diff --git a/app/assets/javascripts/discourse/helpers/cook-text.js.es6 b/app/assets/javascripts/discourse/helpers/cook-text.js.es6
index c7acadce1b1..a3756c3bd5b 100644
--- a/app/assets/javascripts/discourse/helpers/cook-text.js.es6
+++ b/app/assets/javascripts/discourse/helpers/cook-text.js.es6
@@ -1,6 +1,6 @@
 import registerUnbound from 'discourse/helpers/register-unbound';
 registerUnbound('cook-text', function(text) {
- return new Handlebars.SafeString(Discourse.Markdown.cook(text));
+ return new Handlebars.SafeString(Discourse.Markdown.cook(text, {sanitize: true}));
 });
diff --git a/app/assets/javascripts/discourse/routes/queued-posts.js.es6 b/app/assets/javascripts/discourse/routes/queued-posts.js.es6
index 2b39cb537c2..32706c9a6c3 100644
--- a/app/assets/javascripts/discourse/routes/queued-posts.js.es6
+++ b/app/assets/javascripts/discourse/routes/queued-posts.js.es6
@@ -1,6 +1,13 @@
+import loadScript from 'discourse/lib/load-script';
 import DiscourseRoute from 'discourse/routes/discourse';
 export default DiscourseRoute.extend({
+
+ // this route requires the sanitizer
+ beforeModel() {
+ loadScript('defer/html-sanitizer-bundle');
+ },
+
 model() {
 return this.store.find('queuedPost', {status: 'new'});
 },
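Review bot: Nothing in the `cook-text` helper checks that the sanitizer is available when `cook` runs, yet the result is wrapped in `Handlebars.SafeString`, which turns off template escaping, so the `sanitize` option is the only thing between the text and the DOM. The other file in this commit loads `defer/html-sanitizer-bundle` from a single route, which suggests the sanitizer is a deferred bundle; any other template using `cook-text` would then depend on its own route having loaded it. What `cook` does with `{sanitize: true}` when the bundle is missing is not visible here and should be confirmed to fail closed. At minimum I would add a comment above the return: `// SafeString disables escaping: safe only because cook() sanitizes; the route must load the sanitizer bundle first`.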
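Review bot: `beforeModel()` calls `loadScript('defer/html-sanitizer-bundle')` but does not return its result, so the transition does not wait for the bundle. If `loadScript` returns a promise, as an asynchronous loader presumably does, the template can render and run `cook-text` before the sanitizer has loaded, which defeats the purpose of the hook. Change the line to `return loadScript('defer/html-sanitizer-bundle');` so Ember holds the transition until the script is in place. The `DiscourseRoute.extend({ ... })` object continues past the end of the hunk.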