diff --git a/webapp/src/utils.test.ts b/webapp/src/utils.test.ts
index 4827a30b4..b9ed7dfd5 100644
--- a/webapp/src/utils.test.ts
+++ b/webapp/src/utils.test.ts
@@ -25,7 +25,7 @@ describe('utils', () => {
 
     describe('htmlFromMarkdown', () => {
         test('should not allow XSS on links href on the webapp', () => {
-            expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe('<p><a href="%22xss-attack=%22true%22other=%22whatever"></a></p>')
+            expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe('<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" ></a></p>')
         })
 
         test('should not allow XSS on links href on the desktop app', () => {
diff --git a/webapp/src/utils.ts b/webapp/src/utils.ts
index 56a483118..2fce16b23 100644
--- a/webapp/src/utils.ts
+++ b/webapp/src/utils.ts
@@ -112,8 +112,14 @@ class Utils {
     static htmlFromMarkdown(text: string): string {
         // HACKHACK: Somehow, marked doesn't encode angle brackets
         const renderer = new marked.Renderer()
-        if ((window as any).openInNewBrowser) {
-            renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);">${contents}</a>`
+        renderer.link = (href, title, contents) => {
+            return '<a ' +
+                'target="_blank" ' +
+                'rel="noreferrer" ' +
+                `href="${encodeURI(href || '')}" ` +
+                `title="${title ? encodeURI(title) : ''}" ` +
+                ((window as any).openInNewBrowser ? 'onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);"' : '') +
+            '>' + contents + '</a>'
         }
         const html = marked(text.replace(/</g, '&lt;'), {renderer, breaks: true})
         return html.trim()