diff --git a/horizon.dhall b/horizon.dhall
index 74f6275e42bfc85a21215f64676d4d90647c76ce..5a9d565b056fedbca47151e4d2dfb19197336f58 100644
--- a/horizon.dhall
+++ b/horizon.dhall
@@ -971,6 +971,7 @@ let packages =
       , xml = H.callHackage "xml" "1.3.14"
       , xmonad-contrib = H.callHackage "xmonad-contrib" "0.17.1"
       , xmonad = H.callHackage "xmonad" "0.17.1"
+      , xss-sanitize = H.callHackage "xss-sanitize" "0.3.7.1"
       , yaml = H.callHackage "yaml" "0.11.8.0"
       , zip-archive = H.callHackage "zip-archive" "0.4.2.2"
       , zlib = H.callHackage "zlib" "0.6.3.0"
diff --git a/initial-packages.nix b/initial-packages.nix
index bc09724ce438aeb3bf56d667f2e2d5f87ade5cda..20894b1e399d543897a7a21ca1e293e96b7bf308 100644
--- a/initial-packages.nix
+++ b/initial-packages.nix
@@ -1589,6 +1589,8 @@ self: with pkgs.haskell.lib; {
 
   xmonad-contrib = self.callPackage (./pkgs/xmonad-contrib.nix) { };
 
+  xss-sanitize = self.callPackage (./pkgs/xss-sanitize.nix) { };
+
   yaml = self.callPackage (./pkgs/yaml.nix) { };
 
   zip-archive = self.callPackage (./pkgs/zip-archive.nix) { };
diff --git a/pkgs/xss-sanitize.nix b/pkgs/xss-sanitize.nix
new file mode 100644
index 0000000000000000000000000000000000000000..dd798fa868d2760a7209b9a0a39fc2cdac1558f7
--- /dev/null
+++ b/pkgs/xss-sanitize.nix
@@ -0,0 +1,54 @@
+{ mkDerivation
+, HUnit
+, attoparsec
+, base
+, containers
+, css-text
+, hspec
+, lib
+, network-uri
+, tagsoup
+, text
+, utf8-string
+}:
+mkDerivation {
+  pname = "xss-sanitize";
+  version = "0.3.7.1";
+  sha256 = "303c15935f0e54dd0ef1b3665d307e4e74e2a3e9f8d4612a2133ac8a04f4b5d2";
+  isLibrary = true;
+  isExecutable = false;
+  enableSeparateDataOutput = false;
+  libraryHaskellDepends = [
+    attoparsec
+    base
+    containers
+    css-text
+    network-uri
+    tagsoup
+    text
+    utf8-string
+  ];
+  testHaskellDepends = [
+    attoparsec
+    base
+    containers
+    css-text
+    hspec
+    HUnit
+    network-uri
+    tagsoup
+    text
+    utf8-string
+  ];
+  enableLibraryProfiling = true;
+  enableExecutableProfiling = true;
+  doHaddock = false;
+  jailbreak = true;
+  doCheck = false;
+  doBenchmark = false;
+  hyperlinkSource = false;
+  homepage = "https://github.com/yesodweb/haskell-xss-sanitize#readme";
+  description = "sanitize untrusted HTML to prevent XSS attacks";
+  license = lib.licenses.bsd2;
+  broken = false;
+}