diff --git a/libraries/plugins/export/ExportXml.php b/libraries/plugins/export/ExportXml.php
index 325e2e6e379d..1ccffeee58af 100644
--- a/libraries/plugins/export/ExportXml.php
+++ b/libraries/plugins/export/ExportXml.php
@@ -185,7 +185,7 @@ private function _exportDefinitions($db, $type, $dbitype, $names)
if ($names) {
foreach ($names as $name) {
$head .= ' ' . $crlf;
+ . htmlspecialchars($name) . '">' . $crlf;
// Do some formatting
$sql = $GLOBALS['dbi']->getDefinition($db, $dbitype, $name);
@@ -232,7 +232,7 @@ public function exportHeader()
. '- version ' . PMA_VERSION . $crlf
. '- https://www.phpmyadmin.net' . $crlf
. '-' . $crlf
- . '- ' . __('Host:') . ' ' . $cfg['Server']['host'];
+ . '- ' . __('Host:') . ' ' . htmlspecialchars($cfg['Server']['host']);
if (!empty($cfg['Server']['port'])) {
$head .= ':' . $cfg['Server']['port'];
}
@@ -263,7 +263,7 @@ public function exportHeader()
$head .= ' -->' . $crlf;
$head .= ' ' . $crlf;
$head .= ' ' . $crlf;
if (count($tables) == 0) {
@@ -296,7 +296,7 @@ public function exportHeader()
continue;
}
- $head .= ' '
+ $head .= ' '
. $crlf;
$tbl = " " . htmlspecialchars($tbl);
@@ -314,7 +314,7 @@ public function exportHeader()
foreach ($triggers as $trigger) {
$code = $trigger['create'];
$head .= ' ' . $crlf;
+ . htmlspecialchars($trigger['name']) . '">' . $crlf;
// Do some formatting
$code = mb_substr(rtrim($code), 0, -3);
@@ -402,7 +402,7 @@ public function exportDBHeader($db, $db_alias = '')
) {
$head = ' ' . $crlf
. ' ' . $crlf;
@@ -491,7 +491,7 @@ public function exportData(
unset($i);
$buffer = ' ' . $crlf;
+ . htmlspecialchars($table_alias) . ' -->' . $crlf;
if (!PMA_exportOutputHandler($buffer)) {
return false;
}
diff --git a/test/classes/plugin/export/ExportXmlTest.php b/test/classes/plugin/export/ExportXmlTest.php
index e2034b5e7314..e2dcefbf4bbb 100644
--- a/test/classes/plugin/export/ExportXmlTest.php
+++ b/test/classes/plugin/export/ExportXmlTest.php
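Review bot: The `+` line of the `@@ -185` hunk calls `htmlspecialchars($name)` with default flags, which on PHP before 8.1 are `ENT_COMPAT | ENT_HTML401`: `<`, `>`, `&` and `"` are escaped but `'` is not, and the entity set is the HTML one rather than XML's. Because the value is written into a double-quoted attribute this does close the immediate injection, but the flags should be explicit so the guarantee does not silently weaken if the attribute quoting or context ever changes: `. htmlspecialchars($name, ENT_QUOTES | ENT_XML1, 'UTF-8') . '">' . $crlf;`. The same applies to the `+` lines of the `@@ -296` hunk (`$tbl`) and the `@@ -314` hunk (`$trigger['name']`). `_exportDefinitions` and `exportHeader` both start and end outside these hunks.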
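Review bot: In the `@@ -232` hunk `$cfg['Server']['host']` is now escaped, but the port appended on the very next context line, `$head .= ':' . $cfg['Server']['port'];`, is still written raw into the same header block. This is configuration rather than request input and is normally numeric, so the exposure looks low, but leaving one of the two adjacent values unescaped is inconsistent and easy to miss later; `$head .= ':' . htmlspecialchars((string) $cfg['Server']['port']);` keeps the block uniform. `exportHeader` continues outside the hunk.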
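Review bot: In the `@@ -491` hunk the escaped `$table_alias` is emitted inside an XML comment (the `+` line closes it with `' -->'`), and `htmlspecialchars()` leaves `-` untouched, so an alias containing `--` still yields a malformed comment, since `--` is not permitted inside an XML comment and `-->` terminates it. Entity escaping is the right fix for element and attribute context, but for comment context the dash sequence has to be neutralised as well, e.g. `. htmlspecialchars(preg_replace('/-+/', '-', $table_alias)) . ' -->' . $crlf;`, or the alias should not be placed in a comment at all. The `@@ -402` hunk appears to build a similar comment block from `$db_alias` (its content is not fully recoverable on this page), so it likely needs the same treatment. `exportData` starts and ends outside the hunk.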
@@ -589,7 +589,7 @@ public function testExportData()
$result = ob_get_clean();
$this->assertContains(
- "",
+ "",
$result
);
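Review bot: The expected string on the `+` line is not recoverable on this page (both the removed and the added assertion argument are shown as `""`), so it cannot be confirmed from here that the test pins the escaped form of the table alias. If the fixture's table name contains none of `<`, `>`, `&` or `"`, this `assertContains` passes equally with and without the `htmlspecialchars()` call added in `exportData`, and the regression would go unnoticed; a fixture name containing at least one of those characters, asserted in its escaped form, would make the test fail against the old code. `testExportData` starts outside the hunk.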