diff --git a/portal/api_client.go b/portal/api_client.go
index 0b7a9d1..2aacc36 100644
--- a/portal/api_client.go
+++ b/portal/api_client.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"html"
 	"io"
 	"net/http"
 	"sort"
@@ -189,7 +190,7 @@ func fetchStudiesWithSeries(dossierHex string) ([]Study, error) {
 			for _, ser := range apiSeries {
 				s.Series = append(s.Series, Series{
 					ID: ser.ID,
-					Description: ser.SeriesDesc,
+					Description: html.EscapeString(ser.SeriesDesc), // FIX TASK-019: XSS prevention
 					Modality: ser.Modality,
 					SliceCount: ser.SliceCount,
 				})
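Review bot: Escaping at the fetch layer, in the `Description: html.EscapeString(ser.SeriesDesc)` line, stores an HTML-encoded string in the data model instead of encoding at the output boundary, so any consumer that renders through html/template (which already escapes) will double-encode (`&amp;amp;`), and any non-HTML consumer — JSON responses, logs, comparisons against the upstream value — now sees mutated text. html.EscapeString is also only correct for HTML text content; a description placed in an attribute, a URL or a script block needs context-specific encoding, which a template engine handles and this line does not. If the portal renders with html/template, the original `Description: ser.SeriesDesc,` was already safe and this change should be reverted in favour of auditing the templates for `template.HTML` or other unescaped sinks; if it renders via text/template or string concatenation, the fix belongs at that render site. Note also that `ser.ID`, `ser.Modality` and `ser.SliceCount` come from the same upstream response and are passed through unescaped, so whatever approach is chosen should apply uniformly rather than to one field. fetchStudiesWithSeries starts before and continues past this hunk.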