diff --git a/lib/mobilizon_web/api/events.ex b/lib/mobilizon_web/api/events.ex
index cfc9ce9d..64a9fb4e 100644
--- a/lib/mobilizon_web/api/events.ex
+++ b/lib/mobilizon_web/api/events.ex
@@ -73,7 +73,7 @@ defmodule MobilizonWeb.API.Events do
defp prepare_args(args) do
with %Actor{} = organizer_actor <- Map.get(args, :organizer_actor),
- title <- args |> Map.get(:title, "") |> String.trim(),
+ title <- args |> Map.get(:title, "") |> HtmlSanitizeEx.strip_tags() |> String.trim(),
visibility <- Map.get(args, :visibility, :public),
description <- Map.get(args, :description),
tags <- Map.get(args, :tags),
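Review bot: Only `title` is run through `HtmlSanitizeEx.strip_tags/1` here; `description` on the following line is still bound straight from `args`, even though the accompanying test (second hunk of this commit) is named "escapes title and description" and, as rendered there, asserts the description back unchanged. If the description is sanitized later in the pipeline, a why-comment on this line would stop the next reader from re-adding it, e.g. `# description is sanitized in <MODULE_OR_CHANGESET>` with the real location filled in. If it is not, the sanitizer belongs here too, but `Map.get(args, :description)` can yield `nil` and a plain-text `strip_tags/1` would also drop any markup the description is meant to keep, so a nil-guarded allowlist such as `HtmlSanitizeEx.basic_html/1` is the better fit. The `with` in `prepare_args/1` continues past the end of this hunk.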
diff --git a/test/mobilizon_web/resolvers/event_resolver_test.exs b/test/mobilizon_web/resolvers/event_resolver_test.exs
index 53f77b97..ee66ee0e 100644
--- a/test/mobilizon_web/resolvers/event_resolver_test.exs
+++ b/test/mobilizon_web/resolvers/event_resolver_test.exs
@@ -119,6 +119,48 @@ defmodule MobilizonWeb.Resolvers.EventResolverTest do
assert json_response(res, 200)["data"]["createEvent"]["title"] == "come to my event"
end
+ test "create_event/3 creates an event and escapes title and description", %{
+ conn: conn,
+ actor: actor,
+ user: user
+ } do
+ mutation = """
+ mutation createEvent($title: String!, $description: String, $begins_on: DateTime, $organizer_actor_id: ID!) {
+ createEvent(
+ title: $title,
+ description: $description,
+ begins_on: $begins_on,
+ organizer_actor_id: $organizer_actor_id
+ ) {
+ title,
+ description,
+ uuid
+ }
+ }
+ """
+
+ res =
+ conn
+ |> auth_conn(user)
+ |> AbsintheHelpers.graphql_query(
+ query: mutation,
+ variables: %{
+ title:
+ "My Event title ",
+ description:
+ "My description ",
+ begins_on: DateTime.utc_now() |> DateTime.truncate(:second) |> DateTime.to_iso8601(),
+ organizer_actor_id: "#{actor.id}"
+ }
+ )
+
+ assert res["errors"] == nil
+ assert res["data"]["createEvent"]["title"] == "My Event title"
+
+ assert res["data"]["createEvent"]["description"] ==
+ "My description "
+ end
+
test "create_event/3 creates an event as a draft", %{conn: conn, actor: actor, user: user} do
mutation = """
mutation {
diff --git a/test/support/abinthe_helpers.ex b/test/support/abinthe_helpers.ex
index ce7e673b..33df27da 100644
--- a/test/support/abinthe_helpers.ex
+++ b/test/support/abinthe_helpers.ex
@@ -1,4 +1,7 @@
defmodule MobilizonWeb.AbsintheHelpers do
+ use Phoenix.ConnTest
+ @endpoint MobilizonWeb.Endpoint
+
@moduledoc """
Absinthe helpers for tests
"""
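Review bot: The two added lines put `use Phoenix.ConnTest` and `@endpoint` ahead of `@moduledoc`, whereas the conventional module layout (and what `mix credo` expects) is `@moduledoc` first, then `use`/`import`/`alias`, then other attributes. Move the pair below the closing `"""` of the moduledoc so the file reads `@moduledoc """ … """`, then `use Phoenix.ConnTest`, then `@endpoint MobilizonWeb.Endpoint`. A short comment on `@endpoint`, such as `# required by Phoenix.ConnTest for post/3 and json_response/2`, would explain why a helper module declares an endpoint at all.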
@@ -17,4 +20,20 @@ defmodule MobilizonWeb.AbsintheHelpers do
"variables" => ""
}
end
+
+ def graphql_query(conn, options) do
+ conn
+ |> post(
+ "/api",
+ build_query(options[:query], options[:variables])
+ )
+ |> json_response(200)
+ end
+
+ defp build_query(query, variables) do
+ %{
+ "query" => query,
+ "variables" => variables
+ }
+ end
end
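Review bot: `graphql_query/2` reads its options with non-assertive `options[:query]` and `options[:variables]`, so a caller that omits `:variables` silently sends `"variables" => nil`, while the existing helper just above this hunk sends `"variables" => ""` for the no-variables case; a missing `:query` likewise reaches the endpoint as `nil` instead of failing in the test. Use `Keyword.fetch!(options, :query)` and `Keyword.get(options, :variables, %{})` so the two helpers agree and a typo in the option name surfaces immediately. `json_response(200)` is the right default for GraphQL, but the new public function has no `@doc`; a one-liner such as `@doc "Posts a GraphQL document with variables to /api and decodes the 200 JSON body."` plus a `@spec graphql_query(Plug.Conn.t(), keyword()) :: map()` would document the contract.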