diff --git a/mails/record.go b/mails/record.go
index 1e0f5630..00258b96 100644
--- a/mails/record.go
+++ b/mails/record.go
@@ -16,7 +16,7 @@ func SendRecordAuthAlert(app core.App, authRecord *core.Record, info string) err
 mailClient := app.NewMailClient()
 subject, body, err := resolveEmailTemplate(app, authRecord, authRecord.Collection().AuthAlert.EmailTemplate, map[string]any{
- core.EmailPlaceholderAlertInfo: info,
+ core.EmailPlaceholderAlertInfo: html.EscapeString(info),
 })
 if err != nil {
 return err
diff --git a/mails/record_test.go b/mails/record_test.go
index 02ad60ec..24f86d3c 100644
--- a/mails/record_test.go
+++ b/mails/record_test.go
@@ -15,12 +15,14 @@ func TestSendRecordAuthAlert(t *testing.T) {
 testApp, _ := tests.NewTestApp()
 defer testApp.Cleanup()
+ info := "
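Review bot: Escaping `info` at the call site fixes the HTML body but assumes the placeholder is only ever rendered into HTML; if `resolveEmailTemplate` also substitutes it into the subject or a plain-text alternative, recipients would see literal `&lt;`/`&amp;` entities there, so the context-specific encoding belongs at the HTML sink rather than on the value. The test in this same commit sets the user's name to a tagged value "to test that it is escaped", which suggests record-derived placeholders are already escaped inside the template path — if so, escaping `info` here treats one placeholder differently from the rest and risks double-encoding if that path is later made uniform. At minimum the line deserves a why-comment such as `// info is caller-supplied free text; placeholder values are inserted verbatim, so escape for the HTML body here — TODO confirm the subject never uses this placeholder`. Neither file in this diff shows an import hunk for `html`, so the import presumably already exists or the diff is partial. `SendRecordAuthAlert` begins before this hunk and its body continues after it.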

test_info

"
+
 user, _ := testApp.FindFirstRecordByData("users", "email", "test@example.com")
 // to test that it is escaped
 user.Set("name", "

"+user.GetString("name")+"

")
- err := mails.SendRecordAuthAlert(testApp, user, "test_info")
+ err := mails.SendRecordAuthAlert(testApp, user, info)
 if err != nil {
 t.Fatal(err)
 }
@@ -34,7 +36,7 @@ func TestSendRecordAuthAlert(t *testing.T) {
 "login to your " + testApp.Settings().Meta.AppName + " account from a new location",
 "If this was you",
 "If this wasn't you",
- "test_info",
+ html.EscapeString(info),
 }
 for _, part := range expectedParts {
 if !strings.Contains(testApp.TestMailer.LastMessage().HTML, part) {
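Review bot: The new expected part `html.EscapeString(info)` only proves the escaped form appears in the HTML body, not that the raw markup is absent, so a renderer that inlined `info` verbatim somewhere else in the message would still pass this test. Provided `info` carries markup, which is the premise of the test, a negative check after the loop pins the property the commit is about: `if strings.Contains(testApp.TestMailer.LastMessage().HTML, info) { t.Fatal("unescaped info found in HTML body") }`. If the escaped user name is also asserted through `expectedParts` (the start of that slice lies outside this hunk), the same absence check applies to the raw tagged name set earlier in the test. The `for` loop and `if` opened at the end of the hunk close outside it.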