diff --git a/apps/gallery/lib/tiles.php b/apps/gallery/lib/tiles.php
index 2bc8d4fcce0519a3d6ee502964e7665779499a76..011168471f0f5f06818a4ebe7bb97f28c7f740c9 100644
--- a/apps/gallery/lib/tiles.php
+++ b/apps/gallery/lib/tiles.php
@@ -168,7 +168,7 @@ class TileStack extends TileBase {
 	}
 	
 	public function getOnClickAction() {
-		return 'javascript:openNewGal(\''.$this->stack_name.'\');';
+		return 'javascript:openNewGal(\''.\OCP\Util::sanitizeHTML($this->stack_name).'\');';
 	}
 
 	private $tiles_array;
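Review bot: HTML-entity encoding is the wrong escaping layer for a value spliced into a JavaScript string literal as on the new line in getOnClickAction: if the returned string is emitted into an `href`/`onclick` attribute, the browser decodes the entities before the script engine runs, so an encoded quote in `stack_name` becomes a bare `'` again and terminates the literal, and a trailing backslash (which an htmlentities-style sanitizer leaves untouched) escapes the closing quote. The literal should be produced by a JS-aware encoder first and only then HTML-escaped for the attribute, e.g. `return 'javascript:openNewGal(' . \OCP\Util::sanitizeHTML(json_encode($this->stack_name)) . ');';`. Where the result of getOnClickAction is inserted is outside this hunk, so the attribute context should be confirmed against the caller before relying on either layer.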
diff --git a/apps/gallery/templates/index.php b/apps/gallery/templates/index.php
index 1890552fc0c1dab88c33f675dbdf58bde4237ee8..037e53059d116bd627dce5fd00fc84c43565fe90 100644
--- a/apps/gallery/templates/index.php
+++ b/apps/gallery/templates/index.php
@@ -1,6 +1,6 @@
 <script type="text/javascript">
 
-var root = "<?php echo $_['root']; ?>";
+var root = "<?php echo OCP\Util::sanitizeHTML($_['root']); ?>";
 
 $(document).ready(function() {
 		$("a[rel=images]").fancybox({
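Review bot: Inside a `<script>` element the HTML parser does not decode entities, so the encoding added on the `var root` line stops a breakout (`"` and `<` are encoded) but presumably leaves `root` holding a different value than `$_['root']` whenever the path contains `&` or quotes — the script sees `&amp;`/`&quot;` literally — while a trailing backslash, which sanitizeHTML does not touch, still escapes the closing quote and turns the statement into a syntax error. A JS literal in script context should be emitted with `json_encode` and the HEX flags so that neither quotes nor `</script>` can appear: `var root = <?php echo json_encode($_['root'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;`. Note the surrounding double quotes are dropped because json_encode supplies them.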