diff --git a/app/subnets/addresses/mail-notify-check.php b/app/subnets/addresses/mail-notify-check.php
index 69e37f0b9..42463ff09 100644
--- a/app/subnets/addresses/mail-notify-check.php
+++ b/app/subnets/addresses/mail-notify-check.php
@@ -21,7 +21,7 @@
 # verify each recipient
 foreach (explode(",", $_POST['recipients']) as $rec) {
 if(!filter_var(trim($rec), FILTER_VALIDATE_EMAIL)) {
- $Result->show("danger", _("Invalid email address")." - ".$rec, true);
+ $Result->show("danger", _("Invalid email address")." - ".escape_input($rec), true);
 }
 }
 # strip html tags
diff --git a/app/tools/temp-shares/edit-result.php b/app/tools/temp-shares/edit-result.php
index 31ca83b7c..27f7db9f1 100644
--- a/app/tools/temp-shares/edit-result.php
+++ b/app/tools/temp-shares/edit-result.php
@@ -27,7 +27,7 @@
 # verify each recipient
 if(strlen($_POST['email'])>0) {
 foreach (explode(",", $_POST['email']) as $rec) {
- if(!filter_var(trim($rec), FILTER_VALIDATE_EMAIL)) { $Result->show("danger", _("Invalid email address")." - ".$rec, true); }
+ if(!filter_var(trim($rec), FILTER_VALIDATE_EMAIL)) { $Result->show("danger", _("Invalid email address")." - ".escape_input($rec), true); }
 }
 }
 
diff --git a/misc/CHANGELOG b/misc/CHANGELOG
index fa6200ceb..751beb65c 100755
--- a/misc/CHANGELOG
+++ b/misc/CHANGELOG
@@ -3,6 +3,7 @@
 Security Fixes:
 ----------------------------
 + XSS (reflected) in 'bw-calulator-result.php';
++ XSS (reflected) by invalid email address response;
 + Restrict find_full_subnets.php to CLI;
 
 == 1.5.0
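Review bot: The rejected recipient is reflected as the raw `$rec` while the validation runs on `trim($rec)`, so the value shown and the value checked can differ by surrounding whitespace; trimming once and reusing it keeps them in step: `$rec = trim($rec); if(!filter_var($rec, FILTER_VALIDATE_EMAIL)) { $Result->show("danger", _("Invalid email address")." - ".escape_input($rec), true); }`. The same pattern applies to the edit-result.php hunk. Whether escape_input() encodes for the HTML-body context that $Result->show() writes into is not visible here; if show() ever places its message inside an attribute or script block, the encoding would have to match that context — please confirm against its definition. The surrounding script, including how $_POST['recipients'] and $_POST['email'] are read, lies outside these hunks.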