diff --git a/legal.module b/legal.module
index f520046..6bdc703 100644
--- a/legal.module
+++ b/legal.module
@@ -748,8 +748,7 @@ function legal_display_changes($form, $uid) {
   }
 
   foreach ($result as $term) {
-
-    $changes = Xss::filterAdmin($term->changes);
+    $changes = Xss::filterAdmin($term->changes ?? '');
 
     if (!empty($changes)) {
       $bullet_points = array_merge($bullet_points, explode("\r\n", $changes));
@@ -857,8 +856,8 @@ function legal_user_is_exempt($account) {
 
   $settings = \Drupal::config('legal.settings');
 
-  $exempt_roles = $settings->get('except_roles');
-  $account_roles = $account->getRoles(TRUE);
+  $exempt_roles = $settings->get('except_roles') ?? [];
+  $account_roles = $account->getRoles(TRUE) ?? [];
 
   if (count(array_intersect($exempt_roles, $account_roles))) {
     return TRUE;
diff --git a/tests/src/Functional/LoginTest.php b/tests/src/Functional/LoginTest.php
index 9b08594..b7f152a 100644
--- a/tests/src/Functional/LoginTest.php
+++ b/tests/src/Functional/LoginTest.php
@@ -24,7 +24,7 @@ class LoginTest extends LegalTestBase {
 
     // Check user is redirected to T&C acceptance page.
     $current_url = $this->getUrl();
-    $expected_url = substr($current_url, strlen($this->baseUrl), 20);
+    $expected_url = substr($current_url, mb_strlen($this->baseUrl), 20);
     $this->assertEquals($expected_url, '/legal_accept?token=');
     $this->assertResponse(200);