diff --git a/content/js/generic/index.js b/content/js/generic/index.js
index f2419f8..5c95d65 100644
--- a/content/js/generic/index.js
+++ b/content/js/generic/index.js
@@ -21,7 +21,7 @@ async function main() {
},
3: {
"type": 'ok',
- "text": `Found user account: ${localStorage.getItem('username')}`
+ "text": `Found user account: ${localStorage.getItem('username') ? escape_HTML(localStorage.getItem('username')) : ''}`
},
4: {
"type": 'ok',
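Review bot: The null guard added on the `text` line exists only at this call site, and it reads `localStorage.getItem('username')` twice to get it. The `su` and `whoami` changes in content/js/shell/func.js pass the raw `getItem` result straight to `escape_HTML`, and since `escape_HTML` is not defined in this diff it is unclear whether it tolerates `null`. Reading the value once with a fallback, e.g. `const username = escape_HTML(localStorage.getItem('username') || '');`, and reusing that pattern in all three places would keep the behaviour consistent. `main()` starts and ends outside this hunk, so where such a constant would live is not visible here.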
diff --git a/content/js/shell/func.js b/content/js/shell/func.js
index c74bd78..aa8bb2b 100644
--- a/content/js/shell/func.js
+++ b/content/js/shell/func.js
@@ -117,7 +117,7 @@ function su(cmd) {
if (cmd[0]) {
if (cmd[0] == '.') {
root = !root
- return `Switched to the ${root ? 'root' : localStorage.getItem('username')} user.`
+ return `Switched to the ${root ? 'root' : escape_HTML(localStorage.getItem('username'))} user.`
} else {
root = true;
let ret = 'Command not found';
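Review bot: Escaping the username inside the string that `su` returns is only correct if every consumer of that string renders it as HTML; the same applies to the `whoami` return value in the next hunk. The output sink is not visible in this diff, so it is worth confirming that nothing compares `whoami()` against a stored name or writes it through `textContent`, where the entities would show up literally. A comment on the changed line would record the assumption, for example `// username is user-controlled (localStorage); escaped because command output is rendered as HTML`. `su`'s body continues outside the hunk.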
@@ -163,7 +163,7 @@ function passwd() {
function whoami() {
- return root ? "root" : window.localStorage.getItem("username");
+ return root ? "root" : escape_HTML(window.localStorage.getItem("username"));
}