diff --git a/src/home/room_screen.rs b/src/home/room_screen.rs
index dc42a462..0b163415 100644
--- a/src/home/room_screen.rs
+++ b/src/home/room_screen.rs
@@ -3784,7 +3784,7 @@ fn populate_file_message_content(
     file_content: &FileMessageEventContent,
 ) -> bool {
     // Display the file name, human-readable size, caption, and a button to download it.
-    let filename = file_content.filename();
+    let filename = htmlize::escape_text(file_content.filename());
     let size = file_content
         .info
         .as_ref()
@@ -3814,7 +3814,7 @@ fn populate_audio_message_content(
     audio: &AudioMessageEventContent,
 ) -> bool {
     // Display the file name, human-readable size, caption, and a button to download it.
-    let filename = audio.filename();
+    let filename = htmlize::escape_text(audio.filename());
     let (duration, mime, size) = audio
         .info
         .as_ref()
@@ -3855,7 +3855,7 @@ fn populate_video_message_content(
     video: &VideoMessageEventContent,
 ) -> bool {
     // Display the file name, human-readable size, caption, and a button to download it.
-    let filename = video.filename();
+    let filename = htmlize::escape_text(video.filename());
     let (duration, mime, size, dimensions) = video
         .info
         .as_ref()
diff --git a/src/home/rooms_list_entry.rs b/src/home/rooms_list_entry.rs
index 093c1680..dbe78fd3 100644
--- a/src/home/rooms_list_entry.rs
+++ b/src/home/rooms_list_entry.rs
@@ -348,8 +348,8 @@ impl RoomsListEntryContent {
         // Hide the timestamp field, and use the latest message field to show the inviter.
         self.view.label(ids!(timestamp)).set_text(cx, "");
         let inviter_string = match &room_info.inviter_info {
-            Some(InviterInfo { user_id, display_name: Some(dn), .. }) => format!("Invited by <b>{dn}</b> ({user_id})"),
-            Some(InviterInfo { user_id, .. }) => format!("Invited by {user_id}"),
+            Some(InviterInfo { user_id, display_name: Some(dn), .. }) => format!("Invited by <b>{}</b> ({})", htmlize::escape_text(dn), htmlize::escape_text(user_id.as_str())),
+            Some(InviterInfo { user_id, .. }) => format!("Invited by {}", htmlize::escape_text(user_id.as_str())),
             None => String::from("You were invited"),
         };
         self.view.html_or_plaintext(ids!(latest_message)).show_html(cx, &inviter_string);