diff --git a/qwen_agent/gui/gradio_utils.py b/qwen_agent/gui/gradio_utils.py
index 3d599823..d875c29a 100644
--- a/qwen_agent/gui/gradio_utils.py
+++ b/qwen_agent/gui/gradio_utils.py
@@ -13,6 +13,7 @@
 # limitations under the License.
 
 import base64
+import html
 
 
 def covert_image_to_base64(image_path):
@@ -36,6 +37,9 @@ def format_cover_html(bot_name, bot_description, bot_avatar):
         image_src = covert_image_to_base64(bot_avatar)
     else:
         image_src = '//img.alicdn.com/imgextra/i3/O1CN01YPqZFO1YNZerQfSBk_!!6000000003047-0-tps-225-225.jpg'
+    # Escape HTML to prevent XSS attacks
+    safe_bot_name = html.escape(bot_name or '')
+    safe_bot_description = html.escape(bot_description or '')
     return f"""
 <style>
     body.dark-mode .bot_cover {{
@@ -74,7 +78,7 @@ def format_cover_html(bot_name, bot_description, bot_avatar):
     <div class="bot_avatar">
         <img src="{image_src}" />
     </div>
-    <div class="bot_name">{bot_name}</div>
-    <div class="bot_desp">{bot_description}</div>
+    <div class="bot_name">{safe_bot_name}</div>
+    <div class="bot_desp">{safe_bot_description}</div>
 </div>
 """