diff --git a/src/pretix/base/pdf.py b/src/pretix/base/pdf.py
index 5d27cda4d6..7afc69de9e 100644
--- a/src/pretix/base/pdf.py
+++ b/src/pretix/base/pdf.py
@@ -14,6 +14,7 @@ from django.conf import settings
 from django.contrib.staticfiles import finders
 from django.dispatch import receiver
 from django.utils.formats import date_format
+from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import ugettext_lazy as _
 from PyPDF2 import PdfFileReader
@@ -55,32 +56,32 @@ DEFAULT_VARIABLES = OrderedDict((
     ("item", {
         "label": _("Product name"),
         "editor_sample": _("Sample product"),
-        "evaluate": lambda orderposition, order, event: str(orderposition.item.name)
+        "evaluate": lambda orderposition, order, event: escape(str(orderposition.item.name))
     }),
     ("variation", {
         "label": _("Variation name"),
         "editor_sample": _("Sample variation"),
-        "evaluate": lambda op, order, event: str(op.variation) if op.variation else ''
+        "evaluate": lambda op, order, event: escape(str(op.variation) if op.variation else '')
     }),
     ("item_description", {
         "label": _("Product description"),
         "editor_sample": _("Sample product description"),
-        "evaluate": lambda orderposition, order, event: str(orderposition.item.description)
+        "evaluate": lambda orderposition, order, event: escape(str(orderposition.item.description))
     }),
     ("itemvar", {
         "label": _("Product name and variation"),
         "editor_sample": _("Sample product – sample variation"),
-        "evaluate": lambda orderposition, order, event: (
+        "evaluate": lambda orderposition, order, event: escape((
             '{} - {}'.format(orderposition.item.name, orderposition.variation) if orderposition.variation else str(orderposition.item.name)
-        )
+        ))
     }),
     ("item_category", {
         "label": _("Product category"),
         "editor_sample": _("Ticket category"),
-        "evaluate": lambda orderposition, order, event: (
+        "evaluate": lambda orderposition, order, event: escape((
             str(orderposition.item.category.name) if orderposition.item.category else ""
-        )
+        ))
     }),
     ("price", {
         "label": _("Price"),
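Review bot: Wrapping each variable's `evaluate` in `escape(...)` makes safety opt-in per entry: every other DEFAULT_VARIABLES entry, and any variable a plugin contributes through the signal mechanism this module appears to use (`receiver` is imported above, `variables_from_questions(sender, ...)` is in the last hunk), stays unescaped unless its author remembers the wrapper. Escaping once at the point where the evaluated string is inserted into the rendered text would make new variables safe by default; the values are presumably fed into markup that interprets `<`, `>` and `&`, which is not visible in this hunk and worth confirming. The same per-entry pattern recurs in the hunks at -99, -185, -207 and -300, so I am raising it once here. At minimum a comment above DEFAULT_VARIABLES such as `# evaluate() results are inserted into markup; every entry must return escaped text` would record the contract for future entries.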
@@ -99,12 +100,12 @@ DEFAULT_VARIABLES = OrderedDict((
     ("attendee_name", {
         "label": _("Attendee name"),
         "editor_sample": _("John Doe"),
-        "evaluate": lambda op, order, ev: op.attendee_name or (op.addon_to.attendee_name if op.addon_to else '')
+        "evaluate": lambda op, order, ev: escape(op.attendee_name or (op.addon_to.attendee_name if op.addon_to else ''))
     }),
     ("event_name", {
         "label": _("Event name"),
         "editor_sample": _("Sample event name"),
-        "evaluate": lambda op, order, ev: str(ev.name)
+        "evaluate": lambda op, order, ev: escape(str(ev.name))
     }),
     ("event_date", {
         "label": _("Event date"),
@@ -185,12 +186,12 @@ DEFAULT_VARIABLES = OrderedDict((
     ("invoice_name", {
         "label": _("Invoice address name"),
         "editor_sample": _("John Doe"),
-        "evaluate": lambda op, order, ev: order.invoice_address.name if getattr(order, 'invoice_address', None) else ''
+        "evaluate": lambda op, order, ev: escape(order.invoice_address.name if getattr(order, 'invoice_address', None) else '')
     }),
     ("invoice_company", {
         "label": _("Invoice address company"),
         "editor_sample": _("Sample company"),
-        "evaluate": lambda op, order, ev: order.invoice_address.company if getattr(order, 'invoice_address', None) else ''
+        "evaluate": lambda op, order, ev: escape(order.invoice_address.company if getattr(order, 'invoice_address', None) else '')
     }),
     ("addons", {
         "label": _("List of Add-Ons"),
@@ -207,7 +208,7 @@ DEFAULT_VARIABLES = OrderedDict((
     ("organizer", {
         "label": _("Organizer name"),
         "editor_sample": _("Event organizer company"),
-        "evaluate": lambda op, order, ev: str(order.event.organizer.name)
+        "evaluate": lambda op, order, ev: escape(str(order.event.organizer.name))
     }),
     ("organizer_info_text", {
         "label": _("Organizer info text"),
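Review bot: The `addons` and `organizer_info_text` entries appear only as trailing context in the -185 and -207 hunks and their `evaluate` bodies are not changed by this commit; if `addons` builds its text from product and variation names the way `itemvar` does, it carries the same markup-injection exposure as the entries escaped here and needs the same `escape(...)` wrapper. I cannot see those bodies in the diff, so treat this as a check rather than a confirmed gap. Of the entries touched in these hunks, `attendee_name`, `invoice_name` and `invoice_company` are presumably filled in by the customer at checkout rather than by the organizer, which makes them the most important ones to keep covered and worth a regression test with a value containing `<`, `&` and quotes.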
@@ -300,11 +301,11 @@ def variables_from_questions(sender, *args, **kwargs):
 
 
 def _get_attendee_name_part(key, op, order, ev):
-    return op.attendee_name_parts.get(key, '')
+    return escape(op.attendee_name_parts.get(key, ''))
 
 
 def _get_ia_name_part(key, op, order, ev):
-    return order.invoice_address.name_parts.get(key, '') if getattr(order, 'invoice_address', None) else ''
+    return escape(order.invoice_address.name_parts.get(key, '') if getattr(order, 'invoice_address', None) else '')
 
 
 def get_variables(event):
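Review bot: `_get_attendee_name_part` and `_get_ia_name_part` now return HTML-escaped text from a PDF-generation module and nothing near them says why, so a one-line docstring on each, such as `"""Return the attendee name part for *key*, escaped for insertion into the rendered markup."""`, would stop the next reader from treating the `escape` call as a mistake and removing it. Note also that Django's `escape` returns a value marked safe via `mark_safe`, not a plain `str`; any consumer that later mixes the result with unescaped text, or passes it through `conditional_escape`, will behave differently from before, and I cannot see the consumer here. `get_variables` starts on the last line of the hunk and continues outside it.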