diff --git a/src/Field/Configurator/CommonPostConfigurator.php b/src/Field/Configurator/CommonPostConfigurator.php
index 532b236e9e..3a6017fe86 100644
--- a/src/Field/Configurator/CommonPostConfigurator.php
+++ b/src/Field/Configurator/CommonPostConfigurator.php
@@ -7,6 +7,7 @@
 use EasyCorp\Bundle\EasyAdminBundle\Contracts\Field\FieldConfiguratorInterface;
 use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
 use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
+use EasyCorp\Bundle\EasyAdminBundle\Field\TextField;
 use EasyCorp\Bundle\EasyAdminBundle\Provider\AdminContextProvider;
 use function Symfony\Component\String\u;
 use Twig\Markup;
@@ -53,6 +54,14 @@ private function buildFormattedValueOption($value, FieldDto $field, EntityDto $e
 $formatted = $callable($field->getValue(), $entityDto->getInstance());
+ // we don't want to unintentionally allow people to add XSS vulnerabilities
+ // in the code just because some people need to have HTML/JS
+ // so that if you want know what you're doing you have to explicitly
+ // disable this.
+ if ($field->getCustomOptions(TextField::OPTION_STRIP_TAGS)) {
+ return $formatted;
+ }
+
 // if the callable returns a string, wrap it in a Twig Markup to render the
 // HTML and CSS/JS elements that it might contain
 return \is_string($formatted) ? new Markup($formatted, $this->charset) : $formatted;
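Review bot: The guard `if ($field->getCustomOptions(TextField::OPTION_STRIP_TAGS))` calls the plural accessor with an option name; if `getCustomOptions()` returns the whole option store rather than one value, as its name suggests, that object is always truthy, the early return fires for every field, and the `Markup` wrapping below becomes dead code — the single-option accessor (`getCustomOption`) is presumably what was intended. The stated intent ("you have to explicitly disable this") also only holds for field types whose defaults set `stripTags` to true: this configurator runs for every field, and an unset option evaluates to null/falsy, so for those fields the callable's string is still wrapped in `Markup` and rendered unescaped. Failing closed would be `if (false !== $field->getCustomOption(TextField::OPTION_STRIP_TAGS)) { return $formatted; }`, so raw HTML only passes when a field explicitly opts out of escaping, though that would change output for any other field type whose formatValue callable returns HTML today. The comment's "if you want know what you're doing" should read "if you know what you're doing". buildFormattedValueOption starts before this hunk and its closing brace is not visible here.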