diff --git a/activesupport/lib/active_support/json/encoding.rb b/activesupport/lib/active_support/json/encoding.rb
index ab12f3f4543ad..a6e4e7ced2f5b 100644
--- a/activesupport/lib/active_support/json/encoding.rb
+++ b/activesupport/lib/active_support/json/encoding.rb
@@ -136,7 +136,7 @@ def escape(string)
 end
 self.use_standard_json_time_format = true
- self.escape_html_entities_in_json = false
+ self.escape_html_entities_in_json = true
 self.encode_big_decimal_as_string = true
 end
 end
diff --git a/railties/lib/rails/generators/rails/app/templates/config/application.rb b/railties/lib/rails/generators/rails/app/templates/config/application.rb
index 5fa96397f0d45..d816f973e6475 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/application.rb
+++ b/railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -44,9 +44,6 @@ class Application < Rails::Application
 # Configure sensitive parameters which will be filtered from the log file.
 config.filter_parameters += [:password]
- # Enable escaping HTML in JSON. The default is false.
- # config.active_support.escape_html_entities_in_json = true
-
 # Use SQL instead of Active Record's schema dumper when creating the database.
 # This is necessary if your schema can't be completely dumped by the schema dumper,
 # like if you have constraints or database-specific column types.
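Review bot: The flipped default on `self.escape_html_entities_in_json = true` in encoding.rb carries no comment saying why, and the second hunk removes the only in-tree description of the option from the generated `config/application.rb`, so an application that needs unescaped output has no hint how to opt out. I would add above the assignment something like `# Escape HTML-significant characters in JSON by default, so JSON embedded in an HTML page cannot close the surrounding markup; set to false to opt out.` Applications generated earlier keep the commented line saying "The default is false", which is stale after this change, so a CHANGELOG or upgrade-guide entry seems warranted; none is visible in this diff. The enclosing module body starts outside the hunk, and the exact set of escaped characters is decided in `escape`, which is not shown here, so the wording of the comment should be checked against it.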