diff --git a/cms/templates/base.html b/cms/templates/base.html
index 0ec319c1fa..1a81e9192c 100644
--- a/cms/templates/base.html
+++ b/cms/templates/base.html
@@ -1,5 +1,6 @@
 ## -*- coding: utf-8 -*-
 <%! from django.utils.translation import ugettext as _ %>
+<%! from django.template.defaultfilters import escapejs %>
 <%namespace name='static' file='static_content.html'/>
 
 <!doctype html>
@@ -14,7 +15,7 @@
         <%block name="title"></%block> |
         % if context_course:
         <% ctx_loc = context_course.location %>
-        ${context_course.display_name_with_default} |
+        ${context_course.display_name_with_default | h} |
         % endif
         edX Studio
     </title>
@@ -329,7 +330,7 @@
         <script type="text/javascript">
         require(['js/models/course'], function(Course) {
             window.course = new Course({
-                id: "${context_course.id}",
+                id: "${context_course.id | escapejs}",
                 name: "${context_course.display_name_with_default | h}",
                 url_name: "${context_course.location.name | h}",
                 org: "${context_course.location.org | h}",
diff --git a/cms/templates/container.html b/cms/templates/container.html
index d6524d66b6..1de6dcff75 100644
--- a/cms/templates/container.html
+++ b/cms/templates/container.html
@@ -115,7 +115,7 @@ templates = ["basic-modal", "modal-button", "edit-xblock-modal",
 
             <article class="content-primary">
                 <div class="container-message wrapper-message"></div>
-                <section class="wrapper-xblock level-page is-hidden studio-xblock-wrapper" data-locator="${xblock_locator}" data-course-key="${xblock_locator.course_key}">
+                <section class="wrapper-xblock level-page is-hidden studio-xblock-wrapper" data-locator="${xblock_locator | h}" data-course-key="${xblock_locator.course_key | h}">
                 </section>
                 <div class="ui-loading">
                     <p><span class="spin"><i class="icon-refresh"></i></span> <span class="copy">${_("Loading...")}</span></p>
@@ -147,7 +147,7 @@ templates = ["basic-modal", "modal-button", "edit-xblock-modal",
                         <div class="wrapper-unit-id bar-mod-content">
                             <h5 class="title">${_("Location ID")}</h5>
                             <p class="unit-id">
-                                <span class="unit-id-value" id="unit-location-id-input">${unit.location.name}</span>
+                                <span class="unit-id-value" id="unit-location-id-input">${unit.location.name | h}</span>
                                 <span class="tip"><span class="sr">Tip: </span>${_("Use this ID when you create links to this unit from other course content. You enter the ID in the URL field.")}</span>
                             </p>
                         </div>
diff --git a/cms/templates/course-create-rerun.html b/cms/templates/course-create-rerun.html
index 04bd8044b7..cfa4260b17 100644
--- a/cms/templates/course-create-rerun.html
+++ b/cms/templates/course-create-rerun.html
@@ -2,6 +2,7 @@
 <%def name="online_help_token()"><% return "course_rerun" %></%def>
 <%! from django.utils.translation import ugettext as _ %>
 <%! from django.core.urlresolvers import reverse %>
+<%! from django.template.defaultfilters import escapejs %>
 
 <%block name="title">${_("Create a Course Rerun of:")}</%block>
 <%block name="bodyclass">is-signedin view-course-create view-course-create-rerun</%block>
@@ -13,7 +14,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
 });
 </script>
 <script type="text/javascript">
-    var source_course_key = "${source_course_key}"
+    var source_course_key = "${source_course_key | escapejs}"
 </script>
 
 </%block>
@@ -37,7 +38,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
 
       <h2 class="page-header-super course-original">
         <span class="sr">${_("You are creating a re-run from:")}</span>
-        <span class="course-original-title-id">${source_course_key.org} ${source_course_key.course} ${source_course_key.run}</span>
+        <span class="course-original-title-id">${source_course_key.org | h} ${source_course_key.course | h} ${source_course_key.run | h}</span>
         <span class="course-original-title">${display_name}</span>
       </h2>
     </header>
@@ -79,7 +80,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
                     </li>
                     <li class="field text required" id="field-organization">
                       <label for="rerun-course-org">${_("Organization")}</label>
-                      <input class="rerun-course-org" id="rerun-course-org" type="text" name="rerun-course-org" aria-required="true" value="${source_course_key.org}" placeholder="${_('e.g. UniversityX or OrganizationX')}" />
+                      <input class="rerun-course-org" id="rerun-course-org" type="text" name="rerun-course-org" aria-required="true" value="${source_course_key.org | h}" placeholder="${_('e.g. UniversityX or OrganizationX')}" />
                       <span class="tip">
                         ${_("The name of the organization sponsoring the new course. (This name is often the same as the original organization name.)")}
                         <strong class="tip-note" class="tip-note">${_("Note: No spaces or special characters are allowed.")}</strong>
@@ -90,7 +91,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
                     <li class="row">
                       <div class="column field text required" id="field-course-number">
                         <label for="rerun-course-number">${_("Course Number")}</label>
-                        <input class="rerun-course-number" id="rerun-course-number" type="text" name="rerun-course-number" aria-required="true" value="${source_course_key.course}" placeholder="${_('e.g. CS101')}" />
+                        <input class="rerun-course-number" id="rerun-course-number" type="text" name="rerun-course-number" aria-required="true" value="${source_course_key.course | h}" placeholder="${_('e.g. CS101')}" />
                         <span class="tip">
                           ${_("The unique number that identifies the new course within the organization.  (This number is often the same as the original course number.)")}
                           <strong class="tip-note" class="tip-note">${_("Note: No spaces or special characters are allowed.")}</strong>
diff --git a/cms/templates/course_info.html b/cms/templates/course_info.html
index 7a44f142e3..71e3149566 100644
--- a/cms/templates/course_info.html
+++ b/cms/templates/course_info.html
@@ -1,5 +1,6 @@
-<%! 
+<%!
     from django.utils.translation import ugettext as _
+    from django.template.defaultfilters import escapejs
 %>
 <%inherit file="base.html" />
 <%def name="online_help_token()"><% return "updates" %></%def>
@@ -20,7 +21,7 @@
 
 <%block name="jsextra">
   <script type="text/javascript" charset="utf-8">
-  
+
 require(["domReady!", "jquery", "js/collections/course_update", "js/models/module_info", "js/models/course_info", "js/views/course_info_edit"],
   function(doc, $, CourseUpdateCollection, ModuleInfoModel, CourseInfoModel, CourseInfoEditView) {
     var course_updates = new CourseUpdateCollection();
@@ -28,7 +29,7 @@ require(["domReady!", "jquery", "js/collections/course_update", "js/models/modul
     course_updates.fetch({reset: true});
 
     var course_handouts = new ModuleInfoModel({
-        id: '${handouts_locator}'
+        id: '${handouts_locator | escapejs}'
       });
 
     var editor = new CourseInfoEditView({
diff --git a/cms/templates/course_outline.html b/cms/templates/course_outline.html
index b1eafdea2e..b24752a603 100644
--- a/cms/templates/course_outline.html
+++ b/cms/templates/course_outline.html
@@ -73,7 +73,7 @@ from contentstore.utils import reverse_usage_url
             <h3 class="sr">${_("Page Actions")}</h3>
             <ul>
                 <li class="nav-item">
-                    <a href="#" class="button button-new" data-category="chapter" data-parent="${context_course.location}" data-default-name="${_('Section')}" title="${_('Click to add a new section')}">
+                    <a href="#" class="button button-new" data-category="chapter" data-parent="${context_course.location | h}" data-default-name="${_('Section')}" title="${_('Click to add a new section')}">
                         <i class="icon-plus"></i>${_('New Section')}
                     </a>
                 </li>
@@ -116,7 +116,7 @@ from contentstore.utils import reverse_usage_url
                 course_locator = context_course.location
                 %>
                 <h2 class="sr">${_("Course Outline")}</h2>
-                <article class="outline outline-complex outline-course" data-locator="${course_locator}" data-course-key="${course_locator.course_key}">
+                <article class="outline outline-complex outline-course" data-locator="${course_locator | h}" data-course-key="${course_locator.course_key | h}">
                 </article>
             </div>
             <div class="ui-loading">
@@ -139,7 +139,7 @@ from contentstore.utils import reverse_usage_url
             <div class="bit external-help">
                 <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about the course outline")}</a>
             </div>
-             
+
         </aside>
     </section>
 </div>
diff --git a/cms/templates/edit-tabs.html b/cms/templates/edit-tabs.html
index bc1a4294ae..ff3abca634 100644
--- a/cms/templates/edit-tabs.html
+++ b/cms/templates/edit-tabs.html
@@ -5,6 +5,7 @@
   from django.utils.translation import ugettext as _
   from django.core.urlresolvers import reverse
   from xmodule.tabs import StaticTab
+  from django.template.defaultfilters import escapejs
 %>
 <%block name="title">${_("Pages")}</%block>
 <%block name="bodyclass">is-signedin course view-static-pages</%block>
@@ -24,7 +25,7 @@
             function (TabsModel, TabsEditView, xmoduleLoader) {
                 xmoduleLoader.done(function () {
                     var model = new TabsModel({
-                        id: "${context_course.location}",
+                        id: "${context_course.location | escapejs}",
                         explicit_url: "${reverse('contentstore.views.tabs_handler', kwargs={'course_key_string': context_course.id})}"
                     });
 
@@ -86,7 +87,7 @@
                 %>
 
                 % if isinstance(tab, StaticTab):
-                    <li class="component ${css_class}" data-locator="${tab.locator}" data-tab-id="${tab.tab_id}"></li>
+                    <li class="component ${css_class}" data-locator="${tab.locator | h}" data-tab-id="${tab.tab_id | h}"></li>
 
                 % else:
                     <li class="course-nav-item ${css_class}" data-tab-id="${tab.tab_id}">
diff --git a/cms/templates/export_git.html b/cms/templates/export_git.html
index f66088b8c3..608663752c 100644
--- a/cms/templates/export_git.html
+++ b/cms/templates/export_git.html
@@ -60,7 +60,7 @@
     <aside class="content-supplementary" role="complimentary">
       <dl class="export-git-info-block">
         <dt>${_("Your course:")}</dt>
-        <dd class="course_text">${context_course.id}</dd>
+        <dd class="course_text">${context_course.id | h}</dd>
         <dt>${_("Course git url:")}</dt>
         <dd class="giturl_text">${context_course.giturl}</dd>
       </dl>
diff --git a/cms/templates/index.html b/cms/templates/index.html
index eed1669c58..7a60b85fe3 100644
--- a/cms/templates/index.html
+++ b/cms/templates/index.html
@@ -140,7 +140,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) {
             %for course_info in sorted(in_process_course_actions, key=lambda s: s['display_name'].lower() if s['display_name'] is not None else ''):
             <!-- STATE: re-run is processing -->
             %if course_info['is_in_progress']:
-            <li class="wrapper-course has-status" data-course-key="${course_info['course_key']}">
+            <li class="wrapper-course has-status" data-course-key="${course_info['course_key'] | h}">
               <div class="course-item course-rerun is-processing">
                 <div class="course-details" href="#">
                   <h3 class="course-title">${course_info['display_name']}</h3>
@@ -178,7 +178,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) {
 
             <!-- STATE: re-run has error -->
             %if course_info['is_failed']:
-            <li class="wrapper-course has-status" data-course-key="${course_info['course_key']}">
+            <li class="wrapper-course has-status" data-course-key="${course_info['course_key'] | h}">
               <div class="course-item course-rerun has-error">
                 <div class="course-details" href="#">
                   <h3 class="course-title">${course_info['display_name']}</h3>
@@ -229,7 +229,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) {
       <div class="courses">
         <ul class="list-courses">
           %for course_info in sorted(courses, key=lambda s: s['display_name'].lower() if s['display_name'] is not None else ''):
-          <li class="course-item" data-course-key="${course_info['course_key']}">
+          <li class="course-item" data-course-key="${course_info['course_key'] | h}">
             <a class="course-link" href="${course_info['url']}">
               <h3 class="course-title">${course_info['display_name']}</h3>
 
diff --git a/cms/templates/studio_xblock_wrapper.html b/cms/templates/studio_xblock_wrapper.html
index 263c8922c1..1f578f405c 100644
--- a/cms/templates/studio_xblock_wrapper.html
+++ b/cms/templates/studio_xblock_wrapper.html
@@ -13,9 +13,9 @@ label = xblock.display_name or xblock.scope_ids.block_type
 
 % if not is_root:
     % if is_reorderable:
-    <li class="studio-xblock-wrapper is-draggable" data-locator="${xblock.location}" data-course-key="${xblock.location.course_key}">
+    <li class="studio-xblock-wrapper is-draggable" data-locator="${xblock.location | h}" data-course-key="${xblock.location.course_key | h}">
     % else:
-    <div class="studio-xblock-wrapper" data-locator="${xblock.location}" data-course-key="${xblock.location.course_key}">
+    <div class="studio-xblock-wrapper" data-locator="${xblock.location | h}" data-course-key="${xblock.location.course_key | h}">
     % endif
 
     <section class="wrapper-xblock ${section_class} ${collapsible_class}">
diff --git a/cms/templates/widgets/segment-io.html b/cms/templates/widgets/segment-io.html
index ce966b795b..70cd59974a 100644
--- a/cms/templates/widgets/segment-io.html
+++ b/cms/templates/widgets/segment-io.html
@@ -1,3 +1,5 @@
+<%! from django.template.defaultfilters import escapejs %>
+
 % if context_course:
 <%
     locator = context_course.id
@@ -9,7 +11,7 @@
 <script type="text/javascript">
   // if inside course, inject the course location into the JS namespace
   %if context_course:
-      var course_location_analytics = "${locator}";
+      var course_location_analytics = "${locator | escapejs}";
   %endif
 
   var analytics=analytics||[];analytics.load=function(e){var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=("https:"===document.location.protocol?"https://":"http://")+"d2dq2ahtl5zl1z.cloudfront.net/analytics.js/v1/"+e+"/analytics.min.js";var n=document.getElementsByTagName("script")[0];n.parentNode.insertBefore(t,n);var r=function(e){return function(){analytics.push([e].concat(Array.prototype.slice.call(arguments,0)))}},i=["identify","track","trackLink","trackForm","trackClick","trackSubmit","pageview","ab","alias","ready"];for(var s=0;s<i.length;s++)analytics[i[s]]=r(i[s])};
@@ -28,7 +30,7 @@
 <!-- dummy segment.io -->
 <script type="text/javascript">
   %if context_course:
-  var course_location_analytics = "${locator}";
+  var course_location_analytics = "${locator | escapejs}";
   %endif
   var analytics = {
     "track": function() {}
diff --git a/lms/templates/course.html b/lms/templates/course.html
index 7ea104ff77..a0dc6ea6f5 100644
--- a/lms/templates/course.html
+++ b/lms/templates/course.html
@@ -5,7 +5,7 @@ from django.core.urlresolvers import reverse
 from courseware.courses import course_image_url, get_course_about_section
 %>
 <%page args="course" />
-<article id="${course.id.to_deprecated_string()}" class="course">
+<article id="${course.id | h}" class="course">
   %if course.is_newish:
     <span class="status">${_("New")}</span>
   %endif
diff --git a/lms/templates/courseware/course_about.html b/lms/templates/courseware/course_about.html
index 280212a2b0..cf5a3cbfb1 100644
--- a/lms/templates/courseware/course_about.html
+++ b/lms/templates/courseware/course_about.html
@@ -81,7 +81,7 @@
       if(xhr.status == 200) {
         location.href = "${reverse('dashboard')}";
       } else if (xhr.status == 403) {
-        location.href = "${reverse('course-specific-register', args=[course.id.to_deprecated_string()])}?course_id=${course.id.to_deprecated_string()}&enrollment_action=enroll";
+        location.href = "${reverse('course-specific-register', args=[course.id.to_deprecated_string()])}?course_id=${course.id | u}&enrollment_action=enroll";
       } else if (xhr.status == 400) { //This means the user did not have permission
         $('#register_error').html("${perms_error}").css("display", "block");
       } else {
@@ -348,7 +348,7 @@
   <div style="display: none;">
     <form id="class_enroll_form" method="post" data-remote="true" action="${reverse('change_enrollment')}">
       <fieldset class="enroll_fieldset">
-        <input name="course_id" type="hidden" value="${course.id.to_deprecated_string()}">
+        <input name="course_id" type="hidden" value="${course.id | h}">
         <input name="enrollment_action" type="hidden" value="enroll">
       </fieldset>
       <div class="submit">
diff --git a/lms/templates/courseware/courseware.html b/lms/templates/courseware/courseware.html
index 030e80300b..4a07bf31da 100644
--- a/lms/templates/courseware/courseware.html
+++ b/lms/templates/courseware/courseware.html
@@ -1,4 +1,5 @@
 <%! from django.utils.translation import ugettext as _ %>
+<%! from django.template.defaultfilters import escapejs %>
 <%! from microsite_configuration import page_title_breadcrumbs %>
 <%inherit file="/main.html" />
 <%namespace name='static' file='/static_content.html'/>
@@ -58,7 +59,7 @@ ${page_title_breadcrumbs(course_name())}
   % endif
 
   <script type="text/javascript">
-    var $$course_id = "${course.id.to_deprecated_string()}";
+    var $$course_id = "${course.id | escapejs}";
 
     $(function(){
         $(".ui-accordion-header a, .ui-accordion-content .subtitle").each(function() {
diff --git a/lms/templates/courseware/mktg_coming_soon.html b/lms/templates/courseware/mktg_coming_soon.html
index f1e1d97241..8ef8875776 100644
--- a/lms/templates/courseware/mktg_coming_soon.html
+++ b/lms/templates/courseware/mktg_coming_soon.html
@@ -7,7 +7,7 @@
 
 <%inherit file="../mktg_iframe.html" />
 
-<%block name="pagetitle">${_("About {course_id}").format(course_id=course_id)}</%block>
+<%block name="pagetitle">${_("About {course_id}").format(course_id=course_id) | h}</%block>
 
 <%block name="bodyclass">view-iframe-content view-partial-mktgregister</%block>
 
diff --git a/lms/templates/courseware/mktg_course_about.html b/lms/templates/courseware/mktg_course_about.html
index cb195b47f1..67962dc8b9 100644
--- a/lms/templates/courseware/mktg_course_about.html
+++ b/lms/templates/courseware/mktg_course_about.html
@@ -29,7 +29,7 @@
           window.top.location.href = "${reverse('dashboard')}";
         }
       } else if (xhr.status == 403) {
-        window.top.location.href = "${reverse('register_user')}?course_id=${course.id.to_deprecated_string()}&enrollment_action=enroll";
+        window.top.location.href = "${reverse('register_user')}?course_id=${course.id | u}&enrollment_action=enroll";
       } else {
         $('#register_error').html(
             (xhr.responseText ? xhr.responseText : "${_("An error occurred. Please try again later.")}")
@@ -77,7 +77,7 @@
   <div style="display: none;">
     <form id="class_enroll_form" method="post" data-remote="true" action="${reverse('change_enrollment')}">
       <fieldset class="enroll_fieldset">
-        <input name="course_id" type="hidden" value="${course.id.to_deprecated_string()}">
+        <input name="course_id" type="hidden" value="${course.id | h}">
         <input name="enrollment_action" type="hidden" value="enroll">
         <input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }">
       </fieldset>
diff --git a/lms/templates/courseware/progress.html b/lms/templates/courseware/progress.html
index b7b0c36c48..36957afd6b 100644
--- a/lms/templates/courseware/progress.html
+++ b/lms/templates/courseware/progress.html
@@ -2,6 +2,7 @@
 <%inherit file="/main.html" />
 <%namespace name='static' file='/static_content.html'/>
 
+
 <%block name="headextra">
 <%static:css group='style-course-vendor'/>
 <%static:css group='style-course'/>
@@ -19,6 +20,7 @@
 <%!
 from util.date_utils import get_time_display
 from django.conf import settings
+from django.utils.http import urlquote_plus
 %>
 
 <%block name="js_extra">
@@ -51,7 +53,9 @@ from django.conf import settings
       %if settings.FEATURES.get("SHOW_PROGRESS_SUCCESS_BUTTON"):
         <%
           SUCCESS_BUTTON_URL = settings.PROGRESS_SUCCESS_BUTTON_URL.format(
-            course_id=course.id.to_deprecated_string(), student_id=student.id)
+            course_id=urlquote_plus(unicode(course.id)),
+            student_id=urlquote_plus(student.id)
+          )
           nonzero_cutoffs = [cutoff for cutoff in course.grade_cutoffs.values() if cutoff > 0]
           success_cutoff = min(nonzero_cutoffs) if nonzero_cutoffs else None
         %>
diff --git a/lms/templates/courseware/xqa_interface.html b/lms/templates/courseware/xqa_interface.html
index 1066483df1..1bc88878fb 100644
--- a/lms/templates/courseware/xqa_interface.html
+++ b/lms/templates/courseware/xqa_interface.html
@@ -5,18 +5,18 @@
 <script type="text/javascript">
 
 function setup_debug(element_id, edit_link, staff_context){
-    $('#' + element_id + '_trig').leanModal(); 
-    $('#' + element_id + '_xqa_log').leanModal();        
+    $('#' + element_id + '_trig').leanModal();
+    $('#' + element_id + '_xqa_log').leanModal();
     $('#' + element_id + '_xqa_form').submit(function () {sendlog(element_id, edit_link, staff_context);});
 
     $("#" + element_id + "_history_trig").leanModal();
-    
+
     $('#' + element_id + '_history_form').submit(
         function () {
             var username = $("#" + element_id + "_history_student_username").val();
             var location = $("#" + element_id + "_history_location").val();
 
-            $("#" + element_id + "_history_text").load('/courses/' + "${unicode(course.id)}" + 
+            $("#" + element_id + "_history_text").load('/courses/' + "${unicode(course.id) | u}" +
                 "/submission_history/" + username + "/" + location);
             return false;
         }
@@ -36,7 +36,7 @@ function sendlog(element_id, edit_link, staff_context){
             tag:$('#' + element_id + '_xqa_tag').val(),
             entry: $('#' + element_id + '_xqa_entry').val()
         };
-            
+
     $.ajax({
         url: '${xqa_server}/log',
         type: 'GET',
@@ -44,7 +44,7 @@ function sendlog(element_id, edit_link, staff_context){
         data: JSON.stringify(xqaLog),
         crossDomain: true,
         dataType: 'jsonp',
-        beforeSend: function (xhr) { 
+        beforeSend: function (xhr) {
             xhr.setRequestHeader ("Authorization", "Basic eHFhOmFnYXJ3YWw="); },
         timeout : 1000,
         success: function(result) {
diff --git a/lms/templates/dashboard.html b/lms/templates/dashboard.html
index b431e79351..11b3e54e2b 100644
--- a/lms/templates/dashboard.html
+++ b/lms/templates/dashboard.html
@@ -70,7 +70,7 @@
         location.href = "${reverse('dashboard')}";
       } else if (xhr.status == 403) {
         location.href = "${reverse('signin_user')}?course_id=" +
-          $("#unenroll_course_id").val() + "&enrollment_action=unenroll";
+          encodeURIComponont($("#unenroll_course_id").val()) + "&enrollment_action=unenroll";
       } else {
         $('#unenroll_error').html(
           xhr.responseText ? xhr.responseText : "${_("An error occurred. Please try again later.")}"
diff --git a/lms/templates/dashboard/_dashboard_course_listing.html b/lms/templates/dashboard/_dashboard_course_listing.html
index 7000f93384..20e86d887a 100644
--- a/lms/templates/dashboard/_dashboard_course_listing.html
+++ b/lms/templates/dashboard/_dashboard_course_listing.html
@@ -119,7 +119,7 @@
                   <a class="action action-upgrade" href="${reverse('course_modes_choose', kwargs={'course_id': course.id.to_deprecated_string()})}?upgrade=True">
                     <img class="deco-graphic" src="${static.url('images/vcert-ribbon-s.png')}" alt="ID Verified Ribbon/Badge">
                     <span class="wrapper-copy">
-                      <span class="copy" id="upgrade-to-verified" data-course-id="${course.id.to_deprecated_string()}" data-user="${user.username}">${_("Upgrade to Verified Track")}</span>
+                      <span class="copy" id="upgrade-to-verified" data-course-id="${course.id | h}" data-user="${user.username | h}">${_("Upgrade to Verified Track")}</span>
                     </span>
                   </a>
                 </li>
@@ -130,7 +130,7 @@
       % if is_course_blocked:
         <p id="block-course-msg" class="course-block">
             ${_('You can no longer access this course because payment has not yet been received. you can <a href="#">contact the account holder</a> to request payment, or you can')}
-            <a id="unregister_block_course" rel="leanModal" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" href="#unenroll-modal" > ${_('unregister')} </a>
+            <a id="unregister_block_course" rel="leanModal" data-course-id="${course.id | h}" data-course-number="${course.number | h}" href="#unenroll-modal" > ${_('unregister')} </a>
             ${_('for this course.')}
         </p>
       %endif
@@ -154,12 +154,12 @@
       % if is_paid_course and show_refund_option:
         ## Translators: The course's name will be added to the end of this sentence.
         % if not is_course_blocked:
-        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the purchased course")}';
+        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the purchased course")}';
         document.getElementById('refund-info').innerHTML=gettext('You will be refunded the amount you paid.')">
           ${_('Unregister')}
         </a>
         % else:
-        <a class="disable-look-unregister" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the purchased course")}';
+        <a class="disable-look-unregister" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the purchased course")}';
         document.getElementById('refund-info').innerHTML=gettext('You will be refunded the amount you paid.')">
           ${_('Unregister')}
         </a>
@@ -167,12 +167,12 @@
       % elif is_paid_course and not show_refund_option:
         ## Translators: The course's name will be added to the end of this sentence.
         % if not is_course_blocked:
-        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the purchased course")}';
+        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the purchased course")}';
         document.getElementById('refund-info').innerHTML=gettext('You will not be refunded the amount you paid.')">
           ${_('Unregister')}
         </a>
         % else:
-        <a class="disable-look-unregister" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the purchased course")}';
+        <a class="disable-look-unregister" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the purchased course")}';
         document.getElementById('refund-info').innerHTML=gettext('You will not be refunded the amount you paid.')">
           ${_('Unregister')}
         </a>
@@ -180,23 +180,23 @@
       % elif enrollment.mode != "verified":
         ## Translators: The course's name will be added to the end of this sentence.
         % if not is_course_blocked:
-        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from")}'; document.getElementById('refund-info').innerHTML=''">
+        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from")}'; document.getElementById('refund-info').innerHTML=''">
           ${_('Unregister')}
         </a>
         % else:
-        <a class="disable-look-unregister" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from")}'; document.getElementById('refund-info').innerHTML=''">
+        <a class="disable-look-unregister" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from")}'; document.getElementById('refund-info').innerHTML=''">
           ${_('Unregister')}
         </a>
         % endif
       % elif show_refund_option:
         ## Translators: The course's name will be added to the end of this sentence.
         % if not is_course_blocked:
-        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the verified {cert_name_long} track of").format(cert_name_long=cert_name_long)}';
+        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the verified {cert_name_long} track of").format(cert_name_long=cert_name_long)}';
         document.getElementById('refund-info').innerHTML=gettext('You will be refunded the amount you paid.')">
           ${_('Unregister')}
         </a>
         % else:
-        <a class="disable-look-unregister" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the verified {cert_name_long} track of").format(cert_name_long=cert_name_long)}';
+        <a class="disable-look-unregister" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the verified {cert_name_long} track of").format(cert_name_long=cert_name_long)}';
         document.getElementById('refund-info').innerHTML=gettext('You will be refunded the amount you paid.')">
           ${_('Unregister')}
         </a>
@@ -204,12 +204,12 @@
       % else:
         ## Translators: The course's name will be added to the end of this sentence.
         % if not is_course_blocked:
-        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the verified {cert_name_long} track of").format(cert_name_long=cert_name_long)}';
+        <a href="#unenroll-modal" class="unenroll" rel="leanModal" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the verified {cert_name_long} track of").format(cert_name_long=cert_name_long)}';
         document.getElementById('refund-info').innerHTML=gettext('The refund deadline for this course has passed, so you will not receive a refund.')">
           ${_('Unregister')}
         </a>
         % else:
-        <a class="disable-look-unregister" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the verified {cert_name_long} track of").format(cert_name_long=cert_name_long)}';
+        <a class="disable-look-unregister" data-course-id="${course.id | h}" data-course-number="${course.number | h}" onclick="document.getElementById('track-info').innerHTML='${_("Are you sure you want to unregister from the verified {cert_name_long} track of").format(cert_name_long=cert_name_long)}';
         document.getElementById('refund-info').innerHTML=gettext('The refund deadline for this course has passed, so you will not receive a refund.')">
           ${_('Unregister')}
         </a>
@@ -218,9 +218,9 @@
 
 % if show_email_settings:
         % if not is_course_blocked:
-        <a href="#email-settings-modal" class="email-settings" rel="leanModal" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" data-optout="${course.id.to_deprecated_string() in course_optouts}">${_('Email Settings')}</a>
+        <a href="#email-settings-modal" class="email-settings" rel="leanModal" data-course-id="${course.id | h}" data-course-number="${course.number | h}" data-optout="${unicode(course.id) in course_optouts}">${_('Email Settings')}</a>
         % else:
-        <a class="disable-look-settings" data-course-id="${course.id.to_deprecated_string()}" data-course-number="${course.number}" data-optout="${course.id.to_deprecated_string() in course_optouts}">${_('Email Settings')}</a>
+        <a class="disable-look-settings" data-course-id="${course.id| h}" data-course-number="${course.number | h}" data-optout="${unicode(course.id) in course_optouts}">${_('Email Settings')}</a>
         % endif
 % endif
 
diff --git a/lms/templates/dashboard/_dashboard_refund.html b/lms/templates/dashboard/_dashboard_refund.html
index 34590a8268..b42494f9fd 100644
--- a/lms/templates/dashboard/_dashboard_refund.html
+++ b/lms/templates/dashboard/_dashboard_refund.html
@@ -37,7 +37,7 @@ strong {
             {% csrf_token %}
             {{form.as_p}}
             <p>
-            <input type="button" value="Cancel" onclick="javascript:location=location"/> <input type="submit" value="{% if cert %}Refund{% else %}Confirm{% endif %}" /> 
+            <input type="button" value="Cancel" onclick="javascript:location=location"/> <input type="submit" value="{% if cert %}Refund{% else %}Confirm{% endif %}" />
             </p>
         </form>
         {% if cert %}
@@ -49,7 +49,7 @@ strong {
                 <strong>{% trans "Order Id:" %}</strong> {{cert.order.id}}
             </p>
             <p>
-                <strong>{% trans "Enrollment:" %}</strong> {{enrollment.course_id}} {{enrollment.mode}} ({% if enrollment.is_active %}{% trans "enrolled" %}{% else %}{% trans "unenrolled" %}{% endif %})
+                <strong>{% trans "Enrollment:" %}</strong> {{enrollment.course_id|escape}} {{enrollment.mode}} ({% if enrollment.is_active %}{% trans "enrolled" %}{% else %}{% trans "unenrolled" %}{% endif %})
             </p>
             <p>
                 <strong>{% trans "Cost:" %}</strong> {{cert.unit_cost}} {{cert.currency}}
diff --git a/lms/templates/discussion/index.html b/lms/templates/discussion/index.html
index 38eddd692d..74dd83c9f5 100644
--- a/lms/templates/discussion/index.html
+++ b/lms/templates/discussion/index.html
@@ -25,7 +25,7 @@
 
 <section class="discussion container" id="discussion-container"
          data-roles="${roles}"
-         data-course-id="${course_id}"
+         data-course-id="${course_id | h}"
          data-user-info="${user_info}"
          data-threads="${threads}"
          data-thread-pages="${thread_pages}"
diff --git a/lms/templates/discussion/user_profile.html b/lms/templates/discussion/user_profile.html
index e0a01d573d..03b3aa71f3 100644
--- a/lms/templates/discussion/user_profile.html
+++ b/lms/templates/discussion/user_profile.html
@@ -32,7 +32,7 @@
       </nav>
     </section>
 
-    <section class="course-content container discussion-user-threads" data-course-id="${course.id.to_deprecated_string() | h}" data-threads="${threads}" data-user-info="${user_info}" data-page="${page}" data-num-pages="${num_pages}"/>
+    <section class="course-content container discussion-user-threads" data-course-id="${course.id | h}" data-threads="${threads}" data-user-info="${user_info}" data-page="${page}" data-num-pages="${num_pages}"/>
   </div>
 </section>
 
diff --git a/lms/templates/instructor/instructor_dashboard_2/add_coupon_modal.html b/lms/templates/instructor/instructor_dashboard_2/add_coupon_modal.html
index c832d1f94d..82990bd8e5 100644
--- a/lms/templates/instructor/instructor_dashboard_2/add_coupon_modal.html
+++ b/lms/templates/instructor/instructor_dashboard_2/add_coupon_modal.html
@@ -46,7 +46,7 @@
 
             <li class="field" id="add-coupon-modal-field-course_id">
               <label for="coupon_course_id">${_("Course ID")}</label>
-              <input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id']}"
+              <input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id'] | h}"
                      readonly aria-required="true"/>
             </li>
 
diff --git a/lms/templates/instructor/instructor_dashboard_2/course_info.html b/lms/templates/instructor/instructor_dashboard_2/course_info.html
index 3e00ebf5bb..bd6462934f 100644
--- a/lms/templates/instructor/instructor_dashboard_2/course_info.html
+++ b/lms/templates/instructor/instructor_dashboard_2/course_info.html
@@ -30,17 +30,17 @@
   <ul class="list-input">
     <li class="field text is-not-editable" id="field-course-organization">
       <label for="course-organization">${_("Organization:")}</label>
-      <b>${ section_data['course_id'].org }</b>
+      <b>${ section_data['course_id'].org | h}</b>
     </li>
 
     <li class="field text is-not-editable" id="field-course-number">
       <label for="course-number">${_("Course Number:")}</label>
-      <b>${ section_data['course_id'].course }</b>
+      <b>${ section_data['course_id'].course | h}</b>
     </li>
 
     <li class="field text is-not-editable" id="field-course-name">
       <label for="course-name">${_("Course Name:")}</label>
-      <b>${ section_data['course_id'].run }</b>
+      <b>${ section_data['course_id'].run | h}</b>
     </li>
 
     <li class="field text is-not-editable" id="field-course-display-name">
diff --git a/lms/templates/instructor/instructor_dashboard_2/metrics.html b/lms/templates/instructor/instructor_dashboard_2/metrics.html
index 535750ba15..f8a1946f2a 100644
--- a/lms/templates/instructor/instructor_dashboard_2/metrics.html
+++ b/lms/templates/instructor/instructor_dashboard_2/metrics.html
@@ -1,4 +1,5 @@
-  <%! from django.utils.translation import ugettext as _ %>
+<%! from django.utils.translation import ugettext as _ %>
+<%! from django.template.defaultfilters import escapejs %>
 
 <%page args="section_data"/>
 
@@ -20,7 +21,7 @@
        <h2>${_("Subsection Data")}</h2>
        <p>${_("Each bar shows the number of students that opened the subsection.")}</p>
        <p>${_("You can click on any of the bars to list the students that opened the subsection.")}</p>
-       <p>${_("You can also download this data as a CSV file.")}</p> 
+       <p>${_("You can also download this data as a CSV file.")}</p>
        <p><input type="button" id="download_subsection_data" value="${_("Download Subsection Data for all Subsections as a CSV")}" /></p>
      </div>
      <div class="metrics-right-header">
@@ -69,10 +70,10 @@
       $('.metrics-container').on("click", '.metrics-left .stacked-bar', function () {
         var module_id = $('rect', this).attr('id');
         var metrics_overlay = $(this).closest('.metrics-left').siblings('.metrics-overlay');
-          
+
         // Set module_id attribute on metrics_overlay
         metrics_overlay.data("module-id", module_id);
-          
+
         var header = $(this).closest('.metrics-left').siblings('.metrics-tooltip').text();
         var overlay_content = '<h3 class="metrics-overlay-title">' + header + '</h3>';
         $('.metrics-overlay-content', metrics_overlay).before(overlay_content);
@@ -86,7 +87,7 @@
           success: function(response) {
             overlay_content = "<tr class='header'><th>${_('Name')}</th><th>${_('Username')}</th></tr>";
             $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
-                    
+
             $.each(response.results, function(index, value ){
               overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + '</td></tr>';
               $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
@@ -101,19 +102,19 @@
         metrics_overlay.find('.metrics-student-opened').show();
         metrics_overlay.show();
       });
-     
+
       // Click handler for right bars
       $('.metrics-container').on("click", '.metrics-right .stacked-bar', function () {
         var module_id = $('rect', this).attr('id');
         var metrics_overlay = $(this).closest('.metrics-right').siblings('.metrics-overlay');
-          
+
         //Set module_id attribute on metrics_overlay
         metrics_overlay.data("module-id", module_id);
-          
+
         var header = $(this).closest('.metrics-right').siblings('.metrics-tooltip').text();
         var far_index = header.indexOf(' - ');
         var title = header.substring(0, far_index);
-          
+
         var overlay_content = '<h3 class="metrics-overlay-title">' + title + '</h3>';
         $('.metrics-overlay-content', metrics_overlay).before(overlay_content);
 
@@ -141,12 +142,12 @@
         metrics_overlay.find('.metrics-student-grades').show();
         metrics_overlay.show();
       });
-     
+
       loadGraphs = function() {
         $('#graph_reload').hide();
         $('.metrics-header-container').hide();
         $('.loading').remove();
-        
+
 
         var nothingText = "${_('There are no problems in this section.')}";
         var loadingText = "${_('Loading...')}";
@@ -169,7 +170,7 @@
 
         ${all_section_metrics.body("metric_opened_", "metric_grade_", "metric_attempts_", "metric_tooltip_", course.id, allSubsectionTooltipArr, allProblemTooltipArr)}
       }
-      
+
       // For downloading subsection and problem data as csv
       download_csv_data = function(event) {
 
@@ -191,25 +192,25 @@
         var data = {}
         data['sections'] = JSON.stringify(allSectionArr);
         data['tooltips'] = JSON.stringify(allTooltipArr);
-        data['course_id'] = "${section_data['course_id']}";
+        data['course_id'] = "${section_data['course_id'] | escapejs}";
         data['data_type'] = event.type;
-        
+
         var input_data = document.createElement("input");
         input_data.name = 'data';
         input_data.value = JSON.stringify(data);
-        
+
         var csrf_token_input = document.createElement("input");
         csrf_token_input.name = 'csrfmiddlewaretoken';
         csrf_token_input.value = "${ csrf_token }"
-        
+
         // Send data as a POST so it doesn't create a huge url
         var form = document.createElement("form");
         form.action = "${section_data['post_metrics_data_csv_url']}";
         form.method = 'post'
-          
+
         form.appendChild(input_data);
         form.appendChild(csrf_token_input)
-          
+
         document.body.appendChild(form);
         form.submit();
       }
@@ -222,17 +223,17 @@
           $('.metrics-header-container').show();
         }
       });
-      
+
       $('#graph_reload').click(function () {
         loadGraphs();
         $('#graph_reload').show();
         $('.metrics-header-container').show();
       });
-      
+
       $('#download_subsection_data').click(function() {
         download_csv_data({'type': 'subsection'});
       });
-      
+
       $('#download_problem_data').click(function() {
         download_csv_data({'type': 'problem'});
       });
@@ -242,12 +243,12 @@
         $('#graph_reload').hide();
         $('.metrics-header-container').hide();
       }
-      
+
       $(document).ajaxStop(function() {
           $('#graph_reload').show();
           $('.metrics-header-container').show();
       });
-      
+
     });
     $('.metrics-overlay .close-button').click(function(event) {
       event.preventDefault();
@@ -259,14 +260,14 @@
     });
   $('.metrics-overlay .download-csv').click(function(event) {
 
-    var module_id = $(this).closest('.metrics-overlay').data("module-id");     
+    var module_id = $(this).closest('.metrics-overlay').data("module-id");
     var tooltip = $(this).closest('.metrics-container').children('.metrics-tooltip').text();
     var attributes = '?module_id=' + module_id + '&csv=true' + '&tooltip=' + tooltip;
     var url = $(this).data("endpoint");
     url += attributes;
 
     return location.href = url;
-    
+
   });
 
   </script>
diff --git a/lms/templates/main.html b/lms/templates/main.html
index 4c5d50ef1c..c3895de287 100644
--- a/lms/templates/main.html
+++ b/lms/templates/main.html
@@ -11,7 +11,7 @@
 <%! from microsite_configuration import page_title_breadcrumbs %>
 
 <%namespace name='static' file='static_content.html'/>
-<%! from django.utils import html %>
+<%! from django.utils.http import urlquote_plus %>
 
 ## Define a couple of helper functions to make life easier when
 ## embedding theme conditionals into templates. All inheriting
@@ -148,7 +148,7 @@
 
 <%def name="login_query()">${
   u"?course_id={0}&enrollment_action={1}".format(
-    html.escape(course_id),
-    html.escape(enrollment_action)
+    urlquote_plus(course_id),
+    urlquote_plus(enrollment_action)
   ) if course_id and enrollment_action else ""
 }</%def>
diff --git a/lms/templates/peer_grading/peer_grading.html b/lms/templates/peer_grading/peer_grading.html
index 172360c9e2..d868347445 100644
--- a/lms/templates/peer_grading/peer_grading.html
+++ b/lms/templates/peer_grading/peer_grading.html
@@ -41,7 +41,7 @@ criteria.{end_li_tag}
                             %if problem['closed']:
                                 ${problem['problem_name']}
                             %else:
-                                <a href="#problem" data-location="${problem['location'].to_deprecated_string()}" class="problem-button">${problem['problem_name']}</a>
+                                <a href="#problem" data-location="${problem['location'] | h}" class="problem-button">${problem['problem_name']}</a>
                             %endif
                         </td>
                         <td>
diff --git a/lms/templates/peer_grading/peer_grading_problem.html b/lms/templates/peer_grading/peer_grading_problem.html
index 52c6f6ced0..67d575dc4f 100644
--- a/lms/templates/peer_grading/peer_grading_problem.html
+++ b/lms/templates/peer_grading/peer_grading_problem.html
@@ -1,6 +1,6 @@
 <%! from django.utils.translation import ugettext as _ %>
 <section class="container peer-grading-container">
-    <div class="peer-grading" data-ajax-url="${ajax_url}" data-location="${problem_location.to_deprecated_string()}" data-use-single-location="${use_single_location}">
+    <div class="peer-grading" data-ajax-url="${ajax_url}" data-location="${problem_location | h}" data-use-single-location="${use_single_location}">
         <div class="error-container"></div>
 
         <section class="content-panel">
@@ -48,7 +48,7 @@
                         <textarea name="feedback" placeholder="Feedback for student" class="feedback-area" cols="70" ></textarea>
                         <div class="flag-student-container">
                             <br />
-                            <input type="checkbox" class="flag-checkbox" value="student_is_flagged"> 
+                            <input type="checkbox" class="flag-checkbox" value="student_is_flagged">
                             ${_("This submission has explicit, offensive, or (I suspect) plagiarized content. ")}
                         </div>
                     </div>
diff --git a/lms/templates/shoppingcart/receipt.html b/lms/templates/shoppingcart/receipt.html
index 7a35bc014f..f393473143 100644
--- a/lms/templates/shoppingcart/receipt.html
+++ b/lms/templates/shoppingcart/receipt.html
@@ -52,7 +52,7 @@
               % if item.status == "purchased":
                 <td>${item.qty}</td>
                 <td>${item.line_desc}</td>
-                <td><a href="${course_id}" class="enter-course">${_('View Course')}</a></td>
+                <td><a href="${course_id | h}" class="enter-course">${_('View Course')}</a></td>
                 <td>${"{0:0.2f}".format(item.unit_cost)}
                     % if item.list_price != None:
                         <span class="old-price"> ${"{0:0.2f}".format(item.list_price)}</span>
diff --git a/lms/templates/staff_problem_info.html b/lms/templates/staff_problem_info.html
index 6bed4a7d68..75d2789d7c 100644
--- a/lms/templates/staff_problem_info.html
+++ b/lms/templates/staff_problem_info.html
@@ -1,4 +1,5 @@
 <%! from django.utils.translation import ugettext as _ %>
+<%! from django.template.defaultfilters import escapejs %>
 <%namespace name='static' file='/static_content.html'/>
 
 ## The JS for this is defined in xqa_interface.html
@@ -9,10 +10,10 @@ ${block_content}
       <a href="${edit_link}">Edit</a>
       % if xqa_key:
           / <a href="#${element_id}_xqa-modal" onclick="javascript:getlog('${element_id}', {
-          'location': '${location}',
-          'xqa_key': '${xqa_key}',
-          'category': '${category}',
-          'user': '${user}'
+          'location': '${location | h}',
+          'xqa_key': '${xqa_key | h}',
+          'category': '${category | h}',
+          'user': '${user | h}'
        })" id="${element_id}_xqa_log">QA</a>
       % endif
   </div>
@@ -58,10 +59,10 @@ ${block_content}
     <div class="staff_actions">
       <h3>${_('Actions')}</h3>
       <div>
-        <label for="sd_fu_${location.name}">${_('Username')}:</label>
-        <input type="text" id="sd_fu_${location.name}" placeholder="${user.username}"/>
+        <label for="sd_fu_${location.name | h}">${_('Username')}:</label>
+        <input type="text" id="sd_fu_${location.name | h}" placeholder="${user.username}"/>
       </div>
-      <div data-location="${location.to_deprecated_string()}" data-location-name="${location.name}">
+      <div data-location="${location | h}" data-location-name="${location.name | h}">
         [
         <a href="#" class="staff-debug-reset">${_('Reset Student Attempts')}</a>
         % if has_instructor_access:
@@ -72,7 +73,7 @@ ${block_content}
         % endif
         ]
       </div>
-      <div id="result_${location.name}"/>
+      <div id="result_${location.name | h}"/>
     </div>
 
     <div class="staff_info" style="display:block">
@@ -106,7 +107,7 @@ category = ${category | h}
     <form id="${element_id}_history_form">
       <label for="${element_id}_history_student_username">${_("User:")}</label>
       <input id="${element_id}_history_student_username" type="text" placeholder=""/>
-      <input type="hidden" id="${element_id}_history_location" value="${location.to_deprecated_string()}"/>
+      <input type="hidden" id="${element_id}_history_location" value="${location | h}"/>
       <div class="submit">
         <button name="submit" type="submit">${_("View History")}</button>
       </div>
@@ -129,7 +130,7 @@ $(function () {
         null,
         %endif
         {
-            'location': '${location.to_deprecated_string()}',
+            'location': '${location | escapejs}',
             'xqa_key': '${xqa_key}',
             'category': '${category}',
             'user': '${user}'
diff --git a/lms/templates/sysadmin_dashboard_gitlogs.html b/lms/templates/sysadmin_dashboard_gitlogs.html
index fbc3ea3b77..6217114a78 100644
--- a/lms/templates/sysadmin_dashboard_gitlogs.html
+++ b/lms/templates/sysadmin_dashboard_gitlogs.html
@@ -75,7 +75,7 @@ textarea {
 
       %if course_id is not None:
           ## Translators: Git is a version-control system; see http://git-scm.com/about
-          <h2>${_('Recent git load activity for {course_id}').format(course_id=course_id)}</h2>
+          <h2>${_('Recent git load activity for {course_id}').format(course_id=course_id) | h}</h2>
           %if error_msg:
               <h3>${_('Error')}:</h3>
               <p>${error_msg}</p>
@@ -100,15 +100,13 @@ textarea {
           %>
           % for cil in logs:
               <%
-                  course_id_string = cil.course_id.to_deprecated_string() if cil.course_id else None
-
                   # Appropriate datetime string for current locale and timezone
                   date = get_time_display(cil.created.replace(tzinfo=UTC),
                                           DEFAULT_DATE_TIME_FORMAT, coerce_tz=settings.TIME_ZONE)
               %>
               <tr>
                 <td>${date}</td>
-                <td><a href="${reverse('gitlogs')}/${course_id_string}">${course_id_string}</a></td>
+                <td><a href="${reverse('gitlogs_detail', kwargs={'course_id': unicode(cil.course_id)})}">${cil.course_id | h}</a></td>
                 <td>${cil.git_log}</td>
               </tr>
           %endfor
diff --git a/lms/templates/verify_student/midcourse_photo_reverification.html b/lms/templates/verify_student/midcourse_photo_reverification.html
index e1bca374e2..177c7ca8ce 100644
--- a/lms/templates/verify_student/midcourse_photo_reverification.html
+++ b/lms/templates/verify_student/midcourse_photo_reverification.html
@@ -174,7 +174,7 @@
                   <li class="wizard-step step-proceed">
                     <form id="reverify_form" method="post">
                       <input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }">
-                      <input type="hidden" name="course_id" value="${course_id}">
+                      <input type="hidden" name="course_id" value="${course_id | h}">
                       <input class="action-primary disabled" type="button" id="midcourse_reverify_button" value="${_('Submit photos &amp; re-verify')}" name="payment">
                     </form>
                   </li>
diff --git a/lms/templates/verify_student/verified.html b/lms/templates/verify_student/verified.html
index 8059db32f1..d90da34f35 100644
--- a/lms/templates/verify_student/verified.html
+++ b/lms/templates/verify_student/verified.html
@@ -1,5 +1,6 @@
 <%! from django.utils.translation import ugettext as _ %>
 <%! from django.core.urlresolvers import reverse %>
+<%! from django.template.defaultfilters import escapejs %>
 
 <%inherit file="../main.html" />
 <%namespace name='static' file='/static_content.html'/>
@@ -14,7 +15,7 @@ var submitToPaymentProcessing = function(event) {
     var xhr = $.post(
       "${create_order_url}",
       {
-        "course_id" : "${course_id}",
+        "course_id" : "${course_id | escapejs}",
       },
       function(data) {
         for (prop in data) {