diff --git a/erpnext/templates/utils.py b/erpnext/templates/utils.py
index 57750a56f6f..15af9f0f014 100644
--- a/erpnext/templates/utils.py
+++ b/erpnext/templates/utils.py
@@ -3,6 +3,7 @@
 
 
 import frappe
+from frappe.utils import escape_html
 
 
 @frappe.whitelist(allow_guest=True)
@@ -11,6 +12,8 @@ def send_message(sender, message, subject="Website Query"):
 
 	website_send_message(sender, message, subject)
 
+	message = escape_html(message)
+
 	lead = customer = None
 	customer = frappe.db.sql(
 		"""select distinct dl.link_name from `tabDynamic Link` dl