diff --git a/views/bootstrap/class.Search.php b/views/bootstrap/class.Search.php
index f403c91fe..b5494ccc6 100644
--- a/views/bootstrap/class.Search.php
+++ b/views/bootstrap/class.Search.php
@@ -998,7 +998,7 @@ $(document).ready(function() {
 $option = array($v, getReadableDate($v));
 break;
 default:
- $option = array($v, $v);
+ $option = array(htmlspecialchars($v), htmlspecialchars($v));
 }
 if(isset($attributes[$facetname]) && is_array($attributes[$facetname]) && in_array($v, $attributes[$facetname]))
 $option[] = true;
@@ -1111,9 +1111,9 @@ $(document).ready(function() {
 if($oldvalue) {
 unset($allparams['attributes'][$facetname]);
 $newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams);
- $menuitems[] = array('label'=>' '.$dispname.' = '.implode(', ', $oldvalue), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
+ $menuitems[] = array('label'=>' '.$dispname.' = '.htmlspecialchars(implode(', ', $oldvalue)), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
 foreach($oldvalue as $ov)
- echo '';
+ echo '';
 }
 }
 }
@@ -1169,9 +1169,9 @@ $(document).ready(function() {
 if($oldvalue) {
 unset($allparams[$facetname]);
 $newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams);
- $menuitems[] = array('label'=>' '.getMLText($facetname).' = '.implode(', ', $oldtransval), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
+ $menuitems[] = array('label'=>' '.getMLText($facetname).' = '.htmlspecialchars(implode(', ', $oldtransval)), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
 foreach($oldvalue as $ok=>$ov)
- echo '';
+ echo '';
 }
 }
 }
@@ -1495,7 +1495,7 @@ $(document).ready(function() {
 $attrstr .= $arr; } else { $attrdef = $lcattribute->getAttributeDefinition(); - $attrstr .= "
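Review bot: `htmlspecialchars($v)` on the new line in the hunk at 998 is called without flags, so whether single quotes are encoded depends on the PHP version (the default only became `ENT_QUOTES | ENT_SUBSTITUTE` in 8.1), and for a value that is going to sit inside an attribute the flags should be explicit: `$option = array(htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`; the same applies to the `htmlspecialchars(implode(...))` calls in the hunks at 1111 and 1169. Only the `default:` branch is escaped, while the `getReadableDate($v)` branch two lines above still stores the raw `$v` as the option value and the `in_array($v, ...)` check below compares the raw value, so escaping here rather than where `$option` is rendered leaves the switch branches inconsistent. If the helper that renders these options already escapes values and labels, this change will double-encode, which is worth confirming before merging. The switch and the function containing it start outside the hunk.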
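Review bot: The `label` on the new line in the hunk at 1111 escapes only the joined `$oldvalue`, while `$dispname` is concatenated into the same string unescaped; if it comes from a stored attribute-definition name it keeps the exposure this change is closing, and escaping the assembled label once, `'label'=>htmlspecialchars(' '.$dispname.' = '.implode(', ', $oldvalue), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, is easier to reason about. The hunk at 1169 has the same shape with `getMLText($facetname)` and `$oldtransval`. `link` is `$newrequest->getRequestUri()`, which is derived from request parameters, and whether it is escaped depends on the renderer that consumes `$menuitems`, which is not in the diff and should be checked. The `if($oldvalue)` block sits inside a loop that begins outside the hunk, and the `echo ''` lines appear here with their string bodies missing, so they cannot be reviewed from this copy.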