Diffstat (limited to 'public')
-rw-r--r-- public/docs/release-notes.md | 10
-rw-r--r-- public/js/extra.js            |  2
2 files changed, 10 insertions, 2 deletions
diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index 6d31b8ff..598a5c83 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -1,4 +1,12 @@
# Release Notes
+## <i class="fa fa-tag"></i> 1.7.1 <i class="fa fa-calendar-o"></i> 2020-12-27
+This release fixes two security issues. We recommend upgrading as soon as possible.
+### Security Fixes
+- [CVE-2020-26286: Arbitrary file upload](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc)
+ An unauthenticated attacker can upload arbitrary files to the upload storage backend.
+- [CVE-2020-26287: Stored XSS in mermaid diagrams](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p)
+ An attacker can inject arbitrary script tags in HedgeDoc notes using mermaid diagrams.
+
## <i class="fa fa-tag"></i> 1.7.0 <i class="fa fa-calendar-o"></i> 2020-12-21
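Review bot: the release notes announce two security fixes, but this diff is limited to `public`, so only the mermaid change for CVE-2020-26287 is visible here; the server-side change for the arbitrary file upload (CVE-2020-26286) needs to be reviewed in the rest of the commit before this note is accurate for what ships. Minor Markdown points in the same hunk: there is no blank line between `# Release Notes` and the new `## ... 1.7.1` heading or before `### Security Fixes`, and the description lines under each CVE are indented by a single space, which some renderers treat as a lazy continuation of the link line rather than a separate sentence; indenting them by two spaces (or putting them on the same line after the link) keeps the rendering consistent across the release-notes page.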
@@ -46,7 +54,7 @@ otherwise you will encounter login-issues.
- Butterflyoffire (translator)
- civic john (translator)
- [Daniel Lublin](https://github.com/quite)
-- [Davod Mehren](github.com/davidmehren)
+- [David Mehren](github.com/davidmehren)
- [david-sawatzke](https://github.com/david-sawatzke)
- deluxghost (translator)
- [Dexter Chua](https://github.com/dalcde)
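Review bot: while correcting the contributor's name, the link target `github.com/davidmehren` is still missing its scheme, unlike the neighbouring entries that use `https://github.com/...`; rendered as Markdown it becomes a relative link on the docs site, so this line should read `- [David Mehren](https://github.com/davidmehren)`.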
diff --git a/public/js/extra.js b/public/js/extra.js
index 49dd23ce..44db742a 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -386,7 +386,7 @@ export function finishView (view) {
window.mermaid.mermaidAPI.parse($value.text())
$ele.addClass('mermaid')
- $ele.html($value.text())
+ $ele.text($value.text())
window.mermaid.init(undefined, $ele)
} catch (err) {
var errormessage = err
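Review bot: switching `$ele.html($value.text())` to `$ele.text($value.text())` is the right fix for the sink: `mermaidAPI.parse` only checks diagram syntax and does not sanitise, so the previous line handed raw note content to jQuery's `.html()`, which parses and inserts any markup in the mermaid block as live DOM before `mermaid.init` ever saw it; `.text()` stores the diagram source as a text node, which is what `mermaid.init` reads and renders. Two things worth confirming in the same function: that no other code path re-reads `$ele` with `.html()` afterwards, and that the `catch` branch below, which assigns `err` to `errormessage`, also surfaces the message via a text-only sink, since the parse error can echo back attacker-controlled diagram source.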