diff --git a/include/api.tickets.php b/include/api.tickets.php
index 4ff2fbdad44beed212f7ef6e15bd61320ab86489..1cff0b424bae9c36e5c0b502abb35b3f43015ac6 100644
--- a/include/api.tickets.php
+++ b/include/api.tickets.php
@@ -93,7 +93,7 @@ class TicketApiController extends ApiController {
                 catch (FileUploadError $ex) {
                     $name = $file['name'];
                     $file = array();
-                    $file['error'] = $name . ': ' . $ex->getMessage();
+                    $file['error'] = Format::htmlchars($name) . ': ' . $ex->getMessage();
                 }
             }
             unset($file);
diff --git a/include/class.mailfetch.php b/include/class.mailfetch.php
index a2d44337cba644684d9fd30c8a882879d7163bba..dd7edd815653fee8a8fb3f0a81e79863dc3d9a94 100644
--- a/include/class.mailfetch.php
+++ b/include/class.mailfetch.php
@@ -847,7 +847,7 @@ class MailFetcher {
                 catch (FileUploadError $ex) {
                     $name = $file['name'];
                     $file = array();
-                    $file['error'] = $name . ': ' . $ex->getMessage();
+                    $file['error'] = Format::htmlchars($name) . ': ' . $ex->getMessage();
                 }
 
                 $vars['attachments'][] = $file;