diff --git a/CHANGELOG b/CHANGELOG
index 7eaa2ffc6..18109955f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -63,6 +63,7 @@ CHANGELOG Roundcube Webmail
- Fix various issues with Turkish (and similar) locales (#1490519)
- Fix so In-Reply-To header is set also for MDN receipts (#1490523)
- Fix missing HTTP_X_FORWARDED_FOR address in generated Received header
+- Fix XSS issue in drag-n-drop file uploads (#1490530)
RELEASE 1.1.2
-------------
diff --git a/program/js/app.js b/program/js/app.js
index d322d6b07..4b9f5d683 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -7916,7 +7916,8 @@ function rcube_webmail()
var submit_data = function() {
var multiple = files.length > 1,
ts = new Date().getTime(),
- content = '' + (multiple ? ref.get_label('uploadingmany') : files[0].name) + '';
+ // jQuery way to escape filename (#1490530)
+ content = $('').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html();
// add to attachments list
if (!ref.add2attachment_list(ts, { name:'', html:content, classname:'uploading', complete:false }))
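Review bot: The `.text(...).html()` round-trip on the new `content` line escapes `<`, `>` and `&` but leaves quotes untouched, so the result is safe only as element content; that matches how it appears to be used here (`html:content` in the `add2attachment_list` call), but the hunk never states the constraint. I would replace the comment with `// HTML-escape the user-supplied filename; safe as element content only, not inside attribute values (#1490530)`. The selector is also shown as `$('')`, which yields an empty jQuery set and would make `.html()` return `undefined`; presumably the element markup was lost when the page was rendered, but that is worth confirming against the repository. `submit_data` continues beyond the hunk, so whether other uses of `files[i].name` in the upload path get the same escaping cannot be checked from here.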