diff --git a/cms/static/js/spec/views/module_edit_spec.js b/cms/static/js/spec/views/module_edit_spec.js
index 04f2d2797e..11a1b3c487 100644
--- a/cms/static/js/spec/views/module_edit_spec.js
+++ b/cms/static/js/spec/views/module_edit_spec.js
@@ -213,11 +213,11 @@ describe('ModuleEdit', function() {
 return expect(this.moduleEdit.delegateEvents).toHaveBeenCalled();
 });
 it('loads inline css from fragments', function() {
- var args = "";
+ var args = '';
 return expect($('head').append).toHaveBeenCalledWith(args);
 });
 it('loads css urls from fragments', function() {
- var args = "";
+ var args = '';
 return expect($('head').append).toHaveBeenCalledWith(args);
 });
 it('loads inline js from fragments', function() {
diff --git a/cms/static/js/views/xblock.js b/cms/static/js/views/xblock.js
index 8436ec8c3f..235d2d4b97 100644
--- a/cms/static/js/views/xblock.js
+++ b/cms/static/js/views/xblock.js
@@ -1,5 +1,10 @@
-define(['jquery', 'underscore', 'common/js/components/utils/view_utils', 'js/views/baseview', 'xblock/runtime.v1'],
- function($, _, ViewUtils, BaseView, XBlock) {
+define(['jquery',
+ 'underscore',
+ 'common/js/components/utils/view_utils',
+ 'js/views/baseview',
+ 'xblock/runtime.v1',
+ 'edx-ui-toolkit/js/utils/html-utils'],
+ function($, _, ViewUtils, BaseView, XBlock, HtmlUtils) {
 'use strict';
 var XBlockView = BaseView.extend({
@@ -157,7 +162,7 @@ define(['jquery', 'underscore', 'common/js/components/utils/view_utils', 'js/vie
 * @param html The desired HTML.
 */
 updateHtml: function(element, html) {
- element.html(html);
+ HtmlUtils.setHtml(element, HtmlUtils.HTML(html));
 },
 /**
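Review bot: In `updateHtml`, `HtmlUtils.HTML(html)` labels the string as already-safe markup rather than escaping it, so `HtmlUtils.setHtml(element, HtmlUtils.HTML(html))` still inserts `html` verbatim, exactly as `element.html(html)` did. The call makes the trust decision explicit for the linter but adds no sanitization, and the docstring line visible in the hunk (`@param html The desired HTML.`) does not tell callers that. I would extend it to something like `@param html Trusted markup (presumably the rendered XBlock fragment); inserted without escaping, so never pass user-controlled strings.` The docstring begins above the hunk, so its remaining lines are not visible here.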
@@ -214,19 +219,22 @@ define(['jquery', 'underscore', 'common/js/components/utils/view_utils', 'js/vie
 data = resource.data;
 if (mimetype === 'text/css') {
 if (kind === 'text') {
- $head.append("');
+ // xss-lint: disable=javascript-jquery-append,javascript-concat-html
+ $head.append('');
 } else if (kind === 'url') {
- $head.append("");
+ // xss-lint: disable=javascript-jquery-append,javascript-concat-html
+ $head.append('');
 }
 } else if (mimetype === 'application/javascript') {
 if (kind === 'text') {
+ // xss-lint: disable=javascript-jquery-append,javascript-concat-html
 $head.append('');
 } else if (kind === 'url') {
 return ViewUtils.loadJavaScript(data);
 }
 } else if (mimetype === 'text/html') {
 if (placement === 'head') {
- $head.append(data);
+ HtmlUtils.append($head, HtmlUtils.HTML(data));
 }
 }
 // Return an already resolved promise for synchronous updates
diff --git a/cms/templates/component.html b/cms/templates/component.html
index c42e371898..ccf3c58225 100644
--- a/cms/templates/component.html
+++ b/cms/templates/component.html
@@ -37,4 +37,4 @@
-${preview | n}
+${preview | n, decode.utf8}
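Review bot: The three `// xss-lint: disable=javascript-jquery-append,javascript-concat-html` comments give no reason why appending `data` to `$head` unescaped is acceptable, and `HtmlUtils.HTML(data)` in the `text/html` branch likewise only labels `data` as trusted. The appended string literals look stripped in this rendering, but the disabled `javascript-concat-html` rule implies `data` is concatenated into markup. I would put a reason next to each suppression, e.g. `// resource.data comes from the rendered fragment and is treated as trusted; it is not escaped here`, so a reviewed exception can be told apart from a silenced warning. For the `kind === 'url'` CSS branch, assuming it builds a link tag, passing the URL as an attribute — `$head.append($('<link>', {rel: 'stylesheet', type: 'text/css', href: data}));` — would stop a quote in `data` from breaking out of the attribute. The enclosing function starts and ends outside the hunk.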
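Review bot: `${preview | n, decode.utf8}` keeps the `n` filter, which turns off Mako's default filters, so `preview` is still written into the page unescaped; `decode.utf8` only affects decoding. Nothing visible in the hunk says where `preview` is produced or why it may be emitted raw. A template comment directly above the expression, such as `## preview is already-rendered component HTML; intentionally not escaped here` (wording for the author to confirm), would record that decision next to the suppression of escaping.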