diff --git a/app/View/CorrelationExclusions/top_correlations.ctp b/app/View/CorrelationExclusions/top_correlations.ctp
index ea6f6c13f..14982404f 100644
--- a/app/View/CorrelationExclusions/top_correlations.ctp
+++ b/app/View/CorrelationExclusions/top_correlations.ctp
@@ -28,7 +28,7 @@
                     'data_path' => 'Correlation.count'
                 ]
             ],
-            'title' => empty($ajax) ? $title_for_layout : false,
+            'title' => empty($ajax) ? h($title_for_layout) : false,
             'description' => empty($ajax) ? __('The values with the most correlation entries.') : false,
             'pull' => 'right',
             'actions' => [
diff --git a/app/View/Correlations/over_correlations.ctp b/app/View/Correlations/over_correlations.ctp
index 8b68383f1..1d2ad6b95 100644
--- a/app/View/Correlations/over_correlations.ctp
+++ b/app/View/Correlations/over_correlations.ctp
@@ -63,7 +63,7 @@ echo $this->element('genericElements/IndexTable/index_table', [
                 'element' => 'boolean'
             ]
         ],
-        'title' => empty($ajax) ? $title_for_layout : false,
+        'title' => empty($ajax) ? h($title_for_layout) : false,
         'description' => empty($ajax) ? __('The values with the most correlation entries.') : false,
         'pull' => 'right',
         'actions' => [
diff --git a/app/View/Correlations/top.ctp b/app/View/Correlations/top.ctp
index 1176f32d0..00c681dab 100644
--- a/app/View/Correlations/top.ctp
+++ b/app/View/Correlations/top.ctp
@@ -43,7 +43,7 @@
                     'class' => 'shortish'
                 ]
             ],
-            'title' => empty($ajax) ? $title_for_layout : false,
+            'title' => empty($ajax) ? h($title_for_layout) : false,
             'description' => empty($ajax) ? __('The values with the most correlation entries.') : false,
             'pull' => 'right',
             'actions' => [
diff --git a/app/View/Layouts/Emails/html/default.ctp b/app/View/Layouts/Emails/html/default.ctp
index bab97d110..243dece79 100644
--- a/app/View/Layouts/Emails/html/default.ctp
+++ b/app/View/Layouts/Emails/html/default.ctp
@@ -19,7 +19,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
 <html>
 <head>
-    <title><?php echo $title_for_layout;?></title>
+    <title><?php echo h($title_for_layout);?></title>
 </head>
 <body>
     <?php echo $this->fetch('content');?>
diff --git a/app/View/Layouts/default.ctp b/app/View/Layouts/default.ctp
index e9dadf3e0..886b1cff2 100644
--- a/app/View/Layouts/default.ctp
+++ b/app/View/Layouts/default.ctp
@@ -5,7 +5,7 @@
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width">
     <link rel="shortcut icon" href="<?= $baseurl ?>/img/favicon.png">
-    <title><?= $title_for_layout, ' - ', h(Configure::read('MISP.title_text') ?: 'MISP') ?></title>
+    <title><?= h($title_for_layout), ' - ', h(Configure::read('MISP.title_text') ?: 'MISP') ?></title>
     <?php
         $css = [
             ['bootstrap', ['preload' => true]],
diff --git a/app/View/Layouts/error.ctp b/app/View/Layouts/error.ctp
index 75aa10050..89f37722e 100644
--- a/app/View/Layouts/error.ctp
+++ b/app/View/Layouts/error.ctp
@@ -24,7 +24,7 @@ $cakeDescription = __d('cake_dev', 'CakePHP: the rapid development php framework
     <?php echo $this->Html->charset(); ?>
     <title>
         <?php echo $cakeDescription ?>:
-        <?php echo $title_for_layout; ?>
+        <?php echo h($title_for_layout); ?>
     </title>
     <?php
         echo $this->Html->meta('icon');