diff --git a/inc/fields/class-shortcode-ui-field-post-select.php b/inc/fields/class-shortcode-ui-field-post-select.php
index d2b95797..284b963b 100644
--- a/inc/fields/class-shortcode-ui-field-post-select.php
+++ b/inc/fields/class-shortcode-ui-field-post-select.php
@@ -94,6 +94,12 @@ public function action_wp_ajax_shortcode_ui_post_field() {
 $requested_shortcode = isset( $_GET['shortcode'] ) ? sanitize_text_field( $_GET['shortcode'] ) : null;
 $requested_attr = isset( $_GET['attr'] ) ? sanitize_text_field( $_GET['attr'] ) : null;
+ $include = filter_input( INPUT_GET, 'include', FILTER_SANITIZE_NUMBER_INT, FILTER_REQUIRE_ARRAY );
+ if ( ! is_array( $include ) ) {
+ $include = (array) explode( ',', filter_input( INPUT_GET, 'include', FILTER_SANITIZE_STRING ) );
+ }
+ $include = array_filter( array_map( 'intval', $include ) );
+
 $response = array(
 'items' => array(),
 'found_items' => 0,
@@ -136,9 +142,8 @@ public function action_wp_ajax_shortcode_ui_post_field() {
 $query_args['s'] = sanitize_text_field( $_GET['s'] );
 }
- if ( ! empty( $_GET['include'] ) ) {
- $post__in = is_array( $_GET['include'] ) ? $_GET['include'] : explode( ',', $_GET['include'] );
- $query_args['post__in'] = array_map( 'intval', $post__in );
+ if ( ! empty( $include ) ) {
+ $query_args['post__in'] = $include;
 $query_args['orderby'] = 'post__in';
 $query_args['ignore_sticky_posts'] = true;
 }
diff --git a/inc/fields/class-shortcode-ui-field-term-select.php b/inc/fields/class-shortcode-ui-field-term-select.php
index 075cb85c..d43decd3 100644
--- a/inc/fields/class-shortcode-ui-field-term-select.php
+++ b/inc/fields/class-shortcode-ui-field-term-select.php
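Review bot: The scalar fallback in the first hunk, `filter_input( INPUT_GET, 'include', FILTER_SANITIZE_STRING )`, relies on a filter that PHP 8.1 deprecates, and when `include` is absent from the request it returns null, which `explode()` on 8.1+ also reports as deprecated; since every element is reduced to an int by `intval()` two lines later, the string filter buys nothing. Reading the raw value and type-guarding it avoids both notices: `$raw = filter_input( INPUT_GET, 'include' );` followed by `$include = explode( ',', is_string( $raw ) ? $raw : '' );`. One subtlety worth a comment: `FILTER_SANITIZE_NUMBER_INT` deletes non-digit characters rather than stopping at them, so an array element `12abc3` becomes 123 while the same text on the comma-string path yields 12 from `intval()` — `// array branch strips non-digits, string branch truncates at the first one` would save the next reader a surprise. The handler continues beyond the hunk, so where `$nonce` is verified relative to this parsing is not visible here.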
@@ -99,12 +99,19 @@ public function output_templates() {
 */
 public function action_wp_ajax_shortcode_ui_term_field() {
+ $args = array();
 $nonce = isset( $_GET['nonce'] ) ? sanitize_text_field( $_GET['nonce'] ) : null;
 $requested_shortcode = isset( $_GET['shortcode'] ) ? sanitize_text_field( $_GET['shortcode'] ) : null;
 $requested_attr = isset( $_GET['attr'] ) ? sanitize_text_field( $_GET['attr'] ) : null;
 $page = isset( $_GET['page'] ) ? absint( $_GET['page'] ) : null;
 $search = isset( $_GET['s'] ) ? sanitize_text_field( $_GET['s'] ) : '';
+ $include = filter_input( INPUT_GET, 'include', FILTER_SANITIZE_NUMBER_INT, FILTER_REQUIRE_ARRAY );
+ if ( ! is_array( $include ) ) {
+ $include = (array) explode( ',', filter_input( INPUT_GET, 'include', FILTER_SANITIZE_STRING ) );
+ }
+ $include = array_filter( array_map( 'intval', $include ) );
+
 $response = array(
 'items' => array(),
 'found_items' => 0,
@@ -142,10 +149,9 @@ public function action_wp_ajax_shortcode_ui_term_field() {
 $args['hide_empty'] = false;
 $args['number'] = 10;
- if ( ! empty( $_GET['include'] ) ) {
- $term__in = is_array( $_GET['include'] ) ? $_GET['include'] : explode( ',', $_GET['include'] );
- $args['number'] = count( $term__in );
- $args['include'] = array_map( 'intval', $term__in );
+ if ( ! empty( $include ) ) {
+ $args['number'] = count( $include );
+ $args['include'] = $include;
 $args['orderby'] = 'tag__in';
 }
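Review bot: The five-line `include` parsing block added here is identical to the one added to `class-shortcode-ui-field-post-select.php` in the same commit, so the two AJAX handlers will drift apart the next time one of them is fixed; a single helper shared by both field classes (if they have a common base, something like `protected static function requested_include_ids()` returning the filtered int array) would remove the duplication. The block also reads the request through `filter_input( INPUT_GET, … )` while every neighbouring line reads `$_GET`, and `filter_input()` looks at the request as the SAPI received it rather than at `$_GET` — code or tests that populate `$_GET` will find `$include` empty, which deserves at least `// filter_input() bypasses $_GET; runtime edits to $_GET are not seen here`. The new `$args = array();` at the top is only visibly consumed by the `$args[...]` assignments in the file's second hunk, and the handler's remaining body lies outside this hunk.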
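Review bot: `$args['number'] = count( $include );` in the second hunk lets the client size the term query directly, because `$include` is whatever ID list arrived in the request and nothing caps its length before it is handed over as both the include list and the row limit; the removed lines had the same shape, but since the line is rewritten this is the moment to bound it, e.g. `$include = array_slice( $include, 0, 100 );` ahead of the count, with the limit as a class constant. Note that `array_filter()` in the first hunk preserves keys, so `$include` is no longer a 0-based list by the time it reaches `$args['include']`; if anything downstream iterates it positionally, pass `array_values( $include )` instead. The enclosing function ends outside the hunk.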