diff --git a/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
index 98c37a64e2..9c65e413c5 100644
--- a/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
+++ b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
@@ -7,6 +7,7 @@
 import java.io.Serializable;
 import java.time.LocalDateTime;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.web.util.HtmlUtils;
 @Slf4j
 // TODO move back to lesson
@@ -47,7 +48,7 @@ private void readObject(ObjectInputStream stream) throws Exception {
     // do something with the data
     log.info("restoring task: {}", taskName);
-    log.info("restoring time: {}", requestedExecutionTime);
+    log.info("restoring time: {}", HtmlUtils.htmlEscape(String.valueOf(requestedExecutionTime).replace("\n", "").replace("\r", "")));
     if (requestedExecutionTime != null
         && (requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10))
@@ -60,7 +61,7 @@ private void readObject(ObjectInputStream stream) throws Exception {
     // condition is here to prevent you from destroying the goat altogether
     if ((taskAction.startsWith("sleep") || taskAction.startsWith("ping"))
         && taskAction.length() < 22) {
-      log.info("about to execute: {}", taskAction);
+      log.info("about to execute: {}", HtmlUtils.htmlEscape(String.valueOf(taskAction).replace("\n", "").replace("\r", "")));
       try {
         Process p = Runtime.getRuntime().exec(taskAction);
         BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
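Review bot: The sanitising expression `HtmlUtils.htmlEscape(String.valueOf(x).replace("\n", "").replace("\r", ""))` is written out in full twice, on the `restoring time` line in this hunk and again on the `about to execute` line in the hunk at -60,7, so a later change to one copy will drift from the other; it belongs in one private helper that both log.info calls use. Note also that `requestedExecutionTime` is a `LocalDateTime`, whose `String.valueOf` output contains neither CR/LF nor HTML-significant characters, so the wrapping on this line is functionally a no-op — presumably it is there to satisfy a static analyser that flags the deserialised field as tainted, and a one-line comment saying so would keep the next reader from "cleaning it up". readObject starts and ends outside the hunk.
```java
  /**
   * Sanitises a deserialised field before it is written to the log: strips CR/LF so the
   * value cannot forge additional log lines, then HTML-escapes the remainder.
   */
  private static String sanitizeForLog(Object value) {
    return HtmlUtils.htmlEscape(String.valueOf(value).replace("\n", "").replace("\r", ""));
  }

  // … unchanged: readObject up to the restore log lines …
    log.info("restoring time: {}", sanitizeForLog(requestedExecutionTime));
  // … unchanged: timing check and command prefix check …
      log.info("about to execute: {}", sanitizeForLog(taskAction));
```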
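Review bot: The escaped value on the new `about to execute` log line is a different string from the `taskAction` that `Runtime.getRuntime().exec(taskAction)` receives on the very next line, so the log no longer records exactly what was run — any `<`, `>`, `&` or quote in the action appears as an HTML entity, which is a forensic cost on the one line an investigator would rely on. The CR/LF removal is what defeats log forging; `htmlEscape` only matters if the log output is rendered in an HTML context, so unless that is the case here the line should log `String.valueOf(taskAction).replace("\n", "").replace("\r", "")` without the HTML step. The class name and the surrounding comments indicate the exec call itself is intentional lesson code, so this note concerns the log line only. readObject continues outside the hunk.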