3 files changed, 10 insertions, 2 deletions

diff --git a/BUILD b/BUILD
index 5bf8a19..5e0164b 100644
--- a/BUILD
+++ b/BUILD
@@ -14,6 +14,7 @@ gerrit_plugin(
     ],
     resource_jars = [":banner-info-ui"],
     resources = glob(["src/main/resources/**/*"]),
+    deps = ["@commons-text//jar"],
 )
 
 gerrit_js_bundle(
diff --git a/pom.xml b/pom.xml
index 50deb02..9569efa 100644
--- a/pom.xml
+++ b/pom.xml
@@ -75,6 +75,12 @@ Copyright (C) 2022 The Qt Company
       <scope>provided</scope>
     </dependency>
     <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+      <version>1.2</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
       <version>4.11</version>
diff --git a/src/main/java/org/qtproject/codereview/gerritinfobanner/MessageStore.java b/src/main/java/org/qtproject/codereview/gerritinfobanner/MessageStore.java
index 2fe4a2a..7136e4b 100644
--- a/src/main/java/org/qtproject/codereview/gerritinfobanner/MessageStore.java
+++ b/src/main/java/org/qtproject/codereview/gerritinfobanner/MessageStore.java
@@ -1,10 +1,11 @@
 //
-// Copyright (C) 2022 The Qt Company
+// Copyright (C) 2022-24 The Qt Company
 //
 
 package org.qtproject.codereview.gerritinfobanner;
 
 import com.google.inject.Singleton;
+import org.apache.commons.text.StringEscapeUtils;
 
 @Singleton
 public class MessageStore {
@@ -16,6 +17,6 @@ public class MessageStore {
   }
 
   public void setMessage(String msg) {
-    message = msg;
+    message = StringEscapeUtils.escapeHtml4(msg);
   }
 }