diff --git a/Controller/FormTokenController.php b/Controller/FormTokenController.php
index 14a6fe60..630279b8 100644
--- a/Controller/FormTokenController.php
+++ b/Controller/FormTokenController.php
@@ -35,6 +35,9 @@ public function tokenAction(Request $request): Response
         $content = $csrfToken;
 
         if ($request->get('html')) {
+            $formName = htmlspecialchars($formName, ENT_QUOTES, 'UTF-8');
+            $csrfToken = htmlspecialchars($csrfToken, ENT_QUOTES, 'UTF-8');
+
             $content = \sprintf(
                 '<input type="hidden" id="%s__token" name="%s[_token]" value="%s" />',
                 $formName,
diff --git a/Tests/Functional/Controller/FormTokenControllerTest.php b/Tests/Functional/Controller/FormTokenControllerTest.php
new file mode 100644
index 00000000..50c004b2
--- /dev/null
+++ b/Tests/Functional/Controller/FormTokenControllerTest.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of Sulu.
+ *
+ * (c) Sulu GmbH
+ *
+ * This source file is subject to the MIT license that is bundled
+ * with this source code in the file LICENSE.
+ */
+
+namespace Sulu\Bundle\FormBundle\Tests\Functional\Controller;
+
+use Sulu\Bundle\FormBundle\Controller\FormTokenController;
+use Sulu\Bundle\TestBundle\Testing\SuluTestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Csrf\CsrfToken;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+
+class FormTokenControllerTest extends SuluTestCase
+{
+    /**
+     * @var FormTokenController
+     */
+    private formTokenController $formTokenController;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
+        $csrfToken = $this->createMock(CsrfToken::class);
+        $csrfToken->method('getValue')->willReturn('testToken');
+        $csrfTokenManager->method('getToken')->willReturn($csrfToken);
+        $this->formTokenController = new FormTokenController($csrfTokenManager);
+    }
+
+    public function testTokenAction(): void
+    {
+        $request = new Request([], [], ['form' => 'testForm', 'html' => true]);
+        $response = $this->formTokenController->tokenAction($request);
+        $this->assertSame(200, $response->getStatusCode());
+        $this->assertStringContainsString('testForm', $response->getContent());
+    }
+
+    public function testTokenActionWithScript(): void
+    {
+        $request = new Request([], [], ['form' => '<script>alert(1)</script>', 'html' => true]);
+        $response = $this->formTokenController->tokenAction($request);
+        $this->assertSame(200, $response->getStatusCode());
+        $this->assertStringContainsString('&lt;script&gt;alert(1)&lt;/script&gt;', $response->getContent());
+        $this->assertStringNotContainsString('<script>alert(1)</script>', $response->getContent());
+    }
+}