diff --git a/app/assets/javascripts/application-legacy.js b/app/assets/javascripts/application-legacy.js
index 6bd315721..3294615a9 100644
--- a/app/assets/javascripts/application-legacy.js
+++ b/app/assets/javascripts/application-legacy.js
@@ -1348,7 +1348,7 @@ function inlineAutoComplete(element) {
 }
 },
 menuItemTemplate: function (user) {
- return user.original.name;
+ return sanitizeHTML(user.original.name);
 },
 selectTemplate: function (user) {
 return '@' + user.original.login;
diff --git a/test/system/inline_autocomplete_test.rb b/test/system/inline_autocomplete_test.rb
index 9bd5ac25c..9b5e11278 100644
--- a/test/system/inline_autocomplete_test.rb
+++ b/test/system/inline_autocomplete_test.rb
@@ -237,4 +237,20 @@ class InlineAutocompleteSystemTest < ApplicationSystemTestCase assert_equal '@jsmith ', find('#issue_notes').value end + + def test_inline_autocomplete_for_users_should_escape_html_elements + user = User.find(2) + user.update!(firstname: 'My Smith' + end + end end
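Review bot: The new `menuItemTemplate` passes `user.original.name` through `sanitizeHTML`, but nothing in the hunk says whether that helper escapes entities or strips tags, and the two behave differently when a display name legitimately contains `<` or `&`; a one-line comment at the call site would pin the intent, e.g. `// name is user-controlled and the menu renders it as HTML, so escape it`. `selectTemplate` just below still returns the raw `login`, which is presumably fine because it goes into the textarea value rather than into markup, but that distinction is worth stating in the same comment so the asymmetry is not "fixed" later. If other menu templates in this function render user-controlled fields they likely need the same treatment, though only this one is visible here. The enclosing `inlineAutoComplete` function starts and ends outside the hunk.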