diff --git a/web/api/index.php b/web/api/index.php
index 32886446d..c4a01341a 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -42,7 +42,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
 $i++;
 if (!empty($_POST['arg' . $i])) {
- $args[] = $_POST['arg' . $i];
+ $args[] = escapeshellarg($_POST['arg' . $i]);
 continue;
 }
 break;
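Review bot: The added `escapeshellarg($_POST['arg' . $i])` assumes every posted value is a string, but a request body such as `arg1[]=x` makes it an array, which passes the `!empty()` test and then raises a TypeError on PHP 8 (a warning and a null entry on PHP 7). Check the type before escaping, for example `if (isset($_POST['arg' . $i]) && is_string($_POST['arg' . $i]) && $_POST['arg' . $i] !== '') {`, and reject the request when the value is not a string. The surrounding `!empty()` test also treats the value `'0'` as the end of the list, so any arguments after a literal `0` are silently dropped. Because values are now quoted at collection time, later code that validates, compares or logs `$args` sees the quoted form, and any second escaping would corrupt them. The loop starts and ends outside this hunk, so the consumers of `$args` should be confirmed.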