diff --git a/app/assets/javascripts/discourse/widgets/post-gutter.js.es6 b/app/assets/javascripts/discourse/widgets/post-gutter.js.es6
index 81443e10b..d8352d2ae 100644
--- a/app/assets/javascripts/discourse/widgets/post-gutter.js.es6
+++ b/app/assets/javascripts/discourse/widgets/post-gutter.js.es6
@@ -29,7 +29,7 @@ export default createWidget('post-gutter', {
         seenTitles[title] = true;
         titleCount++;
         if (result.length < toShow) {
-          const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(title)}</span>`})];
+          const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(Handlebars.Utils.escapeExpression(title))}</span>`})];
           if (l.clicks) {
             linkBody.push(h('span.badge.badge-notification.clicks', l.clicks.toString()));
           }
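Review bot: The fix on the `const linkBody` line only holds as long as `Handlebars.Utils.escapeExpression` runs before `Discourse.Emoji.unescape`, and nothing in the hunk records that ordering, so a later tidy-up that swaps the two calls (or escapes the whole span afterwards, which would also break the emoji markup) would silently reopen the injection. A one-line comment above it would protect the intent: `// escape the user-supplied title BEFORE emoji expansion so the markup Emoji.unescape emits survives and a title cannot break out of it`. This also presumes `Emoji.unescape` only substitutes `:name:` tokens from its own emoji table and never echoes other parts of the (now escaped) title into attributes unquoted; that looks likely but is not visible here and is worth confirming. Note too that `seenTitles[title] = true` on the context line keys a plain object by the raw title, so titles such as `constructor` or `toString` collide with inherited properties; if the preceding membership check (outside the hunk) is a bare `seenTitles[title]`, such links are dropped, and a `Set` or `Object.create(null)` would avoid it. The enclosing widget function starts and ends outside this hunk.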
diff --git a/lib/onebox/engine/discourse_local_onebox.rb b/lib/onebox/engine/discourse_local_onebox.rb
index 23c98ece2..5e7564037 100644
--- a/lib/onebox/engine/discourse_local_onebox.rb
+++ b/lib/onebox/engine/discourse_local_onebox.rb
@@ -96,7 +96,7 @@ module Onebox
 
             quote = post.excerpt(SiteSetting.post_onebox_maxlength)
             args = { original_url: url,
-                     title: PrettyText.unescape_emoji(topic.title),
+                     title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)),
                      avatar: PrettyText.avatar_img(topic.user.avatar_template, 'tiny'),
                      posts_count: topic.posts_count,
                      last_post: FreedomPatches::Rails4.time_ago_in_words(topic.last_posted_at, false, scope: :'datetime.distance_in_words_verbose'),
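Review bot: The `title:` line escapes the title before `PrettyText.unescape_emoji` for the same reason as the client-side change, but the correctness of this argument now depends on two things the hunk does not state: the escape must stay inside the `unescape_emoji` call (escaping its output would mangle the emoji `<img>` markup), and the template that consumes `args[:title]` must keep rendering it unescaped, since the value is now pre-escaped HTML rather than plain text; double-escaping in the template would show `&amp;` literally, while a template that escapes nothing else in `args` is unaffected. A short comment such as `# title is rendered raw in the template; escape the user text first so only the emoji markup unescape_emoji emits is live HTML` next to the assignment would make the contract explicit. `avatar_img`, `posts_count` and `last_post` on the surrounding lines are untouched and presumably already produce safe values, but since they share the same raw-rendered hash it is worth checking that `avatar_template` goes through the same escaping path. The enclosing method starts and ends outside this hunk.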