diff --git a/src/privileges/helpers.js b/src/privileges/helpers.js
index 81659d510d..c332315873 100644
--- a/src/privileges/helpers.js
+++ b/src/privileges/helpers.js
@@ -2,10 +2,12 @@
 'use strict';
 const _ = require('lodash');
+const validator = require('validator');
 const groups = require('../groups');
 const user = require('../user');
 const plugins = require('../plugins');
+const translator = require('../translator');
 const helpers = module.exports;
@@ -126,7 +128,8 @@ helpers.getGroupPrivileges = async function (cid, hookName, groupPrivilegeList)
 memberPrivs[groupPrivileges[x]] = memberSets[x].includes(member);
 }
 return {
- name: member,
+ name: validator.escape(member),
+ nameEscaped: translator.escape(validator.escape(member)),
 privileges: memberPrivs,
 isPrivate: groupData[index] && !!groupData[index].private,
 };
diff --git a/src/socket.io/admin/categories.js b/src/socket.io/admin/categories.js
index b1fa0ee83e..563043ee75 100644
--- a/src/socket.io/admin/categories.js
+++ b/src/socket.io/admin/categories.js
@@ -1,6 +1,7 @@
 'use strict';
 const groups = require('../../groups');
+const user = require('../../user');
 const categories = require('../../categories');
 const privileges = require('../../privileges');
 const plugins = require('../../plugins');
@@ -51,6 +52,14 @@ Categories.setPrivilege = async function (socket, data) {
 if (!data) {
 throw new Error('[[error:invalid-data]]');
 }
+ const [userExists, groupExists] = await Promise.all([
+ user.exists(data.member),
+ groups.exists(data.member),
+ ]);
+
+ if (!userExists && !groupExists) {
+ throw new Error('[[error:no-user-or-group]]');
+ }
 if (Array.isArray(data.privilege)) {
 await Promise.all(data.privilege.map(privilege => groups[data.set ? 'join' : 'leave']('cid:' + data.cid + ':privileges:' + privilege, data.member)));
diff --git a/src/views/admin/partials/categories/privileges.tpl b/src/views/admin/partials/categories/privileges.tpl
index 66874922d5..1e798e4e5e 100644
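Review bot: The `name` field of the returned object silently changes meaning in the getGroupPrivileges hunk: it used to be the raw group name and is now the HTML-escaped form, so any consumer that compares `name` against `member` or feeds it back into a `groups.*` call would see a different string whenever the group name contains a character validator.escape rewrites (such as `&` or `"`) — I cannot see those consumers from here, so this needs checking. If no caller needs the raw value, a comment on the line would stop the next reader from reusing it as a key, e.g. `// name is HTML-escaped for rendering only; never use it to address the group`. The same value is also escaped twice in consecutive lines; `const name = validator.escape(member);` followed by `name,` and `nameEscaped: translator.escape(name),` makes the relationship between the two fields explicit. The body of getGroupPrivileges starts and ends outside the hunk.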
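Review bot: In the Categories.setPrivilege hunk, `data.member` reaches `user.exists` and `groups.exists` with no shape check, so a missing, object or array value depends on whatever those helpers do with an unexpected argument rather than being rejected up front; widening the existing guard to `if (!data || data.member == null || !data.cid) { throw new Error('[[error:invalid-data]]'); }` fails fast before the lookups run. The new check also covers only the member: `data.privilege` is still spliced unvalidated into the `'cid:' + data.cid + ':privileges:' + privilege` key on the line below, so a mistyped or non-string privilege name creates a stray set; validating it against the privilege list the imported `privileges` module exposes would close that. The function body continues past the end of the hunk.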
--- a/src/views/admin/partials/categories/privileges.tpl +++ b/src/views/admin/partials/categories/privileges.tpl @@ -27,7 +27,7 @@
-