diff --git a/cms/templates/js/metadata-file-uploader-entry.underscore b/cms/templates/js/metadata-file-uploader-entry.underscore
index a7f2078a24..af0bd1101f 100644
--- a/cms/templates/js/metadata-file-uploader-entry.underscore
+++ b/cms/templates/js/metadata-file-uploader-entry.underscore
@@ -1,9 +1,9 @@
 <div class="wrapper-comp-setting file-uploader">
-  <label class="label setting-label"><%= model.get('display_name') %></label>
-  <input type="hidden" id="<%= uniqueId %>" class="input setting-input" value="<%= model.get("value") %>">
+  <label class="label setting-label"><%- model.get('display_name') %></label>
+  <input type="hidden" id="<%- uniqueId %>" class="input setting-input" value="<%- model.get("value") %>">
   <div class="wrapper-uploader-actions"></div>
-  <button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
-        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%= gettext("Clear Value") %>"</span>
+  <button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
+        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%- gettext("Clear Value") %>"</span>
     </button>
 </div>
-<span class="tip setting-help"><%= model.get('help') %></span>
+<span class="tip setting-help"><%- model.get('help') %></span>
diff --git a/cms/templates/js/metadata-list-entry.underscore b/cms/templates/js/metadata-list-entry.underscore
index 073a512780..b37ec383ba 100644
--- a/cms/templates/js/metadata-list-entry.underscore
+++ b/cms/templates/js/metadata-list-entry.underscore
@@ -1,17 +1,17 @@
 <div class="wrapper-comp-setting metadata-list-enum">
-  <label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name')%></label>
-  <div id="<%= uniqueId %>" class="wrapper-list-settings">
+  <label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name')%></label>
+  <div id="<%- uniqueId %>" class="wrapper-list-settings">
     <ol class="list-settings">
 
     </ol>
 
     <a href="#" class="create-action create-setting">
-      <span class="icon fa fa-plus" aria-hidden="true"></span><%= gettext("Add") %> <span class="sr"><%= model.get('display_name')%></span>
+      <span class="icon fa fa-plus" aria-hidden="true"></span><%- gettext("Add") %> <span class="sr"><%- model.get('display_name')%></span>
     </a>
   </div>
-  <button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
+  <button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
     <span class="icon fa fa-undo" aria-hidden="true"></span>
-    <span class="sr">"<%= gettext("Clear Value") %>"</span>
+    <span class="sr">"<%- gettext("Clear Value") %>"</span>
   </button>
 </div>
-<span class="tip setting-help"><%= model.get('help') %></span>
+<span class="tip setting-help"><%- model.get('help') %></span>
diff --git a/cms/templates/js/metadata-number-entry.underscore b/cms/templates/js/metadata-number-entry.underscore
index 8621ab528c..7f8572e1e8 100644
--- a/cms/templates/js/metadata-number-entry.underscore
+++ b/cms/templates/js/metadata-number-entry.underscore
@@ -1,8 +1,8 @@
 <div class="wrapper-comp-setting">
-	<label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name') %></label>
-	<input class="input setting-input setting-input-number" type="number" id="<%= uniqueId %>" value='<%= model.get("value") %>'/>
-    <button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
-        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%= gettext("Clear Value") %>"</span>
+	<label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name') %></label>
+	<input class="input setting-input setting-input-number" type="number" id="<%- uniqueId %>" value='<%- model.get("value") %>'/>
+    <button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
+        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%- gettext("Clear Value") %>"</span>
     </button>
 </div>
-<span class="tip setting-help"><%= model.get('help') %></span>
+<span class="tip setting-help"><%- model.get('help') %></span>
diff --git a/cms/templates/js/video/metadata-translations-entry.underscore b/cms/templates/js/video/metadata-translations-entry.underscore
index 1afef78cd9..90615f8e48 100644
--- a/cms/templates/js/video/metadata-translations-entry.underscore
+++ b/cms/templates/js/video/metadata-translations-entry.underscore
@@ -1,11 +1,11 @@
 <div class="wrapper-comp-setting metadata-video-translations">
-  <label class="label setting-label"><%= model.get('display_name')%></label>
+  <label class="label setting-label"><%- model.get('display_name')%></label>
   <input class="upload-transcript-input is-hidden" type="file" name="file" accept=".srt"/>
   <div class="wrapper-translations-settings">
     <ol class="list-settings"></ol>
     <a href="#" class="create-action create-setting">
-      <span class="icon fa fa-plus" aria-hidden="true"></span><%= gettext("Add") %> <span class="sr"><%= model.get('display_name')%></span>
+      <span class="icon fa fa-plus" aria-hidden="true"></span><%- gettext("Add") %> <span class="sr"><%- model.get('display_name')%></span>
     </a>
   </div>
 </div>
-<span class="tip setting-help"><%= model.get('help') %></span>
+<span class="tip setting-help"><%- model.get('help') %></span>
diff --git a/cms/templates/js/video/transcripts/messages/transcripts-choose.underscore b/cms/templates/js/video/transcripts/messages/transcripts-choose.underscore
index d626443964..f7ae0a4c21 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-choose.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-choose.underscore
@@ -1,17 +1,17 @@
 <div class="transcripts-message-status status-error">
     <span class="icon fa fa-remove" aria-hidden="true"></span>
-    <%= gettext("Timed Transcript Conflict") %>
+    <%- gettext("Timed Transcript Conflict") %>
 </div>
 
 <p class="transcripts-message">
-    <%= gettext("The timed transcript for the first video file does not appear to be the same as the timed transcript for the second video file.") %>
+    <%- gettext("The timed transcript for the first video file does not appear to be the same as the timed transcript for the second video file.") %>
     <strong>
-        <%= gettext("Which timed transcript would you like to use?") %>
+        <%- gettext("Which timed transcript would you like to use?") %>
     </strong>
 </p>
 
 <p class="transcripts-error-message is-invisible">
-    <%= gettext("Error.") %>
+    <%- gettext("Error.") %>
 </p>
 
 <div class="wrapper-transcripts-buttons">
@@ -28,12 +28,12 @@
             class="action setting-choose"
             type="button"
             name="setting-choose"
-            data-video-id="<%= value %>"
-            value="<%= message %>"
-            data-tooltip="<%= message %>"
+            data-video-id="<%- value %>"
+            value="<%- message %>"
+            data-tooltip="<%- message %>"
         >
             <span>
-                <%= message %>
+                <%= message %> <% // xss-lint: disable=underscore-not-escaped %>
             </span>
         </button>
     <% }) %>
diff --git a/cms/templates/js/video/transcripts/messages/transcripts-found.underscore b/cms/templates/js/video/transcripts/messages/transcripts-found.underscore
index a803a453f7..e42706953b 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-found.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-found.underscore
@@ -1,16 +1,16 @@
-<div class="transcripts-message-status"><span class="icon fa fa-check" aria-hidden="true"></span><%= gettext("Timed Transcript Found") %></div>
+<div class="transcripts-message-status"><span class="icon fa fa-check" aria-hidden="true"></span><%- gettext("Timed Transcript Found") %></div>
 <p class="transcripts-message">
-<%= gettext("EdX has a timed transcript for this video. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript. If you want to replace this transcript, upload a new .srt transcript file.") %>
+<%- gettext("EdX has a timed transcript for this video. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript. If you want to replace this transcript, upload a new .srt transcript file.") %>
 </p>
 <div class="transcripts-file-uploader"></div>
 <p class="transcripts-error-message is-invisible">
-<%= gettext("Error.") %>
+<%- gettext("Error.") %>
 </p>
 <div class="wrapper-transcripts-buttons">
-    <button class="action setting-upload" type="button" name="setting-upload" value="<%= gettext("Upload New Transcript") %>" data-tooltip="<%= gettext("Upload New .srt Transcript") %>">
-        <span><%= gettext("Upload New Transcript") %></span>
+    <button class="action setting-upload" type="button" name="setting-upload" value="<%- gettext("Upload New Transcript") %>" data-tooltip="<%- gettext("Upload New .srt Transcript") %>">
+        <span><%- gettext("Upload New Transcript") %></span>
     </button>
-    <a class="action setting-download" href="/transcripts/download?locator=<%= component_locator %>" data-tooltip="<%= gettext("Download Transcript for Editing") %>">
-        <span><%= gettext("Download Transcript for Editing") %></span>
+    <a class="action setting-download" href="/transcripts/download?locator=<%- component_locator %>" data-tooltip="<%- gettext("Download Transcript for Editing") %>">
+        <span><%- gettext("Download Transcript for Editing") %></span>
     </a>
 </div>
diff --git a/cms/templates/js/video/transcripts/metadata-videolist-entry.underscore b/cms/templates/js/video/transcripts/metadata-videolist-entry.underscore
index 2e0719711b..6c22c6f04c 100644
--- a/cms/templates/js/video/transcripts/metadata-videolist-entry.underscore
+++ b/cms/templates/js/video/transcripts/metadata-videolist-entry.underscore
@@ -1,20 +1,20 @@
 <div class="wrapper-comp-setting metadata-videolist-enum">
-  <label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name')%></label>
+  <label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name')%></label>
   <div class="wrapper-videolist-settings">
-    <div class="wrapper-videolist-url videolist-settings-item"><input type="text" id="<%= uniqueId %>"  class="input videolist-url" value="<%= model.get('value')[0] %>"></div>
-    <div class="tip videolist-url-tip setting-help"><%= model.get('help') %></div>
+    <div class="wrapper-videolist-url videolist-settings-item"><input type="text" id="<%- uniqueId %>"  class="input videolist-url" value="<%- model.get('value')[0] %>"></div>
+    <div class="tip videolist-url-tip setting-help"><%- model.get('help') %></div>
     <div class="wrapper-videolist-urls">
       <a href="#" class="collapse-action collapse-setting">
-        <span class="icon fa fa-plus" aria-hidden="true"></span><%= gettext("Add URLs for additional versions") %> <span class="sr"><%= model.get('display_name')%></span>
+        <span class="icon fa fa-plus" aria-hidden="true"></span><%- gettext("Add URLs for additional versions") %> <span class="sr"><%- model.get('display_name')%></span>
       </a>
       <div class="videolist-extra-videos">
-        <span class="tip videolist-extra-videos-tip setting-help"><%= gettext("To be sure all students can access the video, we recommend providing both an .mp4 and a .webm version of your video. Click below to add a URL for another version. These URLs cannot be YouTube URLs. The first listed video that's compatible with the student's computer will play.") %></span>
+        <span class="tip videolist-extra-videos-tip setting-help"><%- gettext("To be sure all students can access the video, we recommend providing both an .mp4 and a .webm version of your video. Click below to add a URL for another version. These URLs cannot be YouTube URLs. The first listed video that's compatible with the student's computer will play.") %></span>
         <ol class="videolist-settings">
             <li class="videolist-settings-item">
-              <input type="text" class="input" value="<%= model.get('value')[1] %>">
+              <input type="text" class="input" value="<%- model.get('value')[1] %>">
             </li>
             <li class="videolist-settings-item">
-              <input type="text" class="input" value="<%= model.get('value')[2] %>">
+              <input type="text" class="input" value="<%- model.get('value')[2] %>">
             </li>
         </ol>
       </div>
@@ -22,6 +22,6 @@
   </div>
 </div>
 <div class="transcripts-status is-invisible">
-    <label class="label setting-label transcripts-label"><%= gettext("Default Timed Transcript") %></label>
+    <label class="label setting-label transcripts-label"><%- gettext("Default Timed Transcript") %></label>
     <div class="wrapper-transcripts-message"></div>
 </div>
diff --git a/cms/templates/js/xblock-string-field-editor.underscore b/cms/templates/js/xblock-string-field-editor.underscore
index ced86dfa65..70ea7b2692 100644
--- a/cms/templates/js/xblock-string-field-editor.underscore
+++ b/cms/templates/js/xblock-string-field-editor.underscore
@@ -7,10 +7,10 @@
 <div class="xblock-string-field-editor incontext-editor-form">
   <form>
     <% var formLabel = gettext("Edit %(display_name)s (required)"); %>
-    <label><span class="sr"><%= interpolate(formLabel, {display_name: fieldDisplayName}, true) %></span>
-      <input type="text" value="<%= value %>" class="xblock-field-input incontext-editor-input" data-metadata-name="<%= fieldName %>">
+    <label><span class="sr"><%= interpolate(formLabel, {display_name: fieldDisplayName}, true) %></span> <% // xss-lint: disable=underscore-not-escaped %>
+      <input type="text" value="<%= value %>" class="xblock-field-input incontext-editor-input" data-metadata-name="<%- fieldName %>"> <% // xss-lint: disable=underscore-not-escaped %>
     </label>
-    <button class="sr action action-primary" name="submit" type="submit"><%= gettext("Save") %></button>
-    <button class="sr action action-secondary" name="cancel" type="button"><%= gettext("Cancel") %></button>
+    <button class="sr action action-primary" name="submit" type="submit"><%- gettext("Save") %></button>
+    <button class="sr action action-secondary" name="cancel" type="button"><%- gettext("Cancel") %></button>
   </form>
 </div>
diff --git a/common/lib/xmodule/xmodule/block_metadata_utils.py b/common/lib/xmodule/xmodule/block_metadata_utils.py
index acc29055b8..8db6e37bc2 100644
--- a/common/lib/xmodule/xmodule/block_metadata_utils.py
+++ b/common/lib/xmodule/xmodule/block_metadata_utils.py
@@ -6,6 +6,8 @@ allows us to share code between the XModuleMixin and CourseOverview and
 BlockStructure.
 """
 
+from markupsafe import escape
+
 
 def url_name_for_block(block):
     """
@@ -77,4 +79,4 @@ def display_name_with_default_escaped(block):
     # This escaping is incomplete.  However, rather than switching this to use
     # markupsafe.escape() and fixing issues, better to put that energy toward
     # migrating away from this method altogether.
-    return display_name_with_default(block).replace('<', '&lt;').replace('>', '&gt;')
+    return escape(display_name_with_default(block))