diff --git a/api/classes/organizr.class.php b/api/classes/organizr.class.php
index c0143590b..d9ba9d791 100644
--- a/api/classes/organizr.class.php
+++ b/api/classes/organizr.class.php
@@ -5149,6 +5149,8 @@ public function addTab($array)
 if (!array_key_exists('image', $array)) {
 $this->setAPIResponse('error', 'Tab image was not supplied', 422);
 return false;
+ } else {
+ $array['image'] = $this->sanitizeUserString($array['image']);
 }
 $response = [
 array(
@@ -5197,6 +5199,9 @@ public function updateTab($id, $array)
 $this->clearTabDefault();
 }
 }
+ if (array_key_exists('image', $array)) {
+ $array['image'] = $this->sanitizeUserString($array['image']);
+ }
 if (array_key_exists('group_id', $array)) {
 $groupCheck = (array_key_exists('group_id_max', $array)) ? $array['group_id_max'] : $tabInfo['group_id_max'];
 if ($array['group_id'] < $groupCheck) {
@@ -6782,6 +6787,7 @@ public function updateGroup($id, $array)
 $this->setAPIResponse('error', 'Image was set but empty', 409);
 return false;
 }
+ $array['image'] = $this->sanitizeUserString($array['image']);
 }
 if (array_key_exists('default', $array)) {
 if ($groupInfo['group_id'] == 0 || $groupInfo['group_id'] == 999) {
@@ -6868,6 +6874,7 @@ public function addGroup($array)
 $this->setAPIResponse('error', 'Group image cannot be empty', 422);
 return false;
 }
+ $array['image'] = $this->sanitizeUserString($array['image']);
 } else {
 $this->setAPIResponse('error', 'Group image was not supplied', 422);
 return false;
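Review bot: The added `sanitizeUserString()` call in addTab cleans the image value only at write time, so whether it closes the injection path depends on what that helper strips and on how the image is later rendered, neither of which is visible in this hunk. If the value ends up in an `src` or `style` attribute, I would also validate it here as a path or URL with an allowed scheme and encode it at output, since rows stored before this change are not touched by it. The same applies to the updateTab, updateGroup and addGroup hunks. As a style matter the `else` after `return false;` is redundant; the assignment can follow the closing brace directly. addTab's body continues outside the hunk.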
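Review bot: The new block in updateTab hands `$array['image']` to the helper without checking that it is a string or that it is non-empty, whereas the group functions reject an empty image before sanitizing. Unless updateTab validates the field somewhere outside this hunk, I would add a guard such as `if (!is_string($array['image']) || $array['image'] === '') { $this->setAPIResponse('error', 'Tab image cannot be empty', 422); return false; }` before the assignment. A comment on the block, e.g. `// image is user-supplied and is rendered in the UI; sanitize before storing`, would also tell the next maintainer why this field is treated differently.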
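Review bot: In updateGroup the new sanitize line runs after the 'Image was set but empty' check, so a value that the helper reduces to an empty string would presumably still be stored as an empty image. The addGroup hunk has the same ordering after its 'Group image cannot be empty' check. I would sanitize first and test emptiness on the result, i.e. move `$array['image'] = $this->sanitizeUserString($array['image']);` above the emptiness test in both functions. The condition of that test starts outside the hunk, so confirm what it actually compares.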