diff --git a/lib/ajax/service.php b/lib/ajax/service.php
index ce58f01d026..e72f1650ef2 100644
--- a/lib/ajax/service.php
+++ b/lib/ajax/service.php
@@ -82,6 +82,12 @@ foreach ($requests as $request) {
 $result = call_user_func_array($callable, array_values($params));
+ // Validate the return parameters.
+ if ($externalfunctioninfo->returns_desc !== null) {
+ $callable = array($externalfunctioninfo->classname, 'clean_returnvalue');
+ $result = call_user_func($callable, $externalfunctioninfo->returns_desc, $result);
+ }
+
 $response['error'] = false;
 $response['data'] = $result;
 $responses[$index] = $response;
diff --git a/lib/upgrade.txt b/lib/upgrade.txt
index bc76325580d..e93691cbbd1 100644
--- a/lib/upgrade.txt
+++ b/lib/upgrade.txt
@@ -8,6 +8,9 @@ information provided here is intended especially for developers.
 context_user $context, stdClass $course, context_course $coursecontext)
 * The function notify() now throws a debugging message - see MDL-50269.
+* Ajax calls going through lib/ajax/* now validate the return values before sending
+ the response. If the validation does not pass an exception is raised. This behaviour
+ is consistent with web services.
 === 3.0 ===
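Review bot: When `$externalfunctioninfo->returns_desc` is null the new `if` in lib/ajax/service.php is skipped and the raw `$result` still goes into `$response['data']`, so a function that declares no return structure sends whatever it returned to the browser unfiltered. If a null description is meant to say "returns nothing", close the block with `} else { $result = null; }` so that only validated data leaves this loop. The check also overwrites `$callable`, which held the function just invoked; a separate name such as `$cleaner` would avoid any later use in the loop picking up the wrong target. The `foreach` body starts and ends outside the hunk, so how the exception raised by `clean_returnvalue` is caught and what detail it puts in the response cannot be seen here.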