diff --git a/src/Model/Term.php b/src/Model/Term.php
index 2f8da0fac2..669d2167c7 100644
--- a/src/Model/Term.php
+++ b/src/Model/Term.php
@@ -447,13 +447,13 @@ class Term
$item['body'] = str_replace($orig_tag, $tag['url'], $item['body']);
}
- $return['hashtags'][] = $prefix . '' . $tag['term'] . '';
- $return['tags'][] = $prefix . '' . $tag['term'] . '';
+ $return['hashtags'][] = $prefix . '' . htmlspecialchars($tag['term']) . '';
+ $return['tags'][] = $prefix . '' . htmlspecialchars($tag['term']) . '';
break;
case self::MENTION:
$tag['url'] = Contact::magicLink($tag['url']);
- $return['mentions'][] = $prefix . '' . $tag['term'] . '';
- $return['tags'][] = $prefix . '' . $tag['term'] . '';
+ $return['mentions'][] = $prefix . '' . htmlspecialchars($tag['term']) . '';
+ $return['tags'][] = $prefix . '' . htmlspecialchars($tag['term']) . '';
break;
case self::IMPLICIT_MENTION:
$return['implicit_mentions'][] = $prefix . $tag['term'];
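Review bot: The `IMPLICIT_MENTION` branch on the last line of the hunk still appends `$prefix . $tag['term']` unescaped, while the `HASHTAG` and `MENTION` branches now pass the term through `htmlspecialchars()`. Whether `implicit_mentions` is ever rendered as HTML is not visible from this hunk; if it is, the same markup-injection risk remains there, so either escape it the same way, `$return['implicit_mentions'][] = $prefix . htmlspecialchars($tag['term']);`, or add a comment stating that consumers treat the value as plain text and escape it on output. The new calls also rely on the default flags, which differ between PHP versions (single quotes are escaped by default only since 8.1); passing `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly would make the result independent of the runtime. The `switch` continues past the last line shown, so any later branches that emit `$tag['term']` should get the same check.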