diff --git a/package-lock.json b/package-lock.json
index 2b82406a7..57e5abfe3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -23,6 +23,7 @@
"@vueuse/components": "^14.3.0",
"color-convert": "^3.1.3",
"debounce": "^3.0.0",
+ "dompurify": "^3.2.6",
"ical.js": "^2.2.0",
"markdown-it": "^14.1.1",
"markdown-it-emoji": "^3.0.0",
diff --git a/package.json b/package.json
index 690602039..61fce105d 100644
--- a/package.json
+++ b/package.json
@@ -42,6 +42,7 @@
"color-convert": "^3.1.3",
"debounce": "^3.0.0",
"ical.js": "^2.2.0",
+ "dompurify": "^3.2.6",
"markdown-it": "^14.1.1",
"markdown-it-emoji": "^3.0.0",
"markdown-it-link-attributes": "^4.0.1",
diff --git a/src/components/AppSidebar/NotesItem.vue b/src/components/AppSidebar/NotesItem.vue
index d21862eee..ef866cdd2 100644
--- a/src/components/AppSidebar/NotesItem.vue
+++ b/src/components/AppSidebar/NotesItem.vue
@@ -34,6 +34,7 @@ License along with this library. If not, see
{{ newValue }}
@@ -48,6 +49,7 @@ import editableItem from '../../mixins/editableItem.js'
 import { subscribe, unsubscribe } from '@nextcloud/event-bus'
 import { translate as t } from '@nextcloud/l10n'
+import DOMPurify from 'dompurify'
 import MarkdownIt from 'markdown-it'
 import Mila from 'markdown-it-link-attributes'
 import { full as emoji } from 'markdown-it-emoji'
@@ -55,6 +57,8 @@ import Mitl from 'markdown-it-task-lists'
 import { vOnClickOutside as ClickOutside } from '@vueuse/components'
+const MAX_NOTE_RENDER_SIZE = 100_000
+
 export default {
 	name: 'NotesItem',
 	directives: {
@@ -93,7 +97,11 @@ export default {
 			if (!val.trim()) {
 				val = t('tasks', 'Click here to add a note.')
 			}
-			this.$refs.note__viewer.innerHTML = this.md.render(val)
+			if (val.length > MAX_NOTE_RENDER_SIZE) {
+				this.$refs.note__viewer.textContent = val.slice(0, MAX_NOTE_RENDER_SIZE)
+				return
+			}
+			this.$refs.note__viewer.innerHTML = DOMPurify.sanitize(this.md.render(val))
 		})
 	},
 },
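Review bot: The new `DOMPurify.sanitize(...)` on the last added line of the -93 hunk runs with DOMPurify's default profile, which does not keep a `target` attribute on anchors, so if the `Mila` (markdown-it-link-attributes) setup outside this hunk adds `target="_blank"` to links that attribute is now silently stripped; passing an explicit config such as `DOMPurify.sanitize(this.md.render(val), { ADD_ATTR: ['target'] })` keeps it, and the accompanying `rel` value is preserved by default so the noopener intent survives. The `MAX_NOTE_RENDER_SIZE` constant added in the -55 hunk and the plain-text fallback that uses it carry no explanation; a comment on the constant like `// Notes above this size skip markdown rendering and are shown as truncated plain text to bound rendering cost` would record the intent. The fallback also shows `val.slice(0, MAX_NOTE_RENDER_SIZE)` with no indication that content was cut, so an ellipsis or a short notice appended to the truncated text would make that visible to the user. The enclosing function of the -93 hunk begins outside the hunk.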