diff --git a/phpmyfaq/ajaxservice.php b/phpmyfaq/ajaxservice.php
index 427f87a12e..dca80db2f4 100644
--- a/phpmyfaq/ajaxservice.php
+++ b/phpmyfaq/ajaxservice.php
@@ -200,7 +200,7 @@
                 ->setType($type)
                 ->setUsername($username)
                 ->setEmail($mailer)
-                ->setComment(nl2br($comment))
+                ->setComment(nl2br(strip_tags($comment)))
                 ->setDate($_SERVER['REQUEST_TIME']);
 
             if ($oComment->addComment($commentEntity)) {
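Review bot: `strip_tags()` on the new line is not an output-encoding step — it only removes tag-shaped sequences and leaves quotes, `&` and any text that later lands in an HTML context unencoded, and the PHP manual itself says it should not be relied on to make content safe for display. Since the comment is stored with `nl2br()` markup already applied, the stored string is evidently emitted raw later, so the markup that is meant to survive and the user text that must be neutralised are mixed at write time. The safer shape is to encode the user text first and add the line breaks afterwards, e.g. `->setComment(nl2br(Strings::htmlentities($comment)))` (the same helper the `Comments.php` hunk of this commit uses; if it is not imported in `ajaxservice.php`, `htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` is equivalent), keeping `strip_tags()` only if it is wanted as content policy rather than as a security control. Whichever is chosen, confirm the render side does not encode the stored value a second time, otherwise the `<br />` markers become visible text. The enclosing request handler starts and ends outside the hunk.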
diff --git a/phpmyfaq/src/phpMyFAQ/Comments.php b/phpmyfaq/src/phpMyFAQ/Comments.php
index 695a077057..bf14602ecf 100644
--- a/phpmyfaq/src/phpMyFAQ/Comments.php
+++ b/phpmyfaq/src/phpMyFAQ/Comments.php
@@ -83,7 +83,7 @@ public function getComments(int $id, string $type): string
             $output .= sprintf(
                 '<strong><a href="mailto:%s">%s</a></strong>',
                 $mail->safeEmail($item->getEmail()),
-                $item->getUsername()
+                Strings::htmlentities($item->getUsername())
             );
             $output .= sprintf(' <span class="text-muted">(%s)</span>', $date->format($item->getDate()));
             $output .= '     </div>';
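Review bot: Encoding the username with `Strings::htmlentities()` is the right fix, but the adjacent `mailto:` attribute is filled from `$mail->safeEmail(...)` with no HTML-attribute encoding visible, so whether that value is safe inside `href="..."` depends entirely on what `safeEmail()` does; if it only obfuscates or rewrites the address, wrap it too: `Strings::htmlentities($mail->safeEmail($item->getEmail()))`. The comment body emitted elsewhere in this method is the other user-controlled field in the same output and deserves the same treatment as the username, unless it is already encoded at write time (the `ajaxservice.php` hunk of this commit applies only `strip_tags()`, which does not encode). A one-line comment above the `sprintf` stating the rule — `// all user-supplied fields are HTML-encoded here; stored values are raw` — would keep the next field added to this block consistent. `getComments()` starts before and ends after this hunk.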