diff --git a/extensions/admin_ui/controllers/xssrays/xssrays.rb b/extensions/admin_ui/controllers/xssrays/xssrays.rb
index 6ca9e6d34..ef9a7a5b6 100644
--- a/extensions/admin_ui/controllers/xssrays/xssrays.rb
+++ b/extensions/admin_ui/controllers/xssrays/xssrays.rb
@@ -55,13 +55,22 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
 'id' => log.id,
 'vector_method' => log.vector_method,
 'vector_name' => log.vector_name,
- 'vector_poc' => log.vector_poc
+ 'vector_poc' => escape_for_html(log.vector_poc)
 }
 }
 @body = {'success' => 'true', 'logs' => logs}.to_json
 end
+ def escape_for_html(str)
+ str.gsub!(//, '>')
+ str.gsub!(/\u0022/, '"')
+ str.gsub!(/\u0027/, ''')
+ str.gsub!(/\\/, '\')
+ str
+ end
 # called by the UI. needed to pass the hooked browser ID/session and store a new scan in the DB
 def set_scan_target
 hooked_browser = HB.first(:session => @params['hb_id'].to_s)
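Review bot: `escape_for_html` mutates its argument with `gsub!`, so it rewrites the very String object `log.vector_poc` hands it (presumably the record's own attribute value) and raises `NoMethodError` when that column is nil or `FrozenError` when the value is frozen; as rendered here the first pattern is also the empty regex `//`, which matches at every character boundary, so if that is not extraction damage the output is garbled rather than escaped — confirm what the committed line actually reads. The standard-library escaper is non-mutating, nil-safe through `to_s`, and also encodes `&`, which the hand-rolled list does not: `CGI.escapeHTML(str.to_s)` (with `require 'cgi'` in the file's require block), keeping a separate non-bang `gsub` for the backslash only if a downstream consumer really needs it encoded. Since the helper is not a UI action, it belongs below `private` rather than among the public controller methods. The `logs` mapping block that the first changed line sits in starts outside the hunk.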