diff --git a/src/Plugin/HmDisplayPlugin/HmDisplayJstree.php b/src/Plugin/HmDisplayPlugin/HmDisplayJstree.php
index eeef1a1dc916a2c5bc79744cb82af2a233553ab0..80c6a97222676c9314adacf7ad9e124d94c9699d 100644
--- a/src/Plugin/HmDisplayPlugin/HmDisplayJstree.php
+++ b/src/Plugin/HmDisplayPlugin/HmDisplayJstree.php
@@ -3,6 +3,7 @@
 namespace Drupal\hierarchy_manager\Plugin\HmDisplayPlugin;
 
 use Drupal\Component\Serialization\Json;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\hierarchy_manager\Plugin\HmDisplayPluginInterface;
@@ -92,6 +93,8 @@ class HmDisplayJstree extends HmDisplayPluginBase implements HmDisplayPluginInte
     // The array key of jsTree is different from the data source.
     // So we need to translate them.
     foreach ($data as $tree_node) {
+      // Applies a very permissive XSS/HTML filter for node text.
+      $tree_node['text'] = Xss::filterAdmin($tree_node['text']);
       $jstree_node = $tree_node;
       // The root id for jsTree is #.
       if (empty($tree_node['parent'])) {
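Review bot: `Xss::filterAdmin()` on the added line is looser than a tree label needs: it is intended for text entered by trusted administrators and keeps most body-level tags such as `<a>` and `<img>`, removing mainly scripts, styles and unsafe attributes. The origin of `$tree_node['text']` is not visible in this hunk, but if it is an entity label that lower-privileged editors can set, they can still place markup and external resource loads in the admin tree. If labels are meant to be plain text, `$tree_node['text'] = Html::escape($tree_node['text'] ?? '');` (with `use Drupal\Component\Utility\Html;`) is tighter, provided the data source has not already escaped the value; otherwise `Xss::filter()` with a short tag allowlist would do. The comment should say why filtering happens here, e.g. `// jsTree inserts node text as HTML, so neutralise markup before it reaches the client.` The foreach body continues past the end of the hunk, so later uses of `text` were not checked.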