diff --git a/packages/react-devtools-core/src/standalone.js b/packages/react-devtools-core/src/standalone.js
index 81f357751913..80ea51bc0246 100644
--- a/packages/react-devtools-core/src/standalone.js
+++ b/packages/react-devtools-core/src/standalone.js
@@ -195,11 +195,14 @@ function onError({code, message}: $FlowFixMe) {
         <div class="box-header">
           Unknown error
         </div>
-        <div class="box-content">
-          ${message}
-        </div>
+        <div class="box-content"></div>
       </div>
     `;
+    // Use textContent to avoid XSS from error message strings.
+    const contentNode = node.querySelector('.box-content');
+    if (contentNode !== null) {
+      contentNode.textContent = message;
+    }
   }
 }