diff --git a/SECURITY.md b/SECURITY.md index c6f86607..3e5a965d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -29,6 +29,9 @@ To receive fixes for security vulnerabilities it is required to always upgrade t | V 0.6.15 | Cross-Site Scripting vulnerability on uploaded cover file names. Thanks to @ibarrionuevo || | V 0.6.15 | Creating public shelfs is now denied if user is missing the edit public shelf right. Thanks to @ibarrionuevo || | V 0.6.15 | Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo || +| V 0.6.16 | JavaScript could get executed on authors page. Thanks to @alicaz || +| V 0.6.16 | Localhost can no longer be used to upload covers. Thanks to @scara31 || +| V 0.6.16 | Another case where public shelfs could be created without permission is prevented. Thanks to @ibarrionuevo || ## Staement regarding Log4j (CVE-2021-44228 and related) diff --git a/cps/constants.py b/cps/constants.py index 7fb973fc..0a964fb7 100644 --- a/cps/constants.py +++ b/cps/constants.py @@ -151,7 +151,7 @@ def selected_roles(dictionary): BookMeta = namedtuple('BookMeta', 'file_path, extension, title, author, cover, description, tags, series, ' 'series_id, languages, publisher') -STABLE_VERSION = {'version': '0.6.16 Beta'} +STABLE_VERSION = {'version': '0.6.17 Beta'} NIGHTLY_VERSION = {} NIGHTLY_VERSION[0] = '$Format:%H$' diff --git a/cps/static/js/caliBlur.js b/cps/static/js/caliBlur.js index 3203c255..f99779bd 100644 --- a/cps/static/js/caliBlur.js +++ b/cps/static/js/caliBlur.js 
@@ -270,7 +270,7 @@ if ($("body.book").length > 0) { if (position + $("#add-to-shelves").width() > $(window).width()) { positionOff = position + $("#add-to-shelves").width() - $(window).width(); - adsPosition = position - positionOff - 5 + adsPosition = position - positionOff - 5; $("#add-to-shelves").attr("style", "left: " + adsPosition + "px !important; right: auto; top: " + topPos + "px"); } else { $("#add-to-shelves").attr("style", "left: " + position + "px !important; right: auto; top: " + topPos + "px"); @@ -429,7 +429,7 @@ if($("body.advsearch").length > 0) { if (position + $("#add-to-shelves").width() > $(window).width()) { positionOff = position + $("#add-to-shelves").width() - $(window).width(); - adsPosition = position - positionOff - 5 + adsPosition = position - positionOff - 5; $("#add-to-shelves").attr("style", "left: " + adsPosition + "px !important; right: auto; top: " + topPos + "px"); } else { $("#add-to-shelves").attr("style", "left: " + position + "px !important; right: auto; top: " + topPos + "px"); @@ -479,12 +479,12 @@ if ($.trim($("#add-to-shelves").html()).length === 0) { $("#add-to-shelf").addClass("empty-ul"); } -shelfLength = $("#add-to-shelves li").length -emptyLength = 0 +shelfLength = $("#add-to-shelves li").length; +emptyLength = 0; $("#add-to-shelves").on("click", "li a", function () { console.log("#remove-from-shelves change registered"); - emptyLength++ + emptyLength++; setTimeout(function () { if (emptyLength >= shelfLength) { diff --git a/cps/static/js/details.js b/cps/static/js/details.js index f559234e..6f99595d 100644 --- a/cps/static/js/details.js +++ b/cps/static/js/details.js 
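Review bot: In the `@@ -479` hunk the rewritten lines `shelfLength = $("#add-to-shelves li").length;` and `emptyLength = 0;` still assign to undeclared identifiers, so unless they are declared earlier in the file (not visible here) they remain implicit globals and would throw a ReferenceError under `"use strict"`; since the commit already touches these lines to add the semicolons, declaring them as `var shelfLength = $("#add-to-shelves li").length;` and `var emptyLength = 0;` would cost nothing. The same applies to `adsPosition = position - positionOff - 5;` in the two hunks above, where only the semicolon was added. The `setTimeout` callback that compares `emptyLength` with `shelfLength` continues past the end of the hunk.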
@@ -59,10 +59,10 @@ $("#archived_cb").on("change", function() { ) }; - $("#shelf-actions").on("click", "[data-shelf-action]", function (e) { + $("#add-to-shelves, #remove-from-shelves").on("click", "[data-shelf-action]", function (e) { e.preventDefault(); $.ajax({ - url: this.href, + url: $(this).data('href'), method:"post", data: {csrf_token:$("input[name='csrf_token']").val()}, }) @@ -72,7 +72,7 @@ $("#archived_cb").on("change", function() { case "add": $("#remove-from-shelves").append( templates.remove({ - add: this.href, + add: $this.data('href'), remove: $this.data("remove-href"), content: $("
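Review bot: Switching the ajax `url` from `this.href` to `$(this).data('href')` only changes how the browser builds the POST; it does not by itself stop a plain GET from reaching the shelf add/remove routes, so this client-side change is only as good as a server-side method restriction on those routes, which this diff does not show and should be confirmed. Within the same handler the new line reads `$(this).data('href')` while the following hunks use `$this.data('href')` and double-quoted keys such as `$this.data("remove-href")`; hoisting `var $this = $(this);` to the top of the click handler and using `$this.data("href")` in the ajax call would keep one form throughout. The enclosing function and the `.then` callback that presumably defines `$this` start and end outside this hunk.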
").text(this.textContent).html() }) @@ -82,7 +82,7 @@ $("#archived_cb").on("change", function() { $("#add-to-shelves").append( templates.add({ add: $this.data("add-href"), - remove: this.href, + remove: $this.data('href'), content: $("
").text(this.textContent).html(), }) ); diff --git a/cps/templates/detail.html b/cps/templates/detail.html index 85f1c09d..ef47bccc 100644 --- a/cps/templates/detail.html +++ b/cps/templates/detail.html @@ -260,7 +260,7 @@ {% for shelf in g.shelves_access %} {% if not shelf.id in books_shelfs and ( not shelf.is_public or g.user.role_edit_shelfs() ) %}
  • - @@ -275,7 +275,7 @@ {% if books_shelfs %} {% for shelf in g.shelves_access %} {% if shelf.id in books_shelfs %} - @@ -309,13 +309,13 @@ {% block js %} diff --git a/cps/templates/search.html b/cps/templates/search.html index 1a4162e9..a7ba5e68 100644 --- a/cps/templates/search.html +++ b/cps/templates/search.html @@ -9,6 +9,7 @@ {% if g.user.is_authenticated %} {% if g.user.shelf.all() or g.shelves_access %}