diff --git a/lib/plugins/helper/toc.js b/lib/plugins/helper/toc.js
index 5f3f7e5f90..263497120e 100644
--- a/lib/plugins/helper/toc.js
+++ b/lib/plugins/helper/toc.js
@@ -1,6 +1,7 @@
 'use strict';
 
 var cheerio;
+var escapeHTML = require('hexo-util').escapeHTML;
 
 function tocHelper(str, options) {
   options = options || {};
@@ -25,7 +26,7 @@ function tocHelper(str, options) {
   headings.each(function() {
     var level = +this.name[1];
     var id = $(this).attr('id');
-    var text = $(this).text();
+    var text = escapeHTML($(this).text());
 
     lastNumber[level - 1]++;