diff --git a/html/user/team_members.php b/html/user/team_members.php
index 07ffd58bb7..4fc054613d 100644
--- a/html/user/team_members.php
+++ b/html/user/team_members.php
@@ -24,6 +24,7 @@ check_get_args(array("sort_by", "offset", "teamid"));
 if (isset($_GET["sort_by"])) {
 $sort_by = $_GET["sort_by"];
+ $sort_by = strip_tags($sort_by); // remove XSS nonsense
 } else {
 $sort_by = "expavg_credit";
 }