diff --git a/include/class.mailfetch.php b/include/class.mailfetch.php
index 8b0cfcd7b8130cf6090612efa22f0159fa09a4e3..79ef5d652b90613b19da733f440abfb3be16fe5d 100644
--- a/include/class.mailfetch.php
+++ b/include/class.mailfetch.php
@@ -342,13 +342,15 @@ class MailFetcher {
     function getBody($mid) {
 
         $body ='';
-        if(!($body = $this->getPart($mid,'TEXT/PLAIN', $this->charset))) {
-            if(($body = $this->getPart($mid,'TEXT/HTML', $this->charset))) {
-                //Convert tags of interest before we striptags
-                $body=str_replace("</DIV><DIV>", "\n", $body);
-                $body=str_replace(array("<br>", "<br />", "<BR>", "<BR />"), "\n", $body);
-                $body=Format::safe_html($body); //Balance html tags & neutralize unsafe tags.
-            }
+        if ($body = $this->getPart($mid,'TEXT/PLAIN', $this->charset))
+            // The Content-Type was text/plain, so escape anything that
+            // looks like HTML
+            $body=Format::htmlchars($body);
+        elseif ($body = $this->getPart($mid,'TEXT/HTML', $this->charset)) {
+            //Convert tags of interest before we striptags
+            $body=str_replace("</DIV><DIV>", "\n", $body);
+            $body=str_replace(array("<br>", "<br />", "<BR>", "<BR />"), "\n", $body);
+            $body=Format::safe_html($body); //Balance html tags & neutralize unsafe tags.
         }
 
         return $body;
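Review bot: The plain-text branch is written as a brace-less `if` whose single statement is separated from the condition by a two-line comment, while the sibling `elseif` branch is braced; this is valid PHP but easy to break on the next edit (a second statement added under the comment would silently fall outside the `if`). Brace both branches: `if ($body = $this->getPart($mid,'TEXT/PLAIN', $this->charset)) {` … `$body=Format::htmlchars($body);` … `}`. The same shape appears in `Mail_Parse::getBody` in include/class.mailparse.php. Note also that this escapes (plain) or sanitizes (HTML) the body at fetch time; if the fetched body later passes through `Thread::addMessage` in this same commit, which calls `Format::htmlchars($vars['body'])` again, the plain text is double-escaped and the `safe_html` output is turned into literal escaped markup — worth confirming against the fetch-to-thread call path, which is outside the hunk.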
diff --git a/include/class.mailparse.php b/include/class.mailparse.php
index b1f57a6f50281d71658e7e868e62029ef8787d40..822d3f5ed58b21009be467ae116e0d5f34103f13 100644
--- a/include/class.mailparse.php
+++ b/include/class.mailparse.php
@@ -146,13 +146,13 @@ class Mail_Parse {
     function getBody(){
 
         $body='';
-        if(!($body=$this->getPart($this->struct,'text/plain'))) {
-            if(($body=$this->getPart($this->struct,'text/html'))) {
-                //Cleanup the html.
-                $body=str_replace("</DIV><DIV>", "\n", $body);
-                $body=str_replace(array("<br>", "<br />", "<BR>", "<BR />"), "\n", $body);
-                $body=Format::safe_html($body); //Balance html tags & neutralize unsafe tags.
-            }
+        if($body=$this->getPart($this->struct,'text/plain'))
+            $body = Format::htmlchars($body);
+        elseif($body=$this->getPart($this->struct,'text/html')) {
+            //Cleanup the html.
+            $body=str_replace("</DIV><DIV>", "\n", $body);
+            $body=str_replace(array("<br>", "<br />", "<BR>", "<BR />"), "\n", $body);
+            $body=Format::safe_html($body); //Balance html tags & neutralize unsafe tags.
         }
         return $body;
     }
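Review bot: The new `Format::htmlchars($body)` line on the text/plain branch has no comment explaining the intent, unlike the matching change in `MailFetcher::getBody`, so a reader sees an escape applied to a body that is not yet in an HTML context. Add the same explanation here: `// The Content-Type was text/plain, so escape anything that looks like HTML before it is stored/rendered`. Keeping the two parsers' comments identical also makes it obvious that the two branches must stay in sync when the rich-text handling referenced by the DELME markers lands.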
diff --git a/include/class.thread.php b/include/class.thread.php
index f45c0e518bd179d3a41b5000ada56b7b5ccdc1b5..9b4853a420b77b67d74a51bebad8875065f349b3 100644
--- a/include/class.thread.php
+++ b/include/class.thread.php
@@ -146,6 +146,10 @@ class Thread {
         //Add ticket Id.
         $vars['ticketId'] = $this->getTicketId();
 
+        // DELME: When HTML / rich-text is supported
+        $vars['title'] = Format::htmlchars($vars['title']);
+        $vars['body'] = Format::htmlchars($vars['body']);
+
         return Note::create($vars, $errors);
     }
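Review bot: `Format::htmlchars($vars['title'])` and `Format::htmlchars($vars['body'])` read both keys unconditionally, so a caller that omits `title` (a reply with no subject, for example) raises an undefined-index notice and stores an escaped empty string; guard the title with `if (isset($vars['title'])) $vars['title'] = Format::htmlchars($vars['title']);`. The identical four-line block is duplicated in `addMessage` (second hunk) and `addResponse` (third hunk); a single private helper applied before each `create()` call would keep the three in step and give the `DELME` marker one place to be removed from. Escaping at storage time also means data that already went through `MailFetcher::getBody`/`Mail_Parse::getBody` in this commit may be escaped twice if it reaches these methods — the call path is outside the hunk, so this is inferred. Each of `addNote`, `addMessage` and `addResponse` begins above its hunk.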
 
@@ -154,6 +158,10 @@ class Thread {
         $vars['ticketId'] = $this->getTicketId();
         $vars['staffId'] = 0;
 
+        // DELME: When HTML / rich-text is supported
+        $vars['title'] = Format::htmlchars($vars['title']);
+        $vars['body'] = Format::htmlchars($vars['body']);
+
         return Message::create($vars, $errors);
     }
 
@@ -161,6 +169,10 @@ class Thread {
 
         $vars['ticketId'] = $this->getTicketId();
 
+        // DELME: When HTML / rich-text is supported
+        $vars['title'] = Format::htmlchars($vars['title']);
+        $vars['body'] = Format::htmlchars($vars['body']);
+
         return Response::create($vars, $errors);
     }