diff --git a/app/assets/javascripts/discourse/controllers/notification.js.es6 b/app/assets/javascripts/discourse/controllers/notification.js.es6
index dc23b6936..eaf9d8354 100644
--- a/app/assets/javascripts/discourse/controllers/notification.js.es6
+++ b/app/assets/javascripts/discourse/controllers/notification.js.es6
@@ -7,14 +7,27 @@ export default Discourse.ObjectController.extend({
     return this.get("data.display_username");
   }.property(),
 
-  link: function() {
-    if (this.get('data.badge_id')) {
-      return '<a href="/badges/' + this.get('data.badge_id') + '/' + this.get('data.badge_name').replace(/[^A-Za-z0-9_]+/g, '-').toLowerCase() + '">' + this.get('data.badge_name') + '</a>';
+  safe: function(prop){
+    var val = this.get(prop);
+    if(val) {
+      val = Handlebars.Utils.escapeExpression(val);
     }
+    return val;
+  },
+
+  link: function() {
+
+    var badgeId = this.safe('data.badge_id');
+    if (badgeId) {
+      var badgeName = this.safe('data.badge_name');
+      return '<a href="/badges/' + badgeId + '/' + badgeName.replace(/[^A-Za-z0-9_]+/g, '-').toLowerCase() + '">' + badgeName + '</a>';
+    }
+
     if (this.blank("data.topic_title")) {
       return "";
     }
-    var url = Discourse.Utilities.postUrl(this.get("slug"), this.get("topic_id"), this.get("post_number"));
-    return '<a href="' + url + '">' + this.get("data.topic_title") + '</a>';
+
+    var url = Discourse.Utilities.postUrl(this.safe("slug"), this.safe("topic_id"), this.safe("post_number"));
+    return '<a href="' + url + '">' + this.safe("data.topic_title") + '</a>';
   }.property()
 });