diff --git a/docs/en_US/release_notes_4_16.rst b/docs/en_US/release_notes_4_16.rst
index 853704160..a8492735e 100644
--- a/docs/en_US/release_notes_4_16.rst
+++ b/docs/en_US/release_notes_4_16.rst
@@ -47,6 +47,7 @@ Bug fixes
 | `Issue #4933 <https://redmine.postgresql.org/issues/4933>`_ -  Ensure that the Servers collection node should expand independently of server connections.
 | `Issue #4934 <https://redmine.postgresql.org/issues/4934>`_ -  Fix the help button link on the User Management dialog.
 | `Issue #4935 <https://redmine.postgresql.org/issues/4935>`_ -  Fix accessibility issues.
+| `Issue #4947 <https://redmine.postgresql.org/issues/4947>`_ -  Fix XSS issue in explain and explain analyze for table and type which contain HTML.
 | `Issue #4952 <https://redmine.postgresql.org/issues/4952>`_ -  Fix an issue of retrieving properties for Compound Triggers. It's a regression of #4006.
 | `Issue #4953 <https://redmine.postgresql.org/issues/4953>`_ -  Fix an issue where pgAdmin4 unable to retrieve table node if the trigger is already disabled and the user clicks on Enable All.
 | `Issue #4958 <https://redmine.postgresql.org/issues/4958>`_ -  Fix reverse engineering SQL issue for triggers when passed a single argument to trigger function.
diff --git a/web/pgadmin/misc/static/explain/js/explain.js b/web/pgadmin/misc/static/explain/js/explain.js
index e0aeb100c..e783afa9f 100644
--- a/web/pgadmin/misc/static/explain/js/explain.js
+++ b/web/pgadmin/misc/static/explain/js/explain.js
@@ -436,7 +436,7 @@ define('pgadmin.misc.explain', [
         tooltip.push(' as ');
         display_text.push('<span class="pg-explain-text-name">');
         display_text.push(_.escape(_planData['Alias']));
-        tooltip.push(_planData['Alias']);
+        tooltip.push(_.escape(_planData['Alias']));
         display_text.push('</span>');
       }
     }