diff --git a/weblate/accounts/models.py b/weblate/accounts/models.py
index e022379b5a53..5a8a77512f48 100644
--- a/weblate/accounts/models.py
+++ b/weblate/accounts/models.py
@@ -22,6 +22,7 @@
from django.dispatch import receiver
from django.utils import timezone
from django.utils.functional import cached_property
+from django.utils.html import format_html
from django.utils.timezone import now
from django.utils.translation import get_language, gettext, gettext_lazy, pgettext_lazy
from django_otp.plugins.otp_static.models import StaticDevice
@@ -349,7 +350,14 @@ def get_params(self):
result = {
"site_title": settings.SITE_TITLE,
}
- result.update(self.params)
+ for name, value in self.params.items():
+ if name in {"old", "new", "name", "email", "username"}:
+ value = format_html("{}
", value)
+ elif name in {"device", "project", "site_title", "method"}:
+ value = format_html("{}", value)
+
+ result[name] = value
+
if "method" in result:
# The gettext is here for legacy entries which contained method name
result["method"] = gettext(get_auth_name(result["method"]))
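Review bot: The `"method"` entry is wrapped by `format_html` inside the loop (L22–L23) and only afterwards fed to `get_auth_name()` and `gettext()` at L29, so the lookup and the translation run on an already-escaped `SafeString` instead of the raw stored value. `get_auth_name` is not visible here, but if it can return its argument unchanged, Django's `gettext` will mark the translated result as safe because its input was `SafeData`, and a stored name containing `&` or `<` would no longer match its key. Doing the lookup on the raw value and wrapping last avoids both: drop `"method"` from the set at L22 and use `result["method"] = format_html("{}", gettext(get_auth_name(result["method"])))`. A short comment above the loop saying that keys outside both sets are left raw on purpose, because `format_html` in `get_message` escapes them, would also help. The body of `get_params` starts before this hunk and may continue after it.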
@@ -363,7 +371,7 @@ def get_message(self):
message = ACCOUNT_ACTIVITY_METHOD[method][activity]
else:
message = ACCOUNT_ACTIVITY[activity]
- return message.format(**self.get_params())
+ return format_html(message, **self.get_params())
def get_extra_message(self):
if self.activity in EXTRA_MESSAGES:
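Review bot: `format_html(message, ...)` escapes only the parameters; `message` itself is used as the format template and ends up marked safe, so every string in `ACCOUNT_ACTIVITY` and `ACCOUNT_ACTIVITY_METHOD` is now trusted markup. If those strings are translatable (their definitions are not in this hunk), the translated variants are trusted too. The return type also changes from a plain `str` to a `SafeString` holding HTML entities, so any caller that puts `get_message()` into a non-HTML context (plain-text mail, JSON, logs) would show `&amp;`-style escapes; those call sites are outside this diff and worth checking. I would record the contract in a docstring on `get_message`, for example `"""Return the activity message as HTML-safe text; templates are trusted, parameters are escaped."""`. The body of `get_message` starts before this hunk.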