diff --git a/core/markdown.go b/core/markdown.go
index e32bde0..42a4b6a 100644
--- a/core/markdown.go
+++ b/core/markdown.go
@@ -2,6 +2,7 @@ package core
 import (
 "path"
+ "text/template"
 "fmt"
 "os"
@@ -106,6 +107,9 @@ func (r *Runner) ResolveContentSrc(tag string) string {
 fileContent := utils.GetFileContent(match[1])
 utils.DebugF("Replace content src: %v", color.GreenString(match[1]))
+ // sanitize file content to prevent XSS
+ fileContent = template.HTMLEscapeString(fileContent)
+
 if strings.Contains(tag, "expand=true") {
 return "```\n" + fileContent + "```"
 }
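Review bot: The new `template.HTMLEscapeString` call runs before the `expand=true` branch, so content that is returned inside a fenced code block is escaped as well, and since markdown renderers already escape fence contents a `<` in the file will show up as a literal `&lt;` in the expanded output. Moving the `fileContent = template.HTMLEscapeString(fileContent)` assignment to just after the `if strings.Contains(tag, "expand=true") { ... }` block keeps the escape for the non-fenced return only, which is presumably the path where raw content reaches HTML (that path is outside the hunk, so confirm it). HTML escaping also does not touch backticks, so a file whose content contains a line of three backticks still terminates the fence early; if that isolation matters, add a separate check such as `strings.Contains(fileContent, "```")` and fall back to the escaped inline form. In the first hunk `"text/template"` is inserted between `"path"` and `"fmt"` rather than in the sorted position goimports would use. `ResolveContentSrc` continues past the end of the hunk.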