diff --git a/cara/apps/calculator/model_generator.py b/cara/apps/calculator/model_generator.py
index 907a78b2..3ad6bc37 100644
--- a/cara/apps/calculator/model_generator.py
+++ b/cara/apps/calculator/model_generator.py
@@ -1,5 +1,6 @@
 from cara.models import Model
 from dataclasses import dataclass
+import html
 import typing
 from cara import models
@@ -67,6 +68,11 @@ class FormData:
 if form_data[key] not in valid_set:
 raise ValueError(f"{form_data[key]} is not a valid value for {key}")
 
+# Don't let arbirtrary unescaped HTML through the net.
+for key, value in form_data.items():
+if isinstance(value, str):
+form_data[key] = html.escape(value)
+
 # TODO: This fixup is a problem with the form.html.
 for key, value in form_data.items():
 if value == "":
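Review bot: Escaping every string value of `form_data` in place at parse time changes the stored data rather than the rendered output: after the new loop a value such as `O'Brien` (constructed example) is kept as `O&#x27;Brien`, and a template layer that already autoescapes will render it double-escaped. Because the loop runs after the `valid_set` check just above it, the value that was validated is no longer the value that is retained. Either escape only where a value is interpolated into HTML, or, if normalising on input is the intent, state the contract on the loop, e.g. `# Strings are stored HTML-escaped; templates must not escape them again.`, and fix the typo `arbirtrary`. The enclosing method starts and ends outside this hunk, so whether the escaped strings are also consumed for non-HTML purposes (numeric parsing, lookups) cannot be confirmed from here.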