diff --git a/app/assets/javascripts/app/views/publisher/mention_view.js b/app/assets/javascripts/app/views/publisher/mention_view.js index 2a1c65591956b20c5853741d79df232a6ab7813d..b8f6143f55c5e3334849a95d6c89c130648149da 100644 --- a/app/assets/javascripts/app/views/publisher/mention_view.js +++ b/app/assets/javascripts/app/views/publisher/mention_view.js @@ -91,7 +91,7 @@ app.views.PublisherMention = app.views.SearchBase.extend({ */ updateMessageTexts: function() { var fakeMessageText = this.inputBox.val(), - mentionBoxText = fakeMessageText, + mentionBoxText = _.escape(fakeMessageText), messageText = fakeMessageText; this.mentionedPeople.forEach(function(person) { diff --git a/features/desktop/posts_from_main_page.feature b/features/desktop/posts_from_main_page.feature index b81786b53af7c9bf949af4aa42ff5319f3d1cc74..1c51665dacf7824831b23a478e9407bfc35d19dd 100644 --- a/features/desktop/posts_from_main_page.feature +++ b/features/desktop/posts_from_main_page.feature @@ -196,6 +196,12 @@ Feature: posting from the main page And I select only "NotPostingThingsHere" aspect Then I should not see "I am eating a yogurt" and "And cornflakes also" + Scenario: Write html in the publisher + When I expand the publisher + Then I should not see any alert after I write the status message "<script>alert();</script>" + When I submit the publisher + Then "<script>alert();</script>" should be post 1 + # (NOTE) make this a jasmine spec Scenario: reject deletion one of my posts When I expand the publisher diff --git a/spec/javascripts/app/views/publisher_mention_view_spec.js b/spec/javascripts/app/views/publisher_mention_view_spec.js index a28a393e7e3516b4b713c0201df865f93dae426a..436e5e674adbb334b91de3f4c11afe8a797cb1cd 100644 --- a/spec/javascripts/app/views/publisher_mention_view_spec.js +++ b/spec/javascripts/app/views/publisher_mention_view_spec.js 
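Review bot: Escaping `fakeMessageText` covers only the typed text, while the `this.mentionedPeople.forEach` body that follows (outside the hunk) substitutes each person's markup into `mentionBoxText`, and the spec in this commit shows that markup reaching `.mentions` via `.html()` as `<strong><span>user1</span></strong>`. If the person's display name is interpolated there without its own `_.escape`, a name containing `<` or `"` — which comes from the remote pod, not from the local user — still lands in the DOM unescaped; confirm against the loop body. The reason the two copies now diverge is also worth stating, e.g. `// mentionBoxText is rendered with .html(), so escape it; messageText is submitted to the server verbatim.` above the `var`. updateMessageTexts starts in the hunk but its body continues past it.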
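Review bot: The new scenario uses a `<script>` payload, which only executes when the insertion path evaluates scripts (jQuery's `.html()` does, a bare `innerHTML` assignment does not), so a green run does not by itself demonstrate that the text was escaped; an event-handler payload such as `<img src=x onerror=alert()>` fires on either path and is the more robust regression check. The scenario also types markup alone, whereas the fixed code is the publisher's mention handling, so if a mention step is available, a message combining markup and a mention (`<script>alert();</script> @user`) would exercise the changed branch end to end. The final `Then "<script>alert();</script>" should be post 1` presumably checks that the stored text round-trips unescaped, which is the right companion assertion to keep.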
@@ -197,6 +197,13 @@ describe("app.views.PublisherMention", function() { expect(this.view.mentionsBox.find(".mentions").html()) .toBe("@user1 Text before <strong><span>user1</span></strong>\ntext after"); }); + + it("properly escapes the user input", function() { + this.view.inputBox.val("<img src=\"/default.png\"> @user1 Text before \u200Buser1\ntext after"); + this.view.updateMessageTexts(); + expect(this.view.mentionsBox.find(".mentions").html()) + .toBe("<img src=\"/default.png\"> @user1 Text before <strong><span>user1</span></strong>\ntext after"); + }); }); describe("updateTypeaheadInput", function() {
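Review bot: The new spec pins only the escaped `.mentions` HTML; the other half of the fix's contract — that `messageText`, the copy the view submits, stays unescaped (the mention_view.js hunk leaves `messageText = fakeMessageText`) — is not asserted, so a later change that escapes both copies would pass this test while storing `&lt;img ...&gt;` server-side. Add an assertion on whatever the view exposes for the message text (the existing updateMessageTexts specs above the hunk presumably read it) expecting the raw `<img src="/default.png"> @user1 Text before ...` string. A mentioned person whose name contains `<` is also uncovered here; the `user1` fixture is set up outside the hunk, so that case would need its own person entry.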