diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 6cb7024e7849655093401f6f3b8562e86af678c2..274343ff1191e312224488bf029b1d376522ded1 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -709,7 +709,7 @@ function vtlib_purify($input, $ignore = false) {
             if (is_array($input)) {
                 $value = array();
                 foreach ($input as $k => $v) {
-                    $value[$k] = str_replace('&', '&', vtlib_purify($v, $ignore));
+                    $value[$k] = vtlib_purify($v, $ignore);
                 }
             } else { // Simple type
                 $value = $__htmlpurifier_instance->purify($input);
@@ -717,12 +717,27 @@ function vtlib_purify($input, $ignore = false) {
             }
         }
         $purified_cache[$md5OfInput] = $value;
+    }
+    
+    if(is_array($value)) {
+        $value = str_replace_json('&', '&', $value);
     } else {
         $value = str_replace('&', '&', $value);
     }
     return $value;
 }
 
+/**
+ * Function to replace values in multi dimentional array (str_replace will support only one level of array)
+ * @param type $search
+ * @param type $replace
+ * @param type $subject
+ * @return <array>
+ */
+function str_replace_json($search, $replace, $subject){
+    return json_decode(str_replace($search, $replace,  json_encode($subject)), true);
+}
+
 /**
  * To purify malicious html event attributes
  * @param <String> $value