diff --git a/webapp/themes/vitro/templates/head.ftl b/webapp/themes/vitro/templates/head.ftl
index 94a035cb4..6bd70bf0c 100644
--- a/webapp/themes/vitro/templates/head.ftl
+++ b/webapp/themes/vitro/templates/head.ftl
@@ -4,7 +4,7 @@
 <!-- Google Chrome Frame open source plug-in brings Google Chrome's open web technologies and speedy JavaScript engine to Internet Explorer-->
 <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
 
-<title>${siteName!}</title>
+<title>${(title?html)!siteName!}</title>
 
 <#include "stylesheets.ftl">
 <link rel="stylesheet" href="${urls.theme}/css/screen.css" />
diff --git a/webapp/web/templates/freemarker/page/partials/pageSetup.ftl b/webapp/web/templates/freemarker/page/partials/pageSetup.ftl
index 48c4c46b3..be51b0745 100644
--- a/webapp/web/templates/freemarker/page/partials/pageSetup.ftl
+++ b/webapp/web/templates/freemarker/page/partials/pageSetup.ftl
@@ -6,8 +6,10 @@ the domain of the controllers. -->
 
 <#assign bodyClasses>
     <#-- The compress directives and formatting here resolve whitespace issues in output; please do not alter them. -->
+    <#-- Add the ?html builtin to currentServlet to guard against hacks. 
+         Otherwise, the servletPath portion of the URL is rendered verbatim into the HTML -->
     <#compress>
-    <#assign bodyClassList = [currentServlet!]>
+    <#assign bodyClassList = [(currentServlet?html)!]>
     
     <#if user.loggedIn> 
         <#assign bodyClassList = bodyClassList + ["loggedIn"]/>