diff --git a/webapp/graphite/errors.py b/webapp/graphite/errors.py
index 289541798a..3538e152ad 100644
--- a/webapp/graphite/errors.py
+++ b/webapp/graphite/errors.py
@@ -1,7 +1,6 @@
 from django.http import HttpResponseBadRequest
 from graphite.logger import log
-
 class NormalizeEmptyResultError(Exception):
 # throw error for normalize() when empty
 pass
@@ -94,6 +93,15 @@ def __str__(self):
 return msg
+def escape(s):
+ # Replace special characters "&", "<" and ">" to HTML-safe sequences.
+ s = s.replace("&", "&") # Must be done first!
+ s = s.replace("<", "<")
+ s = s.replace(">", ">")
+
+ return s
+
+
 # decorator which turns InputParameterExceptions into Django's HttpResponseBadRequest
 def handleInputParameterError(f):
 def new_f(*args, **kwargs):
@@ -102,6 +110,6 @@ def new_f(*args, **kwargs):
 except InputParameterError as e:
 msgStr = str(e)
 log.warning('%s', msgStr)
- return HttpResponseBadRequest(msgStr)
+ return HttpResponseBadRequest(escape(msgStr))
 return new_f
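Review bot: As rendered here, every `s.replace(...)` in the new `escape()` replaces a character with itself, so the function is a no-op and the `HttpResponseBadRequest(escape(msgStr))` call in the last hunk would still return the raw exception text in an HTML response; this may only be the page decoding the entities, but if the committed file reads this way the replacement strings must be the entity sequences (`&amp;`, `&lt;`, `&gt;`). Rather than hand-rolling the table, the standard library already provides it as `html.escape(msgStr)` (`cgi.escape(msgStr, quote=True)` if Python 2 must still be supported), which also escapes quotes, so the message stays safe if it is ever placed inside an attribute. An alternative that removes the HTML interpretation altogether is `return HttpResponseBadRequest(msgStr, content_type='text/plain')`, since the response's default content type is HTML. Either way the comment on `escape()` should state the contract it actually provides, e.g. `# HTML-escape text that is echoed back to the client in an HTML error response.`. `handleInputParameterError` begins at the end of this hunk and its body, including the `new_f` change in the last hunk, continues outside it.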