diff --git a/app/assets/javascripts/banners.js b/app/assets/javascripts/banners.js index d69066c92..9ae732ee4 100644 --- a/app/assets/javascripts/banners.js +++ b/app/assets/javascripts/banners.js @@ -4,12 +4,12 @@ initialize: function() { $("[data-js-banner-title]").on({ change: function() { - $("#js-banner-title").html($(this).val()); + $("#js-banner-title").text($(this).val()); } }); $("[data-js-banner-description]").on({ change: function() { - $("#js-banner-description").html($(this).val()); + $("#js-banner-description").text($(this).val()); } }); $("[name='banner[background_color]']").on({ diff --git a/app/assets/javascripts/markdown_editor.js b/app/assets/javascripts/markdown_editor.js index c0a587e31..7369c356f 100644 --- a/app/assets/javascripts/markdown_editor.js +++ b/app/assets/javascripts/markdown_editor.js @@ -33,10 +33,10 @@ editor.toggleClass("fullscreen"); $(".fullscreen-container").toggleClass("medium-8", "medium-12"); span = $(this).find("span"); - if (span.html() === span.data("open-text")) { - span.html(span.data("closed-text")); + if (span.text() === span.data("open-text")) { + span.text(span.data("closed-text")); } else { - span.html(span.data("open-text")); + span.text(span.data("open-text")); } if (editor.hasClass("fullscreen")) { App.MarkdownEditor.find_textarea(editor).height($(window).height() - 100); diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb index 71447c976..4852e3396 100644 --- a/spec/features/xss_spec.rb +++ b/spec/features/xss_spec.rb 
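Review bot: The `background_color` handler that begins on the hunk's last line is the remaining place in this initializer where a user-supplied value reaches the DOM, and its body is outside the hunk; if it writes the value through `.css()` or into an inline `style` string it deserves the same scrutiny as the two `.text()` fixes here. A why-comment would keep the next editor from reverting to `.html()` for "rich" titles, e.g. `// title/description are user input: .text() escapes, .html() would re-open the stored XSS`. The preview only updates on `change`, so the server-rendered initial content of `#js-banner-title` and `#js-banner-description` must be escaped by the template as well, which cannot be checked from here. The enclosing `initialize` function runs past the end of the hunk.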
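Review bot: `$(".fullscreen-container").toggleClass("medium-8", "medium-12")` on the hunk's second context line passes a string where jQuery expects the boolean `state` argument, so it is always truthy and the call only ever adds `medium-8` and never swaps the two widths; the intent looks like `$(".fullscreen-container").toggleClass("medium-8 medium-12");`, which toggles both classes. `span = $(this).find("span")` also assigns without `var`, which creates an implicit global unless `span` is declared above the hunk. The `.text()` switch is sound: with `.html()`, a label containing `&` or `<` read back entity-encoded and could never equal the raw `data-*` value, and any user-influenced label would have been injected as markup. The enclosing handler starts and ends outside the hunk.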
@@ -13,6 +13,18 @@ describe "Cross-Site Scripting protection", :js do expect(page.text).not_to be_empty end + scenario "edit banner" do + banner = create(:banner, title: attack_code) + + login_as(create(:administrator).user) + visit edit_admin_banner_path(banner) + + title_id = find_field("Title")[:id] + execute_script "document.getElementById('#{title_id}').dispatchEvent(new Event('change'))" + + expect(page.text).not_to be_empty + end + scenario "document title" do process = create(:legislation_process) create(:document, documentable: process, title: attack_code)
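Review bot: The new scenario only dispatches `change` on the "Title" field, so the description preview that `banners.js` fixes in the same commit stays uncovered; create the banner with `banner = create(:banner, title: attack_code, description: attack_code)`, look up the "Description" field the same way and dispatch the event on it too. `expect(page.text).not_to be_empty` appears to catch the payload only because the JS driver raises on an unexpected alert (that is the pattern of the surrounding scenarios; `attack_code` is defined outside the hunk), so asserting the preview shows the payload literally, e.g. `expect(page).to have_css("#js-banner-title", text: attack_code)`, would fail with a clear message if `.html()` ever came back. The enclosing `describe` block starts before the hunk.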