diff --git a/app/views/comment/_comment.html.erb b/app/views/comment/_comment.html.erb
index 4e7aba4..1b02084 100644
--- a/app/views/comment/_comment.html.erb
+++ b/app/views/comment/_comment.html.erb
@@ -38,10 +38,10 @@
       <div class="comment-created-at">
         <%= show_time(comment.created_at) %>
       </div>
-      <h4><%= comment.title.blank? && '&nbsp;' || comment.title %></h4>
+      <h4><%= comment.title.blank? && '&nbsp;' || sanitize(comment.title) %></h4>
       <div class="comment-text">
         <p/>
-        <%= txt2html comment.body %>
+        <%= txt2html sanitize(comment.body) %>
       </div>
       <%= @plugins.dispatch(:comment_extra_contents, local_assigns).collect { |content| instance_exec(&content) }.join("") %>
     </div>
--
libgit2 0.21.2