diff --git a/templates/default/en/login.php b/templates/default/en/login.php
index 334568122885a33f0274c2ba8463b1c138025121..410a69325f35d0975e485a843a29be8269d6a534 100644
--- a/templates/default/en/login.php
+++ b/templates/default/en/login.php
@@ -30,11 +30,11 @@
 				<td style="padding: .3em;">Username</td>
 				<td><input type="text" tabindex="1" name="username" 
 					<?php if (isset($data['username'])) {
-						echo 'value="' . $data['username'] . '"';
+						echo 'value="' . htmlspecialchars($data['username']) . '"';
 					} ?> /></td>
 				<td style="padding: .4em; rowspan="2">
 					<input type="submit" tabindex="3" value="Login" />
-					<input type="hidden" name="RelayState" value="<?php echo $data['relaystate']; ?>" />
+					<input type="hidden" name="RelayState" value="<?php echo htmlspecialchars($data['relaystate']); ?>" />
 				</td>
 			</tr>
 			<tr>
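Review bot: The two new `htmlspecialchars()` calls rely on the default flags, which on PHP before 8.1 means `ENT_COMPAT` and an empty return value for a string containing a malformed byte sequence, so a username or RelayState with invalid UTF-8 would be silently blanked rather than escaped. Passing the flags explicitly gives the same behaviour on every version: `echo 'value="' . htmlspecialchars($data['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';` and `<input type="hidden" name="RelayState" value="<?php echo htmlspecialchars($data['relaystate'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>" />`. `$data['relaystate']` is still echoed without the `isset()` guard the username field gets; that is pre-existing, but worth aligning while the line is being touched. The unchanged context line `style="padding: .4em; rowspan="2">` is missing the closing quote of the style attribute, which swallows the rowspan; not part of this change, but it sits in the same hunk.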