diff --git a/CHANGES.md b/CHANGES.md
index 27f68aaf8..4da0fe705 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,7 @@ Changes in 8.9.5
 ----------------
 - Fix stored XSS security issue: do not allow unsanitized XML in FileUpload.fnc.php, thanks to @nhienit2010
+- Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha
 Changes in 8.9.4
 ----------------
diff --git a/modules/Grades/includes/StudentAssignments.fnc.php b/modules/Grades/includes/StudentAssignments.fnc.php
index 950084727..d10d54346 100644
--- a/modules/Grades/includes/StudentAssignments.fnc.php
+++ b/modules/Grades/includes/StudentAssignments.fnc.php
@@ -575,7 +575,7 @@ function MakeAssignmentTitle( $value, $column )
 // Truncate value to 36 chars.
 $title = mb_strlen( $value ) <= 36 ? $value :
- '' . mb_substr( $value, 0, 33 ) . '...';
+ '' . mb_substr( $value, 0, 33 ) . '...';
 if ( User( 'PROFILE' ) === 'teacher' ) {
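Review bot: In `MakeAssignmentTitle` the short branch of the ternary still assigns `$value` to `$title` unchanged, and the long branch concatenates `mb_substr( $value, 0, 33 )` as element text, so the attribute escaping named in the changelog covers only one of the three places the title reaches the output. Unless titles are already HTML-encoded before this function is called (the hunk does not show that), a title of 36 characters or fewer is emitted exactly as stored. After confirming there is no upstream encoding that would cause double-encoding, encode at the point of output: `htmlspecialchars( $value, ENT_QUOTES )` for the short branch and `htmlspecialchars( mb_substr( $value, 0, 33 ), ENT_QUOTES )` for the truncated text. Encoding after truncation rather than before also keeps `mb_substr` from cutting an entity in half. The function body continues past the hunk (the `teacher` branch), so how `$title` is used afterwards should be checked too; the markup inside the quoted strings on the changed line is not legible on this page, so the added escaping call itself could not be reviewed here.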