diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11e23849e..da5de244c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,10 +2,11 @@
 ## mm/dd/2021
 
 1. [](#improved)
-    * Use Symfony `dump` instead of PHP's `vardump` in side the `{{ vardump(x) }}` Twig vardump function
-    * Added `route` and `request` to `onPagesInitialized` event
-    * Improved page cloning, added method `Page::initialize()`
-
+    * Use Symfony `dump` instead of PHP's `vardump` in side the `{{ vardump(x) }}` Twig vardump function
+    * Added `route` and `request` to `onPagesInitialized` event
+    * Improved page cloning, added method `Page::initialize()`
+2. [](#bugfix)
+    * Fixed unescaped error messages in JSON error responses
 
 # v1.7.24
 ## 10/26/2021
diff --git a/system/src/Grav/Framework/Controller/Traits/ControllerResponseTrait.php b/system/src/Grav/Framework/Controller/Traits/ControllerResponseTrait.php
index 62ed3e103..53c9cd4c2 100644
--- a/system/src/Grav/Framework/Controller/Traits/ControllerResponseTrait.php
+++ b/system/src/Grav/Framework/Controller/Traits/ControllerResponseTrait.php
@@ -203,7 +203,7 @@ trait ControllerResponseTrait
     protected function getErrorJson(Throwable $e): array
     {
         $code = $this->getErrorCode($e instanceof RequestException ? $e->getHttpCode() : $e->getCode());
-        $message = $e->getMessage();
+        $message = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
         $response = [
             'code' => $code,
             'status' => 'error',
diff --git a/system/src/Grav/Framework/RequestHandler/Middlewares/Exceptions.php b/system/src/Grav/Framework/RequestHandler/Middlewares/Exceptions.php
index a9935eeb0..63cfe3ead 100644
--- a/system/src/Grav/Framework/RequestHandler/Middlewares/Exceptions.php
+++ b/system/src/Grav/Framework/RequestHandler/Middlewares/Exceptions.php
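Review bot: The new `$message` line in getErrorJson() escapes for an HTML context while the value is emitted inside a JSON body; json_encode already produces a JSON-safe string, so API clients that do not render the message as HTML now receive literal `&quot;`/`&#039;` entities, and a consumer that does write the message into the DOM has to escape at the point of insertion anyway, since it cannot know which fields arrived pre-escaped. If a specific consumer that injects this field unescaped is the concern, the safer fix is at that consumer (or in the HTML error path), leaving the JSON field as plain text. Independently, htmlspecialchars without ENT_SUBSTITUTE returns an empty string when the input holds an invalid UTF-8 sequence, so such an exception would be reported with no message at all; if the escaping stays, `$message = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');` preserves the text. The same two points apply to the process() hunk in Middlewares/Exceptions.php. getErrorJson's body continues past the end of the hunk.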
@@ -14,6 +14,7 @@ namespace Grav\Framework\RequestHandler\Middlewares;
 use Grav\Common\Debugger;
 use Grav\Common\Grav;
 use Grav\Framework\Psr7\Response;
+use JsonException;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
@@ -27,15 +28,26 @@ use function get_class;
  */
 class Exceptions implements MiddlewareInterface
 {
+    /**
+     * @param ServerRequestInterface $request
+     * @param RequestHandlerInterface $handler
+     * @return ResponseInterface
+     * @throws JsonException
+     */
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
         try {
             return $handler->handle($request);
         } catch (Throwable $exception) {
+            $code = $exception->getCode();
+            $message = htmlspecialchars($exception->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
             $response = [
+                'code' => $code,
+                'status' => 'error',
+                'message' => $message,
                 'error' => [
-                    'code' => $exception->getCode(),
-                    'message' => $exception->getMessage(),
+                    'code' => $code,
+                    'message' => $message,
                 ]
             ];
 
@@ -51,9 +63,9 @@ class Exceptions implements MiddlewareInterface
             }
 
             /** @var string $json */
-            $json = json_encode($response);
+            $json = json_encode($response, JSON_THROW_ON_ERROR);
 
-            return new Response($exception->getCode() ?: 500, ['Content-Type' => 'application/json'], $json);
+            return new Response($code ?: 500, ['Content-Type' => 'application/json'], $json);
         }
     }
 }
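Review bot: The docblock added above process() restates the native parameter and return types that the signature already declares, which PER-CS treats as noise for static analysis and readers alike; only the `@throws JsonException` line carries information the signature lacks. Reducing it to `/** @throws JsonException */` keeps the useful part and drops the duplication. The `#[\Override]` question does not arise here since the file targets an older PHP level, so no attribute is needed.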
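Review bot: `$code ?: 500` on the rewritten return line hands the raw exception code to Response as the HTTP status, but exception codes are not HTTP statuses — a library exception can carry an arbitrary int such as 1045, and PDOException::getCode() returns a SQLSTATE string like '42S02' — so depending on how the Psr7 Response validates its status this path either throws a second exception from inside the catch block or emits an invalid status line; the trait hunk in ControllerResponseTrait.php normalises through getErrorCode(), and this middleware should do the same, e.g. `$status = is_int($code) && $code >= 400 && $code < 600 ? $code : 500;` followed by `return new Response($status, ['Content-Type' => 'application/json'], $json);`. The shape predates the commit (the old line used `$exception->getCode() ?: 500`), but the hunk rewrites the line, so it is the moment to fix it. Separately, JSON_THROW_ON_ERROR on the `$json` line means the middleware whose purpose is to turn every Throwable into a JSON response can now itself throw JsonException from its own catch, which the new `@throws` docblock concedes; with the message already passed through htmlspecialchars, the remaining failure source is other values in $response, and the lines between the two hunks (old 43–62) that may populate it with trace or debug data are not visible here. Catching JsonException around the encode and falling back to a minimal fixed payload, or adding JSON_INVALID_UTF8_SUBSTITUTE to the flags, would preserve the always-responds guarantee.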