diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 8cbd96803715b2b1c53f8a2adbdcfbe2c5e6eda7..48dd4ffc0c0575d34e6ea422e6d27c16bc675312 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -905,9 +905,12 @@ public class I2PSnarkServlet extends Default {
     private void writeAddForm(PrintWriter out, HttpServletRequest req) throws IOException {
         String uri = req.getRequestURI();
         String newURL = req.getParameter("newURL");
-        if ( (newURL == null) || (newURL.trim().length() <= 0) ) newURL = "";
-        String newFile = req.getParameter("newFile");
-        if ( (newFile == null) || (newFile.trim().length() <= 0) ) newFile = "";
+        if ( (newURL == null) || (newURL.trim().length() <= 0) )
+            newURL = "";
+        else
+            newURL = DataHelper.stripHTML(newURL);    // XSS
+        //String newFile = req.getParameter("newFile");
+        //if ( (newFile == null) || (newFile.trim().length() <= 0) ) newFile = "";
         
         out.write("<span class=\"snarkNewTorrent\">\n");
         // *not* enctype="multipart/form-data", so that the input type=file sends the filename, not the file
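Review bot: The new `DataHelper.stripHTML(newURL)` on line 15 sanitizes the parameter where it is read rather than escaping it where it is written into the form (outside this hunk), so the protection depends on what stripHTML does to `"`, `'` and `&` in whatever context the value lands in; if newURL ends up inside a `value="…"` attribute, an attribute-aware escape at the `out.write` site is the more robust fix, with the read-time strip at most as defence in depth. The emptiness test trims but the escaped value is the untrimmed one; `newURL = DataHelper.stripHTML(newURL.trim());` would make the two agree unless the surrounding whitespace is wanted. The commented-out `newFile` lines 16–17 are dead code and should be deleted rather than kept as comments. The same read-time stripping pattern is introduced at line 29 for `baseFile` in writeSeedForm. writeAddForm continues past the end of the hunk.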
@@ -935,8 +938,10 @@ public class I2PSnarkServlet extends Default {
     private void writeSeedForm(PrintWriter out, HttpServletRequest req) throws IOException {
         String uri = req.getRequestURI();
         String baseFile = req.getParameter("baseFile");
-        if (baseFile == null)
+        if (baseFile == null || baseFile.trim().length() <= 0)
             baseFile = "";
+        else
+            baseFile = DataHelper.stripHTML(baseFile);    // XSS
         
         out.write("<div class=\"newtorrentsection\"><span class=\"snarkNewTorrent\">\n");
         // *not* enctype="multipart/form-data", so that the input type=file sends the filename, not the file