diff --git a/APPL/Shared/loadCalendar.asp b/APPL/Shared/loadCalendar.asp
index d7488633a9..b7057678f6 100644
--- a/APPL/Shared/loadCalendar.asp
+++ b/APPL/Shared/loadCalendar.asp
@@ -21,12 +21,15 @@ DOCTYPE_Disable = true;
 <%
 // Maak een kalender
-var cal_id = getFParam("cal_id");
-var label = getFParam("label", "");
+
+// De functie FCLTcalendar verwacht dat alle parameters htmlsafe zijn
+// Bij wijze van uitzondering forceren we dat hier
+var cal_id = safe.htmlattr(getFParam("cal_id"));
+var label = safe.htmlattr(getFParam("label", ""));
 var datum = getFParamDate("datum", new Date);
-var onChange = getFParam("onChange", "");
-var onChangeDate = getFParam("onChangeDate", "");
-var onChangeTime = getFParam("onChangeTime", "");
+var onChange = safe.htmlattr(getFParam("onChange", ""));
+var onChangeDate = safe.htmlattr(getFParam("onChangeDate", ""));
+var onChangeTime = safe.htmlattr(getFParam("onChangeTime", ""));
 var volgnr = getFParamInt("volgnr", -1);
 var calendars = getFParamInt("calendars", -1);
 var readonly = (getFParamInt("readonly", 0) == 1);
@@ -40,7 +43,7 @@ var maxPast = getFParamInt("maxPast", -1);
 var minFuture = getFParamInt("minFuture", -1);
 var minDate = getFParamDate("minDate", null);
 var maxDate = getFParamDate("maxDate", null);
-var addClass = getFParam("addClass", "");
+var addClass = safe.htmlattr(getFParam("addClass", ""));
 var hidden = (getFParamInt("hidden", 0) == 1);
 params = { datum: datum };
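Review bot: `onChange`, `onChangeDate` and `onChangeTime` are request parameters that look like script callbacks, and HTML-attribute escaping does not make them safe if FCLTcalendar writes them into an event-handler attribute or another script context, because the browser decodes the attribute value before running it as JavaScript. FCLTcalendar is defined outside this hunk, so that needs confirming there; if callers only ever pass a function name, validate each value against an identifier pattern or a fixed list before use, for example `if (!/^[A-Za-z_$][\w$.]*$/.test(onChange)) onChange = "";`. Escaping at input also means `cal_id`, `label` and, in the second hunk, `addClass` are correct only for attribute sinks: a value that ends up in element text or inline script needs that context's encoder, and anything FCLTcalendar already escapes will be double-encoded. The script block continues past both hunks.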