diff --git a/cms/djangoapps/contentstore/views/preview.py b/cms/djangoapps/contentstore/views/preview.py
index deef6a27c9..4eb118e031 100644
--- a/cms/djangoapps/contentstore/views/preview.py
+++ b/cms/djangoapps/contentstore/views/preview.py
@@ -1,7 +1,9 @@
 import logging
 import sys
 from functools import partial
+import re
 
+from django.conf import settings
 from django.http import HttpResponse, Http404, HttpResponseBadRequest, HttpResponseForbidden
 from django.core.urlresolvers import reverse
 from django.contrib.auth.decorators import login_required
@@ -21,6 +23,7 @@ import static_replace
 from .session_kv_store import SessionKeyValueStore
 from .requests import render_from_lms
 from .access import has_access
+from ..utils import get_course_for_item
 
 __all__ = ['preview_dispatch', 'preview_component']
 
@@ -93,6 +96,20 @@ def preview_module_system(request, preview_id, descriptor):
             MongoUsage(preview_id, descriptor.location.url()),
         )
 
+    # unfortunately this is duplicate code from module_render.py (LMS)
+    # refactoring this to be more DRY means having the change the call signature
+    # to pass along a course_id, however, deep in the code where the call is actually made, we don't always have
+    # access to the course_id
+    course_id = get_course_for_item(descriptor.location).location.course_id
+
+    def can_execute_unsafe_code():
+        # To decide if we can run unsafe code, we check the course id against
+        # a list of regexes configured on the server.
+        for regex in settings.COURSES_WITH_UNSAFE_CODE:
+            if re.match(regex, course_id):
+                return True
+        return False
+
     return ModuleSystem(
         ajax_url=reverse('preview_dispatch', args=[preview_id, descriptor.location.url(), '']).rstrip('/'),
         # TODO (cpennington): Do we want to track how instructors are using the preview problems?
@@ -104,6 +121,7 @@ def preview_module_system(request, preview_id, descriptor):
         replace_urls=partial(static_replace.replace_static_urls, data_directory=None, course_namespace=descriptor.location),
         user=request.user,
         xblock_model_data=preview_model_data,
+        can_execute_unsafe_code=can_execute_unsafe_code,
     )