diff --git a/main/exercise/exercise_show.php b/main/exercise/exercise_show.php
index 56ac9d9b6f..9cc4df0a73 100755
--- a/main/exercise/exercise_show.php
+++ b/main/exercise/exercise_show.php
@@ -953,6 +953,9 @@ if ('export' === $action) {
     if (ob_get_contents()) {
         ob_clean();
     }
+
+    $content = Security::remove_XSS($content);
+
     $params = [
         'filename' => api_replace_dangerous_char(
             $objExercise->name.' '.