diff --git a/CHANGES.md b/CHANGES.md
index 27f68aaf8..4da0fe705 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,7 @@
Changes in 8.9.5
----------------
- Fix stored XSS security issue: do not allow unsanitized XML in FileUpload.fnc.php, thanks to @nhienit2010
+- Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha
Changes in 8.9.4
----------------
diff --git a/modules/Grades/includes/StudentAssignments.fnc.php b/modules/Grades/includes/StudentAssignments.fnc.php
index 950084727..d10d54346 100644
--- a/modules/Grades/includes/StudentAssignments.fnc.php
+++ b/modules/Grades/includes/StudentAssignments.fnc.php
@@ -575,7 +575,7 @@ function MakeAssignmentTitle( $value, $column )
// Truncate value to 36 chars.
$title = mb_strlen( $value ) <= 36 ?
$value :
- '' . mb_substr( $value, 0, 33 ) . '...';
+ '' . mb_substr( $value, 0, 33 ) . '...';
if ( User( 'PROFILE' ) === 'teacher' )
{
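Review bot: Only the truncated branch of the ternary is changed by this fix; when `mb_strlen( $value ) <= 36` the raw `$value` is still assigned to `$title` as-is, so a short title relies entirely on whatever escaping happens later in MakeAssignmentTitle, which starts above this hunk and continues below it. It is worth confirming that every place `$title` is output (including the teacher branch that begins at the end of the hunk) escapes it for the context it lands in, since an attribute value and element text need different handling. As rendered here the string literals on the removed and added lines look identical, so the escaping call itself cannot be confirmed from this view. A comment above the ternary such as `// $value is user-entered text: escape it for the HTML context before output.` would record why the escaping is there.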