diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/notedb/ChangeUpdate.java b/gerrit-server/src/main/java/com/google/gerrit/server/notedb/ChangeUpdate.java
index 23e9fcf69a..c241965fcc 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/notedb/ChangeUpdate.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/notedb/ChangeUpdate.java
@@ -600,7 +600,7 @@ public class ChangeUpdate extends AbstractChangeUpdate {
     }
 
     if (subject != null) {
-      addFooter(msg, FOOTER_SUBJECT, sanitizeFooter(subject));
+      addFooter(msg, FOOTER_SUBJECT, subject);
     }
 
     if (branch != null) {
@@ -648,6 +648,7 @@ public class ChangeUpdate extends AbstractChangeUpdate {
 
     for (Table.Cell<String, Account.Id, Optional<Short>> c : approvals.cellSet()) {
       addFooter(msg, FOOTER_LABEL);
+      // Label names/values are safe to append without sanitizing.
       if (!c.getValue().isPresent()) {
         msg.append('-').append(c.getRowKey());
       } else {
@@ -674,6 +675,7 @@ public class ChangeUpdate extends AbstractChangeUpdate {
 
         if (rec.labels != null) {
           for (SubmitRecord.Label label : rec.labels) {
+            // Label names/values are safe to append without sanitizing.
             addFooter(msg, FOOTER_SUBMITTED_WITH)
                 .append(label.status)
                 .append(": ")
@@ -765,7 +767,7 @@ public class ChangeUpdate extends AbstractChangeUpdate {
   private static void addFooter(StringBuilder sb, FooterKey footer, Object... values) {
     addFooter(sb, footer);
     for (Object value : values) {
-      sb.append(value);
+      sb.append(sanitizeFooter(Objects.toString(value)));
     }
     sb.append('\n');
   }