diff --git a/modules/content_management/class/class_content_manager_tools_Abstract.php b/modules/content_management/class/class_content_manager_tools_Abstract.php
index f807699bdd1e77a311e30dc956a0fea91e1c54d4..ea18599f0119595bc02eefd808e2ed75d528544e 100755
--- a/modules/content_management/class/class_content_manager_tools_Abstract.php
+++ b/modules/content_management/class/class_content_manager_tools_Abstract.php
@@ -451,7 +451,7 @@ abstract class content_management_tools_Abstract
         $jnlp_balise->appendChild($jnlp_attribute2);
 
         $jnlp_attribute3 = $docXML->createAttribute('href');
-        $jnlp_attribute3->value = $jnlp_name;
+        $jnlp_attribute3->value = htmlentities($jnlp_name);
         $jnlp_balise->appendChild($jnlp_attribute3);
 
         //"{$pathUrl}/rest/jnlp?fileName={$jnlp_name}";
diff --git a/src/app/contentManagement/controllers/JnlpController.php b/src/app/contentManagement/controllers/JnlpController.php
index 1ab441993d2133985550ca5c6126468ae377d55e..fb5155d15829b996e5d6eaae003b38e67832787e 100644
--- a/src/app/contentManagement/controllers/JnlpController.php
+++ b/src/app/contentManagement/controllers/JnlpController.php
@@ -182,7 +182,7 @@ class JnlpController
 
     public function renderJnlp(Request $request, Response $response, array $aArgs)
     {
-        if (explode('.', $aArgs['jnlpUniqueId'])[1] != 'jnlp') {
+        if (strtoupper(pathinfo($aArgs['jnlpUniqueId'], PATHINFO_EXTENSION)) != 'JNLP') {
             return $response->withStatus(403)->withJson(['errors' => 'File extension forbidden']);
         }