diff --git a/utils/html_utils.py b/utils/html_utils.py
index 2db7dbf..464c0be 100644
--- a/utils/html_utils.py
+++ b/utils/html_utils.py
@@ -1,8 +1,11 @@
+def sanitize( s ):
+	return s.replace( "<", "&lt;" ).replace( ">", "&gt;" )
+
 def html_a_format( url, text ):
-	return "<a href='{}'>{}</a>".format( url, text )
+	return "<a href='{}'>{}</a>".format( url, sanitize( text ) )
 
 def html_a_blank_format( url, text ):
-	return "<a href='{}' target='_blank'>{}</a>".format( url, text )
+	return "<a href='{}' target='_blank'>{}</a>".format( url, sanitize( text ) )
 
 # modify to have randon auth hash to verify owner
 # target="dummyframe"
@@ -11,5 +14,5 @@ def html_delete_format( url, playlist_id, user_id, beatmap_id, text ):
 	<input name="playlist_id" type="hidden" value="{ playlist_id }"/>
 	<input name="user_id" type="hidden" value="{ user_id }"/>
 	<input name="beatmap_id" type="hidden" value="{ beatmap_id }"/>
-	<button class="remove">{ text }</button>
+	<button class="remove">{ sanitize( text ) }</button>
 </form>"""
\ No newline at end of file