diff --git a/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php b/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php
index 6a3ba048b1f..7089b28d532 100644
--- a/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php
+++ b/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php
@@ -346,14 +346,14 @@ public function doGetGridColumnConfig(Request $request, Config $config, $isDelet
 $gridConfigId = $savedGridConfig->getId();
 $gridConfig = $savedGridConfig->getConfig();
 $gridConfig = json_decode($gridConfig, true);
-$gridConfigName = $savedGridConfig->getName();
+$gridConfigName = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getName());
 $owner = $savedGridConfig->getOwnerId();
 $ownerObject = User::getById($owner);
 if ($ownerObject instanceof User) {
 $owner = $ownerObject->getName();
 }
 $modificationDate = $savedGridConfig->getModificationDate();
-$gridConfigDescription = $savedGridConfig->getDescription();
+$gridConfigDescription = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getDescription());
 $sharedGlobally = $savedGridConfig->isShareGlobally();
 $setAsFavourite = $savedGridConfig->isSetAsFavourite();
@@ -951,8 +951,8 @@ public function gridSaveColumnConfigAction(Request $request)
 }
 if ($metadata) {
-$gridConfig->setName($metadata['gridConfigName']);
-$gridConfig->setDescription($metadata['gridConfigDescription']);
+$gridConfig->setName(SecurityHelper::convertHtmlSpecialChars($metadata['gridConfigName']));
+$gridConfig->setDescription(SecurityHelper::convertHtmlSpecialChars($metadata['gridConfigDescription']));
 $gridConfig->setShareGlobally($metadata['shareGlobally'] && $this->getAdminUser()->isAdmin());
 $gridConfig->setSetAsFavourite($metadata['setAsFavourite'] && $this->getAdminUser()->isAdmin());
 }
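Review bot: The name and description read here in doGetGridColumnConfig are now HTML-encoded on the way out, but the same commit also encodes them on the way in (gridSaveColumnConfigAction, `@@ -951`), so a stored `&` leaves this hunk as `&amp;amp;` unless convertHtmlSpecialChars is written with `double_encode: false` — its body is not in the diff, so that needs checking. Escaping belongs at exactly one layer; I would keep the database raw and escape where the value meets HTML, which for this JSON-returning controller is the ExtJS side. `$owner = $ownerObject->getName();` a few lines below is user-visible text from the same response and goes out unescaped; if name and description need encoding here, the owner name presumably does too. doGetGridColumnConfig starts before and ends after this hunk.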
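Review bot: Encoding `$metadata['gridConfigName']` before setName() changes what is persisted, so every other consumer of the grid config name (exports, non-HTML contexts, anything reading the entity directly) now receives `&amp;` and friends, and the value posted from the ExtJS dialog has already been through `pimcore.helpers.htmlEncodeTextField` in this same commit, so the stored string can be encoded twice before it is ever rendered. I would store the raw string here (`$gridConfig->setName($metadata['gridConfigName']);`) and keep the escaping on the output side; if anything belongs at write time it is input validation (a non-empty name and a length cap), not output encoding. gridSaveColumnConfigAction continues outside the hunk.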
@@ -968,8 +968,8 @@ public function gridSaveColumnConfigAction(Request $request)
 $settings = $this->getShareSettings($gridConfig->getId());
 $settings['gridConfigId'] = (int)$gridConfig->getId();
-$settings['gridConfigName'] = $gridConfig->getName();
-$settings['gridConfigDescription'] = $gridConfig->getDescription();
+$settings['gridConfigName'] = SecurityHelper::convertHtmlSpecialChars($gridConfig->getName());
+$settings['gridConfigDescription'] = SecurityHelper::convertHtmlSpecialChars($gridConfig->getDescription());
 $settings['shareGlobally'] = $gridConfig->isShareGlobally();
 $settings['setAsFavourite'] = $gridConfig->isSetAsFavourite();
 $settings['isShared'] = $gridConfig->getOwnerId() != $this->getAdminUser()->getId() && !$this->getAdminUser()->isAdmin();
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/element/helpers/gridColumnConfig.js b/bundles/AdminBundle/Resources/public/js/pimcore/element/helpers/gridColumnConfig.js
index 86a8603a0ec..d2ca9d2f56a 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/element/helpers/gridColumnConfig.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/element/helpers/gridColumnConfig.js
@@ -24,7 +24,10 @@ pimcore.element.helpers.gridColumnConfig = {
 fieldLabel: t('name'),
 length: 50,
 allowBlank: false,
-value: this.settings.gridConfigName ? this.settings.gridConfigName : defaultName
+value: this.settings.gridConfigName ? this.settings.gridConfigName : defaultName,
+listeners: {
+change: pimcore.helpers.htmlEncodeTextField
+}
 });
 var descriptionField = new Ext.form.TextArea({
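Review bot: Within gridSaveColumnConfigAction the value stored by `$gridConfig->setName(SecurityHelper::convertHtmlSpecialChars(...))` a few lines earlier (`@@ -951`) is read back through getName() and passed through convertHtmlSpecialChars a second time here, so the `gridConfigName` returned to the dialog in this response is double-encoded for any name containing `&`, `<` or quotes unless the helper sets `double_encode: false` (not visible in the diff). Since the settings array is built from the entity that was just populated, one of the two calls is redundant: either return `$gridConfig->getName()` / `$gridConfig->getDescription()` as stored here, or drop the encode on save and keep this one. The same response is then encoded again by `Ext.util.Format.htmlEncode` in gridColumnConfig.js, so the rendered name should be checked end to end with a name such as `A & B`.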
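Review bot: Attaching `pimcore.helpers.htmlEncodeTextField` as a `change` listener rewrites the field value while the user is typing, so what the name field shows no longer matches what was typed (`&` becomes `&amp;`, and each later change event sees the already-encoded value), and because it runs in the client it is not a security control — the server-side escaping added in DataObjectHelperController is what protects the output, and a hand-crafted request bypasses this listener entirely. I would drop the listener and leave escaping to the server and to the `Ext.util.Format.htmlEncode` calls at render time, or, if the intent is to reject markup in names, use the TextField's `maxLength`/`regex` validation instead of mutating the value. The helper's signature and behaviour are not in the diff, so this reading is inferred from its name. The descriptionField configuration starts on the last line of the hunk and continues outside it.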
@@ -126,9 +129,9 @@ pimcore.element.helpers.gridColumnConfig = {
 for (var i = 0; i < list.length; i++) {
 var disabled = false;
 var config = list[i];
-var text = config["name"];
+let text = `${Ext.util.Format.htmlEncode(config["name"])}`;
 if (config.id == this.settings.gridConfigId) {
-text = this.settings.gridConfigName;
+text = Ext.util.Format.htmlEncode(this.settings.gridConfigName);
 if (!onlyConfigs) {
 text = "" + text + "";
 disabled = true;
diff --git a/lib/Security/SecurityHelper.php b/lib/Security/SecurityHelper.php
index 4ba989380af..bc1f9f537c4 100644
--- a/lib/Security/SecurityHelper.php
+++ b/lib/Security/SecurityHelper.php
@@ -15,6 +15,9 @@
 namespace Pimcore\Security;
 
+/**
+ * @internal
+ */
 class SecurityHelper
 {
 public static function convertHtmlSpecialChars(?string $text): ?string
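Review bot: `let text = \`${Ext.util.Format.htmlEncode(config["name"])}\`;` wraps an already-string result in a template literal to no effect; write `let text = Ext.util.Format.htmlEncode(config["name"]);`, and either keep `var` like the rest of the loop or convert the whole loop, not one declaration. More importantly, `this.settings.gridConfigName` arrives from doGetGridColumnConfig already HTML-encoded by this same commit (`SecurityHelper::convertHtmlSpecialChars`), so encoding it again here renders `&amp;` for a name containing `&`. This is the right place to escape, since `text` is concatenated into markup on the `text = "" + text + ""` line (the surrounding tags appear stripped in this rendering of the diff), so I would keep these calls and have the server send the raw name. The loop body continues past the hunk.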
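Review bot: The class gains `@internal`, but convertHtmlSpecialChars itself, which this diff now calls from six sites in DataObjectHelperController, still has no docblock stating its contract, and with escaping applied at several layers the one thing callers need to know is whether it re-encodes existing entities. I would document the method along the lines of `/** Escapes $text for an HTML context. Already-encoded entities are encoded again, so apply once, at output. Null in, null out. */`, adjusting the wording to what the body — which lies outside this hunk — actually does, and naming the flags and charset it passes to htmlspecialchars so callers can rely on attribute-safe (`ENT_QUOTES`) output. The `?string` return type suggests null passes through, but that is not visible here.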