diff --git a/CHANGES.md b/CHANGES.md
index 24ac364a3..4cb143465 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,7 @@ Changes in 8.9.4
 ----------------
 - Fix SQL injection sanitize all `$_REQUEST` keys in Warehouse.php, thanks to @nhienit2010
+- Fix reflected XSS via mime-type in FileUpload.fnc.php, thanks to @nhienit2010
 Changes in 8.9.3
 ----------------
diff --git a/ProgramFunctions/FileUpload.fnc.php b/ProgramFunctions/FileUpload.fnc.php
index f6c8af125..05ed2f65a 100644
--- a/ProgramFunctions/FileUpload.fnc.php
+++ b/ProgramFunctions/FileUpload.fnc.php
@@ -49,7 +49,8 @@ function FileUpload( $input, $path, $ext_white_list, $size_limit, &$error, $fina
 {
 	$error[] = sprintf(
 		_( 'Wrong file type: %s (%s required)' ),
-		$_FILES[ $input ]['type'],
+		// Fix reflected XSS via mime-type.
+		strip_tags( $_FILES[ $input ]['type'] ),
 		implode( ', ', $ext_white_list )
 	);
 }
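Review bot: `strip_tags()` on the added line is a tag filter, not an HTML encoder, so it does not reliably close the XSS: it leaves `"`, `'` and `&` untouched (which matters if `$error` is ever rendered inside an attribute or a JavaScript string), and it silently truncates the value at an unclosed `<`, mangling the message a user sees. Since `$_FILES[...]['type']` is a client-controlled header and the error text is emitted by a caller outside this hunk, the safer fix is proper context-aware escaping of the untrusted value, `htmlspecialchars( $_FILES[ $input ]['type'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ),`, or better, escaping at the point where `$error` entries are echoed so every message is covered uniformly. The `// Fix reflected XSS via mime-type.` comment would read better as a why-comment, e.g. `// Browser-supplied MIME type is untrusted input; escape before it reaches the page.`. The body of FileUpload begins and ends outside this hunk, so I cannot confirm how `$error` is displayed.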