diff --git a/CHANGES.md b/CHANGES.md
index 3fae752aa..df5f48068 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,10 @@
 # CHANGES
 ## RosarioSIS Student Information System
+Changes in 8.9.6
+----------------
+- Fix Stored XSS security issue: escape textarea HTML in Inputs.php, thanks to @jo125ker
+
 Changes in 8.9.5
 ----------------
 - Fix stored XSS security issue: do not allow unsanitized XML & HTML in FileUpload.fnc.php, thanks to @nhienit2010
diff --git a/functions/Inputs.php b/functions/Inputs.php
index a7c258ea0..b4dcb1d74 100644
--- a/functions/Inputs.php
+++ b/functions/Inputs.php
@@ -422,7 +422,9 @@ function TextAreaInput( $value, $name, $title = '', $extra = '', $div = true, $t
 $textarea = ( $type === 'markdown' ? MarkDownInputPreview( $id ) : '' ) . '' . ( $type === 'tinymce' ? $ftitle_nobr : $ftitle );
+ // Fix Stored XSS security issue: escape textarea HTML.
+ htmlspecialchars( (string) $value ) .
+ '' . ( $type === 'tinymce' ? $ftitle_nobr : $ftitle );
 if ( $value == '' || ! $div )
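Review bot: The new `htmlspecialchars( (string) $value )` call in the Inputs.php hunk relies on PHP's version-dependent defaults: before PHP 8.1 the default flags omit ENT_SUBSTITUTE, so a stored value containing invalid UTF-8 comes back as an empty string and the field silently loses its content, while the escaping itself stays correct. Pinning the flags makes the behaviour the same on every supported PHP version: `htmlspecialchars( (string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ) .`. The fix covers only the element body; the opening tag's attributes (id, name, `$extra`) are not visible in this hunk, so it is worth confirming they are escaped for attribute context as well, since a value reaching `$extra` unescaped would bypass this change. If any callers already store entity-encoded text, the default double_encode will now encode it twice, which is a regression to check at the call sites rather than here. TextAreaInput starts before and ends after this hunk.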