diff --git a/include/staff/tpl.inc.php b/include/staff/tpl.inc.php
index fff7e85dad6f77e8a1c4bd593f1ea7ba7af670e4..9faa9d33b46fc249016ab4a68660b1508bce11f9 100644
--- a/include/staff/tpl.inc.php
+++ b/include/staff/tpl.inc.php
@@ -77,7 +77,7 @@ $tpl=$msgtemplates[$selected];
 <form action="templates.php?id=<?php echo $id; ?>&amp;a=manage" method="post" id="save">
 <?php csrf_token(); ?>
 <?php foreach ($extras as $k=>$v) { ?>
-    <input type="hidden" name="<?php echo $k; ?>" value="<?php echo $v; ?>" />
+    <input type="hidden" name="<?php echo $k; ?>" value="<?php echo Format::htmlchars($v); ?>" />
 <?php } ?>
 <input type="hidden" name="id" value="<?php echo $id; ?>">
 <input type="hidden" name="a" value="manage">
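Review bot: The hidden input on the changed line still writes `$k` into the `name` attribute unencoded, so a key containing a double quote would break out of the attribute just as the value could before this change; encode it the same way, `name="<?php echo Format::htmlchars($k); ?>"`. Where `$extras` is built is not visible in this hunk, so whether its keys can carry request-supplied text should be confirmed there. The context lines also echo `$id` raw into the form `action` and the `id` hidden field; unless `$id` is already forced to an integer upstream, it needs `Format::htmlchars($id)` or an int cast as well.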