diff --git a/modules/user/user.module b/modules/user/user.module
index 46c2ea9d99444cbae5206b8be2996f02b8656ab1..a4d120e72f5b52e36d786f4587e89bb063cc85c6 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -854,7 +854,7 @@ function user_login($msg = '') {
 
   // Display login form:
   if ($msg) {
-    $form['message'] = array('#value' => "<p>$msg</p>");
+    $form['message'] = array('#value' => '<p>'. check_plain($msg) .'</p>');
   }
   $form['name'] = array('#type' => 'textfield',
     '#title' => t('Username'),