diff --git a/WebContent/WEB-INF/ftl/report/reportChart.ftl b/WebContent/WEB-INF/ftl/report/reportChart.ftl
index b11fa20918..12f2a182e3 100644
--- a/WebContent/WEB-INF/ftl/report/reportChart.ftl
+++ b/WebContent/WEB-INF/ftl/report/reportChart.ftl
@@ -87,7 +87,7 @@
       <td>
         <table>
           <tr>
-            <td colspan="2"><h1>${instance.name}</h1></td>
+            <td colspan="2"><h1>${security.escapeHtml(instance.name)}</h1></td>
           </tr>
           <tr>
             <td class="label"><@fmt key="reports.runTimeStart"/></td>
@@ -121,7 +121,7 @@
       
       <td class="stats">
         <table>
-          <tr><td colspan="2" class="pointName">${point.name}</td></tr>
+          <tr><td colspan="2" class="pointName">${security.escapeHtml(point.name)}</td></tr>
           <tr>
             <td class="label"><@fmt key="reports.dataType"/></td>
             <td>${point.dataTypeDescription}</td>
diff --git a/WebContent/WEB-INF/jsp/reports.jsp b/WebContent/WEB-INF/jsp/reports.jsp
index 17608d0d06..fd92eb1666 100644
--- a/WebContent/WEB-INF/jsp/reports.jsp
+++ b/WebContent/WEB-INF/jsp/reports.jsp
@@ -142,7 +142,7 @@
             hide("noReportInstances");
             dwr.util.addRows("reportInstancesList", instanceArray,
                 [
-                    function(ri) { return "<span>" + ri.name + "</span>"; },
+                    function(ri) { return "<span>" + escapeHtml(ri.name) + "</span>"; },
                     function(ri) { return ri.prettyRunStartTime; },
                     function(ri) { return ri.prettyRunDuration; },
                     function(ri) { return ri.prettyReportStartTime; },
@@ -336,7 +336,8 @@
     }
     
     function updateReport(id, name) {
-        $("r"+ id +"Name").innerHTML = name;
+        let escapedName = escapeHtml(name);
+        $("r"+ id +"Name").innerHTML = escapedName;
     }
     
     function clearMessages() {
diff --git a/src/com/serotonin/mango/vo/report/ReportChartCreator.java b/src/com/serotonin/mango/vo/report/ReportChartCreator.java
index d56997c41b..025b8262a2 100644
--- a/src/com/serotonin/mango/vo/report/ReportChartCreator.java
+++ b/src/com/serotonin/mango/vo/report/ReportChartCreator.java
@@ -35,6 +35,7 @@
 import freemarker.template.Template;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.directwebremoting.Security;
 import org.jfree.data.time.TimeSeries;
 import org.scada_lts.mango.service.SystemSettingsService;
 import org.scada_lts.utils.ColorUtils;
@@ -123,6 +124,7 @@ public void createContent(ReportInstance reportInstance, ReportDao reportDao, St
         model.put("instance", reportInstance);
         model.put("points", pointStatistics);
         model.put("inline", inlinePrefix == null ? "" : "cid:");
+        model.put("security", new Security());
 
         model.put("ALPHANUMERIC", DataTypes.ALPHANUMERIC);
         model.put("BINARY", DataTypes.BINARY);
diff --git a/src/com/serotonin/mango/vo/report/SeriesIdentifier.java b/src/com/serotonin/mango/vo/report/SeriesIdentifier.java
index 6a5dda9666..ae28bf2606 100644
--- a/src/com/serotonin/mango/vo/report/SeriesIdentifier.java
+++ b/src/com/serotonin/mango/vo/report/SeriesIdentifier.java
@@ -38,6 +38,6 @@ public int hashCode() {
 
     @Override
     public String toString() {
-        return XssProtectHtmlEscapeUtils.escape(name);
+        return name;
     }
 }