diff --git a/server/resource.go b/server/resource.go
index bbf009edd6628..9021b044b60df 100644
--- a/server/resource.go
+++ b/server/resource.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/usememos/memos/api"
@@ -42,6 +43,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 		}
 
 		filename := file.Filename
+		if strings.HasSuffix(filename, ".html") {
+			return echo.NewHTTPError(http.StatusBadRequest, "html file is not allowed")
+		}
+
 		filetype := file.Header.Get("Content-Type")
 		size := file.Size
 		src, err := file.Open()
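Review bot: The new guard on `filename` is case-sensitive and matches only the literal `.html` suffix, so `index.HTML`, `page.htm`, `page.xhtml` or an `.svg` carrying a script element all pass through and, if uploaded resources are later served from the same origin, still leave the stored-XSS vector this check is presumably meant to close. Compare the lower-cased extension against a small set instead, e.g. `if ext := strings.ToLower(filepath.Ext(filename)); ext == ".html" || ext == ".htm" || ext == ".xhtml" || ext == ".svg" {` (this needs `"path/filepath"` added to the import block in the first hunk). A filename denylist is at best a secondary control here, since the `Content-Type` read on the very next line is client-supplied; whatever handler serves these resources should also emit `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, which I cannot confirm from this hunk. Both the enclosing handler closure and `registerResourceRoutes` begin before the hunk and continue past it.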