diff --git a/apps/contacts/ajax/contacts.php b/apps/contacts/ajax/contacts.php
index 37d396cd83a1bbca67fc83b6c8ad65e498b0026b..dbc9be5ca565484435c1e56e9fa993c57b597c59 100644
--- a/apps/contacts/ajax/contacts.php
+++ b/apps/contacts/ajax/contacts.php
@@ -13,7 +13,7 @@ OCP\JSON::checkAppEnabled('contacts');
 $ids = OC_Contacts_Addressbook::activeIds(OCP\USER::getUser());
 $contacts = OC_Contacts_VCard::all($ids);
 $tmpl = new OCP\Template("contacts", "part.contacts");
-$tmpl->assign('contacts', $contacts);
+$tmpl->assign('contacts', $contacts, false);
 $page = $tmpl->fetchPage();
 
 OCP\JSON::success(array('data' => array( 'page' => $page )));
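Review bot: The new third argument `false` on the `assign('contacts', ...)` call (presumably the template layer's sanitize flag) turns off escaping for the entire contacts array, so every field that part.contacts.php echoes now has to be escaped in the template itself, and the same applies to the identical change in apps/contacts/index.php. Nothing at this call site records that contract, and a later template edit that echoes a new field will be unescaped by default. A one-line comment above the call would make the hand-off explicit, e.g. `// sanitizing disabled: part.contacts.php must htmlspecialchars() every contact field it outputs`.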
diff --git a/apps/contacts/ajax/editaddress.php b/apps/contacts/ajax/editaddress.php
index 969aeeba8f440b70c0842abad981acd18ff69104..2d7aba11b0ef9dc4b5d8bbf7fb86d173e1cc3d47 100644
--- a/apps/contacts/ajax/editaddress.php
+++ b/apps/contacts/ajax/editaddress.php
@@ -20,7 +20,18 @@ if($checksum) {
 	$line = OC_Contacts_App::getPropertyLineByChecksum($vcard, $checksum);
 	$element = $vcard->children[$line];
 	$adr = OC_Contacts_VCard::structureProperty($element);
-	$tmpl->assign('adr',$adr);
+	$types = array();
+	if(isset($adr['parameters']['TYPE'])) {
+		if(is_array($adr['parameters']['TYPE'])) {
+			$types = array_map('htmlspecialchars', $adr['parameters']['TYPE']);
+			$types = array_map('strtoupper', $types);
+		} else {
+			$types = array(strtoupper(htmlspecialchars($adr['parameters']['TYPE'])));
+		}
+	}
+	$tmpl->assign('types', $types, false);
+	$adr = array_map('htmlspecialchars', $adr['value']);
+	$tmpl->assign('adr', $adr, false);
 }
 
 $tmpl->assign('id',$id);
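Review bot: The `$types` block applies `htmlspecialchars` before `strtoupper`, so any entity produced by escaping (e.g. `&#039;` is safe, but `&amp;` becomes `&AMP;`) has its name upper-cased; doing the case change first avoids touching entity names, and casting to array removes the duplicated branches: `$types = array_map('htmlspecialchars', array_map('strtoupper', (array)$adr['parameters']['TYPE']));`. On the following line, `array_map('htmlspecialchars', $adr['value'])` will emit a warning and yield null if `structureProperty()` returns a property without an array `value` — I cannot see that helper here, so a guard such as `isset($adr['value']) && is_array($adr['value'])` seems warranted. Reusing `$adr` for the escaped value list also hides that the variable changes shape mid-block; a separate name (`$adrValues`) would read more clearly. The enclosing `if($checksum)` block starts outside the hunk.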
diff --git a/apps/contacts/index.php b/apps/contacts/index.php
index 74b7c43c556c19f53256c433170ad8fbbc5a18af..bdb52c123cef6032339c3167b202b64231b34449 100644
--- a/apps/contacts/index.php
+++ b/apps/contacts/index.php
@@ -66,7 +66,7 @@ $tmpl->assign('phone_types', $phone_types);
 $tmpl->assign('email_types', $email_types);
 $tmpl->assign('categories', $categories);
 $tmpl->assign('addressbooks', $addressbooks);
-$tmpl->assign('contacts', $contacts);
+$tmpl->assign('contacts', $contacts, false);
 $tmpl->assign('details', $details );
 $tmpl->assign('id',$id);
 $tmpl->printPage();
diff --git a/apps/contacts/templates/part.contacts.php b/apps/contacts/templates/part.contacts.php
index 00a61f72fdd9ce578db6146e9db3e8d58cc4b794..57517505405fdd63c640d293feb312d41d58dd9d 100644
--- a/apps/contacts/templates/part.contacts.php
+++ b/apps/contacts/templates/part.contacts.php
@@ -8,5 +8,5 @@
 		}
 	}
 ?>
-	<li role="button" book-id="<?php echo $contact['addressbookid']; ?>" data-id="<?php echo $contact['id']; ?>"><a href="index.php?id=<?php echo $contact['id']; ?>"><?php echo $display; ?></a></li>
+	<li role="button" book-id="<?php echo $contact['addressbookid']; ?>" data-id="<?php echo $contact['id']; ?>"><a href="index.php?id=<?php echo $contact['id']; ?>"><?php echo htmlspecialchars($display); ?></a></li>
 <?php endforeach; ?>
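Review bot: Only `$display` gains `htmlspecialchars()` on the changed line, while `$contact['addressbookid']` and `$contact['id']` are still echoed raw into the `book-id`/`data-id` attributes and the `href`; since both callers now assign the contacts array with sanitizing disabled, no other layer escapes them. They are probably integer database ids, but the template cannot rely on that, so escape them the same way, e.g. `book-id="<?php echo htmlspecialchars($contact['addressbookid']); ?>"` and `data-id="<?php echo htmlspecialchars($contact['id']); ?>"`, and use the escaped id in the `href` as well. The `foreach` whose body this line belongs to begins outside the hunk.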
diff --git a/apps/contacts/templates/part.edit_address_dialog.php b/apps/contacts/templates/part.edit_address_dialog.php
index 7684795f3488ac77b0277a9a2e24e7cb25de68bf..d5ea95ba465f580d1b0841ffbb5717cc68020a3c 100644
--- a/apps/contacts/templates/part.edit_address_dialog.php
+++ b/apps/contacts/templates/part.edit_address_dialog.php
@@ -1,13 +1,9 @@
 <?php
 $adr = isset($_['adr'])?$_['adr']:array();
-$id = $_['id'];
-$types = array();
-foreach(isset($adr['parameters']['TYPE'])?array($adr['parameters']['TYPE']):array() as $type) {
-	$types[] = strtoupper($type);
-}
+$id = isset($_['id'])?$_['id']:array();
+$types = isset($_['types'])?$_['types']:array();
 ?>
 <div id="edit_address_dialog" title="<?php echo $l->t('Edit address'); ?>">
-<!-- ?php print_r($types); ? -->
 	<fieldset id="address">
 		<dl class="form">
 			<dt>
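Review bot: `$id = isset($_['id'])?$_['id']:array();` defaults a scalar contact id to an empty array, which is the wrong fallback type — wherever `$id` is echoed further down (outside this hunk) that would print `Array` with a notice rather than an empty value. The fallback should be a scalar, `$id = isset($_['id'])?$_['id']:'';`. Since `$adr` and `$types` now arrive pre-escaped from ajax/editaddress.php, it is also worth stating that at the top of this block so nobody re-escapes or forgets to escape them, e.g. `/* $adr and $types are already htmlspecialchars()'d by ajax/editaddress.php (assigned with sanitizing disabled) */`.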
@@ -22,43 +18,43 @@ foreach(isset($adr['parameters']['TYPE'])?array($adr['parameters']['TYPE']):arra
 				<label class="label" for="adr_pobox"><?php echo $l->t('PO Box'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_pobox" name="value[ADR][0]" placeholder="<?php echo $l->t('PO Box'); ?>" value="<?php echo isset($adr['value'][0])?$adr['value'][0]:''; ?>">
+				<input type="text" id="adr_pobox" name="value[ADR][0]" placeholder="<?php echo $l->t('PO Box'); ?>" value="<?php echo isset($adr[0])?$adr[0]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_street"><?php echo $l->t('Street address'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_street" name="value[ADR][2]" placeholder="<?php echo $l->t('Street and number'); ?>" value="<?php echo isset($adr['value'][2])?$adr['value'][2]:''; ?>">
+				<input type="text" id="adr_street" name="value[ADR][2]" placeholder="<?php echo $l->t('Street and number'); ?>" value="<?php echo isset($adr[2])?$adr[2]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_extended"><?php echo $l->t('Extended'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_extended" name="value[ADR][1]" placeholder="<?php echo $l->t('Apartment number etc.'); ?>" value="<?php echo isset($adr['value'][1])?$adr['value'][1]:''; ?>">
+				<input type="text" id="adr_extended" name="value[ADR][1]" placeholder="<?php echo $l->t('Apartment number etc.'); ?>" value="<?php echo isset($adr[1])?$adr[1]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_city"><?php echo $l->t('City'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_city" name="value[ADR][3]" placeholder="<?php echo $l->t('City'); ?>" value="<?php echo isset($adr['value'][3])?$adr['value'][3]:''; ?>">
+				<input type="text" id="adr_city" name="value[ADR][3]" placeholder="<?php echo $l->t('City'); ?>" value="<?php echo isset($adr[3])?$adr[3]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_region"><?php echo $l->t('Region'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_region" name="value[ADR][4]" placeholder="<?php echo $l->t('E.g. state or province'); ?>" value="<?php echo isset($adr['value'][4])?$adr['value'][4]:''; ?>">
+				<input type="text" id="adr_region" name="value[ADR][4]" placeholder="<?php echo $l->t('E.g. state or province'); ?>" value="<?php echo isset($adr[4])?$adr[4]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_zipcode"><?php echo $l->t('Zipcode'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_zipcode" name="value[ADR][5]" placeholder="<?php echo $l->t('Postal code'); ?>" value="<?php echo isset($adr['value'][5])?$adr['value'][5]:''; ?>">
+				<input type="text" id="adr_zipcode" name="value[ADR][5]" placeholder="<?php echo $l->t('Postal code'); ?>" value="<?php echo isset($adr[5])?$adr[5]:''; ?>">
 			</dd>
 			<dt>
 				<label class="label" for="adr_country"><?php echo $l->t('Country'); ?></label>
 			</dt>
 			<dd>
-				<input type="text" id="adr_country" name="value[ADR][6]" placeholder="<?php echo $l->t('Country'); ?>" value="<?php echo isset($adr['value'][6])?$adr['value'][6]:''; ?>">
+				<input type="text" id="adr_country" name="value[ADR][6]" placeholder="<?php echo $l->t('Country'); ?>" value="<?php echo isset($adr[6])?$adr[6]:''; ?>">
 			</dd>
 		</dl>
 	</fieldset>
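Review bot: Every `value="..."` attribute in this hunk now echoes `$adr[n]` unescaped and depends on ajax/editaddress.php having run `htmlspecialchars` over the values before assigning with sanitizing disabled; the template carries no trace of that assumption, so a second caller of this template that assigns a raw `adr` array would render unescaped vCard data into attributes. The safer split is to escape at the output point and pass raw data in, but if the pre-escaped contract is kept, the seven repeated `isset($adr[n])?$adr[n]:''` expressions could be collapsed into a small local closure defined at the top of the template (in the preceding hunk) that does the `isset` check and the escaping in one place, so that both concerns live in the template. The default `htmlspecialchars` mode does not escape single quotes, which is fine here only because all these attributes are double-quoted; passing `ENT_QUOTES` at the escaping site removes that dependency.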