diff --git a/3rdparty/MDB2/Schema/Writer.php b/3rdparty/MDB2/Schema/Writer.php
index 96dd2bed0f..3eaa39a207 100644
--- a/3rdparty/MDB2/Schema/Writer.php
+++ b/3rdparty/MDB2/Schema/Writer.php
@@ -80,6 +80,7 @@ class MDB2_Schema_Writer
     function __construct($valid_types = array())
     {
         $this->valid_types = $valid_types;
+    }
 
     // }}}
     // {{{ raiseError()
diff --git a/apps/contacts/ajax/contacts.php b/apps/contacts/ajax/contacts.php
index 37d396cd83..dbc9be5ca5 100644
--- a/apps/contacts/ajax/contacts.php
+++ b/apps/contacts/ajax/contacts.php
@@ -13,7 +13,7 @@ OCP\JSON::checkAppEnabled('contacts');
 $ids = OC_Contacts_Addressbook::activeIds(OCP\USER::getUser());
 $contacts = OC_Contacts_VCard::all($ids);
 $tmpl = new OCP\Template("contacts", "part.contacts");
-$tmpl->assign('contacts', $contacts);
+$tmpl->assign('contacts', $contacts, false);
 $page = $tmpl->fetchPage();
 
 OCP\JSON::success(array('data' => array( 'page' => $page )));
diff --git a/apps/contacts/ajax/editaddress.php b/apps/contacts/ajax/editaddress.php
index 969aeeba8f..2d7aba11b0 100644
--- a/apps/contacts/ajax/editaddress.php
+++ b/apps/contacts/ajax/editaddress.php
@@ -20,7 +20,18 @@ if($checksum) {
 	$line = OC_Contacts_App::getPropertyLineByChecksum($vcard, $checksum);
 	$element = $vcard->children[$line];
 	$adr = OC_Contacts_VCard::structureProperty($element);
-	$tmpl->assign('adr',$adr);
+	$types = array();
+	if(isset($adr['parameters']['TYPE'])) {
+		if(is_array($adr['parameters']['TYPE'])) {
+			$types = array_map('htmlspecialchars', $adr['parameters']['TYPE']);
+			$types = array_map('strtoupper', $types);
+		} else {
+			$types = array(strtoupper(htmlspecialchars($adr['parameters']['TYPE'])));
+		}
+	}
+	$tmpl->assign('types', $types, false);
+	$adr = array_map('htmlspecialchars', $adr['value']);
+	$tmpl->assign('adr', $adr, false);
 }
 
 $tmpl->assign('id',$id);
diff --git a/apps/contacts/ajax/editname.php b/apps/contacts/ajax/editname.php
index d06d416b7e..62cae894b6 100644
--- a/apps/contacts/ajax/editname.php
+++ b/apps/contacts/ajax/editname.php
@@ -28,8 +28,9 @@ if($id) {
 			$name = OC_Contacts_VCard::structureProperty($property);
 		}
 	}
-	$tmpl->assign('name',$name);
-	$tmpl->assign('id',$id);
+	$name = array_map('htmlspecialchars', $name['value']);
+	$tmpl->assign('name',$name, false);
+	$tmpl->assign('id',$id, false);
 } else {
 	bailOut(OC_Contacts_App::$l10n->t('Contact ID is missing.'));
 }
diff --git a/apps/contacts/index.php b/apps/contacts/index.php
index 74b7c43c55..bdb52c123c 100644
--- a/apps/contacts/index.php
+++ b/apps/contacts/index.php
@@ -66,7 +66,7 @@ $tmpl->assign('phone_types', $phone_types);
 $tmpl->assign('email_types', $email_types);
 $tmpl->assign('categories', $categories);
 $tmpl->assign('addressbooks', $addressbooks);
-$tmpl->assign('contacts', $contacts);
+$tmpl->assign('contacts', $contacts, false);
 $tmpl->assign('details', $details );
 $tmpl->assign('id',$id);
 $tmpl->printPage();
diff --git a/apps/contacts/templates/part.contacts.php b/apps/contacts/templates/part.contacts.php
index 00a61f72fd..5751750540 100644
--- a/apps/contacts/templates/part.contacts.php
+++ b/apps/contacts/templates/part.contacts.php
@@ -8,5 +8,5 @@
 		}
 	}
 ?>
-	<li role="button" book-id="<?php echo $contact['addressbookid']; ?>" data-id="<?php echo $contact['id']; ?>"><a href="index.php?id=<?php echo $contact['id']; ?>"><?php echo $display; ?></a></li>
+	<li role="button" book-id="<?php echo $contact['addressbookid']; ?>" data-id="<?php echo $contact['id']; ?>"><a href="index.php?id=<?php echo $contact['id']; ?>"><?php echo htmlspecialchars($display); ?></a></li>
 <?php endforeach; ?>
diff --git a/apps/contacts/templates/part.edit_address_dialog.php b/apps/contacts/templates/part.edit_address_dialog.php
index 7684795f34..d5ea95ba46 100644
--- a/apps/contacts/templates/part.edit_address_dialog.php
+++ b/apps/contacts/templates/part.edit_address_dialog.php
@@ -1,13 +1,9 @@
 <?php
 $adr = isset($_['adr'])?$_['adr']:array();
-$id = $_['id'];
-$types = array();
-foreach(isset($adr['parameters']['TYPE'])?array($adr['parameters']['TYPE']):array() as $type) {
-	$types[] = strtoupper($type);
-}
+$id = isset($_['id'])?$_['id']:array();
+$types = isset($_['types'])?$_['types']:array();
 ?>
 <div id="edit_address_dialog" title="<?php echo $l->t('Edit address'); ?>">
-<!-- ?php print_r($types); ? -->
 	<fieldset id="address">
 		<dl class="form">
 			<dt>
@@ -22,43 +18,43 @@ foreach(isset($adr['parameters']['TYPE'])?array($adr['parameters']['TYPE']):arra
 				<label class="label" for="adr_pobox"><?php echo $l->t('PO Box'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_pobox" name="value[ADR][0]" placeholder="<?php echo $l->t('PO Box'); ?>" value="<?php echo isset($adr['value'][0])?$adr['value'][0]:''; ?>">
+				<input type="text" id="adr_pobox" name="value[ADR][0]" placeholder="<?php echo $l->t('PO Box'); ?>" value="<?php echo isset($adr[0])?$adr[0]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_street"><?php echo $l->t('Street address'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_street" name="value[ADR][2]" placeholder="<?php echo $l->t('Street and number'); ?>" value="<?php echo isset($adr['value'][2])?$adr['value'][2]:''; ?>">
+				<input type="text" id="adr_street" name="value[ADR][2]" placeholder="<?php echo $l->t('Street and number'); ?>" value="<?php echo isset($adr[2])?$adr[2]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_extended"><?php echo $l->t('Extended'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_extended" name="value[ADR][1]" placeholder="<?php echo $l->t('Apartment number etc.'); ?>" value="<?php echo isset($adr['value'][1])?$adr['value'][1]:''; ?>">
+				<input type="text" id="adr_extended" name="value[ADR][1]" placeholder="<?php echo $l->t('Apartment number etc.'); ?>" value="<?php echo isset($adr[1])?$adr[1]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_city"><?php echo $l->t('City'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_city" name="value[ADR][3]" placeholder="<?php echo $l->t('City'); ?>" value="<?php echo isset($adr['value'][3])?$adr['value'][3]:''; ?>">
+				<input type="text" id="adr_city" name="value[ADR][3]" placeholder="<?php echo $l->t('City'); ?>" value="<?php echo isset($adr[3])?$adr[3]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_region"><?php echo $l->t('Region'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_region" name="value[ADR][4]" placeholder="<?php echo $l->t('E.g. state or province'); ?>" value="<?php echo isset($adr['value'][4])?$adr['value'][4]:''; ?>">
+				<input type="text" id="adr_region" name="value[ADR][4]" placeholder="<?php echo $l->t('E.g. state or province'); ?>" value="<?php echo isset($adr[4])?$adr[4]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_zipcode"><?php echo $l->t('Zipcode'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_zipcode" name="value[ADR][5]" placeholder="<?php echo $l->t('Postal code'); ?>" value="<?php echo isset($adr['value'][5])?$adr['value'][5]:''; ?>">
+				<input type="text" id="adr_zipcode" name="value[ADR][5]" placeholder="<?php echo $l->t('Postal code'); ?>" value="<?php echo isset($adr[5])?$adr[5]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_country"><?php echo $l->t('Country'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_country" name="value[ADR][6]" placeholder="<?php echo $l->t('Country'); ?>" value="<?php echo isset($adr['value'][6])?$adr['value'][6]:''; ?>">
+				<input type="text" id="adr_country" name="value[ADR][6]" placeholder="<?php echo $l->t('Country'); ?>" value="<?php echo isset($adr[6])?$adr[6]:''; ?>">
 			</dd>
 		</dl>
 	</fieldset>
diff --git a/apps/contacts/templates/part.edit_name_dialog.php b/apps/contacts/templates/part.edit_name_dialog.php
index be45f9a5b0..f984c232a3 100644
--- a/apps/contacts/templates/part.edit_name_dialog.php
+++ b/apps/contacts/templates/part.edit_name_dialog.php
@@ -22,7 +22,7 @@ $addressbooks = isset($_['addressbooks'])?$_['addressbooks']:null;
 		<?php }} ?>
 		<dt><label for="pre"><?php echo $l->t('Hon. prefixes'); ?></label></dt>
 		<dd>
-			<input name="pre" id="pre" value="<?php echo isset($name['value'][3]) ? $name['value'][3] : ''; ?>" type="text" list="prefixes" />
+			<input name="pre" id="pre" value="<?php echo isset($name[3]) ? $name[3] : ''; ?>" type="text" list="prefixes" />
 			<datalist id="prefixes">
 				<option value="<?php echo $l->t('Miss'); ?>">
 				<option value="<?php echo $l->t('Ms'); ?>">
@@ -33,14 +33,14 @@ $addressbooks = isset($_['addressbooks'])?$_['addressbooks']:null;
 			</datalist>
 		</dd>
 		<dt><label for="giv"><?php echo $l->t('Given name'); ?></label></dt>
-		<dd><input name="giv" id="giv" value="<?php echo isset($name['value'][1]) ? $name['value'][1] : ''; ?>" type="text" /></dd>
+		<dd><input name="giv" id="giv" value="<?php echo isset($name[1]) ? $name[1] : ''; ?>" type="text" /></dd>
 		<dt><label for="add"><?php echo $l->t('Additional names'); ?></label></dt>
-		<dd><input name="add" id="add" value="<?php echo isset($name['value'][2]) ? $name['value'][2] : ''; ?>" type="text" /></dd>
+		<dd><input name="add" id="add" value="<?php echo isset($name[2]) ? $name[2] : ''; ?>" type="text" /></dd>
 		<dt><label for="fam"><?php echo $l->t('Family name'); ?></label></dt>
-		<dd><input name="fam" id="fam" value="<?php echo isset($name['value'][0]) ? $name['value'][0] : ''; ?>" type="text" /></dd>
+		<dd><input name="fam" id="fam" value="<?php echo isset($name[0]) ? $name[0] : ''; ?>" type="text" /></dd>
 		<dt><label for="suf"><?php echo $l->t('Hon. suffixes'); ?></label></dt>
 		<dd>
-			<input name="suf" id="suf" value="<?php echo isset($name['value'][4]) ? $name['value'][4] : ''; ?>" type="text" list="suffixes" />
+			<input name="suf" id="suf" value="<?php echo isset($name[4]) ? $name[4] : ''; ?>" type="text" list="suffixes" />
 			<datalist id="suffixes">
 				<option value="<?php echo $l->t('J.D.'); ?>">
 				<option value="<?php echo $l->t('M.D.'); ?>">
diff --git a/apps/files_imageviewer/js/lightbox.js b/apps/files_imageviewer/js/lightbox.js
index 69cda7a0ec..31f08456d2 100644
--- a/apps/files_imageviewer/js/lightbox.js
+++ b/apps/files_imageviewer/js/lightbox.js
@@ -22,7 +22,7 @@ function viewImage(dir, file) {
 	if(file.indexOf('.psd')>0){//can't view those
 		return;
 	}
-	var location=OC.filePath('files','ajax','download.php')+'?files='+encodeURIComponent(file)+'&dir='+encodeURIComponent(dir);
+	var location=OC.filePath('files','ajax','download.php')+encodeURIComponent('?files='+encodeURIComponent(file)+'&dir='+encodeURIComponent(dir));
 	$.fancybox({
 		"href": location,
 		"title": file.replace(/</, "&lt;").replace(/>/, "&gt;"),