diff --git a/CHANGES.md b/CHANGES.md
index 9ded02ad9..33f44155e 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,10 @@
 # CHANGES
 ## RosarioSIS Student Information System
+Changes in 9.0.1
+----------------
+- Fix stored XSS security issue: decode HTML entities from URL in PreparePHP_SELF.fnc.php, thanks to @domiee13
+
 Changes in 9.0
 --------------
 - CSS add length to previous meals select in DailyMenus.php
diff --git a/functions/PreparePHP_SELF.fnc.php b/functions/PreparePHP_SELF.fnc.php
index f7dfe677b..280b6a03c 100644
--- a/functions/PreparePHP_SELF.fnc.php
+++ b/functions/PreparePHP_SELF.fnc.php
@@ -191,7 +191,7 @@ function( $match ) {
 );
 // Fix stored XSS security issue: decode HTML entities from URL.
-$string = html_entity_decode( (string) $string );
+$string = html_entity_decode( (string) $string, ENT_QUOTES | ENT_HTML5 );
 $remove = [
 // Fix stored XSS security issue: remove inline JS from URL.
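Review bot: The new `html_entity_decode( (string) $string, ENT_QUOTES | ENT_HTML5 )` call leaves the encoding argument at its default, so on PHP versions where that default follows the `default_charset` ini setting the normalization varies between deployments; passing `'UTF-8'` explicitly makes it deterministic. A single decode pass also leaves doubly-encoded entities untouched, so if this value is entity-decoded again anywhere downstream, the `$remove` filter that follows would have run against a still-encoded form and not matched; if such a path exists (not visible in the hunk), decoding in a loop until the string stops changing, before the removal list is applied, closes that gap. The enclosing closure `function( $match )` begins and ends outside the hunk, so where `$string` comes from and how the filtered result is used cannot be checked here.
```php
// Decode to a fixpoint so nested or double-encoded entities cannot slip past the removal list below.
do {
	$previous = $string;
	$string = html_entity_decode( (string) $string, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
} while ( $string !== $previous );

$remove = [
// … unchanged: inline JS removal list …
```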