diff --git a/app/models/topic_embed.rb b/app/models/topic_embed.rb
index 306687ba7c5..39cab1a7983 100644
--- a/app/models/topic_embed.rb
+++ b/app/models/topic_embed.rb
@@ -29,6 +29,7 @@ class TopicEmbed < ActiveRecord::Base
   end
 
   def self.imported_from_html(url)
+    url = UrlHelper.normalized_encode(url)
     I18n.with_locale(SiteSetting.default_locale) do
       "\n<hr>\n<small>#{I18n.t("embed.imported_from", link: "<a href='#{url}'>#{url}</a>")}</small>\n"
     end
diff --git a/spec/models/topic_embed_spec.rb b/spec/models/topic_embed_spec.rb
index a15e4b13ab5..82ed4957e66 100644
--- a/spec/models/topic_embed_spec.rb
+++ b/spec/models/topic_embed_spec.rb
@@ -457,5 +457,15 @@ RSpec.describe TopicEmbed do
       I18n.locale = :de
       expect(TopicEmbed.imported_from_html("some_url")).to eq(expected_html)
     end
+
+    it "normalize_encodes the url" do
+      html =
+        TopicEmbed.imported_from_html(
+          'http://www.discourse.org/%23<%2Fa><img%20src%3Dx%20onerror%3Dalert("document.domain")%3B>',
+        )
+      expected_html =
+        "\n<hr>\n<small>This is a companion discussion topic for the original entry at <a href='http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E'>http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E</a></small>\n"
+      expect(html).to eq(expected_html)
+    end
   end
 end