diff --git a/admin/include/functions.php b/admin/include/functions.php
index 1657b24c6a..b2e51c5a37 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
@@ -2365,6 +2365,9 @@ function get_extents($start='')
 */
 function create_tag($tag_name)
 {
+ // clean the tag, no html/js allowed in tag name
+ $tag_name = strip_tags($tag_name);
+
 // does the tag already exists?
 $query = '
 SELECT id
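Review bot: `strip_tags()` at the top of `create_tag()` is input filtering, not output encoding: it leaves quotes and `&` in `$tag_name`, so the stored name is still unsafe wherever it is printed inside an HTML attribute or a script block. Keep escaping at the output side as well, e.g. `htmlspecialchars($tag_name, ENT_QUOTES, 'UTF-8')` in the code that renders tag names (not visible in this hunk). The call can also reduce a name made only of markup to an empty string, and nothing in the visible lines rejects that before the lookup query; a guard such as `if (trim($tag_name) === '') { /* return the function's existing error result */ }` right after the strip would cover it. The function body continues past the hunk, and any other path that writes tag names without going through `create_tag()` presumably needs the same cleaning.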