diff --git a/app/presenters/user_application_presenter.rb b/app/presenters/user_application_presenter.rb
index 17dc1b1b2..8a0015622 100644
--- a/app/presenters/user_application_presenter.rb
+++ b/app/presenters/user_application_presenter.rb
@@ -14,7 +14,7 @@ class UserApplicationPresenter
 end
 
 def name
- @app.client_name
+ CGI::escape @app.client_name
 end
 
 def image
diff --git a/features/desktop/user_applications.feature b/features/desktop/user_applications.feature
index ac51b4d4c..b1147ae1a 100644
--- a/features/desktop/user_applications.feature
+++ b/features/desktop/user_applications.feature
@@ -21,7 +21,3 @@ Feature: managing authorized applications
 Then I should see 1 authorized applications
 And I revoke the first authorization
 Then I should see 0 authorized applications
-
- Scenario: XSS escaping
- When An application manually registers
- Then I should not see ""
diff --git a/features/step_definitions/user_applications_steps.rb b/features/step_definitions/user_applications_steps.rb
index afbae1930..7cef79050 100644
--- a/features/step_definitions/user_applications_steps.rb
+++ b/features/step_definitions/user_applications_steps.rb
@@ -14,9 +14,3 @@ end
 When /^I revoke the first authorization$/ do
 find(".app-revoke", match: :first).click
 end
-
-When /^An application manually registers$/ do
- post api_openid_connect_authorizations_new_path, client_name: "",
- redirect_uri: "http://example.org/", response_type: "id_token", scope: "openid",
- state: 1234, display: "page", prompt: "none"
-end
diff --git a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
index 9c07d9177..7527bacce 100644
--- a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
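Review bot: `CGI::escape @app.client_name` on the new `name` line percent-encodes for URLs rather than escaping for HTML, so a client name such as `My App` is shown as `My+App` and `&` becomes `%26`, while the `<` and `"` that matter for markup are only safe because they happen to be percent-encoded as a side effect. If the view prints `name` through ERB's `<%= %>` it is already HTML-escaped and this change is unnecessary and display-breaking; if the view uses `raw`/`html_safe` on it, that call site is the actual defect — I cannot see the view from this hunk, so please confirm which applies. If escaping is to stay in the presenter, use `ERB::Util.html_escape(@app.client_name)` (or `CGI.escapeHTML`), and in any case call methods with `.` rather than `::` (`CGI.escape`), which RuboCop flags. The enclosing `UserApplicationPresenter` class continues outside the hunk.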
@@ -130,7 +130,6 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
 end
 end
 end
-
 context "when already authorized" do
 let!(:auth) { Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice,
diff --git a/spec/controllers/api/openid_connect/user_applications_spec.rb b/spec/controllers/api/openid_connect/user_applications_spec.rb
new file mode 100644
index 000000000..71c7dc7e3
--- /dev/null
+++ b/spec/controllers/api/openid_connect/user_applications_spec.rb
@@ -0,0 +1,17 @@
+require "spec_helper"
+
+describe Api::OpenidConnect::UserApplicationsController, type: :controller do
+ before do
+ @app = FactoryGirl.create(:o_auth_application_with_xss)
+ @user = FactoryGirl.create :user
+ FactoryGirl.create :auth_with_read, user: @user, o_auth_application: @app
+ sign_in :user, @user
+ end
+
+ context "when try to XSS" do
+ it "should not include XSS script" do
+ get :index
+ expect(response.body).to_not include("")
+ end
+ end
+end
diff --git a/spec/factories.rb b/spec/factories.rb
index 7027fd57b..988a6b754 100644
--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -340,6 +340,11 @@ FactoryGirl.define do
 redirect_uris %w(http://localhost:3000/ http://localhost/)
 end
 
+ factory :o_auth_application_with_xss, class: Api::OpenidConnect::OAuthApplication do
+ client_name ""
+ redirect_uris %w(http://localhost:3000/)
+ end
+
 factory :auth_with_read, class: Api::OpenidConnect::Authorization do
 o_auth_application
 user
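Review bot: The assertion `expect(response.body).to_not include("")` in the new `user_applications_spec.rb` checks an empty string as shown here, which `include("")` always satisfies, so the example can never fail; if the literal was stripped when this page was rendered, disregard that, but the expected substring should be derived from the same value the `:o_auth_application_with_xss` factory assigns to `client_name` rather than repeated by hand. A negative-only check also passes when the name is not rendered at all, so add a positive assertion that the escaped form appears, e.g. `expect(response.body).to include(ERB::Util.html_escape(@app.client_name))`, which proves escaping rather than absence. As a style point, RSpec convention prefers `let`/`let!` over `@app`/`@user` instance variables in `before`, and `not_to` over `to_not` under RuboCop's defaults.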