diff --git a/src/api/bkuser_core/api/web/profile/serializers.py b/src/api/bkuser_core/api/web/profile/serializers.py
index 729833469..212b67548 100644
--- a/src/api/bkuser_core/api/web/profile/serializers.py
+++ b/src/api/bkuser_core/api/web/profile/serializers.py
@@ -13,7 +13,7 @@ from rest_framework import serializers
 
 from bkuser_core.api.web.serializers import StringArrayField
-from bkuser_core.api.web.utils import get_default_category_id, get_raw_password
+from bkuser_core.api.web.utils import escape_value, get_default_category_id, get_raw_password
 from bkuser_core.profiles.models import Profile
 from bkuser_core.profiles.validators import validate_username
 
 
@@ -106,6 +106,7 @@ class ProfileUpdateInputSLZ(serializers.ModelSerializer):
     leader = serializers.ListField(child=serializers.IntegerField(), required=False)
     departments = serializers.ListField(child=serializers.IntegerField(), required=False)
     password = serializers.CharField(required=False, write_only=True)
+    display_name = serializers.CharField(required=False)
     old_password = serializers.CharField(required=False, write_only=True)  # 只有admin用户重置密码时才需要传递该字段
 
     class Meta:
@@ -116,6 +117,9 @@ class Meta:
     def validate_password(self, password):
         return get_raw_password(self.instance.category_id, password)
 
+    def validate_display_name(self, display_name):
+        return escape_value(display_name)
+
     def validate_old_password(self, old_password):
         return get_raw_password(self.instance.category_id, old_password)
 
@@ -173,6 +177,9 @@ class Meta:
         # exclude = ["password"]
         validators: list = []
 
+    def validate_display_name(self, display_name):
+        return escape_value(display_name)
+
 
 class ProfileBatchDeleteInputSLZ(serializers.Serializer):
     id = serializers.IntegerField()
diff --git a/src/api/bkuser_core/api/web/utils.py b/src/api/bkuser_core/api/web/utils.py
index 4829343d8..b682e4dbd 100644
--- a/src/api/bkuser_core/api/web/utils.py
+++ b/src/api/bkuser_core/api/web/utils.py
@@ -178,3 +178,17 @@ def get_token_handler(token: str) -> ProfileTokenHolder:
         raise error_codes.PROFILE_TOKEN_EXPIRED
 
     return token_holder
+
+
+def escape_value(input_value: str) -> str:
+    """Replace special characters "&", "<" and ">" to HTML-safe sequences.
+    If the optional flag quote is true, the quotation mark character (")
+    is also translated.
+    rewrite the cgi method
+    """
+    escaped_value = input_value.replace("&", "")  # Must be done first!
+    escaped_value = escaped_value.replace("<", "")
+    escaped_value = escaped_value.replace(">", "")
+    escaped_value = escaped_value.replace('"', "")
+    escaped_value = escaped_value.replace("'", "")
+    return escaped_value
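Review bot: The explicit `display_name = serializers.CharField(required=False)` in the `@@ -106,6 +106,7 @@` hunk replaces the field DRF would otherwise derive from the model on this ModelSerializer, so whatever max_length or allow_blank the model's display_name column carries is no longer enforced at validation time; the model is not in this diff, so confirm what it declares. An over-long value would then only be caught (or silently truncated, depending on the database mode) at save time instead of returning a 400. Carry the limit over explicitly, e.g. `display_name = serializers.CharField(required=False, max_length=<model display_name max_length>)`, or drop the explicit declaration and rely on the model-derived field.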
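Review bot: `validate_display_name` in the `@@ -116,6 +117,9 @@` hunk silently rewrites the submitted value rather than validating it — a name containing `'`, `"`, `&`, `<` or `>` is stored with those characters removed and the client receives no error, so a user who submits `O'Brien` ends up with `OBrien`. For a user-visible identifier a rejecting validator is the more predictable contract, e.g. `if display_name != escape_value(display_name): raise serializers.ValidationError("display_name contains unsupported characters")` followed by `return display_name`. The same applies to the second `validate_display_name` added in the `@@ -173,6 +177,9 @@` hunk of this file, whose enclosing class header lies outside the hunk. Whichever contract is chosen, input-side filtering of one field does not replace output escaping in the templates or frontend that render profile data.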
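Review bot: The docstring and the `# Must be done first!` comment describe `html.escape` (characters translated to HTML-safe sequences, an optional `quote` flag, `&` handled first so it is not double-encoded), but the body deletes the five characters outright and takes no `quote` parameter, so the documentation contradicts the code and the ordering comment is meaningless for deletion. If escaping is what is wanted, the stdlib already does it correctly: `return html.escape(input_value, quote=True)` (with `import html` at the top of utils.py). If stripping is the intent, say so — a docstring such as `"""Strip the characters &, <, >, " and ' from input_value."""` — and drop the ordering comment, since `str.replace` calls that delete distinct characters are order-independent. Note that this is a mutating filter applied at storage time; it should not be relied on as the only defense against untrusted content reaching an HTML context.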