diff --git a/django/contrib/admin/templatetags/admin_list.py b/django/contrib/admin/templatetags/admin_list.py
index d5f8df9dfd7..0e550dd4718 100644
--- a/django/contrib/admin/templatetags/admin_list.py
+++ b/django/contrib/admin/templatetags/admin_list.py
@@ -131,7 +131,7 @@ def items_for_result(cl, result):
 
             if isinstance(f.rel, models.ManyToOneRel):
                 if field_val is not None:
-                    result_repr = getattr(result, f.name)
+                    result_repr = escape(getattr(result, f.name))
                 else:
                     result_repr = EMPTY_CHANGELIST_VALUE
             # Dates and times are special: They're formatted in a certain way.