diff --git a/services/web-ui/public/projects.html b/services/web-ui/public/projects.html
index 946f7cd..7fa80dd 100644
--- a/services/web-ui/public/projects.html
+++ b/services/web-ui/public/projects.html
@@ -480,6 +480,9 @@
   }
 
   function binCard(b) {
+    // Use JSON.stringify + esc so the bin name is safe in an onclick JS string
+    // regardless of quotes, backslashes, or other special characters it may contain.
+    const nameJs = esc(JSON.stringify(b.name));
     return '<div class="proj-bin-card">' +
       '<div class="proj-bin-card-name">' +
         '<svg viewBox="0 0 16 16" fill="none" stroke="currentColor" stroke-width="1.5" width="14" height="14"><path d="M1 4a1 1 0 0 1 1-1h4l2 2h5a1 1 0 0 1 1 1v6a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1z"/></svg>' +
@@ -487,7 +490,7 @@
       '</div>' +
       '<div class="proj-bin-card-meta">Created ' + new Date(b.created_at).toLocaleDateString() + '</div>' +
       '<div class="proj-bin-card-actions">' +
-        '<button class="btn btn-ghost btn-sm" style="padding:4px 8px" onclick="renameBinPrompt(\'' + b.id + '\', \'' + esc(b.name).replace(/'/g, "\\'") + '\')">Rename</button>' +
+        '<button class="btn btn-ghost btn-sm" style="padding:4px 8px" onclick="renameBinPrompt(\'' + b.id + '\', ' + nameJs + ')">Rename</button>' +
         '<button class="btn btn-ghost btn-sm" style="padding:4px 8px;color:var(--status-red)" onclick="deleteBin(\'' + b.id + '\')">Delete</button>' +
       '</div>' +
     '</div>';