diff --git a/lib/private/eventsource.php b/lib/private/eventsource.php
index 4df0bc2e7cd4de73c9c20221d486c2a31f75f8ce..5a41ddd8b372775a5145f7a0f107fcc380365de8 100644
--- a/lib/private/eventsource.php
+++ b/lib/private/eventsource.php
@@ -63,8 +63,9 @@ class OC_EventSource{
 			$type=null;
 		}
 		if($this->fallback) {
+			$fallBackId = OC_Util::sanitizeHTML($this->fallBackId);
 			$response='<script type="text/javascript">window.parent.OC.EventSource.fallBackCallBack('
-				.$this->fallBackId.',"' . $type . '",' . OCP\JSON::encode($data) . ')</script>' . PHP_EOL;
+				.$fallBackId.',"' . $type . '",' . OCP\JSON::encode($data) . ')</script>' . PHP_EOL;
 			echo $response;
 		}else{
 			if($type) {