diff -r adb6b029b102 Lib/http/server.py
--- a/Lib/http/server.py	Wed Mar 09 15:02:31 2016 +0100
+++ b/Lib/http/server.py	Sat Mar 19 00:52:51 2016 +0800
@@ -126,9 +126,6 @@
 
 DEFAULT_ERROR_CONTENT_TYPE = "text/html;charset=utf-8"
 
-def _quote_html(html):
-    return html.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
-
 class HTTPServer(socketserver.TCPServer):
 
     allow_reuse_address = 1    # Seems to make sense in testing environment
@@ -443,9 +440,12 @@
         if explain is None:
             explain = longmsg
         self.log_error("code %d, message %s", code, message)
-        # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
-        content = (self.error_message_format %
-                   {'code': code, 'message': _quote_html(message), 'explain': _quote_html(explain)})
+        # bug #1100201
+        content = (self.error_message_format % {
+            'code': code,
+            'message': html.escape(message),
+            'explain': html.escape(explain)
+        })
         body = content.encode('UTF-8', 'replace')
         self.send_response(code, message)
         self.send_header("Content-Type", self.error_content_type)
diff -r adb6b029b102 Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py	Wed Mar 09 15:02:31 2016 +0100
+++ b/Lib/test/test_httpservers.py	Sat Mar 19 00:52:51 2016 +0800
@@ -404,6 +404,19 @@
         response = self.request('/', method='GETs')
         self.check_status_and_reason(response, HTTPStatus.NOT_IMPLEMENTED)
 
+    def test_html_escape_filename(self):
+        filename = '<test&>'
+        enc = sys.getfilesystemencoding()
+        try:
+            f = open(os.path.join(self.tempdir, filename), 'w')
+            f.close()
+        except OSError:
+            raise unittest.SkipTest('Can not create file %s on current file '
+                                    'system' % filename)
+        response = self.request(self.tempdir_name + '/')
+        result = response.read()
+        os.unlink(os.path.join(self.tempdir, filename)) # avoid affecting test_undecodable_filename
+        self.assertIn(html.escape(filename).encode(enc, 'surrogateescape'), result)
 
 cgi_file1 = """\
 #!%s
@@ -858,6 +871,11 @@
         self.assertFalse(self.handler.get_called)
         self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')
 
+    def test_html_escape_on_error(self):
+        result = self.send_typical_request(b'<script>alert("hello")</script> / HTTP/1.1')
+        result = b''.join(result).decode('utf-8')
+        self.assertIn(html.escape('<script>alert("hello")</script'), result)
+
     def test_close_connection(self):
         # handle_one_request() should be repeatedly called until
         # it sets close_connection