diff --git a/lib/controllers.js b/lib/controllers.js
index 7a12285..46e4687 100644
--- a/lib/controllers.js
+++ b/lib/controllers.js
@@ -33,8 +33,8 @@ async function getGroups(set) {
 	groupNames = groupNames.filter(groupName => groupName && !groups.isPrivilegeGroup(groupName));
 
 	return groupNames.map(groupName => ({
-		name: validator.escape(String(groupName)),
-		value: validator.escape(String(groupName)),
+		name: groupName,
+		value: groupName,
 	}));
 }
 
@@ -74,7 +74,7 @@ Controllers.renderChoices = async (req, res) => {
 		hasAuthn,
 		hasTotp,
 		hasBackupCodes,
-		next: validator.escape(req.query.next),
+		next: req.query.next,
 		title: '[[2factor:title]]',
 	});
 };
@@ -101,7 +101,7 @@ Controllers.renderTotpChallenge = async (req, res, next) => {
 		res.render('login-totp', {
 			single,
 			error: error[0],
-			next: validator.escape(req.query.next),
+			next: req.query.next,
 		});
 	}, error.length ? 2500 : undefined);
 };
@@ -131,13 +131,11 @@ Controllers.renderAuthnChallenge = async (req, res, next) => {
 		req.session.authRequest = authnOptions.challenge;
 	}
 
-	devices.forEach((d) => { d.name = validator.escape(d.name); });
-
 	res.render('login-authn', {
 		single,
 		authnOptions,
 		devices,
-		next: validator.escape(req.query.next),
+		next: req.query.next,
 	});
 };
 
@@ -180,7 +178,7 @@ Controllers.renderBackup = async (req, res, next) => {
 		res.render('login-backup', {
 			single,
 			error: error[0],
-			next: validator.escape(req.query.next),
+			next: req.query.next,
 		});
 	}, error.length ? 2500 : undefined);
 };
diff --git a/package.json b/package.json
index 11ba348..6fab85a 100644
--- a/package.json
+++ b/package.json
@@ -23,7 +23,7 @@
   },
   "readmeFilename": "README.md",
   "nbbpm": {
-    "compatibility": "^4.12.0"
+    "compatibility": "^4.14.0"
   },
   "dependencies": {
     "arraybuffer-to-string": "^1.0.2",
diff --git a/static/templates/admin/plugins/2factor.tpl b/static/templates/admin/plugins/2factor.tpl
index 898db42..3906578 100644
--- a/static/templates/admin/plugins/2factor.tpl
+++ b/static/templates/admin/plugins/2factor.tpl
@@ -19,26 +19,24 @@
 						[[2factor:admin.users.text]]
 					</p>
 
-					<!-- IF users.length -->
+					{{{ if users.length }}}
 					<ul class="user-list list-group list-group-horizontal">
-						<!-- BEGIN users -->
+						{{{ each users }}}
 						<li class="list-group-item">
 							<a href="{users.config.relative_path}/user/{users.userslug}">
-								<!-- IF ../picture -->
-								<img class="avatar" component="user/picture" style="--avatar-size: 32px;" src="{../picture}" itemprop="image" />
-								<!-- ELSE -->
-								<div class="avatar" component="user/picture" style="--avatar-size: 32px; background-color: {../icon:bgColor};">{../icon:text}</div>
-								<!-- END -->
+								{{buildAvatar(@value)}}
+							</a>
+							<a href="{users.config.relative_path}/user/{users.userslug}">
 								{users.username}
 							</a>
 						</li>
-						<!-- END users -->
+						{{{ end }}}
 					</ul>
-					<!-- ELSE -->
+					{{{ else }}}
 					<div class="alert alert-warning text-center">
 						<em>[[2factor:admin.users.none]]</em>
 					</div>
-					<!-- ENDIF users.length -->
+					{{{ end }}}
 				</div>
 
 				<div class="mb-4">