diff --git a/packages/vite/CHANGELOG.md b/packages/vite/CHANGELOG.md
index a970611530a54b..c206dd07c88e3b 100644
--- a/packages/vite/CHANGELOG.md
+++ b/packages/vite/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 4.2.2 (2023-04-18)
+
+* fix: escape msg in render restricted error html, backport #12889 ([8758c5c](https://github.com/vitejs/vite/commit/8758c5c)), closes [#12889](https://github.com/vitejs/vite/issues/12889)
+
+
+
 ## 4.2.1 (2023-03-20)
 
 * fix: add `virtual:` to virtual module source map ignore (#12444) ([c4aa28f](https://github.com/vitejs/vite/commit/c4aa28f)), closes [#12444](https://github.com/vitejs/vite/issues/12444)
diff --git a/packages/vite/package.json b/packages/vite/package.json
index cb996a035acf97..d3a9d6ff84d2f1 100644
--- a/packages/vite/package.json
+++ b/packages/vite/package.json
@@ -1,6 +1,6 @@
 {
   "name": "vite",
-  "version": "4.2.1",
+  "version": "4.2.2",
   "type": "module",
   "license": "MIT",
   "author": "Evan You",
@@ -86,6 +86,7 @@
     "@rollup/plugin-node-resolve": "15.0.1",
     "@rollup/plugin-typescript": "^11.0.0",
     "@rollup/pluginutils": "^5.0.2",
+    "@types/escape-html": "^1.0.0",
     "acorn": "^8.8.2",
     "acorn-walk": "^8.2.0",
     "cac": "^6.7.14",
@@ -100,6 +101,7 @@
     "dotenv": "^16.0.3",
     "dotenv-expand": "^9.0.0",
     "es-module-lexer": "^1.2.0",
+    "escape-html": "^1.0.3",
     "estree-walker": "^3.0.3",
     "etag": "^1.8.1",
     "fast-glob": "^3.2.12",
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index 229b860dbcec56..d9ffb377a7256b 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -3,6 +3,7 @@ import type { OutgoingHttpHeaders, ServerResponse } from 'node:http'
 import type { Options } from 'sirv'
 import sirv from 'sirv'
 import type { Connect } from 'dep-types/connect'
+import escapeHtml from 'escape-html'
 import type { ViteDevServer } from '../..'
 import { FS_PREFIX } from '../../constants'
 import {
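Review bot: The `@@ -100,6 +101,7 @@` hunk adds `"escape-html": "^1.0.3"` with a caret range, but no lockfile change appears in the visible part of this diff, so the resolved version and integrity hash of the new package cannot be reviewed here. For a security backport the new dependency is the main supply-chain surface being introduced; confirm the lockfile was regenerated in the same release commit rather than left to float on the next install. The package sits alongside `@types/escape-html` in what appears to be the bundled-dependency list, so it presumably ends up inlined into the published build — worth verifying the release artifact actually contains it.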
@@ -230,7 +231,7 @@ function renderRestrictedErrorHTML(msg: string): string { return html`

403 Restricted

-

${msg.replace(/\n/g, '
')}

+

${escapeHtml(msg).replace(/\n/g, '
')}
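Review bot: The new `<p>` line escapes `msg` before substituting `<br/>` for newlines, which is the correct order, but nothing on the line records why, and swapping the two calls in a later refactor would silently reintroduce the HTML injection this release fixes. I would add above it: `// msg is built from request-derived data: escape it first, then insert <br/> so the tags themselves are not escaped`. The `/\n/g` pattern also leaves a stray `\r` in place for CRLF input; `/\r?\n/g` would be tidier, though that is not a security concern inside a text node. If the suite does not already have one, a regression test asserting that a message containing `<script>` renders as `&lt;script&gt;` would pin the fix. The rest of renderRestrictedErrorHTML (the `<style>` block and closing tags) lies outside this hunk.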