diff --git a/lib/cooked_post_processor.rb b/lib/cooked_post_processor.rb
index f4249cecde..dc041acfee 100644
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@@ -269,9 +269,9 @@ class CookedPostProcessor
informations = "#{original_width}x#{original_height}"
informations << " #{number_to_human_size(upload.filesize)}" if upload
- a["title"] = img["title"] || filename
+ a["title"] = CGI.escapeHTML(img["title"] || filename)
- meta.add_child create_span_node("filename", img["title"] || filename)
+ meta.add_child create_span_node("filename", a["title"])
meta.add_child create_span_node("informations", informations)
meta.add_child create_span_node("expand")
end
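Review bot: The escaped value is assigned to a Nokogiri attribute on the line `a["title"] = CGI.escapeHTML(img["title"] || filename)`, and Nokogiri already escapes attribute values when it serializes the node, so the `title` attribute is likely to come out double-escaped (a filename `>.png` rendering as `&amp;gt;.png`) while the text content is the only place that needed escaping. It would be safer to keep the raw value on the attribute and escape only where the string is inserted as markup: `a["title"] = img["title"] || filename` followed by `meta.add_child create_span_node("filename", CGI.escapeHTML(a["title"]))`. This presumes create_span_node builds its content as markup rather than via `content=`; its implementation is not in the hunk, so confirm that, and if it sets text content instead, no escaping is needed on either line. The enclosing method begins and ends outside this hunk.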
diff --git a/spec/components/cooked_post_processor_spec.rb b/spec/components/cooked_post_processor_spec.rb
index 7d5a5f0b1d..74a1b0e850 100644
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@@ -160,6 +160,14 @@ describe CookedPostProcessor do
expect(cpp).to be_dirty
end
+ it "should escape the filename" do
+ upload.update_attributes!(original_filename: ">.png")
+ cpp.post_process_images
+ expect(cpp.html).to match_html "