diff -r fd1dafb0ab10 -r b3a1d15965d9 web/views/cwuser.py
--- a/web/views/cwuser.py	Thu Sep 25 10:50:23 2014 +0200
+++ b/web/views/cwuser.py	Thu Sep 11 15:17:08 2014 +0200
@@ -160,7 +160,8 @@
     def entity_call(self, entity, **kwargs):
         entity.complete()
         self.w(u'<a href="%s" class="%s">%s</a>' % (
-            entity.absolute_url(), entity.name, entity.printable_value('name')))
+            entity.absolute_url(), xml_escape(entity.name),
+            entity.printable_value('name')))
 
 
 # user / groups management views ###############################################