diff --git a/app/assets/javascripts/discourse/app/lib/render-tag.js b/app/assets/javascripts/discourse/app/lib/render-tag.js
index 418b37f1b4a..d0fbb81515e 100644
--- a/app/assets/javascripts/discourse/app/lib/render-tag.js
+++ b/app/assets/javascripts/discourse/app/lib/render-tag.js
@@ -2,6 +2,7 @@ import User from "discourse/models/user";
 import { escapeExpression } from "discourse/lib/utilities";
 import getURL from "discourse-common/lib/get-url";
 import { helperContext } from "discourse-common/lib/helpers";
+import { escape } from "pretty-text/sanitizer";
 
 let _renderer = defaultRenderTag;
 
@@ -44,7 +45,7 @@ export function defaultRenderTag(tag, params) {
     href +
     " data-tag-name=" +
     tag +
-    (params.description ? ' title="' + params.description + '" ' : "") +
+    (params.description ? ' title="' + escape(params.description) + '" ' : "") +
     " class='" +
     classes.join(" ") +
     "'>" +