diff --git a/DynmapCore/src/main/resources/extracted/web/standalone/MySQL_markers.php b/DynmapCore/src/main/resources/extracted/web/standalone/MySQL_markers.php
index 688ebe6d..cfa55921 100644
--- a/DynmapCore/src/main/resources/extracted/web/standalone/MySQL_markers.php
+++ b/DynmapCore/src/main/resources/extracted/web/standalone/MySQL_markers.php
@@ -19,7 +19,7 @@ if (strcmp($userid, '-guest-')) { $loggedin = true; }
-$path = $_REQUEST['marker'];
+$path = htmlspecialchars($_REQUEST['marker']);
 if ((!isset($path)) || strstr($path, "..")) {
 header('HTTP/1.0 500 Error');
 echo "
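Review bot: Wrapping `$_REQUEST['marker']` in `htmlspecialchars()` on the `$path` assignment makes the `!isset($path)` test on the next line ineffective, because the function returns a string whenever it returns at all; a request without a `marker` parameter now continues with an empty string instead of reaching the 500 branch, and an array value (`marker[]=…`) is not handled either. The encoded value is also what every later use of `$path` receives, presumably a lookup key or file name below this hunk, so `&`, `<`, `>` and `"` in a legitimate marker name are altered before the lookup while the `..` check is unchanged. I would validate the raw value, `$path = $_REQUEST['marker'] ?? null;` with `!is_string($path)` in the guard, and escape only where the value is echoed, `htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The `if` block that prints the error continues past the end of the hunk, so the echo sites are not visible here.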