diff -r 1d72402c1c91 Lib/http/server.py
--- a/Lib/http/server.py Tue Mar 15 13:33:28 2016 +1300
+++ b/Lib/http/server.py Fri Mar 18 11:16:01 2016 +0800
@@ -127,9 +127,6 @@
 DEFAULT_ERROR_CONTENT_TYPE = "text/html;charset=utf-8"
-def _quote_html(html):
- return html.replace("&", "&").replace("<", "<").replace(">", ">")
-
 class HTTPServer(socketserver.TCPServer):
 allow_reuse_address = 1 # Seems to make sense in testing environment
@@ -444,9 +441,12 @@
 if explain is None:
 explain = longmsg
 self.log_error("code %d, message %s", code, message)
- # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
- content = (self.error_message_format %
- {'code': code, 'message': _quote_html(message), 'explain': _quote_html(explain)})
+ # bug #1100201
+ content = (self.error_message_format % {
+ 'code': code,
+ 'message': html.escape(message),
+ 'explain': html.escape(explain)
+ })
 body = content.encode('UTF-8', 'replace')
 self.send_response(code, message)
 self.send_header("Content-Type", self.error_content_type)
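Review bot: The replacement comment `# bug #1100201` drops the reason the escaping exists, which the removed comment stated; keep the why next to the call, e.g. `# Escape caller-controlled message/explain so the error page cannot reflect markup (XSS, see bug #1100201)`. Note that `html.escape` defaults to `quote=True`, so `"` and `'` in message or explain now come out as `&quot;`/`&#x27;` where `_quote_html` left them alone — a visible change in the rendered body, and the safer choice since `error_message_format` is a class attribute that subclasses may override to place these values inside attributes. The hunk shows no `import html`; it presumably already exists at module level, but that is worth confirming because a missing import would only surface at runtime when an error page is sent. The enclosing send_error method starts and ends outside this hunk.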