diff --git a/code/CMSMenuItem.php b/code/CMSMenuItem.php
index d11f0f287..ef3f49fb1 100644
--- a/code/CMSMenuItem.php
+++ b/code/CMSMenuItem.php
@@ -108,7 +108,11 @@ public function getAttributesHTML($attrs = null)
 $parts = array();
 foreach ($attrs as $name => $value) {
- $parts[] = ($value === true) ? "{$name}=\"{$name}\"" : "{$name}=\"" . Convert::raw2att($value) . "\"";
+ if ($value === true) {
+ $value = $name;
+ }
+
+ $parts[] = sprintf('%s="%s"', Convert::raw2att($name), Convert::raw2att($value));
 }
 /** @var DBHTMLText $fragment */
diff --git a/tests/php/CMSMenuItemTest.php b/tests/php/CMSMenuItemTest.php
index 5a0ac37b1..7db9f964e 100644
--- a/tests/php/CMSMenuItemTest.php
+++ b/tests/php/CMSMenuItemTest.php
@@ -43,5 +43,8 @@ public function testAttributes()
 (string)$menuItem->getAttributesHTML('data-foo'),
 'getAttributesHTML() ignores a string argument and falls back to class property'
 );
+
+ $menuItem->setAttributes(['' => '']);
+ $this->assertNotContains('', $menuItem->getAttributesHTML(), 'Html is escaped for both name and value');
 }
 }
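Review bot: Entity-encoding the attribute name on the new `sprintf` line neutralises quotes and angle brackets in `$name`, but it does not make `$name` a valid attribute name. Whitespace, `=` and `/` pass through `Convert::raw2att()` unchanged (assuming it is the usual htmlspecialchars-style encoder), so a name containing a space would still be parsed by the browser as more than one attribute. Because a name cannot be meaningfully escaped, I would skip or reject anything outside an allow-list at the top of the loop, e.g. `if (!preg_match('/^[A-Za-z_:][A-Za-z0-9_.:-]*$/', (string)$name)) { continue; }`. A value of `false` or `null` also still renders as `name=""` instead of omitting the attribute, which deserves a short comment if it is intended. getAttributesHTML() begins and ends outside this hunk, so where the keys of `$attrs` come from is not visible here.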
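Review bot: The added assertion cannot demonstrate escaping as it is shown here, because both the attribute array and the needle are empty strings, and an empty needle says nothing about whether markup characters were encoded (the original literals may have been lost when this page was rendered). The test would be stronger with a name and a value that each contain a quote and an angle bracket, asserting that the raw form is absent and also that the encoded form is present, e.g. `$html = (string)$menuItem->getAttributesHTML();` followed by `$this->assertContains($expectedEscaped, $html);`. The `(string)` cast matters: the assertion just above casts the result, while the new line passes the return value straight to `assertNotContains`, which may not be a plain string if the method returns the `DBHTMLText` fragment hinted at in the first file. testAttributes() starts outside the hunk.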