diff --git a/code/modules/ext_scripts/irc.dm b/code/modules/ext_scripts/irc.dm
index 4b125a9604..455b709ec3 100644
--- a/code/modules/ext_scripts/irc.dm
+++ b/code/modules/ext_scripts/irc.dm
@@ -1,7 +1,7 @@
 /proc/send2irc(var/channel, var/msg)
 	if (config.use_irc_bot)
 		if (config.use_node_bot)
-			shell("node bridge.js -h \"[config.irc_bot_host]\" -p \"[config.irc_bot_port]\" -c \"[channel]\" -m \"[msg]\"")
+			shell("node bridge.js -h \"[config.irc_bot_host]\" -p \"[config.irc_bot_port]\" -c \"[channel]\" -m \"[escape_shell_arg(msg)]\"")
 		else
 			if (config.irc_bot_host)
 				if(config.irc_bot_export)
@@ -16,10 +16,10 @@
 							nudge_lib = "lib/nudge.so"
 
 						spawn(0)
-							call(nudge_lib, "nudge")("[config.comms_password]","[config.irc_bot_host]","[channel]","[msg]")
+							call(nudge_lib, "nudge")("[config.comms_password]","[config.irc_bot_host]","[channel]","[escape_shell_arg(msg)]")
 					else
 						spawn(0)
-							ext_python("ircbot_message.py", "[config.comms_password] [config.irc_bot_host] [channel] [msg]")
+							ext_python("ircbot_message.py", "[config.comms_password] [config.irc_bot_host] [channel] [escape_shell_arg(msg)]")
 	return
 
 /proc/send2mainirc(var/msg)
diff --git a/code/modules/ext_scripts/python.dm b/code/modules/ext_scripts/python.dm
index 9b798d80ca..07cd5f0aa2 100644
--- a/code/modules/ext_scripts/python.dm
+++ b/code/modules/ext_scripts/python.dm
@@ -1,9 +1,27 @@
+// Ported from /vg/.
+/proc/escape_shell_arg(var/arg)
+	// RCE prevention
+	// - Encloses arg in single quotes
+	// - Escapes single quotes
+	// Also escapes %, ! on windows
+	if(world.system_type == MS_WINDOWS)
+		arg = replacetext(arg, "^", "^^") // Escape char
+		arg = replacetext(arg, "%", "%%") // %PATH% -> %%PATH%%
+		arg = replacetext(arg, "!", "^!") // !PATH!, delayed variable expansion on Windows
+		arg = replacetext(arg, "\"", "^\"")
+		arg = "\"[arg]\""
+	else
+		arg = replacetext(arg, "\\", "\\\\'") // Escape char
+		arg = replacetext(arg, "'", "\\'")    // No breaking out of the single quotes.
+		arg = "'[arg]'"
+	return arg
+
 /proc/ext_python(var/script, var/args, var/scriptsprefix = 1)
-	if(scriptsprefix) script = "scripts/" + script
+	if(scriptsprefix)
+		script = "scripts/" + script
 
 	if(world.system_type == MS_WINDOWS)
 		script = replacetext(script, "/", "\\")
 
 	var/command = config.python_path + " " + script + " " + args
-
-	return shell(command)
+	return shell(command)
\ No newline at end of file