diff --git a/lib/build.js b/lib/build.js
index 73edb45afa..8b4ba87182 100644
--- a/lib/build.js
+++ b/lib/build.js
@@ -7,6 +7,7 @@ module.exports = async function build (sourceDir, cliOptions = {}) {
 const webpack = require('webpack')
 const readline = require('readline')
 const { promisify } = require('util')
+ const escape = require('escape-html')
 const rimraf = promisify(require('rimraf'))
 const mkdirp = promisify(require('mkdirp'))
 const readFile = promisify(fs.readFile)
@@ -123,7 +124,7 @@ module.exports = async function build (sourceDir, cliOptions = {}) {
 function renderAttrs (attrs = {}) {
 const keys = Object.keys(attrs)
 if (keys.length) {
- return ' ' + keys.map(name => `${name}="${attrs[name]}"`).join(' ')
+ return ' ' + keys.map(name => `${name}="${escape(attrs[name])}"`).join(' ')
 } else {
 return ''
 }
@@ -162,7 +163,7 @@ module.exports = async function build (sourceDir, cliOptions = {}) {
 return meta.map(m => {
 let res = ` {
- res += ` ${key}="${m[key]}"`
+ res += ` ${key}="${escape(m[key])}"`
 })
 return res + `>`
 }).join('')
diff --git a/package.json b/package.json
index fc199cecc6..7a988b43cb 100644
--- a/package.json
+++ b/package.json
@@ -51,6 +51,7 @@
 "copy-webpack-plugin": "^4.5.1",
 "css-loader": "^0.28.11",
 "es6-promise": "^4.2.4",
+ "escape-html": "^1.0.3",
 "file-loader": "^1.1.11",
 "globby": "^8.0.1",
 "html-webpack-plugin": "^3.2.0",
diff --git a/yarn.lock b/yarn.lock
index 4ba91a7de7..15442de3ef 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1578,7 +1578,7 @@ es6-promise@^4.2.4:
 version "4.2.4"
 resolved "https://registry.yarnpkg.com/es6-promise/-/es6-promise-4.2.4.tgz#dc4221c2b16518760bd8c39a52d8f356fc00ed29"
-escape-html@~1.0.1:
+escape-html@^1.0.3, escape-html@~1.0.1:
 version "1.0.3"
 resolved "https://registry.yarnpkg.com/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988"
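Review bot: In the first lib/build.js hunk (`@@ -7,6 +7,7 @@`), binding the helper to the name `escape` shadows the legacy global `escape()` function, which percent-encodes rather than HTML-escapes. If a call such as `escape(value)` is later copied into a scope that lacks this require, it still runs without error and silently produces the wrong encoding. Naming the import for what it does avoids that: `const escapeHtml = require('escape-html')`, with the two call sites in the later hunks renamed to match.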
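Review bot: In `renderAttrs` (hunk `@@ -123,7 +124,7 @@`) only the attribute value goes through `escape()`; the attribute name `${name}` is still interpolated raw, and the same holds for `${key}` in the meta-tag hunk at `@@ -162,7 +163,7 @@`. If those keys can come from the same config or front-matter data as the values (their source is not visible in this diff), a key containing whitespace, quotes, `=` or `>` would still change the generated markup. Escaping is the wrong tool for names, so reject anything outside a conservative pattern before building the string, e.g. `if (!/^[A-Za-z_:][-\w:.]*$/.test(name)) throw new Error('invalid attribute name: ' + name)`. A small test that renders a value and a name containing `"` would pin both behaviours.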
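Review bot: The meta-tag loop in the hunk at `@@ -162,7 +163,7 @@` rebuilds the same `key="escaped value"` string that `renderAttrs` produces in the previous hunk, so there are now two escaping sites to keep in sync. Assuming `renderAttrs` is in scope here (both hunk headers place the code inside `build`), the `forEach` could be replaced by `res += renderAttrs(m)`, which yields the same leading-space, space-joined output. Any later hardening of attribute rendering would then land in one place. The function containing this loop starts and ends outside the hunk.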