-<h2><%= t 'trace.view.heading', :name => @trace.name %></h2>
+<h2><%= t 'trace.view.heading', :name => h(@trace.name) %></h2>
<% if @trace.inserted %>
<img src="<%= url_for :controller => 'trace', :action => 'picture', :id => @trace.id, :display_name => @trace.user.display_name %>">
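Review bot: The escape on the heading is applied by hand at this one call site, so any other place that interpolates `@trace.name` or another user-supplied trace field into a translation or into markup still depends on each author remembering `h()`; the rest of this view is outside the hunk and should be checked for the same pattern. On the `<img>` line, `@trace.user.display_name` reaches the `src` attribute only through `url_for`, so it relies on that helper's encoding rather than on `h()`, which is worth confirming for the Rails version in use. A short comment above the heading would keep the escape from being dropped in a later edit, e.g. `<%# trace name is user-supplied: escape before interpolating into the translation %>`. The `<% if @trace.inserted %>` block continues past the end of the hunk.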