diff --git a/app/assets/javascripts/admin/models/staff_action_log.js b/app/assets/javascripts/admin/models/staff_action_log.js
index e4fc6ecaa62..3b2f2a733fc 100644
--- a/app/assets/javascripts/admin/models/staff_action_log.js
+++ b/app/assets/javascripts/admin/models/staff_action_log.js
@@ -22,14 +22,14 @@ Discourse.StaffActionLog = Discourse.Model.extend({
       formatted += this.format('admin.logs.staff_actions.previous_value', 'previous_value');
     }
     if (!this.get('useModalForDetails')) {
-      if (this.get('details')) formatted += this.get('details') + '<br/>';
+      if (this.get('details')) formatted += Handlebars.Utils.escapeExpression(this.get('details')) + '<br/>';
     }
     return formatted;
   }.property('ip_address', 'email'),
 
   format: function(label, propertyName) {
     if (this.get(propertyName)) {
-      return ('<b>' + I18n.t(label) + ':</b> ' + this.get(propertyName) + '<br/>');
+      return ('<b>' + I18n.t(label) + ':</b> ' + Handlebars.Utils.escapeExpression(this.get(propertyName)) + '<br/>');
     } else {
       return '';
     }