--- ./import.php.orig
+++ ./import.php
@@ -409,11 +409,11 @@
 $message->addParam($executed_queries);
 $message->addString($import_notice);
- $message->addString('(' . $_FILES['import_file']['name'] . ')');
+ $message->addString('(' . htmlspecialchars($_FILES['import_file']['name']) . ')');
 } else {
 $message = PMA_Message::success(__('Import has been successfully finished, %d queries executed.'));
 $message->addParam($executed_queries);
- $message->addString('(' . $_FILES['import_file']['name'] . ')');
+ $message->addString('(' . htmlspecialchars($_FILES['import_file']['name']) . ')');
 }
 }
 }
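Review bot: Both added `htmlspecialchars()` calls rely on the default flags and charset, which differ between PHP versions (before 8.1 the default leaves single quotes unescaped, and an invalid byte sequence in the client-supplied file name can make the call return an empty string). Passing them explicitly keeps the escaping predictable wherever the message is rendered: `htmlspecialchars($_FILES['import_file']['name'], ENT_QUOTES, 'UTF-8')`. The same expression is repeated in the `if` and `else` branches, so computing it once before the branch would keep the two outputs from drifting apart. `$import_notice` on the context line above is still passed to `addString()` unescaped; whether it can carry user-influenced text is not visible in this hunk and is worth confirming. The enclosing block starts before the hunk.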