diff --git a/src/main/java/org/olat/modules/fo/ForumController.java b/src/main/java/org/olat/modules/fo/ForumController.java
index 6946ae486b0b59f5b18a237aefb98974826ad828..1d0f2bcdbdc0ac50f93bb9aa5fc46976dc84c237 100644
--- a/src/main/java/org/olat/modules/fo/ForumController.java
+++ b/src/main/java/org/olat/modules/fo/ForumController.java
@@ -653,7 +653,9 @@ public class ForumController extends BasicController implements GenericEventList
 		attachments.addAll((Collection<VFSItem>) messageMap.get("attachments"));
 		VFSItem vI = attachments.get(pos - 1);
 		VFSLeaf vl = (VFSLeaf) vI;
-		ureq.getDispatchResult().setResultingMediaResource(new VFSMediaResource(vl));
+		VFSMediaResource res = new VFSMediaResource(vl);
+		res.setDownloadable(true); // prevent XSS attack
+		ureq.getDispatchResult().setResultingMediaResource(res);
 	}
 
 	private void doDeleteMessage(UserRequest ureq) {
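Review bot: The comment on the new `res.setDownloadable(true)` line names the threat but not the mechanism, which is what the next maintainer will need before touching it; suggest `// force download (attachment disposition) so a user-uploaded HTML/SVG attachment is never rendered inline under the application's origin` — the attachment-disposition behaviour of VFSMediaResource is inferred from its name, so confirm it against that class. The surrounding lines still reach `attachments.get(pos - 1)` and the unchecked `(VFSLeaf) vI` cast without validation, so an out-of-range index or a directory item presumably surfaces as an uncaught IndexOutOfBoundsException or ClassCastException rather than a clean error; a bounds check and an `instanceof VFSLeaf` test before the cast would make that explicit. The enclosing method starts outside the hunk, and doDeleteMessage's body continues past it.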