diff --git a/main.py b/main.py
index fd03988..24eb825 100644
--- a/main.py
+++ b/main.py
@@ -1,17 +1,24 @@
-import os
 import base64
+import os
+import random
+
+from flask import Flask, request, session
-from flask import Flask, request
-from model import Message
+from model import Message
 app = Flask(__name__)
+app.secret_key = b'\x9d\xb1u\x08%\xe0\xd0p\x9bEL\xf8JC\xa3\xf4J(hAh\xa4\xcdw\x12S*,u\xec\xb8\xb8'
 @app.route('/', methods=['GET', 'POST'])
 def home():
+ if 'csrf_token' not in session:
+ session['csrf_token'] = str(random.randint(10000000, 99999999))
+
 if request.method == 'POST':
- m = Message(content=request.form['content'])
- m.save()
+ if request.form.get('csrf_token', None) == session['csrf_token']:
+ m = Message(content=request.form['content'])
+ m.save()
 body = """
@@ -19,19 +26,21 @@ def home():
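Review bot: The session signing key is a byte literal committed to the repository on the `app.secret_key = b'...'` line, and the CSRF token added in home() comes from `random.randint`, which is not a cryptographically secure generator; anyone with read access to the repo can sign session cookies and therefore mint valid tokens. The new check `if request.form.get('csrf_token', None) == session['csrf_token']:` also compares with `==` and, on mismatch, silently falls through to render the page as if the post had succeeded. Load the key from the environment (`os` is already imported), rotate the value that is now in history, generate the token with `secrets.token_hex`, compare with `hmac.compare_digest`, and reject a mismatch with `abort(403)`; `import random` then gives way to `import hmac` and `import secrets`, and `abort` joins the flask import. home() continues in the second hunk.
```python
app = Flask(__name__)
# Value is set outside the repository (variable name is illustrative);
# the key that was committed must be rotated.
app.secret_key = os.environ['FLASK_SECRET_KEY']

# … unchanged: route decorator …
def home():
    if 'csrf_token' not in session:
        session['csrf_token'] = secrets.token_hex(16)

    if request.method == 'POST':
        submitted = request.form.get('csrf_token', '')
        if not hmac.compare_digest(submitted, session['csrf_token']):
            abort(403)
        m = Message(content=request.form['content'])
        m.save()
    # … unchanged: body template …
```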

Class Message Board

Contribute to the Knowledge of Others

+ +

Wisdom From Your Fellow Classmates

-""" +""".format(session['csrf_token']) for m in Message.select(): body += """
{}
-""".format(m.content)
+""".format(m.content.replace('<', '<').replace('>', '>'))
 return body
diff --git a/requirements.txt b/requirements.txt
index b4ca511..7ff63ed 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,6 +2,6 @@ click==6.7
 Flask==1.0.2
 itsdangerous==0.24
 Jinja2==2.10
-MarkupSafe==1.0
+MarkupSafe==1.1.1
 peewee==3.3.4
 Werkzeug==0.14.1
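Review bot: The escaping added on the changed line, `m.content.replace('<', '<').replace('>', '>')`, replaces each character with itself as printed, so stored content still reaches the page unescaped; if the targets were meant to be the `&lt;`/`&gt;` entities and the rendering decoded them, `&` and quote characters are still left untouched. Use `markupsafe.escape` (MarkupSafe is already pinned in requirements.txt and is what Flask itself uses) or the stdlib `html.escape`, i.e. `""".format(escape(m.content))`, and apply the same to any other value interpolated into `body`. The added hidden-field lines of the form render here as `+ +`, so whether a `{}` placeholder actually matches `.format(session['csrf_token'])` cannot be confirmed from this hunk. home() starts in the previous hunk.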