diff --git a/common.php b/common.php
index a09d7d4..6521b8d 100644
--- a/common.php
+++ b/common.php
@@ -389,7 +389,7 @@ function main($path)
 $url = proxy_replace_domain($url, $domainforproxy, $header);
 }
 return output('', 302, $header);
- } else return output('No ' . $_GET['random'] . 'file', 404);
+ } else return output('No ' . htmlspecialchars($_GET['random']) . 'file', 404);
 } else return output('Hidden', 401);
 }
 // is file && not preview mode, download file
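Review bot: The added `htmlspecialchars($_GET['random'])` on the 404 branch relies on the default flags and charset, which before PHP 8.1 leave single quotes unescaped and take the encoding from `default_charset`. Passing them explicitly keeps the escaping independent of the runtime: `htmlspecialchars($_GET['random'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The parameter can also arrive as an array, in which case the call fails with a TypeError on PHP 8 instead of returning the 404, so an `is_string($_GET['random'])` guard ahead of this branch is worth adding. How `output()` renders the message is not visible here, and main() starts and ends outside this hunk, so other places that echo request parameters should be checked separately.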