diff --git a/rhodecode/apps/admin/views/users.py b/rhodecode/apps/admin/views/users.py
--- a/rhodecode/apps/admin/views/users.py
+++ b/rhodecode/apps/admin/views/users.py
@@ -291,8 +291,7 @@ class AdminUsersView(BaseAppView, DataGr
 h.flash(_("Added new email address `%s` for user account") % email,
 category='success')
 except formencode.Invalid as error:
- msg = error.error_dict['email']
- h.flash(msg, category='error')
+ h.flash(h.escape(error.error_dict['email']), category='error')
 except Exception:
 log.exception("Exception during email saving")
 h.flash(_('An error occurred during email saving'),
diff --git a/rhodecode/apps/my_account/views.py b/rhodecode/apps/my_account/views.py
--- a/rhodecode/apps/my_account/views.py
+++ b/rhodecode/apps/my_account/views.py
@@ -253,8 +253,7 @@ class MyAccountView(BaseAppView):
 h.flash(_("Added new email address `%s` for user account") % email,
 category='success')
 except formencode.Invalid as error:
- msg = error.error_dict['email']
- h.flash(msg, category='error')
+ h.flash(h.escape(error.error_dict['email']), category='error')
 except Exception:
 log.exception("Exception in my_account_emails")
 h.flash(_('An error occurred during email saving'),
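Review bot: The success-path flash in the context lines just above the fix still formats `email` into the message unescaped (`... % email, category='success'`), in both the `AdminUsersView` hunk and the `MyAccountView` hunk. If flash messages are rendered as raw HTML, which the need for this fix suggests, that branch relies entirely on the form validator rejecting markup characters; escaping there too, `% h.escape(email),`, would keep both branches consistent and independent of validator behaviour. Separately, `error.error_dict['email']` is indexed inside the `except formencode.Invalid` handler, so an error raised without an `email` entry would propagate from the handler and not be caught by the sibling `except Exception:`; a `.get('email')` with a generic fallback message looks safer, assuming `error_dict` is always a dict here. Both enclosing methods start and end outside the hunks, so how `email` is obtained and validated is not visible from this diff.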