diff --git a/WebContent/WEB-INF/jsp/reports.jsp b/WebContent/WEB-INF/jsp/reports.jsp
index e3b976bb9b..fd92eb1666 100644
--- a/WebContent/WEB-INF/jsp/reports.jsp
+++ b/WebContent/WEB-INF/jsp/reports.jsp
@@ -142,7 +142,7 @@
hide("noReportInstances");
dwr.util.addRows("reportInstancesList", instanceArray,
[
- function(ri) { return "" + ri.name + ""; },
+ function(ri) { return "" + escapeHtml(ri.name) + ""; },
function(ri) { return ri.prettyRunStartTime; },
function(ri) { return ri.prettyRunDuration; },
function(ri) { return ri.prettyReportStartTime; },
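Review bot: Together with the `ReportInstanceDAO.mapRow` hunk in this commit, which already calls `escapeHtml` on the name when it is read from the database, `escapeHtml(ri.name)` here encodes an already-encoded string, so a report name containing `&`, `<` or `"` renders as a literal `&amp;`, `&lt;` or `&quot;`. Encode at exactly one layer, and this rendering point is the right one: keep the escape here and have the DAO return the raw value. Unless the page defines its own global `escapeHtml`, the unqualified call will fail at runtime; DWR's util.js ships the helper as `dwr.util.escapeHtml`, so `function(ri) { return "" + dwr.util.escapeHtml(ri.name) + ""; }` is the safer spelling. The enclosing `addRows` call continues past the hunk, so the remaining cell functions were not reviewed for the same issue.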
diff --git a/src/org/scada_lts/dao/report/ReportInstanceDAO.java b/src/org/scada_lts/dao/report/ReportInstanceDAO.java
index 2f8a581bdc..2ec51ccb4c 100644
--- a/src/org/scada_lts/dao/report/ReportInstanceDAO.java
+++ b/src/org/scada_lts/dao/report/ReportInstanceDAO.java
@@ -44,6 +44,8 @@
import com.serotonin.mango.rt.event.EventInstance;
import com.serotonin.mango.vo.report.ReportInstance;
+import static org.directwebremoting.Security.escapeHtml;
+
/**
* DAO for ReportInstance
*
@@ -154,7 +156,7 @@ public ReportInstance mapRow(ResultSet rs, int rowNum) throws SQLException {
ReportInstance reportInstance = new ReportInstance();
reportInstance.setId(rs.getInt(COLUMN_NAME_ID));
reportInstance.setUserId(rs.getInt(COLUMN_NAME_USER_ID));
- reportInstance.setName(rs.getString(COLUMN_NAME_NAME));
+ reportInstance.setName(escapeHtml(rs.getString(COLUMN_NAME_NAME)));
reportInstance.setIncludeEvents(rs.getInt(COLUMN_NAME_INCLUDE_EVENTS));
reportInstance.setIncludeUserComments(DAO.charToBool(rs.getString(COLUMN_NAME_INCLUDE_USER_COMMENTS)));
reportInstance.setReportStartTime(rs.getLong(COLUMN_NAME_REPORT_START_TIME));
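Review bot: Escaping inside `mapRow` moves HTML output encoding into the persistence layer, so every consumer of `ReportInstance.getName()` — not only the HTML view — now receives the entity-encoded form, and any path that writes the name back (update, copy, export) will persist the encoded text and compound it on each round trip. Output encoding belongs where the value is rendered; I would revert this line to `reportInstance.setName(rs.getString(COLUMN_NAME_NAME));` and rely on the escape in the view (the `reports.jsp` hunk in this commit already adds it, and with both in place the name is double-encoded). If `Security.escapeHtml` does not accept a null argument, a NULL `name` column that previously mapped to `null` would now throw during row mapping — worth confirming against the DWR version in use. The `mapRow` body continues beyond the end of the hunk.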