diff --git a/reactor-netty-http/src/test/java/reactor/netty/TomcatServer.java b/reactor-netty-http/src/test/java/reactor/netty/TomcatServer.java
index 27df0dcfd1..61d6f97dcf 100644
--- a/reactor-netty-http/src/test/java/reactor/netty/TomcatServer.java
+++ b/reactor-netty-http/src/test/java/reactor/netty/TomcatServer.java
@@ -21,6 +21,7 @@
 import org.apache.coyote.AbstractProtocol;
 import org.apache.coyote.ProtocolHandler;
 import org.apache.coyote.http11.AbstractHttp11Protocol;
+import org.apache.tomcat.util.security.Escape;
 
 import javax.servlet.MultipartConfigElement;
 import javax.servlet.ServletException;
@@ -183,7 +184,10 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) throws
 			}
 
 			resp.setStatus(Integer.parseInt(path));
-			writer.print(path);
+			// Use Tomcat's HTML escaping method, to avoid cross-site scripting Github security alert.
+			String sanitizedPath = Escape.htmlElementContent(path);
+
+			writer.print(sanitizedPath);
 			writer.flush();
 		}
 	}
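Review bot: By the time `writer.print(sanitizedPath)` runs, `Integer.parseInt(path)` on the preceding context line has already thrown for anything that is not an optional sign followed by digits, so `Escape.htmlElementContent` can never alter the value that is actually written; the escaping is defence in depth, and the new comment should say that instead of citing the scanner alert that motivated it. Suggested wording: `// parseInt above already rejects anything but an integer; escape anyway so the reflected value stays inert if that check ever moves.` The `service` method starts outside the hunk, so where `path` comes from is not visible; if it is taken from the request URI, a non-numeric segment surfaces as a `NumberFormatException` before any body is written, which is presumably acceptable for a test fixture but worth a one-line comment at the parse site. The blank line between the declaration and its only use is unnecessary and could be dropped.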