diff --git a/_test/tests/inc/html_secedit_pattern.test.php b/_test/tests/inc/html_secedit_pattern.test.php
index ca161588577056b2a64098b5d0cd49bbb4d2a9db..fd703996fdda9c52da07ef53d84cea3dc4e9fe40 100644
--- a/_test/tests/inc/html_secedit_pattern.test.php
+++ b/_test/tests/inc/html_secedit_pattern.test.php
@@ -56,4 +56,15 @@ class html_scedit_pattern_test extends DokuWikiTest {
         }
     }
 
+    public function testSecEditHTMLInjection() {
+        $ins = p_get_instructions("====== Foo ======\n\n===== } --> <script> =====\n\n===== Bar =====\n");
+        $info = array();
+        $xhtml = p_render('xhtml', $ins, $info);
+
+        $this->assertNotNull($xhtml);
+
+        $xhtml_without_secedit = html_secedit($xhtml, false);
+
+        $this->assertFalse(strpos($xhtml_without_secedit, '<script>'), 'Plain <script> tag found in output - HTML/JS injection might be possible!');
+    }
 }
diff --git a/inc/html.php b/inc/html.php
index 11a204eb8a72043eff69c2b0f07a390f49c2d543..a096102dc73a683c6b497873403a44c1e459b589 100644
--- a/inc/html.php
+++ b/inc/html.php
@@ -118,7 +118,8 @@ function html_secedit($text,$show=true){
  * @triggers HTML_SECEDIT_BUTTON
  */
 function html_secedit_button($matches){
-    $data = json_decode($matches[1], true);
+    $json = htmlspecialchars_decode($matches[1], ENT_QUOTES);
+    $data = json_decode($json, true);
     if ($data == NULL) {
         return;
     }
diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index df436e0e6ff4462952ad136e297ebc51c510f0c1..a1ce1fce005cbf75f6a7a8eaf941412a1fd448d3 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -103,7 +103,7 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
         }
         $data['range'] = $data['start'].'-'.(is_null($end) ? '' : $end);
         unset($data['start']);
-        $this->doc .= '<!-- EDIT'.json_encode ($data).' -->';
+        $this->doc .= '<!-- EDIT'.hsc(json_encode ($data)).' -->';
     }
 
     /**