diff --git a/package.json b/package.json
index fce86c7..39d0ff8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "krunker-civilian-client",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Cross-platform Krunker game client",
   "main": "dist/main/index.js",
   "homepage": "https://gitea.crjlab.net/bigjakk/krunker-civilian-client",
diff --git a/src/preload/index.ts b/src/preload/index.ts
index 9b4487c..6e3adc6 100644
--- a/src/preload/index.ts
+++ b/src/preload/index.ts
@@ -372,7 +372,7 @@ function createCheckboxGrid(opts: {
     const label = document.createElement('label');
     label.className = 'hostOpt';
     label.innerHTML =
-      '<span class="optName">' + item.label + '</span>' +
+      '<span class="optName">' + escapeHtml(item.label) + '</span>' +
       '<input type="checkbox"' + (opts.selected.includes(item.value) ? ' checked' : '') + '>' +
       '<div class="optCheck"></div>';
     const cb = label.querySelector('input') as HTMLInputElement;
@@ -1114,12 +1114,12 @@ function renderUserscriptsSection(body: HTMLElement): void {
       const scriptRow = document.createElement('div');
       scriptRow.className = 'setting settName safety-0 bool';
 
-      const displayName = inst.meta.name || inst.filename;
+      const displayName = escapeHtml(inst.meta.name || inst.filename);
       let metaParts: string[] = [];
-      if (inst.meta.author) metaParts.push('by ' + inst.meta.author);
-      if (inst.meta.version) metaParts.push('v' + inst.meta.version);
+      if (inst.meta.author) metaParts.push('by ' + escapeHtml(inst.meta.author));
+      if (inst.meta.version) metaParts.push('v' + escapeHtml(inst.meta.version));
       const metaLine = metaParts.length > 0 ? '<span class="kpc-us-meta">' + metaParts.join(' &middot; ') + '</span>' : '';
-      const descText = inst.meta.desc || '';
+      const descText = escapeHtml(inst.meta.desc || '');
 
       scriptRow.innerHTML =
         '<span class="setting-title">' + displayName + '</span>' +
@@ -1161,8 +1161,8 @@ function renderScriptSettings(inst: UserscriptInstance, container: HTMLElement):
     const row = document.createElement('div');
     row.className = 'setting settName safety-0' + (typeClass ? ' ' + typeClass : '');
     row.innerHTML =
-      '<span class="setting-title">' + setting.title + '</span>' +
-      (setting.desc ? '<div class="setting-desc-new">' + setting.desc + '</div>' : '');
+      '<span class="setting-title">' + escapeHtml(setting.title) + '</span>' +
+      (setting.desc ? '<div class="setting-desc-new">' + escapeHtml(setting.desc) + '</div>' : '');
 
     switch (setting.type) {
       case 'bool': {