diff --git a/core/builtins/custom_tags.py b/core/builtins/custom_tags.py
index 4cac4e3adf..8ca4783fe7 100644
--- a/core/builtins/custom_tags.py
+++ b/core/builtins/custom_tags.py
@@ -178,13 +178,12 @@ def str_date_only(value):
return localtime(parse(value)).strftime("%-d %B %Y")
-@register.simple_tag
-@mark_safe # noqa: S308
+@register.inclusion_tag("inclusion_tags/hidden-field.html")
def hidden_field(key, value):
"""
Generates a hidden field from the given key and value
"""
- return f''
+ return {"key": key, "value": value}
@register.filter()
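Review bot: The docstring on `hidden_field` still reads as if the function builds the markup, and nothing records that escaping of `key` and `value` is now left to `inclusion_tags/hidden-field.html`. Because the tag no longer returns a string marked safe, the output is only as safe as that template: a `|safe` filter or an `{% autoescape off %}` block there would bring back the unescaped interpolation this change removes. As far as I know, an inclusion tag also renders with the caller's autoescape setting, so a call placed inside `{% autoescape off %}` would probably emit the values raw; this is worth confirming. I would extend the docstring to something like `Renders a hidden input via inclusion_tags/hidden-field.html; key and value are escaped by template autoescaping, so never mark them safe in that template.`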
diff --git a/core/templates/inclusion_tags/hidden-field.html b/core/templates/inclusion_tags/hidden-field.html
new file mode 100644
index 0000000000..44db06f0ff
--- /dev/null
+++ b/core/templates/inclusion_tags/hidden-field.html
@@ -0,0 +1 @@
+
diff --git a/unit_tests/core/builtins/test_custom_tags.py b/unit_tests/core/builtins/test_custom_tags.py
index 388b8c7c6b..22542a42fc 100644
--- a/unit_tests/core/builtins/test_custom_tags.py
+++ b/unit_tests/core/builtins/test_custom_tags.py
@@ -1,6 +1,8 @@
import datetime
import pytest
+from pytest_django.asserts import assertHTMLEqual
+
from decimal import Decimal
from core.builtins import custom_tags
@@ -426,3 +428,33 @@ def test_pagination_params(url, page, expected):
def test_pagination():
with pytest.raises(ValueError):
custom_tags.pagination({}, link_type="madeup")
+
+
+@pytest.mark.parametrize(
+ "input, context, expected",
+ [
+ (
+ "{% hidden_field 'test-key' 'test-value' %}",
+ {},
+ '',
+ ),
+ (
+ "{% hidden_field key value %}",
+ {
+ "key": "test-key",
+ "value": "test-value",
+ },
+ '',
+ ),
+ (
+ "{% hidden_field key value %}",
+ {
+ "key": '">',
+ ),
+ ],
+)
+def test_hidden_field(render_template_string, input, context, expected):
+ assertHTMLEqual(render_template_string(input, context), expected)
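Review bot: The only escaping case visible in `test_hidden_field` puts the `">` payload in `key`; that case is cut short on this page, so if it does not also put markup characters in `value`, a further case should, since `value` is presumably the argument that carries request-derived data. `assertHTMLEqual` compares parsed HTML rather than text, so a separate test that checks the escaped form literally, e.g. `assert "&quot;&gt;" in render_template_string(input, context)`, would pin the escaping more directly. The parameter name `input` shadows the builtin; `template` would read better in both the parametrize string and the signature.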