diff --git a/src/Controls/File.php b/src/Controls/File.php
index fd7bfde..ef0182d 100644
--- a/src/Controls/File.php
+++ b/src/Controls/File.php
@@ -57,7 +57,7 @@ public function render()
                 'title' => trans('fluentform::controls.file.delete')
             ]));
             $content .= ' ';
-            $content .= '<a href="'.$value.'" target="_blank">'.basename($value).'</a>';
+            $content .= '<a href="'.$this->html()->encode($value).'" target="_blank">'.basename($this->html()->encode($value)).'</a>';
             $content .= '</div>';
         }