diff --git a/public/src/ajaxify.js b/public/src/ajaxify.js
index 26576dabbd..2ee4836fb6 100644
--- a/public/src/ajaxify.js
+++ b/public/src/ajaxify.js
@@ -223,7 +223,7 @@ ajaxify = window.ajaxify || {};
 	}
 
 	function updateTags() {
-		var metaWhitelist = ['title', 'description', /og:.+/, /article:.+/].map(function (val) {
+		var metaWhitelist = ['title', 'description', /og:.+/, /article:.+/, 'robots'].map(function (val) {
 			return new RegExp(val);
 		});
 		var linkWhitelist = ['canonical', 'alternate', 'up'];
diff --git a/src/topics/thumbs.js b/src/topics/thumbs.js
index 48520d4f81..cd0a93f3cd 100644
--- a/src/topics/thumbs.js
+++ b/src/topics/thumbs.js
@@ -64,7 +64,8 @@ async function getThumbs(set) {
 	if (cached !== undefined) {
 		return cached.slice();
 	}
-	const thumbs = await db.getSortedSetRange(set, 0, -1);
+	let thumbs = await db.getSortedSetRange(set, 0, -1);
+	thumbs = thumbs.map(t => validator.escape(String(t)));
 	cache.set(set, thumbs);
 	return thumbs.slice();
 }