diff --git a/files/assets/js/submit.js b/files/assets/js/submit.js
index 7407b02ad..66a43ca01 100644
--- a/files/assets/js/submit.js
+++ b/files/assets/js/submit.js
@@ -181,9 +181,9 @@ function checkRepost() {
 catch(e) {console.log(e)}
 if (data && data["permalink"]) {
- const permalink = data["permalink"]
+ const permalink = encodeURIComponent(data["permalink"])
 if (permalink) {
- system.innerHTML = `This is a repost of ${permalink}`;
+ system.innerHTML = `This is a repost of ${permalink}`;
 }
 }
 }
diff --git a/files/helpers/media.py b/files/helpers/media.py
index 4a3211c85..b009bf10e 100644
--- a/files/helpers/media.py
+++ b/files/helpers/media.py
@@ -10,6 +10,7 @@ from .const import *
 import gevent
 import imagehash
 from shutil import copyfile
+from werkzeug.utils import secure_filename
 from files.classes.media import *
 from files.helpers.cloudflare import purge_files_in_cache
 from files.__main__ import db_session
@@ -36,7 +37,8 @@ def process_files():
 def process_audio(file):
 name = f'/audio/{time.time()}'.replace('.','')
- extension = file.filename.split('.')[-1].lower()
+ name_original = secure_filename(file.filename)
+ extension = name_original.split('.')[-1].lower()
 name = name + '.' + extension
 file.save(name)
@@ -93,7 +95,8 @@ def process_video(file):
 os.remove(old)
 abort(413, f"Max video size is {MAX_VIDEO_SIZE_MB} MB ({MAX_VIDEO_SIZE_MB_PATRON} MB for paypigs)")
- extension = file.filename.split('.')[-1].lower()
+ name_original = secure_filename(file.filename)
+ extension = name_original.split('.')[-1].lower()
 new = old + '.' + extension
 if extension == 'webm':
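Review bot: `encodeURIComponent()` in checkRepost() is a URL-component encoder rather than an HTML escaper, and its result is still written through `system.innerHTML`. It percent-encodes `<`, `>` and `"` but leaves `'` alone, and it turns every `/` of the permalink into `%2F`, so the text (or link) shown to the user is probably mangled. Keeping the raw value and skipping HTML parsing is simpler, e.g. `system.textContent = "This is a repost of " + data["permalink"];`; if a link is wanted, create the `a` element and assign `href` and `textContent` after checking the value is a same-site path. The removed and added `innerHTML` lines read identically here, so markup inside the template may have been lost in this rendering. checkRepost()'s body starts outside the hunk.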
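Review bot: The extension derived from `secure_filename(file.filename)` in process_audio() is still chosen by the client and goes straight into the saved path via `file.save(name)`; the same pattern is added in the process_video() hunk. `secure_filename()` strips path separators, but it can return an empty string, and a name without a dot yields the whole sanitized name as the "extension". An allowlist check before saving would close this, e.g. `if extension not in ALLOWED_AUDIO_EXTENSIONS: abort(415)` (the constant name is a placeholder; this page does not show one). Both functions continue past their hunks, so a later check may already exist.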