diff --git a/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee b/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee index b978a050ad..b1eac64569 100644 --- a/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee +++ b/app/assets/javascripts/admin/taxons/directives/taxon_autocomplete.js.coffee @@ -1,4 +1,4 @@ -angular.module("admin.taxons").directive "ofnTaxonAutocomplete", (Taxons) -> +angular.module("admin.taxons").directive "ofnTaxonAutocomplete", (Taxons, $sanitize) -> # Adapted from Spree's existing taxon autocompletion scope: true link: (scope,element,attrs) -> @@ -18,7 +18,7 @@ angular.module("admin.taxons").directive "ofnTaxonAutocomplete", (Taxons) -> query: (query) -> query.callback { results: Taxons.findByTerm(query.term) } formatResult: (taxon) -> - taxon.name + $sanitize(taxon.name) formatSelection: (taxon) -> taxon.name diff --git a/app/assets/javascripts/admin/taxons/taxons.js.coffee b/app/assets/javascripts/admin/taxons/taxons.js.coffee index 863e6e8125..07de167ccf 100644 --- a/app/assets/javascripts/admin/taxons/taxons.js.coffee +++ b/app/assets/javascripts/admin/taxons/taxons.js.coffee @@ -1 +1 @@ -angular.module("admin.taxons", []) \ No newline at end of file +angular.module("admin.taxons", ['ngSanitize']) \ No newline at end of file diff --git a/app/assets/javascripts/admin/users/directives/user_select.js.coffee b/app/assets/javascripts/admin/users/directives/user_select.js.coffee index bde54fd6d0..787ef2124b 100644 --- a/app/assets/javascripts/admin/users/directives/user_select.js.coffee +++ b/app/assets/javascripts/admin/users/directives/user_select.js.coffee @@ -1,4 +1,4 @@ -angular.module("admin.users").directive "userSelect", -> +angular.module("admin.users").directive "userSelect", ($sanitize) -> scope: user: '&userSelect' model: '=ngModel' 
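Review bot: `formatSelection` in the second taxon_autocomplete hunk still returns `taxon.name` unsanitized, while `formatResult` directly above it now goes through `$sanitize`. If the widget inserts the selection label as markup the same way it does the result label (its configuration is not visible here, so this needs confirming), the selected taxon remains an HTML-injection sink; I would make it `formatSelection: (taxon) -> $sanitize(taxon.name)`. Note also that `$sanitize` keeps allow-listed tags rather than escaping them, so a name containing `<b>` would still render as bold; if names are meant to be plain text, escaping is the tighter fit. The enclosing `link` function starts and ends outside the hunk.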
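Review bot: `userSelect` now injects `$sanitize` in the first user_select hunk, but the only module this commit gives an `ngSanitize` dependency is `admin.taxons`. The `admin.users` module definition is not part of the diff, so the injection resolves only if some other module loaded into the same injector pulls in `ngSanitize`; otherwise the directive fails with an unknown-provider error. I would declare the dependency where it is used, by adding `'ngSanitize'` to the dependency array of `angular.module("admin.users", [...])` alongside whatever it already lists, so the directive does not rely on what is loaded elsewhere.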
@@ -11,9 +11,10 @@ angular.module("admin.users").directive "userSelect", ->
 ajax:
 url: '/admin/search/known_users'
 datatype: 'json'
- data:(term, page) ->
+ data: (term, page) ->
 { q: term }
 results: (data, page) ->
+ item.email = $sanitize(item.email) for item in data
 { results: data }
 formatResult: (user) ->
 user.email
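Review bot: The added loop `item.email = $sanitize(item.email) for item in data` rewrites the response objects in place, so every later consumer of a selected item sees the sanitized, entity-encoded string rather than the real address, not just the dropdown markup. If the selection is bound to the model or submitted (the rest of the directive is outside the hunk), an address containing `&` or non-ASCII characters would presumably be stored or compared in its encoded form. Sanitizing at the point of rendering keeps data and presentation separate and matches what the taxon directive does: drop the loop and use `formatResult: (user) -> $sanitize(user.email)`, with the same treatment for any selection formatter defined further down.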