diff --git a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/viewattachrev.vm b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/viewattachrev.vm
index 63b45b51e74f..3d7b5eacef87 100644
--- a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/viewattachrev.vm
+++ b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/viewattachrev.vm
@@ -20,7 +20,7 @@
 #template("startpage.vm")
 <div class="main layoutsubsection">
 <div id="mainContentArea">
-<h3>$services.localization.render("core.viewers.attachments.revisions", [$attachment.filename])</h3>
+<h3>$services.localization.render("core.viewers.attachments.revisions", [$escapetool.xml($attachment.filename)])</h3>
 #if ("$tdoc.realLocale" != '')
 #set($lang = "&language=${tdoc.realLocale}")
 #else
@@ -40,7 +40,7 @@
   #set($url = $doc.getAttachmentRevisionURL("${attachment.filename}", ${version.toString()}))
 #end
 #if ($attachment.isImage())
-        <td><img src="${url}" alt="${attachment.filename}" width="80" />
+        <td><img src="${url}" alt="${escapetool.xml($attachment.filename)}" width="80" />
 #else
         <td class="mime">#mimetypeimg($attachment.getMimeType().toLowerCase() $attachment.getFilename().toLowerCase())
 #end