diff --git a/scripts/pi-hole/js/groups-clients.js b/scripts/pi-hole/js/groups-clients.js
index 07432638..268017d5 100644
--- a/scripts/pi-hole/js/groups-clients.js
+++ b/scripts/pi-hole/js/groups-clients.js
@@ -260,7 +260,7 @@ function initTable() {
 }
 function addClient() {
- var ip = $("#select").val().trim();
+ var ip = utils.escapeHtml($("#select").val().trim());
 var comment = utils.escapeHtml($("#new_comment").val());
 utils.disableAll();
@@ -385,7 +385,7 @@ function editClient() {
 function deleteClient() {
 var tr = $(this).closest("tr");
 var id = tr.attr("data-id");
- var ip = tr.find("#ip_" + id).text();
+ var ip = utils.escapeHtml(tr.find("#ip_" + id).text());
 var name = utils.escapeHtml(tr.find("#name_" + id).text());
 if (name.length > 0) {
diff --git a/scripts/pi-hole/php/groups.php b/scripts/pi-hole/php/groups.php
index c7d61d81..29b8b5c8 100644
--- a/scripts/pi-hole/php/groups.php
+++ b/scripts/pi-hole/php/groups.php
@@ -347,6 +347,8 @@ if ($_POST['action'] == 'get_groups') {
 }
 foreach ($ips as $ip) {
+ // Encode $ip variable to prevent XSS
+ $ip = htmlspecialchars($ip);
 // Silently skip this entry when it is empty or not a string (e.g. NULL)
 if(!is_string($ip) || strlen($ip) == 0) {
 continue;
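Review bot: Wrapping the submitted `ip` in `utils.escapeHtml` in `addClient` encodes the value on input rather than where it is rendered, so any client entry containing `&`, `<`, `>` or quotes would be sent to the backend already entity-encoded, and the `htmlspecialchars` added to groups.php in this same commit would then encode it a second time (`&` becoming `&amp;amp;`). A client entry here is an address, CIDR, MAC, hostname or interface name, so the fix that does not alter stored data is to keep `var ip = $("#select").val().trim();` raw, validate it against that narrow grammar (on the server at minimum), and apply `utils.escapeHtml` only on the copy that is interpolated into DOM markup. The same input-vs-output encoding concern applies to the `deleteClient` hunk below. The body of `addClient`, including where `ip` is used, continues outside this hunk, so whether it is posted or only displayed is inferred.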
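Review bot: In `deleteClient` the value is read with `.text()`, which already yields the decoded cell text, so if the escaped `ip` is later sent in the delete request to identify the client (that part of the body is outside this hunk), the entity-encoded form will not match a stored value containing `&`, `<`, `>` or quotes and the delete would silently target nothing. Keep the raw value for the request and escape only at the display site: `var ip = tr.find("#ip_" + id).text();` with `utils.escapeHtml(ip)` used where it is written into the confirmation markup. If `ip` is used solely for display, a comment saying so (`// display-only copy; the request uses the row id`) would make the intent clear to the next reader.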
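Review bot: `$ip = htmlspecialchars($ip);` runs before the `is_string`/`strlen` guard on the following line, so a non-string entry — the NULL case the existing comment mentions, or an array — reaches `htmlspecialchars` first, where on PHP 8 NULL is coerced to `""` with a deprecation notice and an array throws a TypeError instead of being silently skipped as intended. Move the encoding below the guard: `if(!is_string($ip) || strlen($ip) == 0) { continue; }` then `$ip = htmlspecialchars($ip);`. Note also that without `ENT_SUBSTITUTE` an invalid UTF-8 sequence makes `htmlspecialchars` return an empty string, which would then hit the empty check and drop the entry with no error; and encoding before storage means the database holds entity-encoded client names that no later output path may encode again, whereas validating the raw value against the expected address/MAC/hostname/interface grammar here and encoding at output is the conventional fix. The foreach body continues outside this hunk.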