diff --git a/YouTubeVideo.py b/YouTubeVideo.py
index d5923c2..bf2aa6a 100644
--- a/YouTubeVideo.py
+++ b/YouTubeVideo.py
@@ -29,12 +29,23 @@ def macro_YouTubeVideo(macro, video_id=None, width=None, height=None):
         # no video id given
         return macro.formatter.rawHTML(u'')
 
+    video_id = wikiutil.escape(str(video_id))
+
+    if width is None:
+        width_attrib = ''
+    else:
+        escaped = wikiutil.escape(str(width))
+        width_attrib = 'width="%s"' % escaped
+
+    if height is None:
+        height_attrib = ''
+    else:
+        escaped = wikiutil.escape(str(height))
+        height_attrib = 'height="%s"' % escaped
 
-    width = '' if width is None else 'width="%s"' % str(width)
-    height = '' if height is None else 'height="%s"' % str(height)
     tmp = (u'<iframe src="https://www.youtube-nocookie.com/embed/%s?rel=0" '
            u'%s %s frameborder="0" allow="autoplay; encrypted-media" '
            u'allowfullscreen></iframe>'
           )
-    html = tmp % (video_id, width, height)
+    html = tmp % (video_id, width_attrib, height_attrib)
     return macro.formatter.rawHTML(html)