In the "Recently Viewed" block, the title field of the hyperlink was not properly escaped.
- 4.7.20 and earlier
- 4.6.28 and earlier
Upgrade to the latest CiviCRM version
If you cannot upgrade you should apply the following patch:
Chris Burgess of Fuzion Aotearoa for reporting the issue
Sean Madsen for fixing the issue