diff --git a/app/models/page.rb b/app/models/page.rb
index 9861c6e9..2c9d09ce 100644
--- a/app/models/page.rb
+++ b/app/models/page.rb
@@ -77,7 +77,7 @@ class Page < ActiveRecord::Base
 
 # Returns the original wiki-word name as separate words, so "MyPage" becomes "My Page".
 def plain_name
- web.brackets_only? ? name : WikiWords.separate(name)
+ web.brackets_only? ? CGI.escapeHTML(name) : CGI.escapHTML(WikiWords.separate(name))
 end
 
 LOCKING_PERIOD = 30.minutes
diff --git a/app/views/wiki/new.rhtml b/app/views/wiki/new.rhtml
index 967fa1d4..7acb8655 100644
--- a/app/views/wiki/new.rhtml
+++ b/app/views/wiki/new.rhtml
@@ -1,5 +1,5 @@
 <%
- @title = "Creating #{WikiWords.separate(@page_name)}"
+ @title = "Creating #{CGI.escapeHTML(WikiWords.separate(@page_name))}"
 @content_width = 720
 @hide_navigation = true
 %>
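Review bot: The added line in `plain_name` calls `CGI.escapHTML` (missing the `e`) on the non-`brackets_only?` branch, so that branch raises `NoMethodError` instead of returning an escaped name; it should read `web.brackets_only? ? CGI.escapeHTML(name) : CGI.escapeHTML(WikiWords.separate(name))`. Since this method now returns HTML-escaped text rather than the raw name, the comment above it should say so, e.g. `# Returns the wiki-word name as separate words ("MyPage" -> "My Page"), HTML-escaped for direct output.`; any caller that uses the value in a non-HTML context, or a layout that escapes it again, would presumably see entities such as `&amp;` doubled, which is worth checking before merging.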
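Review bot: `@title` is now stored already HTML-escaped in the view; that is only correct if the layout that prints `@title` does not escape it a second time, which cannot be confirmed from this hunk. A one-line comment above the assignment, `<%# @title is pre-escaped; the layout must output it without escaping again %>`, would record that dependency for whoever touches the layout.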