diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb
index 57a2940802c02..f154021ae66d5 100644
--- a/actionpack/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb
@@ -8,7 +8,7 @@
 </header>
 
 <div id="container">
-  <h2><%= @exception.message %></h2>
+  <h2><%= h @exception.message %></h2>
 
   <%= render template: "rescues/_source" %>
   <%= render template: "rescues/_trace" %>
diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/missing_template.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/missing_template.erb
index ca14215946e03..5c016e544eddb 100644
--- a/actionpack/lib/action_dispatch/middleware/templates/rescues/missing_template.erb
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/missing_template.erb
@@ -3,5 +3,5 @@
 </header>
 
 <div id="container">
-  <h2><%= @exception.message %></h2>
+  <h2><%= h @exception.message %></h2>
 </div>
diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/routing_error.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/routing_error.erb
index cd3daff065545..7e9cedb95e314 100644
--- a/actionpack/lib/action_dispatch/middleware/templates/rescues/routing_error.erb
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/routing_error.erb
@@ -2,7 +2,7 @@
   <h1>Routing Error</h1>
 </header>
 <div id="container">
-  <h2><%= @exception.message %></h2>
+  <h2><%= h @exception.message %></h2>
   <% unless @exception.failures.empty? %>
     <p>
       <h2>Failure reasons:</h2>
diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/template_error.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/template_error.erb
index 31f46ee340a6c..027a0f5b3ed5c 100644
--- a/actionpack/lib/action_dispatch/middleware/templates/rescues/template_error.erb
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/template_error.erb
@@ -10,7 +10,7 @@
   <p>
     Showing <i><%= @exception.file_name %></i> where line <b>#<%= @exception.line_number %></b> raised:
   </p>
-  <pre><code><%= @exception.message %></code></pre>
+  <pre><code><%= h @exception.message %></code></pre>
 
   <div class="source">
     <div class="info">
diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/unknown_action.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/unknown_action.erb
index c1fbf67eed297..259fb2bb3b472 100644
--- a/actionpack/lib/action_dispatch/middleware/templates/rescues/unknown_action.erb
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/unknown_action.erb
@@ -2,5 +2,5 @@
   <h1>Unknown action</h1>
 </header>
 <div id="container">
-  <h2><%= @exception.message %></h2>
+  <h2><%= h @exception.message %></h2>
 </div>