diff --git a/include/ajax.sequence.php b/include/ajax.sequence.php
index 37be03269c87483a77e8d99cc7aaf840ffaeae34..299e8c3223d7a1d8262cc40c8919ac44fbde534f 100644
--- a/include/ajax.sequence.php
+++ b/include/ajax.sequence.php
@@ -33,7 +33,7 @@ class SequenceAjaxAPI extends AjaxController {
         elseif (!($sequence = Sequence::lookup($id)))
             Http::response(404, 'No such object');
 
-        return $sequence->current($_GET['format']);
+        return $sequence->current(Format::htmlchars($_GET['format']));
     }
 
     /**
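Review bot: Escaping `$_GET['format']` with `Format::htmlchars` on the new line addresses only the HTML-output context; if `Sequence::current()` interprets the value as a format specifier rather than echoing it verbatim (not visible here), escaping is the wrong layer and the fix should validate the input against the formats the method accepts. The parameter is also read without an existence or type check, so a missing `format` still produces an undefined-index notice, and an array value (`?format[]=x`) reaches `Format::htmlchars` unvalidated. A minimal guard before the return would be `$format = $_GET['format'] ?? null;` followed by `if (!is_string($format)) Http::response(400, 'Invalid format');` and then `return $sequence->current(Format::htmlchars($format));`. The enclosing method begins above the hunk, so its other parameter handling could not be reviewed.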