diff --git a/src/plus/qrcode.php b/src/plus/qrcode.php
index 63e4ea4..1d42d70 100755
--- a/src/plus/qrcode.php
+++ b/src/plus/qrcode.php
@@ -5,7 +5,7 @@ require_once(dirname(__FILE__).'/../include/common.inc.php');
 require_once(DEDEINC.'/qrcode.class.php');
 
 $action = isset($action)? $action : '';
-$type = isset($type)? $type : '';
+$type = isset($type)? RemoveXSS(HtmlReplace($type,3)) : '';
 $id = (isset($id) && is_numeric($id)) ? $id : 0;
 if ( !in_array($type,array('list','arc','index')) ) $url = "http://2v.dedecms.com";