diff --git a/swift/account/utils.py b/swift/account/utils.py
index ce5fa7bb28..769169152f 100644
--- a/swift/account/utils.py
+++ b/swift/account/utils.py
@@ -96,7 +96,7 @@ def account_listing_response(account, req, response_content_type, broker=None,
 account_list = json.dumps(data)
 elif response_content_type.endswith('/xml'):
 output_list = ['',
- '' % saxutils.escape(account)]
+ '' % saxutils.quoteattr(account)]
 for (name, object_count, bytes_used, is_subdir) in account_list:
 name = saxutils.escape(name)
 if is_subdir:
diff --git a/test/unit/account/test_server.py b/test/unit/account/test_server.py
index 255ac71dc6..5368f1df5f 100644
--- a/test/unit/account/test_server.py
+++ b/test/unit/account/test_server.py
@@ -632,6 +632,43 @@ def test_GET_with_containers_xml(self):
 self.assertEquals(node.firstChild.nodeValue, '4')
 self.assertEquals(resp.charset, 'utf-8')
 
+ def test_GET_xml_escapes_account_name(self):
+ req = Request.blank(
+ '/sda1/p/%22%27', # "'
+ environ={'REQUEST_METHOD': 'PUT', 'HTTP_X_TIMESTAMP': '0'})
+ self.controller.PUT(req)
+
+ req = Request.blank(
+ '/sda1/p/%22%27?format=xml',
+ environ={'REQUEST_METHOD': 'GET', 'HTTP_X_TIMESTAMP': '1'})
+ resp = self.controller.GET(req)
+
+ dom = xml.dom.minidom.parseString(resp.body)
+ self.assertEquals(dom.firstChild.attributes['name'].value, '"\'')
+
+ def test_GET_xml_escapes_container_name(self):
+ req = Request.blank(
+ '/sda1/p/a',
+ environ={'REQUEST_METHOD': 'PUT', 'HTTP_X_TIMESTAMP': '0'})
+ self.controller.PUT(req)
+
+ req = Request.blank(
+ '/sda1/p/a/%22%3Cword', # "
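Review bot: The added line in the utils.py hunk interpolates `saxutils.quoteattr(account)` into a format string, and `quoteattr` returns the value already wrapped in its own quote characters (it picks `'` when the value contains `"` and falls back to `&quot;` when both are present), so the `%s` placeholder on that line must no longer be surrounded by literal quotes; the page rendering has collapsed the tag text to `''`, so this cannot be confirmed from the hunk and is worth checking against the file. The reason the change matters is that the removed `saxutils.escape(account)` leaves `"` untouched by default, so an account name containing a quote could terminate the attribute and yield malformed XML rather than an escaped value. A short why-comment on the new line, `# quoteattr() supplies the surrounding quotes and escapes whichever quote char it picks`, would keep a later edit from re-adding quotes around the placeholder. The loop a few lines down still uses `saxutils.escape(name)`, which is adequate only if `name` ends up as element text rather than an attribute value — that usage is outside the hunk, and account_listing_response continues past it.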