diff --git a/application/cmdbabstract.class.inc.php b/application/cmdbabstract.class.inc.php
index e50e37d35..959e497d2 100644
--- a/application/cmdbabstract.class.inc.php
+++ b/application/cmdbabstract.class.inc.php
@@ -1371,7 +1371,7 @@ abstract class cmdbAbstractObject extends CMDBObject implements iDisplay
 if (is_null($aAllowedValues))
 {
 // Any value is possible, display an input box
- $sHtml .= " \n";
+ $sHtml .= " \n";
 }
 else
 {
diff --git a/datamodels/1.x/itop-attachments/ajax.attachment.php b/datamodels/1.x/itop-attachments/ajax.attachment.php
index dd7285260..98a21504c 100644
--- a/datamodels/1.x/itop-attachments/ajax.attachment.php
+++ b/datamodels/1.x/itop-attachments/ajax.attachment.php
@@ -102,7 +102,8 @@ try
 }
 catch (Exception $e)
 {
- echo $e->GetMessage();
+ // note: transform to cope with XSS attacks
+ echo htmlentities($e->GetMessage(), ENT_QUOTES, 'utf-8');
 IssueLog::Error($e->getMessage());
 }
 ?>
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index fd168b6b7..72494880d 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -875,7 +875,8 @@ try
 }
 catch (Exception $e)
 {
- echo $e->GetMessage();
+ // note: transform to cope with XSS attacks
+ echo htmlentities($e->GetMessage(), ENT_QUOTES, 'utf-8');
 echo "
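Review bot: The added `htmlentities($e->GetMessage(), ENT_QUOTES, 'utf-8')` in the ajax.attachment.php catch block passes no `ENT_SUBSTITUTE`, so a message containing a byte sequence that is not valid UTF-8 (a file name or a value echoed back from the database, for instance) makes `htmlentities` return an empty string and the client sees nothing while `IssueLog::Error` still records the raw text. Prefer `echo htmlentities($e->GetMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'utf-8');` (the flag exists from PHP 5.4). The identical line in the pages/ajax.render.php hunk has the same gap. Separately, returning the raw exception message to the browser at all discloses internals such as paths or SQL fragments even once escaped; a generic user-facing message with the detail kept to the log would be the safer shape, and the `GetMessage()`/`getMessage()` casing on the two adjacent lines should be unified.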
Debug trace:
".print_r($e->getTrace(), true)."\n"; IssueLog::Error($e->getMessage()); }
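Review bot: The escaping stops at the message: the `echo "…Debug trace:…".print_r($e->getTrace(), true)…` line that follows the added lines still writes the trace unescaped, and the trace's function arguments can carry the same request-supplied strings the fix is meant to neutralise, so the injection this commit addresses remains reachable through that line. Wrap it the same way, `htmlentities(print_r($e->getTrace(), true), ENT_QUOTES, 'utf-8')`, in place of the bare `print_r(...)`. Beyond escaping, a full stack trace with argument values sent to the client is a disclosure on its own; it would be better confined to `IssueLog::Error` or emitted only under a debug setting. The enclosing try block starts outside the hunk.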