diff --git a/app/assets/javascripts/discourse/components/d-editor.js.es6 b/app/assets/javascripts/discourse/components/d-editor.js.es6
index 4d8061c6e6e..879cb9c6434 100644
--- a/app/assets/javascripts/discourse/components/d-editor.js.es6
+++ b/app/assets/javascripts/discourse/components/d-editor.js.es6
@@ -29,7 +29,7 @@ export default Ember.Component.extend({
 preview(ready, value) {
 if (!ready) { return; }
- const text = Discourse.Dialect.cook(value || "", {});
+ const text = Discourse.Dialect.cook(value || "", {sanitize: true});
 return text ? text : "";
 },
diff --git a/test/javascripts/components/d-editor-test.js.es6 b/test/javascripts/components/d-editor-test.js.es6
index 7ae1c782393..f27607499c1 100644
--- a/test/javascripts/components/d-editor-test.js.es6
+++ b/test/javascripts/components/d-editor-test.js.es6
@@ -19,6 +19,17 @@ componentTest('preview updates with markdown', {
 }
 });
+componentTest('preview sanitizes HTML', {
+ template: '{{d-editor value=value}}',
+
+ test(assert) {
+ this.set('value', `">`);
+ andThen(() => {
+ assert.equal(this.$('.d-editor-preview').html().trim(), '
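Review bot: The `{sanitize: true}` option is switched on at this single call site in `preview`, so any other caller of `Discourse.Dialect.cook` that still passes `{}` keeps producing unsanitized HTML; if cook's default really is to skip sanitizing (cook is outside this diff, so that is inferred), flipping it to sanitize-by-default with an explicit opt-out would close the whole class of regression rather than this one instance. The new line also carries no explanation of why the flag matters, which makes it easy for a later refactor to drop; a comment such as `// sanitize: the preview is user-authored markup rendered into the DOM, so raw HTML must be stripped here` on the line above the cook() call would document the intent. As a style point, `return text ? text : "";` reads more simply as `return text || "";`.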

\">

'); + }); + } +}); + componentTest('updating the value refreshes the preview', { template: '{{d-editor value=value}}',