diff --git a/htdocs/artefact/blog/lib.php b/htdocs/artefact/blog/lib.php
index c904f3e143829828acbc47a6acb9b321b1206dff..c473c058258bb831fdd5af6219ba212c7a04705f 100644
--- a/htdocs/artefact/blog/lib.php
+++ b/htdocs/artefact/blog/lib.php
@@ -520,7 +520,7 @@ class ArtefactTypeBlog extends ArtefactType {
         global $THEME;
 
         $confirm = get_string('deleteblog?', 'artefact.blog');
-
+        $title = hsc($title);
         // Check if this blog has posts.
         $postcnt = count_records_sql("
             SELECT COUNT(*)
@@ -1133,6 +1133,7 @@ class ArtefactTypeBlogPost extends ArtefactType {
             $post = new ArtefactTypeBlogPost($id);
             $published = $post->published;
         }
+        $title = hsc($title);
         if ($published) {
             $strchangepoststatus = '<span class="icon icon-times icon-lg left text-danger" role="presentation" aria-hidden="true"></span> ' .get_string('unpublish', 'artefact.blog');
         }
@@ -1164,6 +1165,7 @@ class ArtefactTypeBlogPost extends ArtefactType {
     }
 
     public static function delete_form($id, $title = '') {
+        $title = hsc($title);
         global $THEME;
         return pieform(array(
             'name' => 'delete_' . $id,