diff --git a/HISTORY.rst b/HISTORY.rst
index ca7371198c..007d11dd82 100644
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -1,3 +1,9 @@
+3.0.3 (2018-08-17)
+==================
+- Add explicit casting of escaped tag labels to prevent exploit
+  of cross site scripting. Thanks to Lokesh (@lokesh1095) for
+  the report and proposed solutions. Closes GitLab issue #496.
+
 3.0.2 (2018-08-16)
 ==================
 - Docker install script: Default to verbose.
diff --git a/mayan/apps/tags/widgets.py b/mayan/apps/tags/widgets.py
index 449069576c..d532d0e8c1 100644
--- a/mayan/apps/tags/widgets.py
+++ b/mayan/apps/tags/widgets.py
@@ -3,6 +3,7 @@ from __future__ import absolute_import, unicode_literals
 from django import forms
 from django.apps import apps
 from django.template.loader import render_to_string
+from django.utils.html import conditional_escape
 from django.utils.safestring import mark_safe
 
 from .permissions import permission_tag_view
@@ -17,8 +18,8 @@ class TagFormWidget(forms.SelectMultiple):
     def create_option(self, name, value, label, selected, index,
                       subindex=None, attrs=None):
         result = super(TagFormWidget, self).create_option(
-            name=name, value=value, label=label, selected=selected,
-            index=index, subindex=subindex, attrs=attrs
+            name=name, value=value, label='{}'.format(conditional_escape(label)),
+            selected=selected, index=index, subindex=subindex, attrs=attrs
         )
         result['attrs']['data-color'] = self.queryset.get(pk=value).color