diff --git a/include/class.sla.php b/include/class.sla.php
index 12d7beabf9..af30a7b59f 100644
--- a/include/class.sla.php
+++ b/include/class.sla.php
@@ -106,7 +106,7 @@ static function getVarScope() {
 }

 function update($vars, &$errors) {
-
+ $vars = Format::htmlchars($vars);
 if (!$vars['grace_period'])
 $errors['grace_period'] = __('Grace period required');
 elseif (!is_numeric($vars['grace_period']))
@@ -208,6 +208,7 @@ static function getIdByName($name) {
 }

 static function create($vars=false, &$errors=array()) {
+ $vars = Format::htmlchars($vars);
 $sla = new static($vars);
 $sla->created = SqlFunction::NOW();
 return $sla;
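Review bot: The added `$vars = Format::htmlchars($vars);` at the top of update() encodes the SLA fields before validation and storage, so the database holds entity-encoded text instead of the raw value being escaped where it is rendered; the same line is added in create() in the second hunk. That covers only these two write paths. Any other code that writes or prints an SLA field still needs its own escaping, and a view that already escapes on output may show double-encoded text unless the helper skips existing entities (its body is not shown here). Non-HTML consumers such as API responses, e-mail and exports would also receive the encoded form. If input-side encoding is kept as defence in depth, state the contract in a comment, e.g. `// SLA fields are persisted HTML-encoded; render sites must not encode them a second time`, and check that the validation later in update() (its body continues outside the hunk) still behaves correctly on encoded strings.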
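Review bot: In create() the default `$vars=false` now passes through `Format::htmlchars()` before reaching `new static($vars)`. If the helper casts non-array input to a string (its implementation is not visible here), the constructor would receive `''` rather than `false` on the no-argument path. Guarding the call keeps the previous behaviour for that case: `if (is_array($vars)) $vars = Format::htmlchars($vars);`.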