diff --git a/app/assets/javascripts/discourse/components/post-gutter.js.es6 b/app/assets/javascripts/discourse/components/post-gutter.js.es6
index 13f0f728f48..056c48c1c1e 100644
--- a/app/assets/javascripts/discourse/components/post-gutter.js.es6
+++ b/app/assets/javascripts/discourse/components/post-gutter.js.es6
@@ -38,7 +38,10 @@ export default Em.Component.extend({
 
         buffer.push("<li><a href='" + Em.get(l, 'url') + "' class='track-link'>");
         buffer.push("<i class='fa fa-arrow-" + direction + "'></i>");
-        buffer.push(Em.get(l, 'title'));
+        var title = Em.get(l, 'title');
+        if (!Em.isEmpty(title)) {
+          buffer.push(Handlebars.Utils.escapeExpression(title));
+        }
         if (clicks) {
           buffer.push("<span class='badge badge-notification clicks'>" + clicks + "</span>");
         }
diff --git a/app/assets/javascripts/discourse/models/composer.js b/app/assets/javascripts/discourse/models/composer.js
index 060ab9a07bd..a53519cec05 100644
--- a/app/assets/javascripts/discourse/models/composer.js
+++ b/app/assets/javascripts/discourse/models/composer.js
@@ -403,7 +403,7 @@ Discourse.Composer = Discourse.Model.extend({
       var topic = this.get('topic');
       topic.setProperties({
         title: this.get('title'),
-        fancy_title: this.get('title'),
+        fancy_title: Handlebars.Utils.escapeExpression(this.get('title')),
         category_id: parseInt(this.get('categoryId'), 10)
       });
       topic.save();