In CiviContribute forms which combine the "On Behalf Of" feature with "Organization" records, some data was not properly escaped.
- 4.7.20 and earlier
- 4.6.28 and earlier
Upgrade to the latest version of CiviCRM
If you cannot upgrade then apply the following patch
Alan Dixon of Blackfly Solutions for reporting and fixing the issue