--- ./import.php.orig
+++ ./import.php
@@ -549,9 +549,9 @@
 $message->addString($import_notice);
 if (isset($local_import_file)) {
- $message->addString('(' . $local_import_file . ')');
+ $message->addString('(' . htmlspecialchars($local_import_file) . ')');
 } else {
- $message->addString('(' . $_FILES['import_file']['name'] . ')');
+ $message->addString('(' . htmlspecialchars($_FILES['import_file']['name']) . ')');
 }
 } else {
 $message = PMA_Message::success(
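Review bot: Both added `htmlspecialchars()` calls rely on the function's default flags and charset, which differ between PHP versions and ini settings (before PHP 8.1 the default flags leave single quotes unescaped). Passing them explicitly keeps the escaping independent of the runtime, e.g. `htmlspecialchars($local_import_file, ENT_QUOTES, 'UTF-8')` and the same for `$_FILES['import_file']['name']`, assuming the page is emitted as UTF-8. The context line `$message->addString($import_notice);` is still appended unescaped; whether `$import_notice` can carry request-derived text is not visible here, so it deserves the same check. The enclosing if/else starts and ends outside the hunk, so other `addString()` callers on this path could not be reviewed.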