diff --git a/bbs/new.php b/bbs/new.php
index 027574785..c451d1c1d 100644
--- a/bbs/new.php
+++ b/bbs/new.php
@@ -18,7 +18,7 @@ if ($view == "w")
 else if ($view == "c")
 $sql_common .= " and a.wr_id <> a.wr_parent ";
-$mb_id = isset($_GET['mb_id']) ? $_GET['mb_id'] : "";
+$mb_id = isset($_GET['mb_id']) ? strip_tags($_GET['mb_id']) : "";
 if ($mb_id) {
 $sql_common .= " and a.mb_id = '{$mb_id}' ";
 }
diff --git a/tail.php b/tail.php
index 39d7e60e9..d9da58f71 100644
--- a/tail.php
+++ b/tail.php
@@ -44,7 +44,7 @@ if(!G4_IS_MOBILE) {
 if($key == 'device')
 continue;
-        $href .= $sep.$key.'='.$val;
+        $href .= $sep.$key.'='.strip_tags($val);
 $sep = '&';
 $seq++;
 }
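Review bot: strip_tags() on `$_GET['mb_id']` does not protect the interpolation two lines below, `$sql_common .= " and a.mb_id = '{$mb_id}' ";` — it only removes HTML tags, and single quotes and SQL metacharacters pass through unchanged, so the query is still built from raw request input. The value is a member id, so the cleaner fix is to accept only the id character set before it reaches SQL, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $mb_id)) $mb_id = '';` right after the assignment (the exact allowed charset should match what the registration form enforces; confirm), or better, bind it as a parameter if the surrounding query code supports it. The `$sql_common` string and the `if ($view …)` chain start before this hunk, so how the string is executed is not visible here.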
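Review bot: The tail.php change applies strip_tags() to `$val` while assembling a query string, but the value is neither URL-encoded nor HTML-escaped, and `$key` is appended untouched; strip_tags leaves `&`, `=`, `"` and `'` in place, so a value containing those still corrupts the URL or an attribute it is placed in. Since this line builds a URL component, the appropriate transform is `$href .= $sep.urlencode($key).'='.urlencode($val);`, with HTML escaping applied where `$href` is finally echoed. The loop header that supplies `$key`/`$val` and the consumer of `$href` are outside the hunk, so the source of these values and the output context are inferred rather than seen.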