diff --git a/src/controllers/admin/postqueue.js b/src/controllers/admin/postqueue.js
index 66ce1e237f..0105445a90 100644
--- a/src/controllers/admin/postqueue.js
+++ b/src/controllers/admin/postqueue.js
@@ -1,6 +1,7 @@
 'use strict';
 var async = require('async');
+var validator = require('validator');
 var db = require('../../database');
 var user = require('../../user');
@@ -81,6 +82,7 @@ function getQueuedPosts(ids, callback) {
 async.map(postData, function (postData, next) {
 postData.data.rawContent = postData.data.content;
+ postData.data.title = validator.escape(String(postData.data.title));
 async.waterfall([
 function (next) {
 if (postData.data.cid) {
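Review bot: `String(postData.data.title)` in the second hunk turns a missing title into the literal text "undefined", so any queued entry stored without a title would show that word in the admin queue; the `if (postData.data.cid)` check just below hints that not every entry is a new topic, though that is inferred from the hunk alone. Guarding the value keeps the escaping and avoids the artefact: `postData.data.title = validator.escape(String(postData.data.title || ''));`. A short comment such as `// title is user-supplied; escape it before it reaches the admin queue view` would record why the field is overwritten in place, and it is worth confirming the view does not escape the field a second time, which would double-encode entities. The `async.map` callback continues past the end of the hunk, so later uses of `title` are not visible here.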