diff --git a/templates/layout/default.php b/templates/layout/default.php
index 2b7215d1..af061637 100644
--- a/templates/layout/default.php
+++ b/templates/layout/default.php
@@ -43,7 +43,10 @@
 /**
  * Default `body` block.
  */
-$this->prepend('tb_body_attrs', ' class="' . implode(' ', [$this->request->getParam('controller'), $this->request->getParam('action')]) . '" ');
+$this->prepend(
+    'tb_body_attrs',
+    ' class="' . implode(' ', [h($this->request->getParam('controller')), h($this->request->getParam('action'))]) . '" '
+);
 if (!$this->fetch('tb_body_start')) {
     $this->start('tb_body_start');
     echo '<body' . $this->fetch('tb_body_attrs') . '>';
diff --git a/templates/layout/examples/cover.php b/templates/layout/examples/cover.php
index 3e0f4b97..46af2b0e 100644
--- a/templates/layout/examples/cover.php
+++ b/templates/layout/examples/cover.php
@@ -5,7 +5,10 @@
 use Cake\Core\Configure;
 
 $this->Html->css('BootstrapUI.cover', ['block' => true]);
-$this->prepend('tb_body_attrs', 'class="text-center ' . implode(' ', [$this->request->getParam('controller'), $this->request->getParam('action')]) . '" ');
+$this->prepend(
+    'tb_body_attrs',
+    'class="text-center ' . implode(' ', [h($this->request->getParam('controller')), h($this->request->getParam('action'))]) . '" '
+);
 
 $this->start('tb_body_start'); ?>
 <body <?= $this->fetch('tb_body_attrs') ?>>
diff --git a/templates/layout/examples/dashboard.php b/templates/layout/examples/dashboard.php
index 4055f65a..8ff9d757 100644
--- a/templates/layout/examples/dashboard.php
+++ b/templates/layout/examples/dashboard.php
@@ -5,7 +5,10 @@
 use Cake\Core\Configure;
 
 $this->Html->css('BootstrapUI.dashboard', ['block' => true]);
-$this->prepend('tb_body_attrs', ' class="' . implode(' ', [$this->request->getParam('controller'), $this->request->getParam('action')]) . '" ');
+$this->prepend(
+    'tb_body_attrs',
+    ' class="' . implode(' ', [h($this->request->getParam('controller')), h($this->request->getParam('action'))]) . '" '
+);
 $this->start('tb_body_start');
 ?>
 <body <?= $this->fetch('tb_body_attrs') ?>>
@@ -28,7 +31,7 @@
                 </div>
             </nav>
             <main role="main" class="col-md-9 ml-sm-auto col-lg-10 pt-3 px-4">
-                <h1 class="page-header"><?= $this->request->getParam('controller'); ?></h1>
+                <h1 class="page-header"><?= h($this->request->getParam('controller')) ?></h1>
 <?php
 /**
  * Default `flash` block.
diff --git a/templates/layout/examples/signin.php b/templates/layout/examples/signin.php
index 77c1d8bb..19461c40 100644
--- a/templates/layout/examples/signin.php
+++ b/templates/layout/examples/signin.php
@@ -3,7 +3,10 @@
  * @var \Cake\View\View $this
  */
 $this->Html->css('BootstrapUI.signin', ['block' => true]);
-$this->prepend('tb_body_attrs', ' class="' . implode(' ', [$this->request->getParam('controller'), $this->request->getParam('action')]) . '" ');
+$this->prepend(
+    'tb_body_attrs',
+    ' class="' . implode(' ', [h($this->request->getParam('controller')), h($this->request->getParam('action'))]) . '" '
+);
 $this->start('tb_body_start');
 /**
  * Default `flash` block.