diff --git a/web/scanEngine/static/scanEngine/js/custom_tools.js b/web/scanEngine/static/scanEngine/js/custom_tools.js
index fb3722d86..7af299d16 100644
--- a/web/scanEngine/static/scanEngine/js/custom_tools.js
+++ b/web/scanEngine/static/scanEngine/js/custom_tools.js
@@ -1,7 +1,7 @@
 function load_gf_template(pattern_name){
 $('#modal-size').removeClass('modal-xl');
 $('#modal-size').addClass('modal-lg');
-$('.modal-title').html(`GF Pattern ` + pattern_name);
+$('.modal-title').html(`GF Pattern ` + htmlEncode(pattern_name));
 $('#exampleModal').modal('show');
 $('.modal-text').empty();
 $('.modal-text').append(``);
@@ -18,7 +18,7 @@ function load_gf_template(pattern_name){
 function load_nuclei_template(pattern_name){
 $('#modal-size').removeClass('modal-lg');
 $('#modal-size').addClass('modal-xl');
-$('.modal-title').html(`Nuclei Pattern ` + pattern_name);
+$('.modal-title').html(`Nuclei Pattern ` + htmlEncode(pattern_name));
 $('#exampleModal').modal('show');
 $('.modal-text').empty();
 $('.modal-text').append(``);
diff --git a/web/scanEngine/templates/scanEngine/settings/tool.html b/web/scanEngine/templates/scanEngine/settings/tool.html
index 169f93e89..bb5c5e4b9 100644
--- a/web/scanEngine/templates/scanEngine/settings/tool.html
+++ b/web/scanEngine/templates/scanEngine/settings/tool.html
@@ -201,4 +201,5 @@
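Review bot: The added `htmlEncode(pattern_name)` calls still feed the title through jQuery `.html()`, so the fix depends on a helper that is not defined in this file (presumably a project-wide script included by the template) and on every future caller remembering to wrap the value. Setting the title as text needs no encoder and cannot be bypassed by a missing include: `$('.modal-title').text(`GF Pattern ${pattern_name}`);` in load_gf_template and `$('.modal-title').text(`Nuclei Pattern ${pattern_name}`);` in load_nuclei_template. The same applies to whatever the two `.modal-text` appends later insert, which is outside this hunk and worth checking for the same pattern. Both function bodies continue past the end of their hunks.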

A {% block page_level_script %} + {% endblock page_level_script %}
diff --git a/web/scanEngine/views.py b/web/scanEngine/views.py
index d65b529af..c5ecca4a8 100644
--- a/web/scanEngine/views.py
+++ b/web/scanEngine/views.py
@@ -245,7 +245,9 @@ def tool_specific_settings(request):
 if file_extension != 'json':
 messages.add_message(request, messages.ERROR, 'Invalid GF Pattern, upload only *.json extension')
 else:
-file_path = '/root/.gf/' + gf_file.name
+# remove special chars from filename, that could possibly do directory traversal or XSS
+filename = re.sub(r'[\\/*?:"<>|]',"", gf_file.name)
+file_path = '/root/.gf/' + filename
 file = open(file_path, "w")
 file.write(gf_file.read().decode("utf-8"))
 file.close()
@@ -258,7 +260,8 @@ def tool_specific_settings(request):
 if file_extension != 'yaml':
 messages.add_message(request, messages.ERROR, 'Invalid Nuclei Pattern, upload only *.yaml extension')
 else:
-file_path = '/root/nuclei-templates/' + nuclei_file.name
+filename = re.sub(r'[\\/*?:"<>|]',"", nuclei_file.name)
+file_path = '/root/nuclei-templates/' + filename
 file = open(file_path, "w")
 file.write(nuclei_file.read().decode("utf-8"))
 file.close()
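Review bot: The block-list `re.sub(r'[\\/*?:"<>|]', "", gf_file.name)` in the GF hunk (and its copy in the Nuclei hunk) does stop `/` and `\` from reaching the path, but it still accepts a name that reduces to `""`, `.` or `..`, for which `'/root/.gf/' + filename` names a directory and the `open(file_path, "w")` on the next line raises IsADirectoryError instead of returning the user-facing error the extension check gives. An allow-list with an explicit reject for those names is the shape reviewers usually ask for here, and the `# ... directory traversal or XSS` comment should drop the XSS half: stripping `<>"` from a stored filename is not what prevents script injection, output encoding is, so the comment overstates what this line guarantees. The same sanitization is pasted into both hunks, so a small `_safe_upload_name(name)` helper would keep the two from drifting (the Nuclei copy already lacks the comment). tool_specific_settings begins and ends outside both hunks.
```python
# … unchanged: extension check …
else:
    # allow-list rather than strip: keep only [A-Za-z0-9._-] and never accept a bare "", "." or ".."
    filename = re.sub(r'[^A-Za-z0-9._-]', '', gf_file.name)
    if filename in ('', '.', '..'):
        messages.add_message(request, messages.ERROR, 'Invalid GF Pattern filename')
    else:
        file_path = '/root/.gf/' + filename
        # … unchanged: open / write / close …
```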