diff --git a/web/ui/static/js/graph/index.js b/web/ui/static/js/graph/index.js
index 6128da1d3..e56928a70 100644
--- a/web/ui/static/js/graph/index.js
+++ b/web/ui/static/js/graph/index.js
@@ -514,7 +514,7 @@ Prometheus.Graph.prototype.submitQuery = function() {
         }
 
         if ("warnings" in json && json.warnings.length > 0) {
-          self.showWarning(json.warnings.join('<br>'));
+          self.showWarning(json.warnings.map(escapeHTML).join('<br>'));
         }
 
         queryHistory.handleHistory(self);