diff --git a/apps/i2psnark/java/build.xml b/apps/i2psnark/java/build.xml
index 3065ed9bc..94dd809b6 100644
--- a/apps/i2psnark/java/build.xml
+++ b/apps/i2psnark/java/build.xml
@@ -99,14 +99,10 @@
         <copy todir="build/icons/.icons" >
             <fileset dir="../icons/" />
         </copy>
-        <copy todir="build/js/.js" >
-            <fileset dir="../js/" />
-        </copy>
         <war destfile="../i2psnark.war" webxml="../web.xml" >
           <!-- include only the web stuff, as of 0.7.12 the router will add i2psnark.jar to the classpath for the war -->
           <classes dir="./build/obj" includes="**/web/*.class" />
             <fileset dir="build/icons/" />
-            <fileset dir="build/js/" />
             <manifest>
                 <attribute name="Implementation-Version" value="${full.version}" />
                 <attribute name="Built-By" value="${build.built-by}" />
@@ -119,7 +115,7 @@
     
     <target name="warUpToDate">
         <uptodate property="war.uptodate" targetfile="../i2psnark.war" >
-            <srcfiles dir= "." includes="build/obj/org/klomp/snark/web/*.class ../icons/* ../js/* ../web.xml" />
+            <srcfiles dir= "." includes="build/obj/org/klomp/snark/web/*.class ../icons/* ../web.xml" />
         </uptodate>
     </target>
     
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 5e3aa5f2d..24094515c 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -158,6 +158,8 @@ public class I2PSnarkServlet extends Default {
             resp.setCharacterEncoding("UTF-8");
             resp.setContentType("text/html; charset=UTF-8");
             PrintWriter out = resp.getWriter();
+            //if (_log.shouldLog(Log.DEBUG))
+            //    _manager.addMessage((_context.clock().now() / 1000) + " xhr1 p=" + req.getParameter("p"));
             writeMessages(out);
             writeTorrents(out, req);
             return;
@@ -204,7 +206,8 @@ public class I2PSnarkServlet extends Default {
         
         String peerParam = req.getParameter("p");
         String peerString;
-        if (peerParam == null || !_manager.util().connected()) {
+        if (peerParam == null || (!_manager.util().connected()) ||
+            peerParam.replaceAll("[a-zA-Z0-9~=-]", "").length() > 0) {  // XSS
             peerString = "";
         } else {
             peerString = "?p=" + peerParam;
@@ -223,15 +226,20 @@ public class I2PSnarkServlet extends Default {
         int delay = 0;
         if (!isConfigure) {
             delay = _manager.getRefreshDelaySeconds();
-            if (delay > 0)
+            if (delay > 0) {
                 //out.write("<meta http-equiv=\"refresh\" content=\"" + delay + ";/i2psnark/" + peerString + "\">\n");
-                out.write("<script src=\"/i2psnark/.js/i2psnark.js\" type=\"text/javascript\"></script>\n");
+                out.write("<script src=\"/js/ajax.js\" type=\"text/javascript\"></script>\n" +
+                          "<script type=\"text/javascript\">\n"  +
+                          "function requestAjax1() { ajax(\"/i2psnark/.ajax/xhr1.html" + peerString + "\", \"mainsection\", " + (delay*1000) + "); }\n" +
+                          "function initAjax(delayMs) { setTimeout(requestAjax1, " + (delay*1000) +");  }\n"  +
+                          "</script>\n");
+            }
         }
         out.write(HEADER_A + _themePath + HEADER_B + "</head>\n");
         if (isConfigure || delay <= 0)
             out.write("<body>");
         else
-            out.write("<body onload=\"initAjax(" + (delay * 1000) + ")\">");
+            out.write("<body onload=\"initAjax()\">");
         out.write("<center>");
         if (isConfigure) {
             out.write("<div class=\"snarknavbar\"><a href=\"/i2psnark/\" title=\"");
@@ -304,7 +312,6 @@ public class I2PSnarkServlet extends Default {
         String peerParam = req.getParameter("p");
 
         List snarks = getSortedSnarks(req);
-        String uri = req.getRequestURI();
         boolean isForm = _manager.util().connected() || !snarks.isEmpty();
         if (isForm) {
             out.write("<form action=\"_post\" method=\"POST\">\n");
@@ -418,6 +425,7 @@ public class I2PSnarkServlet extends Default {
             out.write("&nbsp;");
         }
         out.write("</th></tr></thead>\n");
+        String uri = "/i2psnark/";
         for (int i = 0; i < snarks.size(); i++) {
             Snark snark = (Snark)snarks.get(i);
             boolean showDebug = "2".equals(peerParam);
diff --git a/apps/i2psnark/js/i2psnark.js b/apps/routerconsole/jsp/js/ajax.js
similarity index 71%
rename from apps/i2psnark/js/i2psnark.js
rename to apps/routerconsole/jsp/js/ajax.js
index ba0e3f911..dab3164a0 100644
--- a/apps/i2psnark/js/i2psnark.js
+++ b/apps/routerconsole/jsp/js/ajax.js
@@ -1,9 +1,8 @@
-//var page = "home";
-function ajax(url,target) {
+function ajax(url, target, refresh) {
   // native XMLHttpRequest object
   if (window.XMLHttpRequest) {
     req = new XMLHttpRequest();
-    req.onreadystatechange = function() {ajaxDone(target);};
+    req.onreadystatechange = function() {ajaxDone(url, target, refresh);};
     req.open("GET", url, true);
     req.send(null);
     // IE/Windows ActiveX version
@@ -15,10 +14,9 @@ function ajax(url,target) {
       req.send(null);
     }
   }
-  //setTimeout("ajax(page,'scriptoutput')", 5000);
 }
 
-function ajaxDone(target) {
+function ajaxDone(url, target, refresh) {
   // only if req is "loaded"
   if (req.readyState == 4) {
     // only if "OK"
@@ -30,8 +28,6 @@ function ajaxDone(target) {
       document.getElementById(target).innerHTML="<b>Router is down</b>";
       document.getElementById("lowersection").style.display="none";
     }
+    setTimeout(function() {ajax(url, target, refresh);}, refresh);
   }
 }
-
-function requestAjax1() { ajax("/i2psnark/.ajax/xhr1.html", "mainsection"); }
-function initAjax(delayMs) { setInterval(requestAjax1, delayMs);  }