diff --git a/UI/Templates/UIxAclEditor.wox b/UI/Templates/UIxAclEditor.wox
index d567d39d7..4435b6914 100644
--- a/UI/Templates/UIxAclEditor.wox
+++ b/UI/Templates/UIxAclEditor.wox
@@ -38,7 +38,7 @@
-
+ >
-
diff --git a/UI/WebServerResources/UIxAclEditor.js b/UI/WebServerResources/UIxAclEditor.js
index 66b4b6837..035e6ecee 100644
--- a/UI/WebServerResources/UIxAclEditor.js
+++ b/UI/WebServerResources/UIxAclEditor.js
@@ -41,7 +41,7 @@ function addUser(userName, userID, type) {
var url = window.location.href;
var elements = url.split("/");
elements[elements.length-1] = ("addUserInAcls?uid="
- + encodeURIComponent(userID));
+ + encodeURIComponent(userID.unescapeHTML()));
triggerAjaxRequest(elements.join("/"), addUserCallback, newNode);
result = true;
}
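Review bot: The new `userID.unescapeHTML()` decodes HTML entities in a value that, where it is read from a DOM attribute or property, the HTML parser has already decoded, so an id that legitimately contains `&amp;` or `&lt;` would be decoded a second time before it is URL-encoded; the same applies to the `unescapeHTML()` calls added in nodeForUser, onUserRemove, openRightsForUser and onUserNodeToggle. If the template deliberately emits the ids double-escaped, that deserves a one-line comment at the first call site (e.g. `// ids are emitted HTML-escaped by the template; decode before use`), otherwise the decode belongs only where the value is known to still carry entities. `unescapeHTML` is a Prototype String extension and throws on null or undefined, so call sites that obtain the id via `getAttribute` need a guard for a missing attribute. Passing the decoded id through `encodeURIComponent` keeps the query string intact regardless, which is the right shape for the request. addUser starts before the hunk.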
@@ -91,7 +91,7 @@ function nodeForUser(userName, userId, canSubscribe) {
var span = createElement("span");
span.addClassName("userFullName");
- span.appendChild(document.createTextNode(" " + userName));
+ span.appendChild(document.createTextNode(" " + userName.unescapeHTML()));
node.appendChild(span);
if (canSubscribe) {
@@ -135,9 +135,9 @@ function onUserRemove(event) {
var baseURL = elements.join("/");
for (var i = 0; i < nodes.length; i++) {
- var userId = nodes[i].id;
+ var userId = nodes[i].id.unescapeHTML();
if (userId != defaultUserID && userId != "anonymous") {
- triggerAjaxRequest(baseURL + userId, removeUserCallback,
+ triggerAjaxRequest(baseURL + encodeURIComponent(userId), removeUserCallback,
nodes[i]);
}
}
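Review bot: The comparison on the line after the new `unescapeHTML()` call now tests the decoded id against `defaultUserID`; if `defaultUserID` is itself assigned from an escaped attribute (its assignment is outside the hunk), the default user would no longer be skipped and a remove request would be sent for it, so this is worth confirming against the place it is set. The `encodeURIComponent(userId)` on the request path is the right fix for ids containing `/`, `?` or `#`. For style, the loose comparisons on that line should be strict: `if (userId !== defaultUserID && userId !== "anonymous") {`. onUserRemove starts before the hunk and continues after it.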
@@ -159,7 +159,7 @@ function subscribeToFolder(refreshCallback, refreshCallbackData) {
function openRightsForUserID(userID) {
var url = window.location.href;
var elements = url.split("/");
- elements[elements.length-1] = "userRights?uid=" + userID;
+ elements[elements.length-1] = "userRights?uid=" + encodeURIComponent(userID);
var height = AclEditor.userRightsHeight;
if (userID == "anonymous") {
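Review bot: If `userID` can be null (callers pass the result of `getAttribute`), `encodeURIComponent(null)` on the changed line silently yields the string `"null"` and the request would target a user with that literal name; an early return before the URL is built avoids that. The `userID == "anonymous"` check two lines later correctly compares the raw, not the encoded, value, but should use strict equality: `if (userID === "anonymous") {`. openRightsForUserID continues past the hunk.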
@@ -178,7 +178,7 @@ function openRightsForUserID(userID) {
function openRightsForUser(button) {
var nodes = $("userList").getSelectedRows();
if (nodes.length > 0)
- openRightsForUserID(nodes[0].getAttribute("id"));
+ openRightsForUserID(nodes[0].getAttribute("id").unescapeHTML());
return false;
}
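Review bot: `nodes[0].getAttribute("id")` on the changed line returns null when the selected row has no id attribute, and `null.unescapeHTML()` then throws a TypeError inside a click handler instead of the quiet no-op the `return false` suggests; splitting the call, `var id = nodes[0].getAttribute("id");` followed by `if (id) openRightsForUserID(id.unescapeHTML());`, keeps the handler from throwing. Reading `nodes[0].id` as onUserRemove does would also be more consistent with the other call sites in this file.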
diff --git a/UI/WebServerResources/UIxContactsUserFolders.js b/UI/WebServerResources/UIxContactsUserFolders.js
index 49689e2f5..3a8eb238b 100644
--- a/UI/WebServerResources/UIxContactsUserFolders.js
+++ b/UI/WebServerResources/UIxContactsUserFolders.js
@@ -117,7 +117,7 @@ function buildUsersTree(treeDiv, response) {
function onUserNodeToggle(event) {
this.stopObserving("click", onUserNodeToggle);
- var person = this.parentNode.getAttribute("dataname");
+ var person = this.parentNode.getAttribute("dataname").unescapeHTML();
var url = (UserFolderURLForUser(person) + "foldersSearch"
+ "?type=" + window.opener.userFolderType);
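Review bot: The decoded `person` value is passed straight into `UserFolderURLForUser(person)` on the line after the change, and it is not visible here whether that helper URL-encodes its argument; the other hunks in this commit wrap user ids in `encodeURIComponent` before placing them in a URL, so unless the helper does so a `/`, `?` or `#` in the id would alter the request path. As in the other call sites, `getAttribute("dataname")` returning null makes the new `.unescapeHTML()` throw, so a guard before the call is worth adding. onUserNodeToggle continues past the hunk.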
diff --git a/UI/WebServerResources/dtree.js b/UI/WebServerResources/dtree.js
index 958c033a5..0a874b67a 100644
--- a/UI/WebServerResources/dtree.js
+++ b/UI/WebServerResources/dtree.js
@@ -12,11 +12,7 @@
/* The content of attribute values should be quoted properly by using the
equivalent entities. */
function dTreeQuote(str) {
- return (str
- .replace(/&/g, "&")
- .replace(/