diff --git a/install.php b/install.php
index a069a8f7..1da65281 100644
--- a/install.php
+++ b/install.php
@@ -155,7 +155,7 @@
 $config['installation_complete']['database'] = true; // database settings successful set
 $config['installation_complete']['db_backup_path'] = true; //Workaround, because we removed the dialog for this
 } catch (Exception $e) {
- $messages[] = array('text' => nl2br($e->getMessage()), 'strong' => true, 'color' => 'red');
+ $messages[] = array('text' => nl2br(htmlentities($e->getMessage())), 'strong' => true, 'color' => 'red');
 }
 break;
@@ -166,7 +166,7 @@
 $config['installation_complete']['db_backup_path'] = true; // database backup path successful set
 } catch (Exception $e) {
- $messages[] = array('text' => nl2br($e->getMessage()), 'strong' => true, 'color' => 'red');
+ $messages[] = array('text' => nl2br(htmlentities($e->getMessage())), 'strong' => true, 'color' => 'red');
 }
 break;
@@ -179,7 +179,7 @@
 try {
 saveConfig();
 } catch (Exception $e) {
- $messages[] = array('text' => nl2br($e->getMessage()), 'strong' => true, 'color' => 'red');
+ $messages[] = array('text' => nl2br(htmlentities($e->getMessage())), 'strong' => true, 'color' => 'red');
 $fatal_error = true;
 }
@@ -228,7 +228,7 @@
 $tmpl_site_to_show = 'finish';
 }
 } catch (Exception $e) {
- $messages[] = array('text' => nl2br($e->getMessage()), 'strong' => true, 'color' => 'red');
+ $messages[] = array('text' => nl2br(htmlspecialchars($e->getMessage())), 'strong' => true, 'color' => 'red');
 $fatal_error = true;
 }
 }
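Review bot: The four catch blocks are escaped inconsistently: the hunks at 155, 166 and 179 call `htmlentities()` while the one at 228 calls `htmlspecialchars()`, and all four rely on the default flags and charset. With those defaults the result depends on the PHP version: before 8.1 single quotes are left unescaped, and a message containing bytes that are invalid in the assumed charset (plausible for database driver errors) comes back as an empty string, so the installer would show a blank error. I would use one explicit call in all four places, `nl2br(htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'))`, with the charset set to whatever the installer page actually declares, or move it into a small helper so the sites cannot drift apart again. How the template emits `$messages[]['text']` is outside these hunks, so it is worth confirming there that no other entry reaches the page unescaped.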