diff --git a/lib/svg/generator.escapeXML.test.ts b/lib/svg/generator.escapeXML.test.ts
index 9161bb336..3e982d858 100644
--- a/lib/svg/generator.escapeXML.test.ts
+++ b/lib/svg/generator.escapeXML.test.ts
@@ -16,6 +16,10 @@ describe('escapeXML', () => {
 expect(escapeXML('hello world')).toBe('hello world');
 });
 
+ it('should escape backticks to prevent attribute breakout', () => {
+ expect(escapeXML('label=`alert(1)`')).toBe('label=`alert(1)`');
+ }); 
+
 it('should return an empty string unchanged', () => {
 expect(escapeXML('')).toBe('');
 });
diff --git a/lib/svg/generator.test.ts b/lib/svg/generator.test.ts
index 550a2a728..c9562f488 100644
--- a/lib/svg/generator.test.ts
+++ b/lib/svg/generator.test.ts
@@ -1529,9 +1529,12 @@ describe('escapeXML', () => {
 });
 it('leaves a safe string unchanged', () => {
- const safe = 'Hello World 123!@#%^*()_+-=[]{}|;:,./?`~';
+ const safe = 'Hello World 123!@#%^*()_+-=[]{}|;:,./?~';
 expect(escapeXML(safe)).toBe(safe);
 });
+ it('escapes backticks in XML-sensitive strings', () => {
+ expect(escapeXML('onload=`alert(1)`')).toBe('onload=`alert(1)`');
+ });
 it('escapes script injection characters
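Review bot: As printed, the expected value in the added `expect(escapeXML('label=`alert(1)`')).toBe('label=`alert(1)`')` assertion is byte-identical to its input, so this test also passes against an escapeXML that leaves backticks untouched, which is the opposite of what its title claims; the same applies to the `onload=` assertion in the generator.test.ts hunk. That is most likely the page decoding a character entity on the `.toBe` side, but it is worth confirming the committed file spells the backtick as an entity there, e.g. `.toBe('label=&#96;alert(1)&#96;')` if that is the form the implementation emits (constructed example). A check that does not depend on which entity is chosen, `expect(escapeXML('`')).not.toContain('`')`, would make the intent robust against any such round-trip. Since backticks are not XML attribute delimiters, a one-line comment above the test saying why they are escaped (the rendering context the SVG is embedded in) would help the next reader more than the "attribute breakout" wording in the title.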