diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 9f8ba17d2438ffd50425cb69d18190a35aad40c5..c7f108a2b8d5ad9dc33aa7ceb085bc8b2ae77174 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -712,16 +712,24 @@ function vtlib_purify($input, $ignore=false) {
  * @param <String> $value
  * @return <String>
  */
-function purifyHtmlEventAttributes($value){
+function purifyHtmlEventAttributes($value,$replaceAll = false){
 	$htmlEventAttributes = "onerror|onblur|onchange|oncontextmenu|onfocus|oninput|oninvalid|".
-						"onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|".
-						"onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|".
-						"ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|".
-						"onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste";
-	if(preg_match("/\s*(".$htmlEventAttributes.")\s*=/i", $value)) {
-		$value = str_replace("=", "&equals;", $value);
-	}
-	return $value;
+                        "onreset|onsearch|onselect|onsubmit|onkeydown|onkeypress|onkeyup|".
+                        "onclick|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|".
+                        "ondragstart|ondrop|onmousedown|onmousemove|onmouseout|onmouseover|".
+						"onmouseup|onmousewheel|onscroll|onwheel|oncopy|oncut|onpaste|onload|".
+						"onselectionchange|onabort|onselectstart|onstart|onfinish|onloadstart|onshow";
+    
+    // remove malicious html attributes with its value.
+    if ($replaceAll) {
+        $regex = '\s*=\s*(?:"[^"]*"[\'"]*|\'[^\']*\'[\'"]*|[^]*[\s\/>])*/i';
+        $value = preg_replace("/\s*(" . $htmlEventAttributes . ")" . $regex, '', $value);
+    } else {
+        if (preg_match("/\s*(" . $htmlEventAttributes . ")\s*=/i", $value)) {
+            $value = str_replace("=", "&equals;", $value);
+        }
+    }
+    return $value;
 }
 
 /**
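Review bot: The removal branch on L27-L29 strips only the handler names enumerated in `$htmlEventAttributes`, so any event attribute not on that list passes through `$replaceAll = true` untouched; matching the name generically, e.g. `"/\s*\bon[a-z]+" . $regex` here and `\bon[a-z]+` in the `preg_match` on L31, closes that gap without maintaining a list, and since the callers in this diff already run `vtlib_purify`, forbidding event attributes in that purifier's configuration would be a sturdier place for the rule than a regex over serialized HTML. In `$regex`, `[^]*[\s\/>]` does not mean "anything up to whitespace, slash or `>`": in PCRE a `]` directly after `[^` is a literal, so the third alternative is one negated class excluding `]`, `*`, `[`, whitespace, `/` and `>` (this looks like a JavaScript pattern ported verbatim) — an unquoted value such as `onclick=a[0]` leaves `[0]` behind, so test unquoted values and write the class as `[^\s\/>]` if one non-delimiter character is what was meant. `preg_replace` returns `null` on a PCRE error, and this function would hand that null to callers that store it; add `if ($value === null) { /* handle preg_last_error() */ }` before `return`. The new `$replaceAll` parameter is untyped and undocumented: declare it `bool $replaceAll = false` and add `@param bool $replaceAll Strip each matching attribute with its value instead of encoding '='` to the docblock, which begins outside the hunk.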
diff --git a/modules/Emails/models/Mailer.php b/modules/Emails/models/Mailer.php
index e2e7c72a1cb32a81c9b082843cf5c974e2af6610..1a42c7495e9946e628fe693b8dce55c43d84e0af 100644
--- a/modules/Emails/models/Mailer.php
+++ b/modules/Emails/models/Mailer.php
@@ -135,6 +135,7 @@ class Emails_Mailer_Model extends Vtiger_Mailer {
 	public static function getProcessedContent($content) {
 		// remove script tags from whole html content
 		$processedContent = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $content);
+        $processedContent = purifyHtmlEventAttributes($processedContent,TRUE);
 		return $processedContent;
 	}
 
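Review bot: On L47 `getProcessedContent` hands `$content` to `purifyHtmlEventAttributes` without the `decode_html` normalisation that the other two call sites in this diff (modules/Users/actions/Save.php, modules/Vtiger/actions/Save.php) apply first, so the three entry points filter differently encoded forms of the same markup; choose one normalisation and apply it at every call site, or inside `purifyHtmlEventAttributes` itself. `purifyHtmlEventAttributes` returns `null` when its `preg_replace` fails, and that null becomes the stored e-mail body here; guard it, e.g. `return $processedContent ?? '';`. Minor style: `TRUE` should be lowercase `true`, the new line is space-indented in a tab-indented method, and the bare boolean argument would read better as a named argument if the codebase runs on PHP 8.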
diff --git a/modules/Emails/views/MassSaveAjax.php b/modules/Emails/views/MassSaveAjax.php
index 8b9472efca9bfaad3a1e0741437830989d716a87..c9fbf23b81e352cdb8023a08c9aaa9ff15c2a08a 100644
--- a/modules/Emails/views/MassSaveAjax.php
+++ b/modules/Emails/views/MassSaveAjax.php
@@ -134,7 +134,7 @@ class Emails_MassSaveAjax_View extends Vtiger_Footer_View {
 		$content = $request->getRaw('description');
 		$processedContent = Emails_Mailer_Model::getProcessedContent($content); // To remove script tags
 		$mailerInstance = Emails_Mailer_Model::getInstance();
-		$processedContentWithURLS = decode_html($mailerInstance->convertToValidURL($processedContent));
+		$processedContentWithURLS = $mailerInstance->convertToValidURL($processedContent);
 		$recordModel->set('description', $processedContentWithURLS);
 		$recordModel->set('subject', $request->get('subject'));
 		$recordModel->set('toMailNamesList',$request->get('toMailNamesList'));
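Review bot: The comment `// To remove script tags` on L57 no longer describes `getProcessedContent`, which after this diff also strips event-handler attributes; change it to `// strip script tags and on* event attributes`. The sanitised content is then passed through `convertToValidURL` on L60 and stored as returned, so if that helper rewrites markup (it is not visible here) the attribute stripping is no longer the last step — confirm it only touches URLs, or sanitise after it. Dropping `decode_html` also changes what is persisted for the description compared with records saved before this change; worth a sentence in the commit description.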
diff --git a/modules/Users/actions/Save.php b/modules/Users/actions/Save.php
index 433479214a62bb9435fd1dd12877f31fc6e4f8e9..2d2088431c1cfa7983aff4f9992f395453864755 100644
--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -76,6 +76,12 @@ class Users_Save_Action extends Vtiger_Save_Action {
 			if ($fieldName == 'roleid' && !($currentUserModel->isAdminUser())) {
 				$fieldValue = null;
 			}
+            if($fieldName == 'signature' && $fieldValue !== null){
+                $fieldValue = $request->getRaw($fieldName);
+                $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                // Purify malicious html event attributes
+                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+			}
 
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue)) {
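Review bot: On L74-L76 the output of `vtlib_purify` is run through `decode_html` a second time before the regex pass, which undoes the entity encoding the purifier produced and leaves the regex in `purifyHtmlEventAttributes` as the only thing between the decoded markup and the stored signature. Unless a later layer re-encodes on output (not visible here), keep the purifier's output as the final value — `$fieldValue = purifyHtmlEventAttributes($purifiedContent, true);` — or run the attribute stripping before purification; the `notecontent` branch in modules/Vtiger/actions/Save.php in this diff has the same sequence. The `$fieldValue !== null` test on L72 is evaluated against the value fetched earlier, which is then discarded for `$request->getRaw($fieldName)`, so the condition and the stored value come from different accessors; if `get` and `getRaw` can disagree on null-ness, test the raw value instead. Indentation is mixed (spaces on L72-L76, a tab on the closing brace on L77) in a tab-indented file; the enclosing loop starts outside the hunk.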
diff --git a/modules/Vtiger/actions/Save.php b/modules/Vtiger/actions/Save.php
index 4e3ac8e5ca92a0323d131877b1f8792933d7b071..5a7c00d1b16cde1208a7493e8bcedd6305bb39fa 100644
--- a/modules/Vtiger/actions/Save.php
+++ b/modules/Vtiger/actions/Save.php
@@ -160,6 +160,12 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 			if($fieldDataType == 'time' && $fieldValue !== null){
 				$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 			}
+            if($fieldName == 'notecontent' && $fieldValue !== null){
+                $fieldValue = $request->getRaw($fieldName);
+                $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                // Purify malicious html event attributes
+                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+			}
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue) && $fieldDataType != 'currency') {
 					$fieldValue = trim($fieldValue);
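Review bot: The branch on L89-L94 keys on the bare field name `notecontent` inside `Vtiger_Save_Action`, the base save action every module goes through, so any module with a field of that name takes the raw-fetch-and-purify path whether or not it holds HTML; if the intent is one module's note body, dispatching on the field's type (the surrounding code already has `$fieldDataType`) or placing the branch in that module's own save action would be more precise — I cannot see the field metadata here, so treat this as a question. If `purifyHtmlEventAttributes` returns `null` (its `preg_replace` can), the `$fieldValue !== null` check on L95 silently skips the field rather than reporting the failure; consider `$fieldValue = purifyHtmlEventAttributes(...) ?? ''` or logging the case. Indentation mixes spaces (L89-L93) with a tab on the closing brace (L94) in a tab-indented block; the enclosing loop starts outside the hunk.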