diff --git a/interface/lib/classes/tform_actions.inc.php b/interface/lib/classes/tform_actions.inc.php
index e0ff25145575407e09e062b40f57e462e99c5c2d..f277c51274f3e8e4f9c5f03814f07367c7a8fcf2 100644
--- a/interface/lib/classes/tform_actions.inc.php
+++ b/interface/lib/classes/tform_actions.inc.php
@@ -287,7 +287,7 @@ class tform_actions {
 		global $app, $conf;
 
 		$app->tpl->setVar("error", "<li>".$app->tform->errorMessage."</li>");
-		$app->tpl->setVar($this->dataRecord);
+		$app->tpl->setVar($this->dataRecord, null, true);
 		$this->onShow();
 	}
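Review bot: The `error` variable on the line above is still built from `$app->tform->errorMessage` wrapped in raw `<li>` markup with no encoding, so if any validator echoes the submitted value into its message that path stays unescaped while the record itself is now encoded; whether messages embed user input depends on the validators, which are not visible here. Passing the whole `dataRecord` through the array branch also applies `htmlentities` to every field, including any multi-value field that holds an array — confirm that `$app->functions->htmlentities` tolerates non-string input or skip non-scalars before encoding. The enclosing method starts before this hunk.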
 
diff --git a/interface/lib/classes/tpl.inc.php b/interface/lib/classes/tpl.inc.php
index 2104cf61a5f50ea4dbd3e2bd52eb19c496158496..37814cd0c61a114ad6e4b9ccf3c91db7349608ee 100644
--- a/interface/lib/classes/tpl.inc.php
+++ b/interface/lib/classes/tpl.inc.php
@@ -226,21 +226,26 @@ if (!defined('vlibTemplateClassLoaded')) {
 		 * using the keys as variable names and the values as variable values.
 		 * @param mixed $k key to define variable name
 		 * @param mixed $v variable to assign to $k
+		 * @param bool $encode if set to true use htmlentities on values
 		 * @return boolean true/false
 		 * @access public
 		 */
-		public function setVar($k, $v = null)
+		public function setVar($k, $v = null, $encode = false)
 		{
+			global $app;
+			
 			if (is_array($k)) {
 				foreach($k as $key => $value){
 					$key = ($this->OPTIONS['CASELESS']) ? strtolower(trim($key)) : trim($key);
 					if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $key) && $value !== null ) {
+						if($encode == true) $value = $app->functions->htmlentities($value);
 						$this->_vars[$key] = $value;
 					}
 				}
 			} else {
 				if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $k) && $v !== null) {
 					if ($this->OPTIONS['CASELESS']) $k = strtolower($k);
+					if($encode == true) $value = $app->functions->htmlentities($);
 					$this->_vars[trim($k)] = $v;
 				} else {
 					return false;
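Review bot: The scalar branch added at `if($encode == true) $value = $app->functions->htmlentities($);` is broken twice: `htmlentities($)` is a parse error that will take down every page including tpl.inc.php, and once the variable is restored the result is assigned to `$value` while the next line stores the unencoded `$v`, so every `setVar($k, $v, true)` call introduced by this commit would still store raw input. The line should read `if ($encode) $v = $app->functions->htmlentities($v);`. The `== true` loose comparison in both branches is also unnecessary since the parameter is documented as bool; `if ($encode)` is clearer. The array branch is correct, but note that it encodes before the `$value !== null` guard has excluded only nulls, so array-valued entries reach the helper too. setVar's body continues past the hunk.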
diff --git a/interface/web/admin/directive_snippets_edit.php b/interface/web/admin/directive_snippets_edit.php
index de803581e07d373a23bfce05e490772d041788b4..b12da0a79bf28f000b0c11103db13482557608ad 100644
--- a/interface/web/admin/directive_snippets_edit.php
+++ b/interface/web/admin/directive_snippets_edit.php
@@ -70,9 +70,9 @@ class page_action extends tform_actions {
 		if($this->id > 0){
 			if($this->dataRecord['master_directive_snippets_id'] > 0){
 				$is_master = true;
-				$app->tpl->setVar("name", $this->dataRecord['name']);
-				$app->tpl->setVar("type", $this->dataRecord['type']);
-				$app->tpl->setVar("snippet", $this->dataRecord['snippet']);
+				$app->tpl->setVar("name", $this->dataRecord['name'], true);
+				$app->tpl->setVar("type", $this->dataRecord['type'], true);
+				$app->tpl->setVar("snippet", $this->dataRecord['snippet'], true);
 			}
 		}
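Review bot: The `snippet` value is raw web-server configuration that legitimately contains `<`, `>` and quotes, so encoding it here is only correct if the template inserts it into a `<textarea>` or attribute without escaping it a second time; otherwise the admin will see literal `&lt;Directory&gt;` in the editor. Verify that the directive_snippets template does not also escape these three variables (double encoding is the usual failure mode when escaping is moved from the view into the controller), and add a comment at the call site such as `// pre-encoded for the template; do not escape again in the view`.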
 		$app->tpl->setVar("is_master", $is_master);
diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php
index 4d588ef8e032ab1e0bfd3ae270aacb6bc8292d85..289ef2ab3833389e32bd5fac131d76a2b9b91433 100644
--- a/interface/web/dns/dns_slave_edit.php
+++ b/interface/web/dns/dns_slave_edit.php
@@ -149,7 +149,7 @@ class page_action extends tform_actions {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}
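Review bot: `server_id` is a numeric foreign key used to preselect the server, so entity-encoding only neutralises markup while still letting a non-numeric value through; casting it is the more precise fix, e.g. `$app->tpl->setVar("server_id_value", $app->functions->intval($this->dataRecord["server_id"]));`, using the helper this codebase already applies to ids elsewhere in the diff. The same substitution applies to the identical `server_id_value` hunks in dns_soa_edit, mail_domain_edit, xmpp_domain_edit and openvz_vm_edit, and to `parent_domain_id_value` in cron_edit, shell_user_edit and webdav_user_edit.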
diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php
index 6faefac3903ec588d400fa2b8bb48e69a612ac35..8764301c1dcd291c6655226e2abd32a7aae203c5 100644
--- a/interface/web/dns/dns_soa_edit.php
+++ b/interface/web/dns/dns_soa_edit.php
@@ -217,7 +217,7 @@ class page_action extends tform_actions {
 	if($this->id > 0) {
 		//* we are editing a existing record
 		$app->tpl->setVar("edit_disabled", 1);
-		$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+		$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 
 		$datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'dns_soa' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'id:' . $this->id);
 		if(is_array($datalog) && !empty($datalog)){
diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php
index 7565752bd31c575d38731fe09af55c191ba81c70..e648b94c3bf1d39104dde3bcb45aba7242c930bb 100644
--- a/interface/web/mail/mail_domain_edit.php
+++ b/interface/web/mail/mail_domain_edit.php
@@ -204,7 +204,7 @@ class page_action extends tform_actions {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}
diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php
index 1419627529253adf23bba5bdfb5f00ba0de749d5..a0c9e021739ce66fb4df63d907fa44070ae3227d 100644
--- a/interface/web/mail/mail_mailinglist_edit.php
+++ b/interface/web/mail/mail_mailinglist_edit.php
@@ -124,9 +124,9 @@ class page_action extends tform_actions {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("listname_value", $this->dataRecord["listname"]);
-			$app->tpl->setVar("domain_value", $this->dataRecord["domain"]);
-			$app->tpl->setVar("email_value", $this->dataRecord["email"]);
+			$app->tpl->setVar("listname_value", $this->dataRecord["listname"], true);
+			$app->tpl->setVar("domain_value", $this->dataRecord["domain"], true);
+			$app->tpl->setVar("email_value", $this->dataRecord["email"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}
diff --git a/interface/web/mail/mail_user_edit.php b/interface/web/mail/mail_user_edit.php
index 87d3be66bbf2f4a21b0dbf12d7de76f5ab3cf34d..b6e84bf33f0e083ef467a3c755b1b33666925b1f 100644
--- a/interface/web/mail/mail_user_edit.php
+++ b/interface/web/mail/mail_user_edit.php
@@ -121,7 +121,7 @@ class page_action extends tform_actions {
 		if($this->dataRecord['autoresponder_subject'] == '') {
 			$app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
 		} else {
-			$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
+			$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
 		}
 
 		$app->uses('getconf');
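Review bot: The two branches now treat the same template variable differently — the stored subject is encoded while the `lng()` fallback is not — and nothing at the call site says why; a reader may later "fix" the asymmetry in either direction. A one-line comment above the `if` would pin the intent: `// translation strings are trusted; only the stored, user-supplied subject is entity-encoded`. The identical branch in mail_user_autoresponder_edit deserves the same comment. The enclosing method starts before this hunk.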
diff --git a/interface/web/mail/xmpp_domain_edit.php b/interface/web/mail/xmpp_domain_edit.php
index 39132011148a73989d67a73cc7057e234f65bb2d..499882454cea5efb25f2bbe7ad509a49e1be5834 100644
--- a/interface/web/mail/xmpp_domain_edit.php
+++ b/interface/web/mail/xmpp_domain_edit.php
@@ -211,7 +211,7 @@ class page_action extends tform_actions {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}
diff --git a/interface/web/mailuser/mail_user_autoresponder_edit.php b/interface/web/mailuser/mail_user_autoresponder_edit.php
index 8007c0fd814ee934db7d7b08f43d18321fcffc41..d93151bf24094f72829e2da89dcfb5321b6ee413 100644
--- a/interface/web/mailuser/mail_user_autoresponder_edit.php
+++ b/interface/web/mailuser/mail_user_autoresponder_edit.php
@@ -84,7 +84,7 @@ class page_action extends tform_actions {
 		if($this->dataRecord['autoresponder_subject'] == '') {
 			$app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
 		} else {
-			$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
+			$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
 		}
 
 		parent::onShowEnd();
diff --git a/interface/web/sites/cron_edit.php b/interface/web/sites/cron_edit.php
index a8326493cad61e5537b3ed134fab4a737c3d8cdd..62f338f33f30f6e60502cd9e02398fb2f7e961e8 100644
--- a/interface/web/sites/cron_edit.php
+++ b/interface/web/sites/cron_edit.php
@@ -73,7 +73,7 @@ class page_action extends tform_actions {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
+			$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}
diff --git a/interface/web/sites/database_edit.php b/interface/web/sites/database_edit.php
index 213063ae89bdb70c495e630a345caa52e73987cc..7af4b4351fcf7bda8dab5899e25147c4047ab072 100644
--- a/interface/web/sites/database_edit.php
+++ b/interface/web/sites/database_edit.php
@@ -143,22 +143,22 @@ class page_action extends tform_actions {
 
 		if ($this->dataRecord['database_name'] != ""){
 			/* REMOVE the restriction */
-			$app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix));
+			$app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix), true);
 		}
 
 		if($this->dataRecord['database_name'] == "") {
 			$app->tpl->setVar("database_name_prefix", $dbname_prefix);
 		} else {
-			$app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']));
+			$app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']), true);
 		}
 
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$edit_disabled = @($_SESSION["s"]["user"]["typ"] == 'admin')? 0 : 1; //* admin can change the database-name
 			$app->tpl->setVar("edit_disabled", $edit_disabled);
-			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
-			$app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"]);
-			$app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"]);
+			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
+			$app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"], true);
+			$app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}
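Review bot: The create branch still passes `$dbname_prefix` to `setVar("database_name_prefix", ...)` unencoded while the edit branch three lines below encodes the value computed from the same prefix, so the same template variable is escaped in one code path and not the other. If the prefix is derived only from configuration this is harmless, but how `$dbname_prefix` is built is not visible in the hunk, and encoding both branches costs nothing: `$app->tpl->setVar("database_name_prefix", $dbname_prefix, true);`. `database_quota` and `server_id` are numeric and would be better cast with `$app->functions->intval()` than entity-encoded. The same asymmetric create/edit pattern recurs in the database_user_edit, ftp_user_edit, shell_user_edit and webdav_user_edit hunks.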
diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php
index e7bfa611a937be481efde7ae8ba7a8308cbaf01c..6f6e887ccaca234c7c40f2cf5951fa8629fdd5ff 100644
--- a/interface/web/sites/database_user_edit.php
+++ b/interface/web/sites/database_user_edit.php
@@ -118,13 +118,13 @@ class page_action extends tform_actions {
 
 		if ($this->dataRecord['database_user'] != ""){
 			/* REMOVE the restriction */
-			$app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix));
+			$app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix), true);
 		}
 
 		if($this->dataRecord['database_user'] == "") {
 			$app->tpl->setVar("database_user_prefix", $dbuser_prefix);
 		} else {
-			$app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']));
+			$app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']), true);
 		}
 
 		parent::onShowEnd();
diff --git a/interface/web/sites/ftp_user_edit.php b/interface/web/sites/ftp_user_edit.php
index 9de400ce0392fcff585fe6450621d8c15b6d3d14..a98e447796d91a9a2c0f27e362b537e080cc1b4d 100644
--- a/interface/web/sites/ftp_user_edit.php
+++ b/interface/web/sites/ftp_user_edit.php
@@ -79,13 +79,13 @@ class page_action extends tform_actions {
 
 		if ($this->dataRecord['username'] != ""){
 			/* REMOVE the restriction */
-			$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix));
+			$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix), true);
 		}
 
 		if($this->dataRecord['username'] == "") {
 			$app->tpl->setVar("username_prefix", $ftpuser_prefix);
 		} else {
-			$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']));
+			$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']), true);
 		}
 
 		parent::onShowEnd();
diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php
index 77c4509b44e7e2c56c5ca72d80e16d3d30b2198e..2f0a029890b1f373e4572585fbe7ea861ead560c 100644
--- a/interface/web/sites/shell_user_edit.php
+++ b/interface/web/sites/shell_user_edit.php
@@ -79,19 +79,19 @@ class page_action extends tform_actions {
 
 		if ($this->dataRecord['username'] != ""){
 			/* REMOVE the restriction */
-			$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix));
+			$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix), true);
 		}
 
 		if($this->dataRecord['username'] == "") {
 			$app->tpl->setVar("username_prefix", $shelluser_prefix);
 		} else {
-			$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']));
+			$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']), true);
 		}
 
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
+			$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}
diff --git a/interface/web/sites/web_childdomain_edit.php b/interface/web/sites/web_childdomain_edit.php
index 6ef98f901fb864083d41b9feb64bd102edab4f67..622d0d0790cae9ef8d48e4d8efb9eb1cce3e3574 100644
--- a/interface/web/sites/web_childdomain_edit.php
+++ b/interface/web/sites/web_childdomain_edit.php
@@ -144,7 +144,7 @@ class page_action extends tform_actions {
 				$this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]);
 			}
 		}
-		if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"]);
+		if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true);
 
 		$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 		if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php
index 023f8db0c52938f467b5c3eb5c8ba6d61e9420c5..f04dc019e31232be5ae5d858f39df2d138c4de49 100644
--- a/interface/web/sites/web_vhost_domain_edit.php
+++ b/interface/web/sites/web_vhost_domain_edit.php
@@ -761,8 +761,8 @@ class page_action extends tform_actions {
 			$app->tpl->setVar("edit_disabled", 1);
 			$app->tpl->setVar('fixed_folder', 'y');
 			if($this->_vhostdomain_type == 'domain') {
-				$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
-				$app->tpl->setVar("document_root", $this->dataRecord["document_root"]);
+				$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
+				$app->tpl->setVar("document_root", $this->dataRecord["document_root"], true);
 			}
 			else $app->tpl->setVar('server_id_value', $parent_domain['server_id']);
 		} else {
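Review bot: The `else` branch on the last line of the hunk still sets `server_id_value` from `$parent_domain['server_id']` with no encoding or cast, while the `domain` branch directly above now encodes the equivalent value from `dataRecord`; both feed the same template variable and should be treated the same way. Since the value is a numeric id in both cases, `$app->functions->intval()` on both lines is the cleaner fix, e.g. `else $app->tpl->setVar('server_id_value', $app->functions->intval($parent_domain['server_id']));`. `document_root` is a filesystem path and is correctly encoded, provided the template does not escape it again. The enclosing method starts before this hunk.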
@@ -820,7 +820,7 @@ class page_action extends tform_actions {
 			if($this->dataRecord["type"] == 'vhostsubdomain') $this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]);
 		}
 		
-		if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"]);
+		if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true);
 
 		// check for configuration errors in sys_datalog
 		if($this->id > 0) {
diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php
index 73e47eb7a98d5ef6e847614384eb9df1d11aea38..e94625fd9d0122a253b4b151e7119e3aa09645ae 100644
--- a/interface/web/sites/webdav_user_edit.php
+++ b/interface/web/sites/webdav_user_edit.php
@@ -78,19 +78,19 @@ class page_action extends tform_actions {
 
 		if ($this->dataRecord['username'] != "") {
 			/* REMOVE the restriction */
-			$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix));
+			$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix), true);
 		}
 
 		if($this->dataRecord['username'] == "") {
 			$app->tpl->setVar("username_prefix", $webdavuser_prefix);
 		} else {
-			$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']));
+			$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']), true);
 		}
 
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
+			$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}
diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php
index 2a5b12f3d712886143a05b65acdfbed536afcad1..8109859ecef09107cded1d5b976ccec92fa789f6 100644
--- a/interface/web/vm/openvz_vm_edit.php
+++ b/interface/web/vm/openvz_vm_edit.php
@@ -198,8 +198,8 @@ class page_action extends tform_actions {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
-			$app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"]);
+			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
+			$app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}