diff --git a/forgotpassword.php b/forgotpassword.php
index 884f648628f8ae3ef37529969cea4aa5d1e50278..90a0bda5251979695d4ad7dd8e75e9200afd9120 100644
--- a/forgotpassword.php
+++ b/forgotpassword.php
@@ -9,7 +9,7 @@ $message = null;
 
 
 if (isset($_POST['email']) && !empty($_POST['email'])) {
-    $provided_email = $_POST['email'];
+    $provided_email = htmlspecialchars($_POST['email']);
 }
 if (isset($_POST['email']) && empty($_POST['email'])) {
     $errors = 'email should\'nt be empty';
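Review bot: Calling `htmlspecialchars()` at the point where the email is read from `$_POST` encodes it for HTML before its use is known. The later uses of `$provided_email` are outside this hunk, but if it feeds a database lookup or a mail header, HTML encoding does not protect those sinks and it rewrites `&`, quotes and angle brackets, so the value no longer matches what the user typed. I would keep the raw value, validate it with `filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)`, and escape only where it is echoed, e.g. `htmlspecialchars($provided_email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The email assignment in the login.php hunk has the same issue.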
@@ -18,7 +18,7 @@ if (isset($_POST['email']) && empty($_POST['email'])) {
 
 
 if (isset($_POST['password']) && !empty($_POST['password'])) {
-    $provided_password = $_POST['password'];
+    $provided_password = htmlspecialchars($_POST['password']);
 }
 if (isset($_POST['password']) && empty($_POST['password'])) {
     $errors = 'password is required';
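Review bot: HTML-encoding the password changes the secret itself, because any password containing `&`, `<`, `>` or a double quote is rewritten before it is hashed or verified. Accounts whose stored hash was computed from the raw value may then stop matching, and the effective password differs from what the user typed. A password should never be rendered into a page, so it needs no output escaping; keep `$provided_password = $_POST['password'];` and pass the raw string to the hashing or verification code. That code is outside this hunk (presumably `password_hash()` / `password_verify()`, to be confirmed). The password assignment in the login.php hunk has the same problem.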
diff --git a/login.php b/login.php
index e406404019364d97c8882e6da36cdc5939cfcc06..b3a2eb8385ecfcecd016f8c817050ae97f28a836 100644
--- a/login.php
+++ b/login.php
@@ -10,11 +10,11 @@ if ($obj->loggedin($obj)) {
 }
 
 if (isset($_POST['email'])) {
-    $provided_email = $_POST['email'];
+    $provided_email = htmlspecialchars($_POST['email']);
 }
 
 if (isset($_POST['password'])) {
-    $provided_password = $_POST['password'];
+    $provided_password = htmlspecialchars($_POST['password']);
 }