diff --git a/passman-dev/php/passman/notes.php b/passman-dev/php/passman/notes.php
index 2cadfba..59487ec 100644
--- a/passman-dev/php/passman/notes.php
+++ b/passman-dev/php/passman/notes.php
@@ -83,12 +83,17 @@ $result = $conn->query($sql_query);
 echo "<h3>List of notes/comments</h3>";
 
 if (!empty($result) && $result->num_rows >= 1) {
-	while ($row = $result -> fetch_assoc()) {
-		echo "<div class='note'>";
-		echo	"<div class='note-content'>" . $row["note"] . "</div>";
-		echo	"<div class='note-signature'> by " . $row["username"] . "</div>";
-		echo "</div>";
-	}
+    while ($row = $result -> fetch_assoc()) {
+        // Escape output to prevent stored XSS (DB content must be treated as untrusted).
+        $safe_note = htmlspecialchars($row["note"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+        $safe_user = htmlspecialchars($row["username"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+
+        echo "<div class='note'>";
+        echo    "<div class='note-content'>" . $safe_note . "</div>";
+        echo    "<div class='note-signature'> by " . $safe_user . "</div>";
+        echo "</div>";
+    }
+
 
 	// Free result set
 	$result -> free_result();