diff --git a/pandora_console/godmode/setup/file_manager.php b/pandora_console/godmode/setup/file_manager.php
index 77a19d0072..201eb2507c 100644
--- a/pandora_console/godmode/setup/file_manager.php
+++ b/pandora_console/godmode/setup/file_manager.php
@@ -63,7 +63,7 @@ if (empty($directory) === true) {
 $real_directory = realpath($config['homedir'].'/'.$directory);
-echo '

'.__('Index of %s', $directory).'

';
+echo '

'.__('Index of %s', io_safe_input($directory)).'

';
 $upload_file = (bool) get_parameter('upload_file');
 $create_text_file = (bool) get_parameter('create_text_file');
diff --git a/pandora_console/include/functions_filemanager.php b/pandora_console/include/functions_filemanager.php
index 0879ce678c..b4b648b210 100644
--- a/pandora_console/include/functions_filemanager.php
+++ b/pandora_console/include/functions_filemanager.php
@@ -670,16 +670,16 @@ function filemanager_file_explorer(
 }
 if ($fileinfo['is_dir']) {
- $data[1] = ''.$fileinfo['name'].'';
+ $data[1] = ''.io_safe_input($fileinfo['name']).'';
 } else if (empty($url_file) === false) {
 // Set the custom url file.
 $url_file_clean = str_replace('[FILE_FULLPATH]', $fileinfo['realpath'], $url_file);
- $data[1] = ''.$fileinfo['name'].'';
+ $data[1] = ''.io_safe_input($fileinfo['name']).'';
 } else {
 $filename = base64_encode($relative_directory.'/'.$fileinfo['name']);
 $hash = md5($filename.$config['server_unique_identifier']);
- $data[1] = ''.$fileinfo['name'].'';
+ $data[1] = ''.io_safe_input($fileinfo['name']).'';
 }
 // Notice that uploaded php files could be dangerous.
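Review bot: In the file_manager.php hunk the heading now encodes `$directory`, but the context line directly above still feeds the same value into `realpath($config['homedir'].'/'.$directory)`, and no containment check is visible here. Unless one already exists outside the hunk, the code after that call should reject a `false` result and confirm that `$real_directory` begins with `realpath($config['homedir']).DIRECTORY_SEPARATOR` before anything is listed, uploaded or created. The markup around the heading is stripped on this page, so only the text node can be confirmed as encoded. A short comment above the `echo` saying that `$directory` is request-derived and is encoded at output would also help.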
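Review bot: In the filemanager_file_explorer() hunk only the link text is encoded; `$fileinfo['realpath']` is still substituted raw into `$url_file_clean`, and `$filename` and `$hash` are built from the unencoded name. The anchor markup is stripped on this page, so whether those values reach an `href` cannot be confirmed; if they do, each needs encoding for the URL and attribute context, not only the text node. The three changed lines repeat the same call, so a single `$safe_name = io_safe_input($fileinfo['name']);` before the `if` would keep the branches consistent. Separately, `md5($filename.$config['server_unique_identifier'])` is a secret-suffix digest, and `hash_hmac('sha256', $filename, $config['server_unique_identifier'])` would be the sturdier construction, provided the verifying side changes in the same commit. The function body starts and ends outside the hunk.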