diff --git a/src/main/java/org/olat/ims/qti21/ui/components/_content/textEntryInteraction.html b/src/main/java/org/olat/ims/qti21/ui/components/_content/textEntryInteraction.html
index 40cd9f5128a363d34d7c2dd6740b792ea39b90b5..09f643c8bbccfceb2073e13c6327ce98a1d2c76e 100644
--- a/src/main/java/org/olat/ims/qti21/ui/components/_content/textEntryInteraction.html
+++ b/src/main/java/org/olat/ims/qti21/ui/components/_content/textEntryInteraction.html
@@ -8,7 +8,7 @@
 #set($checkJavaScript = $r.checkJavaScript($responseDeclaration,$interaction.patternmask))
 <input name="qtiworks_presented_${responseIdentifier}" type="hidden" value="1"/>
 <span class="$localName">
-	<input id="od_${responseIdentifier}" type="text" name="qtiworks_response_${responseIdentifier}" #if($responseInputString && !$responseInputString.isEmpty()) value="$responseInputString" #else value="" #end #if(!$r.isItemSessionEnded()) $r.placeholder($interaction) #end #if($r.isItemSessionEnded()) disabled #end #if($isBadResponse) class='badResponse' #end #if($interaction.expectedLength) size='$interaction.expectedLength' #end #if($checks && $checks.size() > 0) onchange='$checkJavaScript' #end autocomplete="off"/>
+	<input id="od_${responseIdentifier}" type="text" name="qtiworks_response_${responseIdentifier}" #if($responseInputString && !$responseInputString.isEmpty()) value="$r.escapeHtml($responseInputString)" #else value="" #end #if(!$r.isItemSessionEnded()) $r.placeholder($interaction) #end #if($r.isItemSessionEnded()) disabled #end #if($isBadResponse) class='badResponse' #end #if($interaction.expectedLength) size='$interaction.expectedLength' #end #if($checks && $checks.size() > 0) onchange='$checkJavaScript' #end autocomplete="off"/>
 	#if($isBadResponse)
         <span class="badResponse">
 		#if($responseDeclaration.cardinality.toQtiString() == "record")
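Review bot: On the changed `<input>` line only `$responseInputString` is now encoded; `$checkJavaScript` is still written raw into the single-quoted `onchange='…'` attribute, and `$r.placeholder($interaction)` is still emitted as raw attribute text. `$checkJavaScript` is built from `$interaction.patternmask`, which is authored item content, so a quote character in the mask could end the attribute early unless `checkJavaScript` encodes it internally; the hunk does not show whether it does. If it does not, the same helper could be applied there, e.g. `onchange='$r.escapeHtml($checkJavaScript)'`. It is also worth confirming that `$r.escapeHtml` encodes `"` and `'` as well as `<`, `>` and `&`, because the escaped value lands inside a double-quoted attribute. A short Velocity comment above the tag, such as `## responseInputString is candidate input: keep it attribute-escaped`, would help keep the call from being dropped in a later edit.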