Network: [% count - 1 | html_entity  %] Size: [% network.size | html_entity  %] Devices
           </a>
       </div>
-    <div id="collapse-[% count %]" class="accordion-body collapse">
+    <div id="collapse-[% count | html_entity %]" class="accordion-body collapse">
       <div class="accordion-inner">
       <table class="table table-bordered table-condensed">
         <thead>
@@ -75,11 +75,11 @@
         <tbody>
         [% FOREACH row IN network %]
           <tr>
-            <td><a href="[% uri_for('/device') %]?tab=netmap&q=[% row.ip | uri %]&firstsearch=on">
+            <td><a href="[% uri_for('/device') | none %]?tab=netmap&q=[% row.ip | uri %]&firstsearch=on">
             [% row.dns || row.name || row.ip | html_entity %]</a></td>
             <td>
               [% IF row.location %]
-                <a href="[% search_device %]&q=[% row.location | uri %]&location=[% row.location | uri %]">
+                <a href="[% search_device | none %]&q=[% row.location | uri %]&location=[% row.location | uri %]">
                  [% row.location | html_entity %]</a>
               [% ELSE %]
                 [Not Set]
diff --git a/share/views/ajax/admintask/pseudodevice.tt b/share/views/ajax/admintask/pseudodevice.tt
index 7416eace..6df21506 100644
--- a/share/views/ajax/admintask/pseudodevice.tt
+++ b/share/views/ajax/admintask/pseudodevice.tt
@@ -27,7 +27,7 @@
     [% SET count = count + 1 %]
     <tr>
       <td class="nd_center-cell"><a class="nd_linkcell"
-        href="[% uri_for('/device') %]?q=[% row.ip | uri %]">[% row.dns | html_entity %]</a></td>
+        href="[% uri_for('/device') | none %]?q=[% row.ip | uri %]">[% row.dns | html_entity %]</a></td>
       <td class="nd_center-cell">[% row.ip | html_entity %]</td>
       <td class="nd_center-cell">
         <input data-form="update" name="ports" type="number" value="[% row.port_count | html_entity %]">
@@ -43,13 +43,13 @@
         <button class="btn nd_adminbutton" name="update" type="submit"><i class="icon-save text-warning"></i></button>
 
         <button class="btn" data-toggle="modal"
-          data-target="#nd_devdel-[% count %]" type="button"><i class="icon-trash text-error"></i></button>
+          data-target="#nd_devdel-[% count | html_entity %]" type="button"><i class="icon-trash text-error"></i></button>
 
-        <div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
-          role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
+        <div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
+          role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
           <div class="modal-header">
             <button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
-            <h3 id="nd_devdel-label-[% count %]">Are you sure?</h3>
+            <h3 id="nd_devdel-label-[% count | html_entity %]">Are you sure?</h3>
           </div>
           <div class="modal-body">
             <blockquote>
diff --git a/share/views/ajax/admintask/slowdevices.tt b/share/views/ajax/admintask/slowdevices.tt
index dfb84385..75b17204 100644
--- a/share/views/ajax/admintask/slowdevices.tt
+++ b/share/views/ajax/admintask/slowdevices.tt
@@ -16,7 +16,7 @@
     <tr>
       <td class="nd_center-cell">[% row.action.ucfirst | html_entity %]</td>
       <td class="nd_center-cell"><a class="nd_linkcell"
-        href="[% uri_for('/device') %]?q=[% row.device | uri %]">[% row.device | html_entity %]</a></td>
+        href="[% uri_for('/device') | none %]?q=[% row.device | uri %]">[% row.device | html_entity %]</a></td>
       <td class="nd_center-cell">[% row.started  | html_entity %]</td>
       <td class="nd_center-cell">[% row.finished | html_entity %]</td>
       <td class="nd_center-cell">[% row.elapsed  | html_entity %]</td>
diff --git a/share/views/ajax/admintask/timedoutdevices.tt b/share/views/ajax/admintask/timedoutdevices.tt
index 3046c154..7ba78853 100644
--- a/share/views/ajax/admintask/timedoutdevices.tt
+++ b/share/views/ajax/admintask/timedoutdevices.tt
@@ -17,7 +17,7 @@
     <tr>
       <td class="nd_center-cell">[% row.backend | html_entity %]</td>
       <td class="nd_center-cell"><a class="nd_linkcell"
-        href="[% uri_for('/search') %]?tab=node&q=[% row.device | uri %]">[% row.device | html_entity %]</a></td>
+        href="[% uri_for('/search') | none %]?tab=node&q=[% row.device | uri %]">[% row.device | html_entity %]</a></td>
       <td class="nd_center-cell">[% row.dns | html_entity %]</td>
       <td class="nd_center-cell">[% row.deferrals | html_entity %]</td>
       <td class="nd_center-cell">[% row.last_defer | html_entity %]</td>
diff --git a/share/views/ajax/admintask/topology.tt b/share/views/ajax/admintask/topology.tt
index fb5f49fe..d98d9271 100644
--- a/share/views/ajax/admintask/topology.tt
+++ b/share/views/ajax/admintask/topology.tt
@@ -42,22 +42,22 @@
     [% WHILE (row = results.next) %]
     [% SET count = count + 1 %]
     <tr>
-      <td class="nd_center-cell"><a class="nd_linkcell" href="[% uri_for('/device') %]?q=[% row.device1.ip | uri %]">
+      <td class="nd_center-cell"><a class="nd_linkcell" href="[% uri_for('/device') | none %]?q=[% row.device1.ip | uri %]">
         [% (row.device1.dns || row.device1.name || row.device1.ip) | html_entity %]</a>
       </td>
       <td class="nd_center-cell">[% row.port1 | html_entity %]</td>
-      <td class="nd_center-cell"><a class="nd_linkcell" href="[% uri_for('/device') %]?q=[% row.device2.ip | uri %]">
+      <td class="nd_center-cell"><a class="nd_linkcell" href="[% uri_for('/device') | none %]?q=[% row.device2.ip | uri %]">
         [% (row.device2.dns || row.device2.name || row.device2.ip) | html_entity %]</a></td>
       <td class="nd_center-cell">[% row.port2 | html_entity %]</td>
       <td class="nd_center-cell">
         <button class="btn" data-toggle="modal"
-          data-target="#nd_devdel-[% count %]" type="button"><i class="icon-trash text-error"></i></button>
+          data-target="#nd_devdel-[% count | html_entity %]" type="button"><i class="icon-trash text-error"></i></button>
 
-        <div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
-          role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
+        <div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
+          role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
           <div class="modal-header">
             <button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
-            <h3 id="nd_devdel-label-[% count %]">Are you sure?</h3>
+            <h3 id="nd_devdel-label-[% count | html_entity %]">Are you sure?</h3>
           </div>
           <div class="modal-body">
             <blockquote>
diff --git a/share/views/ajax/admintask/undiscoveredneighbors.tt b/share/views/ajax/admintask/undiscoveredneighbors.tt
index b61925c8..6908c081 100644
--- a/share/views/ajax/admintask/undiscoveredneighbors.tt
+++ b/share/views/ajax/admintask/undiscoveredneighbors.tt
@@ -11,14 +11,14 @@
     [% FOREACH row IN results %]
     [% NEXT IF NOT row.remote_ip %]
     <tr>
-      <td nowrap><a href="[% device_ports %]&q=[% row.ip | uri %]">
+      <td nowrap><a href="[% device_ports | none %]&q=[% row.ip | uri %]">
               [% row.dns || row.name || row.ip | html_entity %]</a><br>
-          <a href="[% device_ports %]&q=[% row.ip | uri %]&f=[% row.port | uri %]">
+          <a href="[% device_ports | none %]&q=[% row.ip | uri %]&f=[% row.port | uri %]">
               [% row.port | html_entity %]</a>
           [% IF row.port_description %]<br>[% row.port_description | html_entity %][% END %]
           [% IF row.comment %]<br>&quot;<em>[% row.comment | html_entity %]</em>&quot;[% END %]
       </td>
-      <td nowrap><a href="[% search_node %]&q=[% row.remote_ip | uri %]">
+      <td nowrap><a href="[% search_node | none %]&q=[% row.remote_ip | uri %]">
           [% row.remote_ip | html_entity %]</a><br>
           [% row.remote_port | html_entity %]</td>
       <td>[% row.remote_id | html_entity %]<br>
diff --git a/share/views/ajax/admintask/userlog.tt b/share/views/ajax/admintask/userlog.tt
index 65bc50e4..02a943db 100644
--- a/share/views/ajax/admintask/userlog.tt
+++ b/share/views/ajax/admintask/userlog.tt
@@ -19,7 +19,7 @@ $(document).ready(function() {
   $('#aul-data-table').dataTable( {
     "serverSide": true,
     "order": [[ 0, "desc" ]],
-    "ajax": "[% uri_for('/ajax/control/admin/userlog/data') %]",
+    "ajax": "[% uri_for('/ajax/control/admin/userlog/data') | none %]",
     "columns": [{
       "data": 'creation',
       "className": "nd_center-cell",
diff --git a/share/views/ajax/admintask/users.tt b/share/views/ajax/admintask/users.tt
index f5fbfa05..809eeec6 100644
--- a/share/views/ajax/admintask/users.tt
+++ b/share/views/ajax/admintask/users.tt
@@ -66,13 +66,13 @@
         <button class="btn nd_adminbutton" name="update" type="submit"><i class="icon-save text-warning"></i></button>
 
         <button class="btn" data-toggle="modal"
-          data-target="#nd_devdel-[% count %]" type="button"><i class="icon-trash text-error"></i></button>
+          data-target="#nd_devdel-[% count | html_entity %]" type="button"><i class="icon-trash text-error"></i></button>
 
-        <div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
-          role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
+        <div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
+          role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
           <div class="modal-header">
             <button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
-            <h3 id="nd_devdel-label-[% count %]">Are you sure?</h3>
+            <h3 id="nd_devdel-label-[% count | html_entity %]">Are you sure?</h3>
           </div>
           <div class="modal-body">
             <blockquote>
diff --git a/share/views/ajax/datatabledefaults.tt b/share/views/ajax/datatabledefaults.tt
index 86276817..c7717269 100644
--- a/share/views/ajax/datatabledefaults.tt
+++ b/share/views/ajax/datatabledefaults.tt
@@ -1,8 +1,8 @@
 
     "processing": true
     ,"stateSave": true
-    ,"pageLength": [% settings.table_pagesize %]
-    ,"lengthMenu": [% table_showrecordsmenu %]
+    ,"pageLength": [% settings.table_pagesize | none %]
+    ,"lengthMenu": [% table_showrecordsmenu | none %]
     ,"dom": '<"top"l<"nd_datatables-pager"p>f>rit<"bottom"><"clear">'
     ,"language": {
       "search": '_INPUT_'
diff --git a/share/views/ajax/device/addresses.tt b/share/views/ajax/device/addresses.tt
index 3ab62a3b..00ed919c 100644
--- a/share/views/ajax/device/addresses.tt
+++ b/share/views/ajax/device/addresses.tt
@@ -14,7 +14,7 @@
 $(document).ready(function() {
   var table = $('#da-data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'alias',
@@ -31,7 +31,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
@@ -42,7 +42,7 @@ $(document).ready(function() {
       }, {
         "data": 'subnet',
         "render": function(data, type, row, meta) {
-          return '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '&ip=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '&ip=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
         }
       }
     ],
diff --git a/share/views/ajax/device/details.tt b/share/views/ajax/device/details.tt
index 049c9c96..cc6e7a27 100644
--- a/share/views/ajax/device/details.tt
+++ b/share/views/ajax/device/details.tt
@@ -3,7 +3,7 @@
   <tbody>
     <tr>
       <td>System Name</td>
-      <td>[% d.name %]</td>
+      <td>[% d.name | html_entity %]</td>
     </tr>
     <tr>
       <td>Location
@@ -13,13 +13,13 @@
       </td>
       [% IF user_can_port_control %]
       <td class="nd_editable-cell" contenteditable="true"
-        data-field="location" data-for-device="[% d.ip %]">
+        data-field="location" data-for-device="[% d.ip | html_entity %]">
           [% d.location | html_entity %]
       </td>
       [% ELSE %]
       <td>
         <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.location | uri %]&location=[% d.location | uri %]">[% d.location | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.location | uri %]&location=[% d.location | uri %]">[% d.location | html_entity %]</a>
       </td>
       [% END %]
     </tr>
@@ -42,20 +42,20 @@
       <td>Vendor / Model</td>
       <td>
         <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.vendor | uri %]&vendor=[% d.vendor | uri %]">[% d.vendor | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.vendor | uri %]&vendor=[% d.vendor | uri %]">[% d.vendor | html_entity %]</a>
         /
         <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.model | uri %]&model=[% d.model | uri %]">[% d.model | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.model | uri %]&model=[% d.model | uri %]">[% d.model | html_entity %]</a>
       </td>
     </tr>
     <tr>
       <td>OS / Version</td>
       <td>
         <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.os | uri %]&os=[% d.os | uri %]">[% d.os | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.os | uri %]&os=[% d.os | uri %]">[% d.os | html_entity %]</a>
         /
         <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.os_ver | uri %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.os_ver | uri %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver | html_entity %]</a>
       </td>
     </tr>
     <tr>
@@ -70,7 +70,7 @@
     [% FOREACH config IN settings._extra_device_details %]
     <tr>
       <td>
-          [% config.label %]
+          [% config.label | html_entity %]
       </td>
       <td>
           [% TRY %]
@@ -104,13 +104,13 @@
     <tr>
       <td>Layers</td>
       <td>
-        [% d.layers.substr(7,1) ? '<span class="badge badge-success">1</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(6,1) ? '<span class="badge badge-success">2</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(5,1) ? '<span class="badge badge-success">3</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(4,1) ? '<span class="badge badge-success">4</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(3,1) ? '<span class="badge badge-success">5</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(2,1) ? '<span class="badge badge-success">6</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(1,1) ? '<span class="badge badge-success">7</span>' : '<span class="badge">&nbsp;</span>' %]
+        [% (d.layers.substr(7,1) ? '<span class="badge badge-success">1</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(6,1) ? '<span class="badge badge-success">2</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(5,1) ? '<span class="badge badge-success">3</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(4,1) ? '<span class="badge badge-success">4</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(3,1) ? '<span class="badge badge-success">5</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(2,1) ? '<span class="badge badge-success">6</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(1,1) ? '<span class="badge badge-success">7</span>' : '<span class="badge">&nbsp;</span>') | none %]
       </td>
     </tr>
     <tr>
@@ -139,7 +139,7 @@
         [% UNLESS m.module == 1 %]
           <br/>
         [% END %]
-        Module [% m.module %]: [% m.status | html_entity %], [% m.poe_capable_ports %] power-capable ports, [% m.poe_powered_ports %] powered ([% m.poe_disabled_ports %] admin disabled, [% m.poe_errored_ports %] errors), [% m.poe_power_committed %]/[% m.power %] watts committed.
+        Module [% m.module | html_entity %]: [% m.status | html_entity %], [% m.poe_capable_ports | html_entity %] power-capable ports, [% m.poe_powered_ports | html_entity %] powered ([% m.poe_disabled_ports | html_entity %] admin disabled, [% m.poe_errored_ports | html_entity %] errors), [% m.poe_power_committed | html_entity %]/[% m.power | html_entity %] watts committed.
       [% END %]
       </td>
     </tr>
@@ -153,16 +153,16 @@
       <td>[% d.vtp_domain | html_entity %]</td>
     </tr>
     [% IF user_has_role('admin') %]
-    <tr data-for-device="[% d.ip %]">
+    <tr data-for-device="[% d.ip | html_entity %]">
       <td>Admin Tasks</td>
       <td>
-        <input type="hidden" data-form="discover" value="[% d.ip %]" name="device"/>
+        <input type="hidden" data-form="discover" value="[% d.ip | html_entity %]" name="device"/>
         <button class="btn btn-info btn-small nd_adminbutton" name="discover">Discover</button>
-        <input type="hidden" data-form="arpnip" value="[% d.ip %]" name="device"/>
+        <input type="hidden" data-form="arpnip" value="[% d.ip | html_entity %]" name="device"/>
         <button class="btn btn-info btn-small nd_adminbutton" name="arpnip">Arpnip</button>
-        <input type="hidden" data-form="macsuck" value="[% d.ip %]" name="device"/>
+        <input type="hidden" data-form="macsuck" value="[% d.ip | html_entity %]" name="device"/>
         <button class="btn btn-info btn-small nd_adminbutton" name="macsuck">Macsuck</button>
-        <input type="hidden" data-form="nbtstat" value="[% d.ip %]" name="device"/>
+        <input type="hidden" data-form="nbtstat" value="[% d.ip | html_entity %]" name="device"/>
         <button class="btn btn-info btn-small nd_adminbutton" name="nbtstat">NBTstat</button>
 
         <button class="btn btn-danger btn-small pull-right"
@@ -187,7 +187,7 @@
               <input id="nd_devdel-archive" type="checkbox" data-form="delete" name="archive">
               <h4 class="nd_unbolden">Archive Nodes</h4>
             </label>
-            <input type="hidden" data-form="delete" value="[% d.ip %]" name="device"/>
+            <input type="hidden" data-form="delete" value="[% d.ip | html_entity %]" name="device"/>
           </div>
           <div class="modal-footer">
             <button class="btn btn-success" data-dismiss="modal" aria-hidden="true">Cancel</button>
diff --git a/share/views/ajax/device/modules.tt b/share/views/ajax/device/modules.tt
index 834864e5..9c36fe82 100644
--- a/share/views/ajax/device/modules.tt
+++ b/share/views/ajax/device/modules.tt
@@ -20,9 +20,9 @@
 [%- ELSE -%]
 <span><i class="icon-leaf"></i>&nbsp;
 [%- END -%]
- <a href="[% uri_for('/report/moduleinventory') %]?description=[% nodes.$item.module.description | uri %]">[% nodes.$item.module.description -%]</a>
+ <a href="[% uri_for('/report/moduleinventory') | none %]?description=[% nodes.$item.module.description | uri %]">[% nodes.$item.module.description -%]</a>
 [%- IF nodes.$item.module.name -%]
- <a href="[% uri_for('/report/moduleinventory') %]?name=[% nodes.$item.module.name | uri %]">([% nodes.$item.module.name %])</a>
+ <a href="[% uri_for('/report/moduleinventory') | none %]?name=[% nodes.$item.module.name | uri %]">([% nodes.$item.module.name %])</a>
 [%- END -%]
 [%- IF nodes.$item.module.fw_ver -%]
  fw: [% nodes.$item.module.fw_ver %]
@@ -34,13 +34,13 @@
  sw: [% nodes.$item.module.sw_ver %]
 [%- END -%]
 [%- IF nodes.$item.module.serial -%]
- <a href="[% uri_for('/report/moduleinventory') %]?serial=[% nodes.$item.module.serial | uri %]">[serial: [% nodes.$item.module.serial %]]</a>
+ <a href="[% uri_for('/report/moduleinventory') | none %]?serial=[% nodes.$item.module.serial | uri %]">[serial: [% nodes.$item.module.serial %]]</a>
 [%- END -%]
 [%- IF nodes.$item.module.type -%]
- / <a href="[% uri_for('/report/moduleinventory') %]?type=[% nodes.$item.module.type | uri %]">[% nodes.$item.module.type %]</a>
+ / <a href="[% uri_for('/report/moduleinventory') | none %]?type=[% nodes.$item.module.type | uri %]">[% nodes.$item.module.type %]</a>
 [%- END -%]
 [%- IF nodes.$item.module.model -%]
- / <a href="[% uri_for('/report/moduleinventory') %]?model=[% nodes.$item.module.model | uri %]">[% nodes.$item.module.model %]</a>
+ / <a href="[% uri_for('/report/moduleinventory') | none %]?model=[% nodes.$item.module.model | uri %]">[% nodes.$item.module.model %]</a>
 [%- END -%]
 [%- IF nodes.$item.module.fru -%]
  <b>[FRU]</b>
diff --git a/share/views/ajax/device/netmap.tt b/share/views/ajax/device/netmap.tt
index a2a0c255..a2bd8f45 100644
--- a/share/views/ajax/device/netmap.tt
+++ b/share/views/ajax/device/netmap.tt
@@ -5,7 +5,7 @@
 // ************ retrieve network map *************
 // ***********************************************
 
-$.getJSON('[% uri_for('/ajax/data/device/netmap') %]?[% my_query %]', function(mapdata) {
+$.getJSON('[% uri_for('/ajax/data/device/netmap') | none %]?[% my_query | none %]', function(mapdata) {
 
   jQuery(document).ready(function() {
     window.graph = netGobrechtsD3Force('netmap_pane')
@@ -22,7 +22,7 @@ $.getJSON('[% uri_for('/ajax/data/device/netmap') %]?[% my_query %]', function(m
       .showLinkDirection(false)
       .colorScheme('color10')
       //.preventLabelOverlappingOnForceEnd(
-      //  (mapdata['newnodes'] && ('[% params.mapshow %]' == 'neighbors'))
+      //  (mapdata['newnodes'] && ('[% params.mapshow | html_entity %]' == 'neighbors'))
       //  ? true : false
       //)
       .nodeEventToStopPinMode('none')
@@ -158,9 +158,9 @@ $.getJSON('[% uri_for('/ajax/data/device/netmap') %]?[% my_query %]', function(m
     graph.start(mapdata);
 
     // about a second after render starts, zoom in a bit
-    if ('[% params.mapshow %]' == 'neighbors') {
+    if ('[% params.mapshow | html_entity %]' == 'neighbors') {
       setTimeout(function() {
-        //if ('[% params.dynamicsize %]' == 'on') {
+        //if ('[% params.dynamicsize | html_entity %]' == 'on') {
         //  graph.zoomToFit();
         //} else {
           var node = graph.nodeDataById( graph['nd2']['centernode'] );
@@ -215,7 +215,7 @@ function spin(selection, duration) {
 function saveMapPositions() {
   graph.inspect().main.nodes.each(function(n) { n.fixed = true });
   $.post(
-    '[% uri_for('/ajax/data/device/netmappositions') %]'
+    '[% uri_for('/ajax/data/device/netmappositions') | none %]'
     ,$("#nd_vlan-entry, #nd_hgroup-select, #nd_lgroup-select, #nq, input[name='mapshow']").serialize()
       + '&positions=' + JSON.stringify(graph.positions())
   );
diff --git a/share/views/ajax/device/ports.tt b/share/views/ajax/device/ports.tt
index 1db59f70..d2298c9b 100644
--- a/share/views/ajax/device/ports.tt
+++ b/share/views/ajax/device/ports.tt
@@ -11,7 +11,7 @@
         [% IF (item.name == 'c_port' OR item.name == 'c_descr' OR item.name == 'c_name') %]
           [% th_class = ' class="portsort"' %]
         [% END %]
-        <th[% th_class %]>
+        <th[% th_class | html_entity %]>
           [% IF item.name == 'c_neighbors' %]
           [% IF params.c_nodes %]
           Connected Nodes &amp; Devices
@@ -84,7 +84,7 @@
       <td nowrap data-order="[% row.port | html_entity %]" data-filter="[% row.port | html_entity %]">
       [% END %]
         <a class="nd_log-icon"
-          href="[% uri_for('/report/portlog') %]?q=[% device.ip | uri %]&f=[% row.port | uri %]">
+          href="[% uri_for('/report/portlog') | none %]?q=[% device.ip | uri %]&f=[% row.port | uri %]">
           <i class="icon-file-text-alt"
             rel="tooltip" data-placement="top" data-offset="3"
             data-animation="" data-title="View Port Log"></i>
@@ -110,13 +110,13 @@
         </span>
       [% END %]
       [% END %]
-        <a class="nd_this-port-only nd_port-only-first" href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.port | uri %]&prefer=port">
+        <a class="nd_this-port-only nd_port-only-first" href="[% device_ports | none %]&q=[% params.q | uri %]&f=[% row.port | uri %]&prefer=port">
           [% IF row.is_master %]
             <small><i class="icon-group muted"></i></small>&nbsp;
           [% END %]
         [% row.port | html_entity %]</a>
         [% IF row.slave_of %]<br/>
-          <a class="nd_this-port-only" href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.slave_of | uri %]&prefer=port">
+          <a class="nd_this-port-only" href="[% device_ports | none %]&q=[% params.q | uri %]&f=[% row.slave_of | uri %]&prefer=port">
           [% row.slave_of | html_entity %]</a>
         [% END %]
       </td>
@@ -204,7 +204,7 @@
       <td>
         [% IF row.vlan AND row.vlan > 0 %]
         <a class="nd_linkcell"
-          href="[% uri_for('/search') %]?tab=vlan&q=[% row.vlan | uri %]">
+          href="[% uri_for('/search') | none %]?tab=vlan&q=[% row.vlan | uri %]">
             [% row.vlan | html_entity %]</a>
         [% END %]
       </td>
@@ -229,7 +229,7 @@
                 <div class="nd_collapsing nd_collapse-pre-hidden">' _ output %]
             [% SET output = output _ '</div>' %]
           [% END %]
-          [% output %]
+          [% output | none %]
         [% ELSE %]
         <i class="icon-asterisk text-warning"></i> ([% vlans.$portname.vlan_count %] is too many to list)
         [% END %]
@@ -292,16 +292,16 @@
             [% ELSIF row.remote_is_wap %]
               <i class="icon-rss"></i>&nbsp;
             [% END %]
-            <a href="[% device_ports %]&q=[% row.get_column('neighbor_ip') | uri %]">
+            <a href="[% device_ports | none %]&q=[% row.get_column('neighbor_ip') | uri %]">
                 [% row.get_column('neighbor_dns').remove(settings.domain_suffix) || row.get_column('neighbor_ip') | html_entity %]</a>
             [% IF row.remote_port and has_snmp(row.remote_type) %]
                 -
-                <a href="[% device_ports %]&q=[% row.get_column('neighbor_ip') | uri %]&f=[% row.remote_port | uri %]&prefer=port">
+                <a href="[% device_ports | none %]&q=[% row.get_column('neighbor_ip') | uri %]&f=[% row.remote_port | uri %]&prefer=port">
                     [% row.remote_port | html_entity %]</a>
             [% END %]
             <br/>
             [% IF params.n_inventory and row.remote_inventory %]
-              [% row.remote_inventory %]<br/>
+              [% row.remote_inventory | html_entity %]<br/>
             [% END %]
             [% IF params.n_detailed_inventory and (row.remote_id or row.remote_type) %]
               ([% 'id: '_ row.remote_id IF row.remote_id %]
@@ -314,14 +314,14 @@
             [% ELSIF row.remote_is_wap %]
               <i class="icon-rss"></i>&nbsp;
             [% END %]
-            <a href="[% search_node %]&q=[% row.remote_ip | uri %]">
+            <a href="[% search_node | none %]&q=[% row.remote_ip | uri %]">
               [% row.remote_ip | html_entity %]
               [% IF row.remote_port and has_snmp(row.remote_type) %]
                 - [% row.remote_port | html_entity %]
               [% END %]
             </a><br/>
             [% IF params.n_inventory and row.remote_inventory %]
-              [% row.remote_inventory %]<br/>
+              [% row.remote_inventory | html_entity %]<br/>
             [% END %]
             [% IF params.n_detailed_inventory and (row.remote_id or row.remote_type) %]
               ([% 'id: '_ row.remote_id IF row.remote_id %]
@@ -336,7 +336,7 @@
           [% '<br/>' IF (row.remote_ip OR row.is_uplink) OR NOT loop.first %]
           [% '<i class="icon-book"></i>&nbsp; ' IF NOT node.active %]
           [% '<i class="icon-signal"></i>&nbsp;' IF node.wireless.defined %]
-          <a href="[% search_node %]&q=[% node.net_mac.$mac_format_call | uri %]">
+          <a href="[% search_node | none %]&q=[% node.net_mac.$mac_format_call | uri %]">
             [% node.net_mac.$mac_format_call | html_entity %]</a>
           [% IF (node.vlan > 0) && (node.vlan != row.vlan) %]
             (on vlan [% node.vlan | html_entity %])
@@ -361,23 +361,23 @@
             <br/>&nbsp; [% '<i class="icon-book"></i>&nbsp; ' IF NOT ip.active %]
               [% SET dns = ip.dns %]
               [% IF dns %]
-              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% dns %] ([% ip.ip | html_entity %])</a>
+              <a href="[% search_node | none %]&q=[% ip.ip | uri %]">[% dns | html_entity %] ([% ip.ip | html_entity %])</a>
               [% ELSE %]
-              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% ip.ip | html_entity %]</a>
+              <a href="[% search_node | none %]&q=[% ip.ip | uri %]">[% ip.ip | html_entity %]</a>
               [% END %]
             [% END %]
           [% END %]
           [% IF params.n_netbios %]
             [% FOREACH nbt IN node.netbios %]
-            <br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\\<a href="[% uri_for('/report/netbios') %]?domain=[% nbt.domain | uri %]" title="Nodes in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
-            <br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
+            <br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\\<a href="[% uri_for('/report/netbios') | none %]?domain=[% nbt.domain | uri %]" title="Nodes in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node | none %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
+            <br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node | none %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
             [% END %]
           [% END %]
         [% END %]
         [% END %]
         [% IF user_can_port_control AND params.c_admin %]
         <a class="nd_log-icon"
-          href="[% uri_for('/admin/topology') %]?dev1=[% device.ip | uri %]&port1=[% row.port | uri %]">
+          href="[% uri_for('/admin/topology') | none %]?dev1=[% device.ip | uri %]&port1=[% row.port | uri %]">
           <i class="icon-link text-warning"
             rel="tooltip" data-placement="top" data-offset="3"
             data-animation="" data-title="Manual Topology"></i>
diff --git a/share/views/ajax/device/vlans.tt b/share/views/ajax/device/vlans.tt
index aa8f795f..7affa5ba 100644
--- a/share/views/ajax/device/vlans.tt
+++ b/share/views/ajax/device/vlans.tt
@@ -11,17 +11,17 @@
 $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'vlan',
         "render": function(data, type, row, meta) {
-          return '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + data + '</a>';
+          return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + data + '</a>';
         }
       }, {
         "data": 'description',
         "render": function(data, type, row, meta) {
-          return '<a href="[% uri_for('/search') %]?tab=vlan&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% uri_for('/search') | none %]?tab=vlan&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
         }
       }
     ],
diff --git a/share/views/ajax/report/apchanneldist.tt b/share/views/ajax/report/apchanneldist.tt
index 5dd9b556..d6012312 100644
--- a/share/views/ajax/report/apchanneldist.tt
+++ b/share/views/ajax/report/apchanneldist.tt
@@ -12,7 +12,7 @@ $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
     "order": [[ 1, "desc" ]],
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'channel'
diff --git a/share/views/ajax/report/apclients.tt b/share/views/ajax/report/apclients.tt
index bcfef160..56a54b53 100644
--- a/share/views/ajax/report/apclients.tt
+++ b/share/views/ajax/report/apclients.tt
@@ -16,13 +16,13 @@ $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
     "order": [[ 5, "desc" ]],
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'ip',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% uri_for('/device') %]?tab=details&q=' + encodeURIComponent(row.ip) + '">'
+            '<a href="[% uri_for('/device') | none %]?tab=details&q=' + encodeURIComponent(row.ip) + '">'
             + he.encode(row.dns || row.name || row.ip) + '</a>' :
           data;
         }
@@ -41,7 +41,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
diff --git a/share/views/ajax/report/apradiochannelpower.tt b/share/views/ajax/report/apradiochannelpower.tt
index 6faf2299..f85a9bf6 100644
--- a/share/views/ajax/report/apradiochannelpower.tt
+++ b/share/views/ajax/report/apradiochannelpower.tt
@@ -25,7 +25,7 @@ function groupString(d) {
     "use strict";
     var s = '';
     s = s + 'Device: ';
-    s = s + '<a href="[% uri_for('/device') %]?tab=details&q=' + encodeURIComponent(d.ip) + '">';
+    s = s + '<a href="[% uri_for('/device') | none %]?tab=details&q=' + encodeURIComponent(d.ip) + '">';
     s = s + he.encode(d.dns || d.device_name || d.ip);
     if (d.dns || d.device_name) {
         s = s + ' (' +  he.encode(d.ip) + ') ';
@@ -39,7 +39,7 @@ function groupString(d) {
 $(document).ready(function() {
   var table = $('#data-table').DataTable({
     "serverSide": true,
-    "ajax": "[% uri_for('/ajax/content/report/apradiochannelpower/data') %]",
+    "ajax": "[% uri_for('/ajax/content/report/apradiochannelpower/data') | none %]",
     "order": [[ 0, 'asc' ]],
     "columns": [
       {
@@ -59,7 +59,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
diff --git a/share/views/ajax/report/deviceaddrnodns.tt b/share/views/ajax/report/deviceaddrnodns.tt
index 08b7c4da..4d65e37d 100644
--- a/share/views/ajax/report/deviceaddrnodns.tt
+++ b/share/views/ajax/report/deviceaddrnodns.tt
@@ -13,11 +13,11 @@
 $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [{
         "data": 'ip',
         "render": function(data, type, row, meta) {
-          return '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '">' + he.encode(row.dns || row.name || row.ip) + '</a>';
+          return '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(row.dns || row.name || row.ip) + '</a>';
         }
       }, {
         "data": 'alias',
diff --git a/share/views/ajax/report/devicebylocation.tt b/share/views/ajax/report/devicebylocation.tt
index f60a3464..4f519a2a 100644
--- a/share/views/ajax/report/devicebylocation.tt
+++ b/share/views/ajax/report/devicebylocation.tt
@@ -15,13 +15,13 @@ $(document).ready(function() {
     var table = $('#data-table').dataTable({
         "deferRender": true,
         "order": [[ 0, "asc" ], [2, "asc"], [ 3, "asc" ], [4, "asc"]],
-        "data": [% results %],
+        "data": [% results | none %],
         "columns": [
            {
                 "data": 'location',
                 "render": function(data, type, row, meta) {
                   if (data) {
-                    return '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '&location=' + encodeURIComponent(data) + '">' + he.encode(data) + '</a>';
+                    return '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '&location=' + encodeURIComponent(data) + '">' + he.encode(data) + '</a>';
 
                   } else {
                     return '[Not Set]';
@@ -30,22 +30,22 @@ $(document).ready(function() {
             }, {
                 "data": 'ip',
                 "render": function(data, type, row, meta) {
-                    return '<a href="[% uri_for('/device') %]?q=' + encodeURIComponent(data) + '">' + he.encode(row.dns || row.ip) + '</a>';
+                    return '<a href="[% uri_for('/device') | none %]?q=' + encodeURIComponent(data) + '">' + he.encode(row.dns || row.ip) + '</a>';
                 }
             }, {
                 "data": 'name',
                 "render": function(data, type, row, meta) {
-                    return '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '&model=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+                    return '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '&model=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
                 }
             }, {
                 "data": 'vendor',
                 "render": function(data, type, row, meta) {
-                    return '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '&model=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+                    return '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '&model=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
                 }
             }, {
                 "data": 'model',
                 "render": function(data, type, row, meta) {
-                    return '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '&model=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+                    return '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '&model=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
                 }
             }
         ],
diff --git a/share/views/ajax/report/devicednsmismatch.tt b/share/views/ajax/report/devicednsmismatch.tt
index 06fd51b2..2ee7586e 100644
--- a/share/views/ajax/report/devicednsmismatch.tt
+++ b/share/views/ajax/report/devicednsmismatch.tt
@@ -14,12 +14,12 @@
 $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'ip',
         "render": function(data, type, row, meta) {
-            return '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '">' + he.encode(row.name || row.ip) + '</a>';
+            return '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(row.name || row.ip) + '</a>';
           }
       }, {
         "data": 'dns',
diff --git a/share/views/ajax/report/devicepoestatus.tt b/share/views/ajax/report/devicepoestatus.tt
index 3ff2d9a5..e819debc 100644
--- a/share/views/ajax/report/devicepoestatus.tt
+++ b/share/views/ajax/report/devicepoestatus.tt
@@ -20,20 +20,20 @@
   <tbody>
     [% FOREACH row IN results %]
     <tr>
-      <td>[% row.ip %]</td>
-      <td>[% row.dns %]</td>
-      <td>[% row.name %]</td>
-      <td>[% row.model %]</td>
-      <td>[% row.location %]</td>
-      <td>[% row.module %]</td>
-      <td class="nd_center-cell">[% row.power %]</td>
-      <td class="nd_center-cell">[% row.status %]</td>
-      <td class="nd_center-cell">[% row.poe_capable_ports %]</td>
-      <td class="nd_center-cell">[% row.poe_powered_ports %]</td>
-      <td class="nd_center-cell">[% row.poe_disabled_ports %]</td>
-      <td class="nd_center-cell">[% row.poe_errored_ports %]</td>
-      <td class="nd_center-cell">[% row.poe_power_committed %]</td>
-      <td class="nd_center-cell">[% row.poe_power_delivering %]</td>
+      <td>[% row.ip | html_entity %]</td>
+      <td>[% row.dns | html_entity %]</td>
+      <td>[% row.name | html_entity %]</td>
+      <td>[% row.model | html_entity %]</td>
+      <td>[% row.location | html_entity %]</td>
+      <td>[% row.module | html_entity %]</td>
+      <td class="nd_center-cell">[% row.power | html_entity %]</td>
+      <td class="nd_center-cell">[% row.status | html_entity %]</td>
+      <td class="nd_center-cell">[% row.poe_capable_ports | html_entity %]</td>
+      <td class="nd_center-cell">[% row.poe_powered_ports | html_entity %]</td>
+      <td class="nd_center-cell">[% row.poe_disabled_ports | html_entity %]</td>
+      <td class="nd_center-cell">[% row.poe_errored_ports | html_entity %]</td>
+      <td class="nd_center-cell">[% row.poe_power_committed | html_entity %]</td>
+      <td class="nd_center-cell">[% row.poe_power_delivering | html_entity %]</td>
     </tr>
     [% END %]
   </tbody>
@@ -51,7 +51,7 @@ function groupString(d) {
     "use strict";
     var s = '';
     s = s + 'Device: ';
-    s = s + '<a href="[% uri_for('/device') %]?tab=details&q=' + encodeURIComponent(d.ip) + '">';
+    s = s + '<a href="[% uri_for('/device') | none %]?tab=details&q=' + encodeURIComponent(d.ip) + '">';
     s = s + he.encode(d.dns || d.name || d.ip);
     if (d.dns || d.name) {
         s = s + ' (' +  he.encode(d.ip) + ') ';
@@ -65,7 +65,7 @@ function groupString(d) {
 $(document).ready(function() {
     var table = $('#data-table').DataTable({
     "serverSide": true,
-    "ajax": "[% uri_for('/ajax/content/report/devicepoestatus/data') %]",
+    "ajax": "[% uri_for('/ajax/content/report/devicepoestatus/data') | none %]",
     "order": [[ 0, 'asc' ]],
     "columns": [
       {
diff --git a/share/views/ajax/report/duplexmismatch.tt b/share/views/ajax/report/duplexmismatch.tt
index 7d36bfd2..be29e4d4 100644
--- a/share/views/ajax/report/duplexmismatch.tt
+++ b/share/views/ajax/report/duplexmismatch.tt
@@ -15,7 +15,7 @@
 $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'left_ip',
@@ -27,7 +27,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&q=' + encodeURIComponent(row.left_dns || row.left_ip) + '&f=' + encodeURIComponent(data) + '&c_duplex=on">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.left_dns || row.left_ip) + '&f=' + encodeURIComponent(data) + '&c_duplex=on">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
@@ -45,7 +45,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&q=' + encodeURIComponent(row.right_dns || row.right_ip) + '&f=' + encodeURIComponent(data) + '&c_duplex=on">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.right_dns || row.right_ip) + '&f=' + encodeURIComponent(data) + '&c_duplex=on">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
diff --git a/share/views/ajax/report/halfduplex.tt b/share/views/ajax/report/halfduplex.tt
index 8816d758..103638ab 100644
--- a/share/views/ajax/report/halfduplex.tt
+++ b/share/views/ajax/report/halfduplex.tt
@@ -13,7 +13,7 @@
 $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'ip',
@@ -25,7 +25,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_duplex=on">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_duplex=on">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
diff --git a/share/views/ajax/report/inventorybymodelbyos.tt b/share/views/ajax/report/inventorybymodelbyos.tt
index 52d82732..331a2897 100644
--- a/share/views/ajax/report/inventorybymodelbyos.tt
+++ b/share/views/ajax/report/inventorybymodelbyos.tt
@@ -10,13 +10,13 @@
     [% FOREACH row IN results %]
     <tr>
       <td>
-        <a href="[% search_device %]&q=[% row.model | uri %]&vendor=[% row.vendor | uri %]&model=[% row.model | uri %]">
+        <a href="[% search_device | none %]&q=[% row.model | uri %]&vendor=[% row.vendor | uri %]&model=[% row.model | uri %]">
             [% row.vendor.ucfirst | html_entity %]&nbsp;[% row.model | html_entity %]</a>
             [% IF row.os %] running &quot;[% row.os | html_entity %]&quot;[% END %]
       </td>
       <td>
         <a class="nd_linkcell"
-          href="[% search_device %]&q=[% row.os_ver | uri %]&vendor=[% row.vendor | uri %]&model=[% row.model | uri %]&os=[% row.os | uri %]&os_ver=[% row.os_ver | uri %]&matchall=on">
+          href="[% search_device | none %]&q=[% row.os_ver | uri %]&vendor=[% row.vendor | uri %]&model=[% row.model | uri %]&os=[% row.os | uri %]&os_ver=[% row.os_ver | uri %]&matchall=on">
             [% row.os_ver | html_entity %]</a>
       </td>
       <td>[% row.os_ver_count | html_entity %]</td>
diff --git a/share/views/ajax/report/ipinventory.tt b/share/views/ajax/report/ipinventory.tt
index bf48181f..8ff1aab0 100644
--- a/share/views/ajax/report/ipinventory.tt
+++ b/share/views/ajax/report/ipinventory.tt
@@ -13,7 +13,7 @@
 $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'ip',
@@ -21,12 +21,12 @@ $(document).ready(function() {
           var cell_str = he.encode(data);
           if (type == 'display') {
             if (row.time_last && row.node) {
-              cell_str = '<a href="[% search_node %]&q=' + encodeURIComponent(data)
+              cell_str = '<a href="[% search_node | none %]&q=' + encodeURIComponent(data)
                 + (row.active ? '' : '&archived=on') + '">' + he.encode(data)
                 + (row.active ? '' : '&nbsp;<i class="icon-book text-warning"></i>&nbsp;') + '</a>';
             }
             else if (row.time_last) {
-              cell_str = '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '">' + he.encode(data) + '</a>';
+              cell_str = '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(data) + '</a>';
             }
           }
           return cell_str;
@@ -36,7 +36,7 @@ $(document).ready(function() {
         "render": function(data, type, row, meta) {
           var cell_str = he.encode(data || '');
           if (type == 'display' && data && row.time_last) {
-            cell_str = '<a href="[% search_node %]&q=' + encodeURIComponent(data)
+            cell_str = '<a href="[% search_node | none %]&q=' + encodeURIComponent(data)
               + (row.active ? '' : '&archived=on') + '">' + he.encode(data)
               + (row.active ? '' : '&nbsp;<i class="icon-book text-warning"></i>&nbsp;') + '</a>';
           }
diff --git a/share/views/ajax/report/moduleinventory.tt b/share/views/ajax/report/moduleinventory.tt
index a22a4ac0..25978ee9 100644
--- a/share/views/ajax/report/moduleinventory.tt
+++ b/share/views/ajax/report/moduleinventory.tt
@@ -34,42 +34,42 @@ $(document).ready(function() {
     "serverSide": true,
     "searching": false,
     "order": [[ 0, "desc" ]],
-    "ajax": "[% uri_for('/ajax/content/report/moduleinventory/data') %]?[% url(params('query').hash) %]",
+    "ajax": "[% uri_for('/ajax/content/report/moduleinventory/data') | none %]?[% url(params('query').hash) | none %]",
     "columns": [
       {
       "data": 'ip',
       "render": function(data, type, row, meta) {
-        return '<a href="[% uri_for('/device') %]?tab=modules&q=' + encodeURIComponent(data) + '">' + he.encode(row.device.dns || row.device.name || row.ip) + '</a>';
+        return '<a href="[% uri_for('/device') | none %]?tab=modules&q=' + encodeURIComponent(data) + '">' + he.encode(row.device.dns || row.device.name || row.ip) + '</a>';
         }
       }, {
         "data": 'description',
         "render": function(data, type, row, meta) {
-          return '<a href="[% report_moduleinventory %]&description=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% report_moduleinventory | none %]&description=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'name',
         "render": function(data, type, row, meta) {
-          return '<a href="[% report_moduleinventory %]&name=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% report_moduleinventory | none %]&name=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'class',
         "render": function(data, type, row, meta) {
-          return '<a href="[% report_moduleinventory %]&class=' + encodeURIComponent(data) + '">' + he.encode(capitalizeFirstLetter(data + '')) + '</a>';
+          return '<a href="[% report_moduleinventory | none %]&class=' + encodeURIComponent(data) + '">' + he.encode(capitalizeFirstLetter(data + '')) + '</a>';
         }
       }, {
         "data": 'type',
         "render": function(data, type, row, meta) {
-          return '<a href="[% report_moduleinventory %]&type=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% report_moduleinventory | none %]&type=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'model',
         "render": function(data, type, row, meta) {
-          return '<a href="[% report_moduleinventory %]&model=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% report_moduleinventory | none %]&model=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'serial',
         "render": function(data, type, row, meta) {
-          return '<a href="[% report_moduleinventory %]&serial=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% report_moduleinventory | none %]&serial=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'hw_ver',
@@ -90,12 +90,12 @@ $(document).ready(function() {
     ],
     [% ELSE %]
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'class',
         "render": function(data, type, row, meta) {
-          return '<a href="[% report_moduleinventory %]&class=' + encodeURIComponent(data) + '">' + he.encode(capitalizeFirstLetter(data + '')) + '</a>';
+          return '<a href="[% report_moduleinventory | none %]&class=' + encodeURIComponent(data) + '">' + he.encode(capitalizeFirstLetter(data + '')) + '</a>';
         }
       }, {
         "data": 'count',
diff --git a/share/views/ajax/report/netbios.tt b/share/views/ajax/report/netbios.tt
index 81205920..1edc520b 100644
--- a/share/views/ajax/report/netbios.tt
+++ b/share/views/ajax/report/netbios.tt
@@ -29,7 +29,7 @@ $(document).ready(function() {
     [% IF opt %]
     "serverSide": true,
     "order": [[ 0, "desc" ]],
-    "ajax": "[% uri_for('/ajax/content/report/netbios/data') %]?[% url(params('query').hash) %]",
+    "ajax": "[% uri_for('/ajax/content/report/netbios/data') | none %]?[% url(params('query').hash) | none %]",
     "columns": [
       {
         "data": 'domain',
@@ -39,7 +39,7 @@ $(document).ready(function() {
       }, {
         "data": 'mac',
         "render": function(data, type, row, meta) {
-          return '<a href="[% search_node %]&q=' + encodeURIComponent(data) + '">' + he.encode(data.toUpperCase()) + '</a>';
+          return '<a href="[% search_node | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(data.toUpperCase()) + '</a>';
         }
       }, {
         "data": 'nbname',
@@ -48,7 +48,7 @@ $(document).ready(function() {
           if (row.domain) {
             prefix = '\\\\' + row.domain + '\\';
           }
-          return he.encode(prefix) + '<a href="[% search_node %]&q=' + encodeURIComponent(data) + '">' + he.encode(data) + '</a>';
+          return he.encode(prefix) + '<a href="[% search_node | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(data) + '</a>';
         }
       }, {
         "data": 'nbuser',
@@ -70,12 +70,12 @@ $(document).ready(function() {
     "order": [[0, "asc"], [5, "desc"]],
     [% ELSE %]
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [    
       {
         "data": 'domain',
         "render": function(data, type, row, meta) {
-          return '<a href="[% uri_for('/report/netbios') %]?domain=' + encodeURIComponent(data || 'blank') + '">' + he.encode(data || '(Blank Domain)') + '</a>';
+          return '<a href="[% uri_for('/report/netbios') | none %]?domain=' + encodeURIComponent(data || 'blank') + '">' + he.encode(data || '(Blank Domain)') + '</a>';
         }
       }, {
         "data": 'count',
diff --git a/share/views/ajax/report/nodemultiips.tt b/share/views/ajax/report/nodemultiips.tt
index 1348d067..208a9467 100644
--- a/share/views/ajax/report/nodemultiips.tt
+++ b/share/views/ajax/report/nodemultiips.tt
@@ -15,12 +15,12 @@ $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
     "order": [[ 3, "desc" ]],
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'mac',
         "render": function(data, type, row, meta) {
-          return '<a href="[% search_node %]&q=' + encodeURIComponent(data) + '">' + he.encode(data.toUpperCase()) + '</a>';
+          return '<a href="[% search_node | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(data.toUpperCase()) + '</a>';
         }
       }, {
         "data": 'vendor',
@@ -30,7 +30,7 @@ $(document).ready(function() {
       }, {
         "data": 'port',
         "render": function(data, type, row, meta) {
-          return '<a href="[% device_ports %]&q=' + encodeURIComponent(row.switch) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(row.dns || row.name || row.switch) + '(' + he.encode(data) + ')</a>';
+          return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.switch) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(row.dns || row.name || row.switch) + '(' + he.encode(data) + ')</a>';
         }
       }, {
         "data": 'ip_count',
diff --git a/share/views/ajax/report/nodesdiscovered.tt b/share/views/ajax/report/nodesdiscovered.tt
index 841d17f2..ac98cef3 100644
--- a/share/views/ajax/report/nodesdiscovered.tt
+++ b/share/views/ajax/report/nodesdiscovered.tt
@@ -15,7 +15,7 @@
 $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'ip',
@@ -27,7 +27,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&c_nodes=on&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&c_nodes=on&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
@@ -38,7 +38,7 @@ $(document).ready(function() {
       }, {
         "data": 'remote_ip',
         "render": function(data, type, row, meta) {
-          return '<a href="[% search_node %]&q=' + encodeURIComponent(data || '') + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% search_node | none %]&q=' + encodeURIComponent(data || '') + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'remote_port',
diff --git a/share/views/ajax/report/nodevendor.tt b/share/views/ajax/report/nodevendor.tt
index bbfcd0e8..f189cb81 100644
--- a/share/views/ajax/report/nodevendor.tt
+++ b/share/views/ajax/report/nodevendor.tt
@@ -29,7 +29,7 @@ $(document).ready(function() {
     [% IF opt %]
     "serverSide": true,
     "order": [[ 0, "desc" ]],
-    "ajax": "[% uri_for('/ajax/content/report/nodevendor/data') %]?[% url(params('query').hash) %]",
+    "ajax": "[% uri_for('/ajax/content/report/nodevendor/data') | none %]?[% url(params('query').hash) | none %]",
     "columns": [
       {
         "data": 'mac',
@@ -38,17 +38,17 @@ $(document).ready(function() {
           if (row.active) {
             icon = '';
           }
-          return '<a href="[% search_node %]&q=' + encodeURIComponent(data) + '">' + he.encode(data.toUpperCase()) + icon + '</a>';
+          return '<a href="[% search_node | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(data.toUpperCase()) + icon + '</a>';
         }
       }, {
         "data": 'oui.abbrev',
         "render": function(data, type, row, meta) {
-          return '<a href="[% uri_for('/report/nodevendor') %]?vendor=' + encodeURIComponent(row.oui.abbrev || 'blank') + '">' + he.encode(row.oui.company ||'(Unknown Vendor)') + '</a>';
+          return '<a href="[% uri_for('/report/nodevendor') | none %]?vendor=' + encodeURIComponent(row.oui.abbrev || 'blank') + '">' + he.encode(row.oui.company ||'(Unknown Vendor)') + '</a>';
         }
       }, {
         "data": 'port',
         "render": function(data, type, row, meta) {
-          return '<a href="[% device_ports %]&q=' + encodeURIComponent(row.switch) + '&f=' + encodeURIComponent(data) + '&c_nodes=on&n_ssid=on">' + he.encode(row.device.dns || row.device.name || row.switch) + '(' + he.encode(data) + ')</a>';
+          return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.switch) + '&f=' + encodeURIComponent(data) + '&c_nodes=on&n_ssid=on">' + he.encode(row.device.dns || row.device.name || row.switch) + '(' + he.encode(data) + ')</a>';
         }
       }, {
         // Included for filtering
@@ -66,12 +66,12 @@ $(document).ready(function() {
     ],
     [% ELSE %]
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [    
       {
         "data": 'vendor',
         "render": function(data, type, row, meta) {
-          return '<a href="[% uri_for('/report/nodevendor') %]?vendor=' + encodeURIComponent(row.abbrev || 'blank') + '">' + he.encode(row.vendor ||'(Unknown Vendor)') + '</a>';
+          return '<a href="[% uri_for('/report/nodevendor') | none %]?vendor=' + encodeURIComponent(row.abbrev || 'blank') + '">' + he.encode(row.vendor ||'(Unknown Vendor)') + '</a>';
         }
       }, {
         "data": 'count',
diff --git a/share/views/ajax/report/portadmindown.tt b/share/views/ajax/report/portadmindown.tt
index 207be63a..3d85e6ca 100644
--- a/share/views/ajax/report/portadmindown.tt
+++ b/share/views/ajax/report/portadmindown.tt
@@ -25,7 +25,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
@@ -42,7 +42,7 @@ $(document).ready(function() {
         }
       }
     ],
-    "data": [% results %],
+    "data": [% results | none %],
 [% INCLUDE 'ajax/datatabledefaults.tt' -%]
   });
 });
diff --git a/share/views/ajax/report/portblocking.tt b/share/views/ajax/report/portblocking.tt
index 7632eb3d..50370e13 100644
--- a/share/views/ajax/report/portblocking.tt
+++ b/share/views/ajax/report/portblocking.tt
@@ -14,7 +14,7 @@ $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
     "order": [[ 0, "asc" ], [1, "asc"]],
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'ip',
@@ -26,7 +26,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
diff --git a/share/views/ajax/report/portmultinodes.tt b/share/views/ajax/report/portmultinodes.tt
index 30ccb6ad..b34aa5e9 100644
--- a/share/views/ajax/report/portmultinodes.tt
+++ b/share/views/ajax/report/portmultinodes.tt
@@ -14,7 +14,7 @@ $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
     "order": [[ 3, "desc" ]],
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'ip',
@@ -26,7 +26,7 @@ $(document).ready(function() {
         "type": 'portsort',
         "render": function(data, type, row, meta) {
           return type === 'display' ?
-            '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(data || '') + '</a>' :
+            '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '&c_nodes=on">' + he.encode(data || '') + '</a>' :
             he.encode(data || '');
         }
       }, {
diff --git a/share/views/ajax/report/portssid.tt b/share/views/ajax/report/portssid.tt
index 6aaf5a4e..4fdf52e8 100644
--- a/share/views/ajax/report/portssid.tt
+++ b/share/views/ajax/report/portssid.tt
@@ -27,13 +27,13 @@
 $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     [% IF opt %]
     "columns": [
       {
       "data": 'ip',
       "render": function(data, type, row, meta) {
-        return '<a href="[% device_ports %]&q=' + encodeURIComponent(data) + '&f=' + encodeURIComponent(row.port.port) + '&c_nodes=on&n_ssid=on">' + he.encode(row.device.dns || row.device.name || row.ip) + '(' + he.encode(row.port.port) + ')</a>';
+        return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(data) + '&f=' + encodeURIComponent(row.port.port) + '&c_nodes=on&n_ssid=on">' + he.encode(row.device.dns || row.device.name || row.ip) + '(' + he.encode(row.port.port) + ')</a>';
         }
       }, {
         "data": 'broadcast',
@@ -64,7 +64,7 @@ $(document).ready(function() {
       {
         "data": 'ssid',
         "render": function(data, type, row, meta) {
-          return '<a href="[% uri_for('/report/portssid') %]?ssid=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% uri_for('/report/portssid') | none %]?ssid=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'broadcast',
diff --git a/share/views/ajax/report/portutilization.tt b/share/views/ajax/report/portutilization.tt
index 7900e4ee..eaf51243 100644
--- a/share/views/ajax/report/portutilization.tt
+++ b/share/views/ajax/report/portutilization.tt
@@ -14,12 +14,12 @@
 $(document).ready(function() {
     var table = $('#data-table').dataTable({
         "deferRender": true,
-        "data": [% results %],
+        "data": [% results | none %],
         "columns": [
            {
                 "data": 'ip',
                 "render": function(data, type, row, meta) {
-                    return '<a href="[% device_ports %]&q=' + encodeURIComponent(data) + '">' + he.encode(row.dns || row.ip) + '</a>';
+                    return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(row.dns || row.ip) + '</a>';
                 }
             }, {
                 "data": 'port_count',
diff --git a/share/views/ajax/report/portvlanmismatch.tt b/share/views/ajax/report/portvlanmismatch.tt
index 80a17501..ddb5affa 100644
--- a/share/views/ajax/report/portvlanmismatch.tt
+++ b/share/views/ajax/report/portvlanmismatch.tt
@@ -15,31 +15,31 @@
 $(document).ready(function() {
     var table = $('#data-table').dataTable({
         "deferRender": true,
-        "data": [% results %],
+        "data": [% results | none %],
         "columns": [
                {
                 "data": 'left_device',
                 "render": function(data, type, row, meta) {
-                    return '<a href="[% device_ports %]&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>'; }
+                    return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>'; }
             }, {
               "data": 'left_port',
               "type": 'portsort',
               "render": function(data, type, row, meta) {
                 return type === 'display' ?
-                  '<a href="[% device_ports %]&q=' + encodeURIComponent(row.left_device) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
+                  '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.left_device) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
                   he.encode(data || ''); }
             }, {
                 "data": 'left_vlans'
             }, {
                 "data": 'right_device',
                 "render": function(data, type, row, meta) {
-                    return '<a href="[% device_ports %]&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>'; }
+                    return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>'; }
             }, {
               "data": 'right_port',
               "type": 'portsort',
               "render": function(data, type, row, meta) {
                 return type === 'display' ?
-                  '<a href="[% device_ports %]&q=' + encodeURIComponent(row.right_device) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
+                  '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.right_device) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
                   he.encode(data || ''); }
             }, {
                 "data": 'right_vlans'
diff --git a/share/views/ajax/report/subnets.tt b/share/views/ajax/report/subnets.tt
index 4f03b2bd..793e48a5 100644
--- a/share/views/ajax/report/subnets.tt
+++ b/share/views/ajax/report/subnets.tt
@@ -11,7 +11,7 @@
   <tbody>
     [% FOREACH row IN results %]
     <tr>
-      <td class="nd_center-cell"><a href="[% uri_for('/report/ipinventory') %]?subnet=[% row.subnet | uri %]&daterange=[% params.daterange | uri %]&age_invert=[% params.age_invert | uri %]&limit=[% row.subnet_size | uri %]">
+      <td class="nd_center-cell"><a href="[% uri_for('/report/ipinventory') | none %]?subnet=[% row.subnet | uri %]&daterange=[% params.daterange | uri %]&age_invert=[% params.age_invert | uri %]&limit=[% row.subnet_size | uri %]">
                [% row.subnet | html_entity %]</a></td>
       <td class="nd_center-cell">[% row.subnet_size | format_number %]</td>
       <td class="nd_center-cell">[% row.active | format_number %]</td>
diff --git a/share/views/ajax/report/vlaninventory.tt b/share/views/ajax/report/vlaninventory.tt
index 88c041b9..1aca8675 100644
--- a/share/views/ajax/report/vlaninventory.tt
+++ b/share/views/ajax/report/vlaninventory.tt
@@ -13,17 +13,17 @@
 $(document).ready(function() {
   var table = $('#data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [
       {
         "data": 'vlan',
         "render": function(data, type, row, meta) {
-          return '<a href="[% uri_for('/search') %]?tab=vlan&q=' + encodeURIComponent(data) + '">' + data + '</a>';
+          return '<a href="[% uri_for('/search') | none %]?tab=vlan&q=' + encodeURIComponent(data) + '">' + data + '</a>';
         }
       }, {
         "data": 'description',
         "render": function(data, type, row, meta) {
-          return '<a href="[% uri_for('/search') %]?tab=vlan&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
+          return '<a href="[% uri_for('/search') | none %]?tab=vlan&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'dcount',
diff --git a/share/views/ajax/search/device.tt b/share/views/ajax/search/device.tt
index eda4a479..c2069446 100644
--- a/share/views/ajax/search/device.tt
+++ b/share/views/ajax/search/device.tt
@@ -18,11 +18,11 @@
 $(document).ready(function() {
   var table = $('#ds-data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [{
         "data": 'ip',
         "render": function(data, type, row, meta) {
-          return '<a href="[% uri_for('/device') %]?q=' + encodeURIComponent(data) + '">' + he.encode(row.dns || row.name || row.ip) + '</a>';
+          return '<a href="[% uri_for('/device') | none %]?q=' + encodeURIComponent(data) + '">' + he.encode(row.dns || row.name || row.ip) + '</a>';
         }
       }, {
         "data": 'location',
diff --git a/share/views/ajax/search/node_by_ip.tt b/share/views/ajax/search/node_by_ip.tt
index 1548bf81..3f2f6525 100644
--- a/share/views/ajax/search/node_by_ip.tt
+++ b/share/views/ajax/search/node_by_ip.tt
@@ -16,16 +16,16 @@
     [% WHILE (row = macs.next) %]
     [% IF row.nbname %]
     <tr>
-      <td>MAC: <a href="[% search_node %]&q=[% row.net_mac.$mac_format_call | uri %]">
+      <td>MAC: <a href="[% search_node | none %]&q=[% row.net_mac.$mac_format_call | uri %]">
           [% row.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% row.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% row.oui.abbrev | uri %]">
         [% row.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>NetBIOS</td>
-      <td class="nd_linkcell nd_center-cell">\\<a href="[% uri_for('/report/netbios') %]?domain=[% row.domain | uri %]" title="Devices in this Domain">[% row.domain | html_entity %]</a>\<a href="[% search_node %]&q=[% row.nbname | uri %]">[% row.nbname | html_entity %]</a>
-        <br>[% row.nbuser || '[No User]' | html_entity %]@<a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
+      <td class="nd_linkcell nd_center-cell">\\<a href="[% uri_for('/report/netbios') | none %]?domain=[% row.domain | uri %]" title="Devices in this Domain">[% row.domain | html_entity %]</a>\<a href="[% search_node | none %]&q=[% row.nbname | uri %]">[% row.nbname | html_entity %]</a>
+        <br>[% row.nbuser || '[No User]' | html_entity %]@<a href="[% search_node | none %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
       </td>
       [% IF params.stamps %]
       <td>[% row.time_first_stamp | html_entity %]</td>
@@ -34,16 +34,16 @@
     </tr>
     [% ELSE %]
     <tr>
-      <td>MAC: <a href="[% search_node %]&q=[% row.net_mac.$mac_format_call | uri %]">
+      <td>MAC: <a href="[% search_node | none %]&q=[% row.net_mac.$mac_format_call | uri %]">
           [% row.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% row.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% row.oui.abbrev | uri %]">
         [% row.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>IP &rarr; MAC</td>
       <td class="nd_center-cell">
-        <a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
+        <a href="[% search_node | none %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
         [% '&nbsp;<i class="icon-book text-warning"></i>&nbsp;' IF NOT row.active %]
         [% ' (' _ row.dns.remove(settings.domain_suffix) _ ')' IF row.dns %]
       </td>
@@ -55,16 +55,16 @@
     [% END %]
     [% FOREACH nbt IN row.netbios %]
     <tr>
-      <td>MAC: <a href="[% search_node %]&q=[% nbt.net_mac.$mac_format_call | uri %]">
+      <td>MAC: <a href="[% search_node | none %]&q=[% nbt.net_mac.$mac_format_call | uri %]">
           [% nbt.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% nbt.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% nbt.oui.abbrev | uri %]">
         [% nbt.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>NetBIOS</td>
-      <td class="nd_linkcell nd_center-cell">\\<a href="[% uri_for('/report/netbios') %]?domain=[% nbt.domain | uri %]" title="Devices in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
-        <br>[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
+      <td class="nd_linkcell nd_center-cell">\\<a href="[% uri_for('/report/netbios') | none %]?domain=[% nbt.domain | uri %]" title="Devices in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node | none %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
+        <br>[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node | none %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
       </td>
       [% IF params.stamps %]
       <td>[% date.format(nbt.time_first) | html_entity %]</td>
@@ -74,16 +74,16 @@
     [% END %]
     [% FOREACH ni IN row.nodeips %]
     <tr>
-      <td>MAC: <a href="[% search_node %]&q=[% ni.net_mac.$mac_format_call | uri %]">
+      <td>MAC: <a href="[% search_node | none %]&q=[% ni.net_mac.$mac_format_call | uri %]">
           [% ni.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% ni.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% ni.oui.abbrev | uri %]">
         [% ni.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>IP &rarr; MAC</td>
       <td class="nd_center-cell">
-        <a href="[% search_node %]&q=[% ni.ip | uri %]">[% ni.ip | html_entity %]</a>
+        <a href="[% search_node | none %]&q=[% ni.ip | uri %]">[% ni.ip | html_entity %]</a>
         [% '&nbsp;<i class="icon-book text-warning"></i>&nbsp;' IF NOT ni.active %]
         [% ' (' _ ni.dns.remove(settings.domain_suffix) _ ')' IF ni.dns %]
       </td>
@@ -95,23 +95,23 @@
     [% END %]
     [% FOREACH node IN row.node_sightings(archive_filter) %]
     <tr>
-      <td>MAC: <a href="[% search_node %]&q=[% node.net_mac.$mac_format_call | uri %]">
+      <td>MAC: <a href="[% search_node | none %]&q=[% node.net_mac.$mac_format_call | uri %]">
           [% node.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% node.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% node.oui.abbrev | uri %]">
         [% node.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>Switch Port</td>
       <td class="nd_center-cell">
         <a class="nd_linkcell"
-          href="[% device_ports %]&q=[% node.switch | uri %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on&prefer=port">
+          href="[% device_ports | none %]&q=[% node.switch | uri %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on&prefer=port">
           [% node.switch | html_entity %] - [% node.port | html_entity %]
         [% '&nbsp;<i class="icon-book text-warning"></i>' IF NOT node.active %]</a>
         [% IF node.device.dns AND node.device_port AND node.device_port.name %]
           ([% node.device.dns | html_entity %] - [% node.device_port.name | html_entity %])
         [% END %]
-            on vlan [% node.vlan %]
+            on vlan [% node.vlan | html_entity %]
       </td>
       [% IF params.stamps %]
       <td>[% node.time_first_stamp | html_entity %]</td>
@@ -120,10 +120,10 @@
     </tr>
       [% FOREACH wlan IN node.wireless %]
       <tr>
-        <td>MAC: <a href="[% search_node %]&q=[% wlan.net_mac.$mac_format_call | uri %]">
+        <td>MAC: <a href="[% search_node | none %]&q=[% wlan.net_mac.$mac_format_call | uri %]">
             [% wlan.net_mac.$mac_format_call | html_entity %]</a>
         [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% wlan.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% wlan.oui.abbrev | uri %]">
         [% wlan.oui.company | html_entity %]</a> )
         [% END %]
         </td>
@@ -143,16 +143,16 @@
     [% END %]
     [% FOREACH nodeip IN row.ip_aliases(archive_filter) %]
     <tr>
-      <td>MAC: <a href="[% search_node %]&q=[% nodeip.net_mac.$mac_format_call | uri %]">
+      <td>MAC: <a href="[% search_node | none %]&q=[% nodeip.net_mac.$mac_format_call | uri %]">
           [% nodeip.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% nodeip.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% nodeip.oui.abbrev | uri %]">
         [% nodeip.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>MAC &rarr; IP</td>
       <td class="nd_center-cell">
-        <a href="[% search_node %]&q=[% nodeip.ip | uri %]">[% nodeip.ip | html_entity %]</a>
+        <a href="[% search_node | none %]&q=[% nodeip.ip | uri %]">[% nodeip.ip | html_entity %]</a>
         [% '&nbsp;<i class="icon-book text-warning"></i>&nbsp;' IF NOT nodeip.active %]
         [% ' (' _ nodeip.dns.remove(settings.domain_suffix) _ ')' IF nodeip.dns %]
       </td>
diff --git a/share/views/ajax/search/node_by_mac.tt b/share/views/ajax/search/node_by_mac.tt
index 3440ba4d..d81d1d7a 100644
--- a/share/views/ajax/search/node_by_mac.tt
+++ b/share/views/ajax/search/node_by_mac.tt
@@ -15,15 +15,15 @@
     [% WHILE (row = ips.next) %]
     <tr>
       <td>
-          MAC: <a href="[% search_node %]&q=[% row.net_mac.$mac_format_call | uri %]">
+          MAC: <a href="[% search_node | none %]&q=[% row.net_mac.$mac_format_call | uri %]">
             [% row.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% row.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% row.oui.abbrev | uri %]">
         [% row.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>MAC &rarr; IP</td>
-      <td class="nd_center-cell"><a href="[% search_node %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
+      <td class="nd_center-cell"><a href="[% search_node | none %]&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
         [% '&nbsp;<i class="icon-book text-warning"></i>&nbsp;' IF NOT row.active %]
         [% ' (' _ row.dns.remove(settings.domain_suffix) _ ')' IF row.dns %]
       </td>
@@ -36,22 +36,22 @@
     [% WHILE (node = sightings.next) %]
     <tr>
       <td>
-        MAC: <a href="[% search_node %]&q=[% node.net_mac.$mac_format_call | uri %]">
+        MAC: <a href="[% search_node | none %]&q=[% node.net_mac.$mac_format_call | uri %]">
             [% node.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% node.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% node.oui.abbrev | uri %]">
         [% node.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>Switch Port</td>
       <td class="nd_center-cell">
-            <a href="[% device_ports %]&q=[% node.switch | uri %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on&prefer=port">
+            <a href="[% device_ports | none %]&q=[% node.switch | uri %]&f=[% node.port | uri %]&c_nodes=on&c_neighbors=on&prefer=port">
             [% node.switch | html_entity %] - [% node.port | html_entity %]</a>
         [% '&nbsp;<i class="icon-book text-warning"></i>&nbsp;' IF NOT node.active %]
         [% IF node.device.dns AND node.device_port AND node.device_port.name %]
           ([% node.device.dns | html_entity %] - [% node.device_port.name | html_entity %])
         [% END %]
-            on vlan [% node.vlan %]
+            on vlan [% node.vlan | html_entity %]
       </td>
       [% IF params.stamps %]
       <td>[% node.time_first_stamp | html_entity %]</td>
@@ -62,15 +62,15 @@
     [% WHILE (port = ports.next) %]
     <tr>
       <td>
-        MAC: <a href="[% search_node %]&q=[% port.net_mac.$mac_format_call | uri %]">[% port.net_mac.$mac_format_call | html_entity %]</a>
+        MAC: <a href="[% search_node | none %]&q=[% port.net_mac.$mac_format_call | uri %]">[% port.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% port.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% port.oui.abbrev | uri %]">
         [% port.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>Switch Port</td>
       <td class="nd_center-cell">
-            <a href="[% device_ports %]&q=[% port.ip | uri %]&f=[% port.port | uri %]&c_mac=on&c_nodes=on&c_neighbors=on">
+            <a href="[% device_ports | none %]&q=[% port.ip | uri %]&f=[% port.port | uri %]&c_mac=on&c_nodes=on&c_neighbors=on">
             [% port.ip | html_entity %] - [% port.descr | html_entity %]</a>
         [% IF port.device.dns AND port.name %]
           ([% port.device.dns | html_entity %] - [% port.name | html_entity %])
@@ -85,15 +85,15 @@
     [% WHILE (nbt = netbios.next) %]
     <tr>
       <td>
-        MAC: <a href="[% search_node %]&q=[% nbt.net_mac.$mac_format_call | uri %]">[% nbt.net_mac.$mac_format_call | html_entity %]</a>
+        MAC: <a href="[% search_node | none %]&q=[% nbt.net_mac.$mac_format_call | uri %]">[% nbt.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% nbt.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% nbt.oui.abbrev | uri %]">
         [% nbt.oui.company | html_entity %]</a> )
       [% END %]
       </td>
       <td>NetBIOS</td>
-      <td class="nd_center-cell">\\<a href="[% uri_for('/report/netbios') %]?domain=[% nbt.domain | uri %]" title="Devices in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
-        <br>[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
+      <td class="nd_center-cell">\\<a href="[% uri_for('/report/netbios') | none %]?domain=[% nbt.domain | uri %]" title="Devices in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node | none %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
+        <br>[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node | none %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
       </td>
       [% IF params.stamps %]
       <td>[% nbt.time_first_stamp | html_entity %]</td>
@@ -104,9 +104,9 @@
     [% WHILE (wlan = wireless.next) %]
     <tr>
       <td>
-        MAC: <a href="[% search_node %]&q=[% wlan.net_mac.$mac_format_call | uri %]">[% wlan.net_mac.$mac_format_call | html_entity %]</a>
+        MAC: <a href="[% search_node | none %]&q=[% wlan.net_mac.$mac_format_call | uri %]">[% wlan.net_mac.$mac_format_call | html_entity %]</a>
       [% IF params.show_vendor %]
-        ( <a href="[% uri_for('/report/nodevendor') %]?vendor=[% wlan.oui.abbrev | uri %]">
+        ( <a href="[% uri_for('/report/nodevendor') | none %]?vendor=[% wlan.oui.abbrev | uri %]">
         [% wlan.oui.company | html_entity %]</a> )
       [% END %]
       </td>
diff --git a/share/views/ajax/search/port.tt b/share/views/ajax/search/port.tt
index 99635b8d..4d47ee73 100644
--- a/share/views/ajax/search/port.tt
+++ b/share/views/ajax/search/port.tt
@@ -15,7 +15,7 @@
 $(document).ready(function() {
   var table = $('#ps-data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columnDefs": [
         { "sortable": false, "targets": 0 },
         { "searchable": false, "targets": 0 },
@@ -49,7 +49,7 @@ $(document).ready(function() {
           if (row.device.dns || row.device.name) {
             ddns = '<br>(' + he.encode(row.device.dns || row.device.name)  + ')';
           }
-          return '<a href="[% device_ports %]&q=' + encodeURIComponent(data)
+          return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(data)
             + '&f=' + encodeURIComponent(row.port) + '">' + he.encode(data)
             + ' [' + he.encode(row.port) + ']</a>' + ddns;
         }
diff --git a/share/views/ajax/search/vlan.tt b/share/views/ajax/search/vlan.tt
index aa81060d..c37407ae 100644
--- a/share/views/ajax/search/vlan.tt
+++ b/share/views/ajax/search/vlan.tt
@@ -15,36 +15,36 @@
 $(document).ready(function() {
   var table = $('#vs-data-table').dataTable({
     "deferRender": true,
-    "data": [% results %],
+    "data": [% results | none %],
     "columns": [{
         "data": 'vlans.vlan',
         "render": function(data, type, row, meta) {
-          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + data + '</a>';
+          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + data + '</a>';
         }
       }, {
         "data": 'ip',
         "render": function(data, type, row, meta) {
-          return '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(row.dns || row.ip) + '</a>';
+          return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(row.dns || row.ip) + '</a>';
         }
       }, {
         "data": 'vlans.description',
         "render": function(data, type, row, meta) {
-          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(data || '') + '</a>';
+          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'model',
         "render": function(data, type, row, meta) {
-          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(data || '') + '</a>';
+          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'os',
         "render": function(data, type, row, meta) {
-          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(data || '') + '</a>';
+          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(data || '') + '</a>';
         }
       }, {
         "data": 'vendor',
         "render": function(data, type, row, meta) {
-          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(data || '') + '</a>';
+          return '<a class="nd_linkcell nd_stealth-link" href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(row.vlans.vlan) + '">' + he.encode(data || '') + '</a>';
         }
       }
     ],
diff --git a/share/views/ajax/statistics.tt b/share/views/ajax/statistics.tt
index 99caf531..4af85424 100644
--- a/share/views/ajax/statistics.tt
+++ b/share/views/ajax/statistics.tt
@@ -29,7 +29,7 @@
               <th>[% stats.ip_table_count | format_number %] IPs logged, of which [% stats.ip_active_count | format_number %] are active</th>
             </tr>
             <tr>
-              <th>Statistics last generated on [% stats.day %]</th>
+              <th>Statistics last generated on [% stats.day | html_entity %]</th>
             </tr>
           </tbody>
         </table>
diff --git a/share/views/device.tt b/share/views/device.tt
index 17a4bff4..165d402b 100644
--- a/share/views/device.tt
+++ b/share/views/device.tt
@@ -13,18 +13,18 @@
       </a>
       <div class="tab-content">
         [% FOREACH tab IN settings._device_tabs %]
-        <div id="[% tab.tag %]_search" class="tab-pane [% 'active' IF params.tab == tab.tag %]">
-          <form id="[% tab.tag %]_form" class="nd_sidebar-form form-stacked"
-              method="get" action="[% uri_for('/device') %]">
-            <input name="tab" value="[% tab.tag %]" type="hidden"/>
+        <div id="[% tab.tag | html_entity %]_search" class="tab-pane [% 'active' IF params.tab == tab.tag %]">
+          <form id="[% tab.tag | html_entity %]_form" class="nd_sidebar-form form-stacked"
+              method="get" action="[% uri_for('/device') | none %]">
+            <input name="tab" value="[% tab.tag | html_entity %]" type="hidden"/>
             [% TRY %]
-            <script type="text/javascript">has_sidebar["[% tab.tag %]"] = 1;</script>
+            <script type="text/javascript">has_sidebar["[% tab.tag | html_entity %]"] = 1;</script>
             [% INCLUDE "sidebar/device/${tab.tag}.tt" %]
             [% CATCH %]
-            <!-- no "[% tab.tag %]" search options -->
+            <!-- no "[% tab.tag | html_entity %]" search options -->
             <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
             <input name="f" value="[% params.f | html_entity %]" type="hidden"/>
-            <script type="text/javascript">has_sidebar["[% tab.tag %]"] = 0;</script>
+            <script type="text/javascript">has_sidebar["[% tab.tag | html_entity %]"] = 0;</script>
             [% END %]
           </form>
         </div> <!-- /tab-pane -->
@@ -36,7 +36,7 @@
   <div class="content">
     <ul id="nd_search-results" class="nav nav-tabs">
       [% FOREACH tab IN settings._device_tabs %]
-      <li[% ' class="active"' IF params.tab == tab.tag %]><a id="[% tab.tag %]_link" href="#[% tab.tag %]_pane">[% tab.label %]</a></li>
+      <li[% ' class="active"' IF params.tab == tab.tag %]><a id="[% tab.tag | html_entity %]_link" href="#[% tab.tag | html_entity %]_pane">[% tab.label | html_entity %]</a></li>
       [% END %]
       <span id="nd_device-name">
         [% display_name | html_entity %]
@@ -47,7 +47,7 @@
     </ul>
     <div class="tab-content">
       [% FOREACH tab IN settings._device_tabs %]
-      <div class="tab-pane[% ' active' IF params.tab == tab.tag %]" id="[% tab.tag %]_pane"></div>
+      <div class="tab-pane[% ' active' IF params.tab == tab.tag %]" id="[% tab.tag | html_entity %]_pane"></div>
       [% END %]
   </div>
 </div>
diff --git a/share/views/index.tt b/share/views/index.tt
index 0744ed2b..74d29b27 100644
--- a/share/views/index.tt
+++ b/share/views/index.tt
@@ -36,13 +36,13 @@
         <h2>Welcome to Netdisco</h2>
         <small>Netdisco is an Open Source management tool designed for network administrators.</small>
         [% IF NOT session.logged_in_user %]
-        <form class="nd_login-form" method="post" action="[% uri_for('/login') %]">
+        <form class="nd_login-form" method="post" action="[% uri_for('/login') | none %]">
           <div class="form-horizontal">
             <input id='loginuser' placeholder="Username" class="span2" name="username" type="text" required="required"/>
             <input placeholder="Password" class="span2" name="password" type="password" required="required"/>
             <button type="submit" class="btn btn-info">Log In</button>
             [% IF settings.login_logo %]
-            <img src="[% settings.login_logo %]" alt="Login Logo" />
+            <img src="[% settings.login_logo | none %]" alt="Login Logo" />
             [% END %]
           </div>
           [% IF params.return_url %]
@@ -51,7 +51,7 @@
         </form>
         [% ELSE %]
           <p></p> <p></p>
-          <form class="" method="get" action="[% uri_for('/search') %]">
+          <form class="" method="get" action="[% uri_for('/search') | none %]">
             <div class="form-horizontal">
               <input placeholder="Find Anything" class="span4" id="nqbody" name="q" type="text" autocomplete="off"/>
               <input name="firstsearch" type="hidden" value="on">
@@ -70,9 +70,9 @@
             </div>
           </form>
           [% IF user_has_role('admin') %]
-          <form class="nd_login-form" method="post" action="[% uri_for('/admin/discover') %]">
+          <form class="nd_login-form" method="post" action="[% uri_for('/admin/discover') | none %]">
             <div class="form-horizontal">
-              <input placeholder="Device hostname or IP" class="span4" name="device" value="[% params.device %]" type="text"/>
+              <input placeholder="Device hostname or IP" class="span4" name="device" value="[% params.device | html_entity %]" type="text"/>
               <input type="hidden" name="extra" value="with-nodes"/>
               <button type="submit" class="btn btn-info">Discover</button>
             </div>
@@ -113,7 +113,7 @@
     $('.nd_chevron').toggleClass('icon-chevron-up icon-chevron-down');
 
     if (! stats_loaded) {
-      $('#nd_stats').load("[% uri_for('/ajax/content/statistics') %]", function(r,s,x) {
+      $('#nd_stats').load("[% uri_for('/ajax/content/statistics') | none %]", function(r,s,x) {
         if (s == "error") {
           $('#nd_stats_status').addClass('alert-error')
             .html('<i class="icon-warning-sign"></i> Failed to retrieve system information.');
diff --git a/share/views/inventory.tt b/share/views/inventory.tt
index 8109b40b..c7cd8082 100644
--- a/share/views/inventory.tt
+++ b/share/views/inventory.tt
@@ -18,14 +18,14 @@
             <th>
               [% IF platform.vendor %]
               <a class="nd_linkcell"
-                href="[% search_device %]&q=[% platform.vendor | uri %]&vendor=[% platform.vendor | uri %]">
+                href="[% search_device | none %]&q=[% platform.vendor | uri %]&vendor=[% platform.vendor | uri %]">
                   [% platform.vendor | html_entity %]</a>
               [% ELSE %]unknown[% END %]
             </th>
             <th>
               [% IF platform.model %]
               <a class="nd_linkcell"
-                href="[% search_device %]&q=[% platform.model | uri %]&model=[% platform.model | uri %]">
+                href="[% search_device | none %]&q=[% platform.model | uri %]&model=[% platform.model | uri %]">
                   [% platform.model | html_entity %]</a>
               [% ELSE %]unknown[% END %]
             </th>
@@ -52,14 +52,14 @@
             <th>
               [% IF release.os %]
               <a class="nd_linkcell"
-                href="[% search_device %]&q=[% release.os | uri %]&os=[% release.os | uri %]">
+                href="[% search_device | none %]&q=[% release.os | uri %]&os=[% release.os | uri %]">
                   [% release.os | html_entity %]</a>
               [% ELSE %]unknown[% END %]
             </th>
             <th>
               [% IF release.os_ver %]
               <a class="nd_linkcell"
-                href="[% search_device %]&q=[% release.os_ver | uri %]&os_ver=[% release.os_ver | uri %]">
+                href="[% search_device | none %]&q=[% release.os_ver | uri %]&os_ver=[% release.os_ver | uri %]">
                   [% release.os_ver | html_entity %]</a>
               [% ELSE %]unknown[% END %]
             </th>
diff --git a/share/views/js/admintask.js b/share/views/js/admintask.js
index 4f5dc0d9..7d443d75 100644
--- a/share/views/js/admintask.js
+++ b/share/views/js/admintask.js
@@ -78,7 +78,7 @@
 
   // on load, establish global delegations for now and future
   $(document).ready(function() {
-    var tab = '[% task.tag %]'
+    var tab = '[% task.tag | html_entity %]'
     var target = '#' + tab + '_pane';
 
     // get all devices on device input focus
diff --git a/share/views/js/common.js b/share/views/js/common.js
index 8d91f4d7..24c68d4e 100644
--- a/share/views/js/common.js
+++ b/share/views/js/common.js
@@ -73,11 +73,11 @@
     // search tabs
     [% FOREACH tab IN settings._search_tabs %]
     $('[% "#${tab.tag}_form" %]').submit(function (event) {
-      var pgtitle = update_page_title('[% tab.tag %]');
-      copy_navbar_to_sidebar('[% tab.tag %]');
-      update_browser_history('[% tab.tag %]', pgtitle, '');
-      update_csv_download_link('search', '[% tab.tag %]', '[% tab.provides_csv %]');
-      do_search(event, '[% tab.tag %]');
+      var pgtitle = update_page_title('[% tab.tag | html_entity %]');
+      copy_navbar_to_sidebar('[% tab.tag | html_entity %]');
+      update_browser_history('[% tab.tag | html_entity %]', pgtitle, '');
+      update_csv_download_link('search', '[% tab.tag | html_entity %]', '[% tab.provides_csv | html_entity %]');
+      do_search(event, '[% tab.tag | html_entity %]');
     });
     [% END %]
     [% END %]
@@ -86,25 +86,25 @@
     // device tabs
     [% FOREACH tab IN settings._device_tabs %]
     $('[% "#${tab.tag}_form" %]').submit(function (event) {
-      var pgtitle = update_page_title('[% tab.tag %]');
-      copy_navbar_to_sidebar('[% tab.tag %]');
-      update_browser_history('[% tab.tag %]', pgtitle, '');
-      update_csv_download_link('device', '[% tab.tag %]', '[% tab.provides_csv %]');
+      var pgtitle = update_page_title('[% tab.tag | html_entity %]');
+      copy_navbar_to_sidebar('[% tab.tag | html_entity %]');
+      update_browser_history('[% tab.tag | html_entity %]', pgtitle, '');
+      update_csv_download_link('device', '[% tab.tag | html_entity %]', '[% tab.provides_csv | html_entity %]');
 
       [% IF tab.tag == 'ports' %]
       // form reset icon on ports tab
-      $('#nd_sidebar-reset-link').attr('href', uri_base + '/device?tab=[% tab.tag %]&reset=on&firstsearch=on&' +
+      $('#nd_sidebar-reset-link').attr('href', uri_base + '/device?tab=[% tab.tag | html_entity %]&reset=on&firstsearch=on&' +
         $('#ports_form')
           .find('input[name="q"],input[name="f"],input[name="partial"],input[name="invert"]')
           .serialize());
 
       [% ELSIF tab.tag == 'netmap' %]
       // form reset icon on netmap tab
-      $('#nd_sidebar-reset-link').attr('href', uri_base + '/device?tab=[% tab.tag %]&reset=on&firstsearch=on&' +
+      $('#nd_sidebar-reset-link').attr('href', uri_base + '/device?tab=[% tab.tag | html_entity %]&reset=on&firstsearch=on&' +
         $('#netmap_form').find('input[name="q"]').serialize());
       [% END %]
 
-      do_search(event, '[% tab.tag %]');
+      do_search(event, '[% tab.tag | html_entity %]');
     });
     [% END %]
     [% END %]
@@ -112,28 +112,28 @@
     [% IF report %]
     // for the report pages
     $('[% "#${report.tag}_form" %]').submit(function (event) {
-      var pgtitle = update_page_title('[% report.tag %]');
-      update_browser_history('[% report.tag %]', pgtitle, '1');
-      update_csv_download_link('report', '[% report.tag %]', '1');
-      do_search(event, '[% report.tag %]');
+      var pgtitle = update_page_title('[% report.tag | html_entity %]');
+      update_browser_history('[% report.tag | html_entity %]', pgtitle, '1');
+      update_csv_download_link('report', '[% report.tag | html_entity %]', '1');
+      do_search(event, '[% report.tag | html_entity %]');
     });
     [% END -%]
 
     [% IF task %]
     // for the admin pages
     $('[% "#${task.tag}_form" %]').submit(function (event) {
-      update_page_title('[% task.tag %]');
-      update_csv_download_link('admin', '[% task.tag %]', '1');
-      do_search(event, '[% task.tag %]');
+      update_page_title('[% task.tag | html_entity %]');
+      update_csv_download_link('admin', '[% task.tag | html_entity %]', '1');
+      do_search(event, '[% task.tag | html_entity %]');
     });
     [% END %]
 
     // on page load, load the content for the active tab
     [% IF params.tab %]
     [% IF params.tab == 'ipinventory' OR params.tab == 'subnets' %]
-      $('#[% params.tab %]_submit').click();
+      $('#[% params.tab | html_entity %]_submit').click();
     [% ELSE %]
-      $('#[% params.tab %]_form').trigger("submit");
+      $('#[% params.tab | html_entity %]_form').trigger("submit");
     [% END %]
     [% END %]
   });
diff --git a/share/views/js/device.js b/share/views/js/device.js
index a39438af..428b51e3 100644
--- a/share/views/js/device.js
+++ b/share/views/js/device.js
@@ -27,7 +27,7 @@
 
   // on load, establish global delegations for now and future
   $(document).ready(function() {
-    var tab = '[% tab.tag %]'
+    var tab = '[% tab.tag | html_entity %]'
     var target = '#' + tab + '_pane';
     var portfilter = $('#ports_form').find("input[name=f]");
 
diff --git a/share/views/js/report.js b/share/views/js/report.js
index b77112e0..728ed6df 100644
--- a/share/views/js/report.js
+++ b/share/views/js/report.js
@@ -18,7 +18,7 @@
   // on load, check initial Report Options form state,
   // and on each change to the form fields
   $(document).ready(function() {
-    var tab = '[% report.tag %]'
+    var tab = '[% report.tag | html_entity %]'
     var target = '#' + tab + '_pane';
 
     // sidebar form fields should change colour and have trash icon
diff --git a/share/views/js/search.js b/share/views/js/search.js
index 9dcd1681..c920d62a 100644
--- a/share/views/js/search.js
+++ b/share/views/js/search.js
@@ -14,7 +14,7 @@
 
   // on load, establish global delegations for now and future
   $(document).ready(function() {
-    var tab = '[% tab.tag %]'
+    var tab = '[% tab.tag | html_entity %]'
     var target = '#' + tab + '_pane';
 
     // sidebar form fields should change colour and have bin/copy icon
diff --git a/share/views/layouts/main.tt b/share/views/layouts/main.tt
index c3ecac2f..39f0351f 100644
--- a/share/views/layouts/main.tt
+++ b/share/views/layouts/main.tt
@@ -3,8 +3,8 @@
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
   <meta http-equiv="Content-type" content="text/html; charset=[% settings.charset | html_entity %]" />
-  <link rel="shortcut icon" href="[% uri_base %]/images/favicon.ico" type="image/x-icon">
-  <link rel="icon" href="[% uri_base %]/images/favicon.ico" type="image/x-icon">
+  <link rel="shortcut icon" href="[% uri_base | none %]/images/favicon.ico" type="image/x-icon">
+  <link rel="icon" href="[% uri_base | none %]/images/favicon.ico" type="image/x-icon">
   <title>Netdisco</title>
 
   <!-- HTML5 shim, for IE6-8 support of HTML elements -->
@@ -12,60 +12,60 @@
     <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
   <![endif]-->
 
-  <script type="text/javascript" src="[% uri_base %]/javascripts/jquery-latest.min.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/jquery-latest.min.js"></script>
 <!--  <script type="text/javascript" src="http://code.jquery.com/jquery-migrate-1.1.1.js"></script> -->
-  <script type="text/javascript" src="[% uri_base %]/javascripts/jquery-ui.custom.min.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/jquery-history.js"></script>
-<!--  <script type="text/javascript" src="[% uri_base %]/javascripts/jquery.cookie.js"></script> -->
-  <script type="text/javascript" src="[% uri_base %]/javascripts/jquery-deserialize.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/bootstrap.min.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/bootstrap2-toggle.min.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/underscore.min.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/jquery.qtip.min.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/d3-3.5.17.min.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/d3-force-network-chart.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/toastr.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/jquery.floatThead.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/daterangepicker.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/moment.min.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/jquery.dataTables.min.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/dataTables.bootstrap.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/dataTables.ip-address-detect.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/dataTables.ip-address-sort.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/he.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/natural.js"></script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/portsort.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/jquery-ui.custom.min.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/jquery-history.js"></script>
+<!--  <script type="text/javascript" src="[% uri_base | none %]/javascripts/jquery.cookie.js"></script> -->
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/jquery-deserialize.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/bootstrap.min.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/bootstrap2-toggle.min.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/underscore.min.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/jquery.qtip.min.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/d3-3.5.17.min.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/d3-force-network-chart.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/toastr.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/jquery.floatThead.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/daterangepicker.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/moment.min.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/jquery.dataTables.min.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/dataTables.bootstrap.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/dataTables.ip-address-detect.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/dataTables.ip-address-sort.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/he.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/natural.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/portsort.js"></script>
 
   <script type="text/javascript">
-    var uri_base = '[% uri_base %]';
-    var nd_check_userlog = '[% settings.check_userlog %]';
+    var uri_base = '[% uri_base | none %]';
+    var nd_check_userlog = '[% settings.check_userlog | html_entity %]';
   </script>
-  <script type="text/javascript" src="[% uri_base %]/javascripts/netdisco.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/netdisco.js"></script>
 
   [% IF user_has_role('port_control') %]
-  <script type="text/javascript" src="[% uri_base %]/javascripts/netdisco_portcontrol.js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/javascripts/netdisco_portcontrol.js"></script>
   [% END %]
 
   [% FOREACH add_js IN settings._additional_javascript %]
-  <script type="text/javascript" src="[% uri_base %]/plugin/[% add_js %]/[% add_js %].js"></script>
+  <script type="text/javascript" src="[% uri_base | none %]/plugin/[% add_js | none %]/[% add_js | none %].js"></script>
   [% END %]
 
-  <link rel="stylesheet" href="[% uri_base %]/css/bootstrap.min.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/bootstrap2-toggle.min.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/awesome-bootstrap-checkbox.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/jquery.qtip.min.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/smoothness/jquery-ui.custom.min.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/font-awesome.min.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/toastr.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/d3-force-network-chart.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/netdisco.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/bootstrap-tree.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/daterangepicker-bs2.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/dataTables.bootstrap.css"/>
-  <link rel="stylesheet" href="[% uri_base %]/css/nd_print.css" media="print"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/bootstrap.min.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/bootstrap2-toggle.min.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/awesome-bootstrap-checkbox.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/jquery.qtip.min.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/smoothness/jquery-ui.custom.min.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/font-awesome.min.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/toastr.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/d3-force-network-chart.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/netdisco.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/bootstrap-tree.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/daterangepicker-bs2.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/dataTables.bootstrap.css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/css/nd_print.css" media="print"/>
 
   [% FOREACH add_css IN settings._additional_css %]
-  <link rel="stylesheet" href="[% uri_base %]/plugin/[% add_css %]/[% add_css %].css"/>
+  <link rel="stylesheet" href="[% uri_base | none %]/plugin/[% add_css | none %]/[% add_css | none %].css"/>
   [% END %]
 </head>
 
@@ -73,12 +73,12 @@
 <div class="navbar navbar-inverse navbar-fixed-top">
   <div class="navbar-inner">
     <div class="container">
-      <a class="brand" href="[% uri_for('/') %]">Netdisco</a>
+      <a class="brand" href="[% uri_for('/') | none %]">Netdisco</a>
       [% IF session.logged_in_user %]
       <ul class="nav">
         [% FOREACH ni IN settings._navbar_items %]
         <li[% ' class="active"' IF vars.nav == ni.tag %]>
-          <a href="[% uri_for(ni.path) %]">[% ni.label | html_entity %]</a>
+          <a href="[% uri_for(ni.path) | none %]">[% ni.label | html_entity %]</a>
         </li>
         [% END %]
         [% IF settings._reports.size %]
@@ -106,32 +106,32 @@
           <a href="#" class="dropdown-toggle" data-toggle="dropdown">Admin <b class="caret"></b></a>
           <ul class="dropdown-menu">
           <li>
-            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/discoverall') %]">
+            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/discoverall') | none %]">
               <button type="submit" class="btn btn-link nd_btn-link">Discover All</button>
             </form>
           </li>
           <li>
-            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/arpwalk') %]">
+            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/arpwalk') | none %]">
               <button type="submit" class="btn btn-link nd_btn-link">Arpnip All</button>
             </form>
           </li>
           <li>
-            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/macwalk') %]">
+            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/macwalk') | none %]">
               <button type="submit" class="btn btn-link nd_btn-link">Macsuck All</button>
             </form>
           </li>
           <li>
-            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/nbtwalk') %]">
+            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/nbtwalk') | none %]">
               <button type="submit" class="btn btn-link nd_btn-link">NBTstat All</button>
             </form>
           </li>
           <li>
-            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/expire') %]">
+            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/expire') | none %]">
               <button type="submit" class="btn btn-link nd_btn-link">Run Expire Job</button>
             </form>
           </li>
           <li>
-            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/stats') %]">
+            <form method="post" class="nd_inline-form" action="[% uri_for('/admin/stats') | none %]">
               <button type="submit" class="btn btn-link nd_btn-link">Update Statistics</button>
             </form>
           </li>
@@ -146,9 +146,9 @@
         </li> <!-- /dropdown -->
         [% END %]
       </ul>
-      <form class="navbar-search pull-left" method="get" action="[% uri_for('/search') %]">
+      <form class="navbar-search pull-left" method="get" action="[% uri_for('/search') | none %]">
         <input placeholder="Find Anything" class="search-query span3"
-          id="nq" name="q" value="[% display_name %]" type="text" autocomplete="off"/>
+          id="nq" name="q" value="[% display_name | html_entity %]" type="text" autocomplete="off"/>
         <input name="firstsearch" type="hidden" value="on">
         <div class="btn-group nd_navbar-search-group">
           <button class="btn btn-inverse nd_navbar-search-icon">
@@ -182,10 +182,10 @@
           </a>
           <ul class="dropdown-menu">
           [% IF NOT ( user_has_role('ldap') OR user_has_role('radius') ) %]
-            <li><a href="[% uri_for('/password') %]">Change Password</a></li>
+            <li><a href="[% uri_for('/password') | none %]">Change Password</a></li>
           [% END %]
           [% IF NOT settings.no_auth %]
-            <li><a href="[% uri_for('/logout') %]">Log Out</a></li>
+            <li><a href="[% uri_for('/logout') | none %]">Log Out</a></li>
           [% END %]
           </ul>
         </li> <!-- /dropdown -->
@@ -195,7 +195,7 @@
   </div>
 </div>
 
-[% content %]
+[% content | none %]
 
 <script type="text/javascript">
 [%+ INCLUDE 'js/common.js' -%]
diff --git a/share/views/password.tt b/share/views/password.tt
index f8444219..6091dc29 100644
--- a/share/views/password.tt
+++ b/share/views/password.tt
@@ -15,7 +15,7 @@
       [% END %]
       <div class="hero-unit">
         <h2>Change Password</h2>
-        <form class="nd_login-form" method="post" action="[% uri_for('/password') %]">
+        <form class="nd_login-form" method="post" action="[% uri_for('/password') | none %]">
           <div class="form-horizontal">
             <input placeholder="Current Password" class="span2" name="old" type="password" required="required"/><br/>
             <input placeholder="New Password" class="span2" name="new" type="password" required="required"/>
diff --git a/share/views/report.tt b/share/views/report.tt
index 16792d92..505cce47 100644
--- a/share/views/report.tt
+++ b/share/views/report.tt
@@ -9,14 +9,14 @@
         rel="tooltip" data-placement="left" data-offset="5" data-title="Unpin Sidebar" data-container="body"></i>
 
       <div class="tab-content">
-        <div id="[% report.tag %]_search" class="tab-pane active">
-          <form id="[% report.tag %]_form" class="nd_sidebar-form form-stacked"
-              method="get" action="[% uri_for('/report') %]">
+        <div id="[% report.tag | html_entity %]_search" class="tab-pane active">
+          <form id="[% report.tag | html_entity %]_form" class="nd_sidebar-form form-stacked"
+              method="get" action="[% uri_for('/report') | none %]">
             [% TRY %]
-            <script type="text/javascript">has_sidebar["[% report.tag %]"] = 1;</script>
+            <script type="text/javascript">has_sidebar["[% report.tag | html_entity %]"] = 1;</script>
             [% INCLUDE "sidebar/report/${report.tag}.tt" %]
             [% CATCH %]
-            <script type="text/javascript">has_sidebar["[% report.tag %]"] = 0;</script>
+            <script type="text/javascript">has_sidebar["[% report.tag | html_entity %]"] = 0;</script>
             [% INCLUDE "sidebar/report/generic_report.tt" %]
             [% END %]
           </form>
@@ -27,13 +27,13 @@
 
   <div class="content">
     <ul id="nd_search-results" class="nav nav-tabs">
-      <li class="active"><a id="[% report.tag %]_link" class="nd_single-tab"
-        href="#[% report.tag %]_pane">[% report.label %]</a></li>
+      <li class="active"><a id="[% report.tag | html_entity %]_link" class="nd_single-tab"
+        href="#[% report.tag | html_entity %]_pane">[% report.label | html_entity %]</a></li>
       [% IF report.tag == 'portlog' %]
       <span id="nd_device-name">
-        <a href="[% device_ports %]&q=[% params.q | uri %]">[% params.q %]</a>
+        <a href="[% device_ports | none %]&q=[% params.q | uri %]">[% params.q | html_entity %]</a>
         -
-        <a href="[% device_ports %]&q=[% params.q | uri %]&f=[% params.f | uri %]">[% params.f %]</a>
+        <a href="[% device_ports | none %]&q=[% params.q | uri %]&f=[% params.f | uri %]">[% params.f | html_entity %]</a>
       </span>
       [% ELSIF report.provides_csv %]
       <span id="nd_device-name">
@@ -44,7 +44,7 @@
       [% END %]
     </ul>
     <div class="tab-content">
-      <div class="tab-pane active" id="[% report.tag %]_pane"></div>
+      <div class="tab-pane active" id="[% report.tag | html_entity %]_pane"></div>
   </div>
 </div>
 
diff --git a/share/views/search.tt b/share/views/search.tt
index cac087d3..cca080bf 100644
--- a/share/views/search.tt
+++ b/share/views/search.tt
@@ -9,16 +9,16 @@
         rel="tooltip" data-placement="left" data-offset="5" data-title="Pin Sidebar" data-container="body"></i>
       <div class="tab-content">
         [% FOREACH tab IN settings._search_tabs %]
-        <div id="[% tab.tag %]_search" class="tab-pane [% 'active' IF params.tab == tab.tag %]">
-          <form id="[% tab.tag %]_form" class="nd_sidebar-form form-stacked" method="get" action="[% uri_for('/search') %]">
-            <input name="tab" value="[% tab.tag %]" type="hidden"/>
+        <div id="[% tab.tag | html_entity %]_search" class="tab-pane [% 'active' IF params.tab == tab.tag %]">
+          <form id="[% tab.tag | html_entity %]_form" class="nd_sidebar-form form-stacked" method="get" action="[% uri_for('/search') | none %]">
+            <input name="tab" value="[% tab.tag | html_entity %]" type="hidden"/>
             [% TRY %]
-            <script type="text/javascript">has_sidebar["[% tab.tag %]"] = 1;</script>
+            <script type="text/javascript">has_sidebar["[% tab.tag | html_entity %]"] = 1;</script>
             [% INCLUDE "sidebar/search/${tab.tag}.tt" %]
             [% CATCH %]
-            <!-- no "[% tab.tag %]" search options -->
+            <!-- no "[% tab.tag | html_entity %]" search options -->
             <input name="q" value="[% params.q | html_entity %]" type="hidden"/>
-            <script type="text/javascript">has_sidebar["[% tab.tag %]"] = 0;</script>
+            <script type="text/javascript">has_sidebar["[% tab.tag | html_entity %]"] = 0;</script>
             [% END %]
           </form>
         </div> <!-- /tab-pane -->
@@ -30,7 +30,7 @@
   <div class="content">
     <ul id="nd_search-results" class="nav nav-tabs">
       [% FOREACH tab IN settings._search_tabs %]
-      <li[% ' class="active"' IF params.tab == tab.tag %]><a id="[% tab.tag %]_link" href="#[% tab.tag %]_pane">[% tab.label %]</a></li>
+      <li[% ' class="active"' IF params.tab == tab.tag %]><a id="[% tab.tag | html_entity %]_link" href="#[% tab.tag | html_entity %]_pane">[% tab.label | html_entity %]</a></li>
       [% END %]
       <span id="nd_device-name">
         <a id="nd_csv-download" href="#" download="netdisco.csv">
@@ -40,7 +40,7 @@
     </ul>
     <div class="tab-content">
       [% FOREACH tab IN settings._search_tabs %]
-      <div class="tab-pane[% ' active' IF params.tab == tab.tag %]" id="[% tab.tag %]_pane"></div>
+      <div class="tab-pane[% ' active' IF params.tab == tab.tag %]" id="[% tab.tag | html_entity %]_pane"></div>
       [% END %]
   </div>
 </div>
diff --git a/share/views/sidebar/device/netmap.tt b/share/views/sidebar/device/netmap.tt
index e7e08db9..a72c3d25 100644
--- a/share/views/sidebar/device/netmap.tt
+++ b/share/views/sidebar/device/netmap.tt
@@ -82,7 +82,7 @@
               rel="tooltip" data-placement="left" data-offset="5" data-title="Host Groups">
               [% FOREACH opt IN hgroup_list.pairs %]
               <option[% ' selected="selected"' IF hgroup_lkp.exists(opt.key) %]
-                value="[% opt.key %]">[% opt.value | html_entity %]</option>
+                value="[% opt.key | html_entity %]">[% opt.value | html_entity %]</option>
               [% END %]
             </select>
             [% END %]
@@ -92,7 +92,7 @@
               rel="tooltip" data-placement="left" data-offset="5" data-title="Device Locations">
               [% FOREACH loc IN lgroup_list %]
               <option[% ' selected="selected"' IF lgroup_lkp.exists(loc) %]
-                value="[% loc %]">[% loc | html_entity %]</option>
+                value="[% loc | html_entity %]">[% loc | html_entity %]</option>
               [% END %]
             </select>
             [% END %]
@@ -132,6 +132,6 @@
 
             </div>
 
-            <button id="[% tab.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% tab.tag | html_entity %]_submit" type="submit" class="btn btn-info">
                 <i class="icon-pencil icon-large pull-left nd_navbar-icon"></i>
             Redraw Map</button>
diff --git a/share/views/sidebar/device/ports.tt b/share/views/sidebar/device/ports.tt
index 9184345f..f893b7ae 100644
--- a/share/views/sidebar/device/ports.tt
+++ b/share/views/sidebar/device/ports.tt
@@ -89,7 +89,7 @@
                     <em class="muted">MAC address format:</em><br/>
                     <select id="nd_mac-format" name="mac_format">
                       [% FOREACH format IN [ 'IEEE', 'Cisco', 'Microsoft', 'Sun' ] %]
-                      <option[% ' selected="selected"' IF vars.sidebar_defaults.device_ports.mac_format == format %]>[% format %]</option>
+                      <option[% ' selected="selected"' IF vars.sidebar_defaults.device_ports.mac_format == format %]>[% format | html_entity %]</option>
                       [% END %]
                     </select>
                   </li>
@@ -116,12 +116,12 @@
                     <em class="muted">Mark as Free if Down for:</em><br/>
                     <select id="nd_days-select" name="age_num">
                       [% FOREACH count IN [1..31] %]
-                      <option[% ' selected="selected"' IF vars.sidebar_defaults.device_ports.age_num == count %]>[% count %]</option>
+                      <option[% ' selected="selected"' IF vars.sidebar_defaults.device_ports.age_num == count %]>[% count | html_entity %]</option>
                       [% END %]
                     </select>
                     <select id="nd_age-select" name="age_unit">
                       [% FOREACH unit IN [ 'days', 'weeks', 'months', 'years' ] %]
-                      <option[% ' selected="selected"' IF vars.sidebar_defaults.device_ports.age_unit == unit %]>[% unit %]</option>
+                      <option[% ' selected="selected"' IF vars.sidebar_defaults.device_ports.age_unit == unit %]>[% unit | html_entity %]</option>
                       [% END %]
                     </select>
                   </li>
@@ -140,7 +140,7 @@
               </div>
             </div>
             <div class="btn-group">
-              <button id="[% tab.tag %]_submit" type="submit" class="btn btn-info nd_sidebar-btn-drop">
+              <button id="[% tab.tag | html_entity %]_submit" type="submit" class="btn btn-info nd_sidebar-btn-drop">
                 <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Update View</button>
               <button class="btn btn-info dropdown-toggle nd_sidebar-btn-drop-drop" data-toggle="dropdown">
                 <span class="caret"></span>
diff --git a/share/views/sidebar/report/ipinventory.tt b/share/views/sidebar/report/ipinventory.tt
index b8ddb524..02c622f3 100644
--- a/share/views/sidebar/report/ipinventory.tt
+++ b/share/views/sidebar/report/ipinventory.tt
@@ -37,7 +37,7 @@
                     <select id="nd_mac-format" class="nd_side-select" name="limit">
                       [% FOREACH size IN [ '32', '64', '128', '256', '512', '1024', '2048', '4096', '8192' ] %]
                       <option[% ' selected="selected"' IF (params.limit == size OR (NOT params.limit AND size == 2048)) %]>
-                        [% size %]</option>
+                        [% size | html_entity %]</option>
                       [% END %]
                     </select>
                   </li>
@@ -55,6 +55,6 @@
               </div>
             </fieldset>
 
-            <button id="[% report.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% report.tag | html_entity %]_submit" type="submit" class="btn btn-info">
              <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search IPs</button>
 
diff --git a/share/views/sidebar/report/moduleinventory.tt b/share/views/sidebar/report/moduleinventory.tt
index 0414ba9a..49cb754f 100644
--- a/share/views/sidebar/report/moduleinventory.tt
+++ b/share/views/sidebar/report/moduleinventory.tt
@@ -74,5 +74,5 @@
               </label>
             </div>
             </fieldset>
-            <button id="[% tab.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% tab.tag | html_entity %]_submit" type="submit" class="btn btn-info">
               <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search Modules</button>
diff --git a/share/views/sidebar/report/netbios.tt b/share/views/sidebar/report/netbios.tt
index 4544aefe..48bbe73a 100644
--- a/share/views/sidebar/report/netbios.tt
+++ b/share/views/sidebar/report/netbios.tt
@@ -14,6 +14,6 @@
               </select>
             </div>
 
-            <button id="[% report.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% report.tag | html_entity %]_submit" type="submit" class="btn btn-info">
              <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search NetBIOS</button>
 
diff --git a/share/views/sidebar/report/nodesdiscovered.tt b/share/views/sidebar/report/nodesdiscovered.tt
index 4969ab74..5ffc8b6b 100644
--- a/share/views/sidebar/report/nodesdiscovered.tt
+++ b/share/views/sidebar/report/nodesdiscovered.tt
@@ -48,5 +48,5 @@
                 <span class="nd_searchcheckbox uneditable-input">Match All Options</span>
               </label>
             </div>
-            <button id="[% tab.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% tab.tag | html_entity %]_submit" type="submit" class="btn btn-info">
               <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search Nodes</button>
diff --git a/share/views/sidebar/report/nodevendor.tt b/share/views/sidebar/report/nodevendor.tt
index 83eac4ee..ff0963a0 100644
--- a/share/views/sidebar/report/nodevendor.tt
+++ b/share/views/sidebar/report/nodevendor.tt
@@ -35,6 +35,6 @@
                 </div>
             </fieldset>
 
-            <button id="[% report.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% report.tag | html_entity %]_submit" type="submit" class="btn btn-info">
              <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search Vendors</button>
 
diff --git a/share/views/sidebar/report/portmultinodes.tt b/share/views/sidebar/report/portmultinodes.tt
index ff59ed21..c78f03e4 100644
--- a/share/views/sidebar/report/portmultinodes.tt
+++ b/share/views/sidebar/report/portmultinodes.tt
@@ -5,6 +5,6 @@
                 name="vlan" value="[% params.vlan | html_entity %]" type="text"
                 rel="tooltip" data-placement="left" data-offset="5" data-title="VLAN"/>
             </div>
-            <button id="[% tab.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% tab.tag | html_entity %]_submit" type="submit" class="btn btn-info">
                 <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search Ports</button>
 
diff --git a/share/views/sidebar/report/portssid.tt b/share/views/sidebar/report/portssid.tt
index 05707147..e242d9e5 100644
--- a/share/views/sidebar/report/portssid.tt
+++ b/share/views/sidebar/report/portssid.tt
@@ -10,6 +10,6 @@
               </select>
             </div>
 
-            <button id="[% report.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% report.tag | html_entity %]_submit" type="submit" class="btn btn-info">
              <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search SSID</button>
 
diff --git a/share/views/sidebar/report/portutilization.tt b/share/views/sidebar/report/portutilization.tt
index 2dc17336..962e9cd5 100644
--- a/share/views/sidebar/report/portutilization.tt
+++ b/share/views/sidebar/report/portutilization.tt
@@ -4,16 +4,16 @@
               <em class="muted">Mark as Free if Down for:</em><br/>
               <select id="nd_days-select" name="age_num">
                 [% FOREACH count IN [1..31] %]
-                <option[% ' selected="selected"' IF vars.sidebar_defaults.report_portutilization.age_num == count %]>[% count %]</option>
+                <option[% ' selected="selected"' IF vars.sidebar_defaults.report_portutilization.age_num == count %]>[% count | html_entity %]</option>
                 [% END %]
               </select>
               <select id="nd_age-select" name="age_unit">
                 [% FOREACH unit IN [ 'days', 'weeks', 'months', 'years' ] %]
-                <option[% ' selected="selected"' IF vars.sidebar_defaults.report_portutilization.age_unit == unit %]>[% unit %]</option>
+                <option[% ' selected="selected"' IF vars.sidebar_defaults.report_portutilization.age_unit == unit %]>[% unit | html_entity %]</option>
                 [% END %]
               </select>
             </div>
 
-            <button id="[% report.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% report.tag | html_entity %]_submit" type="submit" class="btn btn-info">
              <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Run Report</button>
 
diff --git a/share/views/sidebar/report/subnets.tt b/share/views/sidebar/report/subnets.tt
index 55314be6..9bbfe0b6 100644
--- a/share/views/sidebar/report/subnets.tt
+++ b/share/views/sidebar/report/subnets.tt
@@ -28,5 +28,5 @@
               </div>
             </fieldset>
 
-            <button id="[% report.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% report.tag | html_entity %]_submit" type="submit" class="btn btn-info">
              <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search Subnets</button>
diff --git a/share/views/sidebar/search/device.tt b/share/views/sidebar/search/device.tt
index fe1775f5..b6d948c3 100644
--- a/share/views/sidebar/search/device.tt
+++ b/share/views/sidebar/search/device.tt
@@ -95,5 +95,5 @@
                 <span class="nd_searchcheckbox uneditable-input">Match All Options</span>
               </label>
             </div>
-            <button id="[% tab.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% tab.tag | html_entity %]_submit" type="submit" class="btn btn-info">
               <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search Devices</button>
diff --git a/share/views/sidebar/search/node.tt b/share/views/sidebar/search/node.tt
index fbc6e84b..80560d31 100644
--- a/share/views/sidebar/search/node.tt
+++ b/share/views/sidebar/search/node.tt
@@ -65,10 +65,10 @@
               <em class="muted">MAC address format:</em><br/>
               <select id="nd_node-mac-format" name="mac_format">
                 [% FOREACH format IN [ 'IEEE', 'Cisco', 'Microsoft', 'Sun' ] %]
-                <option[% ' selected="selected"' IF vars.sidebar_defaults.search_node.mac_format == format %]>[% format %]</option>
+                <option[% ' selected="selected"' IF vars.sidebar_defaults.search_node.mac_format == format %]>[% format | html_entity %]</option>
                 [% END %]
               </select>
             </div>
-            <button id="[% tab.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% tab.tag | html_entity %]_submit" type="submit" class="btn btn-info">
               <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search Nodes</button>
 
diff --git a/share/views/sidebar/search/port.tt b/share/views/sidebar/search/port.tt
index b30ad5c6..92dd491f 100644
--- a/share/views/sidebar/search/port.tt
+++ b/share/views/sidebar/search/port.tt
@@ -28,5 +28,5 @@
                 <span class="nd_searchcheckbox uneditable-input">Ethernet Only</span>
               </label>
             </div>
-            <button id="[% tab.tag %]_submit" type="submit" class="btn btn-info">
+            <button id="[% tab.tag | html_entity %]_submit" type="submit" class="btn btn-info">
               <i class="icon-search icon-large pull-left nd_navbar-icon"></i> Search Ports</button>