diff --git a/addons/mail/static/src/js/composer.js b/addons/mail/static/src/js/composer.js
index 4112a8498cf2e3944432db0f1fdbcc75bdbb4c97..2965ccf9298abda54adcf9aebb21538fce8135fc 100644
--- a/addons/mail/static/src/js/composer.js
+++ b/addons/mail/static/src/js/composer.js
@@ -398,7 +398,7 @@ var Composer = Widget.extend({
     preprocess_message: function () {
         // Return a deferred as this function is extended with asynchronous
         // behavior for the chatter composer
-        var value = this.$input.val().replace(/\n|\r/g, '<br/>');
+        var value = _.escape(this.$input.val()).replace(/\n|\r/g, '<br/>');
         return $.when({
             content: this.mention_manager.generate_links(value),
             attachment_ids: _.pluck(this.get('attachment_ids'), 'id'),
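Review bot: On the added line in preprocess_message, the entity-encoded string is what now reaches `this.mention_manager.generate_links(value)`, so if that helper finds mentions by searching for the raw partner name (its body is not in this hunk), names containing `&`, `<`, `>` or quotes would stop matching. Escaping before the newline replace is what keeps the inserted `<br/>` as markup, and that ordering deserves a comment such as `// escape user text first; the <br/> added below is the only markup allowed`. Escaping in the browser also does not constrain a client that calls the post endpoint directly, so the server still has to sanitize the body; whether it does is not visible here. preprocess_message continues past the end of the hunk.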
diff --git a/addons/mail/static/src/js/window_manager.js b/addons/mail/static/src/js/window_manager.js
index fe60dff4bd5586752970b1827b0178fe46a20dc1..f217d929c201cff872c127cbc410565f25e2509c 100644
--- a/addons/mail/static/src/js/window_manager.js
+++ b/addons/mail/static/src/js/window_manager.js
@@ -38,6 +38,7 @@ function open_chat (session) {
         });
 
         chat_session.window.on("post_message", null, function (message, channel_id) {
+            message.content = _.escape(message.content);
             chat_manager.post_message(message, {channel_id: channel_id});
         });
         chat_session.window.on("messages_read", null, function () {
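Review bot: The added line in the post_message handler overwrites `message.content` on the object supplied by the event, so any other holder of that object sees escaped text, and a second pass through this path would produce `&amp;amp;`. Passing a copy avoids that, e.g. `chat_manager.post_message(_.extend({}, message, {content: _.escape(message.content)}), {channel_id: channel_id});`. This is the second call site that escapes by hand (preprocess_message in composer.js is the other), so if the chat window's content ever comes from a composer that already escapes, the text would be encoded twice; it is worth confirming where the window builds `message`. The enclosing open_chat function starts and ends outside the hunk.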