diff --git a/classes/comment.php b/classes/comment.php
index efe42e1..0726da4 100644
--- a/classes/comment.php
+++ b/classes/comment.php
@@ -170,7 +170,7 @@ public function save() {
 global $DB, $USER;
 $this->timemodified = time();
- $this->content = html_to_text($this->content, 5000, false);
+ $this->content = clean_param(html_to_text($this->content, 5000, false), PARAM_TEXT);
 if ($this->id > 0) {
 $DB->update_record('board_comments', $this);
diff --git a/classes/tables/comments_table.php b/classes/tables/comments_table.php
index a7e5027..7aaf509 100644
--- a/classes/tables/comments_table.php
+++ b/classes/tables/comments_table.php
@@ -134,6 +134,17 @@ public function other_cols($colname, $value) {
 }
 }
 
+ /**
+ * Format each row of returned data.
+ *
+ * @param array|object $row row of data from db used to make one row of the table.
+ * @return array one row for the table with sanitised content.
+ */
+ public function format_row($row): array {
+ $row->content = clean_param($row->content, PARAM_TEXT);
+ return parent::format_row($row);
+ }
+
 /**
 * Displays the table.
 */
diff --git a/external.php b/external.php
index c35cac0..53eefde 100755
--- a/external.php
+++ b/external.php
@@ -708,7 +708,7 @@ public static function get_comments($noteid) {
 $comment = (object)[];
 $comment->id = $note->id;
 $comment->noteid = $note->noteid;
- $comment->content = $note->content;
+ $comment->content = clean_param($note->content, PARAM_TEXT);
 $comment->candelete = (($canpost && $note->userid === $USER->id) || $candeleteall) ? true : false;
 $comment->date = userdate($note->timecreated);
 $comments[] = $comment;
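Review bot: `clean_param(..., PARAM_TEXT)` on the added line in `save()` strips tags but does not entity-encode and keeps well-formed multilang `<span lang>`/`<lang>` markup, so it is input normalisation rather than output escaping; whatever renders `content` still has to pass it through `s()`/`format_string()`. It also only affects rows written after this change, so the read-side `clean_param` calls added in `comments_table::format_row` and `external::get_comments` are what protect pre-existing rows, not a redundancy. A short comment on the new line would stop that being "simplified" away later: `// Strip markup at save time; read paths clean too because older rows predate this.` `save()` continues outside the hunk.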
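Review bot: `format_row()` dereferences `$row->content`, but its own docblock (and, as far as the docblock suggests, the parent's contract) admits `array|object`; an array row would raise a fatal "attempt to read property on array" before `parent::format_row()` gets a chance to normalise it. Either coerce first — `if (is_array($row)) { $row = (object) $row; }` — or narrow the docblock to `object` if every caller in this table is known to pass objects. Since the class already overrides `other_cols()`, a dedicated `col_content()` callback would also be the conventional place for per-column cleaning and would avoid mutating the row object that later column callbacks see.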
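Review bot: Cleaning `$comment->content` on the added line is the right defence-in-depth point for data already in the DB, but the external function's returns description (outside this hunk) should declare `content` with the same `PARAM_TEXT` type so the web-service layer enforces the contract rather than relying on this one assignment. Because `PARAM_TEXT` does not HTML-encode, the client code that renders these comments must still treat `content` as text (an escaping template slot or `textContent`, never raw HTML insertion). `get_comments()` continues outside the hunk.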