diff --git a/public/include/pages/login.inc.php b/public/include/pages/login.inc.php
index 32f1b2b4..4ed4e26f 100644
--- a/public/include/pages/login.inc.php
+++ b/public/include/pages/login.inc.php
@@ -10,7 +10,7 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST
   $port = ($_SERVER["SERVER_PORT"] == "80" or $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
   $location = @$_SERVER['HTTPS'] === true ? 'https://' . $_SERVER['SERVER_NAME'] . $port . $to : 'http://' . $_SERVER['SERVER_NAME'] . $port . $to;
   if (!headers_sent()) header('Location: ' . $location);
-  exit('<meta http-equiv="refresh" content="0; url=' . $location . '"/>');
+  exit('<meta http-equiv="refresh" content="0; url=' . htmlspecialchars($location) . '"/>');
 } else if (@$_POST['username'] && @$_POST['password']) {
   $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
 }