diff --git a/eme-events.php b/eme-events.php
index d698a80b..3f2e2f6a 100644
--- a/eme-events.php
+++ b/eme-events.php
@@ -4694,6 +4694,9 @@ function eme_get_events_list_shortcode( $atts ) {
 // if format is given as argument, sometimes people need url-encoded strings inside so WordPress doesn't get confused, so we decode them here again
 $format = urldecode( $format );
+ // to avoid shortcode-XSS by a contributor (eme_strip_js is identical to eme_kses, so we call that)
+ $format = eme_kses( $format );
+
 // for format: sometimes people want to give placeholders as options, but when using the shortcode inside
 // another (e.g. when putting[eme_events format="#_EVENTNAME"] inside the "display single event" setting,
 // the replacement of the placeholders happens too soon (placeholders get replaced first, before any other
diff --git a/readme.txt b/readme.txt
index a41b22d5..0fa3ba18 100644
--- a/readme.txt
+++ b/readme.txt
@@ -101,6 +101,7 @@ See the FAQ section at the [Official site](https://www.e-dynamics.be/wordpress/)
 = 2.4.19 (2023//) =
 * Added a new recurrence period "specific months", so you can choose on which months something transpires and repeat per year
 * Avoid php warnings if an image for an event/person/location/... no longer exists
+* Avoid possible XSS via shortcode eme_events and the format option
 = 2.4.18 (2023/12/10) =
 * Fix a php warning
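Review bot: The new `eme_kses( $format )` call runs unconditionally at render time, so the comment "to avoid shortcode-XSS by a contributor" understates what it does: the author of the shortcode is not known here, so format strings written by administrators (including any with `unfiltered_html`) are filtered identically, which is a behaviour change for sites that relied on inline script or event-handler attributes in `format`. Suggest making that explicit: `// Sanitise the (already url-decoded) format unconditionally: at render time we cannot tell which user authored the shortcode, so markup that eme_kses rejects is stripped regardless of the author's capabilities.` Decoding before sanitising is the right order, since the filter then sees the final text rather than a percent-encoded form. The parenthetical about `eme_strip_js` being identical to `eme_kses` is useful for the reader but cannot be verified from this hunk; if they are truly identical, marking `eme_strip_js` as a deprecated alias would keep the two from drifting. If other shortcodes in this file also accept a `format` attribute they presumably need the same guard; eme_get_events_list_shortcode continues outside the hunk.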