diff --git a/include/ajax.tickets.php b/include/ajax.tickets.php
index 8d7228dea69f4c74eb6eb464be1cf6bcdf5aa766..9933fb28abdc38e645392e6e0c5c152aa2306d8f 100644
--- a/include/ajax.tickets.php
+++ b/include/ajax.tickets.php
@@ -785,9 +785,11 @@ class TicketsAjaxAPI extends AjaxController {
     }
 
     function triggerThreadAction($ticket_id, $thread_id, $action) {
-        $thread = ThreadEntry::lookup($thread_id, $ticket_id);
+        $thread = ThreadEntry::lookup($thread_id);
         if (!$thread)
             Http::response(404, 'No such ticket thread entry');
+        if ($thread->getThread()->getObjectId() != $ticket_id)
+            Http::response(404, 'No such ticket thread entry');
 
         $valid = false;
         foreach ($thread->getActions() as $group=>$list) {
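Review bot: The added ownership check `$thread->getThread()->getObjectId() != $ticket_id` calls `getObjectId()` on the result of `getThread()` without a null guard and compares with loose `!=`, so an entry whose parent thread fails to load would end in a fatal error instead of the 404, and PHP type juggling decides whether a request-supplied `$ticket_id` matches. I would write it as `$parent = $thread->getThread();` followed by `if (!$parent || (string) $parent->getObjectId() !== (string) $ticket_id)`. The check also matches on object id alone; if threads can belong to objects other than tickets (not visible here), the thread's object type should be compared as well, otherwise an entry from a non-ticket thread with the same numeric id would pass. The body of triggerThreadAction continues past the hunk, so whether the staff member's access to the ticket itself is verified later cannot be confirmed from these lines.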
diff --git a/include/staff/templates/thread-email-headers.tmpl.php b/include/staff/templates/thread-email-headers.tmpl.php
index 6e2f45809e0e9dc7d985b92eff1252fcb52ca7a0..a84216ab46be6c4816a679ada4a1e77ff96e5216 100644
--- a/include/staff/templates/thread-email-headers.tmpl.php
+++ b/include/staff/templates/thread-email-headers.tmpl.php
@@ -3,7 +3,7 @@
 <hr/>
 
 <pre style="max-height: 300px; overflow-y: scroll">
-<?php echo $headers; ?>
+<?php echo Format::htmlchars($headers); ?>
 </pre>
 
 <hr>
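Review bot: Nothing next to the `echo` on the changed line records that `$headers` is untrusted, so the escaping could be dropped again in a later cleanup; judging by the template name it presumably holds the raw header block of a received email, which the sender controls. I would put a short comment before the `<pre>` element, e.g. `<?php /* $headers is raw, sender-controlled mail header text: always escape on output */ ?>`. The first two lines of the template are outside the hunk, so any other values echoed there should be checked for the same escaping.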