diff --git a/eveai_app/views/document_views.py b/eveai_app/views/document_views.py
index ba1e08b..9bdf3a3 100644
--- a/eveai_app/views/document_views.py
+++ b/eveai_app/views/document_views.py
@@ -119,7 +119,7 @@ def edit_catalog(catalog_id):
 catalog = Catalog.query.get_or_404(catalog_id)
 tenant_id = session.get('tenant').get('id')
- form = EditCatalogForm(request.form, obj=catalog)
+ form = EditCatalogForm(obj=catalog)
 full_config = cache_manager.catalogs_config_cache.get_config(catalog.type)
 if request.method == 'POST' and form.validate_on_submit():
 form.populate_obj(catalog)
@@ -190,7 +190,7 @@ def edit_processor(processor_id):
 processor.catalog = None
 # Create form instance with the processor
- form = EditProcessorForm(request.form, obj=processor)
+ form = EditProcessorForm(obj=processor)
 full_config = cache_manager.processors_config_cache.get_config(processor.type)
 form.add_dynamic_fields("configuration", full_config, processor.configuration)
@@ -290,7 +290,7 @@ def edit_retriever(retriever_id):
 retriever = Retriever.query.get_or_404(retriever_id)
 # Create form instance with the retriever
- form = EditRetrieverForm(request.form, obj=retriever)
+ form = EditRetrieverForm(obj=retriever)
 retriever_config = cache_manager.retrievers_config_cache.get_config(retriever.type, retriever.type_version)
 form.add_dynamic_fields("configuration", retriever_config, retriever.configuration)
@@ -575,7 +575,7 @@ def edit_document(document_id):
 @roles_accepted('Super User', 'Partner Admin', 'Tenant Admin')
 def edit_document_version(document_version_id):
 doc_vers = DocumentVersion.query.get_or_404(document_version_id)
- form = EditDocumentVersionForm(request.form, obj=doc_vers)
+ form = EditDocumentVersionForm(obj=doc_vers)
 doc_vers = DocumentVersion.query.get_or_404(document_version_id)
 catalog_id = doc_vers.document.catalog_id
diff --git a/eveai_app/views/interaction_forms.py b/eveai_app/views/interaction_forms.py
index fb2c7cc..6d3c234 100644
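Review bot: In `edit_catalog`, `form.populate_obj(catalog)` copies every field that `EditCatalogForm` declares onto the model, so the form's field list is the only thing limiting which `Catalog` attributes a POST can change. The `edit_user` hunk in this same commit moves to an explicit list of safe fields; consider the same here, or add a comment above the call such as `# populate_obj: EditCatalogForm must never expose ownership or system columns`. The form class is not visible in this diff, so this is a point to confirm rather than a confirmed defect. The function body continues outside the hunk.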
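Review bot: In `edit_processor`, `form.add_dynamic_fields("configuration", ...)` runs after the constructor, which is where the form normally binds submitted data, so the dynamic configuration fields only see POSTed values if `add_dynamic_fields` binds them itself. If the form base class was keeping the constructor's `formdata` argument for that step, it now receives none and a save could silently write back the stored `processor.configuration`. This deserves a regression test that POSTs a changed configuration value and asserts the changed value is what gets persisted. The same pattern is in the `edit_retriever`, `edit_specialist` and `edit_partner_service` hunks; `add_dynamic_fields` is defined outside this diff, so its behaviour cannot be checked here.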
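Review bot: `edit_document_version` looks up `doc_vers` twice, once before the form is built and again on the line directly after it, and the second `DocumentVersion.query.get_or_404(document_version_id)` is redundant. Drop the second assignment so that the object bound to the form via `obj=doc_vers` is visibly the same one used for `catalog_id = doc_vers.document.catalog_id`. The function continues outside the hunk.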
--- a/eveai_app/views/interaction_forms.py
+++ b/eveai_app/views/interaction_forms.py
@@ -165,8 +165,8 @@ class EditEveAIAgentForm(BaseEditComponentForm):
 class EditEveAITaskForm(BaseEditComponentForm):
- task_description = StringField('Task Description', validators=[Optional()])
- expected_outcome = StringField('Expected Outcome', validators=[Optional()])
+ task_description = TextAreaField('Task Description', validators=[Optional()])
+ expected_outcome = TextAreaField('Expected Outcome', validators=[Optional()])
 class EditEveAIToolForm(BaseEditComponentForm):
diff --git a/eveai_app/views/interaction_views.py b/eveai_app/views/interaction_views.py
index 88b41f5..4c0f8c9 100644
--- a/eveai_app/views/interaction_views.py
+++ b/eveai_app/views/interaction_views.py
@@ -199,7 +199,7 @@ def specialist():
 @roles_accepted('Super User', 'Partner Admin', 'Tenant Admin')
 def edit_specialist(specialist_id):
 specialist = Specialist.query.get_or_404(specialist_id)
- form = EditSpecialistForm(request.form, obj=specialist)
+ form = EditSpecialistForm(obj=specialist)
 specialist_config = cache_manager.specialists_config_cache.get_config(specialist.type, specialist.type_version)
 form.add_dynamic_fields("configuration", specialist_config, specialist.configuration)
@@ -451,7 +451,7 @@ def edit_task(task_id):
 def save_task(task_id):
 task = EveAITask.query.get_or_404(task_id) if task_id else EveAITask()
 tenant_id = session.get('tenant').get('id')
- form = EditEveAITaskForm(formdata=request.form, obj=task) # Bind explicit formdata
+ form = EditEveAITaskForm(obj=task) # Bind explicit formdata
 if form.validate_on_submit():
 try:
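Review bot: In `EditEveAITaskForm`, `task_description` and `expected_outcome` become multi-line `TextAreaField`s but still carry only `Optional()`, so nothing bounds the size of the submitted text. Add a length limit that matches the backing column, for example `validators=[Optional(), Length(max=MAX_TASK_TEXT)]`, where `MAX_TASK_TEXT` is a placeholder for the real limit. The module's import line is outside the hunk, so also confirm that `TextAreaField` (and `Length`, if added) is imported there.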
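Review bot: The trailing comment kept on the new line in `save_task`, `# Bind explicit formdata`, now says the opposite of what the code does, because the `formdata=request.form` argument was removed. Replace it with something like `# formdata is taken from the request by the form on submit`, or delete it. If the explicit binding was there for a reason, that reason should be recorded and checked against the new behaviour. The function body continues past the hunk.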
@@ -725,7 +725,7 @@ def specialist_magic_link():
 def edit_specialist_magic_link(specialist_magic_link_id):
 specialist_ml = SpecialistMagicLink.query.get_or_404(specialist_magic_link_id)
 # We need to pass along the extra kwarg specialist_id, as this id is required to initialize the form
- form = EditSpecialistMagicLinkForm(request.form, obj=specialist_ml, specialist_id=specialist_ml.specialist_id)
+ form = EditSpecialistMagicLinkForm(obj=specialist_ml, specialist_id=specialist_ml.specialist_id)
 # Find the Specialist type and type_version to enable to retrieve the arguments
 specialist = Specialist.query.get_or_404(specialist_ml.specialist_id)
diff --git a/eveai_app/views/partner_views.py b/eveai_app/views/partner_views.py
index d558ce0..0a49783 100644
--- a/eveai_app/views/partner_views.py
+++ b/eveai_app/views/partner_views.py
@@ -145,7 +145,7 @@ def edit_partner_service(partner_service_id):
 partner_service = PartnerService.query.get_or_404(partner_service_id)
 partner_id = session['partner']['id']
- form = EditPartnerServiceForm(request.form, obj=partner_service)
+ form = EditPartnerServiceForm(obj=partner_service)
 partner_service_config = cache_manager.partner_services_config_cache.get_config(partner_service.type, partner_service.type_version)
 form.add_dynamic_fields("configuration", partner_service_config, partner_service.configuration)
diff --git a/eveai_app/views/user_views.py b/eveai_app/views/user_views.py
index 711a0b6..3e25fdd 100644
--- a/eveai_app/views/user_views.py
+++ b/eveai_app/views/user_views.py
@@ -262,6 +262,25 @@ def user():
 return render_template('user/user.html', form=form)
+def _populate_user_from_form(form: EditUserForm, user: User) -> None:
+ """Vul het User-object met veilige velden uit het formulier.
+
+ Let op:
+ - Relaties zoals ``roles`` worden hier bewust NIET gezet.
+ - Systeemvelden / read-only velden (tenant_id, confirmed_at, login_count, ...)
+ laten we hier ongemoeid.
+ """
+
+ # Basisgegevens
+ user.first_name = form.first_name.data
+ user.last_name = form.last_name.data
+ user.valid_to = form.valid_to.data
+
+ # Contact-flags
+ user.is_primary_contact = form.is_primary_contact.data
+ user.is_financial_contact = form.is_financial_contact.data
+
+
 @user_bp.route('/user/', methods=['GET', 'POST'])
 @roles_accepted('Super User', 'Tenant Admin', 'Partner Admin')
 def edit_user(user_id):
@@ -269,10 +288,8 @@ def edit_user(user_id):
 form = EditUserForm(obj=user)
 if form.validate_on_submit():
- # Populate the user with form data
- user.first_name = form.first_name.data
- user.last_name = form.last_name.data
- user.valid_to = form.valid_to.data
+ # Vul het user-object met veilige velden uit het formulier
+ _populate_user_from_form(form, user)
 user.updated_at = dt.now(tz.utc)
 # Update roles
@@ -622,7 +639,7 @@ def edit_tenant_make(tenant_make_id):
 tenant_make = TenantMake.query.get_or_404(tenant_make_id)
 # Create form instance with the tenant make
- form = EditTenantMakeForm(request.form, obj=tenant_make)
+ form = EditTenantMakeForm(obj=tenant_make)
 # Initialiseer de allowed_languages selectie met huidige waarden
 if request.method == 'GET':
@@ -756,7 +773,7 @@ def edit_consent_version(consent_version_id):
 cv = ConsentVersion.query.get_or_404(consent_version_id)
 # Create form instance with the tenant make
- form = EditConsentVersionForm(request.form, obj=cv)
+ form = EditConsentVersionForm(obj=cv)
 if form.validate_on_submit():
 # Update basic fields
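Review bot: `_populate_user_from_form` is the allow-list that decides which `User` attributes a POST to `edit_user` may change, and it now also writes `is_primary_contact` and `is_financial_contact`, which the removed inline code did not set as far as the hunks show. Neither the docstring nor the call-site comment mentions that widening, so state it in the docstring and confirm that all three roles in `roles_accepted` are meant to be able to set the contact flags. The docstring and both new comments are in Dutch while most neighbouring comments (`# Update roles`, `# Create form instance ...`) are in English; an English summary line such as `"""Copy only the allow-listed fields from the form onto the user."""`, followed by the note that roles and system fields are deliberately left untouched, would keep the security intent readable to every maintainer.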
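Review bot: The comment above the changed line in `edit_consent_version` reads `# Create form instance with the tenant make`, which looks copied from `edit_tenant_make`; the object bound here is a `ConsentVersion`. Change it to `# Create form instance with the consent version`.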