Diffstat (limited to 'app')
| -rwxr-xr-x | app/Controllers/configureController.php | 2 | ||||
| -rw-r--r-- | app/views/helpers/configure/query.phtml | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index b2c1b5109..31619bf80 100755
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -347,7 +347,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
 if (Minz_Request::isPost()) {
 $params = array_filter(Minz_Request::param('query', []));
 if (!empty($params['search'])) {
- $params['search'] = urldecode($params['search']);
+ $params['search'] = htmlspecialchars_decode($params['search'], ENT_QUOTES);
 }
 if (!empty($params['state'])) {
 $params['state'] = array_sum($params['state']);
diff --git a/app/views/helpers/configure/query.phtml b/app/views/helpers/configure/query.phtml
index 7298a0a9a..38a1a715c 100644
--- a/app/views/helpers/configure/query.phtml
+++ b/app/views/helpers/configure/query.phtml
@@ -19,7 +19,7 @@
 <div class="form-group">
 <label class="group-name" for=""><?= _t('conf.query.filter.search') ?></label>
 <div class="group-controls">
- <input type="text" id="query_search" name="query[search]" class="extend" value="<?= urldecode($this->query->getSearch()) ?>"/>
+ <input type="text" id="query_search" name="query[search]" class="extend" value="<?= htmlspecialchars($this->query->getSearch(), ENT_COMPAT, 'UTF-8') ?>"/>
 </div>
 </div>
 <div class="form-group"> |
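Review bot: The new `htmlspecialchars_decode($params['search'], ENT_QUOTES)` is applied to the raw POST value, but a browser already decodes the entities that the view now emits in the `value` attribute before the form is submitted, so what arrives here is the user's literal text and the call is a second decode: a search containing a literal `&amp;`, `&lt;` or `&#039;` is silently rewritten to `&`, `<` or `'` on every save. The old `urldecode` had the same double-decode shape for `%xx` sequences, so the commit fixes the output-escaping problem but keeps the input-mangling one. Unless some other client is known to submit entity-encoded searches, the decode should be dropped so the stored value is exactly what was typed, i.e. `$params['search'] = $params['search'];` becomes unnecessary and the `if (!empty($params['search']))` block can go; if such a client does exist, note it in a comment at that line, e.g. `// legacy clients POST an entity-encoded search; normalise before storing`. Decoding with `ENT_QUOTES` here while the view encodes with `ENT_COMPAT` is also asymmetric and worth aligning. The enclosing action method starts and ends outside this hunk.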
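Review bot: `htmlspecialchars(..., ENT_COMPAT, 'UTF-8')` returns an empty string when its input is not valid UTF-8 (neither `ENT_SUBSTITUTE` nor `ENT_IGNORE` is set), so a stored search that ever contains an invalid byte sequence renders the field empty and the next save of this form silently wipes the search. For a double-quoted attribute `ENT_COMPAT` is sufficient against attribute break-out, but the flags should be `ENT_QUOTES | ENT_SUBSTITUTE` so malformed input degrades to U+FFFD instead of disappearing: `value="<?= htmlspecialchars($this->query->getSearch(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>"`. Whether `getSearch()` can return `null` (which PHP 8.1+ flags as deprecated when passed to `htmlspecialchars`) is not visible from this hunk and should be confirmed against the query class.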
