diff --git src/bp-members/bp-members-template.php src/bp-members/bp-members-template.php
index 345d9e5..ca83258 100644
--- src/bp-members/bp-members-template.php
+++ src/bp-members/bp-members-template.php
@@ -462,6 +462,10 @@ function bp_has_members( $args = '' ) {
 			$search_terms = false;
 	}
 
+	if ( ! empty( $search_terms ) ) {
+		$search_terms = htmlentities2( $search_terms );
+	}
+
 	// Set per_page to max if max is larger than per_page
 	if ( !empty( $max ) && ( $per_page > $max ) )
 		$per_page = $max;
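Review bot: The added `htmlentities2()` call rewrites the search term before it reaches the member query rather than escaping it at the point of output, so a term containing `&`, `'`, `"` or `<` is sent to the query in entity-encoded form and will presumably no longer match stored values that hold the raw characters — verify against how display names and xprofile data are stored. If the goal is to neutralise the term before it is echoed back into the search field or the URL, the escape belongs at that echo site (`esc_attr()` / `esc_html()`), leaving `$search_terms` untouched for the query. At minimum the block should state its intent, e.g. `// Entity-encode the term so it is safe to echo back; note this also changes what is matched by the query.` bp_has_members() continues outside this hunk, so I cannot see which consumers of `$search_terms` follow.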
diff --git src/bp-templates/bp-legacy/buddypress-functions.php src/bp-templates/bp-legacy/buddypress-functions.php
index 8e621a5..8690958 100644
--- src/bp-templates/bp-legacy/buddypress-functions.php
+++ src/bp-templates/bp-legacy/buddypress-functions.php
@@ -535,7 +535,7 @@ function bp_legacy_theme_ajax_querystring( $query_string, $object ) {
 
 	$object_search_text = bp_get_search_default_text( $object );
  	if ( ! empty( $_POST['search_terms'] ) && $object_search_text != $_POST['search_terms'] && 'false' != $_POST['search_terms'] && 'undefined' != $_POST['search_terms'] )
-		$qs[] = 'search_terms=' . $_POST['search_terms'];
+		$qs[] = 'search_terms=' . urlencode( $_POST['search_terms'] );
 
 	// Now pass the querystring to override default values.
 	$query_string = empty( $qs ) ? '' : join( '&', (array) $qs );
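Review bot: `urlencode()` is now applied to `$_POST['search_terms']` directly, but the value is still unvalidated raw request input: a crafted request can send it as an array, which makes `urlencode()` throw a `TypeError` on PHP 8 (a warning on PHP 7), and because WordPress slashes `$_POST`, a term like `O'Brien` is encoded with its backslash and sent to the query as `O\'Brien`. Read it once into a local with a type check and `wp_unslash()`, then compare and encode that local: `$search_terms = isset( $_POST['search_terms'] ) && is_string( $_POST['search_terms'] ) ? wp_unslash( $_POST['search_terms'] ) : '';` followed by `if ( ! empty( $search_terms ) && $object_search_text != $search_terms && 'false' != $search_terms && 'undefined' != $search_terms )` and `$qs[] = 'search_terms=' . urlencode( $search_terms );`. The loose `!=` comparisons on the condition line predate this change but would be worth tightening to `!==` while the line is being touched. bp_legacy_theme_ajax_querystring() continues outside this hunk.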
