templates: fix javascript escaping

2022-01-27 21:51:50 +01:00
parent f90f71c529
commit b707cbe449
27 changed files with 105 additions and 102 deletions
--- a/website/agenda/planung/templates/assign-series.html
+++ b/website/agenda/planung/templates/assign-series.html
@@ -63,11 +63,11 @@
                <input type="hidden" name="studio_id" value="<TMPL_VAR .studio_id>">
                <input type="hidden" name="series_id" value="<TMPL_VAR .series_id>">	
                <button target="_blank"
-                    onclick="assign_series('<TMPL_VAR .project_id>', '<TMPL_VAR .studio_id>', $('#series_id').val());return false;"
+                    onclick="assign_series('<TMPL_VAR .project_id escape=js>', '<TMPL_VAR .studio_id escape=js>', $('#series_id').val());return false;"
                    style="float:left"
                >assign</button>
                <button target="_blank"
-                    onclick="unassign_series('<TMPL_VAR .project_id>', '<TMPL_VAR .studio_id>', $('#series_id').val());return false;"
+                    onclick="unassign_series('<TMPL_VAR .project_id escape=js>', '<TMPL_VAR .studio_id escape=js>', $('#series_id').val());return false;"
                    style="float:left"
                >unassign</button>
            </form>
--- a/website/agenda/planung/templates/assignments.html
+++ b/website/agenda/planung/templates/assignments.html
@@ -4,7 +4,7 @@
 	<script src="js/jquery.tablesorter.min.js"></script>
    <script src="js/image.js" type="text/javascript"></script>
    <script>
-        var event_id='<TMPL_VAR event_id>';
+        var event_id='<TMPL_VAR event_id escape=js>';
        <TMPL_IF .getBack>
            $(document).ready(
                function(){
@@ -113,7 +113,7 @@ found <TMPL_VAR sum_events> unassigned events for project <b><TMPL_VAR project_n
            <input type="hidden" name="event_ids" value="<TMPL_VAR .event_id>">	
            <input type="hidden" name="action" value="assign_events">
            <button target="_blank"
-                onclick="assign_series_events('<TMPL_VAR .project_id>', '<TMPL_VAR .studio_id>', $('#series_id').val());return false;"
+                onclick="assign_series_events('<TMPL_VAR .project_id escape=js>', '<TMPL_VAR .studio_id escape=js>', $('#series_id').val());return false;"
                style="float:left"
            >assign</button>
        </form>
--- a/website/agenda/planung/templates/comments.html
+++ b/website/agenda/planung/templates/comments.html
@@ -8,8 +8,8 @@
    <script src="js/comment.js" type="text/javascript"></script>
    <script src="js/page-leave-handler.js" type="text/javascript"></script>
    <script>
-        var region='<TMPL_VAR loc.region>';
-        var event_id='<TMPL_VAR event_id>';
+        var region='<TMPL_VAR loc.region escape=js>';
+        var event_id='<TMPL_VAR event_id escape=js>';
        var selectImageId='';
        <TMPL_IF .event_edited>
            $(document).ready(
@@ -53,7 +53,7 @@
            <div>
                <table class="event_comments"><tbody><tr>
                    <td class="event_show_comments" >
-                        <a href="#event_<TMPL_VAR id>_comments" onclick="showEventComments('<TMPL_VAR id>');return false;" title="zeige Kommentare">    
+                        <a href="#event_<TMPL_VAR id>_comments" onclick="showEventComments('<TMPL_VAR id escape=js>');return false;" title="zeige Kommentare">    
                            <TMPL_VAR comment_count> <TMPL_VAR .loc.label_comments>
                        </a>
                    </td>
--- a/website/agenda/planung/templates/default.html
+++ b/website/agenda/planung/templates/default.html
@@ -53,7 +53,7 @@
 <div><a href="user-stats.cgi?project_id=<TMPL_VAR project_id>&studio_id=<TMPL_VAR default_studio_id>&action=show-user-stats"><img src="image/activity.svg">&nbsp;<TMPL_VAR .loc.user-stats></a></div>
 </TMPL_IF>

-<div title="<TMPL_VAR .loc.profile>"><a href="user-settings.cgi?project_id=<TMPL_VAR project_id>&studio_id=<TMPL_VAR default_studio_id>"><img src="image/settings.svg">>&nbsp;<TMPL_VAR .loc.profile></a></div>
+<div title="<TMPL_VAR .loc.profile>"><a href="user-settings.cgi?project_id=<TMPL_VAR project_id>&studio_id=<TMPL_VAR default_studio_id>"><img src="image/settings.svg">&nbsp;<TMPL_VAR .loc.profile></a></div>

 <div title="<TMPL_VAR .loc.help>"><a href="help.cgi?project_id=<TMPL_VAR project_id>&studio_id=<TMPL_VAR default_studio_id>"><img src="image/help.svg">&nbsp;<TMPL_VAR .loc.help></a></div>

@@ -62,23 +62,20 @@
 </div>

 <div class="mobile">
-<img src="image/home.svg">
 <select id="studio_id" name="studio_id" onchange="set_studio($(this).val())">
 <TMPL_LOOP .presets.studios>
-<option value="<TMPL_VAR id>" <TMPL_IF selected> selected="selected"</TMPL_IF> ><TMPL_VAR name></option>
+<option value="<TMPL_VAR id>" <TMPL_IF selected> selected="selected"</TMPL_IF> ><img src="image/home.svg"><TMPL_VAR name></option>
 </TMPL_LOOP>
 </select>
-<img src="image/arrow-down.svg">
 </div>

 <div class="mobile">
-<img src="image/antenna.svg">
 <select id="project_id" name="project_id" onchange="set_project($(this).val())">
 <TMPL_LOOP .presets.projects>
-<option value="<TMPL_VAR project_id>" <TMPL_IF selected> selected="selected"</TMPL_IF> ><TMPL_VAR name></option>
+<option value="<TMPL_VAR project_id>" <TMPL_IF selected> selected="selected"</TMPL_IF> ><img src="image/home.svg">
+<TMPL_VAR name></option>
 </TMPL_LOOP>
 </select>
-<img src="image/arrow-down.svg">
 </div>

 <div><a href="/" ><img src="image/preview.svg">&nbsp;<TMPL_VAR .loc.preview></a></div>
--- a/website/agenda/planung/templates/edit-comment.html
+++ b/website/agenda/planung/templates/edit-comment.html
@@ -29,13 +29,13 @@
                <td>
                <TMPL_IF .allow.update_comment_status_read>
                    <button 
-                        onclick="setCommentStatusRead('<TMPL_VAR id>','<TMPL_VAR event_id>','<TMPL_IF received>unread</TMPL_IF><TMPL_IF unread>received</TMPL_IF>');return false;">
+                        onclick="setCommentStatusRead('<TMPL_VAR id escape=js>','<TMPL_VAR event_id escape=js>','<TMPL_IF received>unread</TMPL_IF><TMPL_IF unread>received</TMPL_IF>');return false;">
                        <TMPL_IF received><TMPL_VAR .loc.label_status_unread></TMPL_IF><TMPL_IF unread><TMPL_VAR .loc.label_status_read></TMPL_IF>
                    </button>
                </TMPL_IF>
                <TMPL_IF .allow.update_comment_status_lock>
                    <button
-                        onclick="setCommentStatusLock('<TMPL_VAR id>','<TMPL_VAR event_id>','<TMPL_IF blocked>show</TMPL_IF><TMPL_IF show>blocked</TMPL_IF>');return false;">
+                        onclick="setCommentStatusLock('<TMPL_VAR id escape=js>','<TMPL_VAR event_id escape=js>','<TMPL_IF blocked>show</TMPL_IF><TMPL_IF show>blocked</TMPL_IF>');return false;">
                        <TMPL_IF blocked><TMPL_VAR .loc.label_status_show></TMPL_IF><TMPL_IF show><TMPL_VAR .loc.label_status_hide></TMPL_IF>
                    </button>
                </TMPL_IF>
--- a/website/agenda/planung/templates/edit-event.html
+++ b/website/agenda/planung/templates/edit-event.html
@@ -15,8 +15,8 @@
    <script src="js/comment.js" type="text/javascript"></script>
    <script src="js/page-leave-handler.js" type="text/javascript"></script>
    <script>
-        var region='<TMPL_VAR loc.region>';
-        var event_id='<TMPL_VAR event_id>';
+        var region='<TMPL_VAR loc.region escape=js>';
+        var event_id='<TMPL_VAR event_id escape=js>';
        var selectImageId='';
        <TMPL_IF .forced_change>pageHasChangedCounter=1;</TMPL_IF>
        <TMPL_IF .event_edited>
@@ -29,7 +29,7 @@
        </TMPL_IF>
        $(document).ready(
            function(){
-                loadComments('<TMPL_VAR .event_id>', function(){
+                loadComments('<TMPL_VAR .event_id escape=js>', function(){
                    // initially hide comments
                    $('#event_<TMPL_VAR id>_comments').hide();
                    if ($('#comments table').length==0){
@@ -66,7 +66,7 @@
    <TMPL_IF series_id>
        <TMPL_IF .allow.read_series>
        <button 
-            onclick="view_series_details('<TMPL_VAR series_id>','<TMPL_VAR .studio_id>','<TMPL_VAR .project_id>')" 
+            onclick="view_series_details('<TMPL_VAR series_id escape=js>','<TMPL_VAR .studio_id escape=js>','<TMPL_VAR .project_id escape=js>')" 
            style="float:left"
            ><TMPL_VAR .loc.button_edit_series>
        </button>
@@ -160,7 +160,7 @@
    <TMPL_IF .allow.read_comment>
        <button id="showComment" 
            class="text"
-            onclick="showEventComments('<TMPL_VAR id>')"
+            onclick="showEventComments('<TMPL_VAR id escape=js>')"
        ><TMPL_VAR .loc.label_comments></button>
    </TMPL_IF>

@@ -178,7 +178,7 @@
            </div>

            <div class="panel-body">
-                <div onclick="selectOldEventFromSeries('rerunEventId','<TMPL_VAR start_date>'); updateCheckBox($(this).find('input:radio'),true);"
+                <div onclick="selectOldEventFromSeries('rerunEventId','<TMPL_VAR start_date escape=js>'); updateCheckBox($(this).find('input:radio'),true);"
                    class="option"
                >
                    <input type="radio" name="group" class="default"> 
@@ -477,7 +477,7 @@
            </td> 
            <td>
                <TMPL_IF .allow.update_event_field_image>
-                    <button onclick="selectImage('<TMPL_VAR series_name escape=HTML>', '<TMPL_VAR image ESCAPE=url>', 'event', '<TMPL_VAR .project_id>','<TMPL_VAR .studio_id>','<TMPL_VAR series_id>','<TMPL_VAR event_id>'); return false;"
+                    <button onclick="selectImage('<TMPL_VAR series_name escape=js>', '<TMPL_VAR image escape=js>', 'event', '<TMPL_VAR .project_id escape=js>','<TMPL_VAR .studio_id escape=js>','<TMPL_VAR series_id escape=js>','<TMPL_VAR event_id escape=js>'); return false;"
                        class="selectImage"
                    >
                        <img id="imagePreview" src="show-image.cgi?project_id=<TMPL_VAR project_id>&studio_id=<TMPL_VAR studio_id>&filename=<TMPL_VAR image>&type=icon">
@@ -555,13 +555,6 @@
                ><TMPL_VAR .loc.button_save></button>
            </TMPL_IF>
        </TMPL_IF>
-        <TMPL_IF .allow.delete_event>
-            <TMPL_UNLESS new_event>
-                <button type="submit" name="action" value="delete"
-                    onclick="leavePage();commitForm('event_<TMPL_VAR event_id>','delete','delete event');return false;"
-                ><TMPL_VAR .loc.button_delete></button>
-            </TMPL_UNLESS>
-        </TMPL_IF>
    </div>

    </TMPL_UNLESS>
@@ -571,7 +564,7 @@

 <TMPL_IF .allow.read_comment>
 <div id="comments" class="panel">
-    <button id="showComment" onclick="showEventComments('<TMPL_VAR id>')"><TMPL_VAR .loc.label_comments></button>
+    <button id="showComment" onclick="showEventComments('<TMPL_VAR id escape=js>')"><TMPL_VAR .loc.label_comments></button>
    <div class="event" id="event_<TMPL_VAR id>_comments" style="line-height:100%;display:none;"> </div>
 </div>
 </TMPL_IF>
--- a/website/agenda/planung/templates/edit-image.html
+++ b/website/agenda/planung/templates/edit-image.html
@@ -11,18 +11,18 @@ found no image
 <div id="imageEditor" class="editor">

    <TMPL_IF public>
-        <button onclick="assignImage('<TMPL_VAR filename escape=none>', '<TMPL_VAR .target>', '<TMPL_VAR .project_id>', '<TMPL_VAR .studio_id>', '<TMPL_VAR .series_id>', '<TMPL_VAR .event_id>', '<TMPL_VAR .pid>'); return false">
+        <button onclick="assignImage('<TMPL_VAR filename  escape=js>', '<TMPL_VAR .target escape=js>', '<TMPL_VAR .project_id escape=js>', '<TMPL_VAR .studio_id escape=js>', '<TMPL_VAR .series_id escape=js>', '<TMPL_VAR .event_id escape=js>', '<TMPL_VAR .pid escape=js>'); return false">
            <TMPL_VAR .label_assign_to_by_label>
        </button>

-        <button onclick="depublishImage('<TMPL_VAR id>', '<TMPL_VAR filename escape=none>'); return false;"><TMPL_VAR .loc.button_depublish></button>
+        <button onclick="depublishImage('<TMPL_VAR id escape=js>', '<TMPL_VAR filename  escape=js>'); return false;"><TMPL_VAR .loc.button_depublish></button>

    <TMPL_ELSE>
        <div class="warn"><TMPL_VAR .label_warn_not_public_by_label></div>
        <TMPL_IF missing_licence>
            <div class="warn"><TMPL_VAR .loc.label_warn_unknown_licence></div>
        <TMPL_ELSE>
-            <button onclick="publishImage('<TMPL_VAR id>', '<TMPL_VAR filename escape=none>'); return false;"><TMPL_VAR .loc.button_publish></button>
+            <button onclick="publishImage('<TMPL_VAR id escape=js>', '<TMPL_VAR filename  escape=js>'); return false;"><TMPL_VAR .loc.button_publish></button>
        </TMPL_IF>
    </TMPL_IF>

@@ -32,7 +32,7 @@ found no image
    <form id="save_img_<TMPL_VAR id>"
 	    method="post" 
 	    action="image.cgi" 
-	    onsubmit="saveImage('<TMPL_VAR id>','<TMPL_VAR filename>');return false;"
+	    onsubmit="saveImage('<TMPL_VAR id escape=js>','<TMPL_VAR filename escape=js>');return false;"
    >   

        <input type="hidden" name="project_id" value="<TMPL_VAR .project_id>">
@@ -54,7 +54,7 @@ found no image
        </TMPL_IF>

        <TMPL_IF name="delete_image">
-            <button onclick="askDeleteImage('img_<TMPL_VAR id escape=none>','<TMPL_VAR filename escape=none>');return false;"><TMPL_VAR .loc.button_delete></button>
+            <button onclick="askDeleteImage('img_<TMPL_VAR id escape=js>','<TMPL_VAR filename escape=js>');return false;"><TMPL_VAR .loc.button_delete></button>
        </TMPL_IF>

        <button onclick='$("#save_img_<TMPL_VAR id> #properties").show();return false;'><TMPL_VAR .loc.button_properties></button>
--- a/website/agenda/planung/templates/edit-series.html
+++ b/website/agenda/planung/templates/edit-series.html
@@ -4,8 +4,8 @@
 	<script src="js/jquery.tablesorter.min.js"></script>
    <script src="js/image.js" type="text/javascript"></script>
    <script>
-        var region='<TMPL_VAR loc.region>';
-        var event_id='<TMPL_VAR event_id>';
+        var region='<TMPL_VAR loc.region escape=js>';
+        var event_id='<TMPL_VAR event_id escape=js>';
        var selectImageId='';
        <TMPL_IF .forced_change>pageHasChangedCounter=1;</TMPL_IF>
        <TMPL_IF .getBack>
@@ -127,9 +127,9 @@
 			         <td>
                    <TMPL_IF .allow.read_image>
                        <button class="selectImage" 
-                            onclick="selectImage('<TMPL_VAR series_name escape=HTML>', '<TMPL_VAR image ESCAPE=url>', 'series', '<TMPL_VAR .project_id>','<TMPL_VAR .studio_id>','<TMPL_VAR series_id>'); return false;"
+                            onclick="selectImage('<TMPL_VAR series_name escape=js>', '<TMPL_VAR image escape=js>', 'series', '<TMPL_VAR .project_id escape=js>','<TMPL_VAR .studio_id escape=js>','<TMPL_VAR series_id escape=js>'); return false;"
                        >
-                            <img id="imagePreview" src="show-image.cgi?project_id=<TMPL_VAR .project_id>&studio_id=<TMPL_VAR .studio_id>&filename=<TMPL_VAR image>&type=icon">
+                            <img id="imagePreview" src="show-image.cgi?project_id=<TMPL_VAR .project_id>&studio_id=<TMPL_VAR .studio_id>&filename=<TMPL_VAR image escape=js>&type=icon">
                        </button>

                        <input type="hidden" name="series_image" value="<TMPL_VAR series_image>" > 
@@ -178,7 +178,7 @@
                    ><TMPL_VAR .loc.button_save_template></button>
 			    </TMPL_IF>
 			    <!--
-			    <button onclick="cancel_edit_series('<TMPL_VAR series_id>');return false;">cancel</button>
+			    <button onclick="cancel_edit_series('<TMPL_VAR series_id escape=js>');return false;">cancel</button>
 			    -->
 		    </div>
 	    </form>
@@ -302,7 +302,7 @@
 					<TMPL_IF .allow.delete_schedule>
 					<div class="cell delete"><br>
 					    <button type="submit" class="text" name="action" value="delete_schedule" 
-                            onclick="commitForm('schedule_<TMPL_VAR schedule_id>','delete_schedule','<TMPL_VAR .loc.button_delete_schedule>');return false;"
+                            onclick="commitForm('schedule_<TMPL_VAR schedule_id escape=js>','delete_schedule','<TMPL_VAR .loc.button_delete_schedule escape=js>');return false;"
                        ><TMPL_VAR .loc.button_delete_schedule></button>
                    </div>
 					</TMPL_IF>
@@ -454,7 +454,7 @@
 		<TMPL_LOOP events>
 			<tr id="event_<TMPL_VAR event_id>" style="cursor:pointer"
                <TMPL_IF .allow.update_event>
-                onclick="edit_event('<TMPL_VAR event_id>','<TMPL_VAR .series_id>','<TMPL_VAR .studio_id>','<TMPL_VAR .project_id>','hide_series')"
+                onclick="edit_event('<TMPL_VAR event_id escape=js>','<TMPL_VAR .series_id escape=js>','<TMPL_VAR .studio_id escape=js>','<TMPL_VAR .project_id escape=js>','hide_series')"
                </TMPL_IF>
            >
 			    <TMPL_IF .allow.read_image>
@@ -488,7 +488,7 @@
 		<TMPL_IF .allow.update_series>
 		<tr>
 		    <td>
-			    <button onclick="edit_series_members('<TMPL_VAR .series_id>')" style="float:left"
+			    <button onclick="edit_series_members('<TMPL_VAR .series_id escape=js>')" style="float:left"
 			    ><TMPL_VAR .loc.button_edit_member></button>
 		    </td>
 		    <td colspan="2">
@@ -535,7 +535,7 @@
 					<input type="hidden" name="user_id"    value="<TMPL_VAR user_id>">
 					<input type="hidden" name="action"     value="remove_user">
 					<button type="submit" value="remove user"
-                        onclick="commitForm('series_members_<TMPL_VAR .series_id>_<TMPL_VAR user_id>', 'remove_user', '<TMPL_VAR .loc.button_remove_member>'); return false;"
+                        onclick="commitForm('series_members_<TMPL_VAR .series_id escape=js>_<TMPL_VAR user_id escape=js>', 'remove_user', '<TMPL_VAR .loc.button_remove_member escape=js>'); return false;"
                    ><TMPL_VAR .loc.button_remove_member></button>
 				</form>
 			</div>
--- a/website/agenda/planung/templates/edit-user-roles.html
+++ b/website/agenda/planung/templates/edit-user-roles.html
@@ -60,9 +60,9 @@
 <div class="user">
 	<div id="header">
 		<div style="float:left;font-weight:bold;"><TMPL_VAR name></div>
-		<button onclick="edit_user('<TMPL_VAR id>')">edit</button>
+		<button onclick="edit_user('<TMPL_VAR id escape=js>')">edit</button>
 	</div>
-	<div id="view_<TMPL_VAR id>" class="view">
+	<div id="view_<TMPL_VAR id escape=js>" class="view">
 		<div class="label">name</div> 		<div><TMPL_VAR name> &nbsp;</div>
 		<div class="label">full name</div> 	<div><TMPL_VAR full_name> &nbsp;</div>
 		<div class="label">password</div> 	<div><TMPL_VAR password> &nbsp;</div>
@@ -77,7 +77,7 @@
 		<div class="label">password</div> 	<div><input type="password" name="password2"></div>
 		<div class="label">email</div> 		<div><input name="email" value="<TMPL_VAR email>"></div>
 		<div class="buttons">
-			<button onclick="cancel_edit_user('<TMPL_VAR id>');return false;">cancel</button>
+			<button onclick="cancel_edit_user('<TMPL_VAR id escape=js>');return false;">cancel</button>
 			<input type=submit name="action" value="save">
 			<div class="right"><input type=submit name="action" value="delete"></div>
 			<input type="hidden" name="id" value="<TMPL_VAR id>">	
@@ -88,7 +88,7 @@
 </TMPL_LOOP>

 <div style="clear:both" class="newuser">
-	<button onclick="add_user('<TMPL_VAR name>')">add user</button>
+	<button onclick="add_user('<TMPL_VAR name escape=js>')">add user</button>
 	<div id="edit_new" class="user editor" style="display:none">
 		<form method="post">
 		<div class="label">name</div> 		<div><input name="name" value="<TMPL_VAR name>"></div>
--- a/website/agenda/planung/templates/edit-work-time.html
+++ b/website/agenda/planung/templates/edit-work-time.html
@@ -8,7 +8,7 @@
 	<script src="js/jquery.tablesorter.min.js"></script>
 	
    <script>
-        var region='<TMPL_VAR loc.region>';
+        var region='<TMPL_VAR loc.region escape=js>';
        <TMPL_IF .getBack>
            $(document).ready(
                function(){
@@ -149,7 +149,7 @@
 			<TMPL_IF .allow.delete_schedule>
 			<div class="cell delete"><br>
 			    <button type="submit" name="action" value="delete_schedule" 
-                    onclick="commitForm('schedule_<TMPL_VAR schedule_id>','delete_schedule','<TMPL_VAR .loc.button_delete_schedule>');return false;"
+                    onclick="commitForm('schedule_<TMPL_VAR schedule_id escape=js>','delete_schedule','<TMPL_VAR .loc.button_delete_schedule escape=js>');return false;"
                ><TMPL_VAR .loc.button_delete_schedule></button>
            </div>
 			</TMPL_IF>
--- a/website/agenda/planung/templates/event-history.html
+++ b/website/agenda/planung/templates/event-history.html
@@ -30,7 +30,7 @@


 <script>
-    var region='<TMPL_VAR loc.region>';
+    var region='<TMPL_VAR loc.region escape=js>';
    $(function(){
 	    $('table').tablesorter({
 		    widgets        : ['zebra','filter'],
@@ -50,10 +50,10 @@
        }

        // forward to comparator
-        project_id='<TMPL_VAR .project_id>';
-        studio_id='<TMPL_VAR .studio_id>';
-        series_id='<TMPL_VAR series_id>';
-        event_id="<TMPL_VAR event_id>";
+        project_id='<TMPL_VAR .project_id escape=js>';
+        studio_id='<TMPL_VAR .studio_id escape=js>';
+        series_id='<TMPL_VAR series_id escape=js>';
+        event_id="<TMPL_VAR event_id escape=js>";
        if (project_id=='') return ;
        if (studio_id=='')  return ;
        if (event_id=='')   return ;
--- a/website/agenda/planung/templates/image.html
+++ b/website/agenda/planung/templates/image.html
@@ -74,8 +74,8 @@
        <div>
 	        <form id="image_manager" action="image.cgi">
 		        <input name="search" value="<TMPL_VAR search escape=none>" style="width:20em;">
-		        <input type="hidden" name="filename" value="<TMPL_VAR filename escape=none>">
-		        <button onclick="searchImage('<TMPL_VAR target>', '<TMPL_VAR .project_id>', '<TMPL_VAR .studio_id>', '<TMPL_VAR .series_id>', '<TMPL_VAR .event_id>', '<TMPL_VAR .pid>'); return false;"><TMPL_VAR .loc.button_search></button>
+		        <input type="hidden" name="filename" value="<TMPL_VAR filename escape=js>">
+		        <button onclick="searchImage('<TMPL_VAR target escape=js>', '<TMPL_VAR .project_id escape=js>', '<TMPL_VAR .studio_id escape=js>', '<TMPL_VAR .series_id escape=js>', '<TMPL_VAR .event_id escape=js>', '<TMPL_VAR .pid escape=js>'); return false;"><TMPL_VAR .loc.button_search></button>
 	        </form>
            <TMPL_VAR count> <TMPL_VAR .loc.label_search_hits><br />
            <div class="images" 
@@ -90,7 +90,7 @@
                <TMPL_LOOP images>
 	                <div class="image" 
 		                id="img_<TMPL_VAR id>" 
-		                style="background-image:url('show-image.cgi?project_id=<TMPL_VAR .project_id>&studio_id=<TMPL_VAR .studio_id>&type=icon&filename=<TMPL_VAR filename>')"
+		                style="background-image:url('show-image.cgi?project_id=<TMPL_VAR .project_id escape=js>&studio_id=<TMPL_VAR .studio_id escape=js>&type=icon&filename=<TMPL_VAR filename escape=js>')"
 		                title="<TMPL_VAR description>"
                        filename="<TMPL_VAR filename>"
 	                >
--- a/website/agenda/planung/templates/notify-events.html
+++ b/website/agenda/planung/templates/notify-events.html
@@ -44,8 +44,8 @@
 </style>

 <script>
-    var region='<TMPL_VAR loc.region>';
-    var event_id='<TMPL_VAR event_id>';
+    var region='<TMPL_VAR loc.region escape=js>';
+    var event_id='<TMPL_VAR event_id escape=js>';
    var selectImageId='';
    <TMPL_IF .event_edited>
        $(document).ready(
--- a/website/agenda/planung/templates/projects.html
+++ b/website/agenda/planung/templates/projects.html
@@ -1,14 +1,14 @@
 <script src="js/image.js" type="text/javascript"></script>

 <script type="text/javascript">
-    var region='<TMPL_VAR loc.region>';
+    var region='<TMPL_VAR loc.region escape=js>';
 </script>

 <h2><TMPL_VAR .loc.title></h2>

 <TMPL_IF .allow.create_project>
 <div style="clear:both" class="newproject">
-    <button onclick="add_project('<TMPL_VAR name>')"><TMPL_VAR .loc.button_add_project></button><br/>
+    <button onclick="add_project('<TMPL_VAR name escape=js>')"><TMPL_VAR .loc.button_add_project></button><br/>
    <div id="edit_new" class="panel project editor" style="clear:both;display:none">
        <form method="post">
            <input type="hidden" name="project_id" value="<TMPL_VAR .project_id>">
@@ -41,7 +41,7 @@
    <div class="panel-header">
        <div class="title"><TMPL_VAR title></div>
        <TMPL_IF .allow.update_project>
-            <button class="text" onclick="edit_project('<TMPL_VAR project_id>')"
+            <button class="text" onclick="edit_project('<TMPL_VAR project_id escape=js>')"
            ><TMPL_VAR .loc.button_edit></button>
        </TMPL_IF>
    </div>
@@ -62,7 +62,7 @@
                </TMPL_LOOP><br/>
                </td><td>
                <TMPL_IF .allow.update_project>
-                    <button onclick="edit_project_assignments('<TMPL_VAR project_id>')"
+                    <button onclick="edit_project_assignments('<TMPL_VAR project_id escape=js>')"
                        class="text" style="float:left"
                    ><TMPL_VAR .loc.button_change></button>
                </TMPL_IF>
@@ -94,7 +94,7 @@
                    <td>
                        <button 
                            class="selectImage"
-                            onclick="selectImage('<TMPL_VAR name escape=HTML>', '<TMPL_VAR image ESCAPE=url>', 'projects', '<TMPL_VAR .project_id>','<TMPL_VAR .studio_id>', null, null, '<TMPL_VAR pid>'); return false;"
+                            onclick="selectImage('<TMPL_VAR name escape=HTML escape=js>', '<TMPL_VAR image  escape=js>', 'projects', '<TMPL_VAR .project_id escape=js>','<TMPL_VAR .studio_id escape=js>', null, null, '<TMPL_VAR pid escape=js>'); return false;"
                        >
                            <img id="imagePreview" src="show-image.cgi?project_id=<TMPL_VAR .project_id>&studio_id=<TMPL_VAR .studio_id>&filename=<TMPL_VAR image>&type=icon">
                        </button>
@@ -110,7 +110,7 @@
                    <td>
                        <div class="right">
                            <button type=submit class="text" name="action" value="delete"
-                            onclick="commitForm('project_<TMPL_VAR project_id>','delete','<TMPL_VAR .loc.button_delete>');return false;"
+                            onclick="commitForm('project_<TMPL_VAR project_id>','delete','<TMPL_VAR .loc.button_delete escape=js>');return false;"
                            ><TMPL_VAR .loc.button_delete></button>
                        </div>
                    </td>
@@ -157,7 +157,7 @@
                            <input type="hidden" name="sid"        value="<TMPL_VAR sid>">
                            <input type="hidden" name="action"     value="unassign_studio">
                            <button type="submit" class="text"
-                                onclick="commitForm($(this).parent(),'unassign_studio','<TMPL_VAR .loc.button_unassign_studio>');return false;"
+                                onclick="commitForm($(this).parent(),'unassign_studio','<TMPL_VAR .loc.button_unassign_studio escape=js>');return false;"
                            ><TMPL_VAR .loc.button_unassign_studio></button>
                        </form>
                    </div>
--- a/website/agenda/planung/templates/select-event.html
+++ b/website/agenda/planung/templates/select-event.html
@@ -14,7 +14,7 @@
        <tr>
            <td class="label"><TMPL_VAR .loc.label_project> & <TMPL_VAR .loc.label_Studio></td>
            <td>
-                <select id="selectProjectStudio" onchange="updateEventSelection('<TMPL_VAR resultElemId>');return false;">
+                <select id="selectProjectStudio" onchange="updateEventSelection('<TMPL_VAR resultElemId escape=js>');return false;">
                    <option value="-1_-1"><TMPL_VAR .loc.label_all></option>
 <TMPL_LOOP studios><option value="<TMPL_VAR project_id>_<TMPL_VAR id>" <TMPL_IF selected>selected="selected"</TMPL_IF> ><TMPL_VAR project_name> - <TMPL_VAR name></option>
 </TMPL_LOOP>
@@ -29,7 +29,7 @@
        <tr>
            <td class="label"><TMPL_VAR .loc.label_series></td>
            <td>
-                <select id="selectSeries" onchange="updateEventSelection('<TMPL_VAR resultElemId>');return false;">
+                <select id="selectSeries" onchange="updateEventSelection('<TMPL_VAR resultElemId escape=js>');return false;">
                    <option value="-1"><TMPL_VAR .loc.label_select></option>
 <TMPL_LOOP series><option value="<TMPL_VAR series_id>" <TMPL_IF selected>selected="selected"</TMPL_IF>><TMPL_VAR series_name><TMPL_IF title> - <TMPL_VAR title></TMPL_IF></option>
 </TMPL_LOOP>
@@ -43,7 +43,7 @@
        <tr>
            <td class="label"><TMPL_VAR .loc.label_filter></td>
            <td>
-                <select id="year" onchange="updateEventSelection('<TMPL_VAR resultElemId>');return false;">
+                <select id="year" onchange="updateEventSelection('<TMPL_VAR resultElemId escape=js>');return false;">
                    <option value="-1"><TMPL_VAR .loc.label_year></option>
 <TMPL_LOOP years><option value="<TMPL_VAR year>" <TMPL_IF selected>selected="selected"</TMPL_IF>><TMPL_VAR year></option>
 </TMPL_LOOP>
@@ -57,7 +57,7 @@
    <tr>
        <td class="label"><TMPL_VAR .loc.label_event></td>
        <td>
-            <select id="eventId" onchange=selectEventAction('<TMPL_VAR resultElemId>')>
+            <select id="eventId" onchange=selectEventAction('<TMPL_VAR resultElemId escape=js>')>
                <option value="-1"><TMPL_VAR .loc.label_select></option>            
 <TMPL_LOOP events><option value="<TMPL_VAR id>" <TMPL_IF selected>selected="selected"</TMPL_IF>><TMPL_VAR start> - <TMPL_VAR full_title></option>
 </TMPL_LOOPS>
--- a/website/agenda/planung/templates/select-series.html
+++ b/website/agenda/planung/templates/select-series.html
@@ -15,7 +15,7 @@
        <tr>
            <td class="label"><TMPL_VAR .loc.label_project> & <TMPL_VAR .loc.label_Studio></td>
            <td>
-                <select id="selectProjectStudio" onchange="updateSeriesSelection('<TMPL_VAR resultElemId>');return false;">
+                <select id="selectProjectStudio" onchange="updateSeriesSelection('<TMPL_VAR resultElemId escape=js>');return false;">
                    <option value="-1_-1"><TMPL_VAR .loc.label_all></option>
 <TMPL_LOOP studios><option value="<TMPL_VAR project_id>_<TMPL_VAR id>" <TMPL_IF selected>selected="selected"</TMPL_IF> ><TMPL_VAR project_name> - <TMPL_VAR name></option>
 </TMPL_LOOP>
@@ -30,7 +30,7 @@
        <tr>
            <td class="label"><TMPL_VAR .loc.label_series></td>
            <td>
-                <select id="selectSeriesId" onchange="selectSeriesAction('<TMPL_VAR resultElemId>');return false;">
+                <select id="selectSeriesId" onchange="selectSeriesAction('<TMPL_VAR resultElemId escape=js>');return false;">
                    <option value="-1"><TMPL_VAR .loc.label_select></option>
 <TMPL_LOOP series><option value="<TMPL_VAR series_id>" <TMPL_IF selected>selected="selected"</TMPL_IF>><TMPL_VAR series_name><TMPL_IF title> - <TMPL_VAR title></TMPL_IF></option>
 </TMPL_LOOP>
--- a/website/agenda/planung/templates/series.html
+++ b/website/agenda/planung/templates/series.html
@@ -1,5 +1,5 @@
 <script>
-    var region='<TMPL_VAR loc.region>';
+    var region='<TMPL_VAR loc.region escape=js>';
 </script>

 <h2><TMPL_VAR .loc.title></h2>
@@ -9,7 +9,7 @@
 <!-- create a new series -->
 <TMPL_IF .allow.create_series>
 <div style="clear:both" class="newseries">
-	<button onclick="add_series('<TMPL_VAR series_name>')"><TMPL_VAR .loc.button_add_series></button>
+	<button onclick="add_series('<TMPL_VAR series_name escape=js>')"><TMPL_VAR .loc.button_add_series></button>
 	<div id="edit_new" class="editor" style="display:none;clear:both">
 		<form method="post" action="series.cgi">
 			<input type="hidden" name="project_id" value="<TMPL_VAR .project_id>">
@@ -38,7 +38,7 @@
 <div id="newSeries">
 <TMPL_LOOP newSeries>
 	<a 
-        onclick="view_series_details('<TMPL_VAR series_id>','<TMPL_VAR .studio_id>','<TMPL_VAR .project_id>')"
+        onclick="view_series_details('<TMPL_VAR series_id escape=js>','<TMPL_VAR .studio_id escape=js>','<TMPL_VAR .project_id escape=js>')"
        href="series.cgi?project_id=<TMPL_VAR .project_id>&studio_id=<TMPL_VAR .studio_id>&series_id=<TMPL_VAR series_id>&action=show"
    >
 		<b><TMPL_IF has_single_events><TMPL_VAR .loc.single_events><TMPL_ELSE><TMPL_VAR series_name></TMPL_IF></b> 
@@ -53,7 +53,7 @@

 <div id="oldSeries" style="display:none;">
 <TMPL_LOOP oldSeries>
-	<a onclick="view_series_details('<TMPL_VAR series_id>','<TMPL_VAR .studio_id>','<TMPL_VAR .project_id>')"
+	<a onclick="view_series_details('<TMPL_VAR series_id escape=js>','<TMPL_VAR .studio_id escape=js>','<TMPL_VAR .project_id escape=js>')"
        href="series.cgi?project_id=<TMPL_VAR .project_id>&studio_id=<TMPL_VAR .studio_id>&series_id=<TMPL_VAR series_id>&action=show"
    >
 		<b><TMPL_IF has_single_events><TMPL_VAR .loc.single_events><TMPL_ELSE><TMPL_VAR series_name></TMPL_IF></b> 
--- a/website/agenda/planung/templates/studio-timeslots.html
+++ b/website/agenda/planung/templates/studio-timeslots.html
@@ -4,7 +4,7 @@
 	}
 </style>
 <script>
-    var region='<TMPL_VAR loc.region>';
+    var region='<TMPL_VAR loc.region escape=js>';
 </script>

 <!-- view timeslot schedule and dates -->
@@ -66,7 +66,7 @@
 					<TMPL_IF .allow.delete_schedule>
 					<div class="cell">
                        <button class="text" type="submit" name="action" value="delete_schedule" 
-                            onclick="commitForm('form_schedule_<TMPL_VAR schedule_id>','delete_schedule','<TMPL_VAR .loc.button_delete>');return false;"
+                            onclick="commitForm('form_schedule_<TMPL_VAR schedule_id escape=js>','delete_schedule','<TMPL_VAR .loc.button_delete escape=js>');return false;"
                        ><TMPL_VAR .loc.button_delete></button> 
                    </div>
 					</TMPL_IF>
--- a/website/agenda/planung/templates/studios.html
+++ b/website/agenda/planung/templates/studios.html
@@ -1,13 +1,13 @@
 <script src="js/image.js" type="text/javascript"></script>
 <script type="text/javascript">
-    var region='<TMPL_VAR loc.region>';
+    var region='<TMPL_VAR loc.region escape=js>';
 </script>

 <h2><TMPL_VAR .loc.title></h2>

 <TMPL_IF .allow.update_studio>
 <div style="clear:both" class="newstudio">
-	<button onclick="add_studio('<TMPL_VAR name>')"><TMPL_VAR .loc.button_add_studio></button><br/>
+	<button onclick="add_studio('<TMPL_VAR name escape=js>')"><TMPL_VAR .loc.button_add_studio></button><br/>
 	<div id="edit_new" class="panel panel-body" style="clear:both;display:none">
 	    <form method="post">
 			<input type="hidden" name="project_id" value="<TMPL_VAR .project_id>">
@@ -38,7 +38,7 @@
 	</div>
 	<div class="panel-body">
 	    <TMPL_IF .allow.update_studio>
-		    <button onclick="edit_studio('<TMPL_VAR id>')"><TMPL_VAR .loc.button_edit></button>
+		    <button onclick="edit_studio('<TMPL_VAR id escape=js>')"><TMPL_VAR .loc.button_edit></button>
 	    </TMPL_IF>

        <TMPL_IF .allow.read_event>
@@ -76,11 +76,11 @@
                    <td>
                        <button 
                            class="selectImage"
-                            onclick="selectImage('<TMPL_VAR name escape=HTML>', '<TMPL_VAR image ESCAPE=url>', 'studio', '<TMPL_VAR .project_id>','<TMPL_VAR .studio_id>'); return false;"
+                            onclick="selectImage('<TMPL_VAR name escape=javascript>', '<TMPL_VAR image escape=javascript>', 'studio', '<TMPL_VAR .project_id escape=js>','<TMPL_VAR .studio_id escape=js>'); return false;"
                        >
-                            <img id="imagePreview" src="show-image.cgi?project_id=<TMPL_VAR .project_id>&studio_id=<TMPL_VAR .studio_id>&filename=<TMPL_VAR image>&type=icon">
+                            <img id="imagePreview" src="show-image.cgi?project_id=<TMPL_VAR .project_id escape=js>&studio_id=<TMPL_VAR .studio_id escape=js>&filename=<TMPL_VAR image escape=js>&type=icon">
                        </button>
-                        <input id="image_<TMPL_VAR id>" name="image" value="<TMPL_VAR image>" class="image" placeholder="<TMPL_VAR .loc.template_image>">
+                        <input id="image_<TMPL_VAR id escape=js>" name="image" value="<TMPL_VAR image escape=js>" class="image" placeholder="<TMPL_VAR .loc.template_image escape=js>">
                    </td>
                </tr>
 			    <tr>
@@ -88,7 +88,7 @@
 				    <td class="buttons">
 					    <button type=submit name="action" value="save"><TMPL_VAR .loc.button_save></button>
 				        <button type=submit class="text" name="action" value="delete"
-                        onclick="commitForm('studio_<TMPL_VAR id>','delete','<TMPL_VAR .loc.button_delete>');return false;"
+                        onclick="commitForm('studio_<TMPL_VAR id escape=js>','delete','<TMPL_VAR .loc.button_delete escape=js>');return false;"
                        ><TMPL_VAR .loc.button_delete></button>
 				    </td>
 			    </tr>
--- a/website/agenda/planung/templates/upload-audio-recordings.html
+++ b/website/agenda/planung/templates/upload-audio-recordings.html
@@ -71,7 +71,7 @@
    </tr>
    <TMPL_LOOP audio_recordings>
        <tr class="<TMPL_IF active>active<TMPL_ELSE>inactive</TMPL_IF>" >
-            <td><button onclick="playAudio('<TMPL_VAR path>');return false">play</button></td>
+            <td><button onclick="playAudio('<TMPL_VAR path escape=js>');return false">play</button></td>
            <td><TMPL_VAR path></td>
            <td><TMPL_VAR created_by></td>
            <td><TMPL_VAR created_at></td>
--- a/website/agenda/planung/templates/users.html
+++ b/website/agenda/planung/templates/users.html
@@ -81,7 +81,7 @@

 <TMPL_IF allow.create_user>
 <div style="clear:both" class="newuser">
-	<button onclick="add_user('<TMPL_VAR name>')"><TMPL_VAR .loc.button_add_user></button>
+	<button onclick="add_user('<TMPL_VAR name escape=js>')"><TMPL_VAR .loc.button_add_user></button>
 	<div id="edit_new" class="user editor panel" style="display:none">
 		<form method="post">
 		<table>
@@ -151,11 +151,11 @@

 	<td>
 		<TMPL_IF allow.update_user>
-			<button class="text" onclick="edit_user('<TMPL_VAR id>')"><TMPL_VAR .loc.button_edit_user></button>
+			<button class="text" onclick="edit_user('<TMPL_VAR id escape=js>')"><TMPL_VAR .loc.button_edit_user></button>
 		</TMPL_IF>

 		<TMPL_IF allow.update_user_role>
-			<button class="text" onclick="edit_roles('<TMPL_VAR id>')"><TMPL_VAR .loc.button_edit_roles></button>
+			<button class="text" onclick="edit_roles('<TMPL_VAR id escape=js>')"><TMPL_VAR .loc.button_edit_roles></button>
 		</TMPL_IF>
 		<!--	</div> -->
 	</td>
@@ -193,7 +193,7 @@
 					<TMPL_IF allow.delete_user>
 					<div class="right">
 					    <button type=submit name="action" value="delete"
-                        onclick="commitForm('user_<TMPL_VAR id>','delete','<TMPL_VAR .loc.button_delete_user>');return false;"
+                        onclick="commitForm('user_<TMPL_VAR id escape=js>','delete','<TMPL_VAR .loc.button_delete_user escape=js>');return false;"
                    ><TMPL_VAR .loc.button_delete_user></div>
 					</TMPL_IF>
 				</td>
--- a/website/agenda/templates/calendar.html
+++ b/website/agenda/templates/calendar.html
@@ -36,7 +36,7 @@
 <tr>
 <TMPL_COMMENT><th>Wo</th>
 </TMPL_COMMENT>
-<TMPL_LOOP weekdays><th><a href="<TMPL_VAR .local_base_url>/<TMPL_VAR .controllers.events>/<TMPL_VAR start_date>/<TMPL_VAR end_date>/<TMPL_VAR weekday>/" onclick="calcms.selectWeekdayEventListener('<TMPL_VAR start_date>','<TMPL_VAR end_date>','<TMPL_VAR weekday>');return false;"><TMPL_VAR "weekday_short_name"></a></th></TMPL_LOOP>
+<TMPL_LOOP weekdays><th><a href="<TMPL_VAR .local_base_url>/<TMPL_VAR .controllers.events>/<TMPL_VAR start_date>/<TMPL_VAR end_date>/<TMPL_VAR weekday>/" onclick="calcms.selectWeekdayEventListener('<TMPL_VAR start_date escape=js>','<TMPL_VAR end_date escape=js>','<TMPL_VAR weekday escape=js>');return false;"><TMPL_VAR "weekday_short_name"></a></th></TMPL_LOOP>
 </tr>

 </thead>
@@ -45,7 +45,7 @@
 <TMPL_LOOP week_and_days>
 <tr>
 <TMPL_COMMENT>
-<TMPL_LOOP week><th class="<TMPL_VAR class>"><a href="<TMPL_VAR .local_base_url>/<TMPL_VAR .controllers.events>/<TMPL_VAR from_date>/<TMPL_VAR till_date>/" title="Woche anzeigen" onclick="calcms.selectDateRangeEventListener('<TMPL_VAR from_date>','<TMPL_VAR till_date>');return false;" ><TMPL_VAR week_of_year></a></th></TMPL_LOOP>
+<TMPL_LOOP week><th class="<TMPL_VAR class>"><a href="<TMPL_VAR .local_base_url>/<TMPL_VAR .controllers.events>/<TMPL_VAR from_date>/<TMPL_VAR till_date>/" title="Woche anzeigen" onclick="calcms.selectDateRangeEventListener('<TMPL_VAR from_date escape=js>','<TMPL_VAR till_date escape=js>');return false;" ><TMPL_VAR week_of_year></a></th></TMPL_LOOP>
 </TMPL_COMMENT>
 <TMPL_LOOP days><td class="<TMPL_VAR class>"><a href="<TMPL_VAR .cache_base_url>/<TMPL_VAR .controllers.events>/<TMPL_VAR date>.html" title="<TMPL_VAR day>.<TMPL_VAR month>. zeigen"><TMPL_VAR day></a></td>
 </TMPL_LOOP></tr></TMPL_LOOP>
--- a/website/agenda/templates/categories.html
+++ b/website/agenda/templates/categories.html
@@ -19,7 +19,7 @@
 	<TMPL_UNLESS isEmpty>
 	<select id="calcms_category_<TMPL_VAR js_name escape=none>" name="category_<TMPL_VAR js_name escape=none>" 
 		title="Kategorien durchsuchen" 
-		onchange="calcms.selectCategory('<TMPL_VAR name>', jQuery(this).val())" 
+		onchange="calcms.selectCategory('<TMPL_VAR name escape=js>', jQuery(this).val())" 
 		style="display:none;"
 	>
 		<option value="">- Kategorie -</option>
--- a/website/agenda/templates/comments.html
+++ b/website/agenda/templates/comments.html
@@ -12,7 +12,7 @@
 	<a name="comments" />
 	<TMPL_IF allow.new_comments>
 		<a href="#comments" 
-		   onclick="calcms.showCommentForm('calcms_add_comment','','<TMPL_VAR event_id>','<TMPL_VAR event_start>');return false;"
+		   onclick="calcms.showCommentForm('calcms_add_comment','','<TMPL_VAR event_id escape=js>','<TMPL_VAR event_start escape=js>');return false;"
 		>Neuen Kommentar schreiben</a>
 	<div>
 		<div id="calcms_add_comment" style="display:none;visibility:hidden;" >&nbsp;</div>
@@ -40,7 +40,7 @@
 				<TMPL_IF allow.new_comments>
 					<span >
 						<a href="#calcms_add_comment_<TMPL_VAR id>_anchor"
-						   onclick="calcms.showCommentForm('calcms_add_comment_<TMPL_VAR id>','<TMPL_VAR id>','<TMPL_VAR event_id>','<TMPL_VAR event_start>');return false;"
+						   onclick="calcms.showCommentForm('calcms_add_comment_<TMPL_VAR id escape=js>','<TMPL_VAR id escape=js>','<TMPL_VAR event_id escape=js>','<TMPL_VAR event_start escape=js>');return false;"
 						>antworten</a>
 					</span>
 					<div id="calcms_add_comment_<TMPL_VAR id>">&nbsp;</div>
--- a/website/agenda/templates/event_details.html
+++ b/website/agenda/templates/event_details.html
@@ -80,7 +80,7 @@
 		<script>
 			jQuery(document).ready(
 				function() {
-					calcms.showCommentsByEventIdOrEventStart('<TMPL_VAR event_id>','<TMPL_VAR start_datetime>');
+					calcms.showCommentsByEventIdOrEventStart('<TMPL_VAR event_id escape=js>','<TMPL_VAR start_datetime escape=js>');
 				}
 			);
 		</script>
--- a/website/agenda/templates/event_playlist.html
+++ b/website/agenda/templates/event_playlist.html
@@ -9,18 +9,31 @@
 </head>

 <body>
+<style>
+
+div.event div.title{
+    display:grid;
+    grid-template-columns: 3ch 5ch 1ch 1fr; 
+}
+div.event div.title div{
+    display:inline;
+}
+</style>
+
 <TMPL_LOOP NAME=events>
 <a href="<TMPL_VAR cache_base_url>/<TMPL_VAR .controllers.event>/<TMPL_VAR event_id>.html#<TMPL_VAR event_uri escape=url>" 
 > 
-    <div id="event_playlist_<TMPL_VAR event_id>" class="event"  title="<TMPL_VAR full_title><TMPL_IF excerpt>. <TMPL_VAR excerpt></TMPL_IF>">
+    <div id="event_playlist_<TMPL_VAR event_id>" class="event"  title="<TMPL_VAR full_title><TMPL_IF excerpt>. <TMPL_VAR excerpt escape=url></TMPL_IF>">
 		<TMPL_COMMENT>
        <div class="icon">
            <img src="<TMPL_VAR icon>"></img>
        </div>
 		</TMPL_COMMENT>
        <div class="title">
-            <TMPL_VAR weekday_short_name> <TMPL_VAR start_time_name> - 
-            <TMPL_IF series_name><TMPL_VAR series_name><TMPL_ELSE><TMPL_VAR title></TMPL_IF>
+            <div><TMPL_VAR weekday_short_name></div>
+            <div><TMPL_VAR start_time_name></div>
+            <div>-</div>
+            <div><TMPL_IF series_name><TMPL_VAR series_name><TMPL_ELSE><TMPL_VAR title></TMPL_IF></div>
        </div>
    </div>
 </a>
--- a/website/agenda/templates/series_names.html
+++ b/website/agenda/templates/series_names.html
@@ -14,7 +14,7 @@
    id="calcms_series_name_<TMPL_VAR js_name escape=none>" 
    name="series_name_<TMPL_VAR js_name escape=none>" 
    title="Sendereihen durchsuchen" 
-    onchange="calcms.selectSeries('<TMPL_VAR name>', jQuery(this).val())" 
+    onchange="calcms.selectSeries('<TMPL_VAR name escape=js>', jQuery(this).val())" 
    style="display:none;"
 >