diff --git a/app/coffeescripts/gradebook2/SubmissionCell.coffee b/app/coffeescripts/gradebook2/SubmissionCell.coffee index f87822d3e78..26c528ecb0f 100644 --- a/app/coffeescripts/gradebook2/SubmissionCell.coffee +++ b/app/coffeescripts/gradebook2/SubmissionCell.coffee @@ -1,10 +1,11 @@ define [ 'compiled/gradebook2/GRADEBOOK_TRANSLATIONS' + 'str/htmlEscape' 'jquery' 'underscore' 'compiled/gradebook2/Turnitin' 'jquery.ajaxJSON' -], (GRADEBOOK_TRANSLATIONS, $, _, {extractData}) -> +], (GRADEBOOK_TRANSLATIONS, htmlEscape,$, _, {extractData}) -> class SubmissionCell @@ -23,7 +24,7 @@ define [ @$input.focus() loadValue: () -> - @val = @opts.item[@opts.column.field].grade || "" + @val = htmlEscape @opts.item[@opts.column.field].grade || "" @$input.val(@val) @$input[0].defaultValue = @val @$input.select() @@ -32,7 +33,7 @@ define [ @$input.val() applyValue: (item, state) -> - item[@opts.column.field].grade = state + item[@opts.column.field].grade = htmlEscape state @wrapper?.remove() @postValue(item, state) # TODO: move selection down to the next row, same column diff --git a/spec/coffeescripts/gradebook2/SubmissionCellSpec.coffee b/spec/coffeescripts/gradebook2/SubmissionCellSpec.coffee new file mode 100644 index 00000000000..20050bbf925 --- /dev/null +++ b/spec/coffeescripts/gradebook2/SubmissionCellSpec.coffee 
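Review bot: The new parameter list `(GRADEBOOK_TRANSLATIONS, htmlEscape,$, _, {extractData})` drops the space after `htmlEscape,` while every other argument is separated by `, `; write it as `(GRADEBOOK_TRANSLATIONS, htmlEscape, $, _, {extractData})` to match the surrounding style. The same spacing appears in the spec's `(SubmissionCell,htmlEscape,$)`.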
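Review bot: In loadValue the escaped string is written into the input with `@$input.val(@val)`, which sets a DOM property that the browser never parses as HTML, so the change does not close an injection point here; instead a grade containing `&`, `<` or `"` is now shown to the editor as entity text (e.g. `&amp;`), and a grade that applyValue in the next hunk has already escaped is escaped a second time when the cell is reopened. The sink that needs escaping is wherever the grade is interpolated into cell markup (presumably the cell formatter), which is not part of this diff. I would keep this line as `@val = @opts.item[@opts.column.field].grade || ""` and apply `htmlEscape` at render time; the same applies to the applyValue hunk below. The enclosing class continues outside this hunk.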
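Review bot: After `item[@opts.column.field].grade = htmlEscape state` the local item holds the escaped grade while `@postValue(item, state)` on the next line still forwards the raw `state`, so the in-memory model and the value sent onward diverge, and the stored value is no longer the grade the user typed (a `"` becomes `&quot;`). Escaping belongs at the point where the grade is rendered into HTML, not in the data model; storing the raw value with `item[@opts.column.field].grade = state` and escaping in the renderer avoids both the divergence and the double-escaping on reload. If mutating the model is intentional, postValue should at least receive the same value the item holds. The applyValue body continues past the end of this hunk.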
@@ -0,0 +1,34 @@
+define [
+  'compiled/gradebook2/SubmissionCell'
+  'str/htmlEscape'
+  'jquery'
+], (SubmissionCell,htmlEscape,$) ->
+
+  dangerousHTML= '">'
+  escapedDangerousHTML = htmlEscape dangerousHTML
+
+  module "SubmissionCell",
+    setup: ->
+      @opts =
+        item:
+          'whatever': {}
+        column:
+          field: 'whatever'
+          object: {}
+        container: $('#fixtures')[0]
+      @cell = new SubmissionCell @opts
+    teardown: -> $('#fixtures').empty()
+
+  test "#applyValue escapes html in passed state", ->
+    item = whatever: {grade: '1'}
+    state = dangerousHTML
+    sinon.stub @cell, 'postValue'
+    @cell.applyValue(item,state)
+    equal item.whatever.grade, escapedDangerousHTML
+
+  test "#loadValue escapes html", ->
+    @opts.item.whatever.grade = dangerousHTML
+    @cell.loadValue()
+    equal @cell.$input.val(), escapedDangerousHTML
+    equal @cell.$input[0].defaultValue, escapedDangerousHTML
+
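Review bot: The `#loadValue escapes html` test asserts `equal @cell.$input.val(), escapedDangerousHTML`, i.e. that the edit box displays the entity-encoded text, which pins the escape-into-the-model behaviour rather than the property that matters for an injection regression (that no markup from the grade ends up in the rendered cell). A more useful regression test would render the cell with the dangerous grade and assert that `$('#fixtures')` contains no element created from it, leaving the input's value equal to the raw grade. `sinon.stub @cell, 'postValue'` is never restored; it is harmless today because setup builds a fresh cell, but a `sinon.sandbox` or restore in teardown would make that explicit. Spacing is also inconsistent with the rest of the codebase (`dangerousHTML= '">'`, `applyValue(item,state)`).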