diff --git a/app/Mage.php b/app/Mage.php
index 283a66a4f3..9b39268796 100644
--- a/app/Mage.php
+++ b/app/Mage.php
@@ -84,7 +84,7 @@ final class Mage
 {
 public static function getVersion()
 {
- return '1.3.2.3';
+ return '1.3.2.4';
 }
 /**
diff --git a/app/code/core/Mage/Core/Block/Messages.php b/app/code/core/Mage/Core/Block/Messages.php
index 732fd6020f..51657b7be0 100644
--- a/app/code/core/Mage/Core/Block/Messages.php
+++ b/app/code/core/Mage/Core/Block/Messages.php
@@ -40,13 +40,30 @@ class Mage_Core_Block_Messages extends Mage_Core_Block_Template
 */
 protected $_messages;
+ /**
+ * Flag which require message text escape
+ *
+ * @var bool
+ */
+ protected $_escapeMessageFlag = false;
+
 public function _prepareLayout()
 {
 $this->addMessages(Mage::getSingleton('core/session')->getMessages(true));
- parent::_prepareLayout();
 }
+ /**
+ * Set message escape flag
+ * @param bool $flag
+ * @return Mage_Core_Block_Messages
+ */
+ public function setEscapeMessageFlag($flag)
+ {
+ $this->_escapeMessageFlag = $flag;
+ return $this;
+ }
+
 /**
 * Set messages collection
 *
@@ -59,6 +76,12 @@ public function setMessages(Mage_Core_Model_Message_Collection $messages)
 return $this;
 }
+ /**
+ * Add messages to display
+ *
+ * @param Mage_Core_Model_Message_Collection $messages
+ * @return Mage_Core_Block_Messages
+ */
 public function addMessages(Mage_Core_Model_Message_Collection $messages)
 {
 foreach ($messages->getItems() as $message) {
@@ -161,7 +184,9 @@ public function getHtml($type=null)
 { $html = ''; return $html;
@@ -192,7 +217,7 @@ public function getGroupedHtml()
 foreach ( $messages as $message ) {
 $html.= '
  • ';
- $html.= $message->getText();
+ $html.= ($this->_escapeMessageFlag) ? $this->htmlEscape($message->getText()) : $message->getText();
 $html.= '
  • ';
 }
 $html .= '';
diff --git a/app/code/core/Mage/Core/Controller/Varien/Action.php b/app/code/core/Mage/Core/Controller/Varien/Action.php
index 1454746657..b8becf7573 100644
--- a/app/code/core/Mage/Core/Controller/Varien/Action.php
+++ b/app/code/core/Mage/Core/Controller/Varien/Action.php
@@ -553,6 +553,9 @@ protected function _initLayoutMessages($messagesStorage)
 {
 if ($storage = Mage::getSingleton($messagesStorage)) {
 $this->getLayout()->getMessagesBlock()->addMessages($storage->getMessages(true));
+ $this->getLayout()->getMessagesBlock()->setEscapeMessageFlag(
+ $storage->getEscapeMessages(true)
+ );
 }
 else {
 Mage::throwException(
diff --git a/app/code/core/Mage/Customer/controllers/AccountController.php b/app/code/core/Mage/Customer/controllers/AccountController.php
index dc98ca5f8a..ae24d2a5d2 100644
--- a/app/code/core/Mage/Customer/controllers/AccountController.php
+++ b/app/code/core/Mage/Customer/controllers/AccountController.php
@@ -318,7 +318,10 @@ public function createPostAction()
 ->addException($e, $this->__('Can\'t save customer'));
 }
 }
-
+ /**
+ * Protect XSS injection in user input
+ */
+ $this->_getSession()->setEscapeMessages(true);
 $this->_redirectError(Mage::getUrl('*/*/create', array('_secure'=>true)));
 }
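Review bot: `setEscapeMessageFlag()` stores `$flag` unchanged and `$_escapeMessageFlag` defaults to `false`, so escaping is opt-in and a caller that passes `null` (an unset session value, for instance) silently turns it off again; coerce with `$this->_escapeMessageFlag = (bool) $flag;` and state in the docblock that the default renders message text unescaped. The same hunk removes the `parent::_prepareLayout()` call, so `_prepareLayout()` now returns nothing where it previously returned the parent's result; if anything chains on that value this is a behavioural change the commit message should mention. The enclosing class continues past the hunk.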
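Review bot: The escape decision `($this->_escapeMessageFlag) ? $this->htmlEscape($message->getText()) : $message->getText()` is inlined into the concatenation, and the `getHtml()` hunk at `@@ -161,7 +184,9 @@` is not legible in this rendering, so I cannot confirm that renderer applies the same guard; any code path that still appends `$message->getText()` raw leaves the flag ineffective for it. A single helper, `protected function _getMessageText($message) { return $this->_escapeMessageFlag ? $this->htmlEscape($message->getText()) : $message->getText(); }`, called from every renderer keeps them in step. The flag is also block-wide: once set, every message in the collection is escaped, which is the safe choice for text that echoes user input but will also neutralise any markup a message deliberately carries, and that trade-off belongs in the `setEscapeMessageFlag()` docblock. `getGroupedHtml()` starts and ends outside the hunk.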
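Review bot: `$storage->getEscapeMessages(true)` depends on the session class defining that accessor explicitly, and no such definition is part of this diff; if the call falls through to Varien_Object's magic `__call` getter, the `true` argument would most likely be treated as a data index rather than a clear-after-read flag, the result would not be the stored boolean, and `setEscapeMessageFlag()` would receive a non-true value that disables escaping. Confirm the explicit method exists and that it clears the stored value, otherwise the flag set by one request persists into later ones. `_initLayoutMessages()` continues past the hunk.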
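Review bot: The added `/** ... */` block is a PHPDoc docblock attached to a statement, so it documents no declaration, and "Protect XSS injection in user input" does not say what the flag does. A line comment stating the mechanism reads better: `// The error messages below can echo user-submitted values; have the messages block HTML-escape them when they are rendered on the next request.` Only this failure path of `createPostAction()` sets the flag; any other action whose session messages include request-derived text is still rendered unescaped unless it does the same, and that scope is worth a sentence in the commit message. `createPostAction()` starts outside the hunk.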