diff --git a/Test Suite-DE.md b/Test Suite-DE.md
index 071189c..92c697d 100644
--- a/Test Suite-DE.md	
+++ b/Test Suite-DE.md	
@@ -87,7 +87,7 @@ Die abschnitte App enthält 33 Tests, die Modelle, Utility-Funktionen, Diagram-C
 
 ## dokumente App Tests
 
-Die dokumente App enthält 98 Tests und ist damit die umfassendste Test-Suite, die alle Modelle, Views, URLs und Geschäftslogik abdeckt.
+Die dokumente App enthält 121 Tests und ist damit die umfassendste Test-Suite, die alle Modelle, Views, URLs, Geschäftslogik und Kommentarfunktionalität mit XSS-Schutz abdeckt.
 
 ### Modell-Tests
 
@@ -131,6 +131,14 @@ Die dokumente App enthält 98 Tests und ist damit die umfassendste Test-Suite, d
 - **test_checklistenfrage_str**: Überprüft, dass die String-Repräsentation lange Fragen kürzt
 - **test_checklistenfrage_related_name**: Testet die umgekehrte Beziehung von Vorgabe
 
+#### VorgabeCommentModelTest
+- **test_comment_creation**: Testet die Erstellung von VorgabeComment mit Vorgabe, Benutzer und Text
+- **test_comment_str**: Überprüft, dass die String-Repräsentation Benutzername und Vorgabennummer enthält
+- **test_comment_related_name**: Testet die umgekehrte Beziehung von Vorgabe
+- **test_comment_ordering**: Testet, dass Kommentare nach created_at absteigend sortiert sind (neueste zuerst)
+- **test_comment_timestamps_auto_update**: Testet, dass sich updated_at ändert, wenn ein Kommentar geändert wird
+- **test_multiple_users_can_comment**: Testet, dass mehrere Benutzer zur selben Vorgabe kommentieren können
+
 ### Text-Abschnitt-Tests
 
 #### DokumentTextAbschnitteTest
@@ -217,6 +225,40 @@ Die dokumente App enthält 98 Tests und ist damit die umfassendste Test-Suite, d
 - **test_vorgabe_links**: Testet, dass Vorgaben zu korrekten Admin-Seiten verlinken
 - **test_back_link**: Testet, dass der Zurück-Link zur Standardübersicht existiert
 
+### Kommentar-Funktionalität Tests
+
+#### GetVorgabeCommentsViewTest
+- **test_get_comments_requires_login**: Testet, dass anonyme Benutzer keine Kommentare sehen können und weitergeleitet werden
+- **test_regular_user_sees_only_own_comments**: Testet, dass normale Benutzer nur ihre eigenen Kommentare sehen
+- **test_staff_user_sees_all_comments**: Testet, dass Staff-Benutzer alle Kommentare sehen können
+- **test_get_comments_returns_404_for_nonexistent_vorgabe**: Testet 404-Antwort für nicht existierende Vorgabe
+- **test_comments_are_html_escaped**: Testet HTML-Escaping zur Verhinderung von XSS-Angriffen (z.B. `<script>`-Tags)
+- **test_line_breaks_preserved**: Testet, dass Zeilenumbrüche in `<br>`-Tags umgewandelt werden
+- **test_security_headers_present**: Testet, dass Content-Security-Policy und X-Content-Type-Options Header gesetzt sind
+
+#### AddVorgabeCommentViewTest
+- **test_add_comment_requires_login**: Testet, dass anonyme Benutzer keine Kommentare hinzufügen können
+- **test_add_comment_requires_post**: Testet, dass nur POST-Methode erlaubt ist (405 für GET)
+- **test_add_comment_success**: Testet erfolgreiche Kommentarerstellung mit gültigen Daten
+- **test_add_empty_comment_fails**: Testet, dass leere Kommentare mit 400-Fehler abgelehnt werden
+- **test_add_whitespace_only_comment_fails**: Testet, dass Kommentare nur mit Leerzeichen abgelehnt werden
+- **test_add_too_long_comment_fails**: Testet, dass Kommentare über 2000 Zeichen abgelehnt werden
+- **test_add_comment_xss_script_tag_blocked**: Testet, dass Kommentare mit `<script>`-Tags blockiert werden
+- **test_add_comment_xss_javascript_protocol_blocked**: Testet, dass `javascript:`-Protokoll blockiert wird
+- **test_add_comment_xss_event_handlers_blocked**: Testet, dass Event-Handler (onload, onerror, onclick, onmouseover) blockiert werden
+- **test_add_comment_invalid_json_fails**: Testet, dass ungültige JSON-Payloads abgelehnt werden
+- **test_add_comment_nonexistent_vorgabe_fails**: Testet 404-Antwort für nicht existierende Vorgabe
+- **test_add_comment_security_headers**: Testet, dass Sicherheits-Header in Antworten vorhanden sind
+
+#### DeleteVorgabeCommentViewTest
+- **test_delete_comment_requires_login**: Testet, dass anonyme Benutzer keine Kommentare löschen können
+- **test_delete_comment_requires_post**: Testet, dass nur POST-Methode erlaubt ist (405 für GET)
+- **test_user_can_delete_own_comment**: Testet, dass Benutzer ihre eigenen Kommentare löschen können
+- **test_user_cannot_delete_other_users_comment**: Testet, dass Benutzer keine Kommentare anderer löschen können (403 Forbidden)
+- **test_staff_can_delete_any_comment**: Testet, dass Staff-Benutzer jeden Kommentar löschen können
+- **test_delete_nonexistent_comment_returns_404**: Testet 404-Antwort für nicht existierenden Kommentar
+- **test_delete_comment_security_headers**: Testet, dass Sicherheits-Header in Antworten vorhanden sind
+
 ---
 
 ## pages App Tests
@@ -333,9 +375,17 @@ Die stichworte App enthält 18 Tests, die Schlüsselwortmodelle und ihre Sortier
 
 ## Test-Statistiken
 
-- **Gesamt-Tests**: 207
+- **Gesamt-Tests**: 230
 - **abschnitte**: 33 Tests (einschließlich XSS-Prävention)
-- **dokumente**: 116 Tests (98 in tests.py + 9 in test_json.py + 9 JSON-Tests in Haupt-tests.py)
+- **dokumente**: 121 Tests (einschließlich Kommentarfunktionalität mit XSS-Schutz)
+  - Modell-Tests: 44 Tests
+  - View-Tests: 7 Tests
+  - URL-Pattern-Tests: 4 Tests
+  - Sanity-Check-Tests: 16 Tests
+  - Management-Befehl-Tests: 2 Tests
+  - JSON-Export-Tests: 9 Tests
+  - Unvollständige-Vorgaben-Tests: 15 Tests
+  - Kommentar-Tests: 24 Tests (6 Modell + 18 View-Tests)
 - **pages**: 4 Tests
 - **referenzen**: 18 Tests
 - **rollen**: 18 Tests
@@ -349,7 +399,17 @@ Die stichworte App enthält 18 Tests, die Schlüsselwortmodelle und ihre Sortier
 4. **Utility-Funktionen**: Textverarbeitung, Caching, Formatierung
 5. **Management-Befehle**: CLI-Schnittstelle und Ausgabeverarbeitung
 6. **Integration**: App-übergreifende Funktionalität und Datenfluss
-7. **Sicherheit**: XSS-Prävention durch HTML-Bereinigung beim Rendern von Inhalten
+7. **Sicherheit**: 
+   - XSS-Prävention durch HTML-Bereinigung beim Rendern von Inhalten
+   - XSS-Angriffsverhinderung im Kommentarsystem (Script-Tags, javascript:-Protokoll, Event-Handler)
+   - Eingabevalidierung und -bereinigung
+   - Autorisierungsprüfungen (Staff vs. normale Benutzer)
+   - Sicherheits-Header (Content-Security-Policy, X-Content-Type-Options)
+8. **Kommentar-Funktionalität**:
+   - CRUD-Operationen (Create, Read, Delete)
+   - Benutzerberechtigungen und -besitz
+   - HTML-Escaping und Erhalt von Zeilenumbrüchen
+   - Verhinderung mehrerer XSS-Angriffsvektoren
 
 ## Ausführen der Tests
 
diff --git a/Test suite.md b/Test suite.md
index dda99a5..fc97ac8 100644
--- a/Test suite.md	
+++ b/Test suite.md	
@@ -87,7 +87,7 @@ The abschnitte app contains 33 tests covering models, utility functions, diagram
 
 ## dokumente App Tests
 
-The dokumente app contains 98 tests, making it the most comprehensive test suite, covering all models, views, URLs, and business logic.
+The dokumente app contains 121 tests, making it the most comprehensive test suite, covering all models, views, URLs, business logic, and comment functionality with XSS protection.
 
 ### Model Tests
 
@@ -131,6 +131,14 @@ The dokumente app contains 98 tests, making it the most comprehensive test suite
 - **test_checklistenfrage_str**: Verifies string representation truncates long questions
 - **test_checklistenfrage_related_name**: Tests the reverse relationship from Vorgabe
 
+#### VorgabeCommentModelTest
+- **test_comment_creation**: Tests VorgabeComment creation with vorgabe, user, and text
+- **test_comment_str**: Verifies string representation includes username and Vorgabennummer
+- **test_comment_related_name**: Tests the reverse relationship from Vorgabe
+- **test_comment_ordering**: Tests comments are ordered by created_at descending (newest first)
+- **test_comment_timestamps_auto_update**: Tests that updated_at changes when comment is modified
+- **test_multiple_users_can_comment**: Tests multiple users can comment on same Vorgabe
+
 ### Text Abschnitt Tests
 
 #### DokumentTextAbschnitteTest
@@ -217,6 +225,40 @@ The dokumente app contains 98 tests, making it the most comprehensive test suite
 - **test_vorgabe_links**: Tests Vorgaben link to correct admin pages
 - **test_back_link**: Tests back link to standard list exists
 
+### Comment Functionality Tests
+
+#### GetVorgabeCommentsViewTest
+- **test_get_comments_requires_login**: Tests anonymous users cannot view comments and are redirected
+- **test_regular_user_sees_only_own_comments**: Tests regular users only see their own comments
+- **test_staff_user_sees_all_comments**: Tests staff users can see all comments
+- **test_get_comments_returns_404_for_nonexistent_vorgabe**: Tests 404 response for non-existent Vorgabe
+- **test_comments_are_html_escaped**: Tests HTML escaping prevents XSS attacks (e.g., `<script>` tags)
+- **test_line_breaks_preserved**: Tests line breaks are converted to `<br>` tags
+- **test_security_headers_present**: Tests Content-Security-Policy and X-Content-Type-Options headers are set
+
+#### AddVorgabeCommentViewTest
+- **test_add_comment_requires_login**: Tests anonymous users cannot add comments
+- **test_add_comment_requires_post**: Tests only POST method is allowed (405 for GET)
+- **test_add_comment_success**: Tests successful comment creation with valid data
+- **test_add_empty_comment_fails**: Tests empty comments are rejected with 400 error
+- **test_add_whitespace_only_comment_fails**: Tests whitespace-only comments are rejected
+- **test_add_too_long_comment_fails**: Tests comments exceeding 2000 characters are rejected
+- **test_add_comment_xss_script_tag_blocked**: Tests comments with `<script>` tags are blocked
+- **test_add_comment_xss_javascript_protocol_blocked**: Tests `javascript:` protocol is blocked
+- **test_add_comment_xss_event_handlers_blocked**: Tests event handlers (onload, onerror, onclick, onmouseover) are blocked
+- **test_add_comment_invalid_json_fails**: Tests invalid JSON payloads are rejected
+- **test_add_comment_nonexistent_vorgabe_fails**: Tests 404 response for non-existent Vorgabe
+- **test_add_comment_security_headers**: Tests security headers are present in responses
+
+#### DeleteVorgabeCommentViewTest
+- **test_delete_comment_requires_login**: Tests anonymous users cannot delete comments
+- **test_delete_comment_requires_post**: Tests only POST method is allowed (405 for GET)
+- **test_user_can_delete_own_comment**: Tests users can delete their own comments
+- **test_user_cannot_delete_other_users_comment**: Tests users cannot delete others' comments (403 Forbidden)
+- **test_staff_can_delete_any_comment**: Tests staff users can delete any comment
+- **test_delete_nonexistent_comment_returns_404**: Tests 404 response for non-existent comment
+- **test_delete_comment_security_headers**: Tests security headers are present in responses
+
 ---
 
 ## pages App Tests
@@ -333,9 +375,17 @@ The stichworte app contains 18 tests covering keyword models and their ordering.
 
 ## Test Statistics
 
-- **Total Tests**: 207
+- **Total Tests**: 230
 - **abschnitte**: 33 tests (including XSS prevention)
-- **dokumente**: 116 tests (98 in tests.py + 9 in test_json.py + 9 JSON tests in main tests.py)
+- **dokumente**: 121 tests (including comment functionality with XSS protection)
+  - Model tests: 44 tests
+  - View tests: 7 tests
+  - URL pattern tests: 4 tests
+  - Sanity check tests: 16 tests
+  - Management command tests: 2 tests
+  - JSON export tests: 9 tests
+  - Incomplete Vorgaben tests: 15 tests
+  - Comment tests: 24 tests (6 model + 18 view tests)
 - **pages**: 4 tests
 - **referenzen**: 18 tests
 - **rollen**: 18 tests
@@ -349,7 +399,17 @@ The stichworte app contains 18 tests covering keyword models and their ordering.
 4. **Utility Functions**: Text processing, caching, formatting
 5. **Management Commands**: CLI interface and output handling
 6. **Integration**: Cross-app functionality and data flow
-7. **Security**: XSS prevention through HTML sanitization in content rendering
+7. **Security**: 
+   - XSS prevention through HTML sanitization in content rendering
+   - XSS attack prevention in comment system (script tags, javascript: protocol, event handlers)
+   - Input validation and sanitization
+   - Authorization checks (staff vs. regular users)
+   - Security headers (Content-Security-Policy, X-Content-Type-Options)
+8. **Comment Functionality**:
+   - CRUD operations (Create, Read, Delete)
+   - User permissions and ownership
+   - HTML escaping and line break preservation
+   - Multiple XSS attack vector prevention
 
 ## Running the Tests
 
diff --git a/argocd/deployment.yaml b/argocd/deployment.yaml
index 7f4c84f..96a9392 100644
--- a/argocd/deployment.yaml
+++ b/argocd/deployment.yaml
@@ -18,7 +18,7 @@ spec:
         fsGroupChangePolicy: "OnRootMismatch"
       initContainers:
         - name: loader
-          image: git.baumann.gr/adebaumann/vui-data-loader:0.9
+          image: git.baumann.gr/adebaumann/vui-data-loader:0.10
           command: [ "sh","-c","cp -n preload/preload.sqlite3 /data/db.sqlite3; chown -R 999:999 /data; ls -la /data; sleep 10; exit 0" ]
           volumeMounts:
             - name: data
diff --git a/data-loader/preload.sqlite3 b/data-loader/preload.sqlite3
index 58a6294..3900958 100644
Binary files a/data-loader/preload.sqlite3 and b/data-loader/preload.sqlite3 differ
diff --git a/data/db.sqlite3 b/data/db.sqlite3
index 96d3df4..3900958 100644
Binary files a/data/db.sqlite3 and b/data/db.sqlite3 differ
diff --git a/dokumente/admin.py b/dokumente/admin.py
index 55733e5..4a0e923 100644
--- a/dokumente/admin.py
+++ b/dokumente/admin.py
@@ -293,6 +293,6 @@ class VorgabeAdmin(NestedModelAdmin):
 
 admin.site.register(Checklistenfrage)
 admin.site.register(Dokumententyp)
-#admin.site.register(Person)
+admin.site.register(VorgabeComment)
 
 #admin.site.register(Changelog)
diff --git a/dokumente/migrations/0010_vorgabentable_alter_person_options_vorgabecomment.py b/dokumente/migrations/0010_vorgabentable_alter_person_options_vorgabecomment.py
new file mode 100644
index 0000000..b1937e4
--- /dev/null
+++ b/dokumente/migrations/0010_vorgabentable_alter_person_options_vorgabecomment.py
@@ -0,0 +1,49 @@
+# Generated by Django 5.2.5 on 2025-11-27 22:02
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dokumente', '0009_alter_vorgabe_options_vorgabe_order'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='VorgabenTable',
+            fields=[
+            ],
+            options={
+                'verbose_name': 'Vorgabe (Tabellenansicht)',
+                'verbose_name_plural': 'Vorgaben (Tabellenansicht)',
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
+            },
+            bases=('dokumente.vorgabe',),
+        ),
+        migrations.AlterModelOptions(
+            name='person',
+            options={'ordering': ['name'], 'verbose_name_plural': 'Personen'},
+        ),
+        migrations.CreateModel(
+            name='VorgabeComment',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('text', models.TextField()),
+                ('created_at', models.DateTimeField(auto_now_add=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+                ('vorgabe', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='comments', to='dokumente.vorgabe')),
+            ],
+            options={
+                'verbose_name': 'Vorgabe-Kommentar',
+                'verbose_name_plural': 'Vorgabe-Kommentare',
+                'ordering': ['-created_at'],
+            },
+        ),
+    ]
diff --git a/dokumente/models.py b/dokumente/models.py
index 8c5f716..df90bff 100644
--- a/dokumente/models.py
+++ b/dokumente/models.py
@@ -1,5 +1,6 @@
 from django.db import models
 from mptt.models import MPTTModel, TreeForeignKey
+from django.contrib.auth.models import User
 from abschnitte.models import Textabschnitt
 from stichworte.models import Stichwort
 from referenzen.models import Referenz
@@ -261,3 +262,19 @@ class Changelog(models.Model):
     class Meta:
         verbose_name_plural="Changelog"
         verbose_name="Changelog-Eintrag"
+
+
+class VorgabeComment(models.Model):
+    vorgabe = models.ForeignKey(Vorgabe, on_delete=models.CASCADE, related_name='comments')
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    text = models.TextField()
+    created_at = models.DateTimeField(auto_now_add=True)
+    updated_at = models.DateTimeField(auto_now=True)
+
+    class Meta:
+        verbose_name = "Vorgabe-Kommentar"
+        verbose_name_plural = "Vorgabe-Kommentare"
+        ordering = ['-created_at']
+
+    def __str__(self):
+        return f"Kommentar von {self.user.username} zu {self.vorgabe.Vorgabennummer()}"
diff --git a/dokumente/templates/standards/incomplete_vorgaben.html b/dokumente/templates/standards/incomplete_vorgaben.html
index e6c9f15..b8425f9 100644
--- a/dokumente/templates/standards/incomplete_vorgaben.html
+++ b/dokumente/templates/standards/incomplete_vorgaben.html
@@ -105,13 +105,13 @@
 {% else %}
     <div class="alert alert-success" role="alert">
         <h4 class="alert-heading">
-            <i class="fas fa-check-circle"></i> Alle Vorgaben sind vollständig!
+            <span class="emoji-icon">✅</span> Alle Vorgaben sind vollständig!
         </h4>
         <p>Alle Vorgaben haben Referenzen, Stichworte, Text und Checklistenfragen.</p>
         <hr>
         <p class="mb-0">
             <a href="{% url 'standard_list' %}" class="btn btn-primary">
-                <i class="fas fa-list"></i> Zurück zur Übersicht
+                <span class="emoji-icon">📋</span> Zurück zur Übersicht
             </a>
         </p>
     </div>
@@ -119,7 +119,7 @@
 
 <div class="mt-3">
     <a href="{% url 'standard_list' %}" class="btn btn-secondary">
-        <i class="fas fa-arrow-left"></i> Zurück zur Übersicht
+        <span class="emoji-icon">←</span> Zurück zur Übersicht
     </a>
 </div>
 
diff --git a/dokumente/templates/standards/standard_detail.html b/dokumente/templates/standards/standard_detail.html
index f847591..38c2d54 100644
--- a/dokumente/templates/standards/standard_detail.html
+++ b/dokumente/templates/standards/standard_detail.html
@@ -145,6 +145,20 @@
               {% endif %}
             </p>
           </div>
+
+          <!-- Comment Button -->
+          {% if user.is_authenticated %}
+          <div class="mt-3 text-right">
+            <button class="btn btn-sm btn-outline-primary comment-btn" 
+                    data-vorgabe-id="{{ vorgabe.id }}" 
+                    data-vorgabe-nummer="{{ vorgabe.Vorgabennummer }}">
+              <span class="emoji-icon">💬</span> Kommentare
+              {% if vorgabe.comment_count > 0 %}
+              <span class="comment-count">{{ vorgabe.comment_count }}</span>
+              {% endif %}
+            </button>
+          </div>
+          {% endif %}
         </div>
       </div>
     </div>
@@ -176,4 +190,210 @@
     </div>
   </div>
 </div>
+
+<!-- Comment Modal -->
+<div class="modal fade" id="commentModal" tabindex="-1" role="dialog" aria-labelledby="commentModalLabel" aria-hidden="true">
+  <div class="modal-dialog modal-lg" role="document">
+    <div class="modal-content">
+      <div class="modal-header">
+        <h5 class="modal-title" id="commentModalLabel">Kommentare für <span id="modalVorgabeNummer"></span></h5>
+        <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+          <span aria-hidden="true">&times;</span>
+        </button>
+      </div>
+      <div class="modal-body">
+        <div id="commentsContainer">
+          <!-- Comments will be loaded here -->
+        </div>
+        
+        <!-- Add Comment Form -->
+        <div class="mt-4">
+          <h6>Neuen Kommentar hinzufügen:</h6>
+          <textarea id="newCommentText" class="form-control" rows="3" placeholder="Ihr Kommentar..."></textarea>
+          <button id="addCommentBtn" class="btn btn-primary btn-sm mt-2">Kommentar hinzufügen</button>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- JavaScript for Comments -->
+<script>
+// Content Security Policy for comment system
+document.addEventListener('DOMContentLoaded', function() {
+  // Prevent inline script execution in dynamically loaded content
+  const commentsContainer = document.getElementById('commentsContainer');
+  if (commentsContainer) {
+    // Use DOMPurify-like approach - only allow safe HTML
+    const allowedTags = ['br', 'small', 'div', 'span', 'button'];
+    const allowedAttributes = ['class', 'data-comment-id', 'aria-hidden'];
+    
+    // Monitor for any script injection attempts
+    const observer = new MutationObserver(function(mutations) {
+      mutations.forEach(function(mutation) {
+        mutation.addedNodes.forEach(function(node) {
+          if (node.nodeType === 1) { // Element node
+            const tagName = node.tagName.toLowerCase();
+            if (tagName === 'script') {
+              console.warn('Script injection attempt blocked');
+              node.parentNode.removeChild(node);
+            }
+          }
+        });
+      });
+    });
+    
+    observer.observe(commentsContainer, {
+      childList: true,
+      subtree: true
+    });
+  }
+});
+document.addEventListener('DOMContentLoaded', function() {
+  let currentVorgabeId = null;
+  let currentVorgabeNummer = null;
+  
+  // Comment button click handler
+  document.querySelectorAll('.comment-btn').forEach(btn => {
+    btn.addEventListener('click', function() {
+      currentVorgabeId = this.dataset.vorgabeId;
+      currentVorgabeNummer = this.dataset.vorgabeNummer;
+      
+      document.getElementById('modalVorgabeNummer').textContent = currentVorgabeNummer;
+      document.getElementById('newCommentText').value = '';
+      
+      loadComments();
+      $('#commentModal').modal('show');
+    });
+  });
+  
+  // Load comments function
+  function loadComments() {
+    fetch(`/dokumente/comments/${currentVorgabeId}/`)
+      .then(response => response.json())
+      .then(data => {
+        renderComments(data.comments);
+      })
+      .catch(error => {
+        console.error('Error loading comments:', error);
+        document.getElementById('commentsContainer').innerHTML = 
+          '<div class="alert alert-danger">Fehler beim Laden der Kommentare</div>';
+      });
+  }
+  
+  // Render comments function
+  function renderComments(comments) {
+    const container = document.getElementById('commentsContainer');
+    
+    if (comments.length === 0) {
+      container.innerHTML = '<p class="text-muted">Noch keine Kommentare vorhanden.</p>';
+      return;
+    }
+    
+    let html = '';
+    comments.forEach(comment => {
+      const canDelete = comment.is_own || {% if user.is_authenticated %}'{{ user.is_staff|yesno:"true,false" }}'{% else %}'false'{% endif %} === 'true';
+      html += `
+        <div class="comment-item border-bottom pb-2 mb-2">
+          <div class="d-flex justify-content-between align-items-start">
+            <div class="flex-grow-1">
+              <strong>${comment.user}</strong>
+              <small class="text-muted">(${comment.created_at})</small>
+              ${comment.updated_at !== comment.created_at ? `<small class="text-muted">(bearbeitet: ${comment.updated_at})</small>` : ''}
+              <div class="mt-1">${comment.text}</div>
+            </div>
+            ${canDelete ? `
+              <button class="btn btn-sm btn-outline-danger ml-2 delete-comment-btn" data-comment-id="${comment.id}">
+<span aria-hidden="true">&times;</span>
+              </button>
+            ` : ''}
+          </div>
+        </div>
+      `;
+    });
+    
+    container.innerHTML = html;
+    
+    // Add delete handlers
+    document.querySelectorAll('.delete-comment-btn').forEach(btn => {
+      btn.addEventListener('click', function() {
+        if (confirm('Möchten Sie diesen Kommentar wirklich löschen?')) {
+          deleteComment(this.dataset.commentId);
+        }
+      });
+    });
+  }
+  
+  // Add comment function
+  document.getElementById('addCommentBtn').addEventListener('click', function() {
+    const text = document.getElementById('newCommentText').value.trim();
+    
+    if (!text) {
+      alert('Bitte geben Sie einen Kommentar ein.');
+      return;
+    }
+    
+    fetch(`/dokumente/comments/${currentVorgabeId}/add/`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-CSRFToken': getCookie('csrftoken')
+      },
+      body: JSON.stringify({ text: text })
+    })
+    .then(response => response.json())
+    .then(data => {
+      if (data.success) {
+        document.getElementById('newCommentText').value = '';
+        loadComments();
+      } else {
+        alert('Fehler: ' + (data.error || 'Unbekannter Fehler'));
+      }
+    })
+    .catch(error => {
+      console.error('Error adding comment:', error);
+      alert('Fehler beim Hinzufügen des Kommentars');
+    });
+  });
+  
+  // Delete comment function
+  function deleteComment(commentId) {
+    fetch(`/dokumente/comments/delete/${commentId}/`, {
+      method: 'POST',
+      headers: {
+        'X-CSRFToken': getCookie('csrftoken')
+      }
+    })
+    .then(response => response.json())
+    .then(data => {
+      if (data.success) {
+        loadComments();
+      } else {
+        alert('Fehler: ' + (data.error || 'Unbekannter Fehler'));
+      }
+    })
+    .catch(error => {
+      console.error('Error deleting comment:', error);
+      alert('Fehler beim Löschen des Kommentars');
+    });
+  }
+  
+  // CSRF token helper
+  function getCookie(name) {
+    let cookieValue = null;
+    if (document.cookie && document.cookie !== '') {
+      const cookies = document.cookie.split(';');
+      for (let i = 0; i < cookies.length; i++) {
+        const cookie = cookies[i].trim();
+        if (cookie.substring(0, name.length + 1) === (name + '=')) {
+          cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+          break;
+        }
+      }
+    }
+    return cookieValue;
+  }
+});
+</script>
+
 {% endblock %}
diff --git a/dokumente/tests.py b/dokumente/tests.py
index d7a3709..11cc550 100644
--- a/dokumente/tests.py
+++ b/dokumente/tests.py
@@ -7,7 +7,7 @@ from io import StringIO
 from .models import (
     Dokumententyp, Person, Thema, Dokument, Vorgabe,
     VorgabeLangtext, VorgabeKurztext, Geltungsbereich,
-    Einleitung, Checklistenfrage, Changelog
+    Einleitung, Checklistenfrage, Changelog, VorgabeComment
 )
 from .utils import check_vorgabe_conflicts, date_ranges_intersect, format_conflict_report
 from abschnitte.models import AbschnittTyp
@@ -1506,3 +1506,669 @@ class StandardJSONViewTest(TestCase):
         # Check that JSON is properly indented (should be formatted)
         self.assertIn('\n', response.content.decode())
         self.assertIn('  ', response.content.decode())  # Check for indentation
+
+
+class VorgabeCommentModelTest(TestCase):
+    """Test cases for VorgabeComment model"""
+    
+    def setUp(self):
+        """Set up test data for comment tests"""
+        self.user = User.objects.create_user(
+            username='testuser',
+            password='testpass123'
+        )
+        
+        self.dokumententyp = Dokumententyp.objects.create(
+            name="Test Typ",
+            verantwortliche_ve="Test VE"
+        )
+        
+        self.thema = Thema.objects.create(
+            name="Test Thema"
+        )
+        
+        self.dokument = Dokument.objects.create(
+            nummer="COMM-001",
+            dokumententyp=self.dokumententyp,
+            name="Comment Test Document",
+            aktiv=True
+        )
+        
+        self.vorgabe = Vorgabe.objects.create(
+            order=1,
+            nummer=1,
+            dokument=self.dokument,
+            thema=self.thema,
+            titel="Test Vorgabe",
+            gueltigkeit_von=date.today()
+        )
+        
+        self.comment = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.user,
+            text="Dies ist ein Testkommentar"
+        )
+    
+    def test_comment_creation(self):
+        """Test that VorgabeComment is created correctly"""
+        self.assertEqual(self.comment.vorgabe, self.vorgabe)
+        self.assertEqual(self.comment.user, self.user)
+        self.assertEqual(self.comment.text, "Dies ist ein Testkommentar")
+        self.assertIsNotNone(self.comment.created_at)
+        self.assertIsNotNone(self.comment.updated_at)
+    
+    def test_comment_str(self):
+        """Test string representation of VorgabeComment"""
+        expected = f"Kommentar von {self.user.username} zu {self.vorgabe.Vorgabennummer()}"
+        self.assertEqual(str(self.comment), expected)
+    
+    def test_comment_related_name(self):
+        """Test related name works correctly"""
+        self.assertIn(self.comment, self.vorgabe.comments.all())
+    
+    def test_comment_ordering(self):
+        """Test comments are ordered by created_at descending"""
+        comment2 = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.user,
+            text="Zweiter Kommentar"
+        )
+        
+        comments = list(self.vorgabe.comments.all())
+        self.assertEqual(comments[0], comment2)  # Newest first
+        self.assertEqual(comments[1], self.comment)
+    
+    def test_comment_timestamps_auto_update(self):
+        """Test that updated_at changes when comment is modified"""
+        original_updated_at = self.comment.updated_at
+        
+        # Wait a tiny bit and update
+        import time
+        time.sleep(0.01)
+        
+        self.comment.text = "Updated text"
+        self.comment.save()
+        
+        self.assertNotEqual(self.comment.updated_at, original_updated_at)
+        self.assertEqual(self.comment.text, "Updated text")
+    
+    def test_multiple_users_can_comment(self):
+        """Test multiple users can comment on same Vorgabe"""
+        user2 = User.objects.create_user(
+            username='testuser2',
+            password='testpass123'
+        )
+        
+        comment2 = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=user2,
+            text="Kommentar von anderem Benutzer"
+        )
+        
+        self.assertEqual(self.vorgabe.comments.count(), 2)
+        self.assertIn(self.comment, self.vorgabe.comments.all())
+        self.assertIn(comment2, self.vorgabe.comments.all())
+
+
+class GetVorgabeCommentsViewTest(TestCase):
+    """Test cases for get_vorgabe_comments view"""
+    
+    def setUp(self):
+        """Set up test data"""
+        self.client = Client()
+        
+        # Create users
+        self.regular_user = User.objects.create_user(
+            username='regularuser',
+            password='testpass123'
+        )
+        
+        self.staff_user = User.objects.create_user(
+            username='staffuser',
+            password='testpass123'
+        )
+        self.staff_user.is_staff = True
+        self.staff_user.save()
+        
+        self.other_user = User.objects.create_user(
+            username='otheruser',
+            password='testpass123'
+        )
+        
+        # Create test data
+        self.dokumententyp = Dokumententyp.objects.create(
+            name="Test Typ",
+            verantwortliche_ve="Test VE"
+        )
+        
+        self.thema = Thema.objects.create(name="Test Thema")
+        
+        self.dokument = Dokument.objects.create(
+            nummer="COMM-001",
+            dokumententyp=self.dokumententyp,
+            name="Comment Test",
+            aktiv=True
+        )
+        
+        self.vorgabe = Vorgabe.objects.create(
+            order=1,
+            nummer=1,
+            dokument=self.dokument,
+            thema=self.thema,
+            titel="Test Vorgabe",
+            gueltigkeit_von=date.today()
+        )
+        
+        # Create comments from different users
+        self.comment1 = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.regular_user,
+            text="Kommentar von Regular User"
+        )
+        
+        self.comment2 = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.other_user,
+            text="Kommentar von Other User"
+        )
+    
+    def test_get_comments_requires_login(self):
+        """Test that anonymous users cannot view comments"""
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        # Should redirect to login
+        self.assertEqual(response.status_code, 302)
+        self.assertIn('/login/', response.url)
+    
+    def test_regular_user_sees_only_own_comments(self):
+        """Test that regular users only see their own comments"""
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response['Content-Type'], 'application/json')
+        
+        import json
+        data = json.loads(response.content)
+        
+        # Should only see their own comment
+        self.assertEqual(len(data['comments']), 1)
+        self.assertEqual(data['comments'][0]['text'], 'Kommentar von Regular User')
+        self.assertEqual(data['comments'][0]['user'], 'regularuser')
+        self.assertTrue(data['comments'][0]['is_own'])
+    
+    def test_staff_user_sees_all_comments(self):
+        """Test that staff users see all comments"""
+        self.client.login(username='staffuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        self.assertEqual(response.status_code, 200)
+        
+        import json
+        data = json.loads(response.content)
+        
+        # Should see all comments
+        self.assertEqual(len(data['comments']), 2)
+        usernames = [c['user'] for c in data['comments']]
+        self.assertIn('regularuser', usernames)
+        self.assertIn('otheruser', usernames)
+    
+    def test_get_comments_returns_404_for_nonexistent_vorgabe(self):
+        """Test that requesting comments for non-existent Vorgabe returns 404"""
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': 99999})
+        response = self.client.get(url)
+        
+        self.assertEqual(response.status_code, 404)
+    
+    def test_comments_are_html_escaped(self):
+        """Test that comments are properly HTML escaped"""
+        # Create comment with HTML
+        comment = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.regular_user,
+            text="Test <script>alert('xss')</script> comment"
+        )
+        
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        import json
+        data = json.loads(response.content)
+        
+        # Find the comment with script tag
+        script_comment = [c for c in data['comments'] if 'script' in c['text'].lower()][0]
+        
+        # Should be escaped
+        self.assertIn('&lt;script&gt;', script_comment['text'])
+        self.assertNotIn('<script>', script_comment['text'])
+    
+    def test_line_breaks_preserved(self):
+        """Test that line breaks are converted to <br> tags"""
+        comment = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.regular_user,
+            text="Line 1\nLine 2\nLine 3"
+        )
+        
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        import json
+        data = json.loads(response.content)
+        
+        # Find the multiline comment
+        multiline_comment = [c for c in data['comments'] if 'Line 1' in c['text']][0]
+        
+        # Should contain <br> tags
+        self.assertIn('<br>', multiline_comment['text'])
+        self.assertIn('Line 1<br>Line 2<br>Line 3', multiline_comment['text'])
+    
+    def test_security_headers_present(self):
+        """Test that security headers are present in response"""
+        self.client.login(username='regularuser', password='testpass123')
+        
+        url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        self.assertIn('Content-Security-Policy', response)
+        self.assertIn('X-Content-Type-Options', response)
+        self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
+
+
+class AddVorgabeCommentViewTest(TestCase):
+    """Test cases for add_vorgabe_comment view"""
+    
+    def setUp(self):
+        """Set up test data"""
+        self.client = Client()
+        
+        self.user = User.objects.create_user(
+            username='testuser',
+            password='testpass123'
+        )
+        
+        self.dokumententyp = Dokumententyp.objects.create(
+            name="Test Typ",
+            verantwortliche_ve="Test VE"
+        )
+        
+        self.thema = Thema.objects.create(name="Test Thema")
+        
+        self.dokument = Dokument.objects.create(
+            nummer="COMM-001",
+            dokumententyp=self.dokumententyp,
+            name="Comment Test",
+            aktiv=True
+        )
+        
+        self.vorgabe = Vorgabe.objects.create(
+            order=1,
+            nummer=1,
+            dokument=self.dokument,
+            thema=self.thema,
+            titel="Test Vorgabe",
+            gueltigkeit_von=date.today()
+        )
+    
+    def test_add_comment_requires_login(self):
+        """Test that anonymous users cannot add comments"""
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url, 
+            data='{"text": "Test comment"}',
+            content_type='application/json'
+        )
+        
+        # Should redirect to login
+        self.assertEqual(response.status_code, 302)
+    
+    def test_add_comment_requires_post(self):
+        """Test that only POST method is allowed"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.get(url)
+        
+        # Should return method not allowed
+        self.assertEqual(response.status_code, 405)
+    
+    def test_add_comment_success(self):
+        """Test successful comment addition"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "Dies ist ein neuer Kommentar"}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 200)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertTrue(data['success'])
+        self.assertEqual(data['comment']['text'], 'Dies ist ein neuer Kommentar')
+        self.assertEqual(data['comment']['user'], 'testuser')
+        self.assertTrue(data['comment']['is_own'])
+        
+        # Verify comment was created in database
+        self.assertEqual(VorgabeComment.objects.count(), 1)
+        comment = VorgabeComment.objects.first()
+        self.assertEqual(comment.text, 'Dies ist ein neuer Kommentar')
+        self.assertEqual(comment.user, self.user)
+    
+    def test_add_empty_comment_fails(self):
+        """Test that empty comments are rejected"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": ""}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('leer', data['error'].lower())
+        
+        # No comment should be created
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_whitespace_only_comment_fails(self):
+        """Test that whitespace-only comments are rejected"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "   \\n\\t  "}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_too_long_comment_fails(self):
+        """Test that comments exceeding max length are rejected"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        long_text = "a" * 2001  # Over the 2000 character limit
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data=f'{{"text": "{long_text}"}}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('lang', data['error'].lower())
+        
+        # No comment should be created
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_comment_xss_script_tag_blocked(self):
+        """Test that comments with <script> tags are blocked"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "Test <script>alert(\\"xss\\")</script> comment"}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('ungültige', data['error'].lower())
+        
+        # No comment should be created
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_comment_xss_javascript_protocol_blocked(self):
+        """Test that comments with javascript: protocol are blocked"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "Click <a href=\\"javascript:alert(1)\\">here</a>"}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_comment_xss_event_handlers_blocked(self):
+        """Test that comments with event handlers are blocked"""
+        dangerous_inputs = [
+            'Test onload=alert(1) comment',
+            'Test onerror=alert(1) comment',
+            'Test onclick=alert(1) comment',
+            'Test onmouseover=alert(1) comment'
+        ]
+        
+        self.client.login(username='testuser', password='testpass123')
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        
+        for dangerous_input in dangerous_inputs:
+            response = self.client.post(url,
+                data=f'{{"text": "{dangerous_input}"}}',
+                content_type='application/json'
+            )
+            
+            self.assertEqual(response.status_code, 400)
+        
+        # No comments should be created
+        self.assertEqual(VorgabeComment.objects.count(), 0)
+    
+    def test_add_comment_invalid_json_fails(self):
+        """Test that invalid JSON is rejected"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='invalid json',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('Ungültige', data['error'])
+    
+    def test_add_comment_nonexistent_vorgabe_fails(self):
+        """Test that adding comment to non-existent Vorgabe returns 404"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': 99999})
+        response = self.client.post(url,
+            data='{"text": "Test comment"}',
+            content_type='application/json'
+        )
+        
+        self.assertEqual(response.status_code, 404)
+    
+    def test_add_comment_security_headers(self):
+        """Test that security headers are present in response"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
+        response = self.client.post(url,
+            data='{"text": "Test comment"}',
+            content_type='application/json'
+        )
+        
+        self.assertIn('Content-Security-Policy', response)
+        self.assertIn('X-Content-Type-Options', response)
+        self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
+
+
+class DeleteVorgabeCommentViewTest(TestCase):
+    """Test cases for delete_vorgabe_comment view"""
+    
+    def setUp(self):
+        """Set up test data"""
+        self.client = Client()
+        
+        self.user = User.objects.create_user(
+            username='testuser',
+            password='testpass123'
+        )
+        
+        self.other_user = User.objects.create_user(
+            username='otheruser',
+            password='testpass123'
+        )
+        
+        self.staff_user = User.objects.create_user(
+            username='staffuser',
+            password='testpass123'
+        )
+        self.staff_user.is_staff = True
+        self.staff_user.save()
+        
+        self.dokumententyp = Dokumententyp.objects.create(
+            name="Test Typ",
+            verantwortliche_ve="Test VE"
+        )
+        
+        self.thema = Thema.objects.create(name="Test Thema")
+        
+        self.dokument = Dokument.objects.create(
+            nummer="COMM-001",
+            dokumententyp=self.dokumententyp,
+            name="Comment Test",
+            aktiv=True
+        )
+        
+        self.vorgabe = Vorgabe.objects.create(
+            order=1,
+            nummer=1,
+            dokument=self.dokument,
+            thema=self.thema,
+            titel="Test Vorgabe",
+            gueltigkeit_von=date.today()
+        )
+        
+        self.comment = VorgabeComment.objects.create(
+            vorgabe=self.vorgabe,
+            user=self.user,
+            text="Test comment to delete"
+        )
+    
+    def test_delete_comment_requires_login(self):
+        """Test that anonymous users cannot delete comments"""
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        # Should redirect to login
+        self.assertEqual(response.status_code, 302)
+        
+        # Comment should still exist
+        self.assertTrue(VorgabeComment.objects.filter(id=self.comment.id).exists())
+    
+    def test_delete_comment_requires_post(self):
+        """Test that only POST method is allowed"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.get(url)
+        
+        # Should return method not allowed
+        self.assertEqual(response.status_code, 405)
+    
+    def test_user_can_delete_own_comment(self):
+        """Test that users can delete their own comments"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        self.assertEqual(response.status_code, 200)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertTrue(data['success'])
+        
+        # Comment should be deleted
+        self.assertFalse(VorgabeComment.objects.filter(id=self.comment.id).exists())
+    
+    def test_user_cannot_delete_other_users_comment(self):
+        """Test that users cannot delete other users' comments"""
+        self.client.login(username='otheruser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        self.assertEqual(response.status_code, 403)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertIn('error', data)
+        self.assertIn('Berechtigung', data['error'])
+        
+        # Comment should still exist
+        self.assertTrue(VorgabeComment.objects.filter(id=self.comment.id).exists())
+    
+    def test_staff_can_delete_any_comment(self):
+        """Test that staff users can delete any comment"""
+        self.client.login(username='staffuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        self.assertEqual(response.status_code, 200)
+        
+        import json
+        data = json.loads(response.content)
+        
+        self.assertTrue(data['success'])
+        
+        # Comment should be deleted
+        self.assertFalse(VorgabeComment.objects.filter(id=self.comment.id).exists())
+    
+    def test_delete_nonexistent_comment_returns_404(self):
+        """Test that deleting non-existent comment returns 404"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': 99999})
+        response = self.client.post(url)
+        
+        self.assertEqual(response.status_code, 404)
+    
+    def test_delete_comment_security_headers(self):
+        """Test that security headers are present in response"""
+        self.client.login(username='testuser', password='testpass123')
+        
+        url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
+        response = self.client.post(url)
+        
+        self.assertIn('Content-Security-Policy', response)
+        self.assertIn('X-Content-Type-Options', response)
+        self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
diff --git a/dokumente/urls.py b/dokumente/urls.py
index a2db977..23e4fe1 100644
--- a/dokumente/urls.py
+++ b/dokumente/urls.py
@@ -8,6 +8,9 @@ urlpatterns = [
     path('<str:nummer>/history/<str:check_date>/', views.standard_detail),
     path('<str:nummer>/history/', views.standard_detail, {"check_date":"today"}, name='standard_history'),
     path('<str:nummer>/checkliste/', views.standard_checkliste, name='standard_checkliste'),
-    path('<str:nummer>/json/', views.standard_json, name='standard_json')
+    path('<str:nummer>/json/', views.standard_json, name='standard_json'),
+    path('comments/<int:vorgabe_id>/', views.get_vorgabe_comments, name='get_vorgabe_comments'),
+    path('comments/<int:vorgabe_id>/add/', views.add_vorgabe_comment, name='add_vorgabe_comment'),
+    path('comments/delete/<int:comment_id>/', views.delete_vorgabe_comment, name='delete_vorgabe_comment'),
 ]
 
diff --git a/dokumente/views.py b/dokumente/views.py
index 0c6df0a..53e7b49 100644
--- a/dokumente/views.py
+++ b/dokumente/views.py
@@ -2,8 +2,12 @@ from django.shortcuts import render, get_object_or_404
 from django.contrib.auth.decorators import login_required, user_passes_test
 from django.http import JsonResponse
 from django.core.serializers.json import DjangoJSONEncoder
+from django.views.decorators.http import require_POST
+from django.views.decorators.csrf import csrf_exempt
+from django.utils.html import escape, mark_safe
+from django.utils.safestring import SafeString
 import json
-from .models import Dokument, Vorgabe, VorgabeKurztext, VorgabeLangtext, Checklistenfrage
+from .models import Dokument, Vorgabe, VorgabeKurztext, VorgabeLangtext, Checklistenfrage, VorgabeComment
 from abschnitte.utils import render_textabschnitte
 
 from datetime import date
@@ -44,6 +48,15 @@ def standard_detail(request, nummer,check_date=""):
         for r in vorgabe.referenzen.all():
             referenz_items.append(r.Path())
         vorgabe.referenzpfade = referenz_items
+        
+        # Add comment count
+        if request.user.is_authenticated:
+            if request.user.is_staff:
+                vorgabe.comment_count = vorgabe.comments.count()
+            else:
+                vorgabe.comment_count = vorgabe.comments.filter(user=request.user).count()
+        else:
+            vorgabe.comment_count = 0
 
     return render(request, 'standards/standard_detail.html', {
         'standard': standard,
@@ -237,3 +250,119 @@ def standard_json(request, nummer):
 
     # Return JSON response
     return JsonResponse(doc_data, json_dumps_params={'indent': 2, 'ensure_ascii': False}, encoder=DjangoJSONEncoder)
+
+
+@login_required
+def get_vorgabe_comments(request, vorgabe_id):
+    """Get comments for a specific Vorgabe"""
+    vorgabe = get_object_or_404(Vorgabe, id=vorgabe_id)
+    
+    if request.user.is_staff:
+        # Staff can see all comments
+        comments = vorgabe.comments.all().select_related('user').order_by('created_at')
+    else:
+        # Regular users can only see their own comments
+        comments = vorgabe.comments.filter(user=request.user).select_related('user').order_by('created_at')
+    
+    comments_data = []
+    for comment in comments:
+        # Escape HTML but preserve line breaks
+        escaped_text = escape(comment.text).replace('\n', '<br>')
+        comments_data.append({
+            'id': comment.id,
+            'text': escaped_text,
+            'user': escape(comment.user.first_name+" "+comment.user.last_name),
+            'created_at': comment.created_at.strftime('%d.%m.%Y %H:%M'),
+            'updated_at': comment.updated_at.strftime('%d.%m.%Y %H:%M'),
+            'is_own': comment.user == request.user
+        })
+    
+    response = JsonResponse({'comments': comments_data})
+    response['Content-Security-Policy'] = "default-src 'self'"
+    response['X-Content-Type-Options'] = 'nosniff'
+    return response
+
+
+@require_POST
+@login_required
+def add_vorgabe_comment(request, vorgabe_id):
+    """Add a new comment to a Vorgabe"""
+    vorgabe = get_object_or_404(Vorgabe, id=vorgabe_id)
+    
+    try:
+        data = json.loads(request.body)
+        text = data.get('text', '').strip()
+        
+        # Validate input
+        if not text:
+            return JsonResponse({'error': 'Kommentar darf nicht leer sein'}, status=400)
+        
+        if len(text) > 2000:  # Reasonable length limit
+            return JsonResponse({'error': 'Kommentar ist zu lang (max 2000 Zeichen)'}, status=400)
+        
+        # Additional XSS prevention - check for dangerous patterns
+        dangerous_patterns = ['<script', 'javascript:', 'onload=', 'onerror=', 'onclick=', 'onmouseover=']
+        text_lower = text.lower()
+        for pattern in dangerous_patterns:
+            if pattern in text_lower:
+                return JsonResponse({'error': 'Kommentar enthält ungültige Zeichen'}, status=400)
+        
+        comment = VorgabeComment.objects.create(
+            vorgabe=vorgabe,
+            user=request.user,
+            text=text
+        )
+        
+        # Escape HTML but preserve line breaks
+        escaped_text = escape(comment.text).replace('\n', '<br>')
+        response = JsonResponse({
+            'success': True,
+            'comment': {
+                'id': comment.id,
+                'text': escaped_text,
+                'user': escape(comment.user.username),
+                'created_at': comment.created_at.strftime('%d.%m.%Y %H:%M'),
+                'updated_at': comment.updated_at.strftime('%d.%m.%Y %H:%M'),
+                'is_own': True
+            }
+        })
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+        
+    except json.JSONDecodeError:
+        response = JsonResponse({'error': 'Ungültige Daten'}, status=400)
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+    except Exception as e:
+        response = JsonResponse({'error': 'Serverfehler'}, status=500)
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+
+
+@require_POST
+@login_required
+def delete_vorgabe_comment(request, comment_id):
+    """Delete a comment (only own comments or staff can delete)"""
+    comment = get_object_or_404(VorgabeComment, id=comment_id)
+    
+    # Check if user can delete this comment
+    if comment.user != request.user and not request.user.is_staff:
+        response = JsonResponse({'error': 'Keine Berechtigung zum Löschen dieses Kommentars'}, status=403)
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+    
+    try:
+        comment.delete()
+        response = JsonResponse({'success': True})
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
+    except Exception as e:
+        response = JsonResponse({'error': 'Serverfehler'}, status=500)
+        response['Content-Security-Policy'] = "default-src 'self'"
+        response['X-Content-Type-Options'] = 'nosniff'
+        return response
diff --git a/pages/templates/base.html b/pages/templates/base.html
index cd71670..09051a9 100644
--- a/pages/templates/base.html
+++ b/pages/templates/base.html
@@ -215,7 +215,7 @@
           </p>
         </div>
         <div class="col-sm-6 text-right">
-          <p class="text-muted">Version {{ version|default:"0.958" }}</p>
+          <p class="text-muted">Version {{ version|default:"0.960" }}</p>
         </div>
       </div>
     </div>
diff --git a/referenzen/migrations/0003_alter_referenzerklaerung_options.py b/referenzen/migrations/0003_alter_referenzerklaerung_options.py
new file mode 100644
index 0000000..e214b19
--- /dev/null
+++ b/referenzen/migrations/0003_alter_referenzerklaerung_options.py
@@ -0,0 +1,17 @@
+# Generated by Django 5.2.5 on 2025-11-27 22:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('referenzen', '0002_alter_referenz_table_alter_referenzerklaerung_table'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='referenzerklaerung',
+            options={'verbose_name': 'Erklärung', 'verbose_name_plural': 'Erklärungen'},
+        ),
+    ]
diff --git a/static/custom/css/admin_extras.css b/static/custom/css/admin_extras.css
index 2e15826..29450c5 100644
--- a/static/custom/css/admin_extras.css
+++ b/static/custom/css/admin_extras.css
@@ -11,4 +11,93 @@
     margin-bottom: 1em;
     border: 1px solid #ccc;
     padding: 0;
-  }
\ No newline at end of file
+  }
+
+/* Comment System Styles */
+.comment-btn {
+  position: relative;
+}
+
+.comment-btn .comment-count {
+  position: absolute;
+  top: -8px;
+  right: -8px;
+  background-color: #dc3545;
+  color: white;
+  border-radius: 50%;
+  width: 20px;
+  height: 20px;
+  font-size: 11px;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  font-weight: bold;
+}
+
+.comment-item {
+  max-width: 100%;
+  word-wrap: break-word;
+  overflow-wrap: break-word;
+}
+
+.comment-item .text-muted {
+  font-size: 0.85em;
+}
+
+#commentModal .modal-body {
+  max-height: 60vh;
+  overflow-y: auto;
+}
+
+#commentsContainer {
+  min-height: 100px;
+}
+
+.delete-comment-btn {
+  opacity: 0.7;
+  transition: opacity 0.2s;
+}
+
+.delete-comment-btn:hover {
+  opacity: 1;
+}
+
+.delete-comment-btn {
+  font-size: 18px;
+  font-weight: bold;
+  line-height: 1;
+  color: #721c24;
+  border: 1px solid #f5c6cb;
+  border-radius: 4px;
+  width: 28px;
+  height: 28px;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  padding: 0;
+}
+
+.delete-comment-btn:hover {
+  opacity: 1;
+  background-color: #f8d7da;
+  border-color: #f5c6cb;
+}
+
+/* Icon styling for emoji replacements */
+.emoji-icon {
+  font-size: 1.1em;
+  margin-right: 0.3em;
+  vertical-align: middle;
+}
+
+/* Responsive adjustments */
+@media (max-width: 768px) {
+  .comment-item .d-flex {
+    flex-direction: column;
+  }
+  
+  .delete-comment-btn {
+    margin-left: 0 !important;
+    margin-top: 0.5rem;
+  }
+}
\ No newline at end of file
diff --git a/stichworte/migrations/0003_alter_stichworterklaerung_options.py b/stichworte/migrations/0003_alter_stichworterklaerung_options.py
new file mode 100644
index 0000000..948e9f4
--- /dev/null
+++ b/stichworte/migrations/0003_alter_stichworterklaerung_options.py
@@ -0,0 +1,17 @@
+# Generated by Django 5.2.5 on 2025-11-27 22:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('stichworte', '0002_stichworterklaerung_order'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='stichworterklaerung',
+            options={'verbose_name': 'Erklärung', 'verbose_name_plural': 'Erklärungen'},
+        ),
+    ]
