diff --git a/modules/widget/widget.controller.php b/modules/widget/widget.controller.php
index 66efd79e3..62d6801ad 100644
--- a/modules/widget/widget.controller.php
+++ b/modules/widget/widget.controller.php
@@ -39,8 +39,9 @@
 $attribute = array();
 if($vars) {
 foreach($vars as $key => $val) {
- if(strpos($val,'|@|')>0) $val = str_replace('|@|',',',$val);
- $attribute[] = sprintf('%s="%s"', $key, str_replace('"','\"',$val));
+ if(strpos($val,'|@|') > 0) $val = str_replace('|@|', ',', $val);
+ $val = htmlspecialchars($val);
+ $attribute[] = sprintf('%s="%s"', $key, $val);
 }
 }
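Review bot: The attribute name `$key` is still interpolated unescaped into `'%s="%s"'` on the last added line, so only the value half of each generated attribute is now neutral to HTML; a key containing quotes, `>` or whitespace can still terminate the attribute or the tag, and the keys of `$vars` appear to be request-derived (inferred; where `$vars` comes from is outside the hunk). Restrict keys to an identifier pattern before they are used, e.g. `if(!preg_match('/^[a-zA-Z0-9_\-]+$/', $key)) continue;` as the first statement of the loop body. The new `htmlspecialchars($val)` call also relies on version-dependent defaults for flags and charset; make them explicit with `$val = htmlspecialchars($val, ENT_QUOTES, 'UTF-8');` so `'` is escaped too and the encoding does not change with the PHP version. The `strpos(...) > 0` test skips a value that begins with `|@|` (offset 0); `strpos($val, '|@|') !== false` expresses the intended containment check. The enclosing function starts and ends outside the hunk.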