diff --git a/NEWS b/NEWS
index 029c86ece..c506f572e 100644
--- a/NEWS
+++ b/NEWS
@@ -4,7 +4,8 @@
 Bug fixes
 - [web] fixed generic avatar in lists (#3719)
 - [web] fixed validation in Sieve filter editor
- - [web] properly encode events and tasks rawsource to avoid XSS issues (#3718)
+ - [web] properly encode rawsource of events and tasks to avoid XSS issues (#3718)
+ - [web] properly encode rawsource of cards to avoid XSS issues
 3.1.2 (2016-06-06)
 ------------------
diff --git a/UI/Contacts/UIxContactActions.m b/UI/Contacts/UIxContactActions.m
index 87c5d769f..75182fe55 100644
--- a/UI/Contacts/UIxContactActions.m
+++ b/UI/Contacts/UIxContactActions.m
@@ -20,6 +20,8 @@
 #import
+#import
+
 #import
 #import
 #import
@@ -140,7 +142,7 @@
 [content appendFormat: @"%@", [[self clientObject] contentAsString]];
 [response setHeader: @"text/plain; charset=utf-8" forKey: @"content-type"];
- [response appendContentString: content];
+ [response appendContentString: [content stringByEscapingHTMLString]];
 return response;
 }
diff --git a/UI/Templates/ContactsUI/UIxContactViewTemplate.wox b/UI/Templates/ContactsUI/UIxContactViewTemplate.wox
index 6be21e509..c32b74e34 100644
--- a/UI/Templates/ContactsUI/UIxContactViewTemplate.wox
+++ b/UI/Templates/ContactsUI/UIxContactViewTemplate.wox
@@ -192,7 +192,7 @@
-
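Review bot: Applying `stringByEscapingHTMLString` to `content` right before `appendContentString:` in the second UIxContactActions.m hunk rewrites the body of a response that the line above declares as `text/plain; charset=utf-8`, so every consumer of this action now receives `&amp;`, `&lt;` and `&gt;` entities instead of the card's raw source, and a client that still interpolates the string through an escaping binding (the `{{editor.rawSource}}` on the old template line) would show it double-encoded. The more robust boundary is the rendering side: leave this action returning the unmodified source and encode where the template inserts it into the DOM, which is what the UIxContactViewTemplate.wox hunk appears to change, though that hunk is cut off at the end of the page so I cannot confirm it. If the worry is a browser sniffing the text/plain body as HTML, that is addressed by adding `X-Content-Type-Options: nosniff` next to the existing `setHeader:forKey:` call rather than by altering the payload. The method containing this hunk begins before the hunk, and the header added in the first hunk has lost its name in this rendering, so I cannot verify it is the one that declares `stringByEscapingHTMLString`.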
{{editor.rawSource}}
+