diff --git a/TODO.md b/TODO.md
index a5f5b27..80b22dc 100644
--- a/TODO.md
+++ b/TODO.md
@@ -27,7 +27,7 @@
 - [ ] All command be available with both `!` and `/`.
 - [x] Auto remove commands if they're not sent by admins.
 - [x] Auto remove joining messages.
-- [ ] Use first name instead of username for link.
+- [x] Use first name instead of username for link.
 - [ ] Commands work with username too.
 - [ ] Commands should tell which admin sent the command.
 - [ ] Ban and remove Arabic/Russian/Indian text.
diff --git a/utils/tg.js b/utils/tg.js
index 9b4e7b2..96cde4b 100644
--- a/utils/tg.js
+++ b/utils/tg.js
@@ -1,7 +1,10 @@
 'use strict';
 
-const link = ({ id, username, first_name }) =>
-	`<a href="tg://user?id=${id}">${username ? username : first_name}</a>`;
+const escapeHtml = s => s
+	.replace(/</g, '&lt;');
+
+const link = ({ id, first_name }) =>
+	`<a href="tg://user?id=${id}">${escapeHtml(first_name)}</a>`;
 
 const deleteAfter = ms => ctx =>
 	setTimeout(() =>