diff --git a/apps/common/main/lib/view/ReviewPopover.js b/apps/common/main/lib/view/ReviewPopover.js
index 466226e0d..c2f1a922d 100644
--- a/apps/common/main/lib/view/ReviewPopover.js
+++ b/apps/common/main/lib/view/ReviewPopover.js
@@ -1118,7 +1118,7 @@ define([
return (item.email && 0 === item.email.toLowerCase().indexOf(str) || item.name && 0 === item.name.toLowerCase().indexOf(str))
});
}
- var tpl = _.template('<%= caption %>
<%= options.value %>
'),
+ var tpl = _.template('<%= Common.Utils.String.htmlEncode(caption) %>
<%= Common.Utils.String.htmlEncode(options.value) %>
'),
divider = false;
_.each(users, function(menuItem, index) {
if (divider && !menuItem.hasAccess) {