diff --git a/index.js b/index.js
index cf6f695..647ec91 100644
--- a/index.js
+++ b/index.js
@@ -88,6 +88,18 @@ function utf8ToAscii(str) {
     .join('');
 }
 
+function escapeHtml(str) {
+  if (typeof str !== 'string') {
+    return '';
+  }
+  return str
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
 function sanitizeErrorHeader(msg) {
   if (typeof msg === 'string') {
     return utf8ToAscii(msg).replace(/\r?\n|\r/g, '');
@@ -122,7 +134,7 @@ function failSvg(res, msg, statusCode = 500) {
   </style>
   <foreignObject width="240" height="80"
    requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility">
-    <p xmlns="http://www.w3.org/1999/xhtml">${msg}</p>
+    <p xmlns="http://www.w3.org/1999/xhtml">${escapeHtml(msg)}</p>
   </foreignObject>
 </svg>`);
 }
@@ -353,7 +365,7 @@ app.get('/chart', (req, res) => {
     renderChartToPng(req, res, opts);
   } else {
     logger.error(`Request for unsupported format ${outputFormat}`);
-    res.status(500).end(`Unsupported format ${outputFormat}`);
+    res.status(500).end(`Unsupported format ${escapeHtml(outputFormat)}`);
   }
 
   telemetry.count('chartCount');