diff --git a/htdocs/document.php b/htdocs/document.php
index 4a323bd89b3..3808dd755fd 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -219,7 +219,7 @@ if (!$accessallowed)
 if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $fullpath_original_file))
 {
 dol_syslog("Refused to deliver file ".$fullpath_original_file);
- print "ErrorFileNameInvalid: ".$original_file;
+ print "ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
 exit;
 }
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index c2856848dc5..0ddccc537d1 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -236,7 +236,7 @@ if (!$accessallowed)
 if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $fullpath_original_file))
 {
 dol_syslog("Refused to deliver file ".$fullpath_original_file);
- print "ErrorFileNameInvalid: ".$original_file;
+ print "ErrorFileNameInvalid: ".dol_escape_htmltag($original_file);
 exit;
 }
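Review bot: The rejected file name is still reflected to the client at the `print "ErrorFileNameInvalid: "...` line in htdocs/document.php and at the identical line in htdocs/viewimage.php, so the fix depends on `dol_escape_htmltag()` matching whatever context the browser renders the body in. No status code or content type is set in the visible lines (they may be set outside the hunk). Consider dropping the echo altogether, `print "ErrorFileNameInvalid";`, or sending `http_response_code(400); header('Content-Type: text/plain; charset=utf-8');` before the print. The `dol_syslog()` call above writes the raw `$fullpath_original_file`; it is worth confirming that the log writer neutralises line breaks so a crafted name cannot forge log entries. Since both files carry the same refusal block, a shared helper would keep future fixes from having to be applied twice; the enclosing code starts outside both hunks.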