Index: typo3/sysext/cms/tslib/content/class.tslib_content_form.php
===================================================================
--- typo3/sysext/cms/tslib/content/class.tslib_content_form.php	(Revision 9751)
+++ typo3/sysext/cms/tslib/content/class.tslib_content_form.php	(Arbeitskopie)
@@ -203,6 +203,7 @@
 				} else {
 					$confData['fieldname'] = str_replace(' ', '_', trim($typeParts[0]));
 				}
+				$confData['fieldname'] = htmlspecialchars($confData['fieldname']);
 				$fieldCode = '';
 
 				$wrapFieldName = isset($conf['wrapFieldName'])
@@ -624,6 +625,7 @@
 
 						// Field:
 					$fieldLabel = $confData['label'];
+					$fieldLabel = t3lib_div::removeXSS($fieldLabel);
 					if ($accessibility && trim($fieldLabel) && !preg_match('/^(label|hidden|comment)$/', $confData['type'])) {
 						$fieldLabel = '<label for="' . $prefix . $fName . '">' . $fieldLabel . '</label>';
 					}