diff --git a/CRM/TwingleCampaign/BAO/Campaign.php b/CRM/TwingleCampaign/BAO/Campaign.php
index 0e43c47..1560fb4 100644
--- a/CRM/TwingleCampaign/BAO/Campaign.php
+++ b/CRM/TwingleCampaign/BAO/Campaign.php
@@ -114,6 +114,9 @@ abstract class Campaign {
     // Translate custom field names back
     $this->translateCustomFields($values, self::OUT);
 
+    // Escape html in embed code fields
+    $this->escapeHtml($values);
+
     // Translate keys from CiviCRM format to Twingle format
     self::translateKeys($values, self::OUT);
 
@@ -196,7 +199,6 @@ abstract class Campaign {
    * @throws Exception
    */
   public function update(array $values) {
-    // Update campaign values
     $this->values = array_merge($this->values, $values);
   }
 
@@ -480,6 +482,22 @@ abstract class Campaign {
   }
 
 
+  /**
+   * Escape html in all embed code fields
+   * @param array $values
+   */
+  protected function escapeHtml(array &$values) {
+    $embed_data_keys = Cache::getInstance()
+      ->getTemplates()['project_embed_data'];
+
+    foreach ($embed_data_keys as $key) {
+      if (key_exists($key, $values)) {
+        $values[$key] = htmlspecialchars($values[$key]);
+      }
+    }
+  }
+
+
   /**
    * Validates $input to be either a DateTime string or an Unix timestamp
    *
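Review bot: The new `$this->escapeHtml($values);` call runs before `self::translateKeys($values, self::OUT)`, so at that point $values is still keyed in CiviCRM format while the `project_embed_data` template list it iterates may use the Twingle-side names; if the two formats differ, `key_exists()` never matches and nothing is escaped. Please confirm which key format the template uses, or move the call after the key translation. Because this sits on the export path, a value that already contains entities is encoded again on each pass (`&amp;` becomes `&amp;amp;`) unless double encoding is disabled, so it is worth stating whether the stored embed code is expected to be raw HTML. A one-line comment naming the consumer that relies on the escaped form would make the intent clear, e.g. `// Embed snippets are HTML-escaped here; the receiving side must treat them as text, not unescape them`. The enclosing method starts and ends outside this hunk.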
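Review bot: `htmlspecialchars($values[$key])` depends on the PHP version's default flags: before PHP 8.1 the default is `ENT_COMPAT | ENT_HTML401`, which leaves single quotes unescaped, so a value placed in a single-quoted attribute is only partly neutralised on older runtimes. Pass the flags and charset explicitly, `$values[$key] = htmlspecialchars((string) $values[$key], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, which also avoids the null-argument deprecation on 8.1+ and a TypeError if an embed field ever holds a non-string value. `Cache::getInstance()->getTemplates()['project_embed_data']` is dereferenced without a check, so a missing template entry yields null, and the `foreach` then emits a warning and silently escapes nothing; `?? []` or throwing would make the failure explicit. The docblock should also say the array is mutated in place, e.g. `@param array $values Campaign values, modified in place: embed-code entries are HTML-escaped`.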