diff --git a/e107_handlers/e_parse_class.php b/e107_handlers/e_parse_class.php
index 867afdbb0..f93a1a69b 100644
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@@ -4800,8 +4800,17 @@ class e_parse
 /**
 * Filters/Validates using the PHP5 filter_var() method.
+ *
 * @param string|array $text
- * @param string $type string str|int|email|url|w|wds|file
+ * @param string $type str|int|email|url|w|wds|file
+ *
+ * If the type is "str" (default), HTML tags are stripped, and quotation marks are escaped for
+ * HTML with the intention of making the string safe to use in both concatenated SQL queries and
+ * HTML code.
+ *
+ * Despite the intention, strings returned by this function should still be specified as values
+ * in SQL prepared statements or surrounded by {@see mysqli_real_escape_string()} if the string
+ * is to be written to the database.
 * @return string|boolean| array
 */
 public function filter($text, $type = 'str', $validate = false)
@@ -4859,7 +4868,10 @@ class e_parse
 {
 $filterTypes = array(
 'int' => FILTER_SANITIZE_NUMBER_INT,
- 'str' => function($input) { return strip_tags($input); },
+ 'str' => function($input)
+ {
+ return htmlspecialchars(strip_tags($input), ENT_QUOTES);
+ },
 'email' => FILTER_SANITIZE_EMAIL,
 'url' => FILTER_SANITIZE_URL,
 'enc' => FILTER_SANITIZE_ENCODED
diff --git a/e107_tests/tests/unit/e_parseTest.php b/e107_tests/tests/unit/e_parseTest.php
index 18aedb6ec..76f5b9e68 100644
--- a/e107_tests/tests/unit/e_parseTest.php
+++ b/e107_tests/tests/unit/e_parseTest.php
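Review bot: The new docblock paragraph says the quotation-mark escaping is intended to make the value safe in concatenated SQL, but it never states why that intention fails: htmlspecialchars() leaves backslashes and NUL bytes untouched, so a value ending in a backslash can still terminate a quoted SQL literal, which is the concrete reason the prepared-statement advice in the next paragraph is mandatory rather than optional. Suggest replacing `* Despite the intention, strings returned by this function should still be specified as values` with `* Backslashes and NUL bytes are left intact, so the result is NOT safe to concatenate into SQL; always pass it as a value` so the reader sees the limitation rather than a vague "despite". The paragraph should also mention that already-escaped input is encoded again (`&amp;` becomes `&amp;amp;`), since callers that re-sanitise stored values will notice. The documented method body is in the later hunk and continues outside it.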
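Review bot: The new `htmlspecialchars(strip_tags($input), ENT_QUOTES)` line passes neither ENT_SUBSTITUTE nor an explicit charset, so input that is not valid in the default charset (presumably UTF-8) makes htmlspecialchars() return an empty string and the whole value is silently discarded instead of sanitised; `return htmlspecialchars(strip_tags($input), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` keeps such values with U+FFFD substitution and makes the encoding independent of ini settings. The call also double-encodes input that already contains entities, which matters if values stored escaped are passed back through the 'str' filter by sanitizeValue(); whether the fourth `double_encode` argument should be false needs checking against those callers. The enclosing method and the `$filterTypes` array both start and end outside this hunk.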
@@ -2589,7 +2589,22 @@ Your browser does not support the audio tag.
 }
+ /**
+ * e107 v0.6.0 requires strings to be passed around with quotation marks escaped for HTML as a way to prevent
+ * both SQL injection and cross-site scripting. Although {@see e_parse::toDB()} is supposed to do that, some
+ * usages, specifically {@see e_front_model::sanitizeValue()} call {@see e_parse::filter()} instead.
+ *
+ * @version 2.3.1
+ */
+ public function testFilterStr()
+ {
+ $input = "\"e107's\"";
+ $expected = ""e107's"";
+ $actual = $this->tp->filter($input, 'str');
+
+ $this->assertEquals($expected, $actual);
+ }
 public function testCleanHtml()
 {
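Review bot: As rendered here the `$expected = ""e107's"";` line is two adjacent string literals, which is not valid PHP, so this looks like the page having decoded `&quot;`/`&#039;` entities; confirm the committed source reads `$expected = "&quot;e107&#039;s&quot;";`, since that is the only literal that actually verifies ENT_QUOTES escaping of both quote characters. The test covers only the quote case; a second input containing `<b>` and `&amp;` would pin down the strip_tags step and document whether already-escaped input is double-encoded by the new filter. Prefer `$this->assertSame($expected, $actual);` over assertEquals for a string result so a non-string return (the docblock allows boolean|array) fails instead of being coerced.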