diff --git a/TESTING.README.LATEST b/TESTING.README.LATEST
index 5a9c3778dd690cec7a0c899ef176f482af659f6c..592e1b68135524f561b33220015da295a502f627 100644
--- a/TESTING.README.LATEST
+++ b/TESTING.README.LATEST
@@ -75,6 +75,9 @@ junit and integration tests in OpenOLAT 8
 	mvn -Parquillian surefire:test
 
 You can add "clean-mysql-dbsetup" to the profils to drop / restore the database
+The Selenium tests can be run with different browser but with some limitations:
+- Chrome cannot do an upload
+- Selenium need Firefox version 17
 
 * Execute a single selenium functional integration test in Eclipse
 -----------------------------------------
diff --git a/src/main/java/org/olat/course/nodes/iq/IQRunController.java b/src/main/java/org/olat/course/nodes/iq/IQRunController.java
index c1ae962367a500e0b70aeaf18d56f355b68e33bd..947f586c6943d03560c50c39ff0a3191984a135a 100644
--- a/src/main/java/org/olat/course/nodes/iq/IQRunController.java
+++ b/src/main/java/org/olat/course/nodes/iq/IQRunController.java
@@ -54,6 +54,7 @@ import org.olat.core.logging.AssertException;
 import org.olat.core.logging.OLATRuntimeException;
 import org.olat.core.logging.activity.ThreadLocalUserActivityLogger;
 import org.olat.core.util.Formatter;
+import org.olat.core.util.StringHelper;
 import org.olat.core.util.UserSession;
 import org.olat.core.util.event.EventBus;
 import org.olat.core.util.event.GenericEventListener;
@@ -184,14 +185,13 @@ public class IQRunController extends BasicController implements GenericEventList
 		RepositoryEntry re = courseNode.getReferencedRepositoryEntry();
 		//re could be null, but if we are here it should not be null!
 		Roles userRoles = ureq.getUserSession().getRoles();
-		boolean showAll = false;
-		showAll = userRoles.isAuthor() || userRoles.isOLATAdmin();
+		boolean showAll = userRoles.isAuthor() || userRoles.isOLATAdmin();
 		//get changelog
 		Formatter formatter = Formatter.getInstance(ureq.getLocale());
 		ImsRepositoryResolver resolver = new ImsRepositoryResolver(re.getKey());
 		QTIChangeLogMessage[] qtiChangeLog = resolver.getDocumentChangeLog();
 		StringBuilder qtiChangelog = new StringBuilder();
-		Date msgDate = null;
+
 		if(qtiChangeLog.length>0){
 			//there are resource changes
 			Arrays.sort(qtiChangeLog);
@@ -199,15 +199,17 @@ public class IQRunController extends BasicController implements GenericEventList
 				//show latest change first
 				if(!showAll && qtiChangeLog[i].isPublic()){
 					//logged in person is a normal user, hence public messages only
-					msgDate=new Date(qtiChangeLog[i].getTimestmp());
+					Date msgDate = new Date(qtiChangeLog[i].getTimestmp());
 					qtiChangelog.append("\nChange date: ").append(formatter.formatDateAndTime(msgDate)).append("\n");
-					qtiChangelog.append(qtiChangeLog[i].getLogMessage());
+					String msg = StringHelper.escapeHtml(qtiChangeLog[i].getLogMessage());
+					qtiChangelog.append(msg);
 					qtiChangelog.append("\n********************************\n");
 				}else if (showAll){
 					//logged in person is an author, olat admin, owner, show all messages
-					msgDate=new Date(qtiChangeLog[i].getTimestmp());
+					Date msgDate = new Date(qtiChangeLog[i].getTimestmp());
 					qtiChangelog.append("\nChange date: ").append(formatter.formatDateAndTime(msgDate)).append("\n");
-					qtiChangelog.append(qtiChangeLog[i].getLogMessage());
+					String msg = StringHelper.escapeHtml(qtiChangeLog[i].getLogMessage());
+					qtiChangelog.append(msg);
 					qtiChangelog.append("\n********************************\n");
 				}//else non public messages are not shown to normal user
 			}
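Review bot: The new `StringHelper.escapeHtml(...)` call is duplicated in two branches whose bodies are now identical line for line, so a later edit can drop the output encoding from one path while the other keeps it. The two branches can be folded into a single condition, `if (showAll || qtiChangeLog[i].isPublic()) {`, which is logically equivalent and keeps the escaping of the change-log message in one place. A short comment such as `// change-log text is stored user input: HTML-escape before it reaches the view` would record why the call is there (that the message is user-entered is presumed from the fix, not shown here). Where `qtiChangelog` is finally rendered is not visible in this hunk, so it is worth confirming that the sink is an HTML body context rather than an attribute or script context, where this encoding alone would not be enough. The enclosing method starts and ends outside the hunk.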