diff --git a/frappe/website/doctype/blog_post/blog_post.py b/frappe/website/doctype/blog_post/blog_post.py
index a20e9fa128..e4c757e64b 100644
--- a/frappe/website/doctype/blog_post/blog_post.py
+++ b/frappe/website/doctype/blog_post/blog_post.py
@@ -7,7 +7,7 @@
 from frappe import _
 from frappe.website.website_generator import WebsiteGenerator
 from frappe.website.render import clear_cache
-from frappe.utils import today, cint, global_date_format, get_fullname, strip_html_tags, markdown
+from frappe.utils import today, cint, global_date_format, get_fullname, strip_html_tags, markdown, sanitize_html
 from frappe.website.utils import find_first_image, get_comment_list
 
 class BlogPost(WebsiteGenerator):
@@ -95,7 +95,7 @@ def get_list_context(context=None):
 		title = _('Blog')
 	)
 
-	category = frappe.local.form_dict.blog_category or frappe.local.form_dict.category
+	category = sanitize_html(frappe.local.form_dict.blog_category or frappe.local.form_dict.category)
 	if category:
 		category_title = get_blog_category(category)
 		list_context.sub_title = _("Posts filed under {0}").format(category_title)
@@ -107,7 +107,7 @@ def get_list_context(context=None):
 		list_context.title = blogger
 
 	elif frappe.local.form_dict.txt:
-		list_context.sub_title = _('Filtered by "{0}"').format(frappe.local.form_dict.txt)
+		list_context.sub_title = _('Filtered by "{0}"').format(sanitize_html(frappe.local.form_dict.txt))
 
 	if list_context.sub_title:
 		list_context.parents = [{"name": _("Home"), "route": "/"},
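Review bot: In the `category` hunk the sanitizer is applied to a lookup key rather than to the string that is displayed: `category` feeds `get_blog_category(category)` on the next line and only the returned `category_title` reaches `sub_title`, so the sanitizer can alter what is looked up (a name containing `&` or `<` may be rewritten) while the displayed value is guarded only if `get_blog_category` and the template already handle it. As I recall, sanitize_html keeps an allow-list of tags instead of escaping, so in the `txt` hunk a search term containing allowed markup still renders as markup if the template marks `sub_title` safe, and is double-escaped if the template autoescapes. For a plain-text category name or search term the precise transform is escaping at render time (Jinja autoescape, or an HTML-escape on the value placed into `sub_title`) while keeping the raw value for the lookup, i.e. `category = frappe.local.form_dict.blog_category or frappe.local.form_dict.category` followed by `list_context.sub_title = _("Posts filed under {0}").format(escape(category_title))`, and likewise escaping `frappe.local.form_dict.txt` instead of sanitizing it. get_list_context starts before and continues after both hunks, so whether the raw `txt` is also used for filtering outside the hunk cannot be confirmed here.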