diff --git a/packages/vite/CHANGELOG.md b/packages/vite/CHANGELOG.md
index c889efd5f8ad00..c81e9884025b5b 100644
--- a/packages/vite/CHANGELOG.md
+++ b/packages/vite/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 3.2.6 (2023-04-18)
+
+* fix: escape msg in render restricted error html, backport (#12889) (#12892) ([b48ac2a](https://github.com/vitejs/vite/commit/b48ac2a)), closes [#12889](https://github.com/vitejs/vite/issues/12889) [#12892](https://github.com/vitejs/vite/issues/12892)
+
+
+
 ## 3.2.5 (2022-12-05)
 
 * chore: cherry pick more v4 bug fixes to v3 (#11189) ([eba9b42](https://github.com/vitejs/vite/commit/eba9b42)), closes [#11189](https://github.com/vitejs/vite/issues/11189) [#10949](https://github.com/vitejs/vite/issues/10949) [#11056](https://github.com/vitejs/vite/issues/11056) [#8663](https://github.com/vitejs/vite/issues/8663) [#10958](https://github.com/vitejs/vite/issues/10958) [#11120](https://github.com/vitejs/vite/issues/11120) [#11122](https://github.com/vitejs/vite/issues/11122) [#11123](https://github.com/vitejs/vite/issues/11123) [#11132](https://github.com/vitejs/vite/issues/11132)
diff --git a/packages/vite/package.json b/packages/vite/package.json
index 3f3c15934cc197..0427acfccb582f 100644
--- a/packages/vite/package.json
+++ b/packages/vite/package.json
@@ -1,6 +1,6 @@
 {
 "name": "vite",
- "version": "3.2.5",
+ "version": "3.2.6",
 "type": "module",
 "license": "MIT",
 "author": "Evan You",
@@ -78,6 +78,7 @@
 "@rollup/plugin-node-resolve": "14.1.0",
 "@rollup/plugin-typescript": "^8.5.0",
 "@rollup/pluginutils": "^4.2.1",
+ "@types/escape-html": "^1.0.0",
 "acorn": "^8.8.1",
 "acorn-walk": "^8.2.0",
 "cac": "^6.7.14",
@@ -92,6 +93,7 @@
 "dotenv": "^14.3.2",
 "dotenv-expand": "^5.1.0",
 "es-module-lexer": "^1.1.0",
+ "escape-html": "^1.0.3",
 "estree-walker": "^3.0.1",
 "etag": "^1.8.1",
 "fast-glob": "^3.2.12",
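Review bot: The `"escape-html": "^1.0.3"` entry in the third package.json hunk lands in a dependency list whose key (`dependencies` or `devDependencies`) is outside the hunk, while static.ts now imports the package in dev-server code. If that list is `devDependencies`, the escaping fix only reaches users when the package is bundled into the published build, so that is worth confirming before release. No lockfile change is visible in this part of the diff; the caret range should resolve through an updated lockfile in the same commit so the backport builds against a reviewed version.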
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index c877022a63cde7..d9eadc4fee8cb7 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -3,6 +3,7 @@ import type { OutgoingHttpHeaders, ServerResponse } from 'node:http'
 import type { Options } from 'sirv'
 import sirv from 'sirv'
 import type { Connect } from 'dep-types/connect'
+import escapeHtml from 'escape-html'
 import type { ViteDevServer } from '../..'
 import { FS_PREFIX } from '../../constants'
 import {
@@ -208,7 +209,7 @@ function renderRestrictedErrorHTML(msg: string): string {
 return html`

403 Restricted

-

${msg.replace(/\n/g, '
')}

+

${escapeHtml(msg).replace(/\n/g, '
')}