diff --git a/packages/rocketchat-lib/server/lib/sendEmailOnMessage.js b/packages/rocketchat-lib/server/lib/sendEmailOnMessage.js
index c4351cc46c7..860f2232860 100644
--- a/packages/rocketchat-lib/server/lib/sendEmailOnMessage.js
+++ b/packages/rocketchat-lib/server/lib/sendEmailOnMessage.js
@@ -4,9 +4,9 @@ import s from 'underscore.string';
 function getEmailContent({ messageContent, message, user, room }) {
 	const lng = user && user.language || RocketChat.settings.get('language') || 'en';
 
-	const roomName = `#${ RocketChat.settings.get('UI_Allow_room_names_with_special_chars') ? room.fname || room.name : room.name }`;
+	const roomName = s.escapeHTML(`#${ RocketChat.settings.get('UI_Allow_room_names_with_special_chars') ? room.fname || room.name : room.name }`);
 
-	const userName = RocketChat.settings.get('UI_Use_Real_Name') ? message.u.name || message.u.username : message.u.username;
+	const userName = s.escapeHTML(RocketChat.settings.get('UI_Use_Real_Name') ? message.u.name || message.u.username : message.u.username);
 
 	const header = TAPi18n.__(room.t === 'd' ? 'User_sent_a_message_to_you' : 'User_sent_a_message_on_channel', {
 		username: userName,
@@ -25,10 +25,10 @@ function getEmailContent({ messageContent, message, user, room }) {
 			lng
 		});
 
-		let content = `${ TAPi18n.__('Attachment_File_Uploaded') }: ${ message.file.name }`;
+		let content = `${ TAPi18n.__('Attachment_File_Uploaded') }: ${ s.escapeHTML(message.file.name) }`;
 
 		if (message.attachments && message.attachments.length === 1 && message.attachments[0].description !== '') {
-			content += `<br/><br/>${ message.attachments[0].description }`;
+			content += `<br/><br/>${ s.escapeHTML(message.attachments[0].description) }`;
 		}
 
 		return `${ fileHeader }<br/><br/>${ content }`;
@@ -40,10 +40,10 @@ function getEmailContent({ messageContent, message, user, room }) {
 		let content = '';
 
 		if (attachment.title) {
-			content += `${ attachment.title }<br/>`;
+			content += `${ s.escapeHTML(attachment.title) }<br/>`;
 		}
 		if (attachment.text) {
-			content += `${ attachment.text }<br/>`;
+			content += `${ s.escapeHTML(attachment.text) }<br/>`;
 		}
 
 		return `${ header }<br/><br/>${ content }`;
@@ -241,9 +241,9 @@ RocketChat.callbacks.add('afterSaveMessage', function(message, room) {
 						};
 						// using user full-name/channel name in from address
 						if (room.t === 'd') {
-							email.from = `${ message.u.name } <${ RocketChat.settings.get('From_Email') }>`;
+							email.from = `${ String(message.u.name).replace(/@/g, '%40').replace(/[<>,]/g, '') } <${ RocketChat.settings.get('From_Email') }>`;
 						} else {
-							email.from = `${ room.name } <${ RocketChat.settings.get('From_Email') }>`;
+							email.from = `${ String(room.name).replace(/@/g, '%40').replace(/[<>,]/g, '') } <${ RocketChat.settings.get('From_Email') }>`;
 						}
 						// If direct reply enabled, email content with headers
 						if (RocketChat.settings.get('Direct_Reply_Enable')) {