diff --git a/CHANGELOG b/CHANGELOG
index 5cbb5270e..31ecaba33 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -196,6 +196,8 @@
 - theme in configuration can override theme of user
 - saving the settings will no longer reenable an extention with no configuration
 - put a red/green bullet before the extension name in the settings
+- escape value of dropfolderfile in input form field created by
+ SeedDMS_Bootstrap_Style::getDropFolderChooserHtml() (CVE-2020-2872)
 --------------------------------------------------------------------------------
 Changes in version 5.1.20
diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index 06c3b9a60..61ba2efe0 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -1850,7 +1850,7 @@ $(document).ready(function() {
 function getDropFolderChooserHtml($formName, $dropfolderfile="", $showfolders=0) { /* {{{ */
 $content = "
\n";
- $content .= "";
+ $content .= "";
 $content .= "";
 $content .= $this->getModalBoxLink(
 array(