diff --git a/settings/admin.php b/settings/admin.php
index 03befdba66fc7e922d2a07772bd50fcb909318b7..6b93e6e3f03ccc82d88c050573b982a51be2d1a9 100755
--- a/settings/admin.php
+++ b/settings/admin.php
@@ -58,7 +58,8 @@ $tmpl->assign('shareEnforceExpireDate', OC_Appconfig::getValue('core', 'shareapi
 $excludeGroups = OC_Appconfig::getValue('core', 'shareapi_exclude_groups', 'no') === 'yes' ? true : false;
 $tmpl->assign('shareExcludeGroups', $excludeGroups);
 $excludedGroupsList = OC_Appconfig::getValue('core', 'shareapi_exclude_groups_list', '');
-$tmpl->assign('shareExcludedGroupsList', $excludedGroupsList);
+$excludedGroupsList = explode(',', $excludedGroupsList); // FIXME: this should be JSON!
+$tmpl->assign('shareExcludedGroupsList', implode('|', $excludedGroupsList));
 
 // Check if connected using HTTPS
 $tmpl->assign('isConnectedViaHTTPS', OC_Request::serverProtocol() === 'https');
diff --git a/settings/js/admin.js b/settings/js/admin.js
index 943bf78e024ab68b697636238cfb59a6dd933fff..95be13d228862122949b401805f8c06b32e4c244 100644
--- a/settings/js/admin.js
+++ b/settings/js/admin.js
@@ -20,6 +20,15 @@ $(document).ready(function(){
 
 	$('#excludedGroups').each(function (index, element) {
 		OC.Settings.setupGroupsSelect($(element));
+		$(element).change(function(ev) {
+			var groups = ev.val || [];
+			if (groups.length > 0) {
+				groups = ev.val.join(','); // FIXME: make this JSON
+			} else {
+				groups = '';
+			}
+			OC.AppConfig.setValue('core', $(this).attr('name'), groups);
+		});
 	});
 
 
@@ -42,7 +51,7 @@ $(document).ready(function(){
 		$('#shareAPI p:not(#enable)').toggleClass('hidden', !this.checked);
 	});
 
-	$('#shareAPI input').change(function() {
+	$('#shareAPI input:not(#excludedGroups)').change(function() {
 		if ($(this).attr('type') === 'checkbox') {
 			if (this.checked) {
 				var value = 'yes';
diff --git a/settings/js/apps.js b/settings/js/apps.js
index 20b0c5ce18fe18f9f51f01ca4316e76b58f4e08d..22bac1eaf3eb2c2bc16e0263e147cd8de5576f57 100644
--- a/settings/js/apps.js
+++ b/settings/js/apps.js
@@ -123,10 +123,10 @@ OC.Settings.Apps = OC.Settings.Apps || {
 			page.find("label[for='groups_enable']").hide();
 			page.find("#groups_enable").attr('checked', null);
 		} else {
-			$('#group_select').val((app.groups || []).join(','));
 			if (app.active) {
 				if (app.groups.length) {
 					OC.Settings.Apps.setupGroupsSelect();
+					$('#group_select').select2('val', app.groups || []);
 					page.find("#groups_enable").attr('checked','checked');
 				} else {
 					page.find("#groups_enable").attr('checked', null);
@@ -378,14 +378,10 @@ $(document).ready(function(){
 		}
 	});
 
-	$('#group_select').change(function() {
+	$('#group_select').change(function(ev) {
 		var element = $('#app-content input.enable');
-		var groups = $(this).val();
-		if (groups && groups !== '') {
-			groups = groups.split(',');
-		} else {
-			groups = [];
-		}
+		// getting an array of values from select2
+		var groups = ev.val || [];
 		var appid = element.data('appid');
 		if (appid) {
 			OC.Settings.Apps.enableApp(appid, false, element, groups);
diff --git a/settings/js/settings.js b/settings/js/settings.js
index 85e8996ae7fdec5ad63603abe44b43c606fd1c34..6e44c473185aff53f90e4045d2bbc72c25fd69ba 100644
--- a/settings/js/settings.js
+++ b/settings/js/settings.js
@@ -7,6 +7,11 @@ OC.Settings = OC.Settings || {};
 OC.Settings = _.extend(OC.Settings, {
 	/**
 	 * Setup selection box for group selection.
+	 *
+	 * Values need to be separated by a pipe "|" character.
+	 * (mostly because a comma is more likely to be used
+	 * for groups)
+	 *
 	 * @param $elements jQuery element (hidden input) to setup select2 on
 	 * @param [extraOptions] extra options hash to pass to select2
 	 */
@@ -18,6 +23,7 @@ OC.Settings = _.extend(OC.Settings, {
 				placeholder: t('core', 'Groups'),
 				allowClear: true,
 				multiple: true,
+				separator: '|',
 				ajax: {
 					url: OC.generateUrl('/settings/ajax/grouplist'),
 					dataType: 'json',
@@ -50,7 +56,7 @@ OC.Settings = _.extend(OC.Settings, {
 				},
 				initSelection: function(element, callback) {
 					var selection =
-						_.map(($(element).val() || []).split(',').sort(),
+						_.map(($(element).val() || []).split('|').sort(),
 							function(groupName) {
 						return {
 							id: groupName,
@@ -60,10 +66,14 @@ OC.Settings = _.extend(OC.Settings, {
 					callback(selection);
 				},
 				formatResult: function (element) {
-					return element.displayname;
+					return escapeHTML(element.displayname);
 				},
 				formatSelection: function (element) {
-					return element.displayname;
+					return escapeHTML(element.displayname);
+				},
+				escapeMarkup: function(m) {
+					// prevent double markup escape
+					return m;
 				}
 			}, extraOptions || {}));
 		}