diff --git a/src/ChurchCRM/utils/InputUtils.php b/src/ChurchCRM/utils/InputUtils.php
index 1e1dc082e7..7061ed7e6a 100644
--- a/src/ChurchCRM/utils/InputUtils.php
+++ b/src/ChurchCRM/utils/InputUtils.php
@@ -43,6 +43,11 @@ public static function filterString($sInput): string
 return strip_tags(trim($sInput));
 }
+ public static function filterSanitizeString($sInput): string
+ {
+ return filter_var(trim($sInput), FILTER_SANITIZE_SPECIAL_CHARS);
+ }
+
 public static function filterHTML($sInput): string
 {
 return strip_tags(trim($sInput), self::$AllowedHTMLTags);
diff --git a/src/session/index.php b/src/session/index.php
index 3558b46b77..32055b3ee9 100644
--- a/src/session/index.php
+++ b/src/session/index.php
@@ -7,6 +7,7 @@
 use ChurchCRM\Authentication\Requests\LocalUsernamePasswordRequest;
 use ChurchCRM\dto\SystemURLs;
 use ChurchCRM\Slim\Middleware\VersionMiddleware;
+use ChurchCRM\Utils\InputUtils;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Slim\Factory\AppFactory;
@@ -80,8 +81,8 @@ function beginSession(Request $request, Response $response, array $args): Respon
 $renderer = new PhpRenderer('templates/');
 // Determine if appropriate to pre-fill the username field
- $pageArgs['prefilledUserName'] = $request->getQueryParams()['username'] ??
- $request->getServerParams()['username'] ??
+ $pageArgs['prefilledUserName'] = InputUtils::filterSanitizeString($request->getQueryParams()['username']) ??
+ InputUtils::filterSanitizeString($request->getServerParams()['username']) ??
 '';
 return $renderer->render($response, 'begin-session.php', $pageArgs);
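Review bot: `filterSanitizeString` is an HTML output-escaping step, not input sanitisation — `FILTER_SANITIZE_SPECIAL_CHARS` turns `'"<>&` and control characters into HTML entities — so if the template that receives the value also escapes (htmlspecialchars or an auto-escaping renderer) the result double-encodes, e.g. `O'Brien` would render as `O&amp;#39;Brien`; the method should say where it belongs. Suggest a docblock on the new method: `/** HTML-entity-encodes quotes, angle brackets, ampersand and control chars. Use only where the result is emitted raw into HTML; never before storage or a second escape. */`. The parameter is untyped like its siblings, but a caller handing it an unset array key passes `null` into `trim()`, which is a PHP 8.1 deprecation; declaring `?string $sInput` and calling `trim($sInput ?? '')` makes that path explicit without changing the return for existing callers.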
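Review bot: The null-coalescing fallbacks on the two rewritten lines are now unreachable: `??` applies to the return value of `filterSanitizeString`, which is declared `string` and is never null, so the server-params branch and the `''` default are dead code. The array lookup `$request->getQueryParams()['username']` is also evaluated as a plain argument now, so an absent key — the normal case when the login page is opened without a prefill — emits an "Undefined array key" warning and passes `null` into `trim()` (deprecated in PHP 8.1), and an array-valued query parameter would make `trim()` throw a `TypeError` where the old code did not. Coalesce first and escape once: `$pageArgs['prefilledUserName'] = InputUtils::filterSanitizeString(` / `    $request->getQueryParams()['username'] ?? $request->getServerParams()['username'] ?? ''` / `);`. `beginSession` begins before this hunk.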