diff --git a/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java b/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java
index 5031dd8ec73d225bbbb37703e9b068910c842c39..751187faf9612a55acfb8992c2c482ec10031415 100644
--- a/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java
+++ b/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java
@@ -855,7 +855,7 @@ public class BaseFullWebappController extends BasicController implements Generic
 			getWindowControl().setError(translate("warn.tabsfull"));
 			return null;
 		}
-		DTabImpl dt = new DTabImpl(ores, repoOres, StringHelper.escapeHtml(title), getWindowControl());
+		DTabImpl dt = new DTabImpl(ores, repoOres, title, getWindowControl());
 		return dt;
 	}
 
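Review bot: With `StringHelper.escapeHtml(title)` removed here, `DTabImpl` now holds the raw title, and the only escaping this commit adds is on the nav link display text in the second hunk. Every other reader of `dt.getTitle()` or `getNavElement().getTitle()` now receives unescaped text; those call sites are not visible in this diff and should be checked for HTML output. I would record the new contract on this line, for example `// title is stored unescaped; callers must encode it for their output context`. The enclosing method starts above the hunk.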
@@ -891,7 +891,7 @@ public class BaseFullWebappController extends BasicController implements Generic
 			dtabs.add(dt);
 			dtabsLinkNames.add(Integer.toString(dtabCreateCounter));
 			Link link = LinkFactory.createCustomLink("a" + dtabCreateCounter, "a" + dtabCreateCounter, "", Link.NONTRANSLATED, navVc, this);
-			link.setCustomDisplayText(((DTabImpl) dt).getNavElement().getTitle());
+			link.setCustomDisplayText(StringHelper.escapeHtml(dt.getNavElement().getTitle()));
 			link.setTitle(dt.getTitle());
 			link.setUserObject(dt);
 			// Set accessibility access key using the 's' key. You can loop through all opened tabs by
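Review bot: `link.setTitle(dt.getTitle())`, directly below the changed line, now passes the unescaped title, because the constructor-side escaping was dropped in the first hunk. Whether `Link`'s renderer attribute-encodes the title is not visible here. If it does not, this line needs the same treatment as the display text: `link.setTitle(StringHelper.escapeHtml(dt.getTitle()));`. If it does, a short comment saying so would explain why the two adjacent calls differ. The surrounding method continues past the end of the hunk.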
diff --git a/src/main/java/org/olat/core/commons/fullWebApp/_content/nav.html b/src/main/java/org/olat/core/commons/fullWebApp/_content/nav.html
index 1cc280a37cddda334a5758ddaeff447368d596ea..96eff9ece6ea1d2677319f35051221f05632cd5e 100644
--- a/src/main/java/org/olat/core/commons/fullWebApp/_content/nav.html
+++ b/src/main/java/org/olat/core/commons/fullWebApp/_content/nav.html
@@ -47,7 +47,7 @@
 #if($pageTitle)
 	<script type="text/javascript">
 	/* <![CDATA[ */ 
-		document.title = "$r.translate("page.appname") - $r.escapeDoubleQuotes($pageTitle)";
+		document.title = "$r.translate("page.appname") - $r.escapeDoubleQuotes($r.xssScan($pageTitle))";
 	/* ]]> */
 	</script>
 #end
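Review bot: `$pageTitle` is emitted inside a JavaScript string literal on the `document.title` line, but both filters applied to it look HTML-oriented: `xssScan` appears to be an HTML sanitiser and `escapeDoubleQuotes`, going by its name, handles only the quote character. Neither is visibly responsible for backslashes, line terminators or a `</script>` / `]]>` sequence, which are the characters that matter in this context. The value should be encoded for a JavaScript string at this point, using a JS-string encoder if the render helper offers one, or the title should be set from text the browser never parses as script. HTML sanitising may also leave entities such as `&amp;` in the value, which `document.title` would display literally.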