diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 9f37dfc..d4071c6 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1798,7 +1798,7 @@ function drupal_set_message($message = NULL, $type = 'status', $repeat = TRUE) {
 }
 if ($repeat || !in_array($message, $_SESSION['messages'][$type])) {
- $_SESSION['messages'][$type][] = $message;
+ $_SESSION['messages'][$type][] = filter_xss($message);
 }
 // Mark this page as being uncacheable.
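Review bot: The duplicate check `in_array($message, $_SESSION['messages'][$type])` on the `if` line still compares the raw `$message` against entries that are now stored after `filter_xss()`, so with `$repeat = FALSE` any message whose markup the filter rewrites never matches and is appended again. Filter once before the check, for example `$message = filter_xss($message);` ahead of the `if`, and append `$message` so the comparison and the stored value agree. `filter_xss()` is not defined in the visible part of this file; if it lives in an include loaded later than `bootstrap.inc`, an early call to `drupal_set_message()` would fail on an undefined function, so that load order should be confirmed. Its default tag allow-list may also strip markup that existing callers pass deliberately, which is worth checking against current call sites. The function body starts and ends outside the hunk.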