diff --git a/package.json b/package.json
index 331d42d48..c0d3cf910 100644
--- a/package.json
+++ b/package.json
@@ -37,6 +37,7 @@
"diff-match-patch": "git+https://github.com/hackmdio/diff-match-patch.git",
"ejs": "^2.5.5",
"emojify.js": "~1.1.0",
+ "escape-html": "^1.0.3",
"express": ">=4.14",
"express-session": "^1.14.2",
"file-saver": "^1.3.3",
diff --git a/public/js/extra.js b/public/js/extra.js
index b80290d1d..011e21439 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -15,6 +15,7 @@ import hljs from 'highlight.js'
import PDFObject from 'pdfobject'
import S from 'string'
import { saveAs } from 'file-saver'
+import escapeHTML from 'escape-html'
require('./lib/common/login')
require('../vendor/md-toc')
@@ -323,7 +324,7 @@ export function finishView (view) {
svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet')
} catch (err) {
$value.unwrap()
- $value.parent().append('
' + err + '
')
+ $value.parent().append(`${escapeHTML(err)}
`)
console.warn(err)
}
})
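Review bot: The escaped-alert construction on the `+` line is now repeated verbatim in five catch blocks (this hunk and the ones for the hunks starting at L36, L47, L58 and L68), so a future renderer added to finishView can easily miss the escaping again; a single helper that unwraps `$value`, appends the escaped alert and warns would keep the HTML-escaping decision in one place. The call also passes the Error object itself; escape-html coerces its argument by string concatenation, so the output matches the old `'' + err`, but `escapeHTML(String(err))` makes that reliance explicit rather than a property of the library. The escaping matters because the text these renderers throw can echo note content, which is why it should never be interpolated into markup unescaped. finishView starts and ends outside this hunk.
```javascript
// Swap a failed render for an escaped alert; renderer error text can echo
// note content, so it must never reach the DOM unescaped.
function appendRenderError ($value, err) {
  $value.unwrap()
  // … same alert wrapper markup as the existing append line, around the escaped text …
  $value.parent().append(`${escapeHTML(String(err))}`)
  console.warn(err)
}
```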
@@ -347,7 +348,7 @@ export function finishView (view) {
$value.children().unwrap().unwrap()
} catch (err) {
$value.unwrap()
- $value.parent().append('' + err + '
')
+ $value.parent().append(`${escapeHTML(err)}
`)
console.warn(err)
}
})
@@ -366,7 +367,7 @@ export function finishView (view) {
$value.children().unwrap().unwrap()
} catch (err) {
$value.unwrap()
- $value.parent().append('' + err + '
')
+ $value.parent().append(`${escapeHTML(err)}
`)
console.warn(err)
}
})
@@ -388,7 +389,7 @@ export function finishView (view) {
}
$value.unwrap()
- $value.parent().append('' + errormessage + '
')
+ $value.parent().append(`${escapeHTML(errormessage)}
`)
console.warn(errormessage)
}
})
@@ -408,7 +409,7 @@ export function finishView (view) {
svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet')
} catch (err) {
$value.unwrap()
- $value.parent().append('' + err + '
')
+ $value.parent().append(`${escapeHTML(err)}
`)
console.warn(err)
}
})
@@ -568,7 +569,7 @@ export function postProcess (code) {
if (warning && warning.length > 0) {
warning.text(md.metaError)
} else {
- warning = $('' + md.metaError + '
')
+ warning = $(`${escapeHTML(md.metaError)}
`)
result.prepend(warning)
}
}
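Review bot: The new `$(...)` branch still builds the warning element by interpolating escaped text into markup, while the sibling branch on the `warning.text(md.metaError)` line sets the same text through jQuery's `.text()`; constructing the wrapper from a markup-only literal and then calling `.text(md.metaError)` on it (`warning = $(WRAPPER_MARKUP_FROM_ORIGINAL_LINE).text(md.metaError)`) would make both branches use one mechanism and remove the need for manual escaping here. That is equivalent only if the wrapper literal carries no text of its own, which the stripped markup on this page does not show, so it needs checking against the actual line. postProcess starts outside this hunk.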