diff --git a/evennia/server/portal/webclient_ajax.py b/evennia/server/portal/webclient_ajax.py
index 87e73ef550..27ce79e42c 100644
--- a/evennia/server/portal/webclient_ajax.py
+++ b/evennia/server/portal/webclient_ajax.py
@@ -19,6 +19,7 @@ http://localhost:4001/webclient.)
 import json
 import re
 import time
+import cgi
 from twisted.web import server, resource
 from twisted.internet.task import LoopingCall
@@ -34,12 +35,12 @@ _RE_SCREENREADER_REGEX = re.compile(r"%s" % settings.SCREENREADER_REGEX_STRIP, r
 _SERVERNAME = settings.SERVERNAME
 _KEEPALIVE = 30 # how often to check keepalive
+
 # defining a simple json encoder for returning
 # django data to the client. Might need to
 # extend this if one wants to send more
 # complex database objects too.
-
 class LazyEncoder(json.JSONEncoder):
 def default(self, obj):
 if isinstance(obj, Promise):
@@ -157,7 +158,7 @@ class AjaxWebClient(resource.Resource):
 request (Request): Incoming request.
 """
- csessid = request.args.get('csessid')[0]
+ csessid = cgi.escape(request.args['csessid'][0])
 remote_addr = request.getClientIP()
 host_string = "%s (%s:%s)" % (_SERVERNAME, request.getRequestHostname(), request.getHost().port)
@@ -189,7 +190,7 @@ class AjaxWebClient(resource.Resource):
 This is called by render_POST when the client is replying to the keepalive.
 """
- csessid = request.args.get('csessid')[0]
+ csessid = cgi.escape(request.args['csessid'][0])
 self.last_alive[csessid] = (time.time(), False)
 return '""'
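Review bot: HTML-escaping `csessid` when it is read (`cgi.escape(request.args['csessid'][0])` in the `@@ -157,7 +158,7 @@` hunk) treats a session identifier as markup instead of validating it. In the other hunks the value is used as a dictionary key and a session-lookup key, so it would be safer to reject anything outside the expected id format and to HTML-encode only at the point where the value is written into a response. The switch from `.get('csessid')[0]` to `['csessid'][0]` also means a request without the parameter now raises `KeyError` (previously `TypeError`), and neither is handled in the visible lines; `csessid = request.args.get('csessid', [None])[0]` followed by an explicit rejection would match how `mode` is read in the `@@ -266,6 +266,7 @@` hunk. The same line is repeated in the hunks at `-189`, `-202`, `-223` and `-244`, so one small helper would keep them consistent. Each of these method bodies starts and ends outside its hunk.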
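Review bot: In the keepalive hunk (`@@ -189,7 +190,7 @@`) the context line `self.last_alive[csessid] = (time.time(), False)` stores an entry under whatever `csessid` the client sends, and the added escaping does not change that. If nothing outside the hunk checks the id against a known session first, unauthenticated requests can keep adding keys to `last_alive`; assuming the init path is what first creates the entry, a guard such as `if csessid not in self.last_alive: return '""'` before the write would restrict the refresh to registered sessions. The same write appears in the `-202` and `-223` hunks. How stale entries are expired is not visible here, so this is a point to confirm rather than a demonstrated leak.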
@@ -202,13 +203,12 @@ class AjaxWebClient(resource.Resource):
 request (Request): Incoming request.
 """
- csessid = request.args.get('csessid')[0]
-
+ csessid = cgi.escape(request.args['csessid'][0])
 self.last_alive[csessid] = (time.time(), False)
 sess = self.sessionhandler.sessions_from_csessid(csessid)
 if sess:
 sess = sess[0]
- cmdarray = json.loads(request.args.get('data')[0])
+ cmdarray = json.loads(cgi.escape(request.args.get('data')[0]))
 sess.sessionhandler.data_in(sess, **{cmdarray[0]: [cmdarray[1], cmdarray[2]]})
 return '""'
@@ -223,7 +223,7 @@ class AjaxWebClient(resource.Resource):
 request (Request): Incoming request.
 """
- csessid = request.args.get('csessid')[0]
+ csessid = cgi.escape(request.args['csessid'][0])
 self.last_alive[csessid] = (time.time(), False)
 dataentries = self.databuffer.get(csessid, [])
@@ -244,7 +244,7 @@ class AjaxWebClient(resource.Resource):
 request (Request): Incoming request.
 """
- csessid = request.args.get('csessid')[0]
+ csessid = cgi.escape(request.args['csessid'][0])
 try:
 sess = self.sessionhandler.sessions_from_csessid(csessid)[0]
 sess.sessionhandler.disconnect(sess)
@@ -266,6 +266,7 @@ class AjaxWebClient(resource.Resource):
 """
 dmode = request.args.get('mode', [None])[0]
+
 if dmode == 'init':
 # startup. Setup the server.
 return self.mode_init(request)
diff --git a/evennia/utils/eveditor.py b/evennia/utils/eveditor.py
index 7a2fbc9b70..d2955c6500 100644
--- a/evennia/utils/eveditor.py
+++ b/evennia/utils/eveditor.py
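Review bot: `json.loads(cgi.escape(request.args.get('data')[0]))` in the `@@ -202,13 +203,12 @@` hunk escapes the raw JSON text before it is parsed, so every `&`, `<` and `>` a player types reaches `data_in` as `&amp;`, `&lt;` or `&gt;`. That alters legitimate input, and it only parses at all because `cgi.escape` leaves quotes alone by default; its replacement `html.escape` escapes quotes by default and would break the JSON (`cgi.escape` is deprecated since Python 3.2 and removed in 3.8). Parse the untouched value, `cmdarray = json.loads(request.args.get('data')[0])`, and apply HTML encoding where text is rendered into the page. The result is then indexed as `cmdarray[0]` to `cmdarray[2]`, and `cmdarray[0]` becomes a keyword name for `data_in`, so a type and length check before that call would turn a malformed payload into a clean rejection. This line also still uses `.get('data')[0]`, unlike the `csessid` lines, so a missing `data` parameter fails with a different exception.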
@@ -929,9 +929,9 @@ class EvEditor(object):
 nchars = len(buf)
 sep = self._sep
- header = "|n" + sep * 10 + "Line Editor [%s]" % self._key + sep * (_DEFAULT_WIDTH - 20 - len(self._key))
+ header = "|n" + sep * 10 + "Line Editor [%s]" % self._key + sep * (_DEFAULT_WIDTH - 24 - len(self._key))
 footer = "|n" + sep * 10 +\
- "[l:%02i w:%03i c:%04i]" % (nlines, nwords, nchars) + sep * 12 + "(:h for help)" + sep * 28
+ "[l:%02i w:%03i c:%04i]" % (nlines, nwords, nchars) + sep * 12 + "(:h for help)" + sep * (_DEFAULT_WIDTH - 54)
 if linenums:
 main = "\n".join("|b%02i|||n %s" % (iline + 1 + offset, raw(line)) for iline, line in enumerate(lines))
 else:
diff --git a/evennia/utils/evmenu.py b/evennia/utils/evmenu.py
index 3bb65be8da..8afd739513 100644
--- a/evennia/utils/evmenu.py
+++ b/evennia/utils/evmenu.py
@@ -1006,13 +1006,13 @@ class EvMenu(object):
 else:
 # add a default white color to key
 table.append(" |lc%s|lt|w%s|n|le%s" % (raw_key, raw_key, desc_string))
+ ncols = (_MAX_TEXT_WIDTH // table_width_max) # number of ncols
- ncols = (_MAX_TEXT_WIDTH // table_width_max) + 1 # number of ncols
-
- if ncols <= 0:
+ if ncols < 0:
 # no visible option at all
 return ""
+ ncols = ncols + 1 if ncols == 0 else ncols
 # get the amount of rows needed (start with 4 rows)
 nrows = 4
 while nrows * ncols < nlist:
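Review bot: The new paddings `_DEFAULT_WIDTH - 24 - len(self._key)` and `_DEFAULT_WIDTH - 54` in the `@@ -929,9 +929,9 @@` hunk are hand-counted from the literal text, and nothing nearby says where 24 and 54 come from. They add up only while the counters fit the minimum widths in `"[l:%02i w:%03i c:%04i]"`; a buffer with 100 or more lines (or 1000 words, or 10000 characters) makes the footer wider than the header. Formatting the counter string first and deriving the padding from its length would keep the two lines aligned for any buffer size. If the constants stay, a comment such as `# 10 separators + len("Line Editor []") = 24 columns besides the key` would document them. The enclosing method starts and ends outside the hunk.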
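Review bot: In the `@@ -1006,13 +1006,13 @@` hunk the guard `if ncols < 0:` looks unreachable whenever `_MAX_TEXT_WIDTH` and `table_width_max` are both positive, because floor division of two positive numbers is never negative, so the "no visible option at all" return appears to be dead code. The follow-up `ncols = ncols + 1 if ncols == 0 else ncols` is a roundabout clamp; `ncols = max(1, _MAX_TEXT_WIDTH // table_width_max)` states the same thing in one line. `table_width_max` is computed outside the hunk, so it is worth confirming it cannot be 0 for an empty option list, since the division would then raise `ZeroDivisionError` before any guard runs.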