diff -Nur loggerhead-1.17/loggerhead/controllers/annotate_ui.py loggerhead-1.17.new/loggerhead/controllers/annotate_ui.py
--- loggerhead-1.17/loggerhead/controllers/annotate_ui.py	2009-08-20 23:53:02.000000000 +1000
+++ loggerhead-1.17.new/loggerhead/controllers/annotate_ui.py	2011-03-24 14:15:34.486850157 +1100
@@ -17,7 +17,6 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 #
 
-import cgi
 import os
 import time
 
@@ -71,7 +70,7 @@
                 hl_lines = highlight(file_name, file_text, encoding)
                 hl_lines.extend([u''] * (len(file_lines) - len(hl_lines)))
             else:
-                hl_lines = map(cgi.escape, file_lines)
+                hl_lines = map(util.html_escape, file_lines)
 
             change_cache = {}
 
diff -Nur loggerhead-1.17/loggerhead/templatefunctions.py loggerhead-1.17.new/loggerhead/templatefunctions.py
--- loggerhead-1.17/loggerhead/templatefunctions.py	2009-08-20 23:53:02.000000000 +1000
+++ loggerhead-1.17.new/loggerhead/templatefunctions.py	2011-03-24 14:15:34.486850157 +1100
@@ -14,8 +14,8 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 #
 
-import cgi
 import os
+import urllib
 
 import pkg_resources
 
@@ -23,6 +23,7 @@
 
 import loggerhead
 from loggerhead.zptsupport import zpt
+from loggerhead.util import html_format
 
 
 templatefunctions = {}
@@ -49,16 +50,21 @@
     if style == 'fragment':
         def file_link(filename):
             if currently_showing and filename == currently_showing:
-                return '<b><a href="#%s">%s</a></b>' % (
-                    cgi.escape(filename), cgi.escape(filename))
+                return html_format(
+                    '<b><a href="#%s">%s</a></b>',
+                    urllib.quote(filename.encode('utf-8')), filename)
             else:
                 return revision_link(
-                    url, entry.revno, filename, '#' + filename)
+                    url, entry.revno, filename,
+                    '#' + urllib.quote(filename.encode('utf-8')))
     else:
         def file_link(filename):
-            return '<a href="%s%s" title="View changes to %s in revision %s">%s</a>'%(
-                url(['/revision', entry.revno]), '#' + filename, cgi.escape(filename),
-                cgi.escape(entry.revno), cgi.escape(filename))
+            return html_format(
+                '<a href="%s%s" title="View changes to %s in revision %s">'
+                '%s</a>',
+                url(['/revision', entry.revno]),
+                '#' + urllib.quote(filename.encode('utf-8')),
+                filename, entry.revno, filename)
     return _pt('revisionfilechanges').expand(
         entry=entry, file_changes=file_changes, file_link=file_link, **templatefunctions)
 
@@ -122,14 +128,15 @@
 
 @templatefunc
 def annotate_link(url, revno, path):
-    return '<a href="%s" title="Annotate %s">%s</a>'%(
-        url(['/annotate', revno, path]), cgi.escape(path), cgi.escape(path))
+    return html_format(
+        '<a href="%s" title="Annotate %s">%s</a>',
+        url(['/annotate', revno, path]), path, path)
 
 @templatefunc
 def revision_link(url, revno, path, frag=''):
-    return '<a href="%s%s" title="View changes to %s in revision %s">%s</a>'%(
-        url(['/revision', revno, path]), frag, cgi.escape(path),
-        cgi.escape(revno), cgi.escape(path))
+    return html_format(
+        '<a href="%s%s" title="View changes to %s in revision %s">%s</a>',
+        url(['/revision', revno, path]), frag, path, revno, path)
 
 
 @templatefunc
diff -Nur loggerhead-1.17/loggerhead/tests/test_simple.py loggerhead-1.17.new/loggerhead/tests/test_simple.py
--- loggerhead-1.17/loggerhead/tests/test_simple.py	2009-08-20 23:53:02.000000000 +1000
+++ loggerhead-1.17.new/loggerhead/tests/test_simple.py	2011-03-24 14:15:34.486850157 +1100
@@ -59,9 +59,11 @@
 
         self.filecontents = ('some\nmultiline\ndata\n'
                              'with<htmlspecialchars\n')
+        filenames = ['myfilename', 'anotherfile<']
         self.build_tree_contents(
-            [('myfilename', self.filecontents)])
-        self.tree.add('myfilename')
+            (filename, self.filecontents) for filename in filenames)
+        for filename in filenames:
+            self.tree.add(filename, '%s-id' % filename)
         self.fileid = self.tree.path2id('myfilename')
         self.msg = 'a very exciting commit message <'
         self.revid = self.tree.commit(message=self.msg)
@@ -117,6 +119,8 @@
     def test_revision(self):
         app = self.setUpLoggerhead()
         res = app.get('/revision/1')
+        res.mustcontain(no=['anotherfile<'])
+        res.mustcontain('anotherfile&lt;')
         res.mustcontain('myfilename')
 
 
diff -Nur loggerhead-1.17/loggerhead/util.py loggerhead-1.17.new/loggerhead/util.py
--- loggerhead-1.17/loggerhead/util.py	2009-08-20 23:53:02.000000000 +1000
+++ loggerhead-1.17.new/loggerhead/util.py	2011-03-24 14:15:34.486850157 +1100
@@ -27,7 +27,6 @@
 from simpletal.simpleTALUtils import HTMLStructureCleaner
 
 import base64
-import cgi
 import datetime
 import logging
 import re
@@ -193,8 +192,39 @@
 # only do this if unicode turns out to be a problem
 #_BADCHARS_RE = re.compile(ur'[\u007f-\uffff]')
 
-# FIXME: get rid of this method; use fixed_width() and avoid XML().
+# Can't be a dict; &amp; needs to be done first.
+html_entity_subs = [
+    ("&", "&amp;"),
+    ('"', "&quot;"),
+    ("'", "&#39;"), # &apos; is defined in XML, but not HTML.
+    (">", "&gt;"),
+    ("<", "&lt;"),
+    ]
+
+
+def html_escape(s):
+    """Transform dangerous (X)HTML characters into entities.
+
+    Like cgi.escape, except also escaping " and '. This makes it safe to use
+    in both attribute and element content.
+
+    If you want to safely fill a format string with escaped values, use
+    html_format instead
+    """
+    for char, repl in html_entity_subs:
+        s = s.replace(char, repl)
+    return s
+
 
+def html_format(template, *args):
+    """Safely format an HTML template string, escaping the arguments.
+
+    The template string must not be user-controlled; it will not be escaped.
+    """
+    return template % tuple(html_escape(arg) for arg in args)
+
+
+# FIXME: get rid of this method; use fixed_width() and avoid XML().
 
 def html_clean(s):
     """
@@ -202,7 +232,7 @@
     entities, and replace spaces with '&nbsp;'.  this is primarily for use
     in displaying monospace text.
     """
-    s = cgi.escape(s.expandtabs())
+    s = html_escape(s.expandtabs())
     s = s.replace(' ', '&nbsp;')
     return s
 
@@ -250,7 +280,7 @@
         except UnicodeDecodeError:
             s = s.decode('iso-8859-15')
 
-    s = cgi.escape(s).expandtabs().replace(' ', NONBREAKING_SPACE)
+    s = html_escape(s).expandtabs().replace(' ', NONBREAKING_SPACE)
 
     return HSC.clean(s).replace('\n', '<br/>')