diff --git a/action.php b/action.php
index b87e16054..d800e4797 100644
--- a/action.php
+++ b/action.php
@@ -216,7 +216,7 @@ $http_headers[] = 'Content-Type: '.$ctype;
 if (isset($_GET['download']))
 {
- $http_headers[] = 'Content-Disposition: attachment; filename="'.$element_info['file'].'";';
+ $http_headers[] = 'Content-Disposition: attachment; filename="'.htmlspecialchars_decode($element_info['file']).'";';
 $http_headers[] = 'Content-Transfer-Encoding: binary';
 }
 else
diff --git a/admin/include/functions_upload.inc.php b/admin/include/functions_upload.inc.php
index 900612fdd..cedebd14c 100644
--- a/admin/include/functions_upload.inc.php
+++ b/admin/include/functions_upload.inc.php
@@ -161,6 +161,11 @@ function add_uploaded_file($source_filepath, $original_filename=null, $categorie
 global $conf, $user;
+ if (!is_null($original_filename))
+ {
+ $original_filename = htmlspecialchars($original_filename);
+ }
+
 if (isset($original_md5sum))
 {
 $md5sum = $original_md5sum;
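Review bot: The decoded filename on the `+` line of the action.php hunk is spliced into a quoted-string header parameter without neutralising `"` or `\`, so a stored name containing `&quot;` (which `htmlspecialchars_decode` turns back into a literal quote) can terminate the `filename=` parameter early and append further Content-Disposition parameters; PHP's `header()` refuses CR/LF since 5.1.2, assuming that is how `$http_headers` is eventually sent, but it does not check quotes. Strip the quoted-string specials before building the header, e.g. `$download_name = str_replace(array('"', '\\', "\r", "\n"), '', htmlspecialchars_decode($element_info['file']));` followed by `$http_headers[] = 'Content-Disposition: attachment; filename="'.$download_name.'"';`, and for non-ASCII names add a `filename*=UTF-8''`.rawurlencode($download_name)` parameter per RFC 6266 rather than relying on the bare quoted form. The decode also presumes every stored `file` value is HTML-escaped, which the functions_upload.inc.php hunk on this page only guarantees for uploads made after this change; a comment such as `// stored filenames are HTML-escaped at upload (add_uploaded_file); decode for the header` would record that dependency for the next reader.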