diff --git a/packages/vite/package.json b/packages/vite/package.json
index 3f3c15934cc197..33e55befd6170b 100644
--- a/packages/vite/package.json
+++ b/packages/vite/package.json
@@ -78,6 +78,7 @@
     "@rollup/plugin-node-resolve": "14.1.0",
     "@rollup/plugin-typescript": "^8.5.0",
     "@rollup/pluginutils": "^4.2.1",
+    "@types/escape-html": "^1.0.0",
     "acorn": "^8.8.1",
     "acorn-walk": "^8.2.0",
     "cac": "^6.7.14",
@@ -92,6 +93,7 @@
     "dotenv": "^14.3.2",
     "dotenv-expand": "^5.1.0",
     "es-module-lexer": "^1.1.0",
+    "escape-html": "^1.0.3",
     "estree-walker": "^3.0.1",
     "etag": "^1.8.1",
     "fast-glob": "^3.2.12",
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index c877022a63cde7..d9eadc4fee8cb7 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -3,6 +3,7 @@ import type { OutgoingHttpHeaders, ServerResponse } from 'node:http'
 import type { Options } from 'sirv'
 import sirv from 'sirv'
 import type { Connect } from 'dep-types/connect'
+import escapeHtml from 'escape-html'
 import type { ViteDevServer } from '../..'
 import { FS_PREFIX } from '../../constants'
 import {
@@ -208,7 +209,7 @@ function renderRestrictedErrorHTML(msg: string): string {
   return html`
     <body>
       <h1>403 Restricted</h1>
-      <p>${msg.replace(/\n/g, '<br/>')}</p>
+      <p>${escapeHtml(msg).replace(/\n/g, '<br/>')}</p>
       <style>
         body {
           padding: 1em 2em;
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index caf3d36ffe550e..c2d9089c6ff255 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -222,6 +222,7 @@ importers:
       '@rollup/plugin-node-resolve': 14.1.0
       '@rollup/plugin-typescript': ^8.5.0
       '@rollup/pluginutils': ^4.2.1
+      '@types/escape-html': ^1.0.0
       acorn: ^8.8.1
       acorn-walk: ^8.2.0
       cac: ^6.7.14
@@ -237,6 +238,7 @@ importers:
       dotenv-expand: ^5.1.0
       es-module-lexer: ^1.1.0
       esbuild: ^0.15.9
+      escape-html: ^1.0.3
       estree-walker: ^3.0.1
       etag: ^1.8.1
       fast-glob: ^3.2.12
@@ -290,6 +292,7 @@ importers:
       '@rollup/plugin-node-resolve': 14.1.0_rollup@2.79.1
       '@rollup/plugin-typescript': 8.5.0_rollup@2.79.1+tslib@2.4.0
       '@rollup/pluginutils': 4.2.1
+      '@types/escape-html': 1.0.2
       acorn: 8.8.1
       acorn-walk: 8.2.0_acorn@8.8.1
       cac: 6.7.14
@@ -304,6 +307,7 @@ importers:
       dotenv: 14.3.2
       dotenv-expand: 5.1.0
       es-module-lexer: 1.1.0
+      escape-html: 1.0.3
       estree-walker: 3.0.1
       etag: 1.8.1
       fast-glob: 3.2.12
@@ -2608,6 +2612,10 @@ packages:
       '@types/ms': 0.7.31
     dev: true
 
+  /@types/escape-html/1.0.2:
+    resolution: {integrity: sha512-gaBLT8pdcexFztLSPRtriHeXY/Kn4907uOCZ4Q3lncFBkheAWOuNt53ypsF8szgxbEJ513UeBzcf4utN0EzEwA==}
+    dev: true
+
   /@types/estree/0.0.39:
     resolution: {integrity: sha512-EYNwp3bU+98cpU4lAWYYL7Zz+2gryWH1qbdDTidVd6hkiR6weksdbMadyXKXNPEkQFhXM+hVO9ZygomHXp+AIw==}
     dev: true