diff --git a/main.py b/main.py
index 798e038..3724474 100644
--- a/main.py
+++ b/main.py
@@ -91,7 +91,7 @@ def user_edit():
 return redirect(url_for('login'))
 if request.method == 'POST':
- about = request.form['about']
+ about = request.form['about'].replace('\r', '')
 db.set_user_private_info(user_id, about)
 else:
 about, = db.get_user_private_info(user_id)
@@ -120,7 +120,7 @@ def new_thread(forum_id):
 return redirect(url_for('login'))
 if request.method == 'POST':
- id, = db.add_thread(user_id, forum_id, request.form['title'], request.form['text'], time.time_ns())
+ id, = db.add_thread(user_id, forum_id, request.form['title'], request.form['text'].replace('\r', ''), time.time_ns())
 flash('Created thread', 'success')
 return redirect(url_for('thread', thread_id = id))
@@ -157,7 +157,7 @@ def add_comment(thread_id):
 if user_id is None:
 return redirect(url_for('login'))
- if db.add_comment_to_thread(thread_id, user_id, request.form['text'], time.time_ns()):
+ if db.add_comment_to_thread(thread_id, user_id, request.form['text'].replace('\r', ''), time.time_ns()):
 flash('Added comment', 'success')
 else:
 flash('Failed to add comment', 'error')
@@ -169,7 +169,7 @@ def add_comment_parent(comment_id):
 if user_id is None:
 return redirect(url_for('login'))
- if db.add_comment_to_comment(comment_id, user_id, request.form['text'], time.time_ns()):
+ if db.add_comment_to_comment(comment_id, user_id, request.form['text'].replace('\r', ''), time.time_ns()):
 flash('Added comment', 'success')
 else:
 flash('Failed to add comment', 'error')
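Review bot: In the new_thread hunk (`@@ -120`) only `request.form['text']` gets the `\r` stripping while `request.form['title']` is stored as submitted; browsers usually strip line breaks from single-line inputs, but the server cannot rely on the client doing so, so either normalize the title the same way or leave a comment saying why it is exempt. The same `.replace('\r', '')` expression is now written out in all four hunks (user_edit, new_thread, add_comment, add_comment_parent); a one-line helper such as `def form_text(name): return request.form[name].replace('\r', '')` keeps the normalization in one place and gives it a docstring. Dropping every `\r` rather than rewriting `\r\n` as `\n` also joins lines for lone-CR input, which is probably acceptable for browser form posts but deserves a comment where the helper is defined. The enclosing functions of all four hunks start outside the hunks.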
@@ -245,4 +245,19 @@ def utility_processor():
 return f(t.month, n.month, "month")
 # This shouldn't be reachable, but it's still better to return something
 return "incredibly long ago"
- return {'format_since': format_since}
+
+ def minimd(text):
+ # Replace angle brackets to prevent XSS
+ # Also replace ampersands to prevent surprises.
+ text = text.replace('&', '&').replace('<', '<').replace('>', '>')
+ # Split into paragraphs
+ paragraphs = text.split('\n\n')
+ paragraphs = map(lambda l: l if not l.startswith(' ') else f'
{l}
', paragraphs)
+ paragraphs = map(lambda l: f'

{l}

', paragraphs)
+ # Glue together again
+ return ''.join(paragraphs)
+
+ return {
+ 'format_since': format_since,
+ 'minimd': minimd,
+ }
diff --git a/templates/comment.html b/templates/comment.html
index ce25b1c..6983c9e 100644
--- a/templates/comment.html
+++ b/templates/comment.html
@@ -5,7 +5,7 @@ {% macro render_comment_pre(comment) %}
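Review bot: The three replacements at the top of `minimd` are the only escaping applied to stored user text before it reaches the browser, because the comment.html and thread.html hunks render its result with `| safe`, which turns Jinja's autoescaping off for that value; as this page shows them (`replace('&', '&')`, `replace('<', '<')`, `replace('>', '>')`) they are no-ops, which is most likely the page's rendering of the HTML entities rather than the committed code, but it is worth confirming against the real diff. Instead of hand-rolling the escaping, `text = str(markupsafe.escape(text))` (markupsafe is a Flask dependency) also covers quotes, and returning `markupsafe.Markup(...)` from `minimd` would let both templates drop `| safe` so the trust decision sits next to the escaping. The split on `'\n\n'` only works for text whose `\r` was stripped by this commit's earlier hunks; any rows stored before this change with `\r\n` endings would render as a single paragraph unless `minimd` normalizes line endings itself with `text = text.replace('\r', '')` before the split. `minimd` is also a closure inside `utility_processor`, re-created per request and not unit-testable in isolation; a module-level function with a docstring stating that the input is untrusted user text and the output is HTML would be easier to test and review.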
{{ author(comment.author, comment.create_time, comment.modify_time) }} -

{{ comment.text }}

+

{{ minimd(comment.text) | safe }}

{% endmacro %} {% macro render_comment_post(comment) %} diff --git a/templates/thread.html b/templates/thread.html index 8094888..e53efe1 100644 --- a/templates/thread.html +++ b/templates/thread.html @@ -10,7 +10,7 @@
{% endif %} {{ f_author(author, create_time, modify_time) }} -

{{ text }}

+

{{ minimd(text) | safe }}

{{ reply() }}