diff --git a/app/template/rest.py b/app/template/rest.py
index 26ae98502..8da697667 100644
--- a/app/template/rest.py
+++ b/app/template/rest.py
@@ -4,6 +4,7 @@ from flask import (
     request,
     current_app
 )
+import bleach
 from sqlalchemy.exc import IntegrityError
 
 from app.dao.templates_dao import (
@@ -34,6 +35,7 @@ def create_template(service_id):
     if errors:
         return jsonify(result="error", message=errors), 400
     new_template.service = fetched_service
+    new_template.content = _strip_html(new_template.content)
     try:
         dao_create_template(new_template)
     except IntegrityError as ex:
@@ -55,6 +57,7 @@ def update_template(service_id, template_id):
 
     current_data = dict(template_schema.dump(fetched_template).data.items())
     current_data.update(request.get_json())
+    current_data['content'] = _strip_html(current_data['content'])
 
     update_dict, errors = template_schema.load(current_data)
     if errors:
@@ -79,3 +82,7 @@ def get_template_by_id_and_service_id(service_id, template_id):
         return jsonify(data=data)
     else:
         return jsonify(result="error", message="Template not found"), 404
+
+
+def _strip_html(content):
+    return bleach.clean(content, tags=[], strip=True)
diff --git a/requirements.txt b/requirements.txt
index c41e2e6f4..254a2f3a5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
+bleach==1.4.2
 Flask==0.10.1
 Flask-Script==2.0.5
 Flask-Migrate==1.3.1
diff --git a/tests/app/template/test_rest.py b/tests/app/template/test_rest.py
index 0ba8c0a68..670862bb5 100644
--- a/tests/app/template/test_rest.py
+++ b/tests/app/template/test_rest.py
@@ -10,7 +10,7 @@ def test_should_create_a_new_sms_template_for_a_service(notify_api, sample_servi
             data = {
                 'name': 'my template',
                 'template_type': 'sms',
-                'content': 'template content',
+                'content': 'template <b>content</b>',
                 'service': str(sample_service.id)
             }
             data = json.dumps(data)
@@ -42,7 +42,7 @@ def test_should_create_a_new_email_template_for_a_service(notify_api, sample_ser
                 'name': 'my template',
                 'template_type': 'email',
                 'subject': 'subject',
-                'content': 'template content',
+                'content': 'template <b>content</b>',
                 'service': str(sample_service.id)
             }
             data = json.dumps(data)
@@ -222,7 +222,7 @@ def test_should_be_able_to_update_a_template(notify_api, sample_service):
             json_resp = json.loads(create_response.get_data(as_text=True))
             assert json_resp['data']['name'] == 'my template'
             data = {
-                'name': 'my template has a new name'
+                'content': 'my template has new content <script type="text/javascript">alert("foo")</script>'
             }
             data = json.dumps(data)
             auth_header = create_authorization_header(
@@ -239,7 +239,7 @@ def test_should_be_able_to_update_a_template(notify_api, sample_service):
 
             assert update_response.status_code == 200
             update_json_resp = json.loads(update_response.get_data(as_text=True))
-            assert update_json_resp['data']['name'] == 'my template has a new name'
+            assert update_json_resp['data']['content'] == 'my template has new content alert("foo")'
 
 
 def test_should_be_able_to_get_all_templates_for_a_service(notify_api, sample_service):