diff --git a/src/Umbraco.Web.UI/umbraco/dialogs/editMacro.aspx b/src/Umbraco.Web.UI/umbraco/dialogs/editMacro.aspx
index c9225ac7c1..75a7ef40e0 100644
--- a/src/Umbraco.Web.UI/umbraco/dialogs/editMacro.aspx
+++ b/src/Umbraco.Web.UI/umbraco/dialogs/editMacro.aspx
@@ -17,7 +17,7 @@
Umbraco.Dialogs.EditMacro.getInstance().init({
useAspNetMasterPages: <%=UmbracoConfig.For.UmbracoSettings().Templates.UseAspNetMasterPages.ToString().ToLower() %>,
codeEditorElementId: "<%=Request.CleanForXss("objectId") %>",
- renderingEngine: "<%=Request.GetItemAsString("renderingEngine", "Mvc")%>",
+ renderingEngine: "<%=Request.CleanForXss("renderingEngine", "Mvc")%>",
macroAlias: '<%= _macroAlias %>'
});
});
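Review bot: `renderingEngine` is written inside a double-quoted JavaScript string literal, so it needs JavaScript-string encoding rather than a general HTML-oriented clean; what `CleanForXss` strips is not visible in this diff, so confirm that it handles quotes, backslashes and line terminators. An encoder tied to the output context makes the intent explicit: `renderingEngine: "<%= HttpUtility.JavaScriptStringEncode(Request.GetItemAsString("renderingEngine", "Mvc")) %>",`. Since the value appears to be one of a small set of engine names, validating it against that set on the server and falling back to `"Mvc"` would be stronger still. The neighbouring `macroAlias: '<%= _macroAlias %>'` is emitted with no encoding in the visible lines; if `_macroAlias` can be traced back to request data it needs the same treatment.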
diff --git a/src/Umbraco.Web/HttpRequestExtensions.cs b/src/Umbraco.Web/HttpRequestExtensions.cs
index d7f9e409c8..b099ce69ee 100644
--- a/src/Umbraco.Web/HttpRequestExtensions.cs
+++ b/src/Umbraco.Web/HttpRequestExtensions.cs
@@ -10,74 +10,75 @@ namespace Umbraco.Web
/// Extension methods for the HttpRequest and HttpRequestBase objects
///
public static class HttpRequestExtensions
- {
+ {
///
/// Extracts the value from the query string and cleans it to prevent xss attacks.
///
///
///
+ ///
///
- public static string CleanForXss(this HttpRequest request, string key)
+ public static string CleanForXss(this HttpRequest request, string key, string valueIfNotFound = "")
{
- var item = request.GetItemAsString(key);
+ var item = request.GetItemAsString(key, valueIfNotFound);
return item.CleanForXss();
}
- ///
- /// Safely get a request item as string, if the item does not exist, an empty string is returned.
- ///
- ///
- ///
- /// The value to return if the key is not found in the collection
- ///
- public static string GetItemAsString(this HttpRequest request, string key, string valueIfNotFound = "")
- {
- return new HttpRequestWrapper(request).GetItemAsString(key, valueIfNotFound);
- }
+ ///
+ /// Safely get a request item as string, if the item does not exist, an empty string is returned.
+ ///
+ ///
+ ///
+ /// The value to return if the key is not found in the collection
+ ///
+ public static string GetItemAsString(this HttpRequest request, string key, string valueIfNotFound = "")
+ {
+ return new HttpRequestWrapper(request).GetItemAsString(key, valueIfNotFound);
+ }
- ///
- /// Safely get a request item as string, if the item does not exist, an empty string is returned.
- ///
- ///
- ///
- /// The value to return if the key is not found in the collection
- ///
- public static string GetItemAsString(this HttpRequestBase request, string key, string valueIfNotFound = "")
- {
- var val = request[key];
- return !val.IsNullOrWhiteSpace() ? val : valueIfNotFound;
- }
+ ///
+ /// Safely get a request item as string, if the item does not exist, an empty string is returned.
+ ///
+ ///
+ ///
+ /// The value to return if the key is not found in the collection
+ ///
+ public static string GetItemAsString(this HttpRequestBase request, string key, string valueIfNotFound = "")
+ {
+ var val = request[key];
+ return !val.IsNullOrWhiteSpace() ? val : valueIfNotFound;
+ }
- ///
- /// Safely get the item from the query string and convert it to type 'T', otherwise will return default(T).
- ///
- ///
- ///
- ///
- ///
- public static T GetItemAs(this HttpRequestBase request, string key)
- {
- var val = request[key];
- var whitespaceCheck = !val.IsNullOrWhiteSpace() ? val : string.Empty;
- if (whitespaceCheck.IsNullOrWhiteSpace())
- return (T) typeof (T).GetDefaultValue();
- var attempt = val.TryConvertTo();
- if (attempt.Success)
- return attempt.Result;
- return (T)typeof(T).GetDefaultValue();
- }
+ ///
+ /// Safely get the item from the query string and convert it to type 'T', otherwise will return default(T).
+ ///
+ ///
+ ///
+ ///
+ ///
+ public static T GetItemAs(this HttpRequestBase request, string key)
+ {
+ var val = request[key];
+ var whitespaceCheck = !val.IsNullOrWhiteSpace() ? val : string.Empty;
+ if (whitespaceCheck.IsNullOrWhiteSpace())
+ return (T)typeof(T).GetDefaultValue();
+ var attempt = val.TryConvertTo();
+ if (attempt.Success)
+ return attempt.Result;
+ return (T)typeof(T).GetDefaultValue();
+ }
- ///
- /// Safely get the item from the query string and convert it to type 'T', otherwise will return default(T).
- ///
- ///
- ///
- ///
- ///
- public static T GetItemAs(this HttpRequest request, string key)
- {
- return new HttpRequestWrapper(request).GetItemAs(key);
- }
+ ///
+ /// Safely get the item from the query string and convert it to type 'T', otherwise will return default(T).
+ ///
+ ///
+ ///
+ ///
+ ///
+ public static T GetItemAs(this HttpRequest request, string key)
+ {
+ return new HttpRequestWrapper(request).GetItemAs(key);
+ }
- }
+ }
}
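Review bot: Adding an optional third parameter to `CleanForXss(this HttpRequest request, string key)` changes the compiled signature of a public extension method, so assemblies built against the two-argument form will fail to bind until they are recompiled. Keeping the old overload as a forwarder avoids that: `public static string CleanForXss(this HttpRequest request, string key) { return request.CleanForXss(key, ""); }`, with the new overload taking `valueIfNotFound` without a default. The summary says the value is extracted from the query string, but the lookup ends at `request[key]` in `GetItemAsString`, which in ASP.NET also reads form fields, cookies and server variables; the comment should say "request item" so callers do not assume a narrower source. The doc should also state that `valueIfNotFound` goes through the same cleaning as a request value, and which output context (HTML body, attribute, script string) the result is meant to be safe in. The rest of this hunk is whitespace-only re-indentation, which would be easier to review in a separate commit from the security fix.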