diff --git a/seahub/templates/snippets/myhome_extra_script.html b/seahub/templates/snippets/myhome_extra_script.html
index 6eec6cd2ce..6abacfebca 100644
--- a/seahub/templates/snippets/myhome_extra_script.html
+++ b/seahub/templates/snippets/myhome_extra_script.html
@@ -22,7 +22,7 @@ $(function () {
                     hd = $('.hd', form),
                     btn_ct = $(this).parents('td'),
                     repo_id = btn_ct.data('id'),
-                    repo_name = btn_ct.attr('data-name');
+                    repo_name = HTMLescape(btn_ct.attr('data-name'));
                 var grp_options_ct = $('#share-grp-options');
                 if (!$.trim(grp_options_ct.html())) {
                     var grp_options = '<ul class="option-list">';
diff --git a/seahub/templates/snippets/repo_del_js.html b/seahub/templates/snippets/repo_del_js.html
index 857de5eee3..334deecd1b 100644
--- a/seahub/templates/snippets/repo_del_js.html
+++ b/seahub/templates/snippets/repo_del_js.html
@@ -30,7 +30,7 @@ $('.repo-delete-btn').click(function() {
         cfm.css({'left': op.position().left, 'top': op.position().top + op.height() + 2, 'width':202});
     }
     var con = $('.con', cfm);
-    con.html(con.html().replace('%(lib_name)s', '<span class="op-target">' + cfm.parents('td').attr('data-name') + '</span>'));
+    con.html(con.html().replace('%(lib_name)s', '<span class="op-target">' + HTMLescape(cfm.parents('td').attr('data-name')) + '</span>'));
     cfm.removeClass('hide');
     $('.no',cfm).click(function() {
         cfm.addClass('hide');