diff --git a/brouter-server/src/main/java/btools/server/RouteServer.java b/brouter-server/src/main/java/btools/server/RouteServer.java
index 1754129..a4536cf 100644
--- a/brouter-server/src/main/java/btools/server/RouteServer.java
+++ b/brouter-server/src/main/java/btools/server/RouteServer.java
@@ -392,7 +392,7 @@ public class RouteServer extends Thread
     bw.write( "Content-Type: " + mimeType + "; charset=utf-8\n" );
     if ( fileName != null )
     {
-      bw.write( "Content-Disposition: attachment; filename=" + fileName + "\n" );
+      bw.write( "Content-Disposition: attachment; filename=\"" + fileName + "\"\n" );
     }
     bw.write( "Access-Control-Allow-Origin: *\n" );
     if ( headers != null )
diff --git a/brouter-server/src/main/java/btools/server/request/ServerHandler.java b/brouter-server/src/main/java/btools/server/request/ServerHandler.java
index 48b508c..9fc4c63 100644
--- a/brouter-server/src/main/java/btools/server/request/ServerHandler.java
+++ b/brouter-server/src/main/java/btools/server/request/ServerHandler.java
@@ -191,7 +191,7 @@ public class ServerHandler extends RequestHandler {
 
     if ( format != null )
     {
-      fileName = ( params.get( "trackname" ) == null ? "brouter" : params.get( "trackname" ) ) + "." + format;
+      fileName = ( params.get( "trackname" ) == null ? "brouter" : params.get( "trackname" ).replaceAll("[^a-zA-Z0-9 \\._\\-]+", "") ) + "." + format;
     }
 
     return fileName;