diff --git a/application/controllers/UploaderController.php b/application/controllers/UploaderController.php
index c092acd8c92..9c0f0f22f6e 100644
--- a/application/controllers/UploaderController.php
+++ b/application/controllers/UploaderController.php
@@ -37,7 +37,7 @@ function run($actionID)
 $sFileName = Yii::app()->request->getParam('filename', ''); // The file to delete fu_ or fu_tmp
 $sOriginalFileName = Yii::app()->request->getParam('name', ''); // Used for javascript return only
 $sMode = Yii::app()->request->getParam('mode');
- $sPreview = Yii::app()->request->getParam('preview', 0);
+ $sPreview = htmlspecialchars(Yii::app()->request->getParam('preview', 0));
 // Validate and filter and throw error if problems
 // Using 'futmp_'.randomChars(15).'_'.$pathinfo['extension'] for filename, then remove all other characters
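Review bot: htmlspecialchars() on the added `$sPreview` line escapes the request parameter at read time, which turns the integer default `0` into the string `"0"` and bakes HTML encoding into a value that may later be used in a non-HTML context; since the default `0` suggests `preview` is a flag, validating it as an integer is the more robust fix, `$sPreview = (int) Yii::app()->request->getParam('preview', 0);`. If the value is echoed into a page, escaping belongs at that output site, with `ENT_QUOTES | ENT_SUBSTITUTE` and an explicit `'UTF-8'` charset, rather than at the input read. The enclosing run() continues outside the hunk, so how `$sPreview` is consumed (and whether anything compares it strictly against `0`) cannot be confirmed here. The neighbouring `$sMode` read on the line above stays unescaped, so a short comment explaining why `preview` alone is treated this way would help the next reader.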