diff --git a/javascript/bigup.js b/javascript/bigup.js
index bd84fc15eb49bb308f378dc6ad6c83aeea93282e..5b9b5be4e6efb74bb05e909e65499440749ef856 100644
--- a/javascript/bigup.js
+++ b/javascript/bigup.js
@@ -190,18 +190,28 @@ function Bigup(params, opts, callbacks) {
 				var extension = $.trouver_extension(file.name);
 
 				var template =
-					'\n<div class="fichier">'
-					+ '\n\t<div class="description">'
-					+ '\n\t\t<div class="vignette_extension ' + extension + '" title="' + file.type + '"><span></span></div>'
-					+ '\n\t\t<div class="infos">'
-					+ '\n\t\t\t<span class="name"><strong>' + file.name + '</strong></span>'
-					+ '\n\t\t\t<span class="size">' + $.taille_en_octets(file.size) + '</span>'
-					+ '\n\t\t</div>'
-					+ '\n\t\t<div class="actions">'
-					+ '\n\t\t\t<span class="bigup-btn btn btn-default cancel" onClick="$.bigup_enlever_fichier(this); return false;">' + _T("bigup:bouton_annuler") + '</span>'
-					+ '\n\t\t</div>'
-					+ '\n\t</div>'
-					+ '\n</div>\n';
+					'\n<div class="fichier">' +
+					'\n\t<div class="description">' +
+					'\n\t\t<div class="vignette_extension ' +
+					$.escapeHtml(extension) +
+					'" title="' +
+					file.type +
+					'"><span></span></div>' +
+					'\n\t\t<div class="infos">' +
+					'\n\t\t\t<span class="name"><strong>' +
+					$.escapeHtml(file.name) +
+					'</strong></span>' +
+					'\n\t\t\t<span class="size">' +
+					$.taille_en_octets(file.size) +
+					'</span>' +
+					'\n\t\t</div>' +
+					'\n\t\t<div class="actions">' +
+					'\n\t\t\t<span class="bigup-btn btn btn-default cancel" onClick="$.bigup_enlever_fichier(this);">' +
+					_T('bigup:bouton_annuler') +
+					'</span>' +
+					'\n\t\t</div>' +
+					'\n\t</div>' +
+					'\n</div>\n';
 
 				return template;
 			}
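Review bot: `file.type` in the `title="..."` attribute is still interpolated raw while `extension` and `file.name` now go through `$.escapeHtml`; a MIME string containing `"` would break out of the attribute and land in the markup. It comes from the File object's `type` property, which the browser derives from the file rather than from arbitrary user text, so the realistic risk is low, but for consistency every dynamic value in this template should be escaped: `'" title="' + $.escapeHtml(file.type) + '"><span></span></div>' +`. I can't see what `$.taille_en_octets` returns for `file.size`; if it ever includes anything other than digits and a unit it should get the same treatment. The template builder sits inside `Bigup(params, opts, callbacks)`, which starts before this hunk.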
diff --git a/javascript/bigup.utils.js b/javascript/bigup.utils.js
index 872123be66c296f03411811580a853d73af7d27b..4a1bad9dbb8c7c471ec92d56b60504dd0dd2551a 100644
--- a/javascript/bigup.utils.js
+++ b/javascript/bigup.utils.js
@@ -171,4 +171,14 @@ $.mime_type_image = function(extension) {
 			break;
 	}
 	return mime;
-};
\ No newline at end of file
+};
+
+/** Escape HTML */
+$.escapeHtml = function(unsafe) {
+	return unsafe
+		.replaceAll('&', '&amp;')
+		.replaceAll('<', '&lt;')
+		.replaceAll('>', '&gt;')
+		.replaceAll('"', '&quot;')
+		.replaceAll("'", '&#039;');
+}