Escape body name in admin title.

3 files changed, 5 insertions, 2 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 40e554cc3..16541c16a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,7 @@
         - Fix extra question display when only one category.
         - Fix superusers creating anonymous reports. #2435
         - Ensure non_public reports aren't exposed at /open311 endpoint.
+        - Escape body name in admin title.
     - Development improvements:
         - Make front page cache time configurable.
         - Better working of /fakemapit/ under https.
diff --git a/templates/web/base/admin/bodies/body.html b/templates/web/base/admin/bodies/body.html
index afd2eff46..8f298676e 100644
--- a/templates/web/base/admin/bodies/body.html
+++ b/templates/web/base/admin/bodies/body.html
@@ -1,4 +1,5 @@
-[% INCLUDE 'admin/header.html' title=tprintf(loc('Council contacts for %s'), body.name) -%]
+[% body_name = body.name | html;
+   INCLUDE 'admin/header.html' title=tprintf(loc('Council contacts for %s'), body_name) -%]
 [% PROCESS 'admin/report_blocks.html' %]
 
 [% IF updated %]
diff --git a/templates/web/base/admin/bodies/category.html b/templates/web/base/admin/bodies/category.html
index 2f789ed81..de8cb19ec 100644
--- a/templates/web/base/admin/bodies/category.html
+++ b/templates/web/base/admin/bodies/category.html
@@ -1,4 +1,5 @@
-[% INCLUDE 'admin/header.html' title=tprintf(loc('Council contacts for %s'), body.name) -%]
+[% body_name = body.name | html;
+   INCLUDE 'admin/header.html' title=tprintf(loc('Council contacts for %s'), body_name) -%]
 
 [% BLOCK highlightchanged_yesno %]
 [%- output = loc('No') %]