diff --git a/include/class.forms.php b/include/class.forms.php
index ded5e766371c9b05c8a53e1db062b4a4c5629ac8..c3396edabb62f18089d60bdad28cc01951b4098a 100644
--- a/include/class.forms.php
+++ b/include/class.forms.php
@@ -1017,12 +1017,13 @@ class PhoneNumberWidget extends Widget {
         list($phone, $ext) = explode("X", $this->value);
         ?>
         <input type="text" name="<?php echo $this->name; ?>" value="<?php
-        echo $phone; ?>"/><?php
+        echo Format::htmlchars($phone); ?>"/><?php
         // Allow display of extension field even if disabled if the phone
         // number being edited has an extension
         if ($ext || $config['ext']) { ?> Ext:
             <input type="text" name="<?php
-            echo $this->name; ?>-ext" value="<?php echo $ext; ?>" size="5"/>
+            echo $this->name; ?>-ext" value="<?php echo Format::htmlchars($ext);
+                ?>" size="5"/>
         <?php }
     }