diff --git a/edit_report.php b/edit_report.php
index c01e91d79..ec18cbbf4 100644
--- a/edit_report.php
+++ b/edit_report.php
@@ -216,7 +216,7 @@ function print_options ( $textarea, $option ) {
'; + 'maxlength="50" value="' . htmlentities($report_name) . '">'; if ( $show_participants ) { echo '
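Review bot: `htmlentities($report_name)` relies on PHP's version-dependent defaults — before 8.1 the default flag set is ENT_COMPAT, the default charset changed in 5.4, and without ENT_SUBSTITUTE an invalid byte sequence in the name makes the call return an empty string, so the `value` attribute would silently render empty. Passing the flags explicitly pins the behaviour regardless of interpreter version: `'maxlength="50" value="' . htmlentities($report_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';` (substitute the application's configured charset if it is not UTF-8). The same applies to the two `htmlentities()` calls in the report.php hunk at `@@ -237,9 +238,9 @@`. The enclosing function starts outside the hunk, and the removed line is lost in this rendering, so I cannot confirm what the previous value expression was.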
diff --git a/report.php b/report.php
index 62b1ba6bb..e4e95d54f 100644
--- a/report.php
+++ b/report.php
@@ -110,6 +110,7 @@ function event_to_text ( $event, $date ) {
 } else $id = $event->getID();
+ $name_str = $description_str = '';
 if ( $tempAcc == 'R' ) { if ( ( $login != $user && strlen ( $user ) ) || ( $login != $tempLog && strlen ( $tempLog ) ) ) {
@@ -237,9 +238,9 @@ function event_to_text ( $event, $date ) {
 $addStr = translate ( 'Add new report' );
 $unnamesStr = translate ( 'Unnamed Report' );
 while ( $row = dbi_fetch_row ( $res ) ) {
- $rep_name = trim ( $row[1] );
+ $rep_name = htmlentities(trim($row[1]));
 if ( empty ( $rep_name ) )
- $rep_name = $unnamesStr;
+ $rep_name = htmlentities($unnamesStr);
 $list .= '
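Review bot: `htmlentities($unnamesStr)` encodes a string that comes from `translate()`, and if translation strings may already contain HTML entities (e.g. `&eacute;`) this turns them into `&amp;eacute;`; if that is possible, pass the fourth `double_encode` argument as `false`, or leave the translated fallback unencoded as it was before. A second effect of encoding before the `empty()` test: a stored name that is a malformed byte sequence now encodes to `''` (no ENT_SUBSTITUTE is given) and falls through to the 'Unnamed Report' label, so the fallback silently masks bad data instead of surfacing it, and `'0'` was already treated as empty by this check. The `$list .= '` line that consumes `$rep_name` continues outside the hunk, so I cannot confirm the variable is only ever used in an HTML context; if it is also compared against raw database values or emitted elsewhere, the encoding should move to the output line rather than the read.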