diff --git a/app.js b/app.js
index e3d4a0d..8e41170 100755
--- a/app.js
+++ b/app.js
@@ -78,6 +78,17 @@ function replace_format_indicators(input_string, post_index=0, tag_name="tag") {
 return output_string
 }
+function escape_input(input) {
+ let output = input
+ .replaceAll("<", "<")
+ .replaceAll(">", ">")
+ .replaceAll("\\", "\")
+ .replaceAll('"', """)
+ .replaceAll("'", "'")
+ .replaceAll("/", "/")
+ return output
+}
+
 app.get(config.rss_path, (req,res) => {
 if (config.rss == false) {
 res.send("Sorry, RSS is disabled!")
@@ -227,10 +238,10 @@ app.post("/submit_edit", (req,res) => {
 });
 app.post("/submit_post", (req,res) => {
 const password = crypto.createHash('sha512').update(req.body.password).digest('hex');
- const username = req.body.username
- const title = req.body.title
- const content = req.body.content
- const tags = req.body.tags.split(',');
+ const username = escape_input(req.body.username)
+ const title = escape_input(req.body.title)
+ const content = escape_input(req.body.content)
+ const tags = escape_input(req.body.tags).split(',');
 const unix_timestamp = getUnixTime(new Date())
 console.log(username, "is submitting a post titled:", title);
diff --git a/hitcount.txt b/hitcount.txt
index 3f10ffe..7d37386 100644
--- a/hitcount.txt
+++ b/hitcount.txt
@@ -1 +1 @@
-15
\ No newline at end of file
+45
\ No newline at end of file
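Review bot: As the hunk reads, every `replaceAll` in `escape_input` maps a character to itself (`"<"` → `"<"`) and the backslash line `.replaceAll("\\", "\")` is not parseable JavaScript, which would make the function either a no-op or a syntax error; this looks like the diff viewer having decoded HTML entities such as `&lt;` and `&quot;` in the second arguments, so confirm against the committed file that the replacement strings really are the entity forms. Even if they are, encoding at submission time bakes HTML escaping into the stored data, so every other consumer (the RSS route directly below, the `console.log` in `/submit_post`, any non-HTML output) sees `&lt;` instead of `<`, and because `&` itself is never encoded the stored text cannot be decoded back unambiguously. The usual arrangement is to store the raw text and escape at render time via the template engine's auto-escaping; if input-time escaping is kept, it should encode `&` first, tolerate a missing field instead of throwing on `.replaceAll`, and can drop `/` and `\`, which add nothing in an HTML text or attribute context.
```javascript
function escape_input(input) {
    // HTML-encodes text for an element body or double-quoted attribute.
    // `&` goes first so already-encoded input is not mangled; a missing
    // field becomes "" instead of throwing on .replaceAll.
    const text = String(input ?? "");
    return text
        .replaceAll("&", "&amp;")
        .replaceAll("<", "&lt;")
        .replaceAll(">", "&gt;")
        .replaceAll('"', "&quot;")
        .replaceAll("'", "&#x27;");
}
```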
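Review bot: `escape_input(req.body.username)` throws a `TypeError` when the field is absent from the body, because `escape_input` calls `.replaceAll` on its argument unguarded; before this change a missing `username`, `title` or `content` was tolerated (only `tags.split` threw), so the route now fails on any partial form post rather than rejecting it deliberately. Validate presence up front, e.g. `if (typeof req.body.title !== 'string') return res.status(400).send('missing field')` per field, before calling `escape_input`. The `/submit_edit` handler named in the hunk header starts above the hunk and is not shown; if it accepts the same fields it presumably needs the same treatment, otherwise edited posts bypass the escaping added here. The `tags` value is escaped before `split(',')`, which only works because `,` is not among the escaped characters; splitting and trimming first, then escaping each tag, would be less fragile.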