"&" is not escaped on output it leads to many problems. For example:

• go to graph creation form, enter graph name as "graph >", click preview button, after refresh graph name converts to "graph >".
• previous leads to two graphs/apps/items... with identical names. Create one with ">" in name, another with ">". In frontend these will look identical.
• in item list subfilter if item has application which name contain ">" subfilter for that app can be enabled but then connot be disabled.

Solution apply sheath function CHtml::encode() to every field which is displaying inside not input element.