diff --git a/src/inc/routes/tag_image.mjs b/src/inc/routes/tag_image.mjs
index fa0bee3..6c547c1 100644
--- a/src/inc/routes/tag_image.mjs
+++ b/src/inc/routes/tag_image.mjs
@@ -7,6 +7,21 @@ export default (router, tpl) => {
// Create a deterministic hash from the tag
const hash = crypto.createHash('md5').update(tag).digest('hex');
+ // Escape character for SVG
+ const escapeXml = (unsafe) => {
+ return unsafe.replace(/[<>&'"]/g, (c) => {
+ switch (c) {
+ case '<': return '<';
+ case '>': return '>';
+ case '&': return '&';
+ case '\'': return ''';
+ case '"': return '"';
+ }
+ });
+ };
+
+ const displayTag = escapeXml(tag);
+
// Generate colors from hash
const c1 = '#' + hash.substring(0, 6);
const c2 = '#' + hash.substring(6, 12);
@@ -27,7 +42,7 @@ export default (router, tpl) => {
- ${tag}
+ ${displayTag}
`.trim();