diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
index 20f33f3..222a96c 100644
--- a/ldapauthenticator/ldapauthenticator.py
+++ b/ldapauthenticator/ldapauthenticator.py
@@ -258,7 +258,7 @@ def resolve_username(self, username_supplied_by_user):
 search_filter = self.lookup_dn_search_filter.format(
 login_attr=self.user_attribute,
- login=username_supplied_by_user,
+ login=escape_filter_chars(username_supplied_by_user),
 )
 self.log.debug(
 "Looking up user with:\n",
@@ -392,7 +392,7 @@ def authenticate(self, handler, data):
 if self.search_filter:
 search_filter = self.search_filter.format(
- userattr=self.user_attribute, username=username
+ userattr=self.user_attribute, username=escape_filter_chars(username)
 )
 conn.search(
 search_base=self.user_search_base,
@@ -424,7 +424,10 @@ def authenticate(self, handler, data):
 "(memberUid={uid})"
 ")"
 )
- group_filter = group_filter.format(userdn=userdn, uid=username)
+ group_filter = group_filter.format(
+ userdn=escape_filter_chars(userdn),
+ uid=escape_filter_chars(username),
+ )
 group_attributes = ["member", "uniqueMember", "memberUid"]
 found = conn.search(
 group,
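Review bot: The `escape_filter_chars` name used in the added `login=` line has no import visible in this diff; if the `from ldap3.utils.conv import escape_filter_chars` line is not added in a hunk outside this chunk, `resolve_username` fails at the first lookup. The escaping itself is the right fix for user-controlled text entering an LDAP search filter, but the intent is not recorded at the call site; I would add `# RFC 4515 filter escaping: the login name is user input and must not be able to alter the filter structure` above the `search_filter =` assignment. Note that `login_attr` stays unescaped, which is fine as long as `user_attribute` remains operator configuration rather than request data. The body of `resolve_username` starts and continues outside this hunk.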
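Review bot: Filter escaping in the new `username=escape_filter_chars(username)` line covers only the `search_filter` template; anywhere in `authenticate` that substitutes `username` into a DN (a bind-DN template, for example) needs RFC 4514 DN escaping instead, since filter escaping (`\2a`-style hex) is not valid DN syntax, so it is worth confirming those paths are handled separately. It is also unclear from the hunk whether `username` here is the raw login or the value already normalised earlier in the method; a short comment stating which one is escaped would prevent a later refactor from double-escaping. `authenticate` begins before and ends after this hunk.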
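Review bot: Escaping `userdn` in the new `group_filter.format(` call is correct but non-obvious, because `userdn` is a value returned by the directory rather than typed by the user; a reader may later "simplify" it away. I would add `# userdn is a DN string from the directory; DN syntax permits '(', ')', '*' and '\' so it must still be filter-escaped before being used as an assertion value` above the call. A regression test pinning the escaping for both arguments (a username containing `*`, `(`, `)` and `\`, and a DN with an escaped comma) would make the fix durable; the same holds for the two earlier hunks. `authenticate` continues outside this hunk.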