diff --git a/data/web/inc/ajax/qitem_details.php b/data/web/inc/ajax/qitem_details.php
index 4f398083..db47f339 100644
--- a/data/web/inc/ajax/qitem_details.php
+++ b/data/web/inc/ajax/qitem_details.php
@@ -96,7 +96,8 @@ if (!empty($_GET['id']) && ctype_alnum($_GET['id'])) {
 }
 }
 if (isset($_GET['eml'])) {
- $dl_filename = str_replace('/', '_', $data['subject']);
+ $dl_filename = preg_replace('/[^a-z\d]/i', '_', $data['subject']);
+ $dl_filename = strlen($dl_filename) > 30 ? substr($dl_filename,0,30) : $dl_filename;
 header('Pragma: public');
 header('Expires: 0');
 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
@@ -113,7 +114,8 @@ if (!empty($_GET['id']) && ctype_alnum($_GET['id'])) {
 exit(json_encode('Forbidden'));
 }
 $dl_id = intval($_GET['att']);
- $dl_filename = $data['attachments'][$dl_id][0];
+ $dl_filename = preg_replace('/[^a-z\d]/i', '_', $data['attachments'][$dl_id][0]);
+ $dl_filename = strlen($dl_filename) > 30 ? substr($dl_filename,0,30) : $dl_filename;
 if (!is_dir($tmpdir . $dl_filename) && file_exists($tmpdir . $dl_filename)) {
 header('Pragma: public');
 header('Expires: 0');
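Review bot: The sanitized subject can end up empty — a null or empty subject, or one consisting only of non-ASCII characters, leaves `$dl_filename` as `''` or a bare run of underscores — and that value presumably feeds the download filename header emitted below this hunk. Casting and adding a fallback keeps that header well-formed: `$dl_filename = preg_replace('/[^a-z\d]/i', '_', (string)($data['subject'] ?? ''));` followed by `if (trim($dl_filename, '_') === '') { $dl_filename = 'message'; }`. The cast also avoids `preg_replace()` on a null subject, which is deprecated since PHP 8.1. The enclosing `if (!empty($_GET['id']) && ctype_alnum($_GET['id']))` block starts before this hunk and the header that consumes `$dl_filename` is outside it.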
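Review bot: The new sanitizer on the attachment name is not injective, so two attachments of the same message whose names differ only in non-alphanumeric characters (`report.pdf` versus `report_pdf`) or only beyond the 30th character collapse to the same `$dl_filename`, and `file_exists($tmpdir . $dl_filename)` may then resolve to a different attachment than the one `$dl_id` selects. A more robust scheme keys the on-disk name by the attachment index, e.g. `$dl_filename = $dl_id . '_' . $dl_filename;`, keeping the sanitized display name only for the download header; that presumably needs the matching change where the attachment is written into `$tmpdir`, which lies outside this hunk, as does confirming that the write still produces a name this lookup can find. Separately, an `att` index that does not exist makes `$data['attachments'][$dl_id][0]` null (a warning, and a deprecated null subject for `preg_replace()` on 8.1+); guard it before the replace with `if (!isset($data['attachments'][$dl_id][0])) { exit(json_encode('Forbidden')); }`. Stripping the dot also discards the file extension, which the client-side filename likely wants to keep.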