diff --git a/apps/files_external/templates/settings.php b/apps/files_external/templates/settings.php
index d7a4dd5150d75497b05f256c4768861159188d3f..3709fd2e51d5034f0110d79631d22834fa07d68b 100644
--- a/apps/files_external/templates/settings.php
+++ b/apps/files_external/templates/settings.php
@@ -18,7 +18,7 @@
 			<?php foreach ($_['mounts'] as $mountPoint => $mount): ?>
 				<tr <?php echo ($mountPoint != '') ? 'class="'.$mount['class'].'"' : 'id="addMountPoint"'; ?>>
 					<td class="mountPoint"><input type="text" name="mountPoint"
-												  value="<?php echo $mountPoint; ?>"
+												  value="<?php p($mountPoint); ?>"
 												  placeholder="<?php echo $l->t('Mount point'); ?>" /></td>
 					<?php if ($mountPoint == ''): ?>
 						<td class="backend">
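Review bot: `$mount['class']` on the `<tr>` line is still written into a `class="…"` attribute with a plain `echo`, while the same row now escapes `$mountPoint` through `p()`. Whether that value can carry user-controlled text is not visible in this hunk, but escaping it would keep the row consistent: `'class="'.htmlspecialchars($mount['class'], ENT_QUOTES, 'UTF-8').'"'`. The placeholder's `echo $l->t('Mount point')` has the same shape, so a translated string containing a double quote would break out of the attribute. The `foreach` body continues past the end of the hunk.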
diff --git a/settings/js/users.js b/settings/js/users.js
index 086b0884a3b402a33fa3a2de2de2848ebcd825a0..63a6204983931af387f192105d4edf858882d680 100644
--- a/settings/js/users.js
+++ b/settings/js/users.js
@@ -182,7 +182,7 @@ var UserList = {
 			var addGroup = function (select, group) {
 				$('select[multiple]').each(function (index, element) {
 					if ($(element).find('option[value="' + group + '"]').length === 0 && select.data('msid') !== $(element).data('msid')) {
-						$(element).append('<option value="' + group + '">' + group + '</option>');
+						$(element).append('<option value="' + escapeHTML(group) + '">' + escapeHTML(group) + '</option>');
 					}
 				})
 			};
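Review bot: The `value="…"` attribute in the appended `<option>` is only safe if `escapeHTML` also encodes double quotes, which this hunk does not show. A helper that encodes only `<`, `>` and `&` would still let a group name close the attribute. Building the element through the DOM removes that dependency: `$(element).append($('<option>').val(group).text(group));`. The selector two lines above still concatenates the raw name, `find('option[value="' + group + '"]')`, so a name containing `"` or `]` makes the selector invalid or matches the wrong option; `$(element).find('option').filter(function () { return this.value === group; }).length === 0` compares the value without parsing it. `addGroup` sits inside `UserList`, which starts outside the hunk.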