diff --git a/application/dashlet.class.inc.php b/application/dashlet.class.inc.php
index e22b02525..63a1f9413 100644
--- a/application/dashlet.class.inc.php
+++ b/application/dashlet.class.inc.php
@@ -849,6 +849,7 @@ class DashletPlainText extends Dashlet
 public function Render($oPage, $bEditMode = false, $aExtraParams = array()) {
 $sText = $this->aProperties['text'];
+ $sText = utils::EscapeHtml($sText);
 $sText = str_replace(array("\r\n", "\n", "\r"), "
", $sText);
 $sId = 'plaintext_'.($bEditMode ? 'edit_' : '').$this->sId;
diff --git a/templates/base/components/dashlet/dashlet-plain-text.html.twig b/templates/base/components/dashlet/dashlet-plain-text.html.twig
index c4e372de6..619c646b5 100644
--- a/templates/base/components/dashlet/dashlet-plain-text.html.twig
+++ b/templates/base/components/dashlet/dashlet-plain-text.html.twig
@@ -1,5 +1,8 @@
 {# @copyright Copyright (C) 2010-2021 Combodo SARL #}
 {# @license http://opensource.org/licenses/AGPL-3.0 #}
 {% apply spaceless %}
-
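Review bot: The new `utils::EscapeHtml($sText)` call is only safe because it runs before the `str_replace` that turns newlines into line-break markup, and nothing in the hunk records that ordering or the fact that the Twig template in the second hunk (`dashlet-plain-text.html.twig`) now prints `GetText()` with `|raw` on the strength of this one call, presumably receiving the same `$sText`. A comment on the added line would pin both invariants: `// Escape first: the line-break markup inserted below must stay unescaped, and the Twig template renders GetText() with |raw, so this is the only escaping step`. Swapping the two statements would show the break markup as literal text, and escaping again elsewhere would double-encode the value, so the dependency is worth stating where a later refactor will read it. Render's body continues past the hunk.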
{{ oUIBlock.GetText() }}
+
+ {# |raw filter is ok here as the escaping is already done by the \DashletPlainText class itself #}
+ {{ oUIBlock.GetText()|raw }}
+
 {% endapply %}
\ No newline at end of file