diff --git a/src/registrar/admin.py b/src/registrar/admin.py
index 4b36c9589..e3bd5c9f7 100644
--- a/src/registrar/admin.py
+++ b/src/registrar/admin.py
@@ -3068,11 +3068,11 @@ def display_admins(self, obj):
for portfolio_admin in admins:
change_url = reverse("admin:registrar_user_change", args=[portfolio_admin.pk])
admin_details += "
"
- admin_details += f'{portfolio_admin}
'
- admin_details += f"{portfolio_admin.title}
"
- admin_details += f"{portfolio_admin.email}"
+ admin_details += f'{escape(portfolio_admin)}
'
+ admin_details += f"{escape(portfolio_admin.title)}
"
+ admin_details += f"{escape(portfolio_admin.email)}"
admin_details += ""
- admin_details += f""
+ admin_details += f""
admin_details += (
""
admin_details += "
"
- admin_details += f"{portfolio_admin.phone}"
+ admin_details += f"{escape(portfolio_admin.phone)}"
admin_details += ""
return format_html(admin_details)
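Review bot: Wrapping the fields in escape() closes the HTML-injection gap, but `return format_html(admin_details)` still pushes the assembled string through str.format(), and escape() does not neutralise `{` or `}` — a title, email or phone containing a brace will raise KeyError/ValueError (or be silently reformatted) when the admin page renders; the same applies to `return format_html(member_details)` at the end of the display_members hunk. Calling format_html() with a pre-built string and no args/kwargs is deprecated in Django 5.0 for exactly this reason. The smallest fix, now that every interpolated value is escaped by hand, is `return mark_safe(admin_details)` (from django.utils.safestring); the cleaner fix is to build each row with `format_html("…{}…", value)` or format_html_join so the API escapes the arguments, which would also cover `change_url`, whose surrounding markup is not visible here. Both display_admins and display_members start above their hunks, so the origin of `admins` / `members` could not be checked.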
@@ -3108,13 +3108,13 @@ def display_members(self, obj):
for member in members:
full_name = member.get_formatted_name()
member_details += ""
- member_details += f"{full_name} | "
- member_details += f"{member.title} | "
- member_details += f"{member.email} | "
- member_details += f"{member.phone} | "
+ member_details += f"{escape(full_name)} | "
+ member_details += f"{escape(member.title)} | "
+ member_details += f"{escape(member.email)} | "
+ member_details += f"{escape(member.phone)} | "
member_details += ""
for role in member.portfolio_role_summary(obj):
- member_details += f"{role} "
+ member_details += f"{escape(role)} "
member_details += " |
"
member_details += ""
return format_html(member_details)