diff --git a/data/web/mobileconfig.php b/data/web/mobileconfig.php
index 7c0ead7f5..c57c48857 100644
--- a/data/web/mobileconfig.php
+++ b/data/web/mobileconfig.php
@@ -65,6 +65,7 @@ if (isset($_GET['app_password'])) {
       $attr['protocols'][] = 'dav_access';
   }
   app_passwd("add", $attr);
+  $password = htmlspecialchars($password, ENT_NOQUOTES);
 } else {
   $app_password = false;
 }