diff --git a/core/templates/login.php b/core/templates/login.php
index a40bf5c330a8da2a3cc0655b87f29c21f74b5b03..41d6ba41ef8e0df52d9d04e7f67ca3e557664a98 100644
--- a/core/templates/login.php
+++ b/core/templates/login.php
@@ -1,7 +1,7 @@
 <!--[if IE 8]><style>input[type="checkbox"]{padding:0;}</style><![endif]-->
 <form action="index.php" method="post">
 <fieldset>
- <?php if(!empty($_['redirect'])) { echo '<input type="hidden" name="redirect_url" value="'.$_['redirect'].'" />'; } ?>
+ <?php if(!empty($_['redirect'])) { echo '<input type="hidden" name="redirect_url" value="'.htmlentities($_['redirect']).'" />'; } ?>
 <?php if($_['error']): ?>
 <a href="./core/lostpassword/"><?php echo $l->t('Lost your password?'); ?></a>
 <?php endif; ?>
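Review bot: The new `htmlentities($_['redirect'])` call on the hidden `redirect_url` input relies on the function's default flags and charset, which differ between PHP versions. With the older defaults single quotes are left unescaped (safe only while the attribute stays double-quoted) and the input is treated as ISO-8859-1, which mangles non-ASCII UTF-8 values; passing them explicitly, `htmlspecialchars($_['redirect'], ENT_QUOTES, 'UTF-8')`, makes the escaping independent of the runtime. Escaping also only protects the HTML context: the code that later consumes the posted `redirect_url` is not visible in this hunk, so it should be confirmed that it restricts the target to local paths. The form continues past the end of the hunk.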