diff --git a/app/controllers/user_my_modules_controller.rb b/app/controllers/user_my_modules_controller.rb
index 1e2302ad8..05fc01a42 100644
--- a/app/controllers/user_my_modules_controller.rb
+++ b/app/controllers/user_my_modules_controller.rb
@@ -54,7 +54,7 @@ class UserMyModulesController < ApplicationController
         render json: {
           user: {
             id: @um.user.id,
-            full_name: @um.user.full_name,
+            full_name: escape_input(@um.user.full_name),
             avatar_url: avatar_path(@um.user, :icon_small),
             user_module_id: @um.id
           }
diff --git a/app/views/shared/smart_annotation/_experiment_items.html.erb b/app/views/shared/smart_annotation/_experiment_items.html.erb
index 891b8b3d7..df987a447 100644
--- a/app/views/shared/smart_annotation/_experiment_items.html.erb
+++ b/app/views/shared/smart_annotation/_experiment_items.html.erb
@@ -7,10 +7,10 @@
     </div>
     <div class="items">
       <% experiment_group[:experiments].each do |experiment| %>
-        <li class="item" data-name="<%= experiment.name %>" data-id="<%= experiment.id.base62_encode %>" data-type="exp">
+        <li class="item" data-name="<%= sanitize_input(experiment.name) %>" data-id="<%= experiment.id.base62_encode %>" data-type="exp">
           <span class='sa-type'><%= experiment.code %></span>
           <span class="dot">&middot;</span>
-          <span class="item-text"><%= experiment.name %></span>
+          <span class="item-text"><%= sanitize_input(experiment.name) %></span>
           <%= render partial: 'shared/smart_annotation/atwho_control_buttons' %>
         </li>
       <% end %>
diff --git a/app/views/shared/smart_annotation/_my_module_items.html.erb b/app/views/shared/smart_annotation/_my_module_items.html.erb
index 2c705c550..6e2c72338 100644
--- a/app/views/shared/smart_annotation/_my_module_items.html.erb
+++ b/app/views/shared/smart_annotation/_my_module_items.html.erb
@@ -9,10 +9,10 @@
     </div>
     <div class="items">
       <% task_group[:tasks].each do |task| %>
-        <li class="item" data-name="<%= task.name %>" data-id="<%= task.id.base62_encode %>" data-type="tsk">
+        <li class="item" data-name="<%= sanitize_input(task.name) %>" data-id="<%= task.id.base62_encode %>" data-type="tsk">
           <span class='sa-type'><%= task.code %></span>
           <span class="dot">&middot;</span>
-          <span class="item-text"><%= task.name %></span>
+          <span class="item-text"><%= sanitize_input(task.name) %></span>
           <%= render partial: 'shared/smart_annotation/atwho_control_buttons' %>
         </li>
       <% end %>
diff --git a/app/views/shared/smart_annotation/_project_items.html.erb b/app/views/shared/smart_annotation/_project_items.html.erb
index bbfe46f3a..919c1ed04 100644
--- a/app/views/shared/smart_annotation/_project_items.html.erb
+++ b/app/views/shared/smart_annotation/_project_items.html.erb
@@ -1,10 +1,10 @@
 <% limit_reached = projects.length == Constants::ATWHO_SEARCH_LIMIT + 1 %>
 <div class="atwho-scroll-container">
   <% projects.limit(Constants::ATWHO_SEARCH_LIMIT).each do |project| %>
-    <li class="item" data-name="<%= project.name %>" data-id="<%= project.id.base62_encode %>" data-type="prj">
+    <li class="item" data-name="<%= sanitize_input(project.name) %>" data-id="<%= project.id.base62_encode %>" data-type="prj">
       <span class='sa-type'><%= project.code %></span>
       <span class="dot">&middot;</span>
-      <span class="item-text"><%= project.name %></span>
+      <span class="item-text"><%= sanitize_input(project.name) %></span>
       <%= render partial: 'shared/smart_annotation/atwho_control_buttons' %>
     </li>
   <% end %>
diff --git a/app/views/shared/smart_annotation/_repository_items.html.erb b/app/views/shared/smart_annotation/_repository_items.html.erb
index 87cabd85f..0b453ee24 100644
--- a/app/views/shared/smart_annotation/_repository_items.html.erb
+++ b/app/views/shared/smart_annotation/_repository_items.html.erb
@@ -1,10 +1,10 @@
 <% limit_reached = repository_rows.length == Constants::ATWHO_SEARCH_LIMIT + 1 %>
 <div class="atwho-scroll-container">
   <% repository_rows.take(Constants::ATWHO_SEARCH_LIMIT).each do |row| %>
-    <li class="item" data-name="<%= row[:name] %>" data-id="<%= row[:id_encoded] %>" data-type="rep_item">
+    <li class="item" data-name="<%= sanitize_input(row[:name]) %>" data-id="<%= row[:id_encoded] %>" data-type="rep_item">
       <span class='sa-type'><%= row[:code] %></span>
       <span class="dot">&middot;</span>
-      <span class="item-text"><%= row[:name] %></span>
+      <span class="item-text"><%= sanitize_input(row[:name]) %></span>
       <%= render partial: 'shared/smart_annotation/atwho_control_buttons', locals: { row: row, repository: repository } %>
     </li>
   <% end %>
diff --git a/app/views/shared/smart_annotation/_users.html.erb b/app/views/shared/smart_annotation/_users.html.erb
index 8e2c2c8a4..ce01f9e93 100644
--- a/app/views/shared/smart_annotation/_users.html.erb
+++ b/app/views/shared/smart_annotation/_users.html.erb
@@ -5,10 +5,10 @@
 </div>
 <div class="atwho-scroll-container">
   <% users.limit(Constants::ATWHO_SEARCH_LIMIT).each do |user| %>
-    <li class="atwho-user" data-full-name="<%= user.full_name %>" data-id="<%= user.id.base62_encode %>" data-type="rep_item">
+    <li class="atwho-user" data-full-name="<%= sanitize_input(user.full_name) %>" data-id="<%= user.id.base62_encode %>" data-type="rep_item">
       <img src="<%= avatar_path(user, :icon_small) %>" class="avatar" />
       <div class="user-info">
-        <div class="user-name item-text"><%= user.full_name %></div>
+        <div class="user-name item-text"><%= sanitize_input(user.full_name) %></div>
         <div class="user-email item-text"><%= user.email %></div>
       </div>
     </li>