diff --git a/app/helpers/removed_js_helpers_helper.rb b/app/helpers/removed_js_helpers_helper.rb
index 874e404a518..65d2ac23503 100644
--- a/app/helpers/removed_js_helpers_helper.rb
+++ b/app/helpers/removed_js_helpers_helper.rb
@@ -46,7 +46,7 @@ module RemovedJsHelpersHelper
 def csp_onclick(callback_str, selector, prevent_default: true)
 content_for(:additional_js_dom_ready) do
 raw <<~JS # rubocop:disable Rails/OutputSafety
- document.querySelector('#{selector}')?.addEventListener('click', function(event) {
+ document.querySelector('#{j(selector)}')?.addEventListener('click', function(event) {
 #{callback_str&.delete_suffix(';')};#{"\n event.preventDefault();" if prevent_default}
 });
 JS
diff --git a/spec/helpers/removed_js_helpers_helper_spec.rb b/spec/helpers/removed_js_helpers_helper_spec.rb
index 8dee6d8d884..0df1f3be265 100644
--- a/spec/helpers/removed_js_helpers_helper_spec.rb
+++ b/spec/helpers/removed_js_helpers_helper_spec.rb
@@ -69,5 +69,16 @@ RSpec.describe RemovedJsHelpersHelper do
 });
 JS
 end
+
+ it "escapes selector" do
+ helper.csp_onclick("console.log('hello');", "[data-attr^='foo']")
+
+ expect(helper.content_for(:additional_js_dom_ready)).to eq(<<~JS)
+ document.querySelector('[data-attr^=\\'foo\\']')?.addEventListener('click', function(event) {
+ console.log('hello');
+ event.preventDefault();
+ });
+ JS
+ end
 end
 end
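Review bot: Wrapping the selector in `j(...)` closes the string-literal break-out, but `callback_str` on the very next line is still interpolated into the script verbatim, and nothing in the hunk records that this argument must be developer-authored JavaScript rather than anything derived from request data. I would state that contract above `def csp_onclick`: `# @param callback_str [String] trusted JavaScript emitted verbatim into the page; never build it from user input` and `# @param selector [String] CSS selector; escaped with escape_javascript (j) for the single-quoted literal`. Note also that `j` only makes the value safe as a JS string literal — a selector that is not valid CSS still reaches `querySelector` unchanged and would presumably fail there at runtime, so callers should pass fixed selectors. The method's `end` lies outside the hunk.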
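Review bot: The new example only exercises a single quote in the selector, which is exactly the case the fix was written for; the other characters `escape_javascript` rewrites (backslash, double quote, line terminators) are not covered, so a later change to a narrower escaper would still pass this spec. A second example passing a constructed selector that contains a backslash and an embedded newline, and asserting that the emitted `querySelector('…')` literal stays on one line with those characters escaped, would pin the behaviour the helper now relies on. The expected heredoc is compared against the whole `content_for` buffer, so the assertion also depends on the helper heredoc's exact indentation; that matches the sibling examples and is acceptable.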