diff --git a/ddportfolioservice/lib/helpers.py b/ddportfolioservice/lib/helpers.py
index 79d12f4..bf113c2 100644
--- a/ddportfolioservice/lib/helpers.py
+++ b/ddportfolioservice/lib/helpers.py
@@ -27,6 +27,7 @@ available to Controllers. This module is available to both as 'h'.
 """
 from webhelpers import *
 from webhelpers.html.tags import *
+from webhelpers.html.builder import escape
 from webhelpers.text import *
 from webhelpers.textile import *
 from routes.util import *
diff --git a/ddportfolioservice/templates/showform.mako b/ddportfolioservice/templates/showform.mako
index a520ae1..0458394 100644
--- a/ddportfolioservice/templates/showform.mako
+++ b/ddportfolioservice/templates/showform.mako
@@ -36,10 +36,11 @@ ${h.form(h.url_for(action='urllist'), method='get')}
     <label for="email">${_('Email address:')}
       % if 'email' in c.messages['errors']:
       <br />
-      <span class="errormsg">${c.messages['errors']['email']}</span>
+      <span class="errormsg">${c.messages['errors']['email'] | h}</span>
       % endif
     </label><br />
-    ${h.text('email', request.params.get('email', None), id='email')}<br />
+    ${h.text('email',
+             h.escape(request.params.get('email', None), True), id='email')}<br />
   </div>
   <div id="namefield" \
        % if 'name' in c.messages['errors']:
@@ -49,20 +50,22 @@ ${h.form(h.url_for(action='urllist'), method='get')}
     <label for="name">${_('Name:')}
       % if 'name' in c.messages['errors']:
       <br />
-      <span class="errormsg">${c.messages['errors']['name']}</span>
+      <span class="errormsg">${c.messages['errors']['name'] | h}</span>
       % endif
     </label><br />
-    ${h.text('name', request.params.get('name', None), id='name')}<br />
+    ${h.text('name',
+             h.escape(request.params.get('name', None)), id='name')}<br />
   </div>
   <div id="gpgfpfield" class="hidden">
     <label for="gpgfp">${_('GPG fingerprint:')}
       % if 'gpgfp' in c.messages['errors']:
       <br />
-      <span class="errormsg">${c.messages['errors']['gpgfp']}</span>
+      <span class="errormsg">${c.messages['errors']['gpgfp'] | h}</span>
       % endif
     </label><br />
-    ${h.text('gpgfp', request.params.get('gpgfp', None),
-    id='gpgfp', readonly='readonly')}<br />
+    ${h.text('gpgfp',
+             h.escape(request.params.get('gpgfp', None)),
+             id='gpgfp', readonly='readonly')}<br />
   </div>
   <div id="usernamefield" \
        % if 'username' in c.messages['errors']:
@@ -72,25 +75,27 @@ ${h.form(h.url_for(action='urllist'), method='get')}
     <label for="username">${_('Debian user name:')}
       % if 'username' in c.messages['errors']:
       <br />
-      <span class="errormsg">${c.messages['errors']['username']}</span>
+      <span class="errormsg">${c.messages['errors']['username'] | h}</span>
       % endif
     </label><br />
-    ${h.text('username', request.params.get('username', None),
-    id='username')}<br />
+    ${h.text('username',
+             h.escape(request.params.get('username', None)),
+             id='username')}<br />
   </div>
   <div id="nonddemailfield" \
        % if 'nonddemail' in c.messages['errors']:
        class="witherrors" \
        % endif
        >
-    <label for="nonddemail">${_('Non DD email address:')}
+    <label for="nonddemail">${_('Non DD email address:') | h}
       % if 'nonddemail' in c.messages['errors']:
       <br />
-      <span class="errormsg">${c.messages['errors']['nonddemail']}</span>
+      <span class="errormsg">${c.messages['errors']['nonddemail'] | h}</span>
       % endif
     </label><br />
-    ${h.text('nonddemail', request.params.get('nonddemail', None),
-    id='nonddemail')}<br />
+    ${h.text('nonddemail',
+             h.escape(request.params.get('nonddemail', None)),
+             id='nonddemail')}<br />
   </div>
   <div id="aliothusernamefield" \
        % if 'aliothusername' in c.messages['errors']:
@@ -101,17 +106,18 @@ ${h.form(h.url_for(action='urllist'), method='get')}
       % if 'aliothusername' in c.messages['errors']:
       <br />
       <span
-         class="errormsg">${c.messages['errors']['aliothusername']}</span>
+         class="errormsg">${c.messages['errors']['aliothusername'] | h}</span>
       % endif
     </label><br />
-    ${h.text('aliothusername', request.params.get('username', None),
-    id='aliothusername')}<br />
+    ${h.text('aliothusername',
+             h.escape(request.params.get('username', None)),
+             id='aliothusername')}<br />
   </div>
   <div id="modefield">
     <label for="mode_html">${_('Output format:')}
       % if 'mode' in c.messages['errors']:
       <br />
-      <span class="errormsg">${c.messages['errors']['mode']}</span>
+      <span class="errormsg">${c.messages['errors']['mode'] | h}</span>
       % endif
     </label><br />
     ${_('HTML')}&#160;${h.radio('mode', 'html',