diff --git a/app/routes/profile.js b/app/routes/profile.js
index 4282d55cbf..ea73b1de21 100644
--- a/app/routes/profile.js
+++ b/app/routes/profile.js
@@ -20,10 +20,10 @@ function ProfileHandler (db) {
 // while the developer intentions were correct in encoding the user supplied input so it
 // doesn't end up as an XSS attack, the context is incorrect as it is encoding the firstname for HTML
 // while this same variable is also used in the context of a URL link element
-doc.firstNameSafeString = ESAPI.encoder().encodeForHTML(doc.firstName)
+doc.website = ESAPI.encoder().encodeForHTML(doc.website)
 // fix it by replacing the above with another template variable that is used for
 // the context of a URL in a link header
-// doc.doc.firstNameSafeURLString = ESAPI.encoder().encodeForURL(urlInput)
+// doc.website = ESAPI.encoder().encodeForURL(doc.website)
 return res.render("profile", doc);
 });
diff --git a/app/views/profile.html b/app/views/profile.html
index 9110c7aafc..a0a342b20a 100644
--- a/app/views/profile.html
+++ b/app/views/profile.html
@@ -65,6 +65,11 @@
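Review bot: The new line `doc.website = ESAPI.encoder().encodeForHTML(doc.website)` still applies HTML entity encoding to a value that, per the comments directly above it, is rendered in a URL/link context, so the context mismatch those comments describe is not resolved, and the `encodeForURL` variant added two lines below is left commented out. Entity encoding does not make a link target safe for an href; if `doc.website` is user-controlled (it appears to be, though its origin is outside this hunk), the defensive form is to allow-list the scheme before rendering, e.g. `doc.website = /^https?:\/\//i.test(doc.website ?? "") ? doc.website : "";`, and let the template attribute-encode it. The three comment lines above the assignment still talk about the firstname and `firstNameSafeString`, which this hunk no longer sets — any view that still references `firstNameSafeString` will now receive undefined — so the comments should be rewritten to name `website` and describe the URL-context check. The added line also omits the trailing semicolon that `return res.render("profile", doc);` below uses. ProfileHandler's body begins outside the hunk.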

Edit Profile

+
+ + +