diff --git a/app/Http/Controllers/ProfilesController.php b/app/Http/Controllers/ProfilesController.php
index 42c160ce..efe96a62 100644
--- a/app/Http/Controllers/ProfilesController.php
+++ b/app/Http/Controllers/ProfilesController.php
@@ -11,6 +11,7 @@
 use App\Helpers\Contracts\LdapHelperContract;
 use App\Http\Requests\ProfileBannerImageRequest;
 use App\Http\Requests\ProfileImageRequest;
+use App\Http\Requests\ProfileSearchRequest;
 use App\Http\Requests\ProfileUpdateRequest;
 use App\School;
 use Illuminate\Contracts\View\View as ViewContract;
@@ -67,9 +68,11 @@ public function __construct()
 /**
 * Display a listing of profiles.
 */
- public function index(Request $request): View|ViewContract|RedirectResponse
+ public function index(ProfileSearchRequest $request): View|ViewContract|RedirectResponse
 {
- $search = $request->input('search');
+ $input_search = $request->input('search');
+
+ $search = htmlspecialchars($input_search, FILTER_FLAG_NO_ENCODE_QUOTES);

 /** @var EloquentCollection */
 $profiles = Profile::where('full_name', 'LIKE', "%$search%")
diff --git a/app/Http/Requests/ProfileSearchRequest.php b/app/Http/Requests/ProfileSearchRequest.php
new file mode 100644
index 00000000..af9de6c4
--- /dev/null
+++ b/app/Http/Requests/ProfileSearchRequest.php
@@ -0,0 +1,46 @@
+|string>
+ */
+ public function rules(): array
+ {
+ return [
+ 'search' => [
+ 'sometimes',
+ 'string',
+ // letters, marks, numbers, spaces, commas, periods, dashes,
+ // and non-consecutive apostrophes that are preceded and followed by a letter
+ "regex:/^([\p{L}\p{M}\p{N}\p{Zs},\.-]|(?<=[\p{L}])'(?!')(?=[\p{L}]))*$/u",
+ 'min:3',
+ 'max: 100',
+ ],
+ ];
+ }
+
+ public function messages()
+ {
+ return [
+ 'search.string' => 'The :attribute value must be a string',
+ 'search.regex' => 'The :attribute must only contain letters, numbers, and allowed characters.',
+ ];
+ }
+}
diff --git a/resources/views/_search.blade.php b/resources/views/_search.blade.php
index ed66c652..716b2226 100644
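Review bot: `FILTER_FLAG_NO_ENCODE_QUOTES` on the new `$search = htmlspecialchars(...)` line is a `filter_var()` flag, not an `htmlspecialchars()` flag; its numeric value (128) coincides with `ENT_DISALLOWED`, so the call runs with no quote-encoding bits set and the flag does not express what its name suggests. The encoding is also applied at the wrong layer: the value feeds a bound `LIKE` parameter (Eloquent binds the value, so there is no SQL injection path here), and HTML-encoding it first means a name containing `&` or `<` is searched as `&amp;`/`&lt;` and silently fails to match, while output escaping belongs in the Blade template (`{{ }}`). Passing `null` (search absent) to `htmlspecialchars()` is deprecated since PHP 8.1 as well. Suggested replacement: `$search = (string) ($request->validated('search') ?? '');`, relying on the ProfileSearchRequest regex rule (which already excludes the LIKE wildcards `%` and `_`) as the input control. index() continues past the end of this hunk.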
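Review bot: `'max: 100'` in rules() has a stray space after the colon, so the parameter reaches the rule as `' 100'` and the check only passes because the framework or PHP's numeric-string comparison tolerates the leading whitespace; write `'max:100'` so the rule reads as intended and survives a stricter parser. messages() has no return type or docblock while rules() has both; `public function messages(): array` with `/** @return array<string, string> */` keeps the two consistent. Inside the regex, `(?!')` is redundant because the following `(?=[\p{L}])` already rejects a second apostrophe. The top of this file (the opening tag through the `@return` line, including whether authorize() is declared) was stripped from this view of the diff and could not be checked.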
--- a/resources/views/_search.blade.php
+++ b/resources/views/_search.blade.php
@@ -8,3 +8,11 @@
 {!! Form::close() !!}
+
+@if($errors->has('search'))
+ @pushOnce('scripts')
+ @foreach($errors->get('search') as $error)
+
+ @endforeach
+ @endPushOnce
+@endif
\ No newline at end of file
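Review bot: The script body inside the `@foreach($errors->get('search') as $error)` loop was stripped from this view of the diff, so how `$error` is emitted could not be checked; if it is interpolated into JavaScript, `{{ $error }}` escapes for an HTML context, not a JS one, and `@json($error)` (or `Js::from($error)`) should be used to produce a safe JS literal. The messages come from ProfileSearchRequest::messages() and the framework's default strings rather than from the submitted value, which limits the exposure, but the context-correct escaper should still be used. The file is also left without a trailing newline (`\ No newline at end of file`).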