diff --git a/wp-includes/post-formats.php b/wp-includes/post-formats.php
index 5a2c1f7..d2a3853 100644
--- a/wp-includes/post-formats.php
+++ b/wp-includes/post-formats.php
@@ -747,7 +747,7 @@ function get_the_post_format_quote( &$post = null ) {
 	$meta = get_post_format_meta( $post->ID );
 
 	if ( ! empty( $meta['quote_source_name'] ) ) {
-		$source = ( empty( $meta['quote_source_url'] ) ) ? $meta['quote_source_name'] : sprintf( '<a href="%s">%s</a>', esc_url( $meta['quote_source_url'] ), $meta['quote_source_name'] );
+		$source = ( empty( $meta['quote_source_url'] ) ) ? esc_html( $meta['quote_source_name'] ) : sprintf( '<a href="%s">%s</a>', esc_url( $meta['quote_source_url'] ), esc_html( $meta['quote_source_name'] ) );
 		$source = sprintf( apply_filters( 'quote_source_format', __( '&#8212;&#160;%s' ) ), $source );
 		$quote .= sprintf( '<figcaption class="quote-caption">%s</figcaption>', $source );
 	}
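Review bot: The `esc_html()` call on `$meta['quote_source_name']` is repeated in both arms of the ternary on the changed line, so a later branch could miss it. Escaping once up front, `$name = esc_html( $meta['quote_source_name'] );`, and using `$name` in both arms keeps the escape-on-output in one place and shortens the line. The following line still uses the `quote_source_format` filter result (and the translated default) as the `sprintf()` format and emits it into the `<figcaption>` unescaped. A comment such as `// $source is escaped above; the filtered format string is treated as trusted markup.` would record that assumption. The function body starts and ends outside the hunk, so whether the quote text already accumulated in `$quote` is escaped cannot be confirmed from here.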
