Index: scheduler/client.c
===================================================================
--- a/scheduler/client.c	(revision 11597)
+++ b/scheduler/client.c	(working copy)
@@ -3316,6 +3316,14 @@
     return (0);
 
  /*
+  * Check for "<" or quotes in the path and reject since this is probably
+  * someone trying to inject HTML...
+  */
+
+  if (strchr(path, '<') != NULL || strchr(path, '\"') != NULL || strchr(path, '\'') != NULL)
+    return (0);
+
+ /*
   * Check for "/.." in the path...
   */