diff --git a/app/components/shared/search_results_summary_component.rb b/app/components/shared/search_results_summary_component.rb
index cc95c691a..dc5fc8814 100644
--- a/app/components/shared/search_results_summary_component.rb
+++ b/app/components/shared/search_results_summary_component.rb
@@ -10,6 +10,10 @@ class Shared::SearchResultsSummaryComponent < ApplicationComponent
private
def summary
- sanitize(t("proposals.index.search_results", count: results.size, search_term: search_terms))
+ sanitize(t(
+ "proposals.index.search_results",
+ count: results.size,
+ search_term: strip_tags(search_terms)
+ ))
end
end
diff --git a/app/views/management/proposals/index.html.erb b/app/views/management/proposals/index.html.erb
index 549fc8f48..da89c1dbf 100644
--- a/app/views/management/proposals/index.html.erb
+++ b/app/views/management/proposals/index.html.erb
@@ -10,9 +10,9 @@
<% if @search_terms %>
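Review bot: `strip_tags(search_terms)` in the new `search_term:` argument is lossy where escaping would be exact: a term that merely resembles markup, such as `a<b`, is presumably reduced to `a` by the HTML parser behind strip_tags, and the result is only safe because the outer `sanitize` runs over it again. Since `sanitize`'s default allowlist is evidently what let the injected anchor through in the first place (the new spec asserts on `have_link`), escaping the single untrusted value, `search_term: ERB::Util.html_escape(search_terms)`, or moving the string to a `search_results_html` key so Rails escapes interpolations itself, would show users exactly what they typed and would not depend on the sanitizer's allowlist. Whether `strip_tags` entity-encodes characters like `<` and `&` in its output has varied across rails-html-sanitizer versions, so I would confirm that on the pinned version before relying on strip-then-sanitize.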

<%= page_entries_info @proposals %>
- <%= sanitize(
- t("proposals.index.search_results", count: @proposals.size, search_term: @search_terms)
- ) %>
+ <%= sanitize(t("proposals.index.search_results",
+ count: @proposals.size,
+ search_term: strip_tags(@search_terms))) %>

<% end %>
diff --git a/spec/system/html_injection_spec.rb b/spec/system/html_injection_spec.rb
new file mode 100644
index 000000000..5399354c9
--- /dev/null
+++ b/spec/system/html_injection_spec.rb
@@ -0,0 +1,36 @@
+require "rails_helper"
+
+describe "HTML injection protection" do
+ let(:attack_code) { "Click me" }
+ scenario "debates search" do
+ visit debates_path(search: attack_code)
+
+ expect(page).to have_content "containing the term 'Click me'"
+ expect(page).not_to have_link "Click me"
+ end
+
+ scenario "investments search" do
+ visit budget_investments_path(budget_id: create(:budget), search: attack_code)
+
+ expect(page).to have_content "containing the term 'Click me'"
+ expect(page).not_to have_link "Click me"
+ end
+
+ scenario "proposals search" do
+ visit proposals_path(search: attack_code)
+
+ expect(page).to have_content "containing the term 'Click me'"
+ expect(page).not_to have_link "Click me"
+ end
+
+ scenario "proposals search in the management area" do
+ login_managed_user(create(:user, :level_two))
+ login_as_manager
+
+ visit management_proposals_path(search: attack_code)
+
+ expect(page).to have_content "containing the term 'Click me'"
+ expect(page).not_to have_link "Click me"
+ end
+end
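Review bot: The management view now holds a second copy of the component's `sanitize(t("proposals.index.search_results", …, search_term: strip_tags(@search_terms)))` logic, so this HTML-injection fix has to be maintained in two places and the next variant of the bug is likely to be fixed in only one of them. If `Shared::SearchResultsSummaryComponent` can be given the proposals relation and the search terms (its constructor is not in this diff), rendering it here, `<%= render Shared::SearchResultsSummaryComponent.new(…) %>` with whatever arguments it takes, would remove the duplication; confirm its interface before adopting that line. The `<% if @search_terms %>` block is complete within the hunk, but the rest of the view is outside it.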
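Review bot: `expect(page).not_to have_link "Click me"` in each scenario only proves that an anchor was neutralized; it passes whether the term was stripped or escaped, and it says nothing about payloads other than an `a` element. As rendered here the `attack_code` literal reads only `Click me`, so its markup appears to have been lost in this page and I cannot check the payload itself. I would add a scenario for a term that merely resembles markup, e.g. `visit proposals_path(search: "a<b")` followed by `expect(page).to have_content "containing the term 'a<b'"`, which pins whether lossy tag stripping is acceptable for ordinary searches instead of leaving it implicit. A unit test with `render_inline(Shared::SearchResultsSummaryComponent.new(…))` would also pin the component directly rather than through three system scenarios.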