diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..6a7fc201fa4525801a723016a7383732c91e10c4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.env
+htmlcov
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index 388364c4ad5e891554a2c03ca69566a1db8dc725..5557b7fdaf837a0d78f6bb5254fc9db1c90d8044 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -2,9 +2,16 @@
 ''''[ -z $LOG ] && export LOG=/dev/stdout # '''
 ''''which python  >/dev/null && exec python  -u "$0" "$@" >> $LOG 2>&1 # '''
 
-# Copyright (C) 2014-2015 Nginx, Inc.
+# Copyright (C) 2014-2022 Nginx, Inc.
+
+import sys
+import os
+import signal
+import base64
+import ldap
+from ldap.filter import escape_filter_chars
+import argparse
 
-import sys, os, signal, base64, ldap, argparse
 if sys.version_info.major == 2:
     from Cookie import BaseCookie
     from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
@@ -23,6 +30,7 @@ if not hasattr(__builtins__, "basestring"): basestring = (str, bytes)
 # -----------------------------------------------------------------------------
 # Requests are processed in separate thread
 import threading
+
 if sys.version_info.major == 2:
     from SocketServer import ThreadingMixIn
 elif sys.version_info.major == 3:
@@ -88,9 +96,9 @@ class AuthHandler(BaseHTTPRequestHandler):
         except:
             self.auth_failed(ctx)
             return True
-
-        ctx['user'] = user
+       
         ctx['pass'] = passwd
+        ctx['user'] = ldap.filter.escape_filter_chars(user)
 
         # Continue request processing
         return False
@@ -228,7 +236,7 @@ class LDAPAuthHandler(AuthHandler):
             ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
 
             ctx['action'] = 'preparing search filter'
-            searchfilter = ctx['template'] % { 'username': ctx['user'] }
+            searchfilter = ctx['template'] % {'username': ctx['user']}
 
             self.log_message(('searching on server "%s" with base dn ' + \
                               '"%s" with filter "%s"') %
diff --git a/t/README b/t/README.md
similarity index 93%
rename from t/README
rename to t/README.md
index deff24dd047ed2585982af810a3e52c032cc1f18..74e8e5f81918b26ab05c6831f12e67ca775ac775 100644
--- a/t/README
+++ b/t/README.md
@@ -1,12 +1,16 @@
 To run tests use supplied Dockerfile.test:
 
-docker build -f Dockerfile.test -t my-tag
+```shell
+docker build -t my-tag -f Dockerfile.test .
+```
 
 If you desire to use a container with Python3, you can supply an appropriate
 build argument:
 
+```shell
 docker build -f Dockerfile.test -t my-tag --build-arg PYTHON_VERSION=3 .
 docker run my-tag
+```
 
 To run without Docker:
 
diff --git a/t/ldap-auth.t b/t/ldap-auth.t
index 5c5648b2599b892b5e4794187a3edbb31a42093c..732ae60f0968a7ec64facda07b65237b41684052 100644
--- a/t/ldap-auth.t
+++ b/t/ldap-auth.t
@@ -105,6 +105,15 @@ http {
             proxy_pass http://backend/;
         }
 
+        location /query-injection {
+            auth_request /auth-query-injection;
+	    
+	    error_page 401 =200 /login;
+	    
+	    proxy_pass http://backend/;
+       
+        }
+
         location /login {
             proxy_pass http://backend/login;
 
@@ -221,6 +230,24 @@ http {
             proxy_set_header Cookie nginxauth=$cookie_nginxauth;
         }
 
+        location = /auth-query-injection {
+            internal;
+
+            proxy_pass http://127.0.0.1:8888;
+
+            proxy_pass_request_body off;
+            proxy_set_header Content-Length "";
+
+            proxy_set_header X-Ldap-URL      "ldap://127.0.0.1:8083";
+            proxy_set_header X-Ldap-BaseDN   "ou=Users,dc=test,dc=local";
+            proxy_set_header X-Ldap-BindDN   "cn=root,dc=test,dc=local";
+            proxy_set_header X-Ldap-BindPass "secret";
+           
+            proxy_set_header X-CookieName "nginxauth";
+            proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+	    
+            proxy_set_header X-Ldap-Template '(|(&(memberOf=superadmin)(cn=%(username)s))(&(memberOf=admin)(cn=%(username)s)))';
+        }
     }
 }
 
@@ -321,7 +348,7 @@ EOF
 $t->write_file_expand("initial.ldif", <<'EOF');
 dn: dc=test,dc=local
 dc: test
-description: BlaBlaBla
+description: Test-OU
 objectClass: dcObject
 objectClass: organization
 o: Example, Inc.
@@ -333,7 +360,7 @@ objectclass: organizationalunit
 
 dn: cn=user1,ou=Users,dc=test,dc=local
 objectclass: inetOrgPerson
-cn: User number one
+cn: User1
 sn: u1
 uid: user1
 userpassword: user1secret
@@ -343,7 +370,7 @@ ou: Users
 
 dn: cn=user2,ou=Users,dc=test,dc=local
 objectclass: inetOrgPerson
-cn: User number one
+cn: User2
 sn: u2
 uid: user2
 userpassword: user2secret
@@ -353,7 +380,7 @@ ou: Users
 
 dn: cn=user3,ou=Users,dc=test,dc=local
 objectclass: inetOrgPerson
-cn: User number one
+cn: User3
 sn: u3
 uid: user3
 userpassword: user3secret
@@ -378,13 +405,13 @@ objectclass: organizationalunit
 
 dn: ou=more,ou=Users,dc=test,dc=local
 dc: test
-description: BlaBlaBla
+description: Test-OU
 objectClass: dcObject
 objectClass: organizationalUnit
 
 dn: cn=user4, ou=more, ou=Users,dc=test,dc=local
 objectclass: inetOrgPerson
-cn: User number one
+cn: User4
 sn: u4
 uid: user4
 userpassword: user4secret
@@ -441,7 +468,7 @@ $t->run_daemon('/bin/sh', "$d/auth_daemon.sh");
 $t->waitforsocket('127.0.0.1:' . port(8888))
 	or die "Can't start auth daemon";
 
-$t->plan(21);
+$t->plan(22);
 
 $t->run();
 
@@ -500,10 +527,17 @@ like(http_get_auth('/ref1', 'user4', 'user4secret'), qr!LOGIN PAGE!,
 	'server2 user via referral on server1');
 
 # unknown user on referred server, result is empty dn
-like(http_get_auth('/ref1', 'userx', 'blah'), qr!LOGIN PAGE!,
+like(http_get_auth('/ref1', 'unknow_user', 'unknowpassword'), qr!LOGIN PAGE!,
 	'unknown user with referral on server1');
 
 
+# LDAP Query Injection result in 401
+like(http_get_auth('/query-injection', 'user1))(|(cn=user1', 'user1secret'), qr!LOGIN PAGE!,
+	'Injection Attempt in Username will be escaped and blocked.');
+
+
+
+
 ###############################################################################
 
 sub http_get_auth {