diff --git a/mobile/shop/orderformupdate.php b/mobile/shop/orderformupdate.php
index 65ad7092a..c2be8484e 100644
--- a/mobile/shop/orderformupdate.php
+++ b/mobile/shop/orderformupdate.php
@@ -862,6 +862,8 @@ if($is_member) {
 sql_query($sql);
 }
 
+ $ad_subject = clean_xss_tags($ad_subject);
+
 if($row['ad_id']){
 $sql = " update {$g5['g5_shop_order_address_table']}
 set ad_default = '$ad_default',
diff --git a/shop/orderaddressupdate.php b/shop/orderaddressupdate.php
index c13491a10..6211f4864 100644
--- a/shop/orderaddressupdate.php
+++ b/shop/orderaddressupdate.php
@@ -16,8 +16,10 @@ if ($is_member && $count) {
 // 실제 번호를 넘김
 $k = $_POST['chk'][$i];
 
+ $ad_subject = clean_xss_tags($_POST['ad_subject'][$k]);
+
 $sql = " update {$g5['g5_shop_order_address_table']}
- set ad_subject = '{$_POST['ad_subject'][$k]}' ";
+ set ad_subject = '$ad_subject' ";
 if($_POST['ad_default'] && $_POST['ad_id'][$k] == $_POST['ad_default']) {
 sql_query(" update {$g5['g5_shop_order_address_table']} set ad_default = '0' where mb_id = '{$member['mb_id']}' ");
diff --git a/shop/orderformupdate.php b/shop/orderformupdate.php
index 921445f59..93e91e847 100644
--- a/shop/orderformupdate.php
+++ b/shop/orderformupdate.php
@@ -843,6 +843,8 @@ if($is_member) {
 sql_query($sql);
 }
 
+ $ad_subject = clean_xss_tags($ad_subject);
+
 if($row['ad_id']){
 $sql = " update {$g5['g5_shop_order_address_table']}
 set ad_default = '$ad_default',
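Review bot: The added `$ad_subject = clean_xss_tags($ad_subject);` sanitizes for an HTML output context but does not escape SQL metacharacters, and the `$sql` string that starts two lines below is still built by interpolation, so the value also needs the project's SQL escaping helper (or a bound parameter) where it is interpolated, unless `$_POST` is already escaped globally before this file runs. The sanitization is also placed after the `sql_query($sql)` at the top of the hunk; if `$ad_subject` appears in that earlier statement it is stored there unsanitized, which cannot be confirmed here because `$ad_subject` is assigned outside the hunk. Consider documenting the intent on the new line, e.g. `// strip HTML from the user-supplied address label before it is stored (SQL escaping still required)`. The enclosing `if($is_member)` block begins and the UPDATE string continues outside the hunk. The identical hunk in shop/orderformupdate.php has the same issue.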
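Review bot: The added `$ad_subject = clean_xss_tags($_POST['ad_subject'][$k]);` indexes `$_POST['ad_subject']` with `$k`, which is itself taken from `$_POST['chk'][$i]` on the line above, without checking that either key exists or that the field is an array, so a malformed request raises a notice and passes null into the sanitizer; guard it first, e.g. `if (!isset($_POST['ad_subject'][$k])) continue;` (or whatever skip the enclosing loop uses). The replacement line `set ad_subject = '$ad_subject' ";` still interpolates the value into the UPDATE; `clean_xss_tags()` strips HTML for display and is not an SQL escape, so the value should also pass through the SQL escaping helper or a parameterized query unless `$_POST` is escaped globally upstream. The `$sql` string and the enclosing loop continue outside the hunk.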