diff --git a/app/assets/javascripts/discourse/lib/lightbox.js.es6 b/app/assets/javascripts/discourse/lib/lightbox.js.es6
index 96630d05059..4f6f0d8451d 100644
--- a/app/assets/javascripts/discourse/lib/lightbox.js.es6
+++ b/app/assets/javascripts/discourse/lib/lightbox.js.es6
@@ -1,4 +1,5 @@
 import loadScript from 'discourse/lib/load-script';
+import { escapeExpression } from 'discourse/lib/utilities';
 
 export default function($elem) {
   $("a.lightbox", $elem).each(function(i, e) {
@@ -33,7 +34,7 @@ export default function($elem) {
         image: {
           titleSrc(item) {
             const href = item.el.data("download-href") || item.src;
-            let src = [item.el.attr("title"), $("span.informations", item.el).text().replace('x', '×')];
+            let src = [escapeExpression(item.el.attr("title")), $("span.informations", item.el).text().replace('x', '×')];
             if (!Discourse.SiteSettings.prevent_anons_from_downloading_files || Discourse.User.current()) {
               src.push('<a class="image-source-link" href="' + href + '">' + I18n.t("lightbox.download") + '</a>');
             }