diff --git a/bot/static/index.html b/bot/static/index.html
index 7faf356..c82a801 100644
--- a/bot/static/index.html
+++ b/bot/static/index.html
@@ -5024,12 +5024,15 @@ function addChatMessage(sender, content, isError = false) {
   
   messageDiv.innerHTML = `
     <div class="chat-message-header">
-      <span class="chat-message-sender">${sender}</span>
+      <span class="chat-message-sender">${escapeHtml(sender)}</span>
       <span class="chat-message-time">${timestamp}</span>
     </div>
-    <div class="chat-message-content">${content}</div>
+    <div class="chat-message-content"></div>
   `;
   
+  // Set content via textContent to prevent XSS
+  messageDiv.querySelector('.chat-message-content').textContent = content;
+  
   chatMessages.appendChild(messageDiv);
   
   // Scroll to bottom