diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 119ca66..c3e6689 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -459,7 +459,7 @@ module ApplicationHelper
   # #profile_image) or only its name below.
   def profile_add_link( profile, image=false, size=:portrait, tag='li')
     the_class = profile.members.include?(user) ? 'profile_member' : ''
-    name = profile.short_name
+    name = h(profile.short_name)
     if image
       display = content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
                 content_tag( 'span', name, :class => 'org' ) +
@@ -492,7 +492,7 @@ module ApplicationHelper
     content_tag tag,
         link_to(
             content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
-            content_tag( 'span', name, :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
+            content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
             city + profile_sex_icon( profile ) + profile_cat_icons( profile ),
             profile.url,
             :onclick => 'document.location.href = this.href', # work-arround for ie.
@@ -505,7 +505,7 @@ module ApplicationHelper
   # displays a link to the community homepage with its image (as generated by
   # #profile_image) and its name and number of members beside it.
   def community_image_link( profile, size=:portrait, tag='li' )
-    name = profile.name
+    name = h(profile.name)
     content_tag tag,
         link_to(
             content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
diff --git a/app/helpers/content_viewer_helper.rb b/app/helpers/content_viewer_helper.rb
index f9dd3d9..518ee86 100644
--- a/app/helpers/content_viewer_helper.rb
+++ b/app/helpers/content_viewer_helper.rb
@@ -14,7 +14,7 @@ module ContentViewerHelper
   def article_title(article, args = {})
     title = article.display_title if article.kind_of?(UploadedFile) && article.image?
     title = article.title if title.blank?
-    title = content_tag('h1', title, :class => 'title')
+    title = content_tag('h1', h(title), :class => 'title')
     if article.belongs_to_blog?
       unless args[:no_link]
         title = content_tag('h1', link_to(article.name, article.url), :class => 'title')
diff --git a/app/helpers/tags_helper.rb b/app/helpers/tags_helper.rb
index 6bdeee7..fef502a 100644
--- a/app/helpers/tags_helper.rb
+++ b/app/helpers/tags_helper.rb
@@ -57,7 +57,7 @@ module TagsHelper
         display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : ""
         link_to tag + display_count, destination, :style => style
       else
-        link_to tag , destination, :style => style,
+        link_to h(tag) , destination, :style => style,
           :title => n_( 'one item', '%d items', count ) % count
       end
 
diff --git a/app/views/blocks/profile_image.rhtml b/app/views/blocks/profile_image.rhtml
index 9bcb5b5..fe0fd30 100644
--- a/app/views/blocks/profile_image.rhtml
+++ b/app/views/blocks/profile_image.rhtml
@@ -11,7 +11,7 @@
 </div>
 
 <% if show_name %>
-  <p><%= block.owner.short_name %></p>
+  <p><%= h block.owner.short_name %></p>
 <% end %>
 
 <% if !user.nil? and user.has_permission?('edit_profile', profile) %>
diff --git a/app/views/blocks/profile_info.rhtml b/app/views/blocks/profile_info.rhtml
index 43e6605..20e2f48 100644
--- a/app/views/blocks/profile_info.rhtml
+++ b/app/views/blocks/profile_info.rhtml
@@ -1,6 +1,6 @@
 <div class="vcard">
 
-<h2 class="<%= profile.class == Person ? 'fn' : 'org' %>"><%= block.owner.short_name %></h2>
+<h2 class="<%= profile.class == Person ? 'fn' : 'org' %>"><%= h block.owner.short_name %></h2>
 
 <div class="profile-info-picture">
   <div class="profile-info-picture-inner1">
diff --git a/app/views/layouts/application-ng.rhtml b/app/views/layouts/application-ng.rhtml
index f4da3b9..c64453e 100644
--- a/app/views/layouts/application-ng.rhtml
+++ b/app/views/layouts/application-ng.rhtml
@@ -1,7 +1,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>">
   <head>
-    <title><%= page_title %></title>
+    <title><%= h page_title %></title>
     <%= meta_tags_for_article(@page) %>
     <!--<meta http-equiv="refresh" content="1"/>-->
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
diff --git a/app/views/layouts/application.rhtml b/app/views/layouts/application.rhtml
index a52c34c..3bb65c3 100644
--- a/app/views/layouts/application.rhtml
+++ b/app/views/layouts/application.rhtml
@@ -1,7 +1,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>">
   <head>
-    <title><%= page_title %></title>
+    <title><%= h page_title %></title>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <meta name="description" content="<%= @environment.name %>" />
     <meta name="keywords" content="Noosfero, Community, Open Source" />
diff --git a/app/views/profile/index.rhtml b/app/views/profile/index.rhtml
index 24f7e4e..5cc9e8a 100644
--- a/app/views/profile/index.rhtml
+++ b/app/views/profile/index.rhtml
@@ -1,6 +1,6 @@
 <%= render :partial => 'shared/disabled_enterprise' %>
 
-<h1><%= profile.name %></h1>
+<h1><%= h profile.name %></h1>
 
 <% if @action %>
   <%= render :partial => 'private_profile' %>
diff --git a/app/views/profile_editor/index.rhtml b/app/views/profile_editor/index.rhtml
index cfc5994..3645134 100644
--- a/app/views/profile_editor/index.rhtml
+++ b/app/views/profile_editor/index.rhtml
@@ -1,7 +1,7 @@
 <div id="profile-editor-index">
 
   <h1 class="block-title">
-    <span class='control-panel-title'><%= profile.short_name %></span>
+    <span class='control-panel-title'><%= h profile.short_name %></span>
     <span class='control-panel-sep'>&#150;</span>
     <span class='control-panel-subtitle'><%= _('Control Panel') %></span>
   </h1>
--
libgit2 0.21.2