diff --git a/CHANGELOG.md b/CHANGELOG.md
index 78575adb..946c0717 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@
   - Binaries renamed from `oauth2_proxy` to `oauth2-proxy`
 - [#432](https://github.com/oauth2-proxy/oauth2-proxy/pull/432) Update ruby dependencies for documentation (@theobarberbany)
 - [#471](https://github.com/oauth2-proxy/oauth2-proxy/pull/471) Add logging in case of invalid redirects (@gargath)
+- [#462](https://github.com/oauth2-proxy/oauth2-proxy/pull/462) Allow HTML in banner message (@eritikass).
 
 # v5.1.0
 
@@ -53,6 +54,7 @@ N/A
 - [#405](https://github.com/oauth2-proxy/oauth2-proxy/pull/405) The `/sign_in` page now honors the `rd` query parameter, fixing the redirect after a successful authentication (@ti-mo)
 - [#434](https://github.com/oauth2-proxy/oauth2-proxy/pull/434) Give the option to prefer email address in the username header when using the -pass-user-headers option (@jordancrawfordnz)
 
+
 # v5.0.0
 
 ## Release Hightlights
diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
index 1617e32c..6b61dc24 100644
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@@ -49,8 +49,8 @@ An example [oauth2-proxy.cfg]({{ site.gitweb }}/contrib/oauth2-proxy.cfg.example
 | `-exclude-logging-paths` | string | comma separated list of paths to exclude from logging, eg: `"/ping,/path2"` |`""` (no paths excluded) |
 | `-flush-interval` | duration | period between flushing response buffers when streaming responses | `"1s"` |
 | `-force-https` | bool | enforce https redirect | `false` |
-| `-banner` | string | custom banner string. Use `"-"` to disable default banner. | |
-| `-footer` | string | custom footer string. Use `"-"` to disable default footer. | |
+| `-banner` | string | custom (html) banner string. Use `"-"` to disable default banner. | |
+| `-footer` | string | custom (html) footer string. Use `"-"` to disable default footer. | |
 | `-gcp-healthchecks` | bool | will enable `/liveness_check`, `/readiness_check`, and `/` (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses | false |
 | `-github-org` | string | restrict logins to members of this organisation | |
 | `-github-team` | string | restrict logins to members of any of these teams (slug), separated by a comma | |
diff --git a/oauthproxy.go b/oauthproxy.go
index 49323d2e..1b3e3fbe 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -469,7 +469,7 @@ func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
 
 	t := struct {
 		ProviderName  string
-		SignInMessage string
+		SignInMessage template.HTML
 		CustomLogin   bool
 		Redirect      string
 		Version       string
@@ -477,7 +477,7 @@ func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
 		Footer        template.HTML
 	}{
 		ProviderName:  p.provider.Data().ProviderName,
-		SignInMessage: p.SignInMessage,
+		SignInMessage: template.HTML(p.SignInMessage),
 		CustomLogin:   p.displayCustomLoginForm(),
 		Redirect:      redirectURL,
 		Version:       VERSION,