diff --git a/lib/redcarpet/render/gitlab_html.rb b/lib/redcarpet/render/gitlab_html.rb
index 321be9202ccf02e3b7f5f5d22f4fd286ee9379f9..5a87b230579a3a3a8cbf40f647398f681454ed68 100644
--- a/lib/redcarpet/render/gitlab_html.rb
+++ b/lib/redcarpet/render/gitlab_html.rb
@@ -1,5 +1,6 @@
-class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
+require 'active_support/core_ext/string/output_safety'
 
+class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
   attr_reader :template
   alias_method :h, :template
 
@@ -21,6 +22,7 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
   def normal_text(text)
     return text unless text.present?
 
+    text = ERB::Util.html_escape_once(text)
     text.gsub("'", "&rsquo;")
   end