diff --git a/app/views/profile/content_tagged.rhtml b/app/views/profile/content_tagged.rhtml
index a8d8427..224f5ec 100644
--- a/app/views/profile/content_tagged.rhtml
+++ b/app/views/profile/content_tagged.rhtml
@@ -1,6 +1,6 @@
 <% add_rss_feed_to_head(_("%s's contents tagged with \"%s\"") % [profile.name, @tag], tag_feed_path) %>
 
-<h1><%= _('Content tagged with "%s"') % @tag %></h1>
+<h1><%= _('Content tagged with "%s"') % CGI.escapeHTML(@tag) %></h1>
 
 <p>
 <%= link_to image_tag('icons-mime/rss-feed.png', :alt => _('Feed for this tag'), :title => _('Feed for this tag')), tag_feed_path, :class => 'blog-feed-link'%>
@@ -18,6 +18,6 @@
   <%= pagination_links @tagged, :param_name => 'npage' %>
 
   <div>
-    <%= link_to _('See content tagged with "%s" in the entire site') % @tag, :controller => 'search', :action => 'tag', :tag => @tag %>
+    <%= link_to _('See content tagged with "%s" in the entire site') % CGI.escapeHTML(@tag), :controller => 'search', :action => 'tag', :tag => @tag %>
   </div>
 <% end %>
diff --git a/app/views/search/index.rhtml b/app/views/search/index.rhtml
index 38b16bd..54b3bf5 100644
--- a/app/views/search/index.rhtml
+++ b/app/views/search/index.rhtml
@@ -1,6 +1,6 @@
 <div id="search-page">
 
-<%= search_page_title(_('Search Results'), :query => @query, :category => @category ? @category.name : nil, :total_results => @total_results) %>
+<%= search_page_title(_('Search Results'), :query => CGI.escapeHTML(@query), :category => @category ? @category.name : nil, :total_results => @total_results) %>
 
 <%= render :partial => 'search_form', :locals => { :form_title => _("Refine your search"), :simple_search => true } %>
 
diff --git a/test/functional/profile_controller_test.rb b/test/functional/profile_controller_test.rb
index 7c33326..aecb981 100644
--- a/test/functional/profile_controller_test.rb
+++ b/test/functional/profile_controller_test.rb
@@ -716,6 +716,11 @@ class ProfileControllerTest < Test::Unit::TestCase
     assert_response 302
   end
 
+  should 'escape xss attack in tag feed' do
+    get :content_tagged, :profile => profile.identifier, :id => "<wslite>"
+    assert_no_tag :tag => 'wslite'
+  end
+
   should 'reverse the order of posts in tag feed' do
     TextileArticle.create!(:name => 'First post', :profile => profile, :tag_list => 'tag1', :published_at => Time.now)
     TextileArticle.create!(:name => 'Second post', :profile => profile, :tag_list => 'tag1', :published_at => Time.now + 1.day)
diff --git a/test/functional/search_controller_test.rb b/test/functional/search_controller_test.rb
index 832f671..7c67db9 100644
--- a/test/functional/search_controller_test.rb
+++ b/test/functional/search_controller_test.rb
@@ -50,6 +50,11 @@ class SearchControllerTest < Test::Unit::TestCase
     assert_equal 'carne vaca', assigns('filtered_query')
   end
 
+  should 'espape xss attack' do
+    get 'index', :query => '<wslite>'
+    assert_no_tag :tag => 'wslite'
+  end
+
   should 'search only in specified types of content' do
     get :index, :query => 'something not important', :find_in => [ 'articles' ]
     assert_equal [:articles], assigns(:results).keys
--
libgit2 0.21.2