diff --git a/templates/repo/issue/view_content/pull.tmpl b/templates/repo/issue/view_content/pull.tmpl
index ca3c6f82e8..bbbb8bf720 100644
--- a/templates/repo/issue/view_content/pull.tmpl
+++ b/templates/repo/issue/view_content/pull.tmpl
@@ -214,7 +214,7 @@
 							const mergeForm = {
 								'baseLink': {{.Link}},
 								'textCancel': {{ctx.Locale.Tr "cancel"}},
-								'textDeleteBranch': {{ctx.Locale.Tr "repo.branch.delete" .HeadTarget}},
+								'textDeleteBranch': {{ctx.Locale.TrString "repo.branch.delete" .HeadTarget}},
 								'textAutoMergeButtonWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_button_when_succeed"}},
 								'textAutoMergeWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_when_succeed"}},
 								'textAutoMergeCancelSchedule': {{ctx.Locale.Tr "repo.pulls.auto_merge_cancel_schedule"}},
diff --git a/web_src/js/components/PullRequestMergeForm.test.js b/web_src/js/components/PullRequestMergeForm.test.js
new file mode 100644
index 0000000000..7b856e0b88
--- /dev/null
+++ b/web_src/js/components/PullRequestMergeForm.test.js
@@ -0,0 +1,34 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+import {flushPromises, mount} from '@vue/test-utils';
+import PullRequestMergeForm from './PullRequestMergeForm.vue';
+
+async function renderMergeForm(branchName) {
+  window.config.pageData.pullRequestMergeForm = {
+    textDeleteBranch: `Delete branch "${branchName}"`,
+    textDoMerge: 'Merge',
+    defaultMergeStyle: 'merge',
+    isPullBranchDeletable: true,
+    canMergeNow: true,
+    mergeStyles: [{
+      'name': 'merge',
+      'allowed': true,
+      'textDoMerge': 'Merge',
+      'mergeTitleFieldText': 'Merge PR',
+      'mergeMessageFieldText': 'Description',
+      'hideAutoMerge': 'Hide this message',
+    }],
+  };
+  const mergeform = mount(PullRequestMergeForm);
+  mergeform.get('.merge-button').trigger('click');
+  await flushPromises();
+  return mergeform;
+}
+
+test('renders escaped branch name', async () => {
+  let mergeform = await renderMergeForm('<b>evil</b>');
+  expect(mergeform.get('label[for="delete-branch-after-merge"]').text()).toBe('Delete branch "<b>evil</b>"');
+
+  mergeform = await renderMergeForm('<script class="evil">alert("evil message");</script>');
+  expect(mergeform.get('label[for="delete-branch-after-merge"]').text()).toBe('Delete branch "<script class="evil">alert("evil message");</script>"');
+});