diff -r f4eb5d125e58 -r 607712fb3c66 src/server/plugins/postgresql/service.c
--- a/src/server/plugins/postgresql/service.c	Thu Jan 27 15:50:42 2022 +0100
+++ b/src/server/plugins/postgresql/service.c	Thu Jan 27 18:46:38 2022 +0100
@@ -76,7 +76,12 @@
     if(nfields > 0) {
         net_printf(sn->csd, "<table>\n<tr>\n");
         for(int i=0;i<nfields;i++) {
-            net_printf(sn->csd, "<th>%s</th>\n", PQfname(result, i));
+            char *fieldName = PQfname(result, i);
+            char *fieldNameEscaped = util_html_escape(fieldName);
+            if(fieldNameEscaped) {
+                net_printf(sn->csd, "<th>%s</th>\n", fieldNameEscaped);
+                FREE(fieldNameEscaped);
+            }
         }
         net_printf(sn->csd, "</tr>\n");
         
@@ -84,7 +89,12 @@
         for(int r=0;r<nrows;r++) {
             net_printf(sn->csd, "<tr>\n");
             for(int c=0;c<nfields;c++) {
-                net_printf(sn->csd, "<td>%s</td>\n", PQgetvalue(result, r, c));
+                char *fieldValue = PQgetvalue(result, r, c);
+                char *fieldValueEscaped = util_html_escape(fieldValue);
+                if(fieldValueEscaped) {
+                    net_printf(sn->csd, "<td>%s</td>\n", fieldValueEscaped);
+                    FREE(fieldValueEscaped);
+                }
             }
             net_printf(sn->csd, "</tr>\n");
         }