diff --git a/lib/ntbb-session.lib.php b/lib/ntbb-session.lib.php
index 27b82f1134..bc0212a52c 100644
--- a/lib/ntbb-session.lib.php
+++ b/lib/ntbb-session.lib.php
@@ -209,7 +209,7 @@ private function passwordVerifyInner($userid, $pass, $user) {
 
 		if (substr(@$user['email'], -1) === '@') {
 			// Forgive me, gods, for I have hardcoded way more than I really should have
-			$valResult = shell_exec("cd /var/www/html/play.pokemonshowdown.com && node lib/validate-token.js \"$pass\"");
+			$valResult = shell_exec("cd /var/www/html/play.pokemonshowdown.com && node lib/validate-token.js " . escapeshellarg($pass));
 			$payload = json_decode($valResult, true);
 			if (!$payload) return false;
 			if (strpos($payload['aud'], $psconfig['gapi_clientid']) === false) return false;
diff --git a/src/battle-animations.ts b/src/battle-animations.ts
index 43bc0edcfa..50f36176c6 100644
--- a/src/battle-animations.ts
+++ b/src/battle-animations.ts
@@ -1214,7 +1214,7 @@ class BattleScene {
 		//this.preloadImage(Tools.fxPrefix + 'bg.jpg');
 	}
 	preloadBgm(bgmNum = 0) {
-		if (!bgmNum) bgmNum = this.numericId % 13;
+		if (!bgmNum) bgmNum = 1 + this.numericId % 14;
 		this.bgmNum = bgmNum;
 
 		let ext = window.nodewebkit ? '.ogg' : '.mp3';