diff --git a/CHANGELOG.md b/CHANGELOG.md
index 570b13482..cc8cd0be7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v1.7.21
+## mm/dd/2021
+
+1. [](#bugfix)
+    * Fixed escaping in PageIndex::getLevelListing()
+
 # v1.7.20
 ## 09/01/2021
 
diff --git a/system/src/Grav/Common/Flex/Types/Pages/PageIndex.php b/system/src/Grav/Common/Flex/Types/Pages/PageIndex.php
index e2938aeb4..dd06f5868 100644
--- a/system/src/Grav/Common/Flex/Types/Pages/PageIndex.php
+++ b/system/src/Grav/Common/Flex/Types/Pages/PageIndex.php
@@ -674,12 +674,12 @@ class PageIndex extends FlexPageIndex implements PageCollectionInterface
                     $count = $filters ? $tmp->filterBy($filters, true)->count() : null;
                     $route = $child->getRoute();
                     $payload = [
-                        'item-key' => basename($child->rawRoute() ?? $child->getKey()),
+                        'item-key' => htmlspecialchars(basename($child->rawRoute() ?? $child->getKey())),
                         'icon' => $icon,
                         'title' => htmlspecialchars($child->menu()),
                         'route' => [
-                            'display' => ($route ? ($route->toString(false) ?: '/') : null) ?? '',
-                            'raw' => $child->rawRoute(),
+                            'display' => htmlspecialchars(($route ? ($route->toString(false) ?: '/') : null) ?? ''),
+                            'raw' => htmlspecialchars($child->rawRoute()),
                         ],
                         'modified' => $this->jsDate($child->modified()),
                         'child_count' => $child_count ?: null,