diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
index a185731f95..4e2ec108c6 100644
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@@ -1166,7 +1166,7 @@ def handle_exception!(boom)
 
       if not_found? || bad_request?
         if boom.message && boom.message != boom.class.name
-          body boom.message
+          body Rack::Utils.escape_html(boom.message)
         else
           content_type 'text/html'
           body '<h1>' + (not_found? ? 'Not Found' : 'Bad Request') + '</h1>'
diff --git a/test/static_test.rb b/test/static_test.rb
index b5adbf312c..71ed5eb055 100644
--- a/test/static_test.rb
+++ b/test/static_test.rb
@@ -81,6 +81,12 @@ class StaticTest < Minitest::Test
     assert not_found?
   end
 
+  it 'path is escaped in 404 error pages' do
+    env = Rack::MockRequest.env_for("/dummy").tap { |env| env["PATH_INFO"] = "/<script>" }
+    _, _, body = @app.call(env)
+    assert_equal(["GET &#x2F;&lt;script&gt;"], body, "Unexpected response content.") 
+  end
+
   it 'serves files when .. path traverses within public directory' do
     get "/data/../#{File.basename(__FILE__)}"
     assert ok?