diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 18e2992930c..576e6645cb2 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -165,7 +165,7 @@ if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
     	if ($csrfattack)
     	{
     		//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_HOST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
-    		print "Access refused by CSRF protection in main.inc.php. Referer of form (".$_SERVER['HTTP_REFERER'].") is outside the server that serve this page (with method = ".$_SERVER['REQUEST_METHOD'].").\n";
+    		print "Access refused by CSRF protection in main.inc.php. Referer of form (".htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8').") is outside the server that serve this page (with method = ".$_SERVER['REQUEST_METHOD'].").\n";
         	print "If you access your server behind a proxy using url rewriting, you might check that all HTTP headers are propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file to remove this security check).\n";
     		die;
     	}