diff --git a/server/config.go b/server/config.go
index 8fc01411..4f1cbef6 100644
--- a/server/config.go
+++ b/server/config.go
@@ -105,6 +105,7 @@ type Config struct {
 	SMTPServerListen                     string
 	SMTPServerDomain                     string
 	SMTPServerAddrPrefix                 string
+	TwilioBaseURL                        string
 	TwilioAccount                        string
 	TwilioAuthToken                      string
 	TwilioFromNumber                     string
@@ -186,6 +187,7 @@ func NewConfig() *Config {
 		SMTPServerListen:                     "",
 		SMTPServerDomain:                     "",
 		SMTPServerAddrPrefix:                 "",
+		TwilioBaseURL:                        "https://api.twilio.com", // Override for tests
 		TwilioAccount:                        "",
 		TwilioAuthToken:                      "",
 		TwilioFromNumber:                     "",
diff --git a/server/server_twilio.go b/server/server_twilio.go
index a9a2edb8..fc21aaca 100644
--- a/server/server_twilio.go
+++ b/server/server_twilio.go
@@ -1,6 +1,8 @@
 package server
 
 import (
+	"bytes"
+	"encoding/xml"
 	"fmt"
 	"heckel.io/ntfy/log"
 	"heckel.io/ntfy/util"
@@ -11,9 +13,10 @@ import (
 )
 
 const (
-	twilioMessageEndpoint = "Messages.json"
-	twilioCallEndpoint    = "Calls.json"
-	twilioCallTemplate    = `
+	twilioMessageEndpoint     = "Messages.json"
+	twilioMessageFooterFormat = "This message was sent by %s via %s"
+	twilioCallEndpoint        = "Calls.json"
+	twilioCallFormat          = `
 <Response>
 	<Pause length="1"/>
 	<Say>You have a message from notify on topic %s. Message:</Say>
@@ -37,7 +40,7 @@ func (s *Server) sendSMS(v *visitor, r *http.Request, m *message, to string) {
 }
 
 func (s *Server) callPhone(v *visitor, r *http.Request, m *message, to string) {
-	body := fmt.Sprintf(twilioCallTemplate, m.Topic, m.Message, s.messageFooter(m))
+	body := fmt.Sprintf(twilioCallFormat, xmlEscapeText(m.Topic), xmlEscapeText(m.Message), xmlEscapeText(s.messageFooter(m)))
 	data := url.Values{}
 	data.Set("From", s.config.TwilioFromNumber)
 	data.Set("To", to)
@@ -73,7 +76,7 @@ func (s *Server) performTwilioRequest(v *visitor, r *http.Request, m *message, e
 }
 
 func (s *Server) performTwilioRequestInternal(endpoint string, data url.Values) (string, error) {
-	requestURL := fmt.Sprintf("https://api.twilio.com/2010-04-01/Accounts/%s/%s", s.config.TwilioAccount, endpoint)
+	requestURL := fmt.Sprintf("%s/2010-04-01/Accounts/%s/%s", s.config.TwilioBaseURL, s.config.TwilioAccount, endpoint)
 	req, err := http.NewRequest(http.MethodPost, requestURL, strings.NewReader(data.Encode()))
 	if err != nil {
 		return "", err
@@ -97,5 +100,11 @@ func (s *Server) messageFooter(m *message) string {
 	if m.User != "" {
 		sender = fmt.Sprintf("%s (%s)", m.User, m.Sender)
 	}
-	return fmt.Sprintf("This message was sent by %s via %s", sender, util.ShortTopicURL(topicURL))
+	return fmt.Sprintf(twilioMessageFooterFormat, sender, util.ShortTopicURL(topicURL))
+}
+
+func xmlEscapeText(text string) string {
+	var buf bytes.Buffer
+	_ = xml.EscapeText(&buf, []byte(text))
+	return buf.String()
 }
diff --git a/server/server_twilio_test.go b/server/server_twilio_test.go
new file mode 100644
index 00000000..16c1274c
--- /dev/null
+++ b/server/server_twilio_test.go
@@ -0,0 +1,38 @@
+package server
+
+import (
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestServer_Twilio_SMS(t *testing.T) {
+	c := newTestConfig(t)
+	c.TwilioBaseURL = "http://"
+	c.TwilioAccount = "AC123"
+	c.TwilioAuthToken = "secret-token"
+	c.TwilioFromNumber = "+123456789"
+	s := newTestServer(t, c)
+
+	response := request(t, s, "POST", "/mytopic", "test", map[string]string{
+		"SMS": "+11122233344",
+	})
+	require.Equal(t, 1, toMessage(t, response.Body.String()).Priority)
+
+	response = request(t, s, "GET", "/mytopic/send?priority=low", "test", nil)
+	require.Equal(t, 2, toMessage(t, response.Body.String()).Priority)
+
+	response = request(t, s, "GET", "/mytopic/send?priority=default", "test", nil)
+	require.Equal(t, 3, toMessage(t, response.Body.String()).Priority)
+
+	response = request(t, s, "GET", "/mytopic/send?priority=high", "test", nil)
+	require.Equal(t, 4, toMessage(t, response.Body.String()).Priority)
+
+	response = request(t, s, "GET", "/mytopic/send?priority=max", "test", nil)
+	require.Equal(t, 5, toMessage(t, response.Body.String()).Priority)
+
+	response = request(t, s, "GET", "/mytopic/trigger?priority=urgent", "test", nil)
+	require.Equal(t, 5, toMessage(t, response.Body.String()).Priority)
+
+	response = request(t, s, "GET", "/mytopic/trigger?priority=INVALID", "test", nil)
+	require.Equal(t, 40007, toHTTPError(t, response.Body.String()).Code)
+}