diff --git a/changelogs/unreleased/dm-escape-commit-message.yml b/changelogs/unreleased/dm-escape-commit-message.yml
new file mode 100644
index 0000000000000000000000000000000000000000..89af2da3484dc31b8cb4db26b4126b1454747132
--- /dev/null
+++ b/changelogs/unreleased/dm-escape-commit-message.yml
@@ -0,0 +1,5 @@
+---
+title: Escape HTML entities in commit messages
+merge_request:
+author:
+type: fixed
diff --git a/lib/banzai/filter/html_entity_filter.rb b/lib/banzai/filter/html_entity_filter.rb
index f3bd587c28bbf92a333d408a4b2bdf5a6ddc538e..e008fd428b06863da3a803eb624b6790586b4cad 100644
--- a/lib/banzai/filter/html_entity_filter.rb
+++ b/lib/banzai/filter/html_entity_filter.rb
@@ -5,7 +5,7 @@ module Banzai
     # Text filter that escapes these HTML entities: & " < >
     class HtmlEntityFilter < HTML::Pipeline::TextFilter
       def call
-        ERB::Util.html_escape_once(text)
+        ERB::Util.html_escape(text)
       end
     end
   end
diff --git a/spec/helpers/events_helper_spec.rb b/spec/helpers/events_helper_spec.rb
index 8a80b88da5d8f5b02292bba43773539b79edf6a3..fccde8b7ebaadbc1f1d37c3e08910626fad33158 100644
--- a/spec/helpers/events_helper_spec.rb
+++ b/spec/helpers/events_helper_spec.rb
@@ -20,5 +20,9 @@ describe EventsHelper do
     it 'handles nil values' do
       expect(helper.event_commit_title(nil)).to eq('')
     end
+
+    it 'does not escape HTML entities' do
+      expect(helper.event_commit_title("foo & bar")).to eq("foo & bar")
+    end
   end
 end
diff --git a/spec/lib/banzai/filter/html_entity_filter_spec.rb b/spec/lib/banzai/filter/html_entity_filter_spec.rb
index 91e18d876d557afc8a08ebac490ab73ed5217208..1d98fc0d5db90271608674d7f1cd2abc51a66040 100644
--- a/spec/lib/banzai/filter/html_entity_filter_spec.rb
+++ b/spec/lib/banzai/filter/html_entity_filter_spec.rb
@@ -3,17 +3,12 @@ require 'spec_helper'
 describe Banzai::Filter::HtmlEntityFilter do
   include FilterSpecHelper
 
-  let(:unescaped) { 'foo <strike attr="foo">&&&</strike>' }
-  let(:escaped) { 'foo &lt;strike attr=&quot;foo&quot;&gt;&amp;&amp;&amp;&lt;/strike&gt;' }
+  let(:unescaped) { 'foo <strike attr="foo">&&amp;&</strike>' }
+  let(:escaped) { 'foo &lt;strike attr=&quot;foo&quot;&gt;&amp;&amp;amp;&amp;&lt;/strike&gt;' }
 
   it 'converts common entities to their HTML-escaped equivalents' do
     output = filter(unescaped)
 
     expect(output).to eq(escaped)
   end
-
-  it 'does not double-escape' do
-    escaped = ERB::Util.html_escape("Merge branch 'blabla' into 'master'")
-    expect(filter(escaped)).to eq(escaped)
-  end
 end