diff --git a/templates/feedback/index.html b/templates/feedback/index.html
index eeb2556e290d69642025a8dacc4d08d8589151c1..a1b63e31fe47026b4e57306ecb7a0f90d5d890f0 100644
--- a/templates/feedback/index.html
+++ b/templates/feedback/index.html
@@ -220,7 +220,7 @@
 					dataType: 'json',
 					data: $(this).serializeObject()
 				}).done(function() {
-					window.location.replace("{{ util.view_url('feedback/thanks') }}");
+					window.location.replace("{{ util.view_url('feedback/thanks', safe = False) }}");
 				});
 			});
 		});
diff --git a/templates/internal/macros.html b/templates/internal/macros.html
index f7830b49667c2ae586b0b79922d77b45c1c0e8e2..5e027a335cf9121c631022357bfa171a37f28645 100644
--- a/templates/internal/macros.html
+++ b/templates/internal/macros.html
@@ -1,40 +1,42 @@
 {# this file contains helper macros, not intended for rendering but import, imported as util in main templates. Note the whitespace control #}
 
-{% macro view_url(view_name, context = g.stop_id) -%}
-	{{ url_for('view', path = view_name, stopId = context, _external = True) }}
+{%- macro view_url(view_name, context = g.stop_id, safe = True) -%}
+	{% autoescape safe %}{{ url_for('view', path = view_name, stopId = context, _external = True) }}{% endautoescape %}
 {%- endmacro %}
 
-{% macro static_url(filename) -%}
-	{{ url_for('static', filename = filename, _external = True) }}
+{%- macro static_url(filename, safe = True) -%}
+	{% autoescape safe %}{{ url_for('static', filename = filename, _external = True) }}{% endautoescape %}
 {%- endmacro %}
 
-{% macro home_url(context = g.stop_id, lang = None) -%}
+{%- macro home_url(context = g.stop_id, lang = None, safe = True) -%}
+	{% autoescape safe -%}
 	{% if not lang -%}
 		{{ url_for('view', path = '', stopId = context, _external = True) }}
 	{%- else -%}
 		{{ url_for('view', path = '', stopId = context, lang = lang, _external = True) }}
 	{%- endif %}
+	{%- endautoescape %}
 {%- endmacro %}
 
-{# For format string documentation, see: http://babel.pocoo.org/en/latest/dates.html#pattern-syntax #}
-{% macro time_short(time) -%}
+{#- For format string documentation, see: http://babel.pocoo.org/en/latest/dates.html#pattern-syntax #}
+{%- macro time_short(time) -%}
 	{{ time | datetimeformat(format = 'HH:mm') }}
 {%- endmacro %}
 
-{% macro time_long(time) -%}
+{%- macro time_long(time) -%}
 	{{ time | timeformat(format = 'HH:mm:ss') }}
 {%- endmacro %}
 
-{% macro date(time) -%}
+{%- macro date(time) -%}
 	{{ time | datetimeformat }}
 {%- endmacro %}
 
-{% macro stop_name(full_name = True, context = stop_info) -%}
+{%- macro stop_name(full_name = True, context = stop_info) -%}
 	{% if full_name %}{% if context.stop_code %}{{ context.stop_code }}{% else %}{{ context.stop_id }}{% endif %} - {% endif %}{{ context.stop_name }}
 {%- endmacro %}
 
 {# assumes that schedule_row.headsign does not contain the trip/line short_name attribute already, true for Föli data but GTFS does not guarantee this  #}
-{% macro line_name(schedule_row, full_name = False) -%}
+{%- macro line_name(schedule_row, full_name = False) -%}
 	{% if not full_name or not schedule_row.route -%}
 		{% if schedule_row.route %}{{ schedule_row.route.short_name }} - {% endif %}{{ schedule_row.headsign }}
 	{%- else -%}
@@ -42,7 +44,7 @@
 	{%- endif %}
 {%- endmacro %}
 
-{% macro pagination(context) %}
+{%- macro pagination(context) %}
 {% if context -%}
 <nav>
 	<ul class="pagination pagination-lg pagination-foli justify-content-center">
@@ -60,4 +62,4 @@
 	</ul>
 </nav>
 {%- endif %}
-{% endmacro %}
+{% endmacro -%}
diff --git a/templates/map.html b/templates/map.html
index 6e2f3cbc3ee4736cc0492df3bbaa3d714fb5955e..d8bcc62c16f928c062f02260974d9d776c11919b 100644
--- a/templates/map.html
+++ b/templates/map.html
@@ -264,7 +264,7 @@
 			}
 
 			markers = {};
-			$.getJSON("{{ url_for('apiLocatorService', version = 1, stopId = stop_info.stop_id, type = 'nearby', _external = True) }}",
+			$.getJSON("{{ url_for('apiLocatorService', version = 1, stopId = stop_info.stop_id, type = 'nearby', _external = True)|safe }}",
 				function (data) {
 					console.log('found this many buses: ' + Object.keys(data).length);
 					$.each( data, function( key, value ) {
@@ -286,7 +286,7 @@
 			// mark the map as busy
 			mapUpdating = true;
 
-			$.getJSON("{{ url_for('apiLocatorService', version = 1, stopId = stop_info.stop_id, type = 'nearby', _external = True) }}",
+			$.getJSON("{{ url_for('apiLocatorService', version = 1, stopId = stop_info.stop_id, type = 'nearby', _external = True)|safe }}",
 				function (data) {
 					// poor man's locking
 					if (trackingLoop === null) {
@@ -350,7 +350,7 @@
 			// get information about the focused bus
 			var requestFocus = focusedMarker;
 			$.post(
-				"{{ url_for('apiBusInfo', version = 1, _external = True) }}",
+				"{{ url_for('apiBusInfo', version = 1, _external = True)|safe }}",
 				{ bus_id: requestFocus, get_shape: 1 },
 				function (data) {
 					// poor man's locking (the A in Ajax is for Asynchronous :))
@@ -403,7 +403,7 @@
 
 			var requestFocus = focusedMarker;
 			$.post(
-				"{{ url_for('apiBusInfo', version = 1, _external = True) }}",
+				"{{ url_for('apiBusInfo', version = 1, _external = True)|safe }}",
 				{ bus_id: requestFocus, get_shape: 0 },
 				function (data) {
 					// poor man's locking