diff --git a/models/Document/Editable/Link.php b/models/Document/Editable/Link.php
index 4d629fa55ed..f471e4faf4f 100644
--- a/models/Document/Editable/Link.php
+++ b/models/Document/Editable/Link.php
@@ -299,6 +299,11 @@ private function updatePathFromInternal($realPath = false, $editmode = false)
 }
 }
 
+ // sanitize attributes
+ if(isset($this->data['attributes'])) {
+ $this->data['attributes'] = htmlspecialchars($this->data['attributes'], HTML_ENTITIES);
+ }
+
 // deletes unnecessary attribute, which was set by mistake in earlier versions, see also
 // https://github.com/pimcore/pimcore/issues/7394
 if (isset($this->data['type'])) {
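Review bot: The second argument to `htmlspecialchars()` on the added line is `HTML_ENTITIES`, which is a selector for `get_html_translation_table()` rather than an `ENT_*` flag, so the quote handling is whatever that constant's integer value happens to map to (as far as I can tell it is 1, which would leave double quotes unencoded). State the intent with real flags, e.g. `htmlspecialchars($this->data['attributes'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false)`; the final `false` (double_encode) matters because the escaped value is written back into `$this->data`, so a second pass through `updatePathFromInternal()` would otherwise turn `&amp;` into `&amp;amp;`. Whether entity-encoding the whole string is the right control depends on how `attributes` is emitted, which is outside this hunk: if it is written raw into the tag as a list of `name="value"` pairs, encoding does not restrict which attribute names get through, and an allow-list applied at render time would be the stronger fix. The function body starts and ends outside the hunk, so the call frequency and the type of `$this->data['attributes']` should be confirmed there.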