diff --git a/include/ajax.tickets.php b/include/ajax.tickets.php
index 9d1c9af36a867536d66129bb5c1060554098510f..4c299869358fe9d4b0d596b73953df7795561d6e 100644
--- a/include/ajax.tickets.php
+++ b/include/ajax.tickets.php
@@ -679,7 +679,7 @@ class TicketsAjaxAPI extends AjaxController {
                 Http::response(422, 'Unknown ticket variable');
 
             // Ticket thread variables are assumed to be quotes
-            $response = "<br/><blockquote>$response</blockquote><br/>";
+            $response = "<br/><blockquote>{$response->asVar()}</blockquote><br/>";
 
             //  Return text if html thread is not enabled
             if (!$cfg->isHtmlThreadEnabled())
diff --git a/include/class.thread.php b/include/class.thread.php
index 6a7e498a1f34901727152ba48335f1f79aeddfe1..44ab73e28c0eaac4fd9ea8e7e21cc1d34519b5ce 100644
--- a/include/class.thread.php
+++ b/include/class.thread.php
@@ -1412,10 +1412,9 @@ class TextThreadBody extends ThreadBody {
 
         switch ($output) {
         case 'html':
-            return '<div style="white-space:pre-wrap">'
-                .Format::clickableurls(Format::htmlchars($this->body)).'</div>';
         case 'email':
-            return '<div style="white-space:pre-wrap">'.$this->body.'</div>';
+            return '<div style="white-space:pre-wrap">'
+                .Format::htmlchars($this->body).'</div>';
         case 'pdf':
             return nl2br($this->body);
         default: