diff --git a/cms/templates/certificates.html b/cms/templates/certificates.html
index 12243fa231..13792d216b 100644
--- a/cms/templates/certificates.html
+++ b/cms/templates/certificates.html
@@ -1,9 +1,11 @@
+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%def name="online_help_token()"><% return "certificates" %></%def>
 <%namespace name='static' file='static_content.html'/>
 <%!
 from contentstore import utils
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML, Text
 from openedx.core.djangolib.js_utils import (
     dump_js_escaped_json, js_escaped_string
 )
@@ -25,8 +27,8 @@ from openedx.core.djangolib.js_utils import (
 window.CMS = window.CMS || {};
 CMS.URL = CMS.URL || {};
 CMS.User = CMS.User || {};
-CMS.URL.UPLOAD_ASSET = '${upload_asset_url}';
-CMS.User.isGlobalStaff = '${is_global_staff}'=='True' ? true : false;
+CMS.URL.UPLOAD_ASSET = '${upload_asset_url | n, js_escaped_string}';
+CMS.User.isGlobalStaff = '${is_global_staff | n, js_escaped_string}'=='True' ? true : false;
 </script>
 </%block>
 
@@ -88,13 +90,13 @@ CMS.User.isGlobalStaff = '${is_global_staff}'=='True' ? true : false;
             <h3 class="title-3">${_("Working with Certificates")}</h3>
             <p>${_("Specify a course title to use on the certificate if the course's official title is too long to be displayed well.")}</p>
             <p>${_("For verified certificates, specify between one and four signatories and upload the associated images.")}</p>
-            <p>${_("To edit or delete a certificate before it is activated, hover over the top right corner of the form and select {em_start}Edit{em_end} or the delete icon.").format(em_start="<strong>", em_end="</strong>")}</p>
-            <p>${_("To view a sample certificate, choose a course mode and select {em_start}Preview Certificate{em_end}.").format(em_start='<strong>', em_end="</strong>")}</p>
+            <p>${Text(_("To edit or delete a certificate before it is activated, hover over the top right corner of the form and select {em_start}Edit{em_end} or the delete icon.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
+            <p>${Text(_("To view a sample certificate, choose a course mode and select {em_start}Preview Certificate{em_end}.")).format(em_start=HTML('<strong>'), em_end=HTML("</strong>"))}</p>
 
             <h3 class="title-3">${_("Issuing Certificates to Learners")}</h3>
-            <p>${_("To begin issuing course certificates, a course team member with either the Staff or Admin role selects {em_start}Activate{em_end}. Only course team members with these roles can edit or delete an activated certificate.").format(em_start="<strong>", em_end="</strong>")}</p>
-            <p>${_("{em_start}Do not{em_end} delete certificates after a course has started; learners who have already earned certificates will no longer be able to access them.").format(em_start="<strong>", em_end="</strong>")}</p>
-            <p><a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about certificates")}</a></p>
+            <p>${Text(_("To begin issuing course certificates, a course team member with either the Staff or Admin role selects {em_start}Activate{em_end}. Only course team members with these roles can edit or delete an activated certificate.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
+            <p>${Text(_("{em_start}Do not{em_end} delete certificates after a course has started; learners who have already earned certificates will no longer be able to access them.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
+            <p><a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about certificates")}</a></p>
           </div>
         </div>
         <div class="bit">
@@ -108,7 +110,7 @@ CMS.User.isGlobalStaff = '${is_global_staff}'=='True' ? true : false;
         <h2 class="title-3">${_("Other Course Settings")}</h2>
           <nav class="nav-related" aria-label="${_('Other Course Settings')}">
             <ul>
-              <li class="nav-item"><a href="${details_url}">${_("Details &amp; Schedule")}</a></li>
+              <li class="nav-item"><a href="${details_url}">${_("Details & Schedule")}</a></li>
               <li class="nav-item"><a href="${grading_url}">${_("Grading")}</a></li>
               <li class="nav-item"><a href="${course_team_url}">${_("Course Team")}</a></li>
               <li class="nav-item"><a href="${advanced_settings_url}">${_("Advanced Settings")}</a></li>
diff --git a/cms/templates/container.html b/cms/templates/container.html
index f180c92537..ecaa9110e2 100644
--- a/cms/templates/container.html
+++ b/cms/templates/container.html
@@ -155,7 +155,7 @@ from openedx.core.djangolib.markup import HTML, Text
                             <h5 class="title">${_("Location ID")}</h5>
                             <p class="unit-id">
                                 <span class="unit-id-value" id="unit-location-id-input">${unit.location.block_id}</span>
-                                <span class="tip"><span class="sr">Tip: </span>${_('To create a link to this unit from an HTML component in this course, enter "/jump_to_id/<location ID>" as the URL value.')}</span>
+                                <span class="tip"><span class="sr">Tip: </span>${Text(_('To create a link to this unit from an HTML component in this course, enter "/jump_to_id/<location ID>" as the URL value.'))}</span>
                             </p>
                         </div>
                         <div class="wrapper-unit-tree-location bar-mod-content">
diff --git a/cms/templates/js/certificate-web-preview.underscore b/cms/templates/js/certificate-web-preview.underscore
index 16452fb96f..566a1544f8 100644
--- a/cms/templates/js/certificate-web-preview.underscore
+++ b/cms/templates/js/certificate-web-preview.underscore
@@ -1,17 +1,17 @@
-<label for="course-modes"><%= gettext("Choose mode") %></label>
+<label for="course-modes"><%- gettext("Choose mode") %></label>
 <select id="course-modes">
 <% _.each(course_modes, function(course_mode) { %>
-     <option value= "<%= course_mode %>"><%= course_mode %></option>
+     <option value= "<%- course_mode %>"><%- course_mode %></option>
 <% }); %>
 </select>
-<a href=<%= certificate_web_view_url %> class="button preview-certificate-link" target="_blank">
-    <%= gettext("Preview Certificate") %>
+<a href=<%- certificate_web_view_url %> class="button preview-certificate-link" rel="noopener" target="_blank">
+    <%- gettext("Preview Certificate") %>
 </a>
 <button class="button activate-cert">
     <span>
     <% if(!is_active) { %>
-        <%= gettext("Activate") %></span>
+        <%- gettext("Activate") %></span>
     <% } else { %>
-        <%= gettext("Deactivate") %></span>
+        <%- gettext("Deactivate") %></span>
     <% } %>
 </button>
diff --git a/cms/templates/js/license-selector.underscore b/cms/templates/js/license-selector.underscore
index 90230b11a7..2245f7deb0 100644
--- a/cms/templates/js/license-selector.underscore
+++ b/cms/templates/js/license-selector.underscore
@@ -1,6 +1,6 @@
 <div class="wrapper-license">
     <h3 class="label setting-label">
-        <%= gettext("License Type") %>
+        <%- gettext("License Type") %>
     </h3>
     <ul class="license-types">
         <% var link_start_tpl = '<a href="{url}" target="_blank">'; %>
@@ -14,8 +14,8 @@
                 </button>
                 <p class="tip">
                     <% if(license.url) { %>
-                        <a href="<%- license.url %>" target="_blank">
-                            <%= gettext("Learn more about {license_name}")
+                        <a href="<%- license.url %>" rel="noopener" target="_blank">
+                            <%- gettext("Learn more about {license_name}")
                                         .replace("{license_name}", license.name)
                             %>
                         </a>
@@ -71,15 +71,15 @@
 <% if (showPreview) { %>
     <div class="wrapper-license-preview">
         <h4 class="label setting-label">
-            <%= gettext("License Display") %>
+            <%- gettext("License Display") %>
         </h4>
         <p class="tip">
-            <%= gettext("The following message will be displayed at the bottom of the courseware pages within your course:") %>
+            <%- gettext("The following message will be displayed at the bottom of the courseware pages within your course:") %>
         </p>
         <div class="license-preview">
         <% // keep this synchronized with the contents of common/templates/license.html %>
         <% if (model.type === "all-rights-reserved") { %>
-            © <span class="license-text"><%= gettext("All Rights Reserved") %></span>
+            © <span class="license-text"><%- gettext("All Rights Reserved") %></span>
         <% } else if (model.type === "creative-commons") {
              var possible = ["by", "nc", "nd", "sa"];
              var enabled = _.filter(possible, function(option) {
@@ -98,16 +98,16 @@
                     />
             <% } else { %>
 	        <% //<span> must come before <i> icon or else spacing gets messed up %>
-                <span class="sr"><%= gettext("Creative Commons licensed content, with terms as follow:") %>&nbsp;</span><span aria-hidden="true" class="icon-cc"></span>
+                <span class="sr"><%- gettext("Creative Commons licensed content, with terms as follow:") %>&nbsp;</span><span aria-hidden="true" class="icon-cc"></span>
                 <% _.each(enabled, function(option) { %>
                         <span class="sr"><%- license.options[option.toUpperCase()].name %>&nbsp;</span><span aria-hidden="true" class="icon-cc-<%- option %>"></span>
                 <% }); %>
-                <span class="license-text"><%= gettext("Some Rights Reserved") %></span>
+                <span class="license-text"><%- gettext("Some Rights Reserved") %></span>
             <% } %>
         <% } else { %>
-            <%= typeof licenseString == "string" ? licenseString : "" %>
+            <%- typeof licenseString == "string" ? licenseString : "" %>
             <% // Default to ARR license %>
-            © <span class="license-text"><%= gettext("All Rights Reserved") %></span>
+            © <span class="license-text"><%- gettext("All Rights Reserved") %></span>
         <% } %>
         </a>
     </div>
diff --git a/cms/templates/js/metadata-file-uploader-item.underscore b/cms/templates/js/metadata-file-uploader-item.underscore
index 45e08c1b7b..7c7637c073 100644
--- a/cms/templates/js/metadata-file-uploader-item.underscore
+++ b/cms/templates/js/metadata-file-uploader-item.underscore
@@ -1,3 +1,3 @@
-<a href="#" class="upload-action upload-setting"><%= model.get('value') ? gettext('Replace') : gettext('Upload') %>
-</a><% if (model.get('value')) { %><a href="<%= model.get("value") %>" target="_blank" class="download-action download-setting"><%= gettext("Download") %>
+<a href="#" class="upload-action upload-setting"><%- model.get('value') ? gettext('Replace') : gettext('Upload') %>
+</a><% if (model.get('value')) { %><a href="<%- model.get("value") %>" rel="noopener" target="_blank" class="download-action download-setting"><%- gettext("Download") %>
 </a><% } %>
diff --git a/cms/templates/textbooks.html b/cms/templates/textbooks.html
index 2a5c955224..7cd12cbc7e 100644
--- a/cms/templates/textbooks.html
+++ b/cms/templates/textbooks.html
@@ -1,9 +1,10 @@
+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%def name="online_help_token()"><% return "textbooks" %></%def>
 <%namespace name='static' file='static_content.html'/>
 <%!
 from django.utils.translation import ugettext as _
-from openedx.core.djangolib.js_utils import dump_js_escaped_json
+from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
 %>
 
 <%block name="title">${_("Textbooks")}</%block>
@@ -21,9 +22,9 @@ from openedx.core.djangolib.js_utils import dump_js_escaped_json
 <script type="text/javascript">
 window.CMS = window.CMS || {};
 CMS.URL = CMS.URL || {};
-CMS.URL.UPLOAD_ASSET = "${upload_asset_url}"
-CMS.URL.TEXTBOOKS = "${textbook_url}"
-CMS.URL.LMS_BASE = "${settings.LMS_BASE}"
+CMS.URL.UPLOAD_ASSET = "${upload_asset_url | n, js_escaped_string}"
+CMS.URL.TEXTBOOKS = "${textbook_url | n, js_escaped_string}"
+CMS.URL.LMS_BASE = "${settings.LMS_BASE | n, js_escaped_string}"
 </script>
 </%block>
 
diff --git a/common/lib/xmodule/xmodule/lti_module.py b/common/lib/xmodule/xmodule/lti_module.py
index 248adfb58b..b439f335ae 100644
--- a/common/lib/xmodule/xmodule/lti_module.py
+++ b/common/lib/xmodule/xmodule/lti_module.py
@@ -80,6 +80,7 @@ from xmodule.editing_module import MetadataOnlyEditingDescriptor
 from xmodule.lti_2_util import LTI20ModuleMixin, LTIError
 from xmodule.raw_module import EmptyDataRawDescriptor
 from xmodule.x_module import XModule, module_attr
+from openedx.core.djangolib.markup import HTML, Text
 
 log = logging.getLogger(__name__)
 
@@ -87,6 +88,7 @@ DOCS_ANCHOR_TAG_OPEN = (
     "<a target='_blank' "
     "href='https://edx.readthedocs.io/projects/edx-partner-course-staff/en/latest/exercises_tools/lti_component.html'>"
 )
+BREAK_TAG = '<br />'
 
 # Make '_' a no-op so we can scrape strings. Using lambda instead of
 #  `django.utils.translation.ugettext_noop` because Django cannot be imported in this file
@@ -124,39 +126,42 @@ class LTIFields(object):
     )
     lti_id = String(
         display_name=_("LTI ID"),
-        help=_(
+        help=Text(_(
             "Enter the LTI ID for the external LTI provider.  "
             "This value must be the same LTI ID that you entered in the "
             "LTI Passports setting on the Advanced Settings page."
-            "<br />See {docs_anchor_open}the edX LTI documentation{anchor_close} for more details on this setting."
-        ).format(
-            docs_anchor_open=DOCS_ANCHOR_TAG_OPEN,
-            anchor_close="</a>"
+            "{break_tag}See {docs_anchor_open}the edX LTI documentation{anchor_close} for more details on this setting."
+        )).format(
+            break_tag=HTML(BREAK_TAG),
+            docs_anchor_open=HTML(DOCS_ANCHOR_TAG_OPEN),
+            anchor_close=HTML("</a>")
         ),
         default='',
         scope=Scope.settings
     )
     launch_url = String(
         display_name=_("LTI URL"),
-        help=_(
+        help=Text(_(
             "Enter the URL of the external tool that this component launches. "
             "This setting is only used when Hide External Tool is set to False."
-            "<br />See {docs_anchor_open}the edX LTI documentation{anchor_close} for more details on this setting."
-        ).format(
-            docs_anchor_open=DOCS_ANCHOR_TAG_OPEN,
-            anchor_close="</a>"
+            "{break_tag}See {docs_anchor_open}the edX LTI documentation{anchor_close} for more details on this setting."
+        )).format(
+            break_tag=HTML(BREAK_TAG),
+            docs_anchor_open=HTML(DOCS_ANCHOR_TAG_OPEN),
+            anchor_close=HTML("</a>")
         ),
         default='http://www.example.com',
         scope=Scope.settings)
     custom_parameters = List(
         display_name=_("Custom Parameters"),
-        help=_(
+        help=Text(_(
             "Add the key/value pair for any custom parameters, such as the page your e-book should open to or "
             "the background color for this component."
-            "<br />See {docs_anchor_open}the edX LTI documentation{anchor_close} for more details on this setting."
-        ).format(
-            docs_anchor_open=DOCS_ANCHOR_TAG_OPEN,
-            anchor_close="</a>"
+            "{break_tag}See {docs_anchor_open}the edX LTI documentation{anchor_close} for more details on this setting."
+        )).format(
+            break_tag=HTML(BREAK_TAG),
+            docs_anchor_open=HTML(DOCS_ANCHOR_TAG_OPEN),
+            anchor_close=HTML("</a>")
         ),
         scope=Scope.settings)
     open_in_a_new_page = Boolean(
diff --git a/lms/static/js/student_account/views/RegisterView.js b/lms/static/js/student_account/views/RegisterView.js
index 9daa4720c7..70191b66e2 100644
--- a/lms/static/js/student_account/views/RegisterView.js
+++ b/lms/static/js/student_account/views/RegisterView.js
@@ -133,23 +133,24 @@
 
                 render: function(html) {
                     var fields = html || '',
-                        formErrorsTitle = gettext('An error occurred.');
+                        formErrorsTitle = gettext('An error occurred.'),
+                        renderHtml = _.template(this.tpl)({
+                            /* We pass the context object to the template so that
+                             * we can perform variable interpolation using sprintf
+                             */
+                            context: {
+                                fields: fields,
+                                currentProvider: this.currentProvider,
+                                syncLearnerProfileData: this.syncLearnerProfileData,
+                                providers: this.providers,
+                                hasSecondaryProviders: this.hasSecondaryProviders,
+                                platformName: this.platformName,
+                                autoRegisterWelcomeMessage: this.autoRegisterWelcomeMessage,
+                                registerFormSubmitButtonText: this.registerFormSubmitButtonText
+                            }
+                        });
 
-                    $(this.el).html(_.template(this.tpl)({
-                    /* We pass the context object to the template so that
-                     * we can perform variable interpolation using sprintf
-                     */
-                        context: {
-                            fields: fields,
-                            currentProvider: this.currentProvider,
-                            syncLearnerProfileData: this.syncLearnerProfileData,
-                            providers: this.providers,
-                            hasSecondaryProviders: this.hasSecondaryProviders,
-                            platformName: this.platformName,
-                            autoRegisterWelcomeMessage: this.autoRegisterWelcomeMessage,
-                            registerFormSubmitButtonText: this.registerFormSubmitButtonText
-                        }
-                    }));
+                    HtmlUtils.setHtml($(this.el), HtmlUtils.HTML(renderHtml));
 
                     this.postRender();
 
diff --git a/lms/templates/api_admin/catalogs/edit.html b/lms/templates/api_admin/catalogs/edit.html
index a12dca712b..713fd6b805 100644
--- a/lms/templates/api_admin/catalogs/edit.html
+++ b/lms/templates/api_admin/catalogs/edit.html
@@ -4,6 +4,7 @@
 <%!
 from django.urls import reverse
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.js_utils import js_escaped_string
 %>
 
 <%namespace name='static' file='/static_content.html'/>
@@ -13,8 +14,8 @@ from django.utils.translation import ugettext as _
 <%block name="js_extra">
 <%static:require_module module_name="js/api_admin/catalog_preview_factory" class_name="CatalogPreviewFactory">
   CatalogPreviewFactory({
-    previewUrl: "${preview_url}",
-    catalogApiUrl: "${catalog_api_url}",
+    previewUrl: "${preview_url | n, js_escaped_string}",
+    catalogApiUrl: "${catalog_api_url | n, js_escaped_string}",
   });
 </%static:require_module>
 </%block>
@@ -37,7 +38,7 @@ from django.utils.translation import ugettext as _
           <input type="checkbox" id="delete-catalog" name="delete-catalog" />
           <label class="api-checkbox-label" for="delete-catalog">${_("Delete this catalog")}</label>
         </p>
-        ${form.as_p() | n}
+        ${form.as_p() | n, decode.utf8}
         <input id="catalog-create-submit" type="submit" value="${_('Update Catalog')}"/>
       </form>
     </div>
diff --git a/lms/templates/api_admin/catalogs/list.html b/lms/templates/api_admin/catalogs/list.html
index 843b710294..ae7e9df906 100644
--- a/lms/templates/api_admin/catalogs/list.html
+++ b/lms/templates/api_admin/catalogs/list.html
@@ -4,6 +4,7 @@
 <%!
 from django.urls import reverse
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.js_utils import js_escaped_string
 %>
 
 <%namespace name='static' file='/static_content.html'/>
@@ -13,8 +14,8 @@ from django.utils.translation import ugettext as _
 <%block name="js_extra">
 <%static:require_module module_name="js/api_admin/catalog_preview_factory" class_name="CatalogPreviewFactory">
 CatalogPreviewFactory({
-  previewUrl: "${preview_url}",
-  catalogApiUrl: "${catalog_api_url}",
+  previewUrl: "${preview_url | n, js_escaped_string}",
+  catalogApiUrl: "${catalog_api_url | n, js_escaped_string}",
 });
 </%static:require_module>
 </%block>
@@ -38,7 +39,7 @@ CatalogPreviewFactory({
     <div class="api-form-container">
       <form class="api-form" id="catalog-create" action="${reverse('api_admin:catalog-list', args={'username': username})}" method="post">
         <input type="hidden" id="csrf_token" name="csrfmiddlewaretoken" value="${csrf_token}">
-        ${form.as_p() | n}
+        ${form.as_p() | n, decode.utf8}
         <input id="catalog-create-submit" type="submit" value="${_('Create Catalog')}"/>
       </form>
     </div>
diff --git a/lms/templates/certificates/_badges-modal.html b/lms/templates/certificates/_badges-modal.html
index ae50e1c632..70a24e785f 100644
--- a/lms/templates/certificates/_badges-modal.html
+++ b/lms/templates/certificates/_badges-modal.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%namespace name='static' file='../static_content.html'/>
 <script src="${static.url('js/lms-base-vendor.js')}"></script>
 <script src="${static.url('js/certificates/certificates.js')}"></script>
diff --git a/openedx/core/lib/license/templates/license.html b/openedx/core/lib/license/templates/license.html
index 52bcfcbfb1..fe1141e9b9 100644
--- a/openedx/core/lib/license/templates/license.html
+++ b/openedx/core/lib/license/templates/license.html
@@ -1,4 +1,4 @@
-<%page args="license, button=False, button_size='88x31'"/>
+<%page args="license, button=False, button_size='88x31'" expression_filter="h"/>
 ## keep this synchronized with the contents of cms/templates/js/license-selector.underscore
 <%!
 from django.utils.translation import ugettext as _
diff --git a/openedx/features/learner_profile/static/learner_profile/templates/share_modal.underscore b/openedx/features/learner_profile/static/learner_profile/templates/share_modal.underscore
index 6034e3e8bf..b71e89823b 100644
--- a/openedx/features/learner_profile/static/learner_profile/templates/share_modal.underscore
+++ b/openedx/features/learner_profile/static/learner_profile/templates/share_modal.underscore
@@ -7,21 +7,32 @@
     <hr class="modal-hr"/>
     <img class="backpack-logo" src="<%- badgeMeta.badges_logo %>" alt="">
     <ol class="badges-steps">
-        <li class="step"><%=
-        interpolate(
-          gettext("Create a %(link_start)sMozilla Backpack%(link_end)s account, or log in to your existing account"),
-          {link_start: '<a href="https://backpack.openbadges.org/" target="_blank">', link_end: '</a>'},
-          true
-        )%>
-        </li>
-        <li class="step"><%=
-        interpolate(
-          gettext("%(download_link_start)sDownload this image (right-click or option-click, save as)%(link_end)s and then %(upload_link_start)supload%(link_end)s it to your backpack.</li>"), {
-            download_link_start: '<a class="badge-link" href="' + image_url + '" target="_blank">',
-            link_end: '</a>', upload_link_start: '<a href="https://backpack.openbadges.org/backpack/add" target="_blank">'
-          },
-          true
-        )%>
+      <li class="step">
+        <%= edx.HtmlUtils.interpolateHtml(
+            gettext("Create a {link_start}Mozilla Backpack{link_end} account, or log in to your existing account"),
+            {
+              link_start: edx.HtmlUtils.HTML('<a href="https://backpack.openbadges.org/" rel="noopener" target="_blank">'),
+              link_end: edx.HtmlUtils.HTML('</a>')
+            }
+          )
+        %>
+      </li>
+
+      <li class="step">
+        <%= edx.HtmlUtils.interpolateHtml(
+            gettext("{download_link_start}Download this image (right-click or option-click, save as){link_end} and then {upload_link_start}upload{link_end} it to your backpack."),
+            {
+              download_link_start: edx.HtmlUtils.joinHtml(
+                edx.HtmlUtils.HTML('<a class="badge-link" href="'),
+                image_url,
+                edx.HtmlUtils.HTML('" rel="noopener" target="_blank">'),
+              ),
+              link_end: edx.HtmlUtils.HTML('</a>'),
+              upload_link_start: edx.HtmlUtils.HTML('<a href="https://backpack.openbadges.org/backpack/add" rel="noopener" target="_blank">')
+            }
+        )
+        %>
+      </li>
     </ol>
     <div class="image-container">
         <img class="badges-backpack-example" src="<%- badgeMeta.backpack_ui_img %>" alt="">
diff --git a/themes/stanford-style/lms/templates/register-shib.html b/themes/stanford-style/lms/templates/register-shib.html
index 80e8db77a2..effa820b15 100644
--- a/themes/stanford-style/lms/templates/register-shib.html
+++ b/themes/stanford-style/lms/templates/register-shib.html
@@ -1,8 +1,10 @@
+<%page expression_filter="h" />
 <%inherit file="main.html" />
 <%!
 from django.utils.translation import ugettext as _
 from django.urls import reverse
 from openedx.core.djangolib.js_utils import js_escaped_string
+from openedx.core.djangolib.markup import HTML, Text
 %>
 
 <%block name="pagetitle">${_("Preferences for {platform_name}").format(platform_name=settings.PLATFORM_NAME)}</%block>
@@ -51,8 +53,10 @@ from openedx.core.djangolib.js_utils import js_escaped_string
       $('#register-form').on('ajax:error', function(event, jqXHR, textStatus) {
         toggleSubmitButton(true);
         json = $.parseJSON(jqXHR.responseText);
+        var submission_message = $('.status.message.submission-error .message-copy');
         $('.status.message.submission-error').addClass('is-shown').focus();
-        $('.status.message.submission-error .message-copy').html(json.value).stop().css("display", "block");
+        edx.HtmlUtils.setHtml(submission_message, edx.HtmlUtils.ensureHtml(json.value));
+        submission_message.stop().css("display", "block");
         $(".field-error").removeClass('field-error');
         $("[data-field='"+json.field+"']").addClass('field-error')
       });
@@ -102,9 +106,13 @@ from openedx.core.djangolib.js_utils import js_escaped_string
       </div>
 
       <p class="instructions">
-        ${_('Required fields are noted by <strong class="indicator">bold text and an asterisk (*)</strong>.')}
+        ${Text(_('Required fields are noted by {strong_indicator}bold text and an asterisk (*).{strong_close}')).format(
+          strong_indicator=HTML('<strong class="indicator">'),
+          strong_close=HTML('</strong>')
+        )}
       </p>
-
+      
+        
       <fieldset class="group group-form group-form-requiredinformation">
         <legend class="sr">${_('Required Information')}</legend>
 
@@ -153,10 +161,10 @@ from openedx.core.djangolib.js_utils import js_escaped_string
 
             <div class="field required checkbox" id="field-tos">
               <input id="tos-yes" type="checkbox" name="terms_of_service" value="true" required aria-required="true" />
-              <label for="tos-yes">${_('I agree to the {link_start}Terms of Service{link_end}').format(
-                link_start='<a href="{url}" class="new-vp">'.format(url=marketing_link('TOS')),
-                link_end='</a>')}</label>
-            </div>
+              <label for="tos-yes">${Text(_('I agree to the {link_start}Terms of Service{link_end}')).format(
+                link_start=HTML('<a href="{url}" class="new-vp">').format(url=marketing_link('TOS')),
+                link_end=HTML('</a>'))}</label>
+           </div>
 
             % endif
 
@@ -165,17 +173,17 @@ from openedx.core.djangolib.js_utils import js_escaped_string
               <%
                 honor_code_path = marketing_link('TOS') + "#honor"
               %>
-              <label for="honorcode-yes">${_('I agree to the {link_start}Honor Code{link_end}').format(
-                link_start='<a href="{url}" class="new-vp">'.format(url=honor_code_path),
-                link_end='</a>')}</label>
+              <label for="honorcode-yes">${Text(_('I agree to the {link_start}Honor Code{link_end}')).format(
+                link_start=HTML('<a href="{url}" class="new-vp">').format(url=honor_code_path),
+                link_end=HTML('</a>'))}</label>
             </div>
           </li>
         </ol>
       </fieldset>
 
 % if course_id and enrollment_action:
-      <input type="hidden" name="enrollment_action" value="${enrollment_action | h}" />
-      <input type="hidden" name="course_id" value="${course_id | h}" />
+      <input type="hidden" name="enrollment_action" value="${enrollment_action}" />
+      <input type="hidden" name="course_id" value="${course_id}" />
 % endif
 
       <div class="form-actions">