diff --git a/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser
new file mode 100644
index 00000000..098257e1
Binary files /dev/null and b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser differ
diff --git a/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/URI/4.15.0,b359e061fc6632c745df51b43504cb541c9339de,1.ser b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/URI/4.15.0,b359e061fc6632c745df51b43504cb541c9339de,1.ser
new file mode 100644
index 00000000..b97b9748
Binary files /dev/null and b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/URI/4.15.0,b359e061fc6632c745df51b43504cb541c9339de,1.ser differ
diff --git a/portal/portal_post.php b/portal/portal_post.php
index 985ffc13..dac1df40 100644
--- a/portal/portal_post.php
+++ b/portal/portal_post.php
@@ -11,19 +11,13 @@ if (isset($_POST['add_ticket'])) {
 // Get ticket prefix/number
 $sql_settings = mysqli_query($mysqli, "SELECT * FROM settings WHERE company_id = 1");
 $row = mysqli_fetch_array($sql_settings);
- $config_ticket_prefix = $row['config_ticket_prefix'];
+ $config_ticket_prefix = santizeInput($row['config_ticket_prefix']);
 $config_ticket_next_number = intval($row['config_ticket_next_number']);
- // HTML Purifier
- require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
- $purifier_config = HTMLPurifier_Config::createDefault();
- $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
- $purifier = new HTMLPurifier($purifier_config);
-
 $client_id = intval($session_client_id);
 $contact = intval($session_contact_id);
 $subject = sanitizeInput($_POST['subject']);
- $details = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['details'])))));
+ $details = mysqli_real_escape_string($mysqli,($_POST['details']));
 // Ensure priority is low/med/high (as can be user defined)
 if ($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High") {
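Review bot: `santizeInput` on the new `$config_ticket_prefix` line is misspelled — the same hunk calls `sanitizeInput($_POST['subject'])` three lines later — so unless a function with that exact name exists elsewhere, every ticket submission will fail with an undefined-function error; it should read `$config_ticket_prefix = sanitizeInput($row['config_ticket_prefix']);`. The new `$details` line wraps its argument in a redundant pair of parentheses and drops the old `trim()`, so `$details = mysqli_real_escape_string($mysqli, trim($_POST['details']));` is both cleaner and keeps leading/trailing whitespace out of the stored value. With purification removed here, `ticket_details` is now stored as raw user-controlled HTML, so every page that renders it must purify or escape on output; this commit does that for portal/ticket.php, but I cannot see the agent-side readers from here. The enclosing `if (isset($_POST['add_ticket']))` block begins and ends outside the hunk.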
@@ -48,18 +42,13 @@ if (isset($_POST['add_ticket'])) {
 }
 if (isset($_POST['add_ticket_comment'])) {
- // HTML Purifier
- require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
- $purifier_config = HTMLPurifier_Config::createDefault();
- $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
- $purifier = new HTMLPurifier($purifier_config);
 $ticket_id = intval($_POST['ticket_id']);
 // Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
 // In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
 // So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
- $comment = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
+ $comment = mysqli_real_escape_string($mysqli, $_POST['comment']);
 // After stripping bad HTML, check the comment isn't just empty
 if (empty($comment)) {
diff --git a/portal/ticket.php b/portal/ticket.php
index 7ad5ab6a..d1843d7c 100644
--- a/portal/ticket.php
+++ b/portal/ticket.php
@@ -6,6 +6,12 @@ require_once("inc_portal.php");
+//Initialize the HTML Purifier to prevent XSS
+require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
 if (isset($_GET['id']) && intval($_GET['id'])) {
 $ticket_id = intval($_GET['id']);
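Review bot: The three comment lines above the new `$comment` assignment still describe converting line breaks to HTML and cleaning with HTML Purifier, and `// After stripping bad HTML, check the comment isn't just empty` below it refers to the same removed step; both are now stale. A one-line replacement such as `// Comment is stored as submitted; HTML is purified where it is rendered (portal/ticket.php)` would match what the code does now. Dropping `trim()` also changes the `empty($comment)` check that follows: a whitespace-only comment used to collapse to '' and be rejected, whereas now it is accepted, so `$comment = mysqli_real_escape_string($mysqli, trim($_POST['comment']));` is worth keeping. Since `nl2br()` is gone as well, stored comments now carry bare newlines, and `purify()` on the rendering side will not turn those into `<br>` — the line-break concern the old comment raises looks unresolved rather than moved. The enclosing `if (isset($_POST['add_ticket_comment']))` block continues past the hunk.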
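Review bot: The new bootstrap loads the library with `require` where the code removed from portal_post.php used `require_once`; if `inc_portal.php` or any other include already pulls in `HTMLPurifier.standalone.php`, the second load redeclares its classes and aborts the page, so `require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");` is the safer form. No `Cache.SerializerPath` is set, so HTMLPurifier writes its definition cache beside the library, which is presumably how the two generated `.ser` files under `plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/` came to be committed; pointing `Cache.SerializerPath` at a writable directory outside the repository (or disabling the cache via `Cache.DefinitionImpl`) and excluding those files from version control avoids a web-writable plugin directory and noisy diffs. `'src' => true` in `URI.AllowedSchemes` is not a URI scheme HTMLPurifier has a handler for, so as far as I can tell it has no effect; it was carried over from the removed code and could be dropped. The `if (isset($_GET['id']) …)` block that follows runs past the end of the hunk.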
@@ -24,7 +30,7 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
 $ticket_status = htmlentities($ticket_row['ticket_status']);
 $ticket_priority = htmlentities($ticket_row['ticket_priority']);
 $ticket_subject = htmlentities($ticket_row['ticket_subject']);
- $ticket_details = $ticket_row['ticket_details'];
+ $ticket_details = $purifier->purify($ticket_row['ticket_details']);
 $ticket_feedback = htmlentities($ticket_row['ticket_feedback']);
 ?>
@@ -111,9 +117,9 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
 while ($row = mysqli_fetch_array($sql)) {
 $ticket_reply_id = intval($row['ticket_reply_id']);
- $ticket_reply = $row['ticket_reply'];
- $ticket_reply_created_at = $row['ticket_reply_created_at'];
- $ticket_reply_updated_at = $row['ticket_reply_updated_at'];
+ $ticket_reply = $purifier->purify($row['ticket_reply']);
+ $ticket_reply_created_at = htmlentities($row['ticket_reply_created_at']);
+ $ticket_reply_updated_at = htmlentities($row['ticket_reply_updated_at']);
 $ticket_reply_by = intval($row['ticket_reply_by']);
 $ticket_reply_type = $row['ticket_reply_type'];
@@ -121,7 +127,7 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
 $ticket_reply_by_display = htmlentities($row['contact_name']);
 $user_initials = initials($row['contact_name']);
 $user_avatar = $row['contact_photo'];
- $avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
+ $avatar_link = "../uploads/clients/$session_client_id/$user_avatar";
 } else {
 $ticket_reply_by_display = htmlentities($row['user_name']);
 $user_id = intval($row['user_id']);
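Review bot: The rewritten `$avatar_link` still interpolates `$user_avatar`, taken unescaped from `$row['contact_photo']` two lines above, into a path string while the neighbouring `$ticket_reply_by_display` is passed through `htmlentities()`; a stored filename containing a quote, `<` or `..` would reach the page unchanged. If `contact_photo` holds a bare filename and the link is echoed into an attribute (the echo is outside the hunk), `$avatar_link = "../uploads/clients/$session_client_id/" . htmlentities(basename($user_avatar));` keeps the link inside the client's upload directory and attribute-safe. `$session_client_id` is used raw here whereas portal_post.php wraps it in `intval()`; doing the same here would keep the two consistent. The `else` branch and the enclosing `while` loop continue beyond the hunk.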