diff --git a/core/classes/TimelineEvent.class.php b/core/classes/TimelineEvent.class.php
index 0db5577b72..92fe9abe8f 100644
--- a/core/classes/TimelineEvent.class.php
+++ b/core/classes/TimelineEvent.class.php
@@ -80,9 +80,9 @@ public function html_start() {
 
 		return sprintf(
 			'<div class="entry"><div class="avatar"><a href="%s"><img class="avatar" src="%s" alt="%s" width="32" height="32" /></a></div><div class="timestamp">%s</div>',
-			$t_avatar->link,
-			$t_avatar->image,
-			$t_avatar->text,
+			htmlspecialchars( $t_avatar->link ),
+			htmlspecialchars( $t_avatar->image ),
+			htmlspecialchars( $t_avatar->text ),
 			$this->format_timestamp( $this->timestamp )
 		);
 	}
diff --git a/plugins/Gravatar/Gravatar.php b/plugins/Gravatar/Gravatar.php
index e49d9595aa..8cbf005ed9 100644
--- a/plugins/Gravatar/Gravatar.php
+++ b/plugins/Gravatar/Gravatar.php
@@ -153,8 +153,7 @@ function user_get_avatar( $p_event, $p_user_id, $p_size = 80 ) {
 					'd' => $t_default_avatar,
 					'r' => $t_rating,
 					's' => $p_size,
-				),
-				'', '&amp;'
+				)
 			);
 
 		$t_avatar = new Avatar();