diff --git a/app/assets/javascripts/lib/dompurify.js b/app/assets/javascripts/lib/dompurify.js
index 27760e483aa5c1b2322b78db9fefe183b440d8ed..5372f6555d29051479b9a7369a174c1dd5b8ea0b 100644
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
@@ -18,7 +18,7 @@ export const defaultConfig = {
     'data-disable',
     'data-turbo',
   ],
-  FORBID_TAGS: ['style', 'mstyle'],
+  FORBID_TAGS: ['style', 'mstyle', 'form'],
   ALLOW_UNKNOWN_PROTOCOLS: true,
 };
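Review bot: The new `'form'` entry in FORBID_TAGS carries no comment explaining why it is forbidden alongside `'style'`/`'mstyle'`, and the reason is not obvious from the config alone; a short why-comment such as `// 'form' is forbidden so rendered user content cannot submit or retarget form data` would help the next maintainer (wording to be confirmed against the commit's intent). Note that DOMPurify's KEEP_CONTENT presumably defaults to true and `form` is not in the library's default FORBID_CONTENTS, so only the `<form>` element itself is dropped while its children survive — if the intent is to strip the whole subtree, that needs FORBID_CONTENTS or a KEEP_CONTENT setting rather than FORBID_TAGS alone. The enclosing `defaultConfig` object starts and ends outside this hunk.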
 
diff --git a/spec/frontend/lib/dompurify_spec.js b/spec/frontend/lib/dompurify_spec.js
index 412408ce377d13a40017984da4adac2648fdb97e..f767a6735538cbd0068e9a6f4fcf2d04b04bcbea 100644
--- a/spec/frontend/lib/dompurify_spec.js
+++ b/spec/frontend/lib/dompurify_spec.js
@@ -94,6 +94,11 @@ describe('~/lib/dompurify', () => {
     expect(sanitize('<link rel="stylesheet" href="styles.css">')).toBe('');
   });
 
+  it("doesn't allow form tags", () => {
+    expect(sanitize('<form>')).toBe('');
+    expect(sanitize('<form method="post" action="path"></form>')).toBe('');
+  });
+
   describe.each`
     type          | gon
     ${'root'}     | ${rootGon}
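Review bot: Both new assertions use forms with no children, so they cannot tell whether the sanitizer strips just the `<form>` tag or the entire subtree; add a case with content to pin that behavior, e.g. `expect(sanitize('<form action="path"><p>hi</p></form>')).toBe('<p>hi</p>');` (or the empty string if the whole subtree is meant to be dropped — the intended outcome should be confirmed with the author). As written, a later change to KEEP_CONTENT or FORBID_CONTENTS would pass these tests unchanged. The enclosing `describe('~/lib/dompurify', ...)` block starts and ends outside this hunk.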