diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index c8b580b5fd9df78112c4b808cc595d47acccd7c2..38aa31be32bc8ca5009ffe586130d2a633713842 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -31,7 +31,7 @@
 
 			<ul id="settings" class="svg">
 				<span id="expand">
-					<?php echo OCP\User::getDisplayName($user=null)?OCP\User::getDisplayName($user=null):(OC_User::getUser()?OC_User::getUser():'') ?>
+					<?php echo OCP\User::getDisplayName($user=null)?OC_Util::sanitizeHTML(OCP\User::getDisplayName($user=null)):(OC_User::getUser()?OC_User::getUser():'') ?>
 					<img class="svg" src="<?php echo image_path('', 'actions/caret.svg'); ?>" />
 				</span>
 				<div id="expanddiv">
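Review bot: Only the display-name branch of the ternary is passed through `OC_Util::sanitizeHTML`; the fallback `OC_User::getUser()` on the same line is still echoed raw, so a user id containing markup reaches the page unescaped on the fallback path. The display name is also fetched twice, once for the test and once for the echo. Computing the value once and escaping whatever ends up being printed covers both: `<?php $name = OCP\User::getDisplayName($user=null); if (!$name) { $name = OC_User::getUser(); } echo OC_Util::sanitizeHTML($name ? $name : ''); ?>`. I cannot tell from this hunk whether `getUser()` is trusted elsewhere in the template, so treating it the same as the display name is the conservative choice.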
diff --git a/settings/js/users.js b/settings/js/users.js
index da18b4be8367d0e49bfbc579fb9d83467e56dacb..086b0884a3b402a33fa3a2de2de2848ebcd825a0 100644
--- a/settings/js/users.js
+++ b/settings/js/users.js
@@ -308,7 +308,7 @@ $(document).ready(function () {
 		event.stopPropagation();
 		var img = $(this);
 		var uid = img.parent().parent().attr('data-uid');
-		var displayName = img.parent().parent().attr('data-displayName');
+		var displayName = escapeHTML(img.parent().parent().attr('data-displayName'));
 		var input = $('<input type="text" value="' + displayName + '">');
 		img.css('display', 'none');
 		img.parent().children('span').replaceWith(input);
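Review bot: The escaped value is still spliced into an attribute by string concatenation on the line after the change (`'<input type="text" value="' + displayName + '">'`), so the fix depends on `escapeHTML` escaping double quotes in this version; I cannot confirm that from the hunk. Building the element and setting its value through the DOM removes the attribute-injection concern entirely: `var displayName = img.parent().parent().attr('data-displayName') || '';` and `var input = $('<input type="text">').val(displayName);`. The `|| ''` also avoids passing `undefined` to `escapeHTML` if the attribute is missing, in case that helper calls `toString()` on its argument. The enclosing click handler starts and ends outside this hunk.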
@@ -329,7 +329,7 @@ $(document).ready(function () {
 			}
 		});
 		input.blur(function () {
-			$(this).replaceWith($(this).val());
+			$(this).replaceWith(escapeHTML($(this).val()));
 			img.css('display', '');
 		});
 	});
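Review bot: `replaceWith(escapeHTML($(this).val()))` still feeds an HTML string to jQuery, so correctness rests on the escaping helper rather than on the DOM API; inserting the value as text sidesteps that. It would also restore the `span` element that the edit handler in the previous hunk looks up with `children('span')` (line 26 of this diff), which the current replacement drops, leaving a bare text node after the first edit. Suggested line: `$(this).replaceWith($('<span>').text($(this).val()));`. The enclosing function starts outside this hunk.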