diff --git a/nautobot/utilities/tests/test_templatetags_helpers.py b/nautobot/utilities/tests/test_templatetags_helpers.py
@@ -93,9 +93,24 @@ def test_render_markdown(self):
         self.assertEqual(render_markdown("*italics*"), "<p><em>italics</em></p>")
         self.assertEqual(render_markdown("**bold and _italics_**"), "<p><strong>bold and <em>italics</em></strong></p>")
         self.assertEqual(render_markdown("* list"), "<ul>\n<li>list</li>\n</ul>")
-        self.assertEqual(
+        self.assertHTMLEqual(
             render_markdown("[I am a link](https://www.example.com)"),
-            '<p><a href="https://www.example.com">I am a link</a></p>',
+            '<p><a href="https://www.example.com" rel="noopener noreferrer">I am a link</a></p>',
+        )
+
+    def test_render_markdown_security(self):
+        self.assertEqual(render_markdown('<script>alert("XSS")</script>'), "")
+        self.assertHTMLEqual(
+            render_markdown('[link](javascript:alert("XSS"))'),
+            '<p><a title="XSS" rel="noopener noreferrer">link</a>)</p>',  # the trailing ) seems weird to me, but...
+        )
+        self.assertHTMLEqual(
+            render_markdown(
+                "[link\nJS]"
+                "(&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A"  # '(javascript:'
+                "&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)"  # 'alert("XSS"))'
+            ),
+            '<p><a rel="noopener noreferrer">link JS</a></p>',
         )
 
     def test_render_json(self):
@@ -220,8 +235,8 @@ def test_support_message(self):
                 self.assertHTMLEqual(
                     support_message(),
                     "<p>If further assistance is required, please join the <code>#nautobot</code> channel "
-                    'on <a href="https://slack.networktocode.com/">Network to Code\'s Slack community</a> '
-                    "and post your question.</p>",
+                    'on <a href="https://slack.networktocode.com/" rel="noopener noreferrer">Network to Code\'s '
+                    "Slack community</a> and post your question.</p>",
                 )
 
             with override_config(SUPPORT_MESSAGE="Reach out to your support team for assistance."):

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -119,6 +119,8 @@ netaddr = "~0.8.0"
 # Note: netutils is limited in scope, dependencies, and observes semver, as such
 #       we permit a looser (^) version constraint here.
 netutils = "^1.5.0"
+# HTML sanitization
+nh3 = "~0.2.15"
 # Handling of version numbers
 packaging = ">=23.0,<23.2"
 # Image processing library