diff --git a/common/lib/xmodule/xmodule/video_module/video_module.py b/common/lib/xmodule/xmodule/video_module/video_module.py
index 96cc2ffcea..6c25904b05 100644
--- a/common/lib/xmodule/xmodule/video_module/video_module.py
+++ b/common/lib/xmodule/xmodule/video_module/video_module.py
@@ -108,6 +108,8 @@ class VideoModule(VideoFields, VideoTranscriptsMixin, VideoStudentViewHandlers,
     # To make sure that js files are called in proper order we use numerical
     # index. We do that to avoid issues that occurs in tests.
     module = __name__.replace('.video_module', '', 2)
+
+    #TODO: For each of the following, ensure that any generated html is properly escaped.
     js = {
         'js': [
             resource_string(module, 'js/src/video/00_component.js'),
diff --git a/lms/templates/video.html b/lms/templates/video.html
index 622b342839..c25a21bb60 100644
--- a/lms/templates/video.html
+++ b/lms/templates/video.html
@@ -1,5 +1,9 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
 
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.js_utils import js_escaped_string
+%>
 % if display_name is not UNDEFINED and display_name is not None:
     <h3 class="hd hd-2">${display_name}</h3>
 % endif
@@ -89,27 +93,29 @@
 </div>
 % if cdn_eval:
 <script>
+  //TODO: refactor this js into a separate file.
   function sendPerformanceBeacon(id, expgroup, value, event_name) {
     var data = {event: event_name, id: id, expgroup: expgroup, value: value, page: "html5vid"};
     $.ajax({method: "POST", url: "/performance", data: data});
   }
   var cdnStartTime;
   var salt = Math.floor((1 + Math.random()) * 0x100000).toString(36);
+  var id = "${id | n, js_escaped_string}";
   function initializeCDNExperiment() {
-    sendPerformanceBeacon("${id}_" + salt, ${cdn_exp_group}, "", "load");
+    sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, "", "load");
     cdnStartTime = Date.now();
     $.each(['loadstart', 'abort', 'error', 'stalled', 'loadedmetadata',
                     'loadeddata', 'canplay', 'canplaythrough', 'seeked'],
                     function(index, eventName) {
-      $("#video_${id}").bind("html5:" + eventName, null, function() {
+      $("#video_" + id).bind("html5:" + eventName, null, function() {
         timeElapsed = Date.now() - cdnStartTime;
-        sendPerformanceBeacon("${id}_" + salt, ${cdn_exp_group}, timeElapsed, eventName);
+        sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, timeElapsed, eventName);
       });
     });
   }
-  $("#video_${id}").bind("initialize", null, initializeCDNExperiment);
-  if ($("#video_${id}").hasClass("is-initialized")) {
+  $("#video_" + id).bind("initialize", null, initializeCDNExperiment);
+  if ($("#video_" + id).hasClass("is-initialized")) {
     initializeCDNExperiment();
   }
 </script>
-% endif;
+% endif;
\ No newline at end of file
