diff --git a/CHANGELOG.md b/CHANGELOG.md
index d8a680901..d6df8c3f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Fixes
+### Security
+- Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks [#454](https://github.com/smarty-php/smarty/issues/454)
+
+### Fixed
 - Fixed use of `rand()` without a parameter in math function [#794](https://github.com/smarty-php/smarty/issues/794)
 
 ## [3.1.46] - 2022-08-01
diff --git a/libs/plugins/function.mailto.php b/libs/plugins/function.mailto.php
index 8faf696af..5f4cf3a9e 100644
--- a/libs/plugins/function.mailto.php
+++ b/libs/plugins/function.mailto.php
@@ -48,8 +48,13 @@
  */
 function smarty_function_mailto($params)
 {
-    static $_allowed_encoding =
-        array('javascript' => true, 'javascript_charcode' => true, 'hex' => true, 'none' => true);
+    static $_allowed_encoding = array(
+        'javascript' => true,
+        'javascript_charcode' => true,
+        'hex' => true,
+        'none' => true
+    );
+
     $extra = '';
     if (empty($params[ 'address' ])) {
         trigger_error("mailto: missing 'address' parameter", E_USER_WARNING);
@@ -57,11 +62,11 @@ function smarty_function_mailto($params)
     } else {
         $address = $params[ 'address' ];
     }
+
     $text = $address;
+
     // netscape and mozilla do not decode %40 (@) in BCC field (bug?)
     // so, don't encode it.
-    $search = array('%40', '%2C');
-    $replace = array('@', ',');
     $mail_parms = array();
     foreach ($params as $var => $value) {
         switch ($var) {
@@ -69,7 +74,7 @@ function smarty_function_mailto($params)
             case 'bcc':
             case 'followupto':
                 if (!empty($value)) {
-                    $mail_parms[] = $var . '=' . str_replace($search, $replace, rawurlencode($value));
+                    $mail_parms[] = $var . '=' . str_replace(array('%40', '%2C'), array('@', ','), rawurlencode($value));
                 }
                 break;
             case 'subject':
@@ -83,6 +88,7 @@ function smarty_function_mailto($params)
             default:
         }
     }
+
     if ($mail_parms) {
         $address .= '?' . join('&', $mail_parms);
     }
@@ -94,19 +100,21 @@ function smarty_function_mailto($params)
         );
         return;
     }
+
+    $string = '<a href="mailto:' . htmlspecialchars($address, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) .
+        '" ' . $extra . '>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) . '</a>';
+
     if ($encode === 'javascript') {
-	    $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
         $js_encode = '';
         for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
             $js_encode .= '%' . bin2hex($string[ $x ]);
         }
         return '<script type="text/javascript">document.write(unescape(\'' . $js_encode . '\'))</script>';
     } elseif ($encode === 'javascript_charcode') {
-        $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
         for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
             $ord[] = ord($string[ $x ]);
         }
-	    return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
+        return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
     } elseif ($encode === 'hex') {
         preg_match('!^(.*)(\?.*)$!', $address, $match);
         if (!empty($match[ 2 ])) {
@@ -129,6 +137,6 @@ function smarty_function_mailto($params)
         return '<a href="' . $mailto . $address_encode . '" ' . $extra . '>' . $text_encode . '</a>';
     } else {
         // no encoding
-        return '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
+        return $string;
     }
 }
diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
index 014a25e14..e84e85bc4 100644
--- a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
@@ -150,7 +150,7 @@ public function testExtraWithoutMbstring()
 
     public function testUmlauts()
     {
-        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&amp;subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
         $tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
         $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
     }
@@ -158,9 +158,26 @@ public function testUmlauts()
     public function testUmlautsWithoutMbstring()
     {
         Smarty::$_MBSTRING = false;
-        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&amp;subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
         $tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
         $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
         Smarty::$_MBSTRING = true;
     }
+
+	public function testJavascriptChars()
+	{
+		$result = '<script type="text/javascript">document.write(unescape(\'%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%22%20%3e%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%3c%2f%61%3e\'))</script>';
+		$this->smarty->assign('address', 'me@example.com">me@example.com\'); alert("injection"); //');
+		$tpl = $this->smarty->createTemplate('eval:{mailto address=$address encode=javascript}');
+		$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+	}
+
+	public function testHtmlChars()
+	{
+		$result = '<a href="mailto:me@example.com&quot;&gt;&lt;h1&gt;" class="email">me@example.com&quot;&gt;&lt;h1&gt;</a>';
+		$this->smarty->assign('address', 'me@example.com"><h1>');
+		$tpl = $this->smarty->createTemplate('eval:{mailto address=$address extra=\'class="email"\'}');
+		$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+	}
+
 }