diff --git a/interface/web/themes/default/assets/javascripts/ispconfig.js b/interface/web/themes/default/assets/javascripts/ispconfig.js
index fcd5167a885847119270013db5294bc6b95ec71f..e18bd20f584c03bb3c8d02c6db348ddbdf65ba1a 100644
--- a/interface/web/themes/default/assets/javascripts/ispconfig.js
+++ b/interface/web/themes/default/assets/javascripts/ispconfig.js
@@ -103,13 +103,13 @@ var ISPConfig = {
 				width: 'element',
 				selectOnBlur: true,
 				allowClear: true,
-				formatResult: function(o) {
-					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + o.text + '</span>';
-					else return o.text;
+				formatResult: function(o, cont, qry, escapeMarkup) {
+					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
+					else return escapeMarkup(o.text);
 				},
-				formatSelection: function(o) {
-					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + o.text + '</span>';
-					else return o.text;
+				formatSelection: function(o, cont, escapeMarkup) {
+					if(o.id && $(o.element).parent().hasClass('flags')) return '<span class="flags flag-' + o.id.toLowerCase() + '">' + escapeMarkup(o.text) + '</span>';
+					else return escapeMarkup(o.text);
 				}
 			}).on('change', function(e) {
 				if ($("#pageForm .table #Filter").length > 0) {