diff --git a/src/Navigation/Notifications/Entity/Notify.php b/src/Navigation/Notifications/Entity/Notify.php
index b7a007a2f0..45f450b1d1 100644
--- a/src/Navigation/Notifications/Entity/Notify.php
+++ b/src/Navigation/Notifications/Entity/Notify.php
@@ -134,6 +134,6 @@ class Notify extends BaseEntity
 */
 public static function formatMessage(string $name, string $message): string
 {
- return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', $message);
+ return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', htmlspecialchars($message));
 }
 }
diff --git a/tests/src/Navigation/Notifications/Entity/NotifyTest.php b/tests/src/Navigation/Notifications/Entity/NotifyTest.php
new file mode 100644
index 0000000000..2021759e09
--- /dev/null
+++ b/tests/src/Navigation/Notifications/Entity/NotifyTest.php
@@ -0,0 +1,28 @@
+ [
+ 'name' => 'Whiskers',
+ 'message' => '{0} commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from ',
+ 'assertion' => 'Whiskers commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from <script>alert("Tek");</script>',
+ ],
+ ];
+ }
+
+ /**
+ * @dataProvider dataFormatNotify
+ */
+ public function testFormatNotify(string $name, string $message, string $assertion)
+ {
+ self::assertEquals($assertion, Notify::formatMessage($name, $message));
+ }
+}
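Review bot: `htmlspecialchars($message)` on the added line relies on the default flags, which on PHP before 8.1 were `ENT_COMPAT | ENT_HTML401` (single quotes left alone, invalid UTF-8 sequences not substituted) and only became `ENT_QUOTES | ENT_SUBSTITUTE` in 8.1; since this line is the fix that stops a notification message from injecting markup, pin the behaviour independent of the runtime with `htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The `$name` side is still only passed through `strip_tags()`, which removes tags but does not encode a stray `<`, `"` or `&`, so unless `BBCode::convert()` already entity-encodes its output (not visible here, and the markup the name is wrapped in has been lost in this extraction), the name can remain a second injection path and would want the same `htmlspecialchars` treatment after `strip_tags`. Escaping the message before the placeholder substitution is the right order, as the name's wrapper markup is not re-encoded; if any caller or template escapes the returned string again, the `&amp;`-style double encoding will now show in the UI, so the rendering path is worth checking. `formatMessage` fits entirely within the hunk.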
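Review bot: `testFormatNotify` declares no return type and compares two strings with `assertEquals`; it should read `public function testFormatNotify(string $name, string $message, string $assertion): void` and use `self::assertSame($assertion, Notify::formatMessage($name, $message));` so the check is an exact string comparison. The test runs `Notify::formatMessage` against the real `BBCode::convert`, so it exercises the BBCode converter as well as the escaping, and the single dataset only covers markup in `$message`; a second dataset where `$name` carries a `<`, a quote or an ampersand would cover the half of the output that `htmlspecialchars` does not touch. The expected string as shown here contains literal double quotes and a `<script>` pair that `htmlspecialchars` would have turned into `&quot;` and `&lt;script&gt;`; this is most likely an artefact of how the page was rendered, but if it is the real source the assertion cannot pass. The hunk appears truncated in this extraction (file header, class declaration and the start of the data provider are missing), so the provider's signature could not be reviewed.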