diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..5915114dc5
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+
+
+
+
+- [Security Policy](#security-policy)
+ - [Supported Versions](#supported-versions)
+ - [Reporting a Vulnerability](#reporting-a-vulnerability)
+
+
+
+# Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities. Which versions are eligible
+receiving such patches depend on the CVSS v3.0 Rating:
+
+| CVSS v3.0 | Supported Versions |
+| --------- | -------------------------------------------------- |
+| 7.3 | 3.5.5 |
+
+## Reporting a Vulnerability
+
+Please report (suspected) security vulnerabilities to
+**[jekkos](mailto:jekkos@opensourcepos.org)**. You will receive a response from
+us within 48 hours. If the issue is confirmed, we will release a patch as soon
+as possible depending on complexity but historically within a few days.
diff --git a/application/controllers/Attributes.php b/application/controllers/Attributes.php
index 8a07a32f09..22fc607afb 100644
--- a/application/controllers/Attributes.php
+++ b/application/controllers/Attributes.php
@@ -24,7 +24,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? definition.definition_name : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $attributes = $this->Attribute->search($search, $limit, $offset, $sort, $order);
@@ -189,4 +189,4 @@ public function delete()
 echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('attributes_definition_cannot_be_deleted')));
 }
 }
-}
\ No newline at end of file
+}
diff --git a/application/controllers/Cashups.php b/application/controllers/Cashups.php
index fe295bc971..57b598d943 100644
--- a/application/controllers/Cashups.php
+++ b/application/controllers/Cashups.php
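Review bot: The new `$sort` line tests `$this->input->post('sort')` but then reads `$this->input->get('sort')`, so on the GET requests that carry these parameters the ternary always takes the default branch and the requested sort is silently dropped, while a request that happens to carry a POST `sort` hands whatever GET holds (including NULL) to the model; the same mismatch is repeated in the Cashups, Customers, Employees, Expenses, Expenses_categories, Giftcards, Item_kits, Items, Sales, Suppliers, Tax_categories, Tax_codes, Tax_jurisdictions and Taxes hunks, and search() starts and ends outside every one of them. `$this->db->escape()` is also the wrong tool for a value the model presumably uses as an ORDER BY column: it returns a quoted string literal, so the query would order by a constant rather than by the column, and a column name taken from the request is made safe by allow-listing it against the columns the model supports, not by escaping it. In this hunk the default `definition.definition_name` is unquoted, which PHP parses as two bare constants joined with `.`, and should be the string `'definition.definition_name'`; the `LAST_NAME` and `NAME` defaults in the Customers, Employees, Item_kits, Items and Suppliers hunks are presumably project constants, but that is not visible here and is worth confirming. A shape that addresses all three, with `$allowed_sort_columns` standing for the list of column names Attribute::search accepts, is `$sort = $this->input->get('sort'); $sort = in_array($sort, $allowed_sort_columns, TRUE) ? $sort : 'definition.definition_name';`. `$order` still reaches the model unvalidated and needs the same treatment, e.g. `$order = strtolower((string) $this->input->get('order')) === 'desc' ? 'desc' : 'asc';`.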
@@ -25,7 +25,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? 'cashup_id' : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 $filters = array(
 'start_date' => $this->input->get('start_date'),
diff --git a/application/controllers/Customers.php b/application/controllers/Customers.php
index 5f446da762..32205515e3 100644
--- a/application/controllers/Customers.php
+++ b/application/controllers/Customers.php
@@ -58,7 +58,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? LAST_NAME : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $customers = $this->Customer->search($search, $limit, $offset, $sort, $order);
diff --git a/application/controllers/Employees.php b/application/controllers/Employees.php
index d101dc75ca..06c0239b7e 100644
--- a/application/controllers/Employees.php
+++ b/application/controllers/Employees.php
@@ -17,7 +17,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? LAST_NAME : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $employees = $this->Employee->search($search, $limit, $offset, $sort, $order);
diff --git a/application/controllers/Expenses.php b/application/controllers/Expenses.php
index f419bf6225..fcc61f86be 100644
--- a/application/controllers/Expenses.php
+++ b/application/controllers/Expenses.php
@@ -30,7 +30,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? 'expense_id' : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 $filters = array(
 'start_date' => $this->input->get('start_date'),
diff --git a/application/controllers/Expenses_categories.php b/application/controllers/Expenses_categories.php
index e7af652608..1fc68599f4 100644
--- a/application/controllers/Expenses_categories.php
+++ b/application/controllers/Expenses_categories.php
@@ -24,7 +24,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? 'category_name' : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $expense_categories = $this->Expense_category->search($search, $limit, $offset, $sort, $order);
diff --git a/application/controllers/Giftcards.php b/application/controllers/Giftcards.php
index a988361b8e..ef1e97fdc3 100644
--- a/application/controllers/Giftcards.php
+++ b/application/controllers/Giftcards.php
@@ -24,7 +24,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? 'giftcard_number' : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $giftcards = $this->Giftcard->search($search, $limit, $offset, $sort, $order);
diff --git a/application/controllers/Item_kits.php b/application/controllers/Item_kits.php
index 3349a14f79..1ba2c8abf1 100644
--- a/application/controllers/Item_kits.php
+++ b/application/controllers/Item_kits.php
@@ -59,7 +59,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? NAME : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $item_kits = $this->Item_kit->search($search, $limit, $offset, $sort, $order);
diff --git a/application/controllers/Items.php b/application/controllers/Items.php
index 3526d99762..68f7c7cdea 100644
--- a/application/controllers/Items.php
+++ b/application/controllers/Items.php
@@ -40,7 +40,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? NAME : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $this->item_lib->set_item_location($this->input->get('stock_location'));
diff --git a/application/controllers/Sales.php b/application/controllers/Sales.php
index 2bdf80a907..ce3cd610d3 100644
--- a/application/controllers/Sales.php
+++ b/application/controllers/Sales.php
@@ -54,10 +54,10 @@ public function get_row($row_id)
 public function search()
 {
 $search = $this->input->get('search');
- $limit = $this->input->get('limit');
+ $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
- $order = $this->input->get('order');
+ $sort = $this->input->post('sort') === NULL ? 'sales.sale_time' : $this->db->escape($this->input->get('sort'));
+ $order = $this->input->get('order');
 
 $filters = array('sale_type' => 'all',
 'location_id' => 'all',
diff --git a/application/controllers/Suppliers.php b/application/controllers/Suppliers.php
index 36b6f58ee2..54deeaec54 100644
--- a/application/controllers/Suppliers.php
+++ b/application/controllers/Suppliers.php
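Review bot: In the Sales::search hunk the `$limit` and `$order` lines are removed and re-added with no visible change other than whitespace, which pads a fix that alters how `$sort` reaches the query with churn a reviewer has to rule out line by line before seeing the one line that matters. Leave those two lines untouched, or move the re-indentation into its own commit so the security-relevant diff stays minimal. search() ends outside the hunk.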
@@ -35,7 +35,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? LAST_NAME : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $suppliers = $this->Supplier->search($search, $limit, $offset, $sort, $order);
diff --git a/application/controllers/Tax_categories.php b/application/controllers/Tax_categories.php
index 952b166dfc..453ff4776a 100644
--- a/application/controllers/Tax_categories.php
+++ b/application/controllers/Tax_categories.php
@@ -25,7 +25,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? 'tax_category' : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $tax_categories = $this->Tax_category->search($search, $limit, $offset, $sort, $order);
diff --git a/application/controllers/Tax_codes.php b/application/controllers/Tax_codes.php
index af21db6968..68b3727128 100644
--- a/application/controllers/Tax_codes.php
+++ b/application/controllers/Tax_codes.php
@@ -29,7 +29,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? 'tax_code_name' : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $tax_codes = $this->Tax_code->search($search, $limit, $offset, $sort, $order);
diff --git a/application/controllers/Tax_jurisdictions.php b/application/controllers/Tax_jurisdictions.php
index 7059f7bcf7..53ed549312 100644
--- a/application/controllers/Tax_jurisdictions.php
+++ b/application/controllers/Tax_jurisdictions.php
@@ -25,7 +25,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? 'jurisdiction_name' : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $tax_jurisdictions = $this->Tax_jurisdiction->search($search, $limit, $offset, $sort, $order);
diff --git a/application/controllers/Taxes.php b/application/controllers/Taxes.php
index c4adc08d87..da52500a1f 100644
--- a/application/controllers/Taxes.php
+++ b/application/controllers/Taxes.php
@@ -57,7 +57,7 @@ public function search()
 $search = $this->input->get('search');
 $limit = $this->input->get('limit');
 $offset = $this->input->get('offset');
- $sort = $this->input->get('sort');
+ $sort = $this->input->post('sort') === NULL ? 'tax_code_name' : $this->db->escape($this->input->get('sort'));
 $order = $this->input->get('order');
 
 $tax_rates = $this->Tax->search($search, $limit, $offset, $sort, $order);