diff --git a/tbl_create.php b/tbl_create.php
index 4d3171ad9..c40238658 100644
--- a/tbl_create.php
+++ b/tbl_create.php
@@ -287,7 +287,9 @@ if (isset($_REQUEST['do_save_data'])) {
             $new_table_string .= '<td align="center"> <input type="checkbox" id="checkbox_tbl_" name="selected_tbl[]" value="'.htmlspecialchars($table).'" /> </td>' . "\n";
 
             $new_table_string .= '<th>';
-            $new_table_string .= '<a href="sql.php' . PMA_generate_common_url($tbl_url_params) . '">'. $table . '</a>';
+            $new_table_string .= '<a href="sql.php'
+                . PMA_generate_common_url($tbl_url_params) . '">'
+                . htmlspecialchars($table) . '</a>';
 
             if (PMA_Tracker::isActive()) {
                 $truename = str_replace(' ', '&nbsp;', htmlspecialchars($table));