diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index cfe1791..ff7acae 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -25,6 +25,7 @@ Fixed
if the user dn was not found. This was causing the exception
``'NoneType' object has no attribute 'getitem'`` describe in #21
* Increase the max size of usernames (30 chars to 250)
+* Fix XSS js injection
diff --git a/cas_server/templates/cas_server/base.html b/cas_server/templates/cas_server/base.html
index a3dd3a7..8b16b5f 100644
--- a/cas_server/templates/cas_server/base.html
+++ b/cas_server/templates/cas_server/base.html
@@ -58,7 +58,7 @@
class="alert alert-danger"
{% endif %}
{% endspaceless %}>
-
{{message|safe}}
+ {{message}}
{% endfor %}
{% if auto_submit %}{% endif %}
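Review bot: Dropping `|safe` on `{{message}}` is the right default, but the hunk leaves no record that messages are now autoescaped, so a view that later adds a message containing markup will see it rendered literally and may be tempted to restore `|safe` here instead of marking only the trusted part at the source. A template comment keeps the contract visible: `{# messages are autoescaped; a view that needs markup in a message must build it with format_html() so user-controlled parts stay escaped #}`. The same consideration applies to the `{{logout_msg}}` hunk in logout.html, which now relies on the view supplying a mark_safe'd string. The bare `-` on its own line followed by `{{message|safe}}` appears to be one removed line split by the rendering, not two separate changes.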
diff --git a/cas_server/templates/cas_server/logout.html b/cas_server/templates/cas_server/logout.html
index 5c69dfc..d8ab1dc 100644
--- a/cas_server/templates/cas_server/logout.html
+++ b/cas_server/templates/cas_server/logout.html
@@ -2,6 +2,6 @@
{% load staticfiles %}
{% load i18n %}
{% block content %}
-{{logout_msg|safe}}
+{{logout_msg}}
{% endblock %}
diff --git a/cas_server/views.py b/cas_server/views.py
index 70eb618..3db45c1 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -23,6 +23,7 @@ from django.views.decorators.csrf import csrf_exempt
from django.middleware.csrf import CsrfViewMiddleware
from django.views.generic import View
from django.utils.encoding import python_2_unicode_compatible
+from django.utils.safestring import mark_safe
import re
import logging
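Review bot: The `mark_safe` imported here is applied, in the LogoutView hunk below (which runs past the end of this excerpt), to whole translated strings, so the translation catalog becomes trusted markup and nothing documents that the only interpolated value, `session_nb`, must stay an integer for that to be safe. Since the intent appears to be only to let the inline markup in the translated literal render (the tag itself is not preserved in this rendering), a comment at the first use site would stop the next maintainer from pushing a user-controlled value through the same path: `# mark_safe: the translated literal carries markup; only an int is interpolated — use format_html() for anything user-controlled`. Changing the placeholder from `%s` to `%d` also changes the gettext msgid, so existing translations for that message stop matching until the catalogs are updated and the English text is shown instead.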
@@ -181,24 +182,24 @@ class LogoutView(View, LogoutMixin):
else:
# build logout message depending of the number of sessions the user logs out
if session_nb == 1:
- logout_msg = _(
+ logout_msg = mark_safe(_(
"Logout successful
"
"You have successfully logged out from the Central Authentication Service. "
"For security reasons, close your web browser."
- )
+ ))
elif session_nb > 1:
- logout_msg = _(
+ logout_msg = mark_safe(_(
"Logout successful
"
- "You have successfully logged out from %s sessions of the Central "
+ "You have successfully logged out from %d sessions of the Central "
"Authentication Service. "
"For security reasons, close your web browser."
- ) % session_nb
+ ) % session_nb)
else:
- logout_msg = _(
+ logout_msg = mark_safe(_(
"Logout successful
"
"You were already logged out from the Central Authentication Service. "
"For security reasons, close your web browser."
- )
+ ))
# depending of settings, redirect to the login page with a logout message or display
# the logout page. The default is to display tge logout page.