diff --git a/bundles/AdminBundle/Controller/Admin/Document/DocumentControllerBase.php b/bundles/AdminBundle/Controller/Admin/Document/DocumentControllerBase.php
index 712cdc85251..de5ab45c1c2 100644
--- a/bundles/AdminBundle/Controller/Admin/Document/DocumentControllerBase.php
+++ b/bundles/AdminBundle/Controller/Admin/Document/DocumentControllerBase.php
@@ -162,6 +162,11 @@ protected function addSettingsToDocument(Request $request, Model\Document $docum
 if ($request->get('settings')) {
 if ($document->isAllowed('settings')) {
 $settings = $this->decodeJson($request->get('settings'));
+
+ if(array_key_exists('prettyUrl' , $settings)){
+ $settings['prettyUrl'] = htmlspecialchars($settings['prettyUrl']);
+ }
+
 $document->setValues($settings);
 }
 }
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/document/pages/settings.js b/bundles/AdminBundle/Resources/public/js/pimcore/document/pages/settings.js
index f2b1d13a999..ab612adadbf 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/document/pages/settings.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/document/pages/settings.js
@@ -224,7 +224,7 @@ pimcore.document.pages.settings = Class.create(pimcore.document.settings_abstrac
 method: "POST",
 params: {
 id: this.document.id,
- path: el.getValue()
+ path: pimcore.helpers.sanitizeUrlSlug(el.getValue())
 },
 success: function (res) {
 res = Ext.decode(res.responseText);
@@ -238,6 +238,10 @@ pimcore.document.pages.settings = Class.create(pimcore.document.settings_abstrac
 }
 }
 });
+ }.bind(this),
+ "change": function (el) {
+ const sanitizedValue = pimcore.helpers.sanitizeUrlSlug(el.getValue());
+ el.setValue(sanitizedValue);
 }.bind(this)
 }
 }
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/helpers.js b/bundles/AdminBundle/Resources/public/js/pimcore/helpers.js
index dcb294e6d4b..3c38c819a6f 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/helpers.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/helpers.js
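Review bot: `htmlspecialchars()` on `$settings['prettyUrl']` HTML-encodes the value that gets persisted instead of validating it: `&`, `<`, `>`, `"` and `'` are stored as entities in the document's pretty URL (and will be encoded a second time wherever that path is rendered), while characters that actually matter for a URL slug — `%`, whitespace, `..`, control characters — pass through untouched. The UI side of this commit strips everything outside `[a-z0-9-_+/]`, so the server enforces a different and weaker rule than the browser, and the browser rule is trivially bypassed by posting the settings JSON directly. Apply the same allow-list here, e.g. `if (array_key_exists('prettyUrl', $settings) && is_string($settings['prettyUrl'])) {` / `    $settings['prettyUrl'] = preg_replace('/[^a-z0-9_\-+\/]/i', '', $settings['prettyUrl']);` / `}`, or reject the request when the value does not match it; the `is_string()` guard also avoids the `TypeError` that `htmlspecialchars()` raises when the decoded JSON carries an array under that key. The `if(` / `){` spacing on the added line does not follow the PSR-12 style of the surrounding code. `addSettingsToDocument()` begins before and continues after this hunk.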
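Review bot: The new `"change"` listener silently rewrites the field — any character `pimcore.helpers.sanitizeUrlSlug` drops is removed from what the user typed with no feedback, and because this runs only in the browser it is a usability aid, not a control; a client that skips the handler can still submit the raw value, so the server-side handling of `prettyUrl` has to be the real check. If pretty URLs containing `.` (file-extension style paths) were accepted before this change, they can no longer be entered through the UI — worth confirming that is intended. I would mark the intent on the handler: `// client-side normalisation only; the server must re-validate prettyUrl`. The `listeners` object this handler is added to begins before the hunk.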
@@ -18,6 +18,10 @@ pimcore.helpers.sanitizeEmail = function (email) {
 return email.replace(/[^a-zA-Z0-9_\-@.+]/g,'');
 };
+pimcore.helpers.sanitizeUrlSlug = function (slug) {
+ return slug.replace(/[^a-z0-9-_+/]/gi, '');
+};
+
 pimcore.helpers.registerKeyBindings = function (bindEl, ExtJS) {
 if (!ExtJS) {