diff --git a/src/controllers/mods.js b/src/controllers/mods.js
index 4976dd9e82..c0abc18fe8 100644
--- a/src/controllers/mods.js
+++ b/src/controllers/mods.js
@@ -1,6 +1,7 @@
 'use strict';
 const _ = require('lodash');
+const validator = require('validator');
 const user = require('../user');
 const groups = require('../groups');
@@ -43,9 +44,9 @@ modsController.flags.list = async function (req, res) {
 filters = filters.reduce((memo, cur) => {
 if (req.query.hasOwnProperty(cur)) {
 if (typeof req.query[cur] === 'string' && req.query[cur].trim() !== '') {
- memo[cur] = req.query[cur].trim();
+ memo[cur] = validator.escape(String(req.query[cur].trim()));
 } else if (Array.isArray(req.query[cur]) && req.query[cur].length) {
- memo[cur] = req.query[cur];
+ memo[cur] = req.query[cur].map(item => validator.escape(String(item).trim()));
 }
 }
diff --git a/test/flags.js b/test/flags.js
index ee150a10c4..aad4802e7a 100644
--- a/test/flags.js
+++ b/test/flags.js
@@ -928,6 +928,11 @@ describe('Flags', () => {
 assert.strictEqual(flagData.reports[0].value, '"<script>alert('ok');</script>');
 });
+it('should escape filters', async () => {
+const { body } = await request.get(`${nconf.get('url')}/api/flags?quick="`, { jar });
+assert.strictEqual(body.filters.quick, '"<script>alert('foo');</script>');
+});
+
 it('should not allow flagging post in private category', async () => {
 const category = await Categories.create({ name: 'private category' });
@@ -1185,5 +1190,7 @@ describe('Flags', () => {
 }
 });
 });
+
+
 });
 });
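Review bot: The new array branch on the `+ memo[cur] = req.query[cur].map(...)` line is laxer than the string branch just above it: the string branch drops a value that is empty after `trim()`, but the array branch keeps empty items, and a non-string element (a query-string parser that accepts `?x[0][y]=z` yields an object there) is turned into the literal `[object Object]` by `String(item)`. Filtering to non-empty strings first keeps the two branches consistent: `const items = req.query[cur].filter(item => typeof item === 'string' && item.trim() !== '').map(item => validator.escape(item.trim()));` followed by `if (items.length) { memo[cur] = items; }`. The `String(...)` wrapper on the string branch is redundant given the `typeof req.query[cur] === 'string'` guard on the preceding line. Escaping at parse time also means `filters` now holds entity-encoded values; if any of them is used as a lookup key downstream rather than only echoed back to the page, a value containing `&`, `'`, `"`, `<`, `>` or `/` will no longer match, and if the view layer escapes again it will double-encode, so confirm where `filters` flows before relying on this. `modsController.flags.list` starts before and continues after this hunk.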
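Review bot: The new `should escape filters` case only exercises the string branch of the controller (`?quick=...`); the array branch added in the same commit (`req.query[cur].map(...)`) has no coverage. A sibling case that sends the same payload as an array element, `?<name>[]=...` for whichever filter name accepts arrays, and asserts on `body.filters.<name>[0]` would pin that branch too. As rendered here the expected literal contains raw `"`, `'` and `<script>` inside a single-quoted string, which would not parse; presumably the HTML entities (`&#x22;`, `&lt;`, ...) were decoded by the page rendering and the actual file holds the escaped form, but that is worth checking against the source. The enclosing `describe('Flags', ...)` block starts before and ends after this hunk.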