diff --git a/www/ac.php b/www/ac.php
index 7c6b596..fe8ac18 100644
--- a/www/ac.php
+++ b/www/ac.php
@@ -23,7 +23,7 @@ $s = mysql_real_escape_string($_REQUEST['s']);
 $id = mysql_real_escape_string(strip_tags($_REQUEST['id']));
- echo "parent._ac_rpc('$id',";
+ echo "parent._ac_rpc('".sanitizeHTML($id)."',";
 $bits = explode(",", $s);
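Review bot: The value on the new `echo` line lands inside a single-quoted JavaScript string, and HTML-escaping is not the encoding for that context; `sanitizeHTML()` is defined outside this hunk, so whether it handles single quotes, backslashes and line breaks cannot be confirmed from here. As written, quote handling appears to depend on the backslashes added by `mysql_real_escape_string()` on the `$id` line above, which is SQL escaping and not an output encoder. Encoding for the JavaScript context directly would be more robust, for example `echo "parent._ac_rpc(".json_encode($rawId, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT).",";`, where `$rawId` (a name chosen here) holds `$_REQUEST['id']` before any SQL escaping and the surrounding `'` are dropped because `json_encode` emits its own quotes. `$s` is split into `$bits` right after this line and is presumably echoed further down, outside the hunk; if so, it needs the same treatment.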