sn · sn · Nov 8, 2025 · Nov 8, 2025
diff --git a/src/ydnatl/core/element.py b/src/ydnatl/core/element.py
@@ -2,6 +2,7 @@
 import copy
 import os
 import functools
+import html
 
 from typing import Callable, Any, Iterator, Union, List
 
@@ -225,7 +226,7 @@ def self_closing(self, value: bool) -> None:
     def _render_attributes(self) -> str:
         """Returns a string of HTML attributes for the tag."""
         attr_str = " ".join(
-            f'{("class" if k == "class_name" else k)}="{v}"'
+            f'{("class" if k == "class_name" else k)}="{html.escape(str(v), quote=True)}"'
             for k, v in self._attributes.items()
         )
         return f" {attr_str}" if attr_str else ""
@@ -240,7 +241,8 @@ def render(self) -> str:
             result = f"{tag_start} />"
         else:
             children_html = "".join(child.render() for child in self._children)
-            result = f"{tag_start}>{self._text}{children_html}</{self._tag}>"
+            escaped_text = html.escape(self._text)
+            result = f"{tag_start}>{escaped_text}{children_html}</{self._tag}>"
 
         if hasattr(self, "_prefix") and self._prefix:
             result = f"{self._prefix}{result}"

diff --git a/tests/test_element.py b/tests/test_element.py
@@ -218,6 +218,32 @@ def test_to_dict(self):
         self.assertIsInstance(el1.to_dict(), dict)
         self.assertEqual(el1.to_dict(), should_be)
 
+    def test_html_escaping_text_content(self):
+        """Test that text content is properly escaped to prevent XSS."""
+        malicious_text = '<script>alert("XSS")</script>'
+        element = HTMLElement(malicious_text, tag="div")
+        rendered = str(element)
+        self.assertIn("&lt;script&gt;", rendered)
+        self.assertIn("&lt;/script&gt;", rendered)
+        self.assertNotIn("<script>", rendered)
+        self.assertNotIn("</script>", rendered)
+
+    def test_html_escaping_attribute_values(self):
+        """Test that attribute values are properly escaped to prevent XSS."""
+        malicious_attr = '"><script>alert("XSS")</script><div id="'
+        element = HTMLElement(tag="div", id=malicious_attr)
+        rendered = str(element)
+        self.assertIn("&quot;", rendered)
+        self.assertIn("&lt;script&gt;", rendered)
+        self.assertNotIn('"><script>', rendered)
+
+    def test_html_escaping_normal_content(self):
+        """Test that normal content is not affected by escaping."""
+        normal_text = "Hello, World!"
+        element = HTMLElement(normal_text, tag="p")
+        rendered = str(element)
+        self.assertEqual(rendered, f"<p>{normal_text}</p>")
+
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/tests/test_text.py b/tests/test_text.py
@@ -169,7 +169,8 @@ def test_code(self):
         """Test the creation of a code element."""
         code = Code("print('Hello, World!')")
         self.assertEqual(code.tag, "code")
-        self.assertEqual(str(code), "<code>print('Hello, World!')</code>")
+        # Single quotes are escaped for security (&#x27;)
+        self.assertEqual(str(code), "<code>print(&#x27;Hello, World!&#x27;)</code>")
 
     def test_attributes(self):
         """Test the addition of attributes to text elements."""