diff --git a/cms/djangoapps/contentstore/tests/test_contentstore.py b/cms/djangoapps/contentstore/tests/test_contentstore.py
index a978d3617b..5e1aabb791 100644
--- a/cms/djangoapps/contentstore/tests/test_contentstore.py
+++ b/cms/djangoapps/contentstore/tests/test_contentstore.py
@@ -681,6 +681,16 @@ class MiscCourseTests(ContentStoreTestCase):
         for expected in expected_types:
             self.assertIn(expected, resp.content)
 
+    @ddt.data("<script>alert(1)</script>", "alert('hi')", "</script><script>alert(1)</script>")
+    def test_container_handler_xss_prevent(self, malicious_code):
+        """
+        Test that XSS attack is prevented
+        """
+        resp = self.client.get_html(get_url('container_handler', self.vert_loc) + '?action=' + malicious_code)
+        self.assertEqual(resp.status_code, 200)
+        # Test that malicious code does not appear in html
+        self.assertNotIn(malicious_code, resp.content)
+
     @patch('django.conf.settings.DEPRECATED_ADVANCED_COMPONENT_TYPES', [])
     def test_advanced_components_in_edit_unit(self):
         # This could be made better, but for now let's just assert that we see the advanced modules mentioned in the page
diff --git a/cms/templates/container.html b/cms/templates/container.html
index 4f2cc15da9..75b11c8241 100644
--- a/cms/templates/container.html
+++ b/cms/templates/container.html
@@ -13,28 +13,28 @@ import json
 from contentstore.views.helpers import xblock_studio_url, xblock_type_display_name
 from django.utils.translation import ugettext as _
 %>
-<%block name="title">${xblock.display_name_with_default} ${xblock_type_display_name(xblock)}</%block>
+<%block name="title">${xblock.display_name_with_default} ${xblock_type_display_name(xblock) | h}</%block>
 <%block name="bodyclass">is-signedin course container view-container</%block>
 
 <%namespace name='static' file='static_content.html'/>
 
 <%block name="header_extras">
 % for template_name in templates:
-<script type="text/template" id="${template_name}-tpl">
+<script type="text/template" id="${template_name | h}-tpl">
     <%static:include path="js/${template_name}.underscore" />
 </script>
 % endfor
 <script type="text/template" id="image-modal-tpl">
     <%static:include path="common/templates/image-modal.underscore" />
 </script>
-<link rel="stylesheet" type="text/css" href="${static.url('js/vendor/timepicker/jquery.timepicker.css')}" />
+<link rel="stylesheet" type="text/css" href="${static.url('js/vendor/timepicker/jquery.timepicker.css') | h}" />
 </%block>
 
 <%block name="requirejs">
     require(["js/factories/container"], function(ContainerFactory) {
         ContainerFactory(
             ${component_templates | n}, ${json.dumps(xblock_info) | n},
-            "${action}",
+            "${action | h}",
             {
                 isUnitPage: ${json.dumps(is_unit_page)},
                 canEdit: true
@@ -55,7 +55,7 @@ from django.utils.translation import ugettext as _
                     ancestor_url = xblock_studio_url(ancestor)
                     %>
                     % if ancestor_url:
-                        <a href="${ancestor_url}" class="navigation-item navigation-link navigation-parent">${ancestor.display_name_with_default | h}</a>
+                        <a href="${ancestor_url | h}" class="navigation-item navigation-link navigation-parent">${ancestor.display_name_with_default | h}</a>
                     % else:
                         <span class="navigation-item navigation-parent">${ancestor.display_name_with_default | h}</span>
                     % endif
@@ -72,12 +72,12 @@ from django.utils.translation import ugettext as _
             <ul>
                 % if is_unit_page:
                     <li class="action-item action-view nav-item">
-                        <a href="${published_preview_link}" class="button button-view action-button is-disabled" aria-disabled="true" rel="external" title="${_('Open the courseware in the LMS')}">
+                        <a href="${published_preview_link | h}" class="button button-view action-button is-disabled" aria-disabled="true" rel="external" title="${_('Open the courseware in the LMS')}">
                             <span class="action-button-text">${_("View Live Version")}</span>
                         </a>
                     </li>
                     <li class="action-item action-preview nav-item">
-                        <a href="${draft_preview_link}" class="button button-preview action-button" rel="external" title="${_('Preview the courseware in the LMS')}">
+                        <a href="${draft_preview_link | h}" class="button button-preview action-button" rel="external" title="${_('Preview the courseware in the LMS')}">
                             <span class="action-button-text">${_("Preview")}</span>
                         </a>
                     </li>
@@ -110,10 +110,10 @@ from django.utils.translation import ugettext as _
                 % if xblock.category == 'split_test':
                     <div class="bit">
                         <h3 class="title-3">${_("Adding components")}</h3>
-                        <p>${_("Select a component type under {em_start}Add New Component{em_end}. Then select a template.").format(em_start='<strong>', em_end="</strong>")}</p>
+                        <p>${_("Select a component type under {em_start}Add New Component{em_end}. Then select a template.").format(em_start='<strong>', em_end="</strong>") | h}</p>
                         <p>${_("The new component is added at the bottom of the page or group. You can then edit and move the component.")}</p>
                         <h3 class="title-3">${_("Editing components")}</h3>
-                        <p>${_("Click the {em_start}Edit{em_end} icon in a component to edit its content.").format(em_start='<strong>', em_end="</strong>")}</p>
+                        <p>${_("Click the {em_start}Edit{em_end} icon in a component to edit its content.").format(em_start='<strong>', em_end="</strong>") | h}</p>
                         <h3 class="title-3">${_("Reorganizing components")}</h3>
                         <p>${_("Drag components to new locations within this component.")}</p>
                         <p>${_("For content experiments, you can drag components to other groups.")}</p>
@@ -121,7 +121,7 @@ from django.utils.translation import ugettext as _
                         <p>${_("Confirm that you have properly configured content in each of your experiment groups.")}</p>
                     </div>
                     <div class="bit external-help">
-                        <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about component containers")}</a>
+                        <a href="${get_online_help_info(online_help_token())['doc_url'] | h}" target="_blank" class="button external-help-button">${_("Learn more about component containers")}</a>
                     </div>
                 % elif is_unit_page:
                     <div id="publish-unit"></div>
diff --git a/lms/djangoapps/courseware/tests/test_views.py b/lms/djangoapps/courseware/tests/test_views.py
index 55e955e171..242b43a2fa 100644
--- a/lms/djangoapps/courseware/tests/test_views.py
+++ b/lms/djangoapps/courseware/tests/test_views.py
@@ -680,6 +680,16 @@ class ProgressPageTests(ModuleStoreTestCase):
         self.section = ItemFactory.create(category='sequential', parent_location=self.chapter.location)
         self.vertical = ItemFactory.create(category='vertical', parent_location=self.section.location)
 
+    @ddt.data('"><script>alert(1)</script>', '<script>alert(1)</script>', '</script><script>alert(1)</script>')
+    def test_progress_page_xss_prevent(self, malicious_code):
+        """
+        Test that XSS attack is prevented
+        """
+        resp = views.progress(self.request, course_id=unicode(self.course.id), student_id=self.user.id)
+        self.assertEqual(resp.status_code, 200)
+        # Test that malicious code does not appear in html
+        self.assertNotIn(malicious_code, resp.content)
+
     def test_pure_ungraded_xblock(self):
         ItemFactory.create(category='acid', parent_location=self.vertical.location)
 
diff --git a/lms/djangoapps/django_comment_client/forum/tests.py b/lms/djangoapps/django_comment_client/forum/tests.py
index eabeba998a..4bd2d30669 100644
--- a/lms/djangoapps/django_comment_client/forum/tests.py
+++ b/lms/djangoapps/django_comment_client/forum/tests.py
@@ -450,7 +450,7 @@ class SingleCohortedThreadTestCase(CohortedTestCase):
         html = response.content
 
         # Verify that the group name is correctly included in the HTML
-        self.assertRegexpMatches(html, r'&quot;group_name&quot;: &quot;student_cohort&quot;')
+        self.assertRegexpMatches(html, r'&#34;group_name&#34;: &#34;student_cohort&#34;')
 
 
 @patch('lms.lib.comment_client.utils.requests.request')
@@ -1152,10 +1152,10 @@ class UserProfileTestCase(ModuleStoreTestCase):
         self.assertRegexpMatches(html, r'data-num-pages="1"')
         self.assertRegexpMatches(html, r'<span>1</span> discussion started')
         self.assertRegexpMatches(html, r'<span>2</span> comments')
-        self.assertRegexpMatches(html, r'&quot;id&quot;: &quot;{}&quot;'.format(self.TEST_THREAD_ID))
-        self.assertRegexpMatches(html, r'&quot;title&quot;: &quot;{}&quot;'.format(self.TEST_THREAD_TEXT))
-        self.assertRegexpMatches(html, r'&quot;body&quot;: &quot;{}&quot;'.format(self.TEST_THREAD_TEXT))
-        self.assertRegexpMatches(html, r'&quot;username&quot;: &quot;{}&quot;'.format(self.student.username))
+        self.assertRegexpMatches(html, r'&#34;id&#34;: &#34;{}&#34;'.format(self.TEST_THREAD_ID))
+        self.assertRegexpMatches(html, r'&#34;title&#34;: &#34;{}&#34;'.format(self.TEST_THREAD_TEXT))
+        self.assertRegexpMatches(html, r'&#34;body&#34;: &#34;{}&#34;'.format(self.TEST_THREAD_TEXT))
+        self.assertRegexpMatches(html, r'&#34;username&#34;: &#34;{}&#34;'.format(self.student.username))
 
     def check_ajax(self, mock_request, **params):
         response = self.get_response(mock_request, params, HTTP_X_REQUESTED_WITH="XMLHttpRequest")
@@ -1326,6 +1326,57 @@ class ForumFormDiscussionUnicodeTestCase(ModuleStoreTestCase, UnicodeTestMixin):
         self.assertEqual(response_data["discussion_data"][0]["body"], text)
 
 
+@ddt.ddt
+@patch('lms.lib.comment_client.utils.requests.request')
+class ForumDiscussionXSSTestCase(UrlResetMixin, ModuleStoreTestCase):
+    @patch.dict("django.conf.settings.FEATURES", {"ENABLE_DISCUSSION_SERVICE": True})
+    def setUp(self):
+        super(ForumDiscussionXSSTestCase, self).setUp()
+
+        username = "foo"
+        password = "bar"
+
+        self.course = CourseFactory.create()
+        self.student = UserFactory.create(username=username, password=password)
+        CourseEnrollmentFactory.create(user=self.student, course_id=self.course.id)
+        self.assertTrue(self.client.login(username=username, password=password))
+
+    @ddt.data('"><script>alert(1)</script>', '<script>alert(1)</script>', '</script><script>alert(1)</script>')
+    @patch('student.models.cc.User.from_django_user')
+    def test_forum_discussion_xss_prevent(self, malicious_code, mock_from_django_user, mock_request):
+        """
+        Test that XSS attack is prevented
+        """
+        reverse_url = "%s%s" % (reverse(
+            "django_comment_client.forum.views.forum_form_discussion",
+            kwargs={"course_id": unicode(self.course.id)}), '/forum_form_discussion'
+        )
+        # Test that malicious code does not appear in html
+        url = "%s?%s=%s" % (reverse_url, 'sort_key', malicious_code)
+        resp = self.client.get(url)
+        self.assertEqual(resp.status_code, 200)
+        self.assertNotIn(malicious_code, resp.content)
+
+    @ddt.data('"><script>alert(1)</script>', '<script>alert(1)</script>', '</script><script>alert(1)</script>')
+    @patch('student.models.cc.User.from_django_user')
+    @patch('student.models.cc.User.active_threads')
+    def test_forum_user_profile_xss_prevent(self, malicious_code, mock_threads, mock_from_django_user, mock_request):
+        """
+        Test that XSS attack is prevented
+        """
+        mock_threads.return_value = [], 1, 1
+        mock_from_django_user.return_value = Mock()
+        mock_request.side_effect = make_mock_request_impl(course=self.course, text='dummy')
+
+        url = reverse('django_comment_client.forum.views.user_profile',
+                      kwargs={'course_id': unicode(self.course.id), 'user_id': str(self.student.id)})
+        # Test that malicious code does not appear in html
+        url_string = "%s?%s=%s" % (url, 'page', malicious_code)
+        resp = self.client.get(url_string)
+        self.assertEqual(resp.status_code, 200)
+        self.assertNotIn(malicious_code, resp.content)
+
+
 class ForumDiscussionSearchUnicodeTestCase(ModuleStoreTestCase, UnicodeTestMixin):
     def setUp(self):
         super(ForumDiscussionSearchUnicodeTestCase, self).setUp()
diff --git a/lms/djangoapps/django_comment_client/forum/views.py b/lms/djangoapps/django_comment_client/forum/views.py
index 484bccd7d8..664b963db3 100644
--- a/lms/djangoapps/django_comment_client/forum/views.py
+++ b/lms/djangoapps/django_comment_client/forum/views.py
@@ -5,7 +5,6 @@ Views handling read (GET) requests for the Discussion tab and inline discussions
 from functools import wraps
 import json
 import logging
-import xml.sax.saxutils as saxutils
 
 from django.contrib.auth.decorators import login_required
 from django.conf import settings
@@ -73,13 +72,6 @@ class DiscussionTab(EnrolledTab):
         return settings.FEATURES.get('ENABLE_DISCUSSION_SERVICE')
 
 
-def _attr_safe_json(obj):
-    """
-    return a JSON string for obj which is safe to embed as the value of an attribute in a DOM node
-    """
-    return saxutils.escape(json.dumps(obj), {'"': '&quot;'})
-
-
 @newrelic.agent.function_trace()
 def make_course_settings(course, user):
     """
@@ -278,28 +270,28 @@ def forum_form_discussion(request, course_key):
             'course': course,
             #'recent_active_threads': recent_active_threads,
             'staff_access': bool(has_access(request.user, 'staff', course)),
-            'threads': _attr_safe_json(threads),
+            'threads': json.dumps(threads),
             'thread_pages': query_params['num_pages'],
-            'user_info': _attr_safe_json(user_info),
-            'can_create_comment': _attr_safe_json(
+            'user_info': json.dumps(user_info, default=lambda x: None),
+            'can_create_comment': json.dumps(
                 has_permission(request.user, "create_comment", course.id)),
-            'can_create_subcomment': _attr_safe_json(
+            'can_create_subcomment': json.dumps(
                 has_permission(request.user, "create_sub_comment", course.id)),
             'can_create_thread': has_permission(request.user, "create_thread", course.id),
             'flag_moderator': bool(
                 has_permission(request.user, 'openclose_thread', course.id) or
                 has_access(request.user, 'staff', course)
             ),
-            'annotated_content_info': _attr_safe_json(annotated_content_info),
+            'annotated_content_info': json.dumps(annotated_content_info),
             'course_id': course.id.to_deprecated_string(),
-            'roles': _attr_safe_json(utils.get_role_ids(course_key)),
+            'roles': json.dumps(utils.get_role_ids(course_key)),
             'is_moderator': has_permission(request.user, "see_all_cohorts", course_key),
             'cohorts': course_settings["cohorts"],  # still needed to render _thread_list_template
             'user_cohort': user_cohort_id,  # read from container in NewPostView
             'is_course_cohorted': is_course_cohorted(course_key),  # still needed to render _thread_list_template
             'sort_preference': user.default_sort_key,
             'category_map': course_settings["category_map"],
-            'course_settings': _attr_safe_json(course_settings)
+            'course_settings': json.dumps(course_settings)
         }
         # print "start rendering.."
         return render_to_response('discussion/index.html', context)
@@ -385,19 +377,19 @@ def single_thread(request, course_key, discussion_id, thread_id):
             'discussion_id': discussion_id,
             'csrf': csrf(request)['csrf_token'],
             'init': '',   # TODO: What is this?
-            'user_info': _attr_safe_json(user_info),
-            'can_create_comment': _attr_safe_json(
+            'user_info': json.dumps(user_info),
+            'can_create_comment': json.dumps(
                 has_permission(request.user, "create_comment", course.id)),
-            'can_create_subcomment': _attr_safe_json(
+            'can_create_subcomment': json.dumps(
                 has_permission(request.user, "create_sub_comment", course.id)),
             'can_create_thread': has_permission(request.user, "create_thread", course.id),
-            'annotated_content_info': _attr_safe_json(annotated_content_info),
+            'annotated_content_info': json.dumps(annotated_content_info),
             'course': course,
             #'recent_active_threads': recent_active_threads,
             'course_id': course.id.to_deprecated_string(),   # TODO: Why pass both course and course.id to template?
             'thread_id': thread_id,
-            'threads': _attr_safe_json(threads),
-            'roles': _attr_safe_json(utils.get_role_ids(course_key)),
+            'threads': json.dumps(threads),
+            'roles': json.dumps(utils.get_role_ids(course_key)),
             'is_moderator': is_moderator,
             'thread_pages': query_params['num_pages'],
             'is_course_cohorted': is_course_cohorted(course_key),
@@ -409,7 +401,7 @@ def single_thread(request, course_key, discussion_id, thread_id):
             'user_cohort': user_cohort,
             'sort_preference': cc_user.default_sort_key,
             'category_map': course_settings["category_map"],
-            'course_settings': _attr_safe_json(course_settings)
+            'course_settings': json.dumps(course_settings)
         }
         return render_to_response('discussion/index.html', context)
 
@@ -458,7 +450,7 @@ def user_profile(request, course_key, user_id):
                 'discussion_data': threads,
                 'page': query_params['page'],
                 'num_pages': query_params['num_pages'],
-                'annotated_content_info': _attr_safe_json(annotated_content_info),
+                'annotated_content_info': json.dumps(annotated_content_info),
             })
         else:
             django_user = User.objects.get(id=user_id)
@@ -467,9 +459,9 @@ def user_profile(request, course_key, user_id):
                 'user': request.user,
                 'django_user': django_user,
                 'profiled_user': profiled_user.to_dict(),
-                'threads': _attr_safe_json(threads),
-                'user_info': _attr_safe_json(user_info),
-                'annotated_content_info': _attr_safe_json(annotated_content_info),
+                'threads': json.dumps(threads),
+                'user_info': json.dumps(user_info, default=lambda x: None),
+                'annotated_content_info': json.dumps(annotated_content_info),
                 'page': query_params['page'],
                 'num_pages': query_params['num_pages'],
                 'learner_profile_page_url': reverse('learner_profile', kwargs={'username': django_user.username})
@@ -546,9 +538,9 @@ def followed_threads(request, course_key, user_id):
                 'user': request.user,
                 'django_user': User.objects.get(id=user_id),
                 'profiled_user': profiled_user.to_dict(),
-                'threads': _attr_safe_json(threads),
-                'user_info': _attr_safe_json(user_info),
-                'annotated_content_info': _attr_safe_json(annotated_content_info),
+                'threads': json.dumps(threads),
+                'user_info': json.dumps(user_info),
+                'annotated_content_info': json.dumps(annotated_content_info),
                 #                'content': content,
             }
 
diff --git a/lms/djangoapps/django_comment_client/tests/group_id.py b/lms/djangoapps/django_comment_client/tests/group_id.py
index 374dc534cd..f5eca815d3 100644
--- a/lms/djangoapps/django_comment_client/tests/group_id.py
+++ b/lms/djangoapps/django_comment_client/tests/group_id.py
@@ -24,10 +24,10 @@ class GroupIdAssertionMixin(object):
 
     def _assert_html_response_contains_group_info(self, response):
         group_info = {"group_id": None, "group_name": None}
-        match = re.search(r'&quot;group_id&quot;: ([\d]*)', response.content)
+        match = re.search(r'&#34;group_id&#34;: ([\d]*)', response.content)
         if match and match.group(1) != '':
             group_info["group_id"] = int(match.group(1))
-        match = re.search(r'&quot;group_name&quot;: &quot;([^&]*)&quot;', response.content)
+        match = re.search(r'&#34;group_name&#34;: &#34;([^&]*)&#34;', response.content)
         if match:
             group_info["group_name"] = match.group(1)
         self._assert_thread_contains_group_info(group_info)
diff --git a/lms/templates/courseware/progress.html b/lms/templates/courseware/progress.html
index 1f2806994f..72885a92c8 100644
--- a/lms/templates/courseware/progress.html
+++ b/lms/templates/courseware/progress.html
@@ -21,13 +21,13 @@ from django.utils.http import urlquote_plus
 <%block name="nav_skip">#course-info-progress</%block>
 
 <%block name="js_extra">
-<script type="text/javascript" src="${static.url('js/vendor/flot/jquery.flot.js')}"></script>
-<script type="text/javascript" src="${static.url('js/vendor/flot/jquery.flot.stack.js')}"></script>
-<script type="text/javascript" src="${static.url('js/vendor/flot/jquery.flot.symbol.js')}"></script>
-<script type="text/javascript" src="${static.url('js/courseware/certificates_api.js')}"></script>
-<script type="text/javascript" src="${static.url('js/courseware/credit_progress.js')}"></script>
+<script type="text/javascript" src="${static.url('js/vendor/flot/jquery.flot.js') | h}"></script>
+<script type="text/javascript" src="${static.url('js/vendor/flot/jquery.flot.stack.js') | h}"></script>
+<script type="text/javascript" src="${static.url('js/vendor/flot/jquery.flot.symbol.js') | h}"></script>
+<script type="text/javascript" src="${static.url('js/courseware/certificates_api.js') | h}"></script>
+<script type="text/javascript" src="${static.url('js/courseware/credit_progress.js') | h}"></script>
 <script>
-  ${progress_graph.body(grade_summary, course.grade_cutoffs, "grade-detail-graph", not course.no_grade, not course.no_grade)}
+  ${progress_graph.body(grade_summary, course.grade_cutoffs, "grade-detail-graph", not course.no_grade, not course.no_grade) | h}
 </script>
 </%block>
 
@@ -40,12 +40,12 @@ from django.utils.http import urlquote_plus
     <div class="course-info" id="course-info-progress" aria-label="${_('Course Progress')}">
       % if staff_access and studio_url is not None:
         <div class="wrap-instructor-info">
-          <a class="instructor-info-action studio-view" href="${studio_url}">${_("View Grading in studio")}</a>
+          <a class="instructor-info-action studio-view" href="${studio_url | h}">${_("View Grading in studio")}</a>
         </div>
       % endif
 
       <header class="progress-certificates">
-        <h1 class="progress-certificates-title">${_("Course Progress for Student '{username}' ({email})").format(username=student.username, email=student.email)}</h1>
+        <h1 class="progress-certificates-title">${_("Course Progress for Student '{username}' ({email})").format(username=student.username, email=student.email) | h}</h1>
       </header>
 
       %if show_generate_cert_btn:
@@ -64,11 +64,11 @@ from django.utils.http import urlquote_plus
               </div>
               <div class="msg-actions">
                 %if show_cert_web_view and cert_web_view_url:
-                <a class="btn" href="${cert_web_view_url}" target="_blank" title="${_('View certificate in a new browser window or tab.')}">
+                <a class="btn" href="${cert_web_view_url | h}" target="_blank" title="${_('View certificate in a new browser window or tab.')}">
                   ${_("View Certificate")}
                 </a>
                 %elif download_url:
-                <a class="btn" href="${download_url}" target="_blank" title="${_('PDF will open in a new browser window or tab.')}">
+                <a class="btn" href="${download_url | h}" target="_blank" title="${_('PDF will open in a new browser window or tab.')}">
                   ${_("Download Your Certificate")}
                 </a>
                 %endif
@@ -86,7 +86,7 @@ from django.utils.http import urlquote_plus
                 <p class="copy">${_("You can keep working for a higher grade, or request your certificate now.")}</p>
               </div>
               <div class="msg-actions">
-                <button class="btn generate_certs" data-endpoint="${post_url}" id="btn_generate_cert">${_('Request Certificate')}</button>
+                <button class="btn generate_certs" data-endpoint="${post_url | h}" id="btn_generate_cert">${_('Request Certificate')}</button>
               </div>
               %endif
           </div>
@@ -106,25 +106,25 @@ from django.utils.http import urlquote_plus
                     <h2>${_("Requirements for Course Credit")}</h2>
                 </div>
                 %if credit_course_requirements['eligibility_status'] == 'not_eligible':
-                    <span class="eligibility_msg">${_("{student_name}, you are no longer eligible for credit in this course.").format(student_name=student.profile.name)}</span>
+                    <span class="eligibility_msg">${_("{student_name}, you are no longer eligible for credit in this course.").format(student_name=student.profile.name) | h}</span>
                 %elif credit_course_requirements['eligibility_status'] == 'eligible':
-                    <span class="eligibility_msg">${_("{student_name}, you have met the requirements for credit in this course.").format(student_name=student.profile.name)}
+                    <span class="eligibility_msg">${_("{student_name}, you have met the requirements for credit in this course.").format(student_name=student.profile.name) | h}
                         ${_("{a_start}Go to your dashboard{a_end} to purchase course credit.").format(
 		             a_start=u"<a href={url}>".format(url=reverse('dashboard')),
 			     a_end="</a>"
-		      )}
+		      ) | h}
                     </span>
                 %elif credit_course_requirements['eligibility_status'] == 'partial_eligible':
-                    <span>${_("{student_name}, you have not yet met the requirements for credit.").format(student_name=student.profile.name)}</span>
+                    <span>${_("{student_name}, you have not yet met the requirements for credit.").format(student_name=student.profile.name) | h}</span>
                 %endif
-                <a href="${settings.CREDIT_HELP_LINK_URL}" class="credit-help"><i class="fa fa-question"></i><span class="sr">${_("Information about course credit requirements")}</span></a><br>
-                <div class="requirement-container" data-eligible="${credit_course_requirements['eligibility_status']}">
+                <a href="${settings.CREDIT_HELP_LINK_URL | h}" class="credit-help"><i class="fa fa-question"></i><span class="sr">${_("Information about course credit requirements")}</span></a><br>
+                <div class="requirement-container" data-eligible="${credit_course_requirements['eligibility_status'] | h}">
                 %for requirement in credit_course_requirements['requirements']:
                     <div class="requirement">
                         <div class="requirement-name">
-                            ${_(requirement['display_name'])}
+                            ${_(requirement['display_name']) | h}
                             %if requirement['namespace'] == 'grade':
-                                <span>${int(requirement['criteria']['min_grade'] * 100)}%</span>
+                                <span>${int(requirement['criteria']['min_grade'] * 100) | h}%</span>
                             %endif
                         </div>
                         <div class="requirement-status">
@@ -137,9 +137,9 @@ from django.utils.http import urlquote_plus
                                 %elif requirement['status'] == 'satisfied':
                                     <i class="fa fa-check"></i>
                                     % if requirement['namespace'] == 'reverification':
-                                    <span>Verified on ${get_time_display(requirement['status_date'], DEFAULT_SHORT_DATE_FORMAT, settings.TIME_ZONE)}</span>
+                                    <span>Verified on ${get_time_display(requirement['status_date'], DEFAULT_SHORT_DATE_FORMAT, settings.TIME_ZONE) | h}</span>
                                     % elif requirement['namespace'] == 'grade' and 'final_grade' in requirement['reason']:
-                                    <span>${int(requirement['reason']['final_grade'] * 100)}%</span>
+                                    <span>${int(requirement['reason']['final_grade'] * 100) | h}%</span>
                                     % else:
                                     <span>Completed</span>
                                     % endif
@@ -162,7 +162,7 @@ from django.utils.http import urlquote_plus
         %for chapter in courseware_summary:
         %if not chapter['display_name'] == "hidden":
         <section>
-          <h2>${ chapter['display_name'] }</h2>
+          <h2>${ chapter['display_name'] | h}</h2>
 
           <div class="sections">
             %for section in chapter['sections']:
@@ -173,20 +173,20 @@ from django.utils.http import urlquote_plus
               percentageString = "{0:.0%}".format( float(earned)/total) if earned > 0 and total > 0 else ""
               %>
 
-              <h3><a href="${reverse('courseware_section', kwargs=dict(course_id=course.id.to_deprecated_string(), chapter=chapter['url_name'], section=section['url_name']))}">
-                ${ section['display_name'] }
+              <h3><a href="${reverse('courseware_section', kwargs=dict(course_id=course.id.to_deprecated_string(), chapter=chapter['url_name'], section=section['url_name'])) | h}">
+                ${ section['display_name'] | h}
                 %if total > 0 or earned > 0:
                   <span class="sr">
-                    ${_("{earned} of {total} possible points").format(earned='{:.3n}'.format(float(earned)), total='{:.3n}'.format(float(total)))}
+                    ${_("{earned} of {total} possible points").format(earned='{:.3n}'.format(float(earned)), total='{:.3n}'.format(float(total))) | h}
                   </span>
                 %endif
                 </a>
                 %if total > 0 or earned > 0:
-                  <span> ${"({0:.3n}/{1:.3n}) {2}".format( float(earned), float(total), percentageString )}</span>
+                  <span> ${"({0:.3n}/{1:.3n}) {2}".format( float(earned), float(total), percentageString ) | h}</span>
                 %endif
               </h3>
               <p>
-                ${section['format']}
+                ${section['format'] | h}
 
                 %if section.get('due') is not None:
                   <%
@@ -194,7 +194,7 @@ from django.utils.http import urlquote_plus
                       due_date = '' if len(formatted_string)==0 else _(u'due {date}').format(date=formatted_string)
                   %>
                   <em>
-                  ${due_date}
+                  ${due_date | h}
                   </em>
                 %endif
               </p>
@@ -204,7 +204,7 @@ from django.utils.http import urlquote_plus
                   <h3> ${ _("Problem Scores: ") if section['graded'] else _("Practice Scores: ")} </h3>
                   <ol>
                     %for score in section['scores']:
-                    <li>${"{0:.3n}/{1:.3n}".format(float(score.earned),float(score.possible))}</li>
+                    <li>${"{0:.3n}/{1:.3n}".format(float(score.earned),float(score.possible)) | h}</li>
                     %endfor
                   </ol>
                 %else:
diff --git a/lms/templates/discussion/index.html b/lms/templates/discussion/index.html
index 00fdfd773d..3363f6ac83 100644
--- a/lms/templates/discussion/index.html
+++ b/lms/templates/discussion/index.html
@@ -25,20 +25,20 @@ from django.core.urlresolvers import reverse
 <%include file="_discussion_course_navigation.html" args="active_page='discussion'" />
 
 <section class="discussion container" id="discussion-container"
-         data-roles="${roles}"
+         data-roles="${roles | h}"
          data-course-id="${course_id | h}"
-         data-course-name="${course.display_name_with_default}"
-         data-user-info="${user_info}"
-         data-user-create-comment="${can_create_comment}"
-         data-user-create-subcomment="${can_create_subcomment}"
+         data-course-name="${course.display_name_with_default | h}"
+         data-user-info="${user_info | h}"
+         data-user-create-comment="${can_create_comment | h}"
+         data-user-create-subcomment="${can_create_subcomment | h}"
          data-read-only="false"
-         data-threads="${threads}"
-         data-thread-pages="${thread_pages}"
-         data-content-info="${annotated_content_info}"
-         data-sort-preference="${sort_preference}"
-         data-flag-moderator="${flag_moderator}"
-         data-user-cohort-id="${user_cohort}"
-         data-course-settings="${course_settings}">
+         data-threads="${threads | h}"
+         data-thread-pages="${thread_pages | h}"
+         data-content-info="${annotated_content_info | h}"
+         data-sort-preference="${sort_preference | h}"
+         data-flag-moderator="${flag_moderator | h}"
+         data-user-cohort-id="${user_cohort | h}"
+         data-course-settings="${course_settings | h}">
     <div class="discussion-body">
         <div class="forum-nav" role="complementary" aria-label="${_("Discussion thread list")}"></div>
         <div class="discussion-column" role="main" aria-label="Discussion" id="discussion-column">
diff --git a/lms/templates/discussion/user_profile.html b/lms/templates/discussion/user_profile.html
index eb4bd94ade..a60ce07c99 100644
--- a/lms/templates/discussion/user_profile.html
+++ b/lms/templates/discussion/user_profile.html
@@ -33,8 +33,7 @@ from django.template.defaultfilters import escapejs
 
       </nav>
     </section>
-
-    <section class="course-content container discussion-user-threads" data-course-id="${course.id | h}" data-course-name="${course.display_name_with_default}" data-threads="${threads}" data-user-info="${user_info}" data-page="${page}" data-num-pages="${num_pages}"/>
+    <section class="course-content container discussion-user-threads" data-course-id="${course.id | h}" data-course-name="${course.display_name_with_default | h}" data-threads="${threads | h}" data-user-info="${user_info | h}" data-page="${page | h}" data-num-pages="${num_pages | h}"/>
   </div>
 </section>
 
