diff --git a/inbox/totp-2fa.xml b/inbox/totp-2fa.xml
index 83035605..714388c4 100644
--- a/inbox/totp-2fa.xml
+++ b/inbox/totp-2fa.xml
@@ -29,6 +29,12 @@
     <email>dave.cridland@surevine.com</email>
     <jid>dave.cridland@surevine.com</jid>
   </author>
+  <revision>
+    <version>0.0.2</version>
+    <date>2018-01-08</date>
+    <initials>dwd</initials>
+    <remark><p>So ABNF isn't well-formed XML, of course...</p></remark>
+  </revision>
   <revision>
     <version>0.0.1</version>
     <date>2018-01-08</date>
@@ -95,13 +101,13 @@
     <p>A commonly implemented technique for passing TOTP Secrets is to encode them as a URI within which the various parameters, including the TOTP secret, are specified. Unfortunately this URI scheme appears to only be specified on a Wiki page.</p>
     <p>However, this URI scheme is so widely supported that interoperability demands that it is used, so this document therefore specifies a cut-down variant of the URI which is to be used within XMPP. Treatment of this URI as anything but an especially formatted string is not within the scope of this document.</p>
     <p>A TOTP URI is specified with the following ABNF:</p>
-    <code>
+    <code><![CDATA[
 totp-uri = "otpauth://totp/" label "?secret=" secret "&issuer=" issuer
 label = issuer (":" / "%3A") jid
 jid = 1*CHAR ; URI-encoded jid
 secret = 40 * HEXCHAR ; Base32 (hex) encoded secret with no padding.
 issuer = 1*CHAR ; Issuer name.
-    </code>
+]]></code>
     <p>Yes, issuer is in there twice. No, I don't either.</p>
     <p>TOTP URIs are normally presented to the user as a QR Code</p>
   </section1>