diff --git a/app/models/article.rb b/app/models/article.rb
index 08fd31c..c91440c 100644
--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -1,5 +1,8 @@
 class Article < ActiveRecord::Base
 
+  # xss_terminate plugin can't sanitize array fields
+  before_save :sanitize_tag_list
+
   belongs_to :profile
   validates_presence_of :profile_id, :name, :slug, :path
 
@@ -109,4 +112,11 @@ class Article < ActiveRecord::Base
     true
   end
 
+  private
+
+  def sanitize_tag_list
+    sanitizer = HTML::FullSanitizer.new
+    self.tag_list.names.map!{|i| sanitizer.sanitize(i) }
+  end
+
 end
diff --git a/test/functional/cms_controller_test.rb b/test/functional/cms_controller_test.rb
index 8f11b7a..0165794 100644
--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -303,4 +303,9 @@ class CmsControllerTest < Test::Unit::TestCase
     assert_equal "<b>the</b>  <strong>of</strong> article ...", assigns(:article).body
   end
 
+  should 'sanitize tags' do
+    post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'a test article', :body => 'the text of the article ...', :tag_list => 'tag1, <strong>tag2</strong>' }
+    assert_sanitized assigns(:article).tag_list.names.join(', ')
+  end
+
 end
--
libgit2 0.21.2