diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index e59cb7b..82ff208 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -1,3 +1,6 @@
+# 3.9.1
+* Escaping HTML entities
+
 # 3.9.0
 * Set page title as the bookmark name when editing
diff --git a/VERSION b/VERSION
index a5c4c76..6bd1074 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.9.0
+3.9.1
diff --git a/src/main/java/com/mageddo/bookmarks/apiserver/SettingsController.java b/src/main/java/com/mageddo/bookmarks/apiserver/SettingsController.java
index cadbdb6..b0dc9a9 100644
--- a/src/main/java/com/mageddo/bookmarks/apiserver/SettingsController.java
+++ b/src/main/java/com/mageddo/bookmarks/apiserver/SettingsController.java
@@ -1,14 +1,9 @@
 package com.mageddo.bookmarks.apiserver;
-import java.util.List;
-
 import com.mageddo.bookmarks.entity.SettingEntity;
 import com.mageddo.bookmarks.exception.NotFoundException;
 import com.mageddo.bookmarks.service.SettingsService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import io.micronaut.http.HttpResponse;
 import io.micronaut.http.MediaType;
 import io.micronaut.http.annotation.Body;
@@ -17,6 +12,13 @@
 import io.micronaut.http.annotation.Patch;
 import io.micronaut.http.annotation.QueryValue;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.unbescape.html.HtmlEscape;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
 import static io.micronaut.http.HttpResponse.badRequest;
 import static io.micronaut.http.HttpResponse.notFound;
 import static io.micronaut.http.HttpResponse.ok;
@@ -65,7 +67,12 @@ public HttpResponse _3(String version, @QueryValue("key") String key) {
 produces = MediaType.APPLICATION_JSON)
 public HttpResponse _4(String version, @Body List settings) {
 try {
- settingsService.patch(settings);
+ settingsService.patch(
+ settings
+ .stream()
+ .map(it -> it.setValue(HtmlEscape.escapeHtml4(it.getValue())))
+ .collect(Collectors.toList())
+ );
 return ok();
 } catch (NotFoundException e) {
 logger.warn("status=not-found, msg={}", e.getMessage(), e);
diff --git a/src/main/java/thymeleaf/ThymeleafUtils.java b/src/main/java/thymeleaf/ThymeleafUtils.java
index 810ef04..e0cc700 100644
--- a/src/main/java/thymeleaf/ThymeleafUtils.java
+++ b/src/main/java/thymeleaf/ThymeleafUtils.java
@@ -5,6 +5,9 @@
 import com.mageddo.bookmarks.service.SiteMapService;
 import com.mageddo.commons.UrlUtils;
+import org.commonmark.internal.util.Html5Entities;
+import org.unbescape.html.HtmlEscape;
+
 import static com.mageddo.config.ApplicationContextUtils.context;
 public final class ThymeleafUtils {
@@ -30,10 +33,10 @@ public static String analyticsId() {
 }
 public static String headerHtml(){
- return context()
+ return HtmlEscape.unescapeHtml(context()
 .getBean(SettingsService.class)
 .findSetting(Setting.PUBLIC_PAGES_HEADER_HTML.name())
- .getValue()
+ .getValue())
 ;
 }
 }
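Review bot: The new `map` call in `_4` escapes at write time, so a setting that is PATCHed a second time is escaped again (`&` is stored as `&amp;`, and on the next save as `&amp;amp;`), and every reader of the settings table now has to know that stored values are HTML-encoded; escaping belongs at the point of output where the rendering context is known, so the safer shape is to store the raw value and let the template escape it (`th:text` already does) or apply `escapeHtml4` where the value is emitted. If write-time encoding is kept, the mutation should not be hidden inside `map`, which only works if `setValue` returns the entity itself (hedged, the setter is not in view): `settings.forEach(it -> it.setValue(HtmlEscape.escapeHtml4(it.getValue())));` followed by the original `settingsService.patch(settings);` says what is happening without relying on that. The body of `_4` continues past the end of the hunk.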
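Review bot: `org.commonmark.internal.util.Html5Entities` is imported but not used in either hunk of this file that the diff shows; unless a method outside the visible hunks needs it, the line `import org.commonmark.internal.util.Html5Entities;` should be dropped. It also comes from an `internal` package of commonmark, which carries no API-stability guarantee, so even a real use would be better served by a public entry point.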
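Review bot: `HtmlEscape.unescapeHtml` in `headerHtml()` reverses the write-time escaping for this one setting, so the public header is still emitted as raw administrator-supplied markup and the escape added in SettingsController gives no protection here; it is purely a storage transform for this value. It also decodes entity references that were a legitimate part of header HTML saved before 3.9.1 (those values were never escaped), so a literal `&lt;script&gt;` that used to display as text now becomes `<script>` and is emitted as markup. If this setting is meant to be raw HTML, store and return it untouched and state in a Javadoc on `headerHtml()` that the result is trusted markup that callers render unescaped; if all settings are now escaped on write, previously stored values need a one-off migration rather than an unescape on every read.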