diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..0fd10e69a --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,3 @@ +For security disclosures please contact me at [miguel at chaskiq.io] +thanks! + diff --git a/app/graphql/mutations/app_users/update_app_user.rb b/app/graphql/mutations/app_users/update_app_user.rb index 7ca6a09b8..5d7544be3 100644 --- a/app/graphql/mutations/app_users/update_app_user.rb +++ b/app/graphql/mutations/app_users/update_app_user.rb @@ -4,6 +4,7 @@ module Mutations module AppUsers class UpdateAppUser < Mutations::BaseMutation field :app_user, Types::AppUserType, null: false + field :errors, Types::JsonType, null: true argument :app_key, String, required: true argument :options, Types::JsonType, required: true argument :id, Integer, required: true diff --git a/app/javascript/packages/components/src/components/segmentManager/index.tsx b/app/javascript/packages/components/src/components/segmentManager/index.tsx index 8ef3cbb59..90577abd5 100644 --- a/app/javascript/packages/components/src/components/segmentManager/index.tsx +++ b/app/javascript/packages/components/src/components/segmentManager/index.tsx @@ -8,7 +8,7 @@ import Dropdown from '../Dropdown'; import Button, { ButtonIndigo } from '../Button'; import { PredicateType } from './types'; import I18n from '../../../../../src/shared/FakeI18n'; - +import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize'; // import ClickAwayListener from '@material-ui/core/ClickAwayListener' import defaultFields from '../../utils/defaultFields'; @@ -178,7 +178,7 @@ export class SaveSegmentModal extends Component { className="ml-2" dangerouslySetInnerHTML={{ __html: I18n.t('segment_manager.save_changes_to', { - name: this.props.segment.name, + name: escapeHTML(this.props.segment.name), }), }} 
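Review bot: The new `field :errors, Types::JsonType, null: true` line opens an untyped JSON error channel on UpdateAppUser, but the `resolve` that fills it is outside the hunk, so what actually flows into it is not visible here. If it carries only the record's validation messages that is fine; if it ever carries exception messages or backtraces, the mutation would expose internals to any caller that holds an `app_key`. A `description:` would pin the contract for both clients and reviewers, e.g. `field :errors, Types::JsonType, null: true, description: 'Validation errors keyed by attribute; present only when the update failed'`. The class body continues outside the hunk.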
> diff --git a/app/javascript/packages/messenger/src/client_messenger/consentView.tsx b/app/javascript/packages/messenger/src/client_messenger/consentView.tsx index d9d03afd8..5f44f3e42 100644 --- a/app/javascript/packages/messenger/src/client_messenger/consentView.tsx +++ b/app/javascript/packages/messenger/src/client_messenger/consentView.tsx @@ -3,6 +3,8 @@ import styled from '@emotion/styled'; import tw from 'twin.macro'; +import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize'; + export const Wrapper = styled.div` top: 0px; z-index: 999999; @@ -37,7 +39,7 @@ export default function GDPRView({ confirm, cancel, i18n, app }) { {i18n.t('messenger.gdpr_title')} diff --git a/app/javascript/packages/messenger/src/client_messenger/conversations/appPackageBlock.tsx b/app/javascript/packages/messenger/src/client_messenger/conversations/appPackageBlock.tsx index 57722352a..f650eec65 100644 --- a/app/javascript/packages/messenger/src/client_messenger/conversations/appPackageBlock.tsx +++ b/app/javascript/packages/messenger/src/client_messenger/conversations/appPackageBlock.tsx @@ -2,6 +2,8 @@ import React, { Component } from 'react'; import { DefinitionRenderer } from '@chaskiq/components/src/components/packageBlocks/components'; import Button from '@chaskiq/components/src/components/Button'; import { toCamelCase } from '@chaskiq/components/src/utils/caseConverter'; +import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize'; + import autolink from '../autolink'; import serialize from 'form-serialize'; import { isEmpty } from 'lodash'; @@ -196,7 +198,7 @@ export default class AppPackageBlock extends Component< __html: this.props.i18n.t( 'messenger.conversation_block.choosen', { - field: item.label, + field: escapeHTML(item.label), } ), }} diff --git a/app/javascript/src/layout/sidebar.tsx b/app/javascript/src/layout/sidebar.tsx index a0ef4f982..827af9977 100644 --- a/app/javascript/src/layout/sidebar.tsx 
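Review bot: The escaping on the `field: escapeHTML(item.label)` line is applied per call site, and the identical pattern recurs in segmentManager/index.tsx, sidebar.tsx and Dashboard.tsx (`name: escapeHTML(...)`), so every future `I18n.t(key, { ... })` whose result is fed to `dangerouslySetInnerHTML` has to remember the call or the injection comes back. A helper beside `escapeHTML` that escapes every interpolation value before the translator sees it makes the safe form the default; this call site would then read `escapeParams({ field: item.label })`. It is not visible here whether `escapeHTML` tolerates an `undefined`/`null` label or escapes quotes in addition to angle brackets; if it only handles `<`, `>` and `&`, a translation that places the value inside an attribute would still be breakable, so that is worth confirming in htmlSanitize. The enclosing render method starts and ends outside the hunk.
```typescript
// helper, intended to live next to escapeHTML in utils/htmlSanitize:
// escape every interpolation value so a translation can only carry its own markup
export function escapeParams(params: Record<string, unknown>): Record<string, string> {
  return Object.fromEntries(
    Object.entries(params).map(([key, value]) => [key, escapeHTML(String(value ?? ''))])
  );
}

// … unchanged: dangerouslySetInnerHTML wrapper …
__html: this.props.i18n.t(
  'messenger.conversation_block.choosen',
  escapeParams({ field: item.label })
),
```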
+++ b/app/javascript/src/layout/sidebar.tsx @@ -34,6 +34,8 @@ import { ChartsIcons, } from '@chaskiq/components/src/components/icons'; +import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize'; + import I18n from '../shared/FakeI18n'; import SidebarAgents from '../pages/conversations/SidebarAgents'; @@ -140,7 +142,7 @@ function Sidebar({ className="text-sm leading-5 text-gray-500 dark:text-gray-100 font-light" dangerouslySetInnerHTML={{ __html: I18n.t('dashboard.hey', { - name: app.name, + name: escapeHTML(app.name), }), }} /> diff --git a/app/javascript/src/pages/Dashboard.tsx b/app/javascript/src/pages/Dashboard.tsx index a952c4b4b..cb8825e81 100644 --- a/app/javascript/src/pages/Dashboard.tsx +++ b/app/javascript/src/pages/Dashboard.tsx @@ -11,6 +11,8 @@ import PageHeader from '@chaskiq/components/src/components/PageHeader'; import DashboardItem from './reports/ReportItem'; +import { escapeHTML } from '@chaskiq/components/src/utils/htmlSanitize'; + import { ConversationChatIcon, CampaignsIcon, @@ -123,7 +125,7 @@ function Dashboard(props) { className="text-4xl leading-2 text-gray-900 dark:text-gray-100 font-bold" dangerouslySetInnerHTML={{ __html: I18n.t('dashboard.hey', { - name: app.name, + name: escapeHTML(app.name), }), }} /> diff --git a/app/javascript/src/pages/Profile.tsx b/app/javascript/src/pages/Profile.tsx index 68b12bc56..d4074c565 100644 --- a/app/javascript/src/pages/Profile.tsx +++ b/app/javascript/src/pages/Profile.tsx @@ -25,7 +25,9 @@ import { import graphql from '@chaskiq/store/src/graphql/client'; import DialogEditor from './conversations/DialogEditor'; -import sanitizeHtml from '@chaskiq/components/src/utils/htmlSanitize'; +import sanitizeHtml, { + escapeHTML, +} from '@chaskiq/components/src/utils/htmlSanitize'; //require('sanitize-html') import { setCurrentSection } from '@chaskiq/store/src/actions/navigation'; @@ -515,8 +517,10 @@ class ProfilePage extends Component {
diff --git a/app/javascript/src/pages/campaigns/editor.tsx b/app/javascript/src/pages/campaigns/editor.tsx index 4c764da5f..7bbca7f14 100644 --- a/app/javascript/src/pages/campaigns/editor.tsx +++ b/app/javascript/src/pages/campaigns/editor.tsx @@ -311,7 +311,7 @@ function Preview({ campaign, app }) { {I18n.t('campaign.preview')}
-

{I18n.t('campaign.preview_hint')}

+

{I18n.t('campaign.preview_hint', { name: '{{name}}' })}