diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index c7f108a2b8d5ad9dc33aa7ceb085bc8b2ae77174..d2ee7d15c715283859ea7ae1705334cf91089468 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -698,6 +698,10 @@ function vtlib_purify($input, $ignore=false) {
 				}
 			} else { // Simple type
 				$value = $__htmlpurifier_instance->purify($input);
+                global $log;
+                $log->fatal('else loop call to purifyHtmlEventAttributes');
+                $log->fatal('$value passed => ');
+                $log->fatal($value);
 				$value = purifyHtmlEventAttributes($value);
 			}
 		}
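Review bot: The added `global $log; $log->fatal(...)` calls write the user-submitted, purified `$value` to the log at fatal severity on every pass through vtlib_purify's simple-type branch, which is debug tracing rather than a fatal condition and will fill the log with request content; the same tracing is added throughout purifyHtmlEventAttributes in the next hunk. Either remove these lines before merge or lower them to `$log->debug(...)` so they are off in production. The single-quoted `'$value passed => '` also does not interpolate, so it logs the literal text. vtlib_purify starts and ends outside the hunk.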
@@ -721,14 +725,23 @@ function purifyHtmlEventAttributes($value,$replaceAll = false){
 						"onselectionchange|onabort|onselectstart|onstart|onfinish|onloadstart|onshow";
     
     // remove malicious html attributes with its value.
+    global $log;
+    $log->fatal('$replaceAll value is => ');
+    $log->fatal($replaceAll);
+    $log->fatal('$value => ');
+    $log->fatal($value);
     if ($replaceAll) {
-        $regex = '\s*=\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
+        $log->fatal('if loop');
+        $regex = '\s*(=|=|=|=|=)\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
         $value = preg_replace("/\s*(" . $htmlEventAttributes . ")" . $regex, '', $value);
     } else {
-        if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*=/i", $value)) {
+        $log->fatal('else loop');
+        if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*(=|=|=|=|=)/i", $value)) {
             $value = str_replace("=", "=", $value);
         }
     }
+    $log->fatal('Final value => ');
+    $log->fatal($value);
     return $value;
 }
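Review bot: As rendered here, the new alternation `(=|=|=|=|=)` in `$regex` and in the preg_match pattern is five identical `=` alternatives, equivalent to a plain `=`; if the intent was to also catch encoded or look-alike equals characters, they appear to have been normalised to ASCII and the pattern no longer matches them, and the unchanged `str_replace("=", "=", $value)` below it is a no-op as shown. Please check the source bytes and, if non-ASCII look-alikes are intended, write them as explicit escapes (e.g. `\x{FF1D}` with the `u` modifier) with a comment naming each, so the intent survives copying and normalisation. The `$log->fatal` tracing added in this hunk logs `$value` both before and after the rewrite and should go with the previous hunk's tracing. purifyHtmlEventAttributes starts outside the hunk.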
 
diff --git a/modules/Users/actions/Save.php b/modules/Users/actions/Save.php
index 433479214a62bb9435fd1dd12877f31fc6e4f8e9..bbe106565344b8870df76dac3b3a789fbfc1592b 100644
--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -76,7 +76,11 @@ class Users_Save_Action extends Vtiger_Save_Action {
 			if ($fieldName == 'roleid' && !($currentUserModel->isAdminUser())) {
 				$fieldValue = null;
 			}
-
+            if($fieldName == 'signature' && $fieldValue !== null){
+                $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                // Purify malicious html event attributes
+                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+			}
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue)) {
 					$fieldValue = trim($fieldValue);
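Review bot: The new signature branch calls `decode_html` on the purifier's output (`purifyHtmlEventAttributes(decode_html($purifiedContent), true)`), which, if decode_html expands HTML entities as its name suggests, re-expands entities HTMLPurifier produced when escaping text and so restores characters the purifier deliberately neutralised before the value is stored; the same call sequence is added in modules/Vtiger/actions/Save.php and in both hunks of modules/Vtiger/actions/SaveAjax.php. Unless decode_html is known to be safe on purifier output (not shown here), pass the purified value directly: `$fieldValue = purifyHtmlEventAttributes($purifiedContent, true);`. Since this four-line block is repeated in four places, a single protected helper on Vtiger_Save_Action would keep the behaviour in one spot. The enclosing loop and method start outside the hunk, and the added lines mix space indentation with the file's tabs.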
diff --git a/modules/Vtiger/actions/Save.php b/modules/Vtiger/actions/Save.php
index 4e3ac8e5ca92a0323d131877b1f8792933d7b071..33a714782f31ccf9128589ab8e27c16aeaa4bde3 100644
--- a/modules/Vtiger/actions/Save.php
+++ b/modules/Vtiger/actions/Save.php
@@ -160,6 +160,12 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 			if($fieldDataType == 'time' && $fieldValue !== null){
 				$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 			}
+            $ckeditorFields = array('commentcontent', 'notecontent');
+            if((in_array($fieldName, $ckeditorFields)) && $fieldValue !== null){
+                $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                // Purify malicious html event attributes
+                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+			}
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue) && $fieldDataType != 'currency') {
 					$fieldValue = trim($fieldValue);
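Review bot: `$ckeditorFields = array('commentcontent', 'notecontent')` is rebuilt on every iteration of what appears to be the per-field loop (its header is outside the hunk) and checked with a non-strict `in_array`; hoisting it to a class constant and passing `strict: true` avoids the per-field allocation and the loose comparison, e.g. `if (in_array($fieldName, self::CKEDITOR_FIELDS, true) && $fieldValue !== null) {` with a proposed `const CKEDITOR_FIELDS = ['commentcontent', 'notecontent'];` on the class. This list also omits `signature`, which the corresponding list in modules/Vtiger/actions/SaveAjax.php includes, so which fields are purified depends on the save path that handles the request.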
diff --git a/modules/Vtiger/actions/SaveAjax.php b/modules/Vtiger/actions/SaveAjax.php
index 49ec727dac8c4cbea38a539dc8272d587e736ca4..ca95ff928a7933de0ebe1c44912f79292291c82b 100644
--- a/modules/Vtiger/actions/SaveAjax.php
+++ b/modules/Vtiger/actions/SaveAjax.php
@@ -106,6 +106,12 @@ class Vtiger_SaveAjax_Action extends Vtiger_Save_Action {
 				if ($fieldDataType == 'time' && $fieldValue !== null) {
 					$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 				}
+                $ckeditorFields = array('commentcontent', 'notecontent', 'signature');
+                if((in_array($fieldName, $ckeditorFields)) && $fieldValue !== null){
+                    $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                    // Purify malicious html event attributes
+                    $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+                }
 				if ($fieldValue !== null) {
 					if (!is_array($fieldValue)) {
 						$fieldValue = trim($fieldValue);
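Review bot: The field list here (`'commentcontent', 'notecontent', 'signature'`) differs from the second hunk of this file, which purifies only `notecontent`, and from modules/Vtiger/actions/Save.php, which omits `signature`; with three hand-maintained lists it is easy for a field to be purified on one save path and not on another. Define the list once as a constant on Vtiger_Save_Action (which this class extends) and reference it from all three loops with `in_array($fieldName, self::CKEDITOR_FIELDS, true)`, adding a comment stating why these fields are treated as rich-text. Both loops' headers are outside the hunks.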
@@ -138,6 +144,11 @@ class Vtiger_SaveAjax_Action extends Vtiger_Save_Action {
 				if ($fieldDataType == 'time' && $fieldValue !== null) {
 					$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 				}
+                if($fieldName == 'notecontent' && $fieldValue !== null){
+                    $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                    // Purify malicious html event attributes
+                    $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+                }
 				if ($fieldValue !== null) {
 					if (!is_array($fieldValue)) {
 						$fieldValue = trim($fieldValue);
diff --git a/packages/vtiger/optional/ModComments.zip b/packages/vtiger/optional/ModComments.zip
index 4dd6cf47a20001315c969f5234c1331e089382a0..2c2ac439ff0615df00c8ee46bdb049437ec1011c 100644
Binary files a/packages/vtiger/optional/ModComments.zip and b/packages/vtiger/optional/ModComments.zip differ
diff --git a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/Save.php b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/Save.php
index 0fbd23762d053df6976bc97a85873472d844b67e..49a586197b9858b92aef9653ad723dc823f43956 100644
--- a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/Save.php
+++ b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/Save.php
@@ -65,7 +65,6 @@ class ModComments_Save_Action extends Vtiger_Save_Action {
 	protected function getRecordModelFromRequest(Vtiger_Request $request) {
 		$recordModel = parent::getRecordModelFromRequest($request);
 		
-		$recordModel->set('commentcontent', $request->getRaw('commentcontent'));
 		$recordModel->set('reasontoedit', $request->getRaw('reasontoedit'));
 
 		return $recordModel;
diff --git a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
index 94f853b97a5b167f37c7250bc01e9572b886337f..2a44e8dab96e5828ecfffa0d70d8866d03ecd401 100644
--- a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
+++ b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
@@ -73,7 +73,6 @@ class ModComments_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	 */
 	public function getRecordModelFromRequest(Vtiger_Request $request) {
 		$recordModel = parent::getRecordModelFromRequest($request);
-		$recordModel->set('commentcontent', $request->getRaw('commentcontent'));
         $recordModel->set('is_private', $request->get('is_private'));
 
 		return $recordModel;