diff --git a/app/assets/javascripts/discourse/lib/markdown.js b/app/assets/javascripts/discourse/lib/markdown.js
index 6d5e2baac14..617192bb4c3 100644
--- a/app/assets/javascripts/discourse/lib/markdown.js
+++ b/app/assets/javascripts/discourse/lib/markdown.js
@@ -166,7 +166,7 @@ Discourse.Markdown = {
     var url = typeof(uri) === "string" ? uri : uri.toString();
 
     // escape single quotes
-    url = url.replace(/'/g, "'");
+    url = url.replace(/'/g, "%27");
 
     // whitelist some iframe only
     if (hints && hints.XML_TAG === "iframe" && hints.XML_ATTR === "src") {
diff --git a/test/javascripts/lib/markdown-test.js.es6 b/test/javascripts/lib/markdown-test.js.es6
index 868300c71ec..32991d40b16 100644
--- a/test/javascripts/lib/markdown-test.js.es6
+++ b/test/javascripts/lib/markdown-test.js.es6
@@ -458,7 +458,7 @@ test("urlAllowed", function() {
   allowed("//eviltrout.com/evil/trout", "allows protocol relative urls");
 
   equal(urlAllowed("http://google.com/test'onmouseover=alert('XSS!');//.swf"),
-        "http://google.com/test'onmouseover=alert('XSS!');//.swf",
+        "http://google.com/test%27onmouseover=alert(%27XSS!%27);//.swf",
         "escape single quotes");
 });
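Review bot: The new `url.replace(/'/g, "%27")` only neutralises the single quote, so a URL that ends up in a double-quoted attribute, or one containing `<`, `>` or a backtick, still passes through unchanged and the function keeps relying on whatever quoting the downstream serialiser applies; if that quoting is not guaranteed, the same one-line percent-encoding can cover the other attribute-breaking characters, e.g. `url = url.replace(/['"<>`]/g, function(c) { return "%" + c.charCodeAt(0).toString(16).toUpperCase(); });`. Note that `%27` is a URL percent-encoding rather than an HTML escape, so the comment `// escape single quotes` would be clearer as `// percent-encode single quotes so the URL cannot break out of a single-quoted attribute`. Because the replace is applied after any existing encoding, an input that already contains `%27` is not double-encoded, which is worth stating in the comment as well. The enclosing function (`Discourse.Markdown` member with `uri` and `hints` parameters) starts and ends outside the hunk.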
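Review bot: The updated expectation in the `urlAllowed` test pins only the raw single-quote case, so a regression that started double-encoding already-encoded input would go unnoticed; one more assertion next to it would close that gap, e.g. `equal(urlAllowed("http://google.com/test%27"), "http://google.com/test%27", "does not double-encode percent-encoded quotes");`. This assumes `urlAllowed` returns the (possibly rewritten) URL string, as the existing `equal` call implies. The `test("urlAllowed", ...)` body begins before the hunk.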