diff --git a/modules/Users/actions/SaveAjax.php b/modules/Users/actions/SaveAjax.php
index 5188833bbf57d126b0247fac44e7853ad9f0fc46..86fdfbe4684a8b93a6d67391e7059434d9bad291 100644
--- a/modules/Users/actions/SaveAjax.php
+++ b/modules/Users/actions/SaveAjax.php
@@ -104,6 +104,13 @@ class Users_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 				$recordModel->set($fieldName,$existingRecordModel->get($fieldName));
 			}
 		}
+        if($fieldName == 'signature'){
+            $fieldValue = $request->getRaw($fieldName);
+            $purifiedContent = vtlib_purify(decode_html($fieldValue));
+            // Purify malicious html event attributes
+            $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+            $recordModel->set($fieldName,$fieldValue);
+        }
 		return $recordModel;
 	}
 
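Review bot: The second `decode_html()` on the `purifyHtmlEventAttributes` line runs after `vtlib_purify` has already sanitised the value, so entity-encoded markup that the purifier passed through as inert text may be turned back into live markup, with only the event-attribute filter applied afterwards. Unless `vtlib_purify` is known to return entity-encoded output, I would drop that decode, `$fieldValue = purifyHtmlEventAttributes($purifiedContent, true);`, and otherwise add a comment saying why it is needed. The same sequence is repeated in the `notecontent` hunk of modules/Vtiger/actions/SaveAjax.php and in the ModComments hunk. Separately, `$fieldName` is read here after the blocks closed just above, and the function's start is outside the hunk, so please confirm it still holds the request's field name at this point rather than a leftover loop variable.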
diff --git a/modules/Vtiger/actions/SaveAjax.php b/modules/Vtiger/actions/SaveAjax.php
index 49ec727dac8c4cbea38a539dc8272d587e736ca4..af467fe726dfe86de38e139dafd9b69c1b13e7e6 100644
--- a/modules/Vtiger/actions/SaveAjax.php
+++ b/modules/Vtiger/actions/SaveAjax.php
@@ -106,6 +106,12 @@ class Vtiger_SaveAjax_Action extends Vtiger_Save_Action {
 				if ($fieldDataType == 'time' && $fieldValue !== null) {
 					$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 				}
+                if($fieldName == 'notecontent' && $fieldValue !== null){
+                    $fieldValue = $request->getRaw($fieldName);
+                    $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                    // Purify malicious html event attributes
+                    $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+                }
 				if ($fieldValue !== null) {
 					if (!is_array($fieldValue)) {
 						$fieldValue = trim($fieldValue);
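Review bot: The `notecontent` check ties this sanitising path to one module's field name inside the generic `Vtiger_SaveAjax_Action`, so a differently named rich-text field would not take it and any module with a same-named field would. Selecting on the field's type would be less brittle (`$fieldDataType` is already in scope just above), and the comparison should be strict: `if ($fieldName === 'notecontent' && $fieldValue !== null) {`. The block also replaces the `$fieldValue` computed earlier with `$request->getRaw($fieldName)`; if the value can arrive under a different request key, which the hunk does not show, that re-read would discard it. The enclosing loop and method start and end outside the hunk.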
diff --git a/packages/vtiger/optional/ModComments.zip b/packages/vtiger/optional/ModComments.zip
index 81440773285a7750b449e9b874d1943b390f20c2..adafd7048a486f9e73fec17d88fd03a61e34d675 100644
Binary files a/packages/vtiger/optional/ModComments.zip and b/packages/vtiger/optional/ModComments.zip differ
diff --git a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
index b5e7feecda33cd3f5b0ab66c404e547d60638bf8..bb6126d2ead8236bd6bae1d7f094ebe2e7fce588 100644
--- a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
+++ b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
@@ -74,7 +74,11 @@ class ModComments_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	public function getRecordModelFromRequest(Vtiger_Request $request) {
 		$recordModel = parent::getRecordModelFromRequest($request);
 		
-		$recordModel->set('commentcontent', $request->getRaw('commentcontent'));
+        $commentContent = $request->getRaw('commentcontent');
+        $purifiedContent = vtlib_purify(decode_html($commentContent));
+        // Purify malicious html event attributes
+        $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+		$recordModel->set('commentcontent', $fieldValue);
         $recordModel->set('is_private', $request->get('is_private'));
 
 		return $recordModel;
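Review bot: This is the third copy of the raw-read, `vtlib_purify`, `purifyHtmlEventAttributes` sequence in the commit, and a copy that drifts later would leave one save path sanitised differently from the others; a single shared helper called from all three places would keep them in step. In this hunk the sanitised result is stored in `$fieldValue` although the input is `$commentContent`, and the added lines are space-indented in a tab-indented file; naming the result after the comment and matching the file's tabs would read more clearly. The commit also replaces packages/vtiger/optional/ModComments.zip as a binary, which cannot be reviewed here, so it is worth confirming the archive was rebuilt from this source file. The method's closing brace is outside the hunk.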