diff --git a/fuzz/html.c b/fuzz/html.c
index d212c1f02..449a9d492 100644
--- a/fuzz/html.c
+++ b/fuzz/html.c
@@ -22,7 +22,7 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
static const size_t maxChunkSize = 128;
htmlDocPtr doc;
htmlParserCtxtPtr ctxt;
- xmlChar *out;
+ xmlOutputBufferPtr out;
const char *docBuffer;
size_t docSize, consumed, chunkSize;
int opts, outSize;
@@ -39,9 +39,16 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
/* Pull parser */
doc = htmlReadMemory(docBuffer, docSize, NULL, NULL, opts);
- /* Also test the serializer. */
- htmlDocDumpMemory(doc, &out, &outSize);
- xmlFree(out);
+
+ /*
+ * Also test the serializer. Call htmlDocContentDumpOutput with our
+ * own buffer to avoid encoding the output. The HTML encoding is
+ * excruciatingly slow (see htmlEntityValueLookup).
+ */
+ out = xmlAllocOutputBuffer(NULL);
+ htmlDocContentDumpOutput(out, doc, NULL);
+ xmlOutputBufferClose(out);
+
xmlFreeDoc(doc);
/* Push parser */