diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php index acf973fab3..ba7ec51a9b 100644 --- a/inc/parser/xhtml.php +++ b/inc/parser/xhtml.php @@ -1280,17 +1280,15 @@ public function rss($url, $params) { for($x = $start; $x != $end; $x += $mod) { $item = $feed->get_item($x); $this->doc .= '
  • '; - // support feeds without links + $lnkurl = $item->get_permalink(); + $title = html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8'); + + // support feeds without links if($lnkurl) { - // title is escaped by SimplePie, we unescape here because it - // is escaped again in externallink() FS#1705 - $this->externallink( - $item->get_permalink(), - html_entity_decode($item->get_title(), ENT_QUOTES, 'UTF-8') - ); + $this->externallink($item->get_permalink(), $title); } else { - $this->doc .= ' '.$item->get_title(); + $this->doc .= ' '.hsc($item->get_title()); } if($params['author']) { $author = $item->get_author(0); @@ -1304,8 +1302,11 @@ public function rss($url, $params) { $this->doc .= ' ('.$item->get_local_date($conf['dformat']).')'; } if($params['details']) { + $desc = $item->get_description(); + $desc = strip_tags($desc); + $desc = html_entity_decode($desc, ENT_QUOTES, 'UTF-8'); $this->doc .= '
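Review bot: In the no-link branch the new line escapes `$item->get_title()` directly, even though the `$title` computed just above is already entity-decoded. The removed comment says SimplePie returns the title escaped, so `hsc()` on the raw value will likely double-encode it, and an ampersand in a feed title would render as the literal text `&amp;`. Using `$this->doc .= ' '.hsc($title);` keeps the output escaped and matches the decode-then-`hsc()` order applied to the description in the next hunk. The link branch could also reuse the value it already fetched instead of calling `get_permalink()` again: `$this->externallink($lnkurl, $title);`. The body of `rss()` starts and ends outside this hunk.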
    '; - $this->doc .= strip_tags($item->get_description()); + $this->doc .= hsc($desc); $this->doc .= '
    '; }
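Review bot: The three `$desc` lines are safe only because of the final `hsc($desc)`, and nothing in the code says so. Running `html_entity_decode()` after `strip_tags()` turns entity-encoded markup such as `&lt;b&gt;` back into literal angle brackets, so `$desc` holds untrusted feed text that must never reach `$this->doc` unescaped. A comment above the block would protect that invariant, e.g. `// $desc is decoded feed text and may contain < and >; hsc() below is the only output escaping`. Separately, if `get_description()` can return null for items without a description (not visible here), `strip_tags()` would receive null, which newer PHP versions deprecate; `$desc = (string) $item->get_description();` avoids that. `rss()` continues outside the hunk.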