diff --git a/ApplicationController.rb b/ApplicationController.rb
index 85e059f..605de7a 100644
--- a/ApplicationController.rb
+++ b/ApplicationController.rb
@@ -13,6 +13,7 @@ $:.unshift(libdir, "#{libdir}/grit/lib", "#{libdir}/mime-types/lib")
 require 'grit'
 require 'time_extensions'
+require 'string_hacks'
 require 'InfoWindowController'
 OSX.ns_import 'CommitSummaryCell'
diff --git a/CommitsController.rb b/CommitsController.rb
index 178cf5b..67cec8d 100644
--- a/CommitsController.rb
+++ b/CommitsController.rb
@@ -151,9 +151,9 @@ def update_main_document
 diffs = []
 doc = @commit_details.mainFrame.DOMDocument
 title, message = active_commit.message.split("\n", 2)
- set_html("title", title.strip.gsub("\n", "
"))
+ set_html("title", title.escapeHTML.strip.gsub("\n", "
"))
 if message
- set_html("message", message.strip.gsub("\n", "
"))
+ set_html("message", message.escapeHTML.strip.gsub("\n", "
"))
 show_element("message")
 else
 hide_element("message")
diff --git a/lib/string_hacks.rb b/lib/string_hacks.rb
new file mode 100644
index 0000000..e66045e
--- /dev/null
+++ b/lib/string_hacks.rb
@@ -0,0 +1,19 @@
+class String
+ HTML_ESCAPES = {
+ ?& => "amp",
+ ?" => "quot",
+ ?< => "lt",
+ ?> => "gt"
+ }.freeze
+
+ def escapeHTML
+ self.split("").collect { |x| HTML_ESCAPES.key?(x.ord) ? "&#{HTML_ESCAPES[x.ord]};" : x }.join("")
+ end
+
+ # Ruby 1.9 forward-compatibility
+ unless String.method_defined?(:ord)
+ define_method :ord do
+ self[0]
+ end
+ end
+end
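Review bot: Escaping is done at the two `set_html` call sites in `update_main_document` rather than inside `set_html`, so every other caller has to remember `.escapeHTML` on its own. The rest of this method and any other `set_html` callers are outside the hunk; if they pass author names, file paths or diff text from the repository, those values presumably still reach the web view unescaped and should be checked. The order used here (escape first, then `gsub` to insert the line-break markup) is the correct one and is worth pinning with a comment above the calls, for example `# commit text is untrusted repository data: escape it first, add our own markup afterwards`. The replacement string passed to `gsub` is cut off on this page, so that part of the line cannot be reviewed.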
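Review bot: `escapeHTML` fails open on Ruby 1.9 and later. There `?&` is the one-character String `"&"`, so the `HTML_ESCAPES` keys are Strings while the lookup uses the Integer `x.ord`; `key?` never matches and the input comes back unescaped with no error. The `ord` shim at the bottom only covers the 1.8 side of that difference. Delegating to the standard library removes the version dependence: add `require 'cgi'` at the top of the file and make the method body `CGI.escapeHTML(self)`. The hand-written table also leaves `'` unescaped, so a comment should state that the result is meant for element content and double-quoted attribute values only.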