diff --git a/JavaSource/org/unitime/timetable/action/MainAction.java b/JavaSource/org/unitime/timetable/action/MainAction.java
index 45eb536dee..f43e24a294 100644
--- a/JavaSource/org/unitime/timetable/action/MainAction.java
+++ b/JavaSource/org/unitime/timetable/action/MainAction.java
@@ -21,6 +21,7 @@
import java.io.IOException;
+import org.apache.commons.text.StringEscapeUtils;
import org.apache.struts2.convention.annotation.Action;
import org.apache.struts2.convention.annotation.Result;
import org.apache.struts2.tiles.annotation.TilesDefinition;
@@ -78,7 +79,9 @@ public void printInitializationError() throws IOException {
}
public String execute() throws Exception {
- if (message == null)
+ if (message != null && !message.isEmpty())
+ message = StringEscapeUtils.escapeHtml4(message);
+ else if (message == null)
message = getSystemMessage();
if ("cas-logout".equals(op)) {
message = MSG.casLoggedOut();
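Review bot: The HTML encoding is applied where `message` is assigned in `execute()` rather than where it is rendered, so the protection depends on the view never re-escaping it (double encoding if the JSP already escapes the property) and on no later assignment in the method re-introducing request-derived text; only `getSystemMessage()` and `MSG.casLoggedOut()` are visible here, so this is a hedged concern rather than a defect in the hunk. The two-branch condition can be written more directly, since escaping an empty string is a no-op: `if (message == null) message = getSystemMessage(); else message = StringEscapeUtils.escapeHtml4(message);`. A one-line comment on the escape would make the intent clear to the next reader, e.g. `// message may be supplied as a request parameter; HTML-encode it before it reaches the view`. The body of execute() continues past the end of this hunk.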
diff --git a/WebContent/help/Release-Notes.xml b/WebContent/help/Release-Notes.xml
index 93293da76f..86910d2340 100644
--- a/WebContent/help/Release-Notes.xml
+++ b/WebContent/help/Release-Notes.xml
@@ -56,6 +56,15 @@
+
+ Other
+ -
+ Main page
+
+ To prevent an XSS vulnerability, sanitize the message when provided as a parameter.
+
+
+
4.8.145