diff --git a/lib/NodeUtils.js b/lib/NodeUtils.js
index 53e5927..60c84bf 100644
--- a/lib/NodeUtils.js
+++ b/lib/NodeUtils.js
@@ -110,17 +110,17 @@ function escapeAttr(s) {
 function attrname(a) {
   var ns = a.namespaceURI;
   if (!ns)
-    return a.localName;
+    return escape(a.localName);
   if (ns === NAMESPACE.XML)
-    return 'xml:' + a.localName;
+    return 'xml:' + escape(a.localName);
   if (ns === NAMESPACE.XLINK)
-    return 'xlink:' + a.localName;
+    return 'xlink:' + escape(a.localName);
 
   if (ns === NAMESPACE.XMLNS) {
     if (a.localName === 'xmlns') return 'xmlns';
-    else return 'xmlns:' + a.localName;
+    else return 'xmlns:' + escape(a.localName);
   }
-  return a.name;
+  return escape(a.name);
 }
 
 /**
@@ -176,7 +176,8 @@ function serializeOne(kid, parent) {
     case 1: //ELEMENT_NODE
       var ns = kid.namespaceURI;
       var html = ns === NAMESPACE.HTML;
-      var tagname = (html || ns === NAMESPACE.SVG || ns === NAMESPACE.MATHML) ? kid.localName : kid.tagName;
+      var unescapedTagname = (html || ns === NAMESPACE.SVG || ns === NAMESPACE.MATHML) ? kid.localName : kid.tagName;
+      var tagname = escape(unescapedTagname);
 
       s += '<' + tagname;
 
@@ -221,10 +222,10 @@ function serializeOne(kid, parent) {
       break;
     case 7: //PROCESSING_INSTRUCTION_NODE
       const content = escapeProcessingInstructionContent(kid.data);
-      s += '<?' + kid.target + ' ' + content + '?>';
+      s += '<?' + escape(kid.target) + ' ' + content + '?>';
       break;
     case 10: //DOCUMENT_TYPE_NODE
-      s += '<!DOCTYPE ' + kid.name;
+      s += '<!DOCTYPE ' + escape(kid.name);
 
       if (false) {
         // Latest HTML serialization spec omits the public/system ID
diff --git a/test/html5lib-tests.json b/test/html5lib-tests.json
index 58bceba..86165d4 100644
--- a/test/html5lib-tests.json
+++ b/test/html5lib-tests.json
@@ -10945,8 +10945,8 @@
             ]
           }
         ],
-        "html": "<html><head></head><body><div<div></div<div></body></html>",
-        "noQuirksBodyHtml": "<div<div></div<div>"
+        "html": "<html><head></head><body><div&lt;div></div&lt;div></body></html>",
+        "noQuirksBodyHtml": "<div&lt;div></div<div>"
       }
     },
     {
@@ -10990,7 +10990,7 @@
             ]
           }
         ],
-        "html": "<html><head></head><body><div foo<bar=\"\"></div></body></html>",
+        "html": "<html><head></head><body><div foo&lt;bar=\"\"></div></body></html>",
         "noQuirksBodyHtml": "<div foo<bar=\"\"></div>"
       }
     },
@@ -58367,7 +58367,7 @@
             ]
           }
         ],
-        "html": "<!DOCTYPE <!doctype><html><head></head><body>&gt;<!--<!--x-->--&gt;</body></html>",
+        "html": "<!DOCTYPE &lt;!doctype><html><head></head><body>&gt;<!--<!--x-->--&gt;</body></html>",
         "noQuirksBodyHtml": "&gt;<!--<!--x-->--&gt;"
       }
     },
@@ -65403,7 +65403,7 @@
             ]
           }
         ],
-        "html": "<html><head></head><body><p><code x<=\"\" code=\"\"></code></p><code x<=\"\" code=\"\">\n</code></body></html>",
+        "html": "<html><head></head><body><p><code x&lt;=\"\" code=\"\"></code></p><code x&lt;=\"\" code=\"\">\n</code></body></html>",
         "noQuirksBodyHtml": "<p><code x<=\"\" code=\"\"></code></p><code x<=\"\" code=\"\">\n</code>"
       }
     },
@@ -79080,8 +79080,8 @@
             ]
           }
         ],
-        "html": "<html><head></head><body><img <=\"\" fail=\"\"></body></html>",
-        "noQuirksBodyHtml": "<img <=\"\" fail=\"\">"
+        "html": "<html><head></head><body><img &lt;=\"\" fail=\"\"></body></html>",
+        "noQuirksBodyHtml": "<img &lt;=\"\" fail=\"\">"
       }
     },
     {
diff --git a/test/xss.js b/test/xss.js
index 1e60da5..9b12ea6 100644
--- a/test/xss.js
+++ b/test/xss.js
@@ -352,4 +352,66 @@ exports.verifyEscapeProcessingInstructionContent = function () {
   for (const [rawContent, expected] of cases) {
     NodeUtils.ɵescapeProcessingInstructionContent(rawContent).should.equal(expected);
   }
+}
+
+exports.testXssInAttributeName = function () {
+  var document = domino.createDocument();
+  var attr = document.createAttribute('safe');
+  attr.localName = '><script>alert(1)';
+  var div = document.createElement('div');
+  div.setAttributeNode(attr);
+
+  var serialized = div.outerHTML;
+
+  serialized.should.not.containEql('<script>');
+  serialized.should.containEql('&lt;script&gt;');
+};
+
+exports.testXssInAttributePrefix = function () {
+  var document = domino.createDocument();
+  var attr = document.createAttributeNS('http://example.com/ns', 'p:safe');
+  attr.prefix = '><script>alert(1)';
+  var div = document.createElement('div');
+  div.setAttributeNode(attr);
+
+  var serialized = div.outerHTML;
+
+  serialized.should.not.containEql('<script>');
+  serialized.should.containEql('&lt;script&gt;');
+};
+
+exports.testXssInTagName = function () {
+  var document = domino.createDocument();
+  var div = document.createElement('div');
+  div.localName = 'script>alert(1)</script';
+
+  var serialized = div.outerHTML;
+
+  serialized.should.not.containEql('<script>alert(1)');
+  serialized.should.containEql('script&gt;alert(1)');
+};
+
+exports.testXssInDoctypeName = function () {
+  var document = domino.createDocument();
+  // Remove existing doctype/documentElement if any
+  while (document.firstChild) document.removeChild(document.firstChild);
+
+  var doctype = document.implementation.createDocumentType('html', '', '');
+  doctype.name = 'html><script>alert(1)</script>';
+  document.appendChild(doctype);
+
+  var serialized = document.serialize();
+  serialized.should.not.containEql('<script>');
+  serialized.should.containEql('&lt;script&gt;');
+};
+
+exports.testXssInPITarget = function () {
+  var document = domino.createDocument();
+  var pi = document.createProcessingInstruction('target', 'data');
+  pi.target = 'target><script>alert(1)</script>';
+  document.appendChild(pi);
+
+  var serialized = document.serialize();
+  serialized.should.not.containEql('<script>');
+  serialized.should.containEql('&lt;script&gt;');
 };