diff --git a/html/error.go b/html/error.go
index 826c42b..ac222c4 100644
--- a/html/error.go
+++ b/html/error.go
@@ -1,6 +1,7 @@
 package html
 
 import (
+ "html/template"
 "net/http"
 "strconv"
 "strings"
@@ -39,7 +40,8 @@ func errorMessage(statusCode int) string {
 
 // TODO: use template engine
 func errorBody(statusCode int) string {
- return strings.ReplaceAll(NotFoundPage,
- "%status%",
- strconv.Itoa(statusCode)+" "+errorMessage(statusCode))
+ return template.HTMLEscapeString(
+ strings.ReplaceAll(NotFoundPage,
+ "%status%",
+ strconv.Itoa(statusCode)+" "+errorMessage(statusCode)))
 }
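Review bot: In errorBody, `template.HTMLEscapeString` wraps the result of `strings.ReplaceAll`, so the whole of `NotFoundPage` is escaped after substitution rather than only the interpolated status text. `NotFoundPage` is defined outside this diff, but if it holds HTML markup as the package and name suggest, every `<`, `>`, `&` and quote in the page becomes an entity and the client receives the page source as visible text. Escape only the value being inserted: `strings.ReplaceAll(NotFoundPage, "%status%", template.HTMLEscapeString(strconv.Itoa(statusCode)+" "+errorMessage(statusCode)))`. That is sufficient only where `%status%` sits in element text or a quoted attribute; the TODO's move to `html/template` would give context-aware escaping for any other placement.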