diff --git a/lib/SimpleSAML/Utils/EMail.php b/lib/SimpleSAML/Utils/EMail.php
index 9ed3692794af6358f5683c11508f2bbe258931a8..d7074cdf6e442336310fa818f30d01a71e645e0d 100644
--- a/lib/SimpleSAML/Utils/EMail.php
+++ b/lib/SimpleSAML/Utils/EMail.php
@@ -274,7 +274,7 @@ pre {
 </head>
 <body>
 <div class="container" style="background: #fafafa; border: 1px solid #eee; margin: 2em; padding: .6em;">
-' . $this->text . '
+' . htmlspecialchars($this->text) . '
 </div>
 </body>
 </html>';
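Review bot: The new `htmlspecialchars($this->text)` call relies on the default flags and no explicit charset, so a report body that is not valid UTF-8 makes htmlspecialchars return an empty string and the mail silently loses its text; prefer `htmlspecialchars($this->text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Because the value is interpolated as element content inside the `<div>`, the default quote handling is sufficient for this context, but ENT_QUOTES costs nothing and keeps the snippet safe if it is later moved into an attribute. Whether multi-line report text keeps its line breaks depends on the stylesheet (the `pre {` rule visible in the hunk header suggests it may), which cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.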
diff --git a/www/errorreport.php b/www/errorreport.php
index 1c80713058474b613f35fa9a80b877493c7570b8..025a81edecebf5602e65820f3c75ba0425683e77 100644
--- a/www/errorreport.php
+++ b/www/errorreport.php
@@ -17,6 +17,10 @@ $reportId = $_REQUEST['reportId'];
 $email = $_REQUEST['email'];
 $text = $_REQUEST['text'];
 
+if (!preg_match('/^[0-9a-f]{8}$/', $reportId)) {
+    throw new \SimpleSAML\Error\Exception('Invalid reportID');
+}
+
 $data = null;
 try {
     $session = \SimpleSAML\Session::getSessionFromRequest();
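Review bot: The added check's `$` anchor still admits a trailing newline, so a value like `"deadbeef\n"` passes `/^[0-9a-f]{8}$/`; use `/^[0-9a-f]{8}\z/` (or the `D` modifier) so only exactly eight hex digits are accepted. `$reportId` is also read straight from `$_REQUEST` with no type or presence guard, so an absent parameter raises an undefined-index notice before the check runs and an array value (`reportId[]=x`) makes preg_match emit a warning or TypeError instead of the intended exception; a guard such as `$reportId = $_REQUEST['reportId'] ?? ''; if (!is_string($reportId) || !preg_match('/^[0-9a-f]{8}\z/', $reportId)) {` covers both. `$email` and `$text` on the preceding lines receive no validation in this hunk; whether that matters depends on how they are used further down, which is outside the hunk. The `try` block opened on the last line continues past the hunk.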