diff --git a/CHANGES.md b/CHANGES.md
index 4da0fe705..cff43ec6a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -3,7 +3,7 @@ Changes in 8.9.5
 ----------------
-- Fix stored XSS security issue: do not allow unsanitized XML in FileUpload.fnc.php, thanks to @nhienit2010
+- Fix stored XSS security issue: do not allow unsanitized XML & HTML in FileUpload.fnc.php, thanks to @nhienit2010
 - Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha
 Changes in 8.9.4
diff --git a/ProgramFunctions/FileUpload.fnc.php b/ProgramFunctions/FileUpload.fnc.php
index eadc9a8b4..91c0acf60 100644
--- a/ProgramFunctions/FileUpload.fnc.php
+++ b/ProgramFunctions/FileUpload.fnc.php
@@ -839,11 +839,11 @@ function FileExtensionWhiteList() {
 '.msg',
 '.vcf',
 // Web.
-// @since 8.9.5 Fix stored XSS security issue: do not allow unsanitized XML
+// @since 8.9.5 Fix stored XSS security issue: do not allow unsanitized XML & HTML
 // '.xml',
-'.xhtml',
-'.html',
-'.htm',
+// '.xhtml',
+// '.html',
+// '.htm',
 '.css',
 '.rss',
 // Compressed.
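Review bot: `.rss` stays in the whitelist two lines below the entries this commit comments out, yet an RSS feed is an XML document, so depending on the Content-Type the web server assigns to uploads a browser may parse it inline and hit the same stored-XSS path the commit closes for `.xml` (XHTML-namespaced markup or an `xml-stylesheet` processing instruction inside the feed); consider commenting it out the same way, `// '.rss',`, or confirm uploads are never served with an XML media type. More generally, deleting names from an extension list mitigates only the listed extensions and only while this list is the sole gate — the image and document sections of the whitelist are outside this hunk, and if `.svg` is among them it carries the same script-execution risk. Defence in depth belongs at serving time rather than in the list: `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` on the upload directory, or serving uploads from a separate origin, none of which is visible here. `FileExtensionWhiteList()` begins and ends outside the hunk.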