diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index f2b853b457..7bbf9cb0ef 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -558,13 +558,13 @@ int ssl_hook_Handler(request_rec *r)
         port = ap_get_server_port(r);
         if (!ap_is_default_port(port, r))
             thisport = apr_psprintf(r->pool, ":%u", port);
-        thisurl = apr_psprintf(r->pool, "https://%s%s/",
-                               ap_get_server_name(r), thisport);
+        thisurl = ap_escape_html(r->pool, apr_psprintf(r->pool, "https://%s%s/",
+                                 ap_get_server_name(r), thisport));
 
         apr_table_setn(r->notes, "error-notes", apr_psprintf(r->pool,
-                       "Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR>\n"
-                       "Instead use the HTTPS scheme to access this URL, please.<BR>\n"
-                       "<BLOCKQUOTE>Hint: <A HREF=\"%s\"><B>%s</B></A></BLOCKQUOTE>",
+                       "Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />\n"
+                       "Instead use the HTTPS scheme to access this URL, please.<br />\n"
+                       "<blockquote>Hint: <a href=\"%s\"><b>%s</b></a></blockquote>",
                        thisurl, thisurl));
     }