diff --git a/public/src/modules/pictureCropper.js b/public/src/modules/pictureCropper.js
index 5a02962d1a..60e7f2708c 100644
--- a/public/src/modules/pictureCropper.js
+++ b/public/src/modules/pictureCropper.js
@@ -33,7 +33,7 @@ define('pictureCropper', ['translator', 'cropper', 'benchpress'], function (tran
 module.handleImageCrop = function (data, callback) {
 $('#crop-picture-modal').remove();
 Benchpress.parse('modals/crop_picture', {
- url: data.url,
+ url: utils.escapeHTML(data.url),
 }, function (cropperHtml) {
 translator.translate(cropperHtml, function (translated) {
 var cropperModal = $(translated);
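Review bot: `utils.escapeHTML` is called in `handleImageCrop`, but the `define` dependency list visible in the hunk header names only `translator`, `cropper` and `benchpress`, so the call relies on a global `utils` existing when this module runs; if that is not guaranteed, the crop modal would throw instead of being protected. Entity-escaping keeps `data.url` from breaking out of the markup that `$(translated)` later parses, but it does not constrain the URL's scheme or origin, and the escaped value still passes through `translator.translate`, so it is worth confirming that translation-token syntax inside the URL is neutralised as well. A short comment at the call would record the intent, e.g. `// data.url may be user-controlled; escape it before it reaches the modal markup`. The body of `handleImageCrop` continues past the end of the hunk.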