diff --git a/app/coffeescripts/PaginatedList.coffee b/app/coffeescripts/PaginatedList.coffee
index a7651e05c5f..ebee94b5604 100644
--- a/app/coffeescripts/PaginatedList.coffee
+++ b/app/coffeescripts/PaginatedList.coffee
@@ -31,7 +31,7 @@
 # PaginatedList expects an empty <ul> wrapped in a <div>. The element
 # passed to the constructor should be the <div>.
 
-define ['jquery', 'i18n!paginated_list', 'vendor/spin'], ($, I18n, Spinner) ->
+define ['jquery', 'i18n!paginated_list', 'vendor/spin', 'str/htmlEscape'], ($, I18n, Spinner, htmlEscape) ->
   class PaginatedList
     ##
     # I18n keys used by class
@@ -132,11 +132,11 @@ define ['jquery', 'i18n!paginated_list', 'vendor/spin'], ($, I18n, Spinner) ->
     ##
     # animate loaded results
     # @api private
-    animateInResults: (results) ->
+    animateInResults: ($results) ->
       empty = @el.list.children().length == 0
-      results.css('display', 'none')
-      @el.list.append results
-      results.slideDown()
+      $results.css('display', 'none')
+      @el.list.append $results
+      $results.slideDown()
 
     ##
     # keep track of what page we're on. when the last page
@@ -146,7 +146,7 @@ define ['jquery', 'i18n!paginated_list', 'vendor/spin'], ($, I18n, Spinner) ->
       if @hasNextPage()
         @options.requestParams.page++
         unless @pageLinkPresent
-          @el.wrapper.append @viewMoreLink()
+          @el.wrapper.append @viewMoreLinkHtml()
           @pageLinkPresent = true
       else
         @el.wrapper.find('.view-more-link').remove()
@@ -162,12 +162,12 @@ define ['jquery', 'i18n!paginated_list', 'vendor/spin'], ($, I18n, Spinner) ->
     # template for view more link
     # @return String
     # @api private
-    viewMoreLink: ->
-      '<a class="view-more-link" href="#">' + @keys.viewMore + '</a>'
+    viewMoreLinkHtml: ->
+      '<a class="view-more-link" href="#">' + htmlEscape(@keys.viewMore) + '</a>'
 
     ##
     # template for no results notification
     # @return String
     # @api private
     noResults: ->
-      @el.list.append "<li>#{@keys.noResults}</li>"
+      @el.list.append "<li>#{htmlEscape @keys.noResults}</li>"
diff --git a/app/coffeescripts/backbone-ext/Backbone.syncWithMultipart.coffee b/app/coffeescripts/backbone-ext/Backbone.syncWithMultipart.coffee
index b97231851f7..c032982e451 100644
--- a/app/coffeescripts/backbone-ext/Backbone.syncWithMultipart.coffee
+++ b/app/coffeescripts/backbone-ext/Backbone.syncWithMultipart.coffee
@@ -5,7 +5,12 @@ define [
   'underscore'
   'jquery'
   'compiled/behaviors/authenticity_token'
-], (Backbone, _, $, authenticity_token) ->
+  'str/htmlEscape'
+], (Backbone, _, $, authenticity_token, htmlEscape) ->
+  ###
+  xsslint safeString.identifier iframeId httpMethod
+  xsslint jqueryObject.identifier el
+  ###
 
   Backbone.syncWithoutMultipart = Backbone.sync
   Backbone.syncWithMultipart = (method, model, options) ->
@@ -35,7 +40,7 @@ define [
           $el[0]
       _.flatten(inputs)
     $form = $("""
-      <form enctype='multipart/form-data' target='#{iframeId}' action='#{options.url ? model.url()}' method='POST'>
+      <form enctype='multipart/form-data' target='#{iframeId}' action='#{htmlEscape options.url ? model.url()}' method='POST'>
       </form>
     """).hide()
 
@@ -43,7 +48,7 @@ define [
     if options.proxyAttachment
       $form.prepend """
         <input type='hidden' name='_method' value='#{httpMethod}' />
-        <input type='hidden' name='authenticity_token' value='#{authenticity_token()}' />
+        <input type='hidden' name='authenticity_token' value='#{htmlEscape authenticity_token()}' />
         """
 
     _.each toForm(model.toJSON()), (el) ->
diff --git a/app/coffeescripts/backbone-ext/View.coffee b/app/coffeescripts/backbone-ext/View.coffee
index 479ba7ca470..06c2650f9f5 100644
--- a/app/coffeescripts/backbone-ext/View.coffee
+++ b/app/coffeescripts/backbone-ext/View.coffee
@@ -250,6 +250,10 @@ define [
     #
     # @api private
 
+    ###
+    xsslint safeString.method format
+    ###
+
     createBindings: (index, el) =>
       @$('[data-bind]').each (index, el) =>
         $el = $ el
diff --git a/app/coffeescripts/badge_counts.coffee b/app/coffeescripts/badge_counts.coffee
index 29d4ac26627..acdc627a375 100644
--- a/app/coffeescripts/badge_counts.coffee
+++ b/app/coffeescripts/badge_counts.coffee
@@ -4,5 +4,5 @@ define ['jquery'], ($) ->
       for type, unread of ENV.badge_counts
         if unread > 0
           type = "grades" if type is "submissions"
-          $badge = $("<b/>").append(unread).addClass("nav-badge")
+          $badge = $("<b/>").text(unread).addClass("nav-badge")
           $("#section-tabs .#{type}").append($badge)
diff --git a/app/coffeescripts/behaviors/SyllabusBehaviors.coffee b/app/coffeescripts/behaviors/SyllabusBehaviors.coffee
index a2d75a749e8..b78b308338d 100644
--- a/app/coffeescripts/behaviors/SyllabusBehaviors.coffee
+++ b/app/coffeescripts/behaviors/SyllabusBehaviors.coffee
@@ -231,6 +231,9 @@ define [
         $course_syllabus.loadingImage()
 
       success: (data) ->
+        ###
+        xsslint safeString.property syllabus_body
+        ###
         $course_syllabus.loadingImage('remove').html data.course.syllabus_body
         $course_syllabus.data('syllabus_body', data.course.syllabus_body)
         $course_syllabus_details.hide()
diff --git a/app/coffeescripts/behaviors/favicon.coffee b/app/coffeescripts/behaviors/favicon.coffee
index a5ed75f511f..7b13784f20f 100644
--- a/app/coffeescripts/behaviors/favicon.coffee
+++ b/app/coffeescripts/behaviors/favicon.coffee
@@ -1,14 +1,14 @@
 define ['jquery', 'INST'], ($, INST) ->
-  link = null
+  $link = null
   set = (env) ->
-    link.remove() if link
+    $link.remove() if $link
     favicon = if env == 'development'
       '/favicon-green.ico'
     else if env == 'test'
       '/favicon-yellow.ico'
     else
       '/favicon.ico'
-    link = $('<link />').attr(rel: 'icon', type: 'image/x-icon', href: favicon)
-    $(document.head).append(link)
+    $link = $('<link />').attr(rel: 'icon', type: 'image/x-icon', href: favicon)
+    $(document.head).append($link)
   set(INST?.environment)
   set
diff --git a/app/coffeescripts/behaviors/ujsLinks.coffee b/app/coffeescripts/behaviors/ujsLinks.coffee
index dfc5adb6e71..c98d412e631 100644
--- a/app/coffeescripts/behaviors/ujsLinks.coffee
+++ b/app/coffeescripts/behaviors/ujsLinks.coffee
@@ -1,7 +1,7 @@
 # copied from
 # https://github.com/rails/jquery-ujs
 
-define ['jquery', 'compiled/behaviors/authenticity_token'], ($, authenticity_token) ->
+define ['jquery', 'compiled/behaviors/authenticity_token', 'str/htmlEscape'], ($, authenticity_token, htmlEscape) ->
 
   ##
   # Handles "data-method" on links such as:
@@ -11,12 +11,12 @@ define ['jquery', 'compiled/behaviors/authenticity_token'], ($, authenticity_tok
     href = link.data('url') || link.attr('href')
     method = link.data('method')
     target = link.attr('target')
-    form = $("<form method='post' action='#{href}'></form>")
-    metadataInput = "<input name='_method' value='#{method }' type='hidden' />"
-    metadataInput += "<input name='authenticity_token' type='hidden' />"
+    form = $("<form method='post' action='#{htmlEscape href}'></form>")
+    metadataInputHtml = "<input name='_method' value='#{htmlEscape method}' type='hidden' />"
+    metadataInputHtml += "<input name='authenticity_token' type='hidden' />"
 
     form.attr('target', target) if target
-    form.hide().append(metadataInput).appendTo('body').submit()
+    form.hide().append(metadataInputHtml).appendTo('body').submit()
 
 
   # For 'data-confirm' attribute:
diff --git a/app/coffeescripts/bundles/dashboard.coffee b/app/coffeescripts/bundles/dashboard.coffee
index 0f788c1432e..780938c0ea6 100644
--- a/app/coffeescripts/bundles/dashboard.coffee
+++ b/app/coffeescripts/bundles/dashboard.coffee
@@ -11,8 +11,8 @@ require [
   if ENV.DASHBOARD_SIDEBAR_URL
     rightSide = $('#right-side')
     rightSide.disableWhileLoading(
-      $.get ENV.DASHBOARD_SIDEBAR_URL , (data) ->
-        rightSide.html data
+      $.get ENV.DASHBOARD_SIDEBAR_URL , (html) ->
+        rightSide.html html
         newCourseForm()
     )
 
diff --git a/app/coffeescripts/bundles/legacy/courses_show.coffee b/app/coffeescripts/bundles/legacy/courses_show.coffee
index 3c64098af6a..684d7479f0b 100644
--- a/app/coffeescripts/bundles/legacy/courses_show.coffee
+++ b/app/coffeescripts/bundles/legacy/courses_show.coffee
@@ -39,9 +39,9 @@ require [
       $link.hide()
       $.ajaxJSON $(this).attr("href"), "GET", {}, (data) ->
         $("#home_page").loadingImage "remove"
-        body = htmlEscape($.trim(data.wiki_page.body))
-        body = htmlEscape(I18n.t("empty_body", "No Content")) if body.length is 0
-        $("#home_page_content").html body
+        bodyHtml = htmlEscape($.trim(data.wiki_page.body))
+        bodyHtml = htmlEscape(I18n.t("empty_body", "No Content")) if bodyHtml.length is 0
+        $("#home_page_content").html bodyHtml
         $("html,body").scrollTo $("#home_page")
 
     $(".dashboard_view_link").click (event) ->
diff --git a/app/coffeescripts/bundles/legacy/user_outcome_results.coffee b/app/coffeescripts/bundles/legacy/user_outcome_results.coffee
index 7e262a1d8cf..46d977d23bd 100644
--- a/app/coffeescripts/bundles/legacy/user_outcome_results.coffee
+++ b/app/coffeescripts/bundles/legacy/user_outcome_results.coffee
@@ -7,7 +7,7 @@ require [
     showAllArtifacts.click (event) ->
       event.preventDefault()
       $("tr.artifact_details").toggle()
-      if showAllArtifacts.html() is I18n.t("#buttons.show_all_artifacts", "Show All Artifacts")
-        showAllArtifacts.html I18n("#buttons.hide_all_artifacts", "Hide All Artifacts")
+      if showAllArtifacts.text() is I18n.t("#buttons.show_all_artifacts", "Show All Artifacts")
+        showAllArtifacts.text I18n("#buttons.hide_all_artifacts", "Hide All Artifacts")
       else
-        showAllArtifacts.html I18n.t("#buttons.show_all_artifacts", "Show All Artifacts")
\ No newline at end of file
+        showAllArtifacts.text I18n.t("#buttons.show_all_artifacts", "Show All Artifacts")
diff --git a/app/coffeescripts/bundles/profile_show.coffee b/app/coffeescripts/bundles/profile_show.coffee
index 4746b6c5f45..c278d7c9be5 100644
--- a/app/coffeescripts/bundles/profile_show.coffee
+++ b/app/coffeescripts/bundles/profile_show.coffee
@@ -80,10 +80,10 @@ require [
       @$linkFields ?= @$ '#profile_link_fields'
       $row = $ """
         <tr>
-          <td><input aria-label="#{I18n.t("Link title")}" type="text" maxlength="255" name="link_titles[]" value="#{htmlEscape title}"></td>
+          <td><input aria-label="#{htmlEscape I18n.t("Link title")}" type="text" maxlength="255" name="link_titles[]" value="#{htmlEscape title}"></td>
           <td>→</td>
-          <td><input aria-label="#{I18n.t("Link Url")}" type="text" name="link_urls[]" value="#{htmlEscape url}"></td>
-          <td><a href="#" data-event="removeLinkRow"><span class="screenreader-only">#{I18n.t("Remove")}</span><i class="icon-end"></i></a></td>
+          <td><input aria-label="#{htmlEscape I18n.t("Link Url")}" type="text" name="link_urls[]" value="#{htmlEscape url}"></td>
+          <td><a href="#" data-event="removeLinkRow"><span class="screenreader-only">#{htmlEscape I18n.t("Remove")}</span><i class="icon-end"></i></a></td>
         </tr>
       """
       @$linkFields.append $row
diff --git a/app/coffeescripts/bundles/quiz_show.coffee b/app/coffeescripts/bundles/quiz_show.coffee
index 02fab2cc4e3..cfdce0dff4d 100644
--- a/app/coffeescripts/bundles/quiz_show.coffee
+++ b/app/coffeescripts/bundles/quiz_show.coffee
@@ -20,8 +20,8 @@ require [
     if ENV.SUBMISSION_VERSIONS_URL && !ENV.IS_SURVEY
       versions = $("#quiz-submission-version-table")
       versions.css(height: "100px")
-      dfd = $.get ENV.SUBMISSION_VERSIONS_URL, (data) ->
-        versions.html(data)
+      dfd = $.get ENV.SUBMISSION_VERSIONS_URL, (html) ->
+        versions.html(html)
         versions.css(height: "auto")
       versions.disableWhileLoading(dfd)
 
diff --git a/app/coffeescripts/bundles/zip_file_imports.coffee b/app/coffeescripts/bundles/zip_file_imports.coffee
index eff6ce3924d..67bfea94294 100644
--- a/app/coffeescripts/bundles/zip_file_imports.coffee
+++ b/app/coffeescripts/bundles/zip_file_imports.coffee
@@ -1,12 +1,13 @@
 require [
   'i18n!zip_file_imports' # I18n
   'jquery' # $
+  'str/htmlEscape'
   'jquery.ajaxJSON' # getJSON
   'jquery.instructure_forms' # ajaxJSONFiles
   'jqueryui/dialog'
   'compiled/jquery.rails_flash_notifications'
   'jqueryui/progressbar' # /\.progressbar/
-], (I18n, $) ->
+], (I18n, $, htmlEscape) ->
 
   $(document).ready ->
     $zipFile = $("#zip_file_import_form #zip_file")
@@ -73,7 +74,7 @@ require [
             importFailed []
           else if zfi.workflow_state == 'imported'
             $("#uploading_progressbar").progressbar 'value', 100
-            $("#uploading_please_wait_dialog").prepend I18n.t('notices.uploading_complete', "Uploading complete!")
+            $("#uploading_please_wait_dialog").prepend htmlEscape I18n.t('notices.uploading_complete', "Uploading complete!")
             location.href = $("#return_to").val()
           else
             pollImport.errorCount = 0
diff --git a/app/coffeescripts/calendar/Calendar.coffee b/app/coffeescripts/calendar/Calendar.coffee
index e6260fd91f3..aaf2dfda4e6 100644
--- a/app/coffeescripts/calendar/Calendar.coffee
+++ b/app/coffeescripts/calendar/Calendar.coffee
@@ -156,7 +156,7 @@ define [
         dayClick: @dayClick
         addEventClick: @addEventClick
         titleFormat:
-          week: "MMM d[ yyyy]{ '&ndash;'[ MMM] d, yyyy}"
+          week: "MMM d[ yyyy]{ '–'[ MMM] d, yyyy}"
         viewDisplay: @viewDisplay
         windowResize: @windowResize
         drop: @drop
@@ -275,8 +275,8 @@ define [
           I18n.t('event_event_title', 'Event Title:')
 
       $element.attr('title', $.trim("#{timeString}\n#{$element.find('.fc-event-title').text()}\n\n#{I18n.t('calendar_title', 'Calendar:')} #{htmlEscape(event.contextInfo.name)}"))
-      $element.find('.fc-event-inner').prepend($("<span class='screenreader-only'>#{I18n.t('calendar_title', 'Calendar:')} #{htmlEscape(event.contextInfo.name)}</span>"))
-      $element.find('.fc-event-title').prepend($("<span class='screenreader-only'>#{screenReaderTitleHint} </span>"))
+      $element.find('.fc-event-inner').prepend($("<span class='screenreader-only'>#{htmlEscape I18n.t('calendar_title', 'Calendar:')} #{htmlEscape(event.contextInfo.name)}</span>"))
+      $element.find('.fc-event-title').prepend($("<span class='screenreader-only'>#{htmlEscape screenReaderTitleHint} </span>"))
       $element.find('.fc-event-title').toggleClass('calendar__event--completed', event.isCompleted())
       element.find('.fc-event-inner').prepend($('<i />', {'class': "icon-#{event.iconType()}"}))
       true
@@ -408,20 +408,20 @@ define [
     drawNowLine: =>
       return unless @currentView == 'week'
 
-      if !@nowLine
-        @nowLine = $('<div />', {'class': 'calendar-nowline'})
-      $('.fc-agenda-slots').parent().append(@nowLine)
+      if !@$nowLine
+        @$nowLine = $('<div />', {'class': 'calendar-nowline'})
+      $('.fc-agenda-slots').parent().append(@$nowLine)
 
       now = $.fudgeDateForProfileTimezone(new Date)
       midnight = new Date(now.getTime())
       midnight.setHours(0, 0, 0)
       seconds = (now.getTime() - midnight.getTime())/1000
 
-      @nowLine.toggle(@isSameWeek(@getCurrentDate(), now))
+      @$nowLine.toggle(@isSameWeek(@getCurrentDate(), now))
 
-      @nowLine.css('width', $('.fc-agenda-slots .fc-widget-content:first').css('width'))
+      @$nowLine.css('width', $('.fc-agenda-slots .fc-widget-content:first').css('width'))
       secondHeight = $('.fc-agenda-slots').css('height').replace('px', '')/24/3600
-      @nowLine.css('top', seconds*secondHeight + 'px')
+      @$nowLine.css('top', seconds*secondHeight + 'px')
 
     setDateTitle: (title) =>
       @header.setHeaderText(title)
@@ -642,7 +642,7 @@ define [
       @agenda.fetch(@visibleContextList, start)
 
     renderDateRange: (start, end) =>
-      @setDateTitle(I18n.l('#date.formats.medium', start)+' &ndash; '+I18n.l('#date.formats.medium', end))
+      @setDateTitle(I18n.l('#date.formats.medium', start)+' – '+I18n.l('#date.formats.medium', end))
       # for "load more" with voiceover, we want the alert to happen later so
       # the focus change doesn't interrupt it.
       window.setTimeout =>
@@ -671,15 +671,16 @@ define [
 
     colorizeContexts: =>
       colors = colorSlicer.getColors(@contextCodes.length, 275, {unsafe: !ENV.SETTINGS.use_high_contrast})
-      html = for contextCode, index in @contextCodes
+      html = (for contextCode, index in @contextCodes
         color = colors[index]
         ".group_#{contextCode}{
            color: #{color};
            border-color: #{color};
            background-color: #{color};
         }"
+      ).join('')
 
-      $styleContainer.html "<style>#{html.join('')}</style>"
+      $styleContainer.html "<style>#{html}</style>"
 
     dataFromDocumentHash: () =>
       data = {}
diff --git a/app/coffeescripts/calendar/EditAssignmentDetails.coffee b/app/coffeescripts/calendar/EditAssignmentDetails.coffee
index d86fd6a1fa3..cbbb5f6f98e 100644
--- a/app/coffeescripts/calendar/EditAssignmentDetails.coffee
+++ b/app/coffeescripts/calendar/EditAssignmentDetails.coffee
@@ -13,24 +13,24 @@ define [
     constructor: (selector, @event, @contextChangeCB, @closeCB) ->
       @currentContextInfo = null
       tpl = if @event.override then editAssignmentOverrideTemplate else editAssignmentTemplate
-      @form = $(tpl({
+      @$form = $(tpl({
         title: @event.title
         contexts: @event.possibleContexts()
       }))
-      $(selector).append @form
+      $(selector).append @$form
 
       @setupTimeAndDatePickers()
 
-      @form.submit @formSubmit
-      @form.find(".more_options_link").click @moreOptionsClick
-      @form.find("select.context_id").change @contextChange
-      @form.find("select.context_id").triggerHandler('change', false)
+      @$form.submit @formSubmit
+      @$form.find(".more_options_link").click @moreOptionsClick
+      @$form.find("select.context_id").change @contextChange
+      @$form.find("select.context_id").triggerHandler('change', false)
 
       # Hide the context selector completely if this is an existing event, since it can't be changed.
       if !@event.isNewEvent()
-        @form.find(".context_select").hide()
-        @form.attr('method', 'PUT')
-        @form.attr('action', $.replaceTags(@event.contextInfo.assignment_url, 'id', @event.object.id))
+        @$form.find(".context_select").hide()
+        @$form.attr('method', 'PUT')
+        @$form.attr('action', $.replaceTags(@event.contextInfo.assignment_url, 'id', @event.object.id))
 
     contextInfoForCode: (code) ->
       for context in @event.possibleContexts()
@@ -39,14 +39,14 @@ define [
       return null
 
     activate: () =>
-      @form.find("select.context_id").change()
+      @$form.find("select.context_id").change()
       if @event.assignment?.assignment_group_id
-        @form.find(".assignment_group_select .assignment_group").val(@event.assignment.assignment_group_id)
+        @$form.find(".assignment_group_select .assignment_group").val(@event.assignment.assignment_group_id)
 
     moreOptionsClick: (jsEvent) =>
       jsEvent.preventDefault()
       pieces = $(jsEvent.target).attr('href').split("#")
-      data = @form.getFormData( object_name: 'assignment' )
+      data = @$form.getFormData( object_name: 'assignment' )
       params = {}
       if data.title then params['title'] = data.title
       if data.due_at then params['due_at'] = data.due_at
@@ -56,7 +56,7 @@ define [
       window.location.href = pieces.join("#")
 
     setContext: (newContext) =>
-      @form.find("select.context_id").val(newContext).triggerHandler('change', false)
+      @$form.find("select.context_id").val(newContext).triggerHandler('change', false)
 
     contextChange: (jsEvent, propagate) =>
       return if @ignoreContextChange
@@ -72,30 +72,30 @@ define [
       # TODO: support adding a new assignment group from this select box
       assignmentGroupsSelectOptionsInfo =
         collection: @currentContextInfo.assignment_groups
-      @form.find(".assignment_group").html(genericSelectOptionsTemplate(assignmentGroupsSelectOptionsInfo))
+      @$form.find(".assignment_group").html(genericSelectOptionsTemplate(assignmentGroupsSelectOptionsInfo))
 
       # Update the edit and more options links with the new context
-      @form.attr('action', @currentContextInfo.create_assignment_url)
+      @$form.attr('action', @currentContextInfo.create_assignment_url)
       moreOptionsUrl = if @event.assignment
                            "#{@event.assignment.html_url}/edit"
                          else
                            @currentContextInfo.new_assignment_url
-      @form.find(".more_options_link").attr('href', moreOptionsUrl)
+      @$form.find(".more_options_link").attr('href', moreOptionsUrl)
 
     setupTimeAndDatePickers: () =>
-      @form.find(".datetime_field").datetime_field()
+      @$form.find(".datetime_field").datetime_field()
 
       startDate = @event.startDate()
       endDate = @event.endDate()
 
       if @event.allDay
-        @form.find(".datetime_field").val(startDate.toString('MMM d, yyyy')).change()
+        @$form.find(".datetime_field").val(startDate.toString('MMM d, yyyy')).change()
       else if startDate
-        @form.find(".datetime_field").val(startDate.toString('MMM d, yyyy h:mmtt')).change()
+        @$form.find(".datetime_field").val(startDate.toString('MMM d, yyyy h:mmtt')).change()
 
     formSubmit: (e) =>
       e.preventDefault()
-      form = @form.getFormData()
+      form = @$form.getFormData()
       if form['assignment[due_at]']? then @submitAssignment(form) else @submitOverride(form)
 
     submitAssignment: (form) ->
@@ -104,12 +104,12 @@ define [
       if dueAtString == ''
         dueAt = null
       else
-        dueAt = @form.find("#assignment_due_at").data('date')
+        dueAt = @$form.find("#assignment_due_at").data('date')
       params = {
-        'assignment[name]': @form.find("#assignment_title").val()
-        'assignment[published]': @form.find("#assignment_published").val() if @form.find("#assignment_published").is(':checked')
+        'assignment[name]': @$form.find("#assignment_title").val()
+        'assignment[published]': @$form.find("#assignment_published").val() if @$form.find("#assignment_published").is(':checked')
         'assignment[due_at]': if dueAt then $.unfudgeDateForProfileTimezone(dueAt).toISOString() else ''
-        'assignment[assignment_group_id]': @form.find(".assignment_group").val()
+        'assignment[assignment_group_id]': @$form.find(".assignment_group").val()
       }
 
       if @event.isNewEvent()
@@ -117,7 +117,7 @@ define [
           assignment:
             title: params['assignment[name]']
             due_at: if dueAt then dueAt.toISOString() else null
-            context_code: @form.find(".context_id").val()
+            context_code: @$form.find(".context_id").val()
         newEvent = commonEventFactory(objectData, @event.possibleContexts())
         newEvent.save(params)
       else
@@ -129,7 +129,7 @@ define [
 
     submitOverride: (form) ->
       dueAt  = form['assignment_override[due_at]']
-      dueAt  = if dueAt is '' then null else @form.find('#assignment_override_due_at').data('date')
+      dueAt  = if dueAt is '' then null else @$form.find('#assignment_override_due_at').data('date')
       params = 'assignment_override[due_at]': if dueAt then $.unfudgeDateForProfileTimezone(dueAt).toISOString() else ''
       @event.start = dueAt
       @event.save(params)
diff --git a/app/coffeescripts/calendar/EditCalendarEventDetails.coffee b/app/coffeescripts/calendar/EditCalendarEventDetails.coffee
index 3803137a677..dfd420b7eaf 100644
--- a/app/coffeescripts/calendar/EditCalendarEventDetails.coffee
+++ b/app/coffeescripts/calendar/EditCalendarEventDetails.coffee
@@ -14,24 +14,24 @@ define [
   class EditCalendarEventDetails
     constructor: (selector, @event, @contextChangeCB, @closeCB) ->
       @currentContextInfo = null
-      @form = $(editCalendarEventTemplate({
+      @$form = $(editCalendarEventTemplate({
         title: @event.title
         contexts: @event.possibleContexts()
         lockedTitle: @event.lockedTitle
         location_name: @event.location_name
       }))
-      $(selector).append @form
+      $(selector).append @$form
 
       @setupTimeAndDatePickers()
 
-      @form.submit @formSubmit
-      @form.find(".more_options_link").click @moreOptionsClick
-      @form.find("select.context_id").change @contextChange
-      @form.find("select.context_id").triggerHandler('change', false)
+      @$form.submit @formSubmit
+      @$form.find(".more_options_link").click @moreOptionsClick
+      @$form.find("select.context_id").change @contextChange
+      @$form.find("select.context_id").triggerHandler('change', false)
 
       # Hide the context selector completely if this is an existing event, since it can't be changed.
       if !@event.isNewEvent()
-        @form.find(".context_select").hide()
+        @$form.find(".context_select").hide()
 
     contextInfoForCode: (code) ->
       for context in @event.possibleContexts()
@@ -40,20 +40,20 @@ define [
       return null
 
     activate: () =>
-      @form.find("select.context_id").change()
+      @$form.find("select.context_id").change()
 
     getFormData: =>
-      data = @form.getFormData(object_name: 'calendar_event')
+      data = @$form.getFormData(object_name: 'calendar_event')
       data = _.omit(data, 'date', 'start_time', 'end_time')
 
-      date = @form.find('input[name=date]').data('date')
+      date = @$form.find('input[name=date]').data('date')
       if date
-        start_time = @form.find('input[name=start_time]').data('date')
+        start_time = @$form.find('input[name=start_time]').data('date')
         start_at = date.toString('yyyy-MM-dd')
         start_at += start_time.toString(' HH:mm') if start_time
         data.start_at = tz.parse(start_at)
 
-        end_time = @form.find('input[name=end_time]').data('date')
+        end_time = @$form.find('input[name=end_time]').data('date')
         end_at = date.toString('yyyy-MM-dd')
         end_at += end_time.toString(' HH:mm') if end_time
         data.end_at = tz.parse(end_at)
@@ -69,9 +69,9 @@ define [
       data = @getFormData()
 
       # override parsed input with user input (for 'More Options' only)
-      data.start_date = @form.find('input[name=date]').val()
-      data.start_time = @form.find('input[name=start_time]').val()
-      data.end_time = @form.find('input[name=end_time]').val()
+      data.start_date = @$form.find('input[name=date]').val()
+      data.start_time = @$form.find('input[name=start_time]').val()
+      data.end_time = @$form.find('input[name=end_time]').val()
 
       if data.title then params['title'] = data.title
       if data.location_name then params['location_name'] = data.location_name
@@ -84,7 +84,7 @@ define [
       window.location.href = pieces.join("#")
 
     setContext: (newContext) =>
-      @form.find("select.context_id").val(newContext).triggerHandler('change', false)
+      @$form.find("select.context_id").val(newContext).triggerHandler('change', false)
 
     contextChange: (jsEvent, propagate) =>
       context = $(jsEvent.target).val()
@@ -101,21 +101,21 @@ define [
         moreOptionsHref = @currentContextInfo.new_calendar_event_url
       else
         moreOptionsHref = @event.fullDetailsURL() + '/edit'
-      @form.find(".more_options_link").attr 'href', moreOptionsHref
+      @$form.find(".more_options_link").attr 'href', moreOptionsHref
 
     setupTimeAndDatePickers: () =>
-      @form.find(".date_field").date_field()
+      @$form.find(".date_field").date_field()
       # TODO: Refactor this logic that forms a relationship between two time fields into a module
-      @form.find(".time_field").time_field().
+      @$form.find(".time_field").time_field().
         blur (jsEvent) =>
-          start_time = @form.find(".time_field.start_time").next(".datetime_suggest").text()
-          if @form.find(".time_field.start_time").next(".datetime_suggest").hasClass('invalid_datetime')
+          start_time = @$form.find(".time_field.start_time").next(".datetime_suggest").text()
+          if @$form.find(".time_field.start_time").next(".datetime_suggest").hasClass('invalid_datetime')
             start_time = null
-          start_time ?= @form.find(".time_field.start_time").val()
-          end_time = @form.find(".time_field.end_time").next(".datetime_suggest").text()
-          if @form.find(".time_field.end_time").next(".datetime_suggest").hasClass('invalid_datetime')
+          start_time ?= @$form.find(".time_field.start_time").val()
+          end_time = @$form.find(".time_field.end_time").next(".datetime_suggest").text()
+          if @$form.find(".time_field.end_time").next(".datetime_suggest").hasClass('invalid_datetime')
             end_time = null
-          end_time ?= @form.find(".time_field.end_time").val()
+          end_time ?= @$form.find(".time_field.end_time").val()
 
           startDate = Date.parse(start_time)
           endDate = Date.parse(end_time)
@@ -128,21 +128,21 @@ define [
           else
             if endDate < startDate then endDate = startDate
           if startDate
-            @form.find(".time_field.start_time").val(startDate.toString('h:mmtt').toLowerCase())
+            @$form.find(".time_field.start_time").val(startDate.toString('h:mmtt').toLowerCase())
           if endDate
-            @form.find(".time_field.end_time").val(endDate.toString('h:mmtt').toLowerCase())
+            @$form.find(".time_field.end_time").val(endDate.toString('h:mmtt').toLowerCase())
 
       startDate = @event.startDate()
       endDate = @event.endDate()
 
       if !@event.allDay
         if startDate
-          @form.find(".time_field.start_time").val(startDate.toString('h:mmtt')).change().blur()
+          @$form.find(".time_field.start_time").val(startDate.toString('h:mmtt')).change().blur()
         if endDate
-          @form.find(".time_field.end_time").val(endDate.toString('h:mmtt')).change().blur()
+          @$form.find(".time_field.end_time").val(endDate.toString('h:mmtt')).change().blur()
 
       if startDate
-        @form.find(".date_field").val(startDate.toString('MMM d, yyyy')).change()
+        @$form.find(".date_field").val(startDate.toString('MMM d, yyyy')).change()
 
     formSubmit: (jsEvent) =>
       jsEvent.preventDefault()
@@ -165,7 +165,7 @@ define [
             start_at: if data.start_at then data.start_at.toISOString() else null
             end_at: if data.end_at then data.end_at.toISOString() else null
             location_name: location_name
-            context_code: @form.find(".context_id").val()
+            context_code: @$form.find(".context_id").val()
         newEvent = commonEventFactory(objectData, @event.possibleContexts())
         newEvent.save(params)
       else
diff --git a/app/coffeescripts/developer_keys.coffee b/app/coffeescripts/developer_keys.coffee
index f5432720a90..f6efe51ef6d 100644
--- a/app/coffeescripts/developer_keys.coffee
+++ b/app/coffeescripts/developer_keys.coffee
@@ -7,7 +7,7 @@ define [
   'jquery.ajaxJSON'
   'jquery.instructure_date_and_time'
   'jqueryui/dialog'
-], (I18n, $, developer_key, developer_key_form, preventDefault) ->
+], (I18n, $, developer_key, developerKeyFormTemplate, preventDefault) ->
   page = 0
   buildKey = (key) ->
     key.icon_image_url = key.icon_url || "/images/blank.png"
@@ -20,7 +20,7 @@ define [
     $key.data('key', key)
     
   buildForm = (key, $orig) ->
-    $form = $(developer_key_form(key || {}))
+    $form = $(developerKeyFormTemplate(key || {}))
     $form.formSubmit({
       beforeSubmit: ->
         $("#edit_dialog button.submit").text(I18n.t('button.saving', "Saving Key..."))
@@ -72,7 +72,7 @@ define [
     $form = buildForm()
     $("#edit_dialog").empty().append($form).dialog('open')
   )
-  $("#edit_dialog").html(developer_key_form({})).dialog({
+  $("#edit_dialog").html(developerKeyFormTemplate({})).dialog({
     autoOpen: false,
     width: 350
   }).on('click', '.cancel', () ->
diff --git a/app/coffeescripts/discussions/EntryEditor.coffee b/app/coffeescripts/discussions/EntryEditor.coffee
index 23929a0717e..457c8bfae30 100644
--- a/app/coffeescripts/discussions/EntryEditor.coffee
+++ b/app/coffeescripts/discussions/EntryEditor.coffee
@@ -48,7 +48,7 @@ define [
 
     createCancelButton: ->
       $('<a/>')
-        .html(I18n.t('cancel', 'Cancel'))
+        .text(I18n.t('cancel', 'Cancel'))
         .css(marginLeft: '5px')
         .attr('href', 'javascript:')
         .addClass('cancel_button')
diff --git a/app/coffeescripts/discussions/Reply.coffee b/app/coffeescripts/discussions/Reply.coffee
index f30bae4c27a..f4f8ea4c44e 100644
--- a/app/coffeescripts/discussions/Reply.coffee
+++ b/app/coffeescripts/discussions/Reply.coffee
@@ -8,8 +8,9 @@ define [
   'jst/discussions/_reply_attachment'
   'compiled/fn/preventDefault'
   'compiled/views/editor/KeyboardShortcuts'
+  'str/stripTags'
   'tinymce.editor_box'
-], (Backbone, _, I18n, $, Entry, htmlEscape, replyAttachmentTemplate, preventDefault, KeyboardShortcuts) ->
+], (Backbone, _, I18n, $, Entry, htmlEscape, replyAttachmentTemplate, preventDefault, KeyboardShortcuts, stripTags) ->
 
   class Reply
 
@@ -87,7 +88,7 @@ define [
     submit: =>
       @hide()
       @textArea._setContentCode ''
-      @view.model.set 'notification', "<div class='alert alert-info'>#{I18n.t 'saving_reply', 'Saving reply...'}</div>"
+      @view.model.set 'notification', "<div class='alert alert-info'>#{htmlEscape I18n.t 'saving_reply', 'Saving reply...'}</div>"
       entry = new Entry @getModelAttributes()
       entry.save null,
         success: @onPostReplySuccess
@@ -112,7 +113,7 @@ define [
       now = new Date().getTime()
       # TODO: remove this summary, server should send it in create response and no further
       # work is required
-      summary: $('<div/>').html(@content).text()
+      summary: stripTags(@content)
       message: @content
       parent_id: if @options.topLevel then null else @view.model.get 'id'
       user_id: ENV.current_user_id
diff --git a/app/coffeescripts/editor/EditorToggle.coffee b/app/coffeescripts/editor/EditorToggle.coffee
index c5d6572abae..8c654683fcb 100644
--- a/app/coffeescripts/editor/EditorToggle.coffee
+++ b/app/coffeescripts/editor/EditorToggle.coffee
@@ -7,6 +7,10 @@ define [
   'tinymce.editor_box'
 ], (_, I18n, $, Backbone, preventDefault) ->
 
+  ###
+  xsslint safeString.property content
+  ###
+
   ##
   # Toggles an element between a rich text editor and itself
   class EditorToggle
@@ -103,7 +107,7 @@ define [
     # @api private
     createDone: ->
       $('<a/>')
-        .html(@options.doneText)
+        .text(@options.doneText)
         .attr('href', '#')
         .addClass('btn edit-html-done edit_html_done')
         .attr('title', I18n.t('done.title', 'Click to finish editing the rich text area'))
diff --git a/app/coffeescripts/editor/editorAccessibility.coffee b/app/coffeescripts/editor/editorAccessibility.coffee
index 0c7aa7f11f1..de2188f6cb6 100644
--- a/app/coffeescripts/editor/editorAccessibility.coffee
+++ b/app/coffeescripts/editor/editorAccessibility.coffee
@@ -1,7 +1,8 @@
 define [
   'i18n!editor_accessibility'
   'jquery'
-], (I18n, $) ->
+  'str/htmlEscape'
+], (I18n, $, htmlEscape) ->
   ##
   # Used to insert accessibility titles into core TinyMCE components
   class EditorAccessiblity
@@ -32,7 +33,7 @@ define [
 
       @$el.find("##{@id_prepend}_instructure_record").attr('aria-disabled', 'true')
       @$el.find("##{@id_prepend}_instructure_record").removeAttr('role')
-      @$el.find("##{@id_prepend}_instructure_record_voice").append('<br/>').append(I18n.t('accessibles.record', 'This feature is inaccessible for screen readers.'))
+      @$el.find("##{@id_prepend}_instructure_record_voice").append('<br/>').append(htmlEscape(I18n.t('accessibles.record', 'This feature is inaccessible for screen readers.')))
       @$el.find("##{@id_prepend}_instructure_record img").attr('alt',
         @$el.find("##{@id_prepend}_instructure_record img").attr('alt') + ", " + I18n.t('accessibles.record', 'This feature is inaccessible for screen readers.'));
 
diff --git a/app/coffeescripts/gradebook2/CurveGradesDialog.coffee b/app/coffeescripts/gradebook2/CurveGradesDialog.coffee
index aa1604deb12..6a70bdd57e9 100644
--- a/app/coffeescripts/gradebook2/CurveGradesDialog.coffee
+++ b/app/coffeescripts/gradebook2/CurveGradesDialog.coffee
@@ -2,13 +2,14 @@ define [
   'i18n!gradebook2'
   'jquery'
   'jst/CurveGradesDialog'
+  'str/htmlEscape'
   'jquery.disableWhileLoading'
   'jquery.instructure_forms'
   'jqueryui/dialog'
   'jquery.instructure_misc_plugins'
   'compiled/jquery/fixDialogButtons'
   'vendor/jquery.ba-tinypubsub'
-], (I18n, $, curveGradesDialogTemplate) ->
+], (I18n, $, curveGradesDialogTemplate, htmlEscape) ->
 
   class CurveGradesDialog
     constructor: ({@assignment, @students, context_url}) ->
@@ -133,12 +134,12 @@ define [
             pct = (users.length / maxCount)
             cnt = users.length
           color = (if idx == 0 then "#a03536" else "#007ab8")
-          $("#results_list").prepend "<td style='padding: 1px;'><div title='" + cnt + " student" + (if cnt == 1 then "" else "s") + " will get " + idx + " points' style='border: 1px solid #888; background-color: " + color + "; width: " + width + "px; height: " + (100 * pct) + "px; margin-top: " + (100 * (1 - pct)) + "px;'>&nbsp;</div></td>"
-          $("#results_values").prepend "<td style='text-align: center;'>" + idx + "</td>"
+          $("#results_list").prepend "<td style='padding: 1px;'><div title='" + htmlEscape(I18n.t({one: "1 student will get %{num} points", other: "%{count} students will get %{num} points"}, {count: cnt, num: idx})) + "' style='border: 1px solid #888; background-color: " + htmlEscape(color) + "; width: " + htmlEscape(width) + "px; height: " + htmlEscape(100 * pct) + "px; margin-top: " + htmlEscape(100 * (1 - pct)) + "px;'>&nbsp;</div></td>"
+          $("#results_values").prepend "<td style='text-align: center;'>" + htmlEscape(idx) + "</td>"
           skipCount = 0
         else
           skipCount++
         idx--
-      $("#results_list").prepend "<td><div style='height: 100px; position: relative; width: 30px; font-size: 0.8em;'><img src='/images/number_of_students.png' alt='# of students'/><div style='position: absolute; top: 0; right: 3px;'>" + maxCount + "</div><div style='position: absolute; bottom: 0; right: 3px;'>0</div></div></td>"
+      $("#results_list").prepend "<td><div style='height: 100px; position: relative; width: 30px; font-size: 0.8em;'><img src='/images/number_of_students.png' alt='" + htmlEscape(I18n.t("# of students")) + "'/><div style='position: absolute; top: 0; right: 3px;'>" + htmlEscape(maxCount) + "</div><div style='position: absolute; bottom: 0; right: 3px;'>0</div></div></td>"
       $("#results_values").prepend "<td>&nbsp;</td>"
       finalScores
diff --git a/app/coffeescripts/gradebook2/Gradebook.coffee b/app/coffeescripts/gradebook2/Gradebook.coffee
index c976905b95f..f2300f5f271 100644
--- a/app/coffeescripts/gradebook2/Gradebook.coffee
+++ b/app/coffeescripts/gradebook2/Gradebook.coffee
@@ -410,16 +410,15 @@ define [
       window.location.reload()
 
     assignmentGroupHtml: (group_name, group_weight) =>
-      escaped_group_name = htmlEscape(group_name)
       if @weightedGroups()
         percentage = I18n.toPercentage(group_weight, precision: 2)
         """
-          #{escaped_group_name}<div class='assignment-points-possible'>
-            #{I18n.t 'percent_of_grade', "%{percentage} of grade", percentage: percentage}
+          #{htmlEscape(group_name)}<div class='assignment-points-possible'>
+            #{htmlEscape I18n.t 'percent_of_grade', "%{percentage} of grade", percentage: percentage}
           </div>
         """
       else
-        "#{escaped_group_name}"
+        htmlEscape(group_name)
 
     # filter, sort, and build the dataset for slickgrid to read from, then force
     # a full redraw
@@ -536,7 +535,7 @@ define [
             (SubmissionCell[assignment.grading_type] || SubmissionCell).formatter(row, col, submission, assignment)
 
     staticCellFormatter: (row, col, val) =>
-      "<div class='cell-content gradebook-cell'>#{val}</div>"
+      "<div class='cell-content gradebook-cell'>#{htmlEscape(val)}</div>"
 
     uneditableCellFormatter: (row, col) =>
       "<div class='cell-content gradebook-cell grayed-out'></div>"
@@ -654,7 +653,7 @@ define [
       columnDef.name = columnDef.unminimizedName
       columnDef.minimized = false
       @$grid.find(".l#{colIndex}").add($columnHeader).removeClass('minimized')
-      $columnHeader.find('.slick-column-name').html(columnDef.name)
+      $columnHeader.find('.slick-column-name').html($.raw(columnDef.name))
       @assignmentsToHide = $.grep @assignmentsToHide, (el) -> el != columnDef.id
       userSettings.contextSet('hidden_columns', _.uniq(@assignmentsToHide))
 
@@ -678,7 +677,7 @@ define [
         # add lines for dropped, late, resubmitted
         Array::push.apply htmlLines, $.map(SubmissionCell.classesBasedOnSubmission(submission, assignment), (c)=> GRADEBOOK_TRANSLATIONS["#submission_tooltip_#{c}"])
       else if assignment.points_possible?
-        htmlLines.push I18n.t('points_out_of', "out of %{points_possible}", points_possible: assignment.points_possible)
+        htmlLines.push htmlEscape(I18n.t('points_out_of', "out of %{points_possible}", points_possible: assignment.points_possible))
 
       $hoveredCell.data('tooltip', $("<span />",
         class: 'gradebook-tooltip'
@@ -687,7 +686,7 @@ define [
           top: offset.top
           zIndex: 10000
           display: 'block'
-        html: htmlLines.join('<br />')
+        html: $.raw(htmlLines.join('<br />'))
       ).appendTo('body')
       .css('top', (i, top) -> parseInt(top) - $(this).outerHeight()))
 
@@ -972,7 +971,7 @@ define [
 
       @parentColumns = [
         id: 'student'
-        name: I18n.t 'student_name', 'Student Name'
+        name: htmlEscape I18n.t 'student_name', 'Student Name'
         field: 'display_name'
         width: 150
         cssClass: "meta-cell"
@@ -981,7 +980,7 @@ define [
         formatter: @htmlContentFormatter
       ,
         id: 'secondary_identifier'
-        name: I18n.t 'secondary_id', 'Secondary ID'
+        name: htmlEscape I18n.t 'secondary_id', 'Secondary ID'
         field: 'secondary_identifier'
         width: 100
         cssClass: "meta-cell secondary_identifier_cell"
@@ -1046,7 +1045,7 @@ define [
         field: "total_grade"
         formatter: @groupTotalFormatter
         name: """
-          #{total}
+          #{htmlEscape total}
           <div id=total_column_header></div>
         """
         toolTip: total
@@ -1208,6 +1207,10 @@ define [
         else
           @totalGradeWarning = null
 
+    ###
+    xsslint jqueryObject.identifier createLink
+    xsslint jqueryObject.function showLink hideLink
+    ###
     showCustomColumnDropdownOption: ->
       linkContainer = $("<li>").appendTo(".gradebook_drop_down")
 
diff --git a/app/coffeescripts/gradebook2/OutcomeGradebookGrid.coffee b/app/coffeescripts/gradebook2/OutcomeGradebookGrid.coffee
index af8d296e5e6..2b415a60e9b 100644
--- a/app/coffeescripts/gradebook2/OutcomeGradebookGrid.coffee
+++ b/app/coffeescripts/gradebook2/OutcomeGradebookGrid.coffee
@@ -9,6 +9,10 @@ define [
   'jst/gradebook2/outcome_gradebook_student_cell'
 ], (I18n, $, _, HeaderFilterView, OutcomeColumnView, numberCompare, cellTemplate, studentCellTemplate) ->
 
+  ###
+  xsslint safeString.method cellHtml
+  ###
+
   Grid =
     filter: ['mastery', 'near-mastery', 'remedial']
 
diff --git a/app/coffeescripts/gradebook2/SubmissionCell.coffee b/app/coffeescripts/gradebook2/SubmissionCell.coffee
index 57035669650..b38b9982e6c 100644
--- a/app/coffeescripts/gradebook2/SubmissionCell.coffee
+++ b/app/coffeescripts/gradebook2/SubmissionCell.coffee
@@ -15,7 +15,7 @@ define [
 
     init: () ->
       submission = @opts.item[@opts.column.field]
-      @$wrapper = $(@cellWrapper("<input #{@ariaLabel(submission.submission_type)} class='grade'/>")).appendTo(@opts.container)
+      @$wrapper = $(@cellWrapper("<input #{htmlEscape @ariaLabel(submission.submission_type)} class='grade'/>")).appendTo(@opts.container)
       @$input = @$wrapper.find('input').focus().select()
 
     destroy: () ->
@@ -82,15 +82,15 @@ define [
 
       if turnitin = extractData(opts.submission)
         specialClasses.push('turnitin')
-        innerContents += "<span class='gradebook-cell-turnitin #{turnitin.state}-score' />"
+        innerContents += "<span class='gradebook-cell-turnitin #{htmlEscape turnitin.state}-score' />"
 
       tooltipText = $.map(specialClasses, (c)-> GRADEBOOK_TRANSLATIONS["submission_tooltip_#{c}"]).join ', '
 
       """
-      #{ if tooltipText then '<div class="gradebook-tooltip">'+ tooltipText + '</div>' else ''}
-      <div class="gradebook-cell #{ if opts.editable then 'gradebook-cell-editable focus' else ''} #{opts.classes} #{specialClasses.join(' ')}">
+      #{$.raw if tooltipText then '<div class="gradebook-tooltip">'+ htmlEscape(tooltipText) + '</div>' else ''}
+      <div class="gradebook-cell #{htmlEscape if opts.editable then 'gradebook-cell-editable focus' else ''} #{htmlEscape opts.classes} #{htmlEscape specialClasses.join(' ')}">
         <a href="#" data-user-id=#{opts.submission.user_id} data-assignment-id=#{opts.assignment.id} class="gradebook-cell-comment"><span class="gradebook-cell-comment-label">submission comments</span></a>
-        #{innerContents}
+        #{$.raw innerContents}
       </div>
       """
 
@@ -112,7 +112,7 @@ define [
 
     @submissionIcon: (submission_type) ->
       klass = SubmissionCell.iconFromSubmissionType(submission_type)
-      "<i class='icon-#{klass}' ></i>"
+      "<i class='icon-#{htmlEscape klass}' ></i>"
 
     @iconFromSubmissionType: (submission_type) ->
       switch submission_type
@@ -135,7 +135,7 @@ define [
       @$wrapper = $(@cellWrapper("""
         <div class="overflow-wrapper">
           <div class="grade-and-outof-wrapper">
-            <input type="text" #{@ariaLabel(submission.submission_type)} class="grade"/><span class="outof"><span class="divider">/</span>#{@opts.column.object.points_possible}</span>
+            <input type="text" #{htmlEscape @ariaLabel(submission.submission_type)} class="grade"/><span class="outof"><span class="divider">/</span>#{htmlEscape @opts.column.object.points_possible}</span>
           </div>
         </div>
       """, { classes: 'gradebook-cell-out-of-formatter' })).appendTo(@opts.container)
@@ -144,7 +144,7 @@ define [
   class SubmissionCell.letter_grade extends SubmissionCell
     @formatter: (row, col, submission, assignment) ->
       innerContents = if submission.score
-        "#{submission.grade}<span class='letter-grade-points'>#{submission.score}</span>"
+        "#{htmlEscape submission.grade}<span class='letter-grade-points'>#{htmlEscape submission.score}</span>"
       else
         submission.grade
 
@@ -165,7 +165,7 @@ define [
     htmlFromSubmission: (options={}) ->
       cssClass = classFromSubmission(options.submission)
       SubmissionCell::cellWrapper("""
-        <a data-value="#{cssClass}" class="gradebook-checkbox gradebook-checkbox-#{cssClass} #{'editable' if options.editable}" href="#">#{cssClass}</a>
+        <a data-value="#{htmlEscape cssClass}" class="gradebook-checkbox gradebook-checkbox-#{htmlEscape cssClass} #{htmlEscape('editable' if options.editable)}" href="#">#{htmlEscape cssClass}</a>
       """, options)
 
     # htmlFromSubmission = (submission, editable = false) ->
diff --git a/app/coffeescripts/handlebars_helpers.coffee b/app/coffeescripts/handlebars_helpers.coffee
index 01b4b3cea54..b9837f53002 100644
--- a/app/coffeescripts/handlebars_helpers.coffee
+++ b/app/coffeescripts/handlebars_helpers.coffee
@@ -53,7 +53,7 @@ define [
         courseText = I18n.t('#helpers.course', 'Course')
         courseDatetime = $.datetimeString(datetime, timezone: ENV.CONTEXT_TIMEZONE)
         if localDatetime != courseDatetime
-          titleText = "#{localText}: #{localDatetime}<br>#{courseText}: #{courseDatetime}"
+          titleText = "#{htmlEscape localText}: #{htmlEscape localDatetime}<br>#{htmlEscape courseText}: #{htmlEscape courseDatetime}"
 
       if justText
         new Handlebars.SafeString titleText
@@ -71,7 +71,7 @@ define [
       else
         timeTitle = $.datetimeString(datetime)
 
-      new Handlebars.SafeString "<time data-tooltip title='#{timeTitle}' datetime='#{datetime.toISOString()}' #{'pubdate' if pubdate}>#{$.friendlyDatetime(fudged)}</time>"
+      new Handlebars.SafeString "<time data-tooltip title='#{htmlEscape timeTitle}' datetime='#{datetime.toISOString()}' #{$.raw('pubdate' if pubdate)}>#{$.friendlyDatetime(fudged)}</time>"
 
 
 
@@ -79,7 +79,7 @@ define [
     formattedDate : (datetime, format, {hash: {pubdate}}) ->
       return unless datetime?
       datetime = tz.parse(datetime) unless _.isDate datetime
-      new Handlebars.SafeString "<time data-tooltip title='#{$.datetimeString(datetime)}' datetime='#{datetime.toISOString()}' #{'pubdate' if pubdate}>#{datetime.toString(format)}</time>"
+      new Handlebars.SafeString "<time data-tooltip title='#{$.datetimeString(datetime)}' datetime='#{datetime.toISOString()}' #{$.raw('pubdate' if pubdate)}>#{htmlEscape datetime.toString(format)}</time>"
 
     # IMPORTANT: these next two handlebars helpers emit profile-timezone
     # human-formatted strings. don't send them as is to the server (you can
@@ -332,11 +332,11 @@ define [
       attributes = for key, val of inputProps when val?
         "#{htmlEscape key}=\"#{htmlEscape val}\""
 
-      hiddenDisabled = if inputProps.disabled then "disabled" else ""
+      hiddenDisabledHtml = if inputProps.disabled then "disabled" else ""
 
       new Handlebars.SafeString """
-        <input name="#{htmlEscape inputProps.name}" type="hidden" value="0" #{hiddenDisabled}>
-        <input #{attributes.join ' '} />
+        <input name="#{htmlEscape inputProps.name}" type="hidden" value="0" #{hiddenDisabledHtml}>
+        <input #{$.raw attributes.join ' '} />
       """
 
     toPercentage: (number) ->
diff --git a/app/coffeescripts/helpDialog.coffee b/app/coffeescripts/helpDialog.coffee
index 954f04f85ea..fee033ca524 100644
--- a/app/coffeescripts/helpDialog.coffee
+++ b/app/coffeescripts/helpDialog.coffee
@@ -85,9 +85,9 @@ define [
       if newTitle = @$dialog.find("a[href='#{panelId}'] .text").text()
         newTitle = $("
           <a class='ui-dialog-header-backlink' href='#help-dialog-options'>
-            #{I18n.t('Back', 'Back')}
+            #{htmlEscape(I18n.t('Back', 'Back'))}
           </a>
-          <span>#{newTitle}</span>
+          <span>#{htmlEscape(newTitle)}</span>
         ")
       else
         newTitle = @defaultTitle
@@ -114,11 +114,12 @@ define [
                 @$dialog.dialog('close')
 
         $.when(coursesDfd, @helpLinksDfd).done ([courses]) ->
-          options = $.map courses, (c) ->
-            "<option value='course_#{c.id}_admins' #{if ENV.context_id is c.id then 'selected' else ''}>
+          optionsHtml = $.map(courses, (c) ->
+            "<option value='course_#{c.id}_admins' #{$.raw if ENV.context_id is c.id then 'selected' else ''}>
               #{htmlEscape(c.name)}
             </option>"
-          $form.find('[name="recipients[]"]').html(options.join '')
+          ).join('')
+          $form.find('[name="recipients[]"]').html(optionsHtml)
 
     initTriggers: ->
       $('.help_dialog_trigger').click preventDefault @open
diff --git a/app/coffeescripts/jobs.coffee b/app/coffeescripts/jobs.coffee
index 869e9e53528..0419f84cdcb 100644
--- a/app/coffeescripts/jobs.coffee
+++ b/app/coffeescripts/jobs.coffee
@@ -5,6 +5,9 @@ define [
   'jquery.ajaxJSON'
   'jqueryui/dialog'
 ], (I18n, $, Slick) ->
+  ###
+  xsslint safeString.identifier klass d out_of runtime_string
+  ###
 
   fillin_job_data = (job) ->
     $('#show-job .show-field').each (idx, field) =>
diff --git a/app/coffeescripts/jquery.rails_flash_notifications.coffee b/app/coffeescripts/jquery.rails_flash_notifications.coffee
index 5bc6e555ac5..81bd232c82d 100644
--- a/app/coffeescripts/jquery.rails_flash_notifications.coffee
+++ b/app/coffeescripts/jquery.rails_flash_notifications.coffee
@@ -23,6 +23,9 @@ define [
       $this.stop(true, true).remove()
   initFlashContainer() # look for the container on script load
 
+  ###
+  xsslint safeString.function escapeContent
+  ###
   escapeContent = (content) ->
     if content.hasOwnProperty('html') then content.html else htmlEscape(content)
 
@@ -37,10 +40,10 @@ define [
 
   flashBox = (type, content, timeout, cssOptions = {}) ->
     $node = $("""
-      <li class="ic-flash-#{type}">
+      <li class="ic-flash-#{htmlEscape(type)}">
         <i></i>
         #{escapeContent(content)}
-        <a href="#" class="close_link icon-end">#{I18n.t("close", "Close")}</a>
+        <a href="#" class="close_link icon-end">#{htmlEscape I18n.t("close", "Close")}</a>
       </li>
     """)
 
diff --git a/app/coffeescripts/jquery/mediaCommentThumbnail.coffee b/app/coffeescripts/jquery/mediaCommentThumbnail.coffee
index 6c6bf9a356e..bde7ba77891 100644
--- a/app/coffeescripts/jquery/mediaCommentThumbnail.coffee
+++ b/app/coffeescripts/jquery/mediaCommentThumbnail.coffee
@@ -26,8 +26,8 @@ define [
                       "#{dimensions.width}/height/#{dimensions.height}/bgcolor/000000/type/2/vid_sec/5"
 
       $thumbnail = $ "<span
-                        style='background-image: url(#{backgroundUrl});'
-                        class='media_comment_thumbnail media_comment_thumbnail-#{size}'
+                        style='background-image: url(#{htmlEscape(backgroundUrl)});'
+                        class='media_comment_thumbnail media_comment_thumbnail-#{htmlEscape(size)}'
                       >
                         <span class='media_comment_thumbnail_play_button'>
                           #{htmlEscape I18n.t 'click_to_view', 'Click to view'}
diff --git a/app/coffeescripts/media_comments/file_input_manager.coffee b/app/coffeescripts/media_comments/file_input_manager.coffee
index 114cf11fcd9..3484ccb456f 100644
--- a/app/coffeescripts/media_comments/file_input_manager.coffee
+++ b/app/coffeescripts/media_comments/file_input_manager.coffee
@@ -16,8 +16,8 @@ define [
       if @$fileInput
         @$fileInput.off 'change', callback
         @$fileInput.remove()
-      fileInput = "<input id='#{id}' type='file' style='display: none;'>"
-      $(parentId).append(fileInput)
+      fileInputHtml = "<input id='#{id}' type='file' style='display: none;'>"
+      $(parentId).append(fileInputHtml)
       @$fileInput = $("##{id}")
       @$fileInput.on 'change', callback
 
diff --git a/app/coffeescripts/media_comments/upload_view_manager.coffee b/app/coffeescripts/media_comments/upload_view_manager.coffee
index a0a9c1eb593..c8eadd8c650 100644
--- a/app/coffeescripts/media_comments/upload_view_manager.coffee
+++ b/app/coffeescripts/media_comments/upload_view_manager.coffee
@@ -68,7 +68,7 @@ define [
     showErrorMessage: (message) ->
       @hideProgBar()
       $('#media_upload_feedback').css('visibility', 'visible')
-      $("#media_upload_feedback_text").html(message)
+      $("#media_upload_feedback_text").text(message)
 
     showProgBar: ->
       $('#media_upload_progress').css('visibility', 'visible').progressbar()
diff --git a/app/coffeescripts/models/DiscussionTopic.coffee b/app/coffeescripts/models/DiscussionTopic.coffee
index 20b13461af4..8c7e0bb37a3 100644
--- a/app/coffeescripts/models/DiscussionTopic.coffee
+++ b/app/coffeescripts/models/DiscussionTopic.coffee
@@ -7,7 +7,8 @@ define [
   'compiled/collections/DiscussionEntriesCollection'
   'compiled/models/Assignment'
   'compiled/models/DateGroup'
-], (I18n, Backbone, $, _, ParticipantCollection, DiscussionEntriesCollection, Assignment, DateGroup) ->
+  'str/stripTags'
+], (I18n, Backbone, $, _, ParticipantCollection, DiscussionEntriesCollection, Assignment, DateGroup, stripTags) ->
 
   class DiscussionTopic extends Backbone.Model
     resourceName: 'discussion_topics'
@@ -116,7 +117,7 @@ define [
         @entries.reset(entries)
 
     summary: ->
-      $('<div/>').html(@get('message')).text() || ''
+      stripTags @get('message')
 
     # TODO: this would belong in Backbone.model, but I dont know of others are going to need it much
     # or want to commit to this api so I am just putting it here for now
diff --git a/app/coffeescripts/models/Entry.coffee b/app/coffeescripts/models/Entry.coffee
index 3a01bbfbf84..c7e22254f47 100644
--- a/app/coffeescripts/models/Entry.coffee
+++ b/app/coffeescripts/models/Entry.coffee
@@ -7,8 +7,9 @@ define [
   'jquery'
   'underscore'
   'Backbone'
+  'str/stripTags'
   'jquery.ajaxJSON'
-], (I18n, $, _, Backbone) ->
+], (I18n, $, _, Backbone, stripTags) ->
 
   ##
   # Model representing an entry in discussion topic
@@ -172,8 +173,7 @@ define [
     ##
     # Computed attribute
     summary: ->
-      @escapeDiv ||= $('<div/>')
-      @escapeDiv.html(@get('message')).text()
+      stripTags @get('message')
 
     ##
     # Not familiar enough with Backbone.sync to do this, using ajaxJSON
diff --git a/app/coffeescripts/registration/signupDialog.coffee b/app/coffeescripts/registration/signupDialog.coffee
index 0570277a4bd..1f01ac6f08e 100644
--- a/app/coffeescripts/registration/signupDialog.coffee
+++ b/app/coffeescripts/registration/signupDialog.coffee
@@ -8,10 +8,11 @@ define [
   'jst/registration/studentDialog'
   'jst/registration/parentDialog'
   'compiled/util/addPrivacyLinkToDialog'
+  'str/htmlEscape'
   'compiled/jquery/validate'
   'jquery.instructure_forms'
   'jquery.instructure_date_and_time'
-], ($, _, I18n, preventDefault, registrationErrors, teacherDialog, studentDialog, parentDialog, addPrivacyLinkToDialog) ->
+], ($, _, I18n, preventDefault, registrationErrors, teacherDialog, studentDialog, parentDialog, addPrivacyLinkToDialog, htmlEscape) ->
 
   $nodes = {}
   templates = {teacherDialog, studentDialog, parentDialog}
@@ -24,19 +25,20 @@ define [
       "teacher_dialog.agree_to_terms_and_pp"
       "You agree to the *terms of use* and acknowledge the **privacy policy**."
       wrappers: [
-        "<a href=\"#{terms_of_use_url}\" target=\"_blank\">$1</a>"
-        "<a href=\"#{privacy_policy_url}\" target=\"_blank\">$1</a>"
+        "<a href=\"#{htmlEscape terms_of_use_url}\" target=\"_blank\">$1</a>"
+        "<a href=\"#{htmlEscape privacy_policy_url}\" target=\"_blank\">$1</a>"
       ]
     )
 
   signupDialog = (id, title) ->
     return unless templates[id]
     $node = $nodes[id] ?= $('<div />')
-    $node.html templates[id](
+    html = templates[id](
       account: ENV.ACCOUNT.registration_settings
       terms_required: ENV.ACCOUNT.terms_required
       terms_html: termsHtml(ENV.ACCOUNT)
     )
+    $node.html html
     $node.find('.date-field').datetime_field()
 
     $node.find('.signup_link').click preventDefault ->
diff --git a/app/coffeescripts/str/TextHelper.coffee b/app/coffeescripts/str/TextHelper.coffee
index 974bb283dc0..86521fee4c0 100644
--- a/app/coffeescripts/str/TextHelper.coffee
+++ b/app/coffeescripts/str/TextHelper.coffee
@@ -52,9 +52,9 @@ define [
   th = 
     quoteClump: (lines) ->
       "<div class='quoted_text_holder'>
-        <a href='#' class='show_quoted_text_link'>#{I18n.t("quoted_text_toggle", "show quoted text")}</a>
+        <a href='#' class='show_quoted_text_link'>#{htmlEscape I18n.t("quoted_text_toggle", "show quoted text")}</a>
         <div class='quoted_text' style='display: none;'>
-          #{lines.join "\n"}
+          #{$.raw lines.join "\n"}
         </div>
       </div>"
   
diff --git a/app/coffeescripts/str/convertApiUserContent.coffee b/app/coffeescripts/str/convertApiUserContent.coffee
index 78348acb82b..8e7cf4424cd 100644
--- a/app/coffeescripts/str/convertApiUserContent.coffee
+++ b/app/coffeescripts/str/convertApiUserContent.coffee
@@ -1,7 +1,8 @@
 define [
   'jquery'
   'underscore'
-], ($, _) ->
+  'str/htmlEscape'
+], ($, _, htmlEscape) ->
 
   # use this method to process any user content fields returned in api responses
   # this is important to handle object/embed tags safely, and to properly display audio/video tags
@@ -9,9 +10,9 @@ define [
     $dummy = $('<div />').html(html)
     # finds any <video/audio class="instructure_inline_media_comment"> and turns them into media comment thumbnails
     $dummy.find('video.instructure_inline_media_comment,audio.instructure_inline_media_comment').replaceWith ->
-      $node = $("<a id='media_comment_#{$(this).data('media_comment_id')}'
-            data-media_comment_type='#{$(this).data('media_comment_type')}'
-            class='instructure_inline_media_comment #{this.nodeName.toLowerCase()}_comment' />")
+      $node = $("<a id='media_comment_#{htmlEscape($(this).data('media_comment_id'))}'
+            data-media_comment_type='#{htmlEscape($(this).data('media_comment_type'))}'
+            class='instructure_inline_media_comment #{htmlEscape(this.nodeName.toLowerCase())}_comment' />")
       $node.html $(this).html()
       $node
 
@@ -34,11 +35,11 @@ define [
         uuid = _.uniqueId("uc_")
         action = "/object_snippet"
         action = "//#{ENV.files_domain}#{action}" if ENV.files_domain
-        $form = $("<form action='#{action}' method='post' class='user_content_post_form' target='#{uuid}' id='form-#{uuid}' />")
+        $form = $("<form action='#{htmlEscape(action)}' method='post' class='user_content_post_form' target='#{htmlEscape(uuid)}' id='form-#{htmlEscape(uuid)}' />")
         $form.append($("<input type='hidden'/>").attr({name: 'object_data', value: $this.data('uc_snippet')}))
         $form.append($("<input type='hidden'/>").attr({name: 's', value: $this.data('uc_sig')}))
         $('body').append($form)
         setTimeout((-> $form.submit()), 0)
-        $("<iframe class='user_content_iframe' name='#{uuid}' style='width: #{$this.data('uc_width')}; height: #{$this.data('uc_height')};' frameborder='0' />")
+        $("<iframe class='user_content_iframe' name='#{htmlEscape(uuid)}' style='width: #{htmlEscape($this.data('uc_width'))}; height: #{htmlEscape($this.data('uc_height'))};' frameborder='0' />")
 
     $dummy.html()
diff --git a/app/coffeescripts/util/BlobFactory.coffee b/app/coffeescripts/util/BlobFactory.coffee
index 8ee23074996..b3ecaed0f2d 100644
--- a/app/coffeescripts/util/BlobFactory.coffee
+++ b/app/coffeescripts/util/BlobFactory.coffee
@@ -18,6 +18,10 @@
 
 define ['underscore'], (_) ->
 
+  ###
+  xsslint xssable.receiver.whitelist builder
+  ###
+
   BlobFactory =
     fromCanvas: (canvas, type = 'image/jpeg') ->
       url    = canvas.toDataURL(type)
diff --git a/app/coffeescripts/util/contextColors.coffee b/app/coffeescripts/util/contextColors.coffee
index 62fec3fedb2..bbf18a6b32e 100644
--- a/app/coffeescripts/util/contextColors.coffee
+++ b/app/coffeescripts/util/contextColors.coffee
@@ -31,5 +31,5 @@ define [
         }
 
       """
-    $('<div/>').html("<style>#{css.join('')}</style>").appendTo(document.body)
+    $('<div/>').html("<style>#{$.raw(css.join(''))}</style>").appendTo(document.body)
 
diff --git a/app/coffeescripts/util/contextList.coffee b/app/coffeescripts/util/contextList.coffee
index 4701ee3b4e6..d88702c030a 100644
--- a/app/coffeescripts/util/contextList.coffee
+++ b/app/coffeescripts/util/contextList.coffee
@@ -13,12 +13,12 @@ define [
     context
 
   format = (context, linkToContexts) ->
-    str = h(context.name)
+    html = h(context.name)
     if context.activeFilter
-      str = "<span class='active-filter'>#{str}</span>"
+      html = "<span class='active-filter'>#{html}</span>"
     if linkToContexts and context.type is "course"
-      str = "<a href='#{h(context.url)}'>#{str}</a>"
-    $.raw str
+      html = "<a href='#{h(context.url)}'>#{html}</a>"
+    $.raw html
 
   # given a map of ids by type (e.g. {courses: [1, 2], groups: ...})
   # and a map of possible contexts by type,
diff --git a/app/coffeescripts/util/dateSelect.coffee b/app/coffeescripts/util/dateSelect.coffee
index 512adb6d20f..e19342377f5 100644
--- a/app/coffeescripts/util/dateSelect.coffee
+++ b/app/coffeescripts/util/dateSelect.coffee
@@ -5,6 +5,10 @@ define [
   'str/htmlEscape'
 ], (I18n, $, _, h) ->
 
+  ###
+  xsslint safeString.identifier i
+  ###
+
   builders =
     year: (options, htmlOptions) ->
       step = if options.startYear < options.endYear then 1 else -1
@@ -56,12 +60,11 @@ define [
     for i in [0...options.order.length]
       type = options.order[i]
       tName = name.replace(/(\]?)$/, "(" + position[type] + "i)$1")
-      $result.append(
-        builders[type](
-          options,
-          _.extend({name: tName}, htmlOptions),
-          dateSettings
-        )
+      html = builders[type](
+        options,
+        _.extend({name: tName}, htmlOptions),
+        dateSettings
       )
+      $result.append(html)
       delete htmlOptions.id
     $result
diff --git a/app/coffeescripts/util/kalturaAnalytics.coffee b/app/coffeescripts/util/kalturaAnalytics.coffee
index f94d40de732..7b622f0d254 100644
--- a/app/coffeescripts/util/kalturaAnalytics.coffee
+++ b/app/coffeescripts/util/kalturaAnalytics.coffee
@@ -61,7 +61,7 @@ define [
       for i in [0..count-1]
         iframe = document.createElement('iframe')
         $(iframe).addClass('hidden kaltura-analytics')
-        $(document.body).append(iframe)
+        $(document.body).append($(iframe))
 
         # there is no reliable way to know when a remote url has loaded in an
         # iframe, so just send them every 4 seconds
@@ -160,4 +160,4 @@ define [
     if pluginSettings && pluginSettings.do_analytics
       ka = new KalturaAnalytics(mediaId, mediaElement, pluginSettings)
       ka.addListeners()
-      ka
\ No newline at end of file
+      ka
diff --git a/app/coffeescripts/util/listWithOthers.coffee b/app/coffeescripts/util/listWithOthers.coffee
index 68acb5b024d..f05f438ee7e 100644
--- a/app/coffeescripts/util/listWithOthers.coffee
+++ b/app/coffeescripts/util/listWithOthers.coffee
@@ -17,7 +17,7 @@ define [
           #{h(I18n.t('other', 'other', count: strOrArray.length))}
           <span>
             <ul>
-              #{(('<li>' + h(str) + '</li>') for str in strOrArray).join('')}
+              #{$.raw (('<li>' + h(str) + '</li>') for str in strOrArray).join('')}
             </ul>
           </span>
         </span>
diff --git a/app/coffeescripts/util/semanticDateRange.coffee b/app/coffeescripts/util/semanticDateRange.coffee
index 049f0eca95e..41342446d8e 100644
--- a/app/coffeescripts/util/semanticDateRange.coffee
+++ b/app/coffeescripts/util/semanticDateRange.coffee
@@ -1,10 +1,10 @@
 # requires $.sameDate, $.dateString, $.timeString, $.datetimeString
-define ['i18n!dates', 'jquery', 'timezone', 'jquery.instructure_date_and_time'], (I18n, $, tz) ->
+define ['i18n!dates', 'jquery', 'timezone', 'str/htmlEscape', 'jquery.instructure_date_and_time'], (I18n, $, tz, htmlEscape) ->
   semanticDateRange = (startISO, endISO) ->
     unless startISO
       return """
         <span class="date-range date-range-no-date">
-          #{I18n.t 'no_date', 'No Date'}
+          #{htmlEscape I18n.t 'no_date', 'No Date'}
         </span>
       """
 
diff --git a/app/coffeescripts/views/DiscussionTopic/EntryCollectionView.coffee b/app/coffeescripts/views/DiscussionTopic/EntryCollectionView.coffee
index b3ea51c02f3..180f698e519 100644
--- a/app/coffeescripts/views/DiscussionTopic/EntryCollectionView.coffee
+++ b/app/coffeescripts/views/DiscussionTopic/EntryCollectionView.coffee
@@ -6,7 +6,7 @@ define [
   'jst/discussions/EntryCollectionView'
   'jst/discussions/entryStats'
   'compiled/views/DiscussionTopic/EntryView'
-], (I18n, $, walk, {View}, template, entryStats, EntryView) ->
+], (I18n, $, walk, {View}, template, entryStatsTemplate, EntryView) ->
 
   class EntryCollectionView extends View
 
@@ -110,7 +110,7 @@ define [
           one: "Show one reply"
           other: "Show all %{count} replies"
           {count: stats.total + @collection.options.perPage}
-      @nextLink.html entryStats({stats, moreText, showMore: yes})
+      @nextLink.html entryStatsTemplate({stats, moreText, showMore: yes})
       @nextLink.addClass 'showMore loadNext'
       if @options.threaded
         @nextLink.insertAfter @list
diff --git a/app/coffeescripts/views/DiscussionTopic/EntryView.coffee b/app/coffeescripts/views/DiscussionTopic/EntryView.coffee
index 2bce08fcdf3..fb250d30b36 100644
--- a/app/coffeescripts/views/DiscussionTopic/EntryView.coffee
+++ b/app/coffeescripts/views/DiscussionTopic/EntryView.coffee
@@ -17,7 +17,7 @@ define [
   'compiled/str/convertApiUserContent'
   'jst/_avatar'
   'jst/discussions/_reply_form'
-], ($, _, I18n, MarkAsReadWatcher, walk, Backbone, EntryCollection, entryContentPartial, deletedEntriesTemplate, entryWithRepliesTemplate, entryStats, Reply, EntryEditor, htmlEscape, {publish}, convertApiUserContent) ->
+], ($, _, I18n, MarkAsReadWatcher, walk, Backbone, EntryCollection, entryContentPartial, deletedEntriesTemplate, entryWithRepliesTemplate, entryStatsTemplate, Reply, EntryEditor, htmlEscape, {publish}, convertApiUserContent) ->
 
   class EntryView extends Backbone.View
 
@@ -124,11 +124,11 @@ define [
       stats = @countPosterity()
       html = """
         <div class='new-and-total-badge'>
-          <span class="new-items">#{stats.unread}</span>
-          <span class="total-items">#{stats.total}</span>
+          <span class="new-items">#{htmlEscape stats.unread}</span>
+          <span class="total-items">#{htmlEscape stats.total}</span>
         </div>
         """
-      @$headerBadges.append entryStats({stats})
+      @$headerBadges.append entryStatsTemplate({stats})
       @addedCountsToHeader = true
 
     toggleDeleted: (model, deleted) =>
@@ -179,10 +179,10 @@ define [
 
     renderDescendantsLink: ->
       stats = @countPosterity()
-      @descendantsLink = $ '<div/>'
-      @descendantsLink.html entryStats({stats, showMore: yes})
-      @descendantsLink.addClass 'showMore loadDescendants'
-      @$replies.append @descendantsLink
+      @$descendantsLink = $ '<div/>'
+      @$descendantsLink.html entryStatsTemplate({stats, showMore: yes})
+      @$descendantsLink.addClass 'showMore loadDescendants'
+      @$replies.append @$descendantsLink
 
     countPosterity: ->
       stats = unread: 0, total: 0
diff --git a/app/coffeescripts/views/ExternalTools/AddAppView.coffee b/app/coffeescripts/views/ExternalTools/AddAppView.coffee
index 2a3c3244af1..fbd38366e4b 100644
--- a/app/coffeescripts/views/ExternalTools/AddAppView.coffee
+++ b/app/coffeescripts/views/ExternalTools/AddAppView.coffee
@@ -5,7 +5,8 @@ define [
   'underscore'
   'jst/ExternalTools/AddAppView'
   'jquery.disableWhileLoading'
-], (Backbone, I18n, $, _, template, disableWhileLoading) ->
+  'str/htmlEscape'
+], (Backbone, I18n, $, _, template, disableWhileLoading, htmlEscape) ->
 
   class AddAppView extends Backbone.View
     template: template
@@ -104,14 +105,14 @@ define [
     addError: (input, message) ->
       input = @$(input)
       input.parents('.control-group').addClass('error')
-      input.after("<span class='help-inline'>#{message}</span>")
+      input.after("<span class='help-inline'>#{htmlEscape message}</span>")
       input.one 'keypress', ->
         $(this).parents('.control-group').removeClass('error')
         $(this).parents('.control-group').find('.help-inline').remove()
 
     onSaveFail: (model) =>
       message = I18n.t 'generic_error', 'There was an error in processing your request'
-      @$el.prepend("<div class='alert alert-error'>#{message}</span>")
+      @$el.prepend("<div class='alert alert-error'>#{htmlEscape message}</span>")
 
     onSaveSuccess: (model) =>
       @app.set('is_installed', true)
diff --git a/app/coffeescripts/views/ExternalTools/EditView.coffee b/app/coffeescripts/views/ExternalTools/EditView.coffee
index 7f9f4b0939b..d5053fb9fdd 100644
--- a/app/coffeescripts/views/ExternalTools/EditView.coffee
+++ b/app/coffeescripts/views/ExternalTools/EditView.coffee
@@ -3,8 +3,9 @@ define [
   'jquery'
   'jst/ExternalTools/EditView'
   'compiled/views/ValidatedFormView'
+  'str/htmlEscape'
   'compiled/jquery/fixDialogButtons'
-], (I18n, $, template, ValidatedFormView) ->
+], (I18n, $, template, ValidatedFormView, htmlEscape) ->
 
   class EditView extends ValidatedFormView
     template: template
@@ -64,7 +65,7 @@ define [
     addError: (input, message) ->
       input = $(input)
       input.parents('.control-group').addClass('error')
-      input.after("<span id='#{input.attr("name")}_error_message' class='help-inline'>#{message}</span>")
+      input.after("<span id='#{htmlEscape input.attr("name")}_error_message' class='help-inline'>#{htmlEscape message}</span>")
       input.attr('aria-describedby', "#{input.attr('name')}_error_message")
       input.attr('aria-invalid', 'true')
       input.one 'keypress', ->
@@ -76,7 +77,7 @@ define [
     onSaveFail: (xhr) =>
       super
       message = I18n.t 'generic_error', 'There was an error in processing your request'
-      @$el.prepend("<div class='alert alert-error'>#{message}</span>")
+      @$el.prepend("<div class='alert alert-error'>#{htmlEscape message}</span>")
       delay = (ms, func) -> setTimeout func, ms
       delay 1, -> @$("[aria-invalid='true']").first().focus()
 
diff --git a/app/coffeescripts/views/ExternalTools/IndexView.coffee b/app/coffeescripts/views/ExternalTools/IndexView.coffee
index cec249060ef..3c7b6cf5ff0 100644
--- a/app/coffeescripts/views/ExternalTools/IndexView.coffee
+++ b/app/coffeescripts/views/ExternalTools/IndexView.coffee
@@ -123,7 +123,7 @@ define [
       view = @$(event.currentTarget).closest('.external_tool_item').data('view')
       tool = view.model
       msg = I18n.t 'remove_tool', "Are you sure you want to remove this tool?"
-      dialog = $("<div>#{msg}</div>").dialog
+      dialog = $("<div>#{htmlEscape msg}</div>").dialog
         modal: true,
         resizable: false
         title: I18n.t('delete', 'Delete') + ' ' + tool.get('name') + '?'
@@ -149,4 +149,4 @@ define [
       @$('[data-installed-state]').removeClass('active')
       @$('[data-installed-state="' + @appCenterView.targetInstalledState + '"]').addClass('active')
       @$('[data-installed-state="' + @appCenterView.targetInstalledState + '"] > a').attr('aria-selected', 'true')
-      @appCenterView.render()
\ No newline at end of file
+      @appCenterView.render()
diff --git a/app/coffeescripts/views/ExternalTools/RateToolView.coffee b/app/coffeescripts/views/ExternalTools/RateToolView.coffee
index 0beeaf06279..af1b4987a51 100644
--- a/app/coffeescripts/views/ExternalTools/RateToolView.coffee
+++ b/app/coffeescripts/views/ExternalTools/RateToolView.coffee
@@ -70,4 +70,4 @@ define [
 
     showErrorMessage: ->
       message = I18n.t 'missing_stars', 'You must select a star rating'
-      @$el.prepend("<div class='alert alert-error'>#{message}</span>")
+      @$el.prepend("<div class='alert alert-error'>#{htmlEscape(message)}</span>")
diff --git a/app/coffeescripts/views/FindFlickrImageView.coffee b/app/coffeescripts/views/FindFlickrImageView.coffee
index eee1e5111d8..4f761b26912 100644
--- a/app/coffeescripts/views/FindFlickrImageView.coffee
+++ b/app/coffeescripts/views/FindFlickrImageView.coffee
@@ -44,5 +44,6 @@ define [
           fullsize: "https://farm#{photo.farm}.static.flickr.com/#{photo.server}/#{photo.id}_#{photo.secret}.jpg"
           source:   "https://secure.flickr.com/photos/#{photo.owner}/#{photo.id}"
           title:    photo.title
+      html = html.join('')
 
-      @$('.flickrResults').showIf(!!photos.length).html html.join('')
+      @$('.flickrResults').showIf(!!photos.length).html html
diff --git a/app/coffeescripts/views/KeyboardNavDialog.coffee b/app/coffeescripts/views/KeyboardNavDialog.coffee
index f3904f76cd6..1b227b35a26 100644
--- a/app/coffeescripts/views/KeyboardNavDialog.coffee
+++ b/app/coffeescripts/views/KeyboardNavDialog.coffee
@@ -16,8 +16,8 @@ define [
 
     # you're responsible for rendering the content via HB
     # and passing it in
-    render: (content) ->
-      @$el.html(content)
+    render: (html) ->
+      @$el.html(html)
       @
 
     bindOpenKeys: ->
diff --git a/app/coffeescripts/views/MessageStudentsDialog.coffee b/app/coffeescripts/views/MessageStudentsDialog.coffee
index 7482295acab..16b8b1aba62 100644
--- a/app/coffeescripts/views/MessageStudentsDialog.coffee
+++ b/app/coffeescripts/views/MessageStudentsDialog.coffee
@@ -8,7 +8,7 @@ define [
   'jst/_messageStudentsWhoRecipientList'
   'underscore'
   'compiled/jquery/serializeForm'
-], (I18n, $, DialogFormView, template, wrapperTemplate, Conversation, recipientList, _) ->
+], (I18n, $, DialogFormView, template, wrapperTemplate, Conversation, recipientListTemplate, _) ->
 
   class MessageStudentsDialog extends DialogFormView
 
@@ -76,7 +76,7 @@ define [
     updateListOfRecipients: =>
       groupName = @$recipientGroupName.val()
       {recipients} = @_findRecipientGroupByName groupName
-      @$messageRecipients.html recipientList recipients: recipients
+      @$messageRecipients.html recipientListTemplate recipients: recipients
 
     onSaveSuccess: ->
       @close()
diff --git a/app/coffeescripts/views/MoveDialogSelect.coffee b/app/coffeescripts/views/MoveDialogSelect.coffee
index 91fc904d46e..778d9496b91 100644
--- a/app/coffeescripts/views/MoveDialogSelect.coffee
+++ b/app/coffeescripts/views/MoveDialogSelect.coffee
@@ -32,9 +32,9 @@ define [
       # I'm sorry, Voiceover + jQueryUI made me do it
       # VO won't acknowledge the existance of the re-rendered view
       # but if we render just the options, it's OK
-      fragment = $(@template @toJSON())
-      opts = fragment.filter('select').find('option')
-      @$('select').empty().append(opts)
+      $fragment = $(@template @toJSON())
+      $opts = $fragment.filter('select').find('option')
+      @$('select').empty().append($opts)
 
     value: ->
       @$('select').val()
diff --git a/app/coffeescripts/views/MoveDialogView.coffee b/app/coffeescripts/views/MoveDialogView.coffee
index 7351cb6b356..2b336c952e8 100644
--- a/app/coffeescripts/views/MoveDialogView.coffee
+++ b/app/coffeescripts/views/MoveDialogView.coffee
@@ -98,11 +98,11 @@ define [
 
     # attaches child views to @$childContainer
     attachChildViews: ->
-      container = @$childContainer.detach()
+      $container = @$childContainer.detach()
       if @parentListView
-        container.append(@parentListView.render().el)
-      container.append(@listView.render().el)
-      @$content.append(container)
+        $container.append(@parentListView.render().el)
+      $container.append(@listView.render().el)
+      @$content.append($container)
 
     cleanup: =>
       @parentListView?.remove()
diff --git a/app/coffeescripts/views/PublishButtonView.coffee b/app/coffeescripts/views/PublishButtonView.coffee
index a3ab1794130..5b5f344e57d 100644
--- a/app/coffeescripts/views/PublishButtonView.coffee
+++ b/app/coffeescripts/views/PublishButtonView.coffee
@@ -3,8 +3,9 @@ define [
   'jquery'
   'compiled/fn/preventDefault'
   'Backbone'
+  'str/htmlEscape'
   'jquery.instructure_forms'
-], (I18n, $, preventDefault, Backbone) ->
+], (I18n, $, preventDefault, Backbone, htmlEscape) ->
 
   class PublishButton extends Backbone.View
     disabledClass: 'disabled'
@@ -167,7 +168,7 @@ define [
       @$el.attr 'aria-pressed', options.buttonClass is @publishedClass
       @$icon.addClass options.iconClass
 
-      @$text.html "&nbsp;#{options.text}"
+      @$text.html "&nbsp;#{htmlEscape(options.text)}"
 
       # unpublishable
       if !@model.get('unpublishable')? or @model.get('unpublishable')
diff --git a/app/coffeescripts/views/accounts/settings/ManualQuotasView.coffee b/app/coffeescripts/views/accounts/settings/ManualQuotasView.coffee
index 1907455c7fe..8865b448aaa 100644
--- a/app/coffeescripts/views/accounts/settings/ManualQuotasView.coffee
+++ b/app/coffeescripts/views/accounts/settings/ManualQuotasView.coffee
@@ -85,9 +85,10 @@ define [
         messages = errors[integerField]
         control_group.toggleClass('error', messages?)
         if messages
-          helpInline = $('<span class="help-inline"></span>')
-          helpInline.html((htmlEscape(message) for {message} in messages).join('<br/>'))
-          control_group.find('.controls').append(helpInline)
+          $helpInline = $('<span class="help-inline"></span>')
+          html = (htmlEscape(message) for {message} in messages).join('<br/>')
+          $helpInline.html(html)
+          control_group.find('.controls').append($helpInline)
 
     findItem: ->
       @hideErrors()
diff --git a/app/coffeescripts/views/accounts/settings/QuotasView.coffee b/app/coffeescripts/views/accounts/settings/QuotasView.coffee
index 102c881f43e..6f50a64789c 100644
--- a/app/coffeescripts/views/accounts/settings/QuotasView.coffee
+++ b/app/coffeescripts/views/accounts/settings/QuotasView.coffee
@@ -74,6 +74,7 @@ define [
         messages = errors[integerField]
         control_group.toggleClass('error', messages?)
         if messages
-          helpInline = $('<span class="help-inline"></span>')
-          helpInline.html((htmlEscape(message) for {message} in messages).join('<br/>'))
-          control_group.find('.controls').append(helpInline)
+          $helpInline = $('<span class="help-inline"></span>')
+          html = (htmlEscape(message) for {message} in messages).join('<br/>')
+          $helpInline.html(html)
+          control_group.find('.controls').append($helpInline)
diff --git a/app/coffeescripts/views/assignments/AssignmentSettingsView.coffee b/app/coffeescripts/views/assignments/AssignmentSettingsView.coffee
index 55e0333a643..e33826a3b14 100644
--- a/app/coffeescripts/views/assignments/AssignmentSettingsView.coffee
+++ b/app/coffeescripts/views/assignments/AssignmentSettingsView.coffee
@@ -76,7 +76,7 @@ define [
         total_weight += v.findWeight() || 0
       total_weight = round(total_weight,2)
 
-      @$el.find('#percent_total').html(total_weight + "%")
+      @$el.find('#percent_total').text(total_weight + "%")
 
     clearWeights: ->
       @weights = []
@@ -87,7 +87,7 @@ define [
       for v in @weights
         total_weight += v.findWeight() || 0
       total_weight = round(total_weight,2)
-      @$el.find('#percent_total').html(total_weight + "%")
+      @$el.find('#percent_total').text(total_weight + "%")
 
     toJSON: ->
       data = super
diff --git a/app/coffeescripts/views/assignments/DueDateList.coffee b/app/coffeescripts/views/assignments/DueDateList.coffee
index 9b4791e4fc1..ce771162802 100644
--- a/app/coffeescripts/views/assignments/DueDateList.coffee
+++ b/app/coffeescripts/views/assignments/DueDateList.coffee
@@ -72,7 +72,7 @@ define [
       @dueDateViews.push dueDateView
       @hideOrShowRemoveButtons()
       if render
-        row = dueDateView.render().$el
-        @$el.append row
+        $row = dueDateView.render().$el
+        @$el.append $row
         @reRenderSections()
-        row.find(".section-list").focus()
+        $row.find(".section-list").focus()
diff --git a/app/coffeescripts/views/assignments/TurnitinSettingsDialog.coffee b/app/coffeescripts/views/assignments/TurnitinSettingsDialog.coffee
index 2d7b8adb2d1..9d8b7d93f45 100644
--- a/app/coffeescripts/views/assignments/TurnitinSettingsDialog.coffee
+++ b/app/coffeescripts/views/assignments/TurnitinSettingsDialog.coffee
@@ -3,8 +3,9 @@ define [
   'Backbone'
   'jquery'
   'underscore'
+  'str/htmlEscape'
   'compiled/jquery/fixDialogButtons'
-], (turnitinSettingsDialog, { View }, $, _) ->
+], (turnitinSettingsDialog, { View }, $, _, htmlEscape) ->
 
   class TurnitinSettingsDialog extends View
 
@@ -37,14 +38,15 @@ define [
       json = super
       _.extend json,
         wordsInput: """
-          <input class="span1" id="exclude_small_matches_words_value" name="words" value="#{json.words}" type="text"/>
+          <input class="span1" id="exclude_small_matches_words_value" name="words" value="#{htmlEscape json.words}" type="text"/>
         """
         percentInput: """
-          <input class="span1" id="exclude_small_matches_percent_value" name="percent" value="#{json.percent}" type="text"/>
+          <input class="span1" id="exclude_small_matches_percent_value" name="percent" value="#{htmlEscape json.percent}" type="text"/>
         """
 
     renderEl: =>
-      @$el.html(turnitinSettingsDialog(@toJSON()))
+      html = turnitinSettingsDialog(@toJSON())
+      @$el.html(html)
       @$el.dialog({width: 'auto', modal: true}).fixDialogButtons()
 
     getFormValues: =>
diff --git a/app/coffeescripts/views/calendar/CalendarNavigator.coffee b/app/coffeescripts/views/calendar/CalendarNavigator.coffee
index 7ebd9b06454..0fe9fafa6b0 100644
--- a/app/coffeescripts/views/calendar/CalendarNavigator.coffee
+++ b/app/coffeescripts/views/calendar/CalendarNavigator.coffee
@@ -56,8 +56,7 @@ define [
     hide: => @show(false)
 
     setTitle: (new_text) =>
-      # need to use .html instead of .text so &ndash; will render correctly
-      @$title.html(new_text)
+      @$title.text(new_text)
 
     showPicker: (visible = true) ->
       @_pickerShowing = visible
diff --git a/app/coffeescripts/views/calendar/MissingDateDialogView.coffee b/app/coffeescripts/views/calendar/MissingDateDialogView.coffee
index fded4a92d4e..45adbaa762d 100644
--- a/app/coffeescripts/views/calendar/MissingDateDialogView.coffee
+++ b/app/coffeescripts/views/calendar/MissingDateDialogView.coffee
@@ -4,15 +4,16 @@ define [
   'Backbone'
   'i18n!calendar.edit'
   'jst/calendar/missingDueDateDialog'
+  'str/htmlEscape'
   'jqueryui/dialog'
   'compiled/jquery/fixDialogButtons'
-], ($, _, {View}, I18n, template) ->
+], ($, _, {View}, I18n, template, htmlEscape) ->
 
   class MissingDateDialogView extends View
     dialogTitle: """
       <span>
         <i class="icon-warning"></i>
-        #{I18n.t('titles.warning', 'Warning')}
+        #{htmlEscape I18n.t('titles.warning', 'Warning')}
       </span>
     """
 
diff --git a/app/coffeescripts/views/collaborations/ListView.coffee b/app/coffeescripts/views/collaborations/ListView.coffee
index 2a66ec40378..bd7aa4af424 100644
--- a/app/coffeescripts/views/collaborations/ListView.coffee
+++ b/app/coffeescripts/views/collaborations/ListView.coffee
@@ -58,8 +58,8 @@ define [
 
     render: =>
       @updateFilter([])
-      collaborators = @collection.map(@renderCollaborator)
-      @$el.html(collaborators.join(''))
+      collaboratorsHtml = @collection.map(@renderCollaborator).join('')
+      @$el.html(collaboratorsHtml)
       @updateFocus() if @currentIndex? && @hasFocus
       @hasFocus = false
       super
diff --git a/app/coffeescripts/views/collaborations/MemberListView.coffee b/app/coffeescripts/views/collaborations/MemberListView.coffee
index 71eafb9f223..5f265b01184 100644
--- a/app/coffeescripts/views/collaborations/MemberListView.coffee
+++ b/app/coffeescripts/views/collaborations/MemberListView.coffee
@@ -62,13 +62,14 @@ define [
     render: =>
       @removeCurrentUser() if @options.currentUser
       @updateElementVisibility()
-      collaborators = @collection.map (c) =>
+      collaboratorsHtml = @collection.map (c) =>
         collaboratorTemplate(extend(c.toJSON(),
                                     type: c.modelType or c.get('type'),
                                     id: c.get('collaborator_id') or c.get('id')
                                     name: c.get('sortable_name') or c.get('name')
                                     selected: true))
-      @$list.html(collaborators.join(''))
+      collaboratorsHtml = collaboratorsHtml.join('')
+      @$list.html(collaboratorsHtml)
       @updateFocus() if @currentIndex? && @hasFocus
       @hasFocus = false
 
diff --git a/app/coffeescripts/views/context_modules/context_modules.coffee b/app/coffeescripts/views/context_modules/context_modules.coffee
index f4e09a7e9c4..2f075c6cb23 100644
--- a/app/coffeescripts/views/context_modules/context_modules.coffee
+++ b/app/coffeescripts/views/context_modules/context_modules.coffee
@@ -4,6 +4,10 @@ define [
   'i18n!context_modules'
   'jquery.loadingImg'
 ], (Backbone, $, I18n) ->
+  ###
+  xsslint jqueryObject.identifier dragItem dragModule
+  ###
+
   class ContextModules extends Backbone.View
     @optionProperty 'modules'
 
diff --git a/app/coffeescripts/views/contexts/PageViewView.coffee b/app/coffeescripts/views/contexts/PageViewView.coffee
index 64536de3124..5842dc641a1 100644
--- a/app/coffeescripts/views/contexts/PageViewView.coffee
+++ b/app/coffeescripts/views/contexts/PageViewView.coffee
@@ -36,8 +36,8 @@ define [
     #
     # Returns nothing.
     render: ->
-      html = _.map(@collection.models, @renderPageView)
-      @$el.append(html.join(''))
+      html = _.map(@collection.models, @renderPageView).join('')
+      @$el.append(html)
       super
 
     # Public: Return HTML for a given record.
diff --git a/app/coffeescripts/views/course_settings/NavigationView.coffee b/app/coffeescripts/views/course_settings/NavigationView.coffee
index 04d17461d5f..85cad79a00e 100644
--- a/app/coffeescripts/views/course_settings/NavigationView.coffee
+++ b/app/coffeescripts/views/course_settings/NavigationView.coffee
@@ -1,7 +1,11 @@
 define [
   'jquery'
   'Backbone'
-], ($, Backbone) ->
+  'str/htmlEscape'
+], ($, Backbone, htmlEscape) ->
+  ###
+  xsslint jqueryObject.identifier dragObject current_item
+  ###
 
   class NavigationView extends Backbone.View
 
@@ -47,11 +51,11 @@ define [
       which_list.children('.navitem').each (key, item) ->
         if $(item).attr('aria-label') is which_item.attr('aria-label')
           return
-        options.push('<option value="' + $(item).attr('id') + '">' + $(item).attr('aria-label') + '</option>')
+        options.push('<option value="' + htmlEscape($(item).attr('id')) + '">' + htmlEscape($(item).attr('aria-label')) + '</option>')
       $select = @$move_dialog.children().find('#move_nav_item_select')
       # Clear the options first
       $select.empty()
-      $select.append(options.join(''))
+      $select.append($.raw(options.join('')))
       # Set the name in the dialog
       @$move_name.text which_item.attr('aria-label')
       @$move_dialog.data 'current_item', which_item
@@ -171,4 +175,4 @@ define [
 
     # Internal: returns whether the element is inside the enabled list
     disabled: (el) ->
-      el.parent().attr("id") == @$disabled_list.attr("id")
\ No newline at end of file
+      el.parent().attr("id") == @$disabled_list.attr("id")
diff --git a/app/coffeescripts/views/courses/roster/EditSectionsView.coffee b/app/coffeescripts/views/courses/roster/EditSectionsView.coffee
index a070dd66ff5..33d8a264b23 100644
--- a/app/coffeescripts/views/courses/roster/EditSectionsView.coffee
+++ b/app/coffeescripts/views/courses/roster/EditSectionsView.coffee
@@ -62,8 +62,8 @@ define [
       $link = $token.find('a')
       $link.attr('href', '#')
       $link.attr('title', I18n.t("remove_user_from_course_section", "Remove user from %{course_section}", course_section: $token.find('div').attr('title')))
-      $screenreader_span = $('<span class="screenreader-only"></span>').append(I18n.t("remove_user_from_course_section",
-        "Remove user from %{course_section}", course_section: h($token.find('div').attr('title'))))
+      $screenreader_span = $('<span class="screenreader-only"></span>').append(h(I18n.t("remove_user_from_course_section",
+        "Remove user from %{course_section}", course_section: h($token.find('div').attr('title')))))
       $link.append($screenreader_span)
 
     update: (e) =>
diff --git a/app/coffeescripts/views/outcomes/ContentView.coffee b/app/coffeescripts/views/outcomes/ContentView.coffee
index d62e187b4da..f213a38a7f6 100644
--- a/app/coffeescripts/views/outcomes/ContentView.coffee
+++ b/app/coffeescripts/views/outcomes/ContentView.coffee
@@ -58,10 +58,11 @@ define [
 
     render: ->
       @attachEvents()
-      @$el.html if @innerView
+      html = if @innerView
           @innerView.render().el
         else if @renderInstructions
           @instructionsTemplate()
+      @$el.html html
       this
 
     attachEvents: ->
diff --git a/app/coffeescripts/views/outcomes/OutcomeIconBase.coffee b/app/coffeescripts/views/outcomes/OutcomeIconBase.coffee
index 72893c0afe9..2d488484784 100644
--- a/app/coffeescripts/views/outcomes/OutcomeIconBase.coffee
+++ b/app/coffeescripts/views/outcomes/OutcomeIconBase.coffee
@@ -119,7 +119,7 @@ define [
     # Returns nothing.
     onDrop: (dragObject, $destination) ->
       # TODO: reduce duplication b/w this and OutcomesDirectoryView.initDroppable
-      $target         = dragObject.li
+      $target         = dragObject.$li
       model           = dragObject.model
       destinationView = $destination.data('view')
       originalView    = dragObject.parent
@@ -142,13 +142,13 @@ define [
       $sidebar = $target.parents('.wrapper:first')
       if dragObject = $sidebar.data('drag')
         # drop
-        $target.after(dragObject.li)
+        $target.after(dragObject.$li)
         @onDrop(dragObject, $target.parent())
       else
         # drag
         $target.attr('aria-grabbed', true)
         dragObject =
-          li: $target,
+          $li: $target,
           model: $target.data('view').model
           parent: $target.parent().data('view')
         $sidebar.data('drag', dragObject)
@@ -161,7 +161,7 @@ define [
     onEscapeKey: (e, $target) ->
       $sidebar = $target.parents('.wrapper:first')
       return unless dataObject = $sidebar.data('drag')
-      dataObject.li.data('parent', null).attr('aria-grabbed', false)
+      dataObject.$li.data('parent', null).attr('aria-grabbed', false)
       $sidebar.data('drag', null);
 
     # Internal: Update tabindex on $el and its siblings.
diff --git a/app/coffeescripts/views/outcomes/OutcomeView.coffee b/app/coffeescripts/views/outcomes/OutcomeView.coffee
index 81ad4973889..63975726fc0 100644
--- a/app/coffeescripts/views/outcomes/OutcomeView.coffee
+++ b/app/coffeescripts/views/outcomes/OutcomeView.coffee
@@ -89,10 +89,10 @@ define [
 
     insertRating: (e) =>
       e.preventDefault()
-      rating = $ criterionTemplate description: '', points: '', _index: 99
-      $(e.currentTarget).closest('.rating').after rating
-      rating.find('.show').hide().next().show(200)
-      rating.find('.edit input:first').focus()
+      $rating = $ criterionTemplate description: '', points: '', _index: 99
+      $(e.currentTarget).closest('.rating').after $rating
+      $rating.find('.show').hide().next().show(200)
+      $rating.find('.edit input:first').focus()
       @updateRatings()
 
     # Update rating form field elements and the total.
@@ -106,7 +106,7 @@ define [
           # reset indices
           $(i).attr 'name', i.name.replace /\[[0-9]+\]/, "[#{index}]"
       points = @$('.points_possible')
-      points.html points.html().replace /[0-9/.]+/, total
+      points.html $.raw points.html().replace(/[0-9/.]+/, total)
 
     showRatingDialog: (e) =>
       e.preventDefault()
diff --git a/app/coffeescripts/views/outcomes/OutcomesDirectoryView.coffee b/app/coffeescripts/views/outcomes/OutcomesDirectoryView.coffee
index 02e7f739b1b..ce97dacb6ed 100644
--- a/app/coffeescripts/views/outcomes/OutcomesDirectoryView.coffee
+++ b/app/coffeescripts/views/outcomes/OutcomesDirectoryView.coffee
@@ -26,10 +26,11 @@ define [
   'compiled/collections/OutcomeGroupCollection'
   'compiled/views/outcomes/OutcomeGroupIconView'
   'compiled/views/outcomes/OutcomeIconView'
+  'str/htmlEscape'
   'jquery.disableWhileLoading'
   'jqueryui/droppable'
   'compiled/jquery.rails_flash_notifications'
-], (I18n, $, _, PaginatedView, OutcomeGroup, OutcomeCollection, OutcomeGroupCollection, OutcomeGroupIconView, OutcomeIconView) ->
+], (I18n, $, _, PaginatedView, OutcomeGroup, OutcomeCollection, OutcomeGroupCollection, OutcomeGroupIconView, OutcomeIconView, htmlEscape) ->
 
   # The outcome group "directory" browser.
   class OutcomesDirectoryView extends PaginatedView
@@ -157,11 +158,12 @@ define [
     # Overriding
     paginationLoaderTemplate: ->
       "<li><a href='#' class='loading-more'>
-        #{I18n.t("loading_more_results", "Loading more results")}</a></li>"
+        #{htmlEscape I18n.t("loading_more_results", "Loading more results")}</a></li>"
 
     # Overriding to insert into the ul.
     showPaginationLoader: ->
-      @$el.append(@$paginationLoader ?= $(@paginationLoaderTemplate()))
+      @$paginationLoader ?= $(@paginationLoaderTemplate())
+      @$el.append(@$paginationLoader)
 
     # Fetch outcomes after all the groups have been fetched.
     fetchOutcomes: ->
diff --git a/app/coffeescripts/views/profiles/AvatarDialogView.coffee b/app/coffeescripts/views/profiles/AvatarDialogView.coffee
index 61ba96a3fb1..b3c3008892d 100644
--- a/app/coffeescripts/views/profiles/AvatarDialogView.coffee
+++ b/app/coffeescripts/views/profiles/AvatarDialogView.coffee
@@ -130,6 +130,9 @@ define [
 
       delete @image
 
+      ###
+      xsslint xssable.receiver.whitelist req
+      ###
       req.append(k, v) for k, v of preflightResponse.upload_params
       req.append(preflightResponse.file_param, image, 'profile.jpg')
       dataType = if preflightResponse.success_url then 'xml' else 'json'
diff --git a/app/coffeescripts/views/quizzes/LDBLoginPopup.coffee b/app/coffeescripts/views/quizzes/LDBLoginPopup.coffee
index 1806d563cca..0e7d779dddd 100644
--- a/app/coffeescripts/views/quizzes/LDBLoginPopup.coffee
+++ b/app/coffeescripts/views/quizzes/LDBLoginPopup.coffee
@@ -2,9 +2,10 @@ define [
   "underscore"
   "Backbone"
   "jquery"
-  "jst/quizzes/LDBLoginPopup",
+  "jst/quizzes/LDBLoginPopup"
+  "str/htmlEscape"
   "jquery.toJSON"
-], (_, Backbone, $, Markup) ->
+], (_, Backbone, $, Markup, htmlEscape) ->
 
   # Consumes an event and stops it from propagating.
   consume = (e) ->
@@ -179,7 +180,7 @@ define [
 
         # Inject the stylesheets.
         _(styleSheets).each (href) ->
-          $head.append "<link rel=\"stylesheet\" href=\"" + href + "\" />"
+          $head.append "<link rel=\"stylesheet\" href=\"" + htmlEscape(href) + "\" />"
           return
 
         # Show the form.
@@ -286,4 +287,4 @@ define [
         global: false
         headers:
           'Content-Type': 'application/json'
-          'Accept': 'application/json'
\ No newline at end of file
+          'Accept': 'application/json'
diff --git a/app/coffeescripts/views/roles/ManageRolesView.coffee b/app/coffeescripts/views/roles/ManageRolesView.coffee
index 475445c22f3..dc02a534f38 100644
--- a/app/coffeescripts/views/roles/ManageRolesView.coffee
+++ b/app/coffeescripts/views/roles/ManageRolesView.coffee
@@ -6,7 +6,8 @@ define [
   'jst/roles/manageRoles'
   'compiled/views/roles/PermissionButtonView'
   'compiled/views/roles/RoleHeaderView'
-], (I18n, $, _, Backbone, template, PermissionButtonView, RoleHeaderView) ->
+  'str/htmlEscape'
+], (I18n, $, _, Backbone, template, PermissionButtonView, RoleHeaderView, htmlEscape) ->
   class ManageRolesView extends Backbone.View
     template: template
     className: 'manage-roles-table'
@@ -40,7 +41,7 @@ define [
     #   called, which should get called when role is added or removed.
     # @api private
     renderHeader: -> 
-      @$el.find('thead tr').html "<th>#{I18n.t('permissions', 'Permissions')}</th>"
+      @$el.find('thead tr').html "<th>#{htmlEscape(I18n.t('permissions', 'Permissions'))}</th>"
 
       @collection.each (role) =>
         roleHeaderView = new RoleHeaderView
@@ -94,20 +95,20 @@ define [
 
       _.each @permission_groups, (permission_group) => 
         # Add the headers to the group
-        permission_group_header = """
+        permission_group_header_html = """
                                     <tr class="toolbar">
-                                      <th colspan="#{@collection.length + 1}">#{permission_group.group_name.toUpperCase()}</th>
+                                      <th colspan="#{htmlEscape(@collection.length + 1)}">#{htmlEscape(permission_group.group_name.toUpperCase())}</th>
                                     </tr>
                                   """
 
-        @$el.find('tbody').append permission_group_header
+        @$el.find('tbody').append permission_group_header_html
 
         # Add each permission item.
         _.each permission_group.group_permissions, (permission_row) => 
 
           permission_row_html = """
                             <tr>
-                              <th role="rowheader">#{permission_row.label}</th>
+                              <th role="rowheader">#{htmlEscape(permission_row.label)}</th>
                             </tr>
                            """
 
diff --git a/app/coffeescripts/views/roles/PermissionButtonView.coffee b/app/coffeescripts/views/roles/PermissionButtonView.coffee
index 5c2f6490cd5..14f4378c442 100644
--- a/app/coffeescripts/views/roles/PermissionButtonView.coffee
+++ b/app/coffeescripts/views/roles/PermissionButtonView.coffee
@@ -335,8 +335,8 @@ define [
     #   3 = "disabledLocked"
     # @api private
     setButtonPreview: (selected_radio) -> 
-      icons = @$el.find("label[for=button-#{@cid}-#{selected_radio}] i").clone()
-      @$el.find('a.dropdown-toggle').html icons
+      $icons = @$el.find("label[for=button-#{@cid}-#{selected_radio}] i").clone()
+      @$el.find('a.dropdown-toggle').html $icons
 
     # Method Summary
     #   Sets the button preview for an dropdown button to the enabled icons
diff --git a/app/coffeescripts/views/tinymce/EquationEditorView.coffee b/app/coffeescripts/views/tinymce/EquationEditorView.coffee
index c29aea1f254..c9f5f0cf177 100644
--- a/app/coffeescripts/views/tinymce/EquationEditorView.coffee
+++ b/app/coffeescripts/views/tinymce/EquationEditorView.coffee
@@ -5,10 +5,11 @@ define [
   'Backbone'
   'compiled/views/tinymce/EquationToolbarView'
   'jst/tinymce/EquationEditorView'
+  'str/htmlEscape'
 
   'jqueryui/dialog'
   'mathquill'
-], (I18n, $, _, Backbone, EquationToolbarView, template) ->
+], (I18n, $, _, Backbone, EquationToolbarView, template, htmlEscape) ->
 
   # like $.text() / Sizzle.getText(elems), except it also gets alt attributes from images
   getEquationText = (elems) ->
@@ -46,7 +47,7 @@ define [
       @prevSelection = @editor.selection.getBookmark()
 
       unless @toolbar = @$el.data('toolbar')
-        nodes = $('<span>').html @editor.selection.getContent()
+        nodes = $('<span>').text @editor.selection.getContent()
         equation = getEquationText(nodes).replace(/^\s+|\s+$/g, '')
         @addToolbar(equation)
 
@@ -73,7 +74,7 @@ define [
       @restoreCaret()
 
     initialRender: =>
-      nodes = $('<span>').html @editor.selection.getContent()
+      nodes = $('<span>').text @editor.selection.getContent()
       equation = getEquationText(nodes).replace(/^\s+|\s+$/g, '')
 
       @$mathjaxMessage.empty()
@@ -83,7 +84,7 @@ define [
     addToolbar: (equation) ->
       @$el.append(@template)
 
-      $('#mathjax-preview').html("<script type='math/tex; mode=display'>#{equation}</script>")
+      $('#mathjax-preview').html("<script type='math/tex; mode=display'>#{htmlEscape equation}</script>")
       @toolbar = new EquationToolbarView
         el: @$el
       @toolbar.render()
@@ -138,7 +139,7 @@ define [
           .mathquill('editor')
           .mathquill('write', equation)
         if @$mathquillContainer.mathquill('latex').replace(/\s+/, '') != equation.replace(/\s+/, '')
-          @$mathjaxMessage.html(I18n.t('cannot_render_equation', "This equation cannot be rendered in Basic View."))
+          @$mathjaxMessage.text(I18n.t('cannot_render_equation', "This equation cannot be rendered in Basic View."))
           return false
       else if view == 'mathjax'
         @$mathjaxEditor.val(equation)
diff --git a/app/coffeescripts/views/tinymce/InsertUpdateImageView.coffee b/app/coffeescripts/views/tinymce/InsertUpdateImageView.coffee
index f6963eabc2c..8836e6b4710 100644
--- a/app/coffeescripts/views/tinymce/InsertUpdateImageView.coffee
+++ b/app/coffeescripts/views/tinymce/InsertUpdateImageView.coffee
@@ -131,10 +131,10 @@ define [
       @setSelectedImage src: $(event.currentTarget).val()
 
     generateImageHtml: ->
-      img_tag = @editor.dom.createHTML("img", @getAttributes())
+      imgHtml = @editor.dom.createHTML("img", @getAttributes())
       if @flickr_link
-        img_tag = "<a href='#{@flickr_link}'>#{img_tag}</a>"
-      img_tag
+        imgHtml = "<a href='#{h @flickr_link}'>#{imgHtml}</a>"
+      imgHtml
         
     update: =>
       @editor.selection.moveToBookmark(@prevSelection)
diff --git a/app/coffeescripts/views/wiki/WikiPageReloadView.coffee b/app/coffeescripts/views/wiki/WikiPageReloadView.coffee
index 7deb9b84b55..8828e329958 100644
--- a/app/coffeescripts/views/wiki/WikiPageReloadView.coffee
+++ b/app/coffeescripts/views/wiki/WikiPageReloadView.coffee
@@ -7,7 +7,7 @@ define [
 
   class WikiPageReloadView extends Backbone.View
     setViewProperties: false
-    template: -> "<div class='alert alert-#{if @options.warning then 'warning' else 'info'} reload-changed-page'>#{@reloadMessage}</div>"
+    template: -> "<div class='alert alert-#{$.raw if @options.warning then 'warning' else 'info'} reload-changed-page'>#{$.raw @reloadMessage}</div>"
 
     defaults:
       modelAttributes: ['title', 'url', 'body']
diff --git a/app/coffeescripts/widget/ComboBox.coffee b/app/coffeescripts/widget/ComboBox.coffee
index 4080e4cce40..74bf1188900 100644
--- a/app/coffeescripts/widget/ComboBox.coffee
+++ b/app/coffeescripts/widget/ComboBox.coffee
@@ -116,7 +116,7 @@ define [
     # @api private
     # Build an <option> tag for an item.
     _buildOption: (item) =>
-      "<option value='#{@_value item}'>#{htmlEscape @_label item}</option>"
+      "<option value='#{htmlEscape @_value item}'>#{htmlEscape @_label item}</option>"
 
     ##
     # @api private
diff --git a/app/coffeescripts/widget/ContextSearch.coffee b/app/coffeescripts/widget/ContextSearch.coffee
index 801fd45830e..ab1f8396b8a 100644
--- a/app/coffeescripts/widget/ContextSearch.coffee
+++ b/app/coffeescripts/widget/ContextSearch.coffee
@@ -68,7 +68,8 @@ define [
       $name.append($b, $contextInfo)
       $span = $('<span />', class: 'details')
       if data.common_courses?
-        $span.html(@contextList(courses: data.common_courses, groups: data.common_groups))
+        contextListHtml = (@contextList(courses: data.common_courses, groups: data.common_groups))
+        $span.html contextListHtml
       else if data.user_count?
         $span.text(I18n.t('people_count', 'person', {count: data.user_count}))
       else if data.item_count?
diff --git a/app/coffeescripts/widget/CustomList.coffee b/app/coffeescripts/widget/CustomList.coffee
index bc3b13af170..e589c585990 100644
--- a/app/coffeescripts/widget/CustomList.coffee
+++ b/app/coffeescripts/widget/CustomList.coffee
@@ -97,10 +97,10 @@ define [
     animateGhost: (fromElement, toElement) ->
       from          = fromElement.offset()
       to            = toElement.offset()
-      clone         = fromElement.clone()
+      $clone        = fromElement.clone()
       from.position = 'absolute'
 
-      @ghost.append(clone)
+      @ghost.append($clone)
       @ghost.appendTo(@doc).css(from).animate to, @options.animationDuration, =>
         @ghost.detach().empty()
 
diff --git a/app/coffeescripts/widget/assignmentRubricDialog.coffee b/app/coffeescripts/widget/assignmentRubricDialog.coffee
index de48b271fd4..6a0f540b7ca 100644
--- a/app/coffeescripts/widget/assignmentRubricDialog.coffee
+++ b/app/coffeescripts/widget/assignmentRubricDialog.coffee
@@ -1,9 +1,10 @@
 define [
   'i18n!rubrics'
   'jquery'
+  'str/htmlEscape'
   'jqueryui/dialog'
   'vendor/jquery.ba-tinypubsub'
-], (I18n, $) ->
+], (I18n, $, htmlEscape) ->
 
   assignmentRubricDialog =
 
@@ -23,7 +24,7 @@ define [
     initDialog: ->
       @dialogInited = true
 
-      @$dialog = $("<div><h4>#{I18n.t 'loading', 'Loading...'}</h4></div>").dialog
+      @$dialog = $("<div><h4>#{htmlEscape I18n.t 'loading', 'Loading...'}</h4></div>").dialog
         title: I18n.t("titles.assignment_rubric_details", "Assignment Rubric Details")
         width: 600
         modal: false
diff --git a/app/coffeescripts/widget/slideshow.coffee b/app/coffeescripts/widget/slideshow.coffee
index c56091115ad..6c7c6e076b9 100644
--- a/app/coffeescripts/widget/slideshow.coffee
+++ b/app/coffeescripts/widget/slideshow.coffee
@@ -10,85 +10,85 @@ define [
     constructor: (title, slideshow) ->
       @title = title
       @slideshow = slideshow
-      @body = $('<li/>').addClass('slide')
-      @slideshow.slides.append(@body)
+      @$body = $('<li/>').addClass('slide')
+      @slideshow.slides.append(@$body)
 
       @prevSlide = @slideshow.slideObjects[@slideshow.slideObjects.length - 1]
       @prevSlide?.nextSlide = this
       @nextSlide = null
 
-      @indicator = $("<a/>").addClass('slide').attr('href', '#').attr('title', htmlEscape(@title)).html('&nbsp;')
-      @indicator.data('slide', this)
-      @slideshow.navigation.append(@indicator)
+      @$indicator = $("<a/>").addClass('slide').attr('href', '#').attr('title', htmlEscape(@title)).html('&nbsp;')
+      @$indicator.data('slide', this)
+      @slideshow.navigation.append(@$indicator)
       slide = this
-      @indicator.click ->
+      @$indicator.click ->
         slideshow.showSlide(slide)
         return false
 
       @hide()
 
     addParagraph: (text, klass) ->
-      paragraph = $("<p/>")
-      paragraph.addClass(klass) if klass?
-      paragraph.html(htmlEscape(text))
-      @body.append(paragraph)
+      $paragraph = $("<p/>")
+      $paragraph.addClass(klass) if klass?
+      $paragraph.html(htmlEscape(text))
+      @$body.append($paragraph)
 
     addImage: (src, klass, url) ->
-      image = $("<img/>").attr('src', src)
-      image.addClass(klass) if klass?
+      $image = $("<img/>").attr('src', src)
+      $image.addClass(klass) if klass?
       if url
-        link = $("<a/>").attr('href', url).attr('target', '_blank')
-        link.append(image)
-        @body.append(link)
+        $link = $("<a/>").attr('href', url).attr('target', '_blank')
+        $link.append($image)
+        @$body.append($link)
       else
-        @body.append(image)
+        @$body.append($image)
 
     show: ->
-      @body.show()
-      @indicator.addClass('current_slide')
+      @$body.show()
+      @$indicator.addClass('current_slide')
 
     hide: ->
-      @indicator.removeClass('current_slide')
-      @body.hide()
+      @$indicator.removeClass('current_slide')
+      @$body.hide()
 
   class Slideshow
     constructor: (id) ->
       slideshow = this
-      @dom = $('<div/>').attr('id', id)
+      @$dom = $('<div/>').attr('id', id)
 
-      @slides = $('<ul/>').addClass('slides')
-      @dom.append(@slides)
+      @$slides = $('<ul/>').addClass('slides')
+      @$dom.append(@$slides)
 
-      @separator = $("<div/>").addClass('separator')
-      @dom.append(@separator)
+      @$separator = $("<div/>").addClass('separator')
+      @$dom.append(@$separator)
 
-      @navigation = $("<div/>").addClass('navigation')
-      @dom.append(@navigation)
+      @$navigation = $("<div/>").addClass('navigation')
+      @$dom.append(@$navigation)
 
-      @backButton = $("<a/>").addClass('back').
+      @$backButton = $("<a/>").addClass('back').
         attr('href', '#').
-        attr('title', htmlEscape(I18n.t('titles.back', 'Back'))).
+        attr('title', I18n.t('titles.back', 'Back')).
         html('&nbsp;')
-      @navigation.append(@backButton)
-      @backButton.click ->
+      @$navigation.append(@$backButton)
+      @$backButton.click ->
         slideshow.showPrevSlide()
         return false
 
-      @forwardButton = $("<a/>").addClass('forward').
+      @$forwardButton = $("<a/>").addClass('forward').
         attr('href', '#').
-        attr('title', htmlEscape(I18n.t('titles.forward', 'Forward'))).
+        attr('title', I18n.t('titles.forward', 'Forward')).
         html('&nbsp;')
-      @navigation.append(@forwardButton)
-      @forwardButton.click ->
+      @$navigation.append(@$forwardButton)
+      @$forwardButton.click ->
         slideshow.showNextSlide()
         return false
 
-      @closeButton = $("<a/>").addClass('close').
+      @$closeButton = $("<a/>").addClass('close').
         attr('href', '#').
-        attr('title', htmlEscape(I18n.t('titles.close', 'Close'))).
+        attr('title', I18n.t('titles.close', 'Close')).
         html('&nbsp;')
-      @navigation.append(@closeButton)
-      @closeButton.click ->
+      @$navigation.append(@$closeButton)
+      @$closeButton.click ->
         slideshow.close()
         return false
 
@@ -102,7 +102,7 @@ define [
 
     start: ->
       @showSlide(@slideObjects[0])
-      @dialog = @dom.dialog
+      @$dialog = @$dom.dialog
         dialogClass: 'slideshow_dialog'
         height: 529
         width: 700
@@ -117,13 +117,13 @@ define [
           @slideShown = slide
           @slideShown.show()
         if @slideShown.prevSlide
-          @backButton.removeClass('inactive')
+          @$backButton.removeClass('inactive')
         else
-          @backButton.addClass('inactive')
+          @$backButton.addClass('inactive')
         if @slideShown.nextSlide
-          @forwardButton.removeClass('inactive')
+          @$forwardButton.removeClass('inactive')
         else
-          @forwardButton.addClass('inactive')
+          @$forwardButton.addClass('inactive')
 
     showPrevSlide: ->
       @showSlide(@slideShown?.prevSlide)
@@ -132,8 +132,8 @@ define [
       @showSlide(@slideShown?.nextSlide)
 
     close: ->
-      @dom.dialog('close')
-      @dom.hide()
+      @$dom.dialog('close')
+      @$dom.hide()
       @slideShown?.hide()
       @slideShown = null
 
diff --git a/app/coffeescripts/xhr/RemoteSelect.coffee b/app/coffeescripts/xhr/RemoteSelect.coffee
index bd26e5e06d5..2c26d9df09b 100644
--- a/app/coffeescripts/xhr/RemoteSelect.coffee
+++ b/app/coffeescripts/xhr/RemoteSelect.coffee
@@ -20,6 +20,10 @@
 # Populates a <select> element with data from an ajax call. Takes two arguments.
 # The first is a <select> element, the second is an options hash 
 
+###
+xsslint jqueryObject.property placeholder spinner
+###
+
 define [
   'jquery'
   'underscore'
diff --git a/package.json b/package.json
index 63122da2082..5de0270a633 100644
--- a/package.json
+++ b/package.json
@@ -15,18 +15,20 @@
     "react-tools": "0.11.2"
   },
   "devDependencies": {
-    "loom": "~2.0.0",
     "fleck": "~0.5.1",
-    "testem": "~0.3.30",
-    "karma-qunit": "~0.1.1",
+    "gglobby": "0.0.2",
     "karma": "~0.10.9",
-    "karma-safari-launcher": "~0.1.1",
-    "karma-opera-launcher": "~0.1.0",
+    "karma-coffee-preprocessor": "0.1.3",
     "karma-coverage": "~0.1.4",
-    "karma-ie-launcher": "~0.1.1",
-    "karma-osx-reporter": "0.0.4",
     "karma-firework-reporter": "~0.2.3",
-    "karma-coffee-preprocessor": "0.1.3"
+    "karma-ie-launcher": "~0.1.1",
+    "karma-opera-launcher": "~0.1.0",
+    "karma-osx-reporter": "0.0.4",
+    "karma-qunit": "~0.1.1",
+    "karma-safari-launcher": "~0.1.1",
+    "loom": "~2.0.0",
+    "testem": "~0.3.30",
+    "xsslint": "0.0.2"
   },
   "repository": {
     "type": "git",
diff --git a/public/javascripts/.xssignore b/public/javascripts/.xssignore
new file mode 100644
index 00000000000..ab8601a4d8f
--- /dev/null
+++ b/public/javascripts/.xssignore
@@ -0,0 +1,16 @@
+# top level, and plugin ones too
+jst
+/bower
+/jsx/.module-cache
+/jsx/sample.js
+/mediaelement
+/tinymce/jscripts/tiny_mce/langs
+/tinymce/jscripts/tiny_mce/plugins/*
+!/tinymce/jscripts/tiny_mce/plugins/instructure*
+/tinymce/jscripts/tiny_mce/themes
+/tinymce/jscripts/tiny_mce/tiny_mce*.js
+/tinymce/jscripts/tiny_mce/utils
+/vendor
+
+# need better hinting, skipping this atm due to false positives in vendor code
+/client_apps
diff --git a/public/javascripts/account_authorization_configs.js b/public/javascripts/account_authorization_configs.js
index 57bfb318761..61be4daefad 100644
--- a/public/javascripts/account_authorization_configs.js
+++ b/public/javascripts/account_authorization_configs.js
@@ -61,7 +61,7 @@ define([
   $('#discovery_url_config .delete_url').click(function(){
     $.ajaxJSON( $(this).data('url'), "DELETE", {}, function(){
       $('#discovery_url_input').val("");
-      $('#discovery_url_display').html(I18n.t('no_discovery_url', "None set"));
+      $('#discovery_url_display').text(I18n.t('no_discovery_url', "None set"));
     });
   });
 
@@ -78,4 +78,4 @@ define([
     $("#secondary_ldap_config_disabled").val("1");
     $(".add_secondary_ldap_link").show();
   });
-});  
\ No newline at end of file
+});  
diff --git a/public/javascripts/ajax_errors.js b/public/javascripts/ajax_errors.js
index c1407685932..08696f9787b 100644
--- a/public/javascripts/ajax_errors.js
+++ b/public/javascripts/ajax_errors.js
@@ -108,8 +108,8 @@ define([
       } catch(e) {}
       $.ajaxJSON(location.protocol + '//' + location.host + "/simple_response.json?rnd=" + Math.round(Math.random() * 9999999), 'GET', {}, function() {
         if ($.ajaxJSON.isUnauthenticated(request)) {
-          var message = I18n.t('errors.logged_out', "You are not currently logged in, possibly due to a long period of inactivity.")
-          message += "<br\/><a href='/login' target='_new'>" + I18n.t('links.login', 'Login') + "<\/a>";
+          var message = htmlEscape(I18n.t('errors.logged_out', "You are not currently logged in, possibly due to a long period of inactivity."))
+          message += "<br\/><a href='/login' target='_new'>" + htmlEscape(I18n.t('links.login', 'Login')) + "<\/a>";
           $.flashError({ html: message }, 30000);
         } else {
           ajaxErrorFlash(I18n.t('errors.unhandled', "Oops! The last request didn't work out."), request);
@@ -126,12 +126,12 @@ define([
                 window.frames[$obj.attr('id')].document;
         var $body = $(d).find("body");
         $body.html($("<h1 />").text(I18n.t('error_heading', 'Ajax Error: %{status_code}', {status_code: status})));
-        $body.append(text);
+        $body.append(htmlEscape(text));
         $("#instructure_ajax_error_box").hide();
         var pre = "";
         message = htmlEscape(message);
         if(debugOnly) {
-          message = message + "<br\/><span style='font-size: 0.7em;'>(Development Only)<\/span>";
+          message += "<br\/><span style='font-size: 0.7em;'>(Development Only)<\/span>";
         }
         if(debugOnly || INST.environment != "production") {
           message += "<br\/><a href='#' class='last_error_details_link'>" + htmlEscape(I18n.t('links.details', 'details...')) + "<\/a>";
@@ -161,7 +161,7 @@ define([
                   "&Platform="   + escape(navigator.platform) +
                   "&UserAgent="  + escape(navigator.userAgent) +
                   "&Params="     + escape(data.params || "unknown");
-        $("body").append("<img style='position: absolute; left: -1000px; top: 0;' src='" + INST.ajaxErrorURL + txt.substring(0, 2000) + "' />");
+        $("body").append("<img style='position: absolute; left: -1000px; top: 0;' src='" + htmlEscape(INST.ajaxErrorURL + txt.substring(0, 2000)) + "' />");
       }
     });
     $(".last_error_details_link").live('click', function(event) {
diff --git a/public/javascripts/assignments.js b/public/javascripts/assignments.js
index 9f66960d6f6..e66cf97ae23 100644
--- a/public/javascripts/assignments.js
+++ b/public/javascripts/assignments.js
@@ -152,7 +152,7 @@ define([
     if ( data.multiple_due_dates === "true" && id !== 'assignment_new' ) {
       var $dateInput = $form.find('.input-append');
       $dateInput.before($("<span class=vdd_no_edit>" +
-                           I18n.t('multiple_due_dates','Multiple Due Dates')+
+                           htmlEscape(I18n.t('multiple_due_dates','Multiple Due Dates'))+
                             "</span>"));
       $dateInput.hide();
       $form.find('.ui-datepicker-trigger').hide();
@@ -594,7 +594,7 @@ define([
       $(this).hide();
       $(this).parents(".assignment_group").find(".hide_info_link").show().end()
         .find(".more_info").show();
-      var rules = "";
+      var rulesHtml = "";
       var ruleData = $(this).parents(".assignment_group").find(".rules").text().split("\n");
       $.each(ruleData, function(idx, rule) {
         var parts = rule.split(":");
@@ -602,16 +602,16 @@ define([
           var rule_type = parts[0];
           var value = parts[1];
           if(rule_type == "drop_lowest") {
-            rules += htmlEscape(I18n.t('drop_lowest_scores', "Drop the Lowest %{number} Scores", {number: value})) + "<br/>";
+            rulesHtml += htmlEscape(I18n.t('drop_lowest_scores', "Drop the Lowest %{number} Scores", {number: value})) + "<br/>";
           } else if(rule_type == "drop_highest") {
-            rules += htmlEscape(I18n.t('drop_highest_scores', "Drop the Highest %{number} Scores", {number: value})) + "<br/>";
+            rulesHtml += htmlEscape(I18n.t('drop_highest_scores', "Drop the Highest %{number} Scores", {number: value})) + "<br/>";
           } else if(rule_type == "never_drop") {
             var title = $("#assignment_" + value).find(".title").text();
-            rules += htmlEscape(I18n.t('never_drop_scores', "Never Drop %{assignment_name}", {assignment_name: title})) + "<br/>";
+            rulesHtml += htmlEscape(I18n.t('never_drop_scores', "Never Drop %{assignment_name}", {assignment_name: title})) + "<br/>";
           }
         }
       });
-      $(this).parents(".assignment_group").find(".rule_details").html(rules);
+      $(this).parents(".assignment_group").find(".rule_details").html(rulesHtml);
     });
     $(".hide_info_link").click(function(event) {
       event.preventDefault();
diff --git a/public/javascripts/calendar.js b/public/javascripts/calendar.js
index f952fd678dd..6fb0aade61d 100644
--- a/public/javascripts/calendar.js
+++ b/public/javascripts/calendar.js
@@ -730,7 +730,7 @@ define([
     data.description = $event.data('description');
     $box.fillTemplateData({data: data, htmlValues: ['description']});
     if (data.lock_info) {
-      $box.find(".lock_explanation").html(INST.lockExplanation(data.lock_info, 'assignment'));
+      $box.find(".lock_explanation").html(htmlEscape(INST.lockExplanation(data.lock_info, 'assignment')));
     }
     if ($editEvent.data('dialog')) $editEvent.dialog('close');
     $box.find(".description").css("max-height", Math.max($(window).height() - 200, 150));
diff --git a/public/javascripts/content_exports.js b/public/javascripts/content_exports.js
index 90c93cba2d1..ade2b3bea14 100644
--- a/public/javascripts/content_exports.js
+++ b/public/javascripts/content_exports.js
@@ -18,10 +18,11 @@
 define([
   'i18n!content_exports',
   'jquery' /* $ */,
+  'str/htmlEscape',
   'jquery.ajaxJSON' /* ajaxJSON */,
   'jquery.instructure_forms' /* formSubmit */,
   'jqueryui/progressbar' /* /\.progressbar/ */
-], function(I18n, $) {
+], function(I18n, $, htmlEscape) {
 
 $(document).ready(function(event) {
   var state = 'nothing';
@@ -30,7 +31,7 @@ $(document).ready(function(event) {
       $exporter_form = $('#exporter_form');
 
   function startPoll() {
-    $exporter_form.html(I18n.t('messages.processing', "Processing") + "<div style='font-size: 0.8em;'>" + I18n.t('messages.this_may_take_a_bit', "this may take a bit...") + "</div>")
+    $exporter_form.html(htmlEscape(I18n.t('messages.processing', "Processing")) + "<div style='font-size: 0.8em;'>" + htmlEscape(I18n.t('messages.this_may_take_a_bit', "this may take a bit...")) + "</div>")
        .attr('disabled', true);
     $(".instruction").hide();
     $(".progress_bar_holder").slideDown();
@@ -65,14 +66,14 @@ $(document).ready(function(event) {
         if(content_export.workflow_state == 'exported') {
           $exporter_form.hide();
           $(".export_progress").progressbar('option', 'value', 100);
-          $(".progress_message").html("Your content has been exported.");
-          $("#export_files").append('<p>' + I18n.t('labels.new_export', "New Export:") + ' <a href="' + content_export.download_url + '">' + I18n.t('links.download_plain', "Click here to download") + '</a> </p>')
+          $(".progress_message").text(I18n.t("Your content has been exported."));
+          $("#export_files").append('<p>' + htmlEscape(I18n.t('labels.new_export', "New Export:")) + ' <a href="' + htmlEscape(content_export.download_url) + '">' + htmlEscape(I18n.t('links.download_plain', "Click here to download")) + '</a> </p>')
         } else if(content_export.workflow_state == 'failed') {
           code = "content_export_" + content_export.id;
           $(".progress_bar_holder").hide();
           $exporter_form.hide();
           var message = I18n.t('errors.error', "There was an error exporting your content.  Please notify your system administrator and give them the following export identifier: \"%{code}\"", {code: code});
-          $(".export_messages .error_message").html(message);
+          $(".export_messages .error_message").text(message);
           $(".export_messages").show();
         } else {
           if(progress == lastProgress) {
diff --git a/public/javascripts/content_imports.js b/public/javascripts/content_imports.js
index 4482c9e4755..b602e5d84ad 100644
--- a/public/javascripts/content_imports.js
+++ b/public/javascripts/content_imports.js
@@ -193,7 +193,8 @@ define([
         }
         folderNames = folderNames.sort();
         for (var idx in folderNames) {
-          $("#copy_files_list").append(folders[folderNames[idx]]);
+          var $folder = folders[folderNames[idx]];
+          $("#copy_files_list").append($folder);
         }
       }
       populateItem(null, null, null, null);
diff --git a/public/javascripts/content_locks.js b/public/javascripts/content_locks.js
index 39c9e025307..70aae5e6c95 100644
--- a/public/javascripts/content_locks.js
+++ b/public/javascripts/content_locks.js
@@ -82,10 +82,10 @@ define([
       }
       if ($("#context_modules_url").length > 0) {
         html += "<br/>";
-        html += "<a href='" + $("#context_modules_url").attr('href') + "'>";
-        html += I18n.t('messages.visit_modules_page_for_details', "Visit the modules page for information on how to unlock this content.");
+        html += "<a href='" + htmlEscape($("#context_modules_url").attr('href')) + "'>";
+        html += htmlEscape(I18n.t('messages.visit_modules_page_for_details', "Visit the modules page for information on how to unlock this content."));
         html += "</a>";
-        return html;
+        return $.raw(html);
       }
     }
     else {
@@ -113,7 +113,7 @@ define([
         var data = $(this).data('lock_reason');
         var type = data.type;
         var $reason = $("<div/>");
-        $reason.html(INST.lockExplanation(data, type));
+        $reason.html(htmlEscape(INST.lockExplanation(data, type)));
         var $dialog = $("#lock_reason_dialog");
         if($dialog.length === 0) {
           $dialog = $("<div/>").attr('id', 'lock_reason_dialog');
diff --git a/public/javascripts/context_modules.js b/public/javascripts/context_modules.js
index 1c6ce73f6a2..678b15bd312 100644
--- a/public/javascripts/context_modules.js
+++ b/public/javascripts/context_modules.js
@@ -266,7 +266,7 @@ define([
           moduleSelectOptions.push('<option value="' + id + '">' + htmlEscape(name) + '</option>');
         });
         $('#move_module_item_module_select').empty();
-        $('#move_module_item_module_select').append(moduleSelectOptions.join(''));
+        $('#move_module_item_module_select').append($.raw(moduleSelectOptions.join('')));
 
         // Trigger the change to make sure the list is initally populated.
         $('#move_module_item_module_select').trigger('change');
@@ -307,7 +307,7 @@ define([
 
         var data = $module.getTemplateData({textValues: ['name', 'unlock_at', 'require_sequential_progress', 'publish_final_grade']});
         $('#move_context_module_select').empty();
-        $('#move_context_module_select').append(selectOptions.join(''));
+        $('#move_context_module_select').append($.raw(selectOptions.join('')));
         //$form.fillFormData(data, {object_name: 'context_module'});
         $form.dialog({
           autoOpen: false,
@@ -960,7 +960,7 @@ define([
         var name = $(item).children().find('span.title').text();
         selectItemOptions.push('<option value="' + id + '">' + htmlEscape(name) + '</option>');
       });
-      $('#move_module_item_select').append(selectItemOptions.join(''));
+      $('#move_module_item_select').append($.raw(selectItemOptions.join('')));
 
       // The case where the module has no items.
       if ($('#move_module_item_select').children().length === 0) {
@@ -1550,7 +1550,7 @@ define([
           });
           $row.find(".still_need_completing")
             .append("<b>"+htmlEscape(I18n.t('still_needs_completing', 'Still Needs to Complete'))+"</b><br/>")
-            .append(unfulfilled.join("<br/>"));
+            .append($.raw(unfulfilled.join("<br/>")));
         }
         $row.removeClass('locked').removeClass('in_progress').removeClass('completed')
           .addClass(type);
diff --git a/public/javascripts/course_settings.js b/public/javascripts/course_settings.js
index 349dc589f17..a6fa1d27e20 100644
--- a/public/javascripts/course_settings.js
+++ b/public/javascripts/course_settings.js
@@ -52,22 +52,22 @@ define([
           $publish_grades_error = $("#publish_grades_error");
       if (GradePublishing.status == 'published') {
         $publish_grades_error.hide();
-        $publish_grades_link.html(I18n.t('links.republish', "Republish grades to SIS"));
+        $publish_grades_link.text(I18n.t('links.republish', "Republish grades to SIS"));
         $publish_grades_link.removeClass("disabled");
       } else if (GradePublishing.status == 'publishing' || GradePublishing.status == 'pending') {
         $publish_grades_error.hide();
-        $publish_grades_link.html(I18n.t('links.publishing', "Publishing grades to SIS..."));
+        $publish_grades_link.text(I18n.t('links.publishing', "Publishing grades to SIS..."));
         if (!requestInProgress) {
           setTimeout(GradePublishing.checkup, 5000);
         }
         $publish_grades_link.addClass("disabled");
       } else if (GradePublishing.status == 'unpublished') {
         $publish_grades_error.hide();
-        $publish_grades_link.html(I18n.t('links.publish', "Publish grades to SIS"));
+        $publish_grades_link.text(I18n.t('links.publish', "Publish grades to SIS"));
         $publish_grades_link.removeClass("disabled");
       } else {
         $publish_grades_error.show();
-        $publish_grades_link.html(I18n.t('links.republish', "Republish grades to SIS"));
+        $publish_grades_link.text(I18n.t('links.republish', "Republish grades to SIS"));
         $publish_grades_link.removeClass("disabled");
       }
       $messages = $("#publish_grades_messages");
diff --git a/public/javascripts/datagrid.js b/public/javascripts/datagrid.js
index 81098b83a06..9cf57f8a661 100644
--- a/public/javascripts/datagrid.js
+++ b/public/javascripts/datagrid.js
@@ -16,6 +16,8 @@
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
+// xsslint jqueryObject.method _createCell _templateCellHTML
+
 define([
   'INST' /* INST */,
   'jquery' /* $ */,
diff --git a/public/javascripts/eportfolio.js b/public/javascripts/eportfolio.js
index fbb68fa8e16..b8782fe7773 100644
--- a/public/javascripts/eportfolio.js
+++ b/public/javascripts/eportfolio.js
@@ -199,7 +199,7 @@ define([
             if(section_type == "rich_text") { 
               code = $(this).find(".edit_section").editorBox('get_code');
             }
-            $(this).find(".section_content").html(code);
+            $(this).find(".section_content").html($.raw(code));
           } else if(!$(this).hasClass('read_only')) {
             $(this).remove();
           }
@@ -416,7 +416,7 @@ define([
       },
       error: function(data) {
         var $section = $(this).data("section");
-        $section.find(".uploading_file").html(I18n.t('errors.upload_failed', "Upload Failed."));
+        $section.find(".uploading_file").text(I18n.t('errors.upload_failed', "Upload Failed."));
         $section.addClass('failed');
         $section.formErrors(data.errors || data);
       }
diff --git a/public/javascripts/full_files.js b/public/javascripts/full_files.js
index f01e6c5a8c3..e1af32ab044 100644
--- a/public/javascripts/full_files.js
+++ b/public/javascripts/full_files.js
@@ -192,7 +192,7 @@ define([
                       importFailed(zfi.data.errors);
                     } else if(zfi && zfi.workflow_state == 'imported') {
                       $progress.progressbar('value', 100);
-                      $dialog.append(I18n.t('messages.extraction_complete', "Extraction complete!  Updating..."));
+                      $dialog.append(htmlEscape(I18n.t('messages.extraction_complete', "Extraction complete!  Updating...")));
                       files.refreshContext(folder.context_string, function() {
                         $dialog.dialog('close');
                       });
@@ -587,6 +587,7 @@ define([
           $(ui.helper).find(".header .sub_header").html("&nbsp;");
         }
       },
+      // xsslint jqueryObject.method breadcrumb
       breadcrumb: function() {
         var folders = location.hash.substring(1).replace(/\/\//g, "\\").split("/");
         var $crumbs = $("<div/>");
@@ -1413,11 +1414,11 @@ define([
             if(node.hasClass('node')) {
               var folder_url = $.replaceTags($("." + data.context_string + "_folder_url").attr('href'), 'id', data.id);
               var cancelled = false;
-              var $no_content = $("<li class='message'>" + I18n.t('messages.folder_empty', "Nothing in this Folder") + "</li>");
+              var $no_content = $("<li class='message'>" + htmlEscape(I18n.t('messages.folder_empty', "Nothing in this Folder")) + "</li>");
               if(node.hasClass('folder')) {
                 if(!data || !data.permissions || !data.permissions.read_contents) {
                   $files_content.find(".content_panel:last")
-                                .after("<li class='message'>" + I18n.t('messages.access_denied', "You cannot read the contents of this folder.") + "</li>");
+                                .after("<li class='message'>" + htmlEscape(I18n.t('messages.access_denied', "You cannot read the contents of this folder.")) + "</li>");
                   cancelled = true;
                 } else {
                   // add a control panel to the top for adding files, folders to this
diff --git a/public/javascripts/grade_summary.js b/public/javascripts/grade_summary.js
index bc0bd4e2235..854d39798bb 100644
--- a/public/javascripts/grade_summary.js
+++ b/public/javascripts/grade_summary.js
@@ -23,13 +23,14 @@ define([
   'underscore',
   'compiled/grade_calculator',
   'compiled/util/round',
+  'str/htmlEscape',
   'jquery.ajaxJSON' /* ajaxJSON */,
   'jquery.instructure_forms' /* getFormData */,
   'jquery.instructure_misc_helpers' /* replaceTags, scrollSidebar */,
   'jquery.instructure_misc_plugins' /* showIf */,
   'jquery.templateData' /* fillTemplateData, getTemplateData */,
   'media_comments' /* mediaComment, mediaCommentThumbnail */
-], function(INST, I18n, $, _, GradeCalculator, round) {
+], function(INST, I18n, $, _, GradeCalculator, round, htmlEscape) {
 
   function updateStudentGrades() {
     var ignoreUngradedSubmissions = $("#only_consider_graded_assignments").attr('checked');
@@ -147,8 +148,8 @@ define([
       if (!$(this).find('.grade').data('originalValue')){
         $(this).find('.grade').data('originalValue', $(this).find('.grade').html());
       }
-      var screenreader_link_clone = $(this).find('.screenreader-only').clone(true);
-      $(this).find('.grade').data("screenreader_link", screenreader_link_clone);
+      var $screenreader_link_clone = $(this).find('.screenreader-only').clone(true);
+      $(this).find('.grade').data("screenreader_link", $screenreader_link_clone);
       $(this).find('.grade').empty().append($("#grade_entry"));
       $(this).find('.score_value').hide();
       var val = $(this).parents('.student_assignment').find('.score').text();
@@ -212,10 +213,10 @@ define([
       }
       if (val === 0) { val = '0.0'; }
       if (val === originalVal) { val = originalScore; }
-      $assignment.find('.grade').html(val || $assignment.find('.grade').data('originalValue'));
+      $assignment.find('.grade').html($.raw(htmlEscape(val) || $assignment.find('.grade').data('originalValue')));
       if (!isChanged) {
-        var screenreader_link_clone = $assignment.find('.grade').data("screenreader_link");
-        $assignment.find('.grade').prepend(screenreader_link_clone);
+        var $screenreader_link_clone = $assignment.find('.grade').data("screenreader_link");
+        $assignment.find('.grade').prepend($screenreader_link_clone);
       }
 
       updateScoreForAssignment(assignment_id, val);
@@ -255,8 +256,8 @@ define([
       if(!skipEval) {
         updateStudentGrades();
       }
-      var screenreader_link_clone = $assignment.find('.grade').data("screenreader_link");
-      $assignment.find('.grade').prepend(screenreader_link_clone);
+      var $screenreader_link_clone = $assignment.find('.grade').data("screenreader_link");
+      $assignment.find('.grade').prepend($screenreader_link_clone);
       setTimeout(function() { $assignment.find(".grade").focus();}, 0);
     });
     $("#grades_summary:not(.editable) .assignment_score").css('cursor', 'default');
diff --git a/public/javascripts/groups.js b/public/javascripts/groups.js
index 4c3e63786f7..4f760fc08af 100644
--- a/public/javascripts/groups.js
+++ b/public/javascripts/groups.js
@@ -80,7 +80,7 @@ define([
         return;
       }
       $member_list = $('<ul/>').addClass('member_list');
-      var $loader = $('<li/>').addClass('loader').html(I18n.t('loading', 'loading group roster...'));
+      var $loader = $('<li/>').addClass('loader').text(I18n.t('loading', 'loading group roster...'));
       $member_list.append($loader);
       $member_list.pageless({
         container: $member_list,
@@ -92,7 +92,7 @@ define([
         scrape: function(data, xhr) {
           students = $.parseJSON(data)
           for (idx in students) {
-            $('<li/>').addClass('student').html(students[idx].display_name).insertBefore($loader);
+            $('<li/>').addClass('student').text(students[idx].display_name).insertBefore($loader);
           }
           return '';
         }
diff --git a/public/javascripts/instructure.js b/public/javascripts/instructure.js
index 12a7dd5255c..8b0cff92d20 100644
--- a/public/javascripts/instructure.js
+++ b/public/javascripts/instructure.js
@@ -324,15 +324,15 @@ define([
             .addClass('external')
             .html('<span>' + $(this).html() + '</span>')
             .attr('target', '_blank')
-            .append('<span aria-hidden="true" class="ui-icon ui-icon-extlink ui-icon-inline" title="' + externalLink + '"/>')
-            .append('<span class="screenreader-only">&nbsp;(' + externalLink + ')</span>');
+            .append('<span aria-hidden="true" class="ui-icon ui-icon-extlink ui-icon-inline" title="' + $.raw(externalLink) + '"/>')
+            .append('<span class="screenreader-only">&nbsp;(' + $.raw(externalLink) + ')</span>');
         }).end()
           .find("a.instructure_file_link").each(function() {
               var $link = $(this),
                   $span = $("<span class='instructure_file_link_holder link_holder'/>");
               $link.removeClass('instructure_file_link').before($span).appendTo($span);
               if($link.attr('target') != '_blank') {
-            $span.append("<a href='" + $link.attr('href') + "' target='_blank' title='" + htmlEscape(I18n.t('titles.view_in_new_window', "View in a new window")) +
+            $span.append("<a href='" + htmlEscape($link.attr('href')) + "' target='_blank' title='" + htmlEscape(I18n.t('titles.view_in_new_window', "View in a new window")) +
                 "' style='padding-left: 5px;'><img src='/images/popout.png' alt='" + htmlEscape(I18n.t('titles.view_in_new_window', "View in a new window")) + "'/></a>");
           }
         });
@@ -341,7 +341,7 @@ define([
           var $link = $(this);
           if ( $.trim($link.text()) ) {
             var $span = $("<span class='instructure_scribd_file_holder link_holder'/>"),
-                        $scribd_link = $("<a class='scribd_file_preview_link' aria-hidden='true' tabindex='-1' href='" + $link.attr('href') + "' title='" + htmlEscape(I18n.t('titles.preview_document', "Preview the document")) +
+                        $scribd_link = $("<a class='scribd_file_preview_link' aria-hidden='true' tabindex='-1' href='" + htmlEscape($link.attr('href')) + "' title='" + htmlEscape(I18n.t('titles.preview_document', "Preview the document")) +
                             "' style='padding-left: 5px;'><img src='/images/preview.png' alt='" + htmlEscape(I18n.t('titles.preview_document', "Preview the document")) + "'/></a>");
                     $link.removeClass('instructure_scribd_file').before($span).appendTo($span);
                     $span.append($scribd_link);
@@ -364,10 +364,10 @@ define([
               id = $.youTubeID(href || "");
           if($link.hasClass('inline_disabled')) {
           } else if(id) {
-            var $after = $('<a href="'+ href +'" class="youtubed"><img src="/images/play_overlay.png" class="media_comment_thumbnail" style="background-image: url(//img.youtube.com/vi/' + id + '/2.jpg)"/></a>')
+            var $after = $('<a href="'+ htmlEscape(href) +'" class="youtubed"><img src="/images/play_overlay.png" class="media_comment_thumbnail" style="background-image: url(//img.youtube.com/vi/' + htmlEscape(id) + '/2.jpg)"/></a>')
               .click(function(event) {
                 event.preventDefault();
-                var $video = $("<span class='youtube_holder' style='display: block;'><object width='425' height='344'><param name='wmode' value='opaque'></param><param name='movie' value='//www.youtube.com/v/" + id + "&autoplay=1&hl=en_US&fs=1&'></param><param name='allowFullScreen' value='true'></param><param name='allowscriptaccess' value='always'></param><embed src='//www.youtube.com/v/" + id + "&autoplay=1&hl=en_US&fs=1&' type='application/x-shockwave-flash' allowscriptaccess='always' allowfullscreen='true' width='425' height='344' wmode='opaque'></embed></object><br/><a href='#' style='font-size: 0.8em;' class='hide_youtube_embed_link'>" + htmlEscape(I18n.t('links.minimize_youtube_video', "Minimize Video")) + "</a></span>");
+                var $video = $("<span class='youtube_holder' style='display: block;'><object width='425' height='344'><param name='wmode' value='opaque'></param><param name='movie' value='//www.youtube.com/v/" + htmlEscape(id) + "&autoplay=1&hl=en_US&fs=1&'></param><param name='allowFullScreen' value='true'></param><param name='allowscriptaccess' value='always'></param><embed src='//www.youtube.com/v/" + htmlEscape(id) + "&autoplay=1&hl=en_US&fs=1&' type='application/x-shockwave-flash' allowscriptaccess='always' allowfullscreen='true' width='425' height='344' wmode='opaque'></embed></object><br/><a href='#' style='font-size: 0.8em;' class='hide_youtube_embed_link'>" + htmlEscape(I18n.t('links.minimize_youtube_video', "Minimize Video")) + "</a></span>");
                 $video.find(".hide_youtube_embed_link").click(function(event) {
                   event.preventDefault();
                   $video.remove();
diff --git a/public/javascripts/jquery.doc_previews.js b/public/javascripts/jquery.doc_previews.js
index 48a690b3e47..1ead9a8665c 100644
--- a/public/javascripts/jquery.doc_previews.js
+++ b/public/javascripts/jquery.doc_previews.js
@@ -126,7 +126,7 @@ define([
             url: opts.public_url
           });
           if (!opts.ajax_valid || opts.ajax_valid()){
-            $('<iframe src="' + googleDocPreviewUrl + '" height="' + opts.height  + '" width="100%" />')
+            $('<iframe src="' + htmlEscape(googleDocPreviewUrl) + '" height="' + opts.height  + '" width="100%" />')
               .appendTo($this)
               .load(function(){
                 tellAppIViewedThisInline('google');
diff --git a/public/javascripts/jquery.dropdownList.js b/public/javascripts/jquery.dropdownList.js
index c27a5b89839..90301d7dd8f 100644
--- a/public/javascripts/jquery.dropdownList.js
+++ b/public/javascripts/jquery.dropdownList.js
@@ -88,9 +88,9 @@ define([
         $div.find(".list").css('maxHeight', options.height); 
       }
       $list.empty();
-      $.each(options.options, function(optionName, callback){
+      $.each(options.options, function(optionHtml, callback){
         var $option = $("<div class='option minimal' style='cursor: pointer; padding: 2px 5px; overflow: hidden; white-space: nowrap;'>" +
-                        "  <span tabindex='-1'>" + optionName + "</span>" +
+                        "  <span tabindex='-1'>" + optionHtml + "</span>" +
                         "</div>").appendTo($list);
 
         if($.isFunction(callback)) {
diff --git a/public/javascripts/jquery.inst_tree.js b/public/javascripts/jquery.inst_tree.js
index 945b12413f9..97593f856da 100644
--- a/public/javascripts/jquery.inst_tree.js
+++ b/public/javascripts/jquery.inst_tree.js
@@ -15,12 +15,15 @@
  * You should have received a copy of the GNU Affero General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
+
+// xsslint jqueryObject.identifier tree
 define([
   'jquery' /* $ */,
   'underscore',
+  'str/htmlEscape',
   'jqueryui/draggable' /* /\.draggable/ */,
   'jqueryui/droppable' /* /\.droppable/ */
-], function($,_) {
+], function($, _, htmlEscape) {
   $.fn.instTree = function(options) {
     return $(this).each(function() {
       var binded = false;
@@ -48,13 +51,13 @@ define([
       $.fn.instTree.InitInstTree = function(obj) {
         tree = $(obj);
 
-        var sep = '<li class="separator"></li>';
+        var $sep = '<li class="separator"></li>';
 
         tree.find('li:not(.separator)').filter(function() {
           return !(($(this).prev('li.separator').get(0)) || ($(this).parents('ul.non-instTree').get(0)));
         })
         .each(function() {
-          $(this).before(sep);
+          $(this).before($sep);
         });
 
         tree.find('li > span').not('.sign').not('.clr').addClass('text').attr('unselectable', 'on');
@@ -90,7 +93,7 @@ define([
           cursor: ($.browser.msie) ? 'default': 'move',
           distance: 3,
           helper: function() {
-            return $('<div id="instTree-drag"><span>' + $(this).text() + '</span></div>');
+            return $('<div id="instTree-drag"><span>' + $(this).html() + '</span></div>');
           },
           appendTo: tree
         });
@@ -187,6 +190,7 @@ define([
           var lin = $(activeElement).parents('li.node:first');
 
           if ((!lin.is('.fixedLevel')) || (type != 'node')) {
+          // xsslint safeString.identifier ncont cn
           var cn = (type == 'leaf') ? '': ' class="node"';
 
           var sep = '<li class="separator"></li>';
@@ -247,7 +251,7 @@ define([
         if (activeElement) {
           var li = $(activeElement).parents('li:first');
 
-          $(activeElement).replaceWith('<span class="text">&nbsp;</span><input type="text" value="' + $(activeElement).text() + '" />');
+          $(activeElement).replaceWith('<span class="text">&nbsp;</span><input type="text" value="' + htmlEscape($(activeElement).text()) + '" />');
 
           li.find('input:text').focus().select().blur(function() {
             it.SaveInput(obj, $(this));
@@ -282,7 +286,7 @@ define([
 
         var val = ($.trim(input.get(0).value) !== '') ? input.get(0).value: '_____';
 
-        input.replaceWith('<span class="active text">' + val + '</span>');
+        input.replaceWith('<span class="active text">' + htmlEscape(val) + '</span>');
 
         $.fn.instTree.InitInstTree(obj);
       };//SaveInput
diff --git a/public/javascripts/jquery.instructure_date_and_time.js b/public/javascripts/jquery.instructure_date_and_time.js
index d6341af279d..80586c43383 100644
--- a/public/javascripts/jquery.instructure_date_and_time.js
+++ b/public/javascripts/jquery.instructure_date_and_time.js
@@ -249,7 +249,7 @@ var speakMessage = function ($this, message) {
       var ampm = inst.input.data('time-ampm') || "";
       var selectedAM = (ampm == "am") ? "selected" : "";
       var selectedPM = (ampm == "pm") ? "selected" : "";
-      html += "<div class='ui-datepicker-time ui-corner-bottom'><label for='ui-datepicker-time-hour'>" + htmlEscape(I18n.beforeLabel(I18n.t('labels.datepicker.time', "Time"))) + "</label> <input id='ui-datepicker-time-hour' type='text' value='" + hr + "' title='hr' class='ui-datepicker-time-hour' style='width: 20px;'/>:<input type='text' value='" + min + "' title='min' class='ui-datepicker-time-minute' style='width: 20px;'/> <select class='ui-datepicker-time-ampm un-bootrstrapify' title='" + htmlEscape(I18n.t('datepicker.titles.am_pm', "am/pm")) + "'><option value=''>&nbsp;</option><option value='am' " + selectedAM + ">" + htmlEscape(I18n.t('#time.am', "am")) + "</option><option value='pm' " + selectedPM + ">" + htmlEscape(I18n.t('#time.pm', "pm")) + "</option></select>&nbsp;&nbsp;&nbsp;<button type='button' class='btn btn-mini ui-datepicker-ok'>" + htmlEscape(I18n.t('#buttons.done', "Done")) + "</button></div>";
+      html += "<div class='ui-datepicker-time ui-corner-bottom'><label for='ui-datepicker-time-hour'>" + htmlEscape(I18n.beforeLabel(I18n.t('labels.datepicker.time', "Time"))) + "</label> <input id='ui-datepicker-time-hour' type='text' value='" + htmlEscape(hr) + "' title='hr' class='ui-datepicker-time-hour' style='width: 20px;'/>:<input type='text' value='" + htmlEscape(min) + "' title='min' class='ui-datepicker-time-minute' style='width: 20px;'/> <select class='ui-datepicker-time-ampm un-bootrstrapify' title='" + htmlEscape(I18n.t('datepicker.titles.am_pm', "am/pm")) + "'><option value=''>&nbsp;</option><option value='am' " + htmlEscape(selectedAM) + ">" + htmlEscape(I18n.t('#time.am', "am")) + "</option><option value='pm' " + htmlEscape(selectedPM) + ">" + htmlEscape(I18n.t('#time.pm', "pm")) + "</option></select>&nbsp;&nbsp;&nbsp;<button type='button' class='btn btn-mini ui-datepicker-ok'>" + htmlEscape(I18n.t('#buttons.done', "Done")) + "</button></div>";
     }
     return html;
   };
diff --git a/public/javascripts/jquery.instructure_forms.js b/public/javascripts/jquery.instructure_forms.js
index 35e828197bd..79d7a4f6b3b 100644
--- a/public/javascripts/jquery.instructure_forms.js
+++ b/public/javascripts/jquery.instructure_forms.js
@@ -222,7 +222,7 @@ define([
         });
       } else if(doUploadFile) {
         var id            = _.uniqueId(formId + "_"),
-            $frame        = $("<div style='display: none;' id='box_" + id + "'><iframe id='frame_" + id + "' name='frame_" + id + "' src='about:blank' onload='$(\"#frame_" + id + "\").triggerHandler(\"form_response_loaded\");'></iframe>")
+            $frame        = $("<div style='display: none;' id='box_" + htmlEscape(id) + "'><iframe id='frame_" + htmlEscape(id) + "' name='frame_" + htmlEscape(id) + "' src='about:blank' onload='$(\"#frame_" + htmlEscape(id) + "\").triggerHandler(\"form_response_loaded\");'></iframe>")
                                 .appendTo("body").find("#frame_" + id),
             formMethod    = method,
             priorTarget   = $form.attr('target'),
@@ -515,6 +515,7 @@ define([
     }
     if(window.FormData && !hasFakeFile) {
       var fd = new FormData();
+      // xsslint xssable.receiver.whitelist fd
       for(var idx in params) {
         var param = params[idx];
         if(window.FileList && (param instanceof FileList)) {
@@ -935,17 +936,17 @@ define([
       if($form.find(":input[name='" + i + "'],:input[name*='[" + i + "]']").length > 0) {
         $.each(val, function(idx, msg) {
           if(!errors[i]) {
-            errors[i] = msg;
+            errors[i] = htmlEscape(msg);
           } else {
-            errors[i] += "<br/>" + msg;
+            errors[i] += "<br/>" + htmlEscape(msg);
           }
         });
       } else {
         $.each(val, function(idx, msg) {
           if(!errors.general) {
-            errors.general = msg;
+            errors.general = htmlEscape(msg);
           } else {
-            errors.general += "<br/>" + msg;
+            errors.general += "<br/>" + htmlEscape(msg);
           }
         });
       }
@@ -966,7 +967,7 @@ define([
       }
       errorDetails[name] = {object: $obj, message: msg};
       hasErrors = true;
-      var offset = $obj.errorBox(msg).offset();
+      var offset = $obj.errorBox($.raw(msg)).offset();
       if (offset.top > highestTop) {
         highestTop = offset.top;
       }
@@ -1010,7 +1011,7 @@ define([
       var $box = $template.clone(true).attr('id', '').css('zIndex', $obj.zIndex() + 1).appendTo("body");
 
       // If our message happens to be a safe string, parse it as such. Otherwise, clean it up. //
-      $box.find(".error_text").html(htmlEscape(message).toString());
+      $box.find(".error_text").html(htmlEscape(message));
 
       var offset = $obj.offset();
       var height = $box.outerHeight();
diff --git a/public/javascripts/jquery.instructure_misc_helpers.js b/public/javascripts/jquery.instructure_misc_helpers.js
index 3e484bddcd2..b5e4e61a947 100644
--- a/public/javascripts/jquery.instructure_misc_helpers.js
+++ b/public/javascripts/jquery.instructure_misc_helpers.js
@@ -71,6 +71,18 @@ define([
   $.raw = function(str) {
     return new htmlEscape.SafeString(str);
   }
+  // ensure the jquery html setters don't puke if given a SafeString
+  $.each(["html", "append", "prepend"], function(idx, method) {
+    var orig = $.fn[method];
+    $.fn[method] = function() {
+      var args = [].slice.call(arguments);
+      for (var i = 0, len = args.length; i < len; i++) {
+        if (args[i] instanceof htmlEscape.SafeString)
+          args[i] = args[i].toString();
+      }
+      return orig.apply(this, args);
+    }
+  });
 
   $.replaceOneTag = function(text, name, value) {
     if(!text) { return text; }
@@ -295,7 +307,7 @@ define([
         event.stopPropagation();
         var now = new Date();
         $dialog.find("button").attr('disabled', true);
-        $dialog.find(".results").empty().append(I18n.t('status.searching', "Searching..."));
+        $dialog.find(".results").empty().append(htmlEscape(I18n.t('status.searching', "Searching...")));
         $dialog.bind('search_results', function(event, data) {
           $dialog.find("button").attr('disabled', false);
           if(data && data.photos && data.photos.photo) {
diff --git a/public/javascripts/jquery.instructure_misc_plugins.js b/public/javascripts/jquery.instructure_misc_plugins.js
index d79b0567444..be3f1ba7759 100644
--- a/public/javascripts/jquery.instructure_misc_plugins.js
+++ b/public/javascripts/jquery.instructure_misc_plugins.js
@@ -35,11 +35,11 @@ define([
     }
 
     options.forEach( function(opt) {
-      escOpt = htmlEscape(opt);
-      result += "<option value=\"" + escOpt + "\">" + escOpt + "</option>";
+      var optHtml = htmlEscape(opt);
+      result += "<option value=\"" + optHtml + "\">" + optHtml + "</option>";
     });
 
-    return this.html(result);
+    return this.html($.raw(result));
   }
 
   // this function is to prevent you from doing all kinds of expesive operations on a
@@ -394,8 +394,7 @@ define([
             if (val === (val = input.val())) {return;}
 
             // Enter new content into testSubject
-            var escaped = val.replace(/&/g, '&amp;').replace(/\s/g,'&nbsp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
-            testSubject.html(escaped);
+            testSubject.text(val);
 
             // Calculate new width + whether to change
             var testerWidth = testSubject.width(),
diff --git a/public/javascripts/jquery.templateData.js b/public/javascripts/jquery.templateData.js
index 4dc297e0cf1..78ee963d14b 100644
--- a/public/javascripts/jquery.templateData.js
+++ b/public/javascripts/jquery.templateData.js
@@ -64,7 +64,7 @@ define([
                 options.data[item] = "";
               }
               if(options.htmlValues && $.inArray(item, options.htmlValues) != -1) {
-                $found.html(options.data[item].toString());
+                $found.html($.raw(options.data[item].toString()));
                 if($found.hasClass('user_content')) {
                   contentChange = true;
                   $found.removeClass('enhanced');
diff --git a/public/javascripts/jquery.ui.menu.inputmenu.js b/public/javascripts/jquery.ui.menu.inputmenu.js
index 80c424b8f96..a2b813ad723 100755
--- a/public/javascripts/jquery.ui.menu.inputmenu.js
+++ b/public/javascripts/jquery.ui.menu.inputmenu.js
@@ -96,7 +96,7 @@ $.extend( proto, {
 				if( parent.prev().length && !parent.prev().children( "a" ).length ) {
 					parent.prev()
 						.addClass( "ui-state-disabled" )
-						.html( "<span class='ui-menu-input-group'>" + parent.prev().text() + "</span>" )
+						.html( "<span class='ui-menu-input-group'>" + parent.prev().html() + "</span>" )
 						.bind( "click.menu", function( event ) {
 							return false;
 						}).after( "<li><hr /></li>" );
diff --git a/public/javascripts/manage_groups.js b/public/javascripts/manage_groups.js
index 959cfed9f65..43a2c54fa19 100644
--- a/public/javascripts/manage_groups.js
+++ b/public/javascripts/manage_groups.js
@@ -122,7 +122,8 @@ define([
           contextGroups.insertIntoGroup($user, $group);
         }
 
-        $group.find(".loading_members").html(data['pagination_html']);
+        // xsslint safeString.property pagination_html
+        $group.find(".loading_members").html(data.pagination_html);
         $group.find(".unassigned_members_pagination a").click(function(event) {
           event.preventDefault();
           var page_regex = /page=(\d+)/
diff --git a/public/javascripts/mathquill.js b/public/javascripts/mathquill.js
index 6082ece9431..8d6dc3717c9 100644
--- a/public/javascripts/mathquill.js
+++ b/public/javascripts/mathquill.js
@@ -5,6 +5,9 @@
  *  * I18n'd toolbar tabs
  */
 
+// xsslint jqueryObject.identifier contents textareaSpan
+// xsslint jqueryObject.property jQ
+
 /**
  * Copyleft 2010-2011 Jay and Han (laughinghan@gmail.com)
  *   under the GNU Lesser General Public License
@@ -13,8 +16,9 @@
  */
 define([
   'i18n!mathquill',
-  'jquery' /* jQuery, $ */
-], function(I18n, $) {
+  'jquery', /* jQuery, $ */
+  'str/htmlEscape'
+], function(I18n, $, htmlEscape) {
 
   var undefined,
     _, //temp variable of prototypes
@@ -415,7 +419,7 @@ define([
 
     if (!editable) {
       jQ.bind('cut paste', false).bind('copy', setTextareaSelection)
-        .prepend('<span class="selectable">$'+root.latex()+'$</span>');
+        .prepend('<span class="selectable">$'+htmlEscape(root.latex())+'$</span>');
       textarea.blur(function() {
         cursor.clearSelection();
         setTimeout(detach); //detaching during blur explodes in WebKit
@@ -595,22 +599,22 @@ define([
     var panes = [];
     $.each(button_tabs, function(index, tab){
       tabs.push(
-        '<li><a href="#' + tab.name + '_tab" role="tab" tabindex="-1" aria-controls="' + tab.name + '_tab">'
-        + '  <span class="mathquill-rendered-math">' + tab.example + '</span>' + tab.name + '</a></li>'
+        '<li><a href="#' + htmlEscape(tab.name) + '_tab" role="tab" tabindex="-1" aria-controls="' + htmlEscape(tab.name) + '_tab">'
+        + '  <span class="mathquill-rendered-math">' + htmlEscape(tab.example) + '</span>' + htmlEscape(tab.name) + '</a></li>'
       );
       var buttons = [];
       $.each(tab.button_groups, function(index, group) {
         $.each(group, function(index, cmd) {
           var obj = new LatexCmds[cmd](undefined, cmd);
-           buttons.push('<li><a class="mathquill-rendered-math" href="#" title="' + (cmd.match(/^[a-z]+$/i) ? '\\' + cmd : cmd) + '">' +
-                       (html_template_overrides[cmd] ? html_template_overrides[cmd] : '<span style="line-height: 1.5em">' + obj.html_template.join('') + '</span>') +
+           buttons.push('<li><a class="mathquill-rendered-math" href="#" title="' + htmlEscape(cmd.match(/^[a-z]+$/i) ? '\\' + cmd : cmd) + '">' +
+                       $.raw(html_template_overrides[cmd] ? html_template_overrides[cmd] : '<span style="line-height: 1.5em">' + $.raw(obj.html_template.join('')) + '</span>') +
                        '</a></li>');
         });
         buttons.push('<li class="mathquill-button-spacer"></li>');
       });
-      panes.push('<div class="mathquill-tab-pane" id="' + tab.name + '_tab" role="tabpanel"><ul>' + buttons.join('') + '</ul></div>');
+      panes.push('<div class="mathquill-tab-pane" id="' + htmlEscape(tab.name) + '_tab" role="tabpanel"><ul>' + $.raw(buttons.join('')) + '</ul></div>');
     });
-    root.toolbar = $('#mathquill-view .mathquill-toolbar').html('<ul class="mathquill-tab-bar" role="tablist">' + tabs.join('') + '</ul><div class="mathquill-toolbar-panes">' + panes.join('') + '</div>');
+    root.toolbar = $('#mathquill-view .mathquill-toolbar').html('<ul class="mathquill-tab-bar" role="tablist">' + $.raw(tabs.join('')) + '</ul><div class="mathquill-toolbar-panes">' + $.raw(panes.join('')) + '</div>');
     $('#mathquill-view .mathquill-tab-bar li a').click(function(e) {
       e.preventDefault();
       $('#mathquill-view .mathquill-tab-bar li').removeClass('mathquill-tab-selected')
@@ -1152,7 +1156,7 @@ define([
   // Round/Square/Curly/Angle Brackets (aka Parens/Brackets/Braces)
   function Bracket(open, close, cmd, end, replacedFragment) {
     this.init('\\left'+cmd,
-      ['<span class="block"><span class="paren">'+open+'</span><span class="block"></span><span class="paren">'+close+'</span></span>'],
+      ['<span class="block"><span class="paren">'+htmlEscape(open)+'</span><span class="block"></span><span class="paren">'+htmlEscape(close)+'</span></span>'],
       [open, close],
       replacedFragment);
     this.end = '\\right'+end;
@@ -1617,7 +1621,7 @@ define([
   LatexCmds.f = bind(Symbol, 'f', '<var class="florin">&fnof;</var><span style="display:inline-block;width:0">&nbsp;</span>');
 
   function Variable(ch, html) {
-    Symbol.call(this, ch, '<var>'+(html || ch)+'</var>');
+    Symbol.call(this, ch, '<var>'+$.raw(html || htmlEscape(ch))+'</var>');
   }
   _ = Variable.prototype = new Symbol;
   _.text = function() {
@@ -1632,7 +1636,7 @@ define([
   };
 
   function VanillaSymbol(ch, html) {
-    Symbol.call(this, ch, '<span>'+(html || ch)+'</span>');
+    Symbol.call(this, ch, '<span>'+$.raw(html || htmlEscape(ch))+'</span>');
   }
   VanillaSymbol.prototype = Symbol.prototype;
 
@@ -1641,7 +1645,7 @@ define([
   LatexCmds.prime = CharCmds["'"] = bind(VanillaSymbol, "'", '&prime;');
 
   function NonSymbolaSymbol(ch, html) { //does not use Symbola font
-    Symbol.call(this, ch, '<span class="nonSymbola">'+(html || ch)+'</span>');
+    Symbol.call(this, ch, '<span class="nonSymbola">'+$.raw(html || htmlEscape(ch))+'</span>');
   }
   NonSymbolaSymbol.prototype = Symbol.prototype;
 
@@ -2131,7 +2135,7 @@ define([
 
 
   function NonItalicizedFunction(replacedFragment, fn) {
-    Symbol.call(this, '\\'+fn+' ', '<span>'+fn+'</span>');
+    Symbol.call(this, '\\'+fn+' ', '<span>'+htmlEscape(fn)+'</span>');
   }
   _ = NonItalicizedFunction.prototype = new Symbol;
   _.respace = function()
diff --git a/public/javascripts/media_comments.js b/public/javascripts/media_comments.js
index 6d33218d03f..1e48caf563f 100644
--- a/public/javascripts/media_comments.js
+++ b/public/javascripts/media_comments.js
@@ -249,7 +249,7 @@ define([
       $("#media_upload_progress").hide();
     },
     setupErrorHandler: function() {
-      $("#media_upload_feedback_text").html(I18n.t('errors.media_comment_installation_broken', "Media comment uploading has not been set up properly. Please contact your administrator."));
+      $("#media_upload_feedback_text").text(I18n.t('errors.media_comment_installation_broken', "Media comment uploading has not been set up properly. Please contact your administrator."));
       $("#media_upload_feedback").css('visibility', 'visible');
       $('#audio_upload_holder').css('visibility', 'hidden');
       $('#video_upload_holder').css('visibility', 'hidden');
diff --git a/public/javascripts/question_bank.js b/public/javascripts/question_bank.js
index 3dc8af9f545..473e192e16e 100644
--- a/public/javascripts/question_bank.js
+++ b/public/javascripts/question_bank.js
@@ -3,6 +3,7 @@ define([
   'jquery' /* $ */,
   'find_outcome',
   'jst/quiz/move_question',
+  'str/htmlEscape',
   'jquery.ajaxJSON' /* ajaxJSON */,
   'jquery.instructure_forms' /* formSubmit, getFormData, formErrors */,
   'jqueryui/dialog',
@@ -11,7 +12,7 @@ define([
   'jquery.keycodes' /* keycodes */,
   'jquery.loadingImg' /* loadingImage */,
   'jquery.templateData' /* fillTemplateData, getTemplateData */
-], function(I18n, $, find_outcome, moveQuestion) {
+], function(I18n, $, find_outcome, moveQuestionTemplate, htmlEscape) {
 
   var questionBankPage = {
     updateAlignments: function(alignments) {
@@ -215,7 +216,7 @@ define([
       var moveQuestions = {
         elements: {
           $dialog: $('#move_question_dialog'),
-          $loadMessage: $('<li />').append(I18n.t('load_questions', 'Loading Questions...')),
+          $loadMessage: $('<li />').append(htmlEscape(I18n.t('load_questions', 'Loading Questions...'))),
           $questions: $('#move_question_dialog .questions')
         },
         messages: {
@@ -261,9 +262,8 @@ define([
           $.ajaxJSON(window.location.href + '/questions?page=' + this.page, 'GET', {}, $.proxy(this.onData, this));
         },
         onData: function(data){
-          var questions = moveQuestion(data);
           this.elements.$loadMessage.remove();
-          this.elements.$questions.append(questions);
+          this.elements.$questions.append(moveQuestionTemplate(data));
           if (this.page < data.pages){
             this.elements.$questions.append(this.elements.$loadMessage);
             this.page += 1;
diff --git a/public/javascripts/quiz_arrows.js b/public/javascripts/quiz_arrows.js
index 3f419f2496e..c671f7e9852 100644
--- a/public/javascripts/quiz_arrows.js
+++ b/public/javascripts/quiz_arrows.js
@@ -16,6 +16,8 @@
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
+// xsslint jqueryObject.identifier /Tpl$/
+
 define(['i18n!quizzes.show', 'jquery'], function(I18n, $) {
   // Create and append right/wrong arrows to all appropriate
   // answers on a quiz results page.
diff --git a/public/javascripts/quiz_inputs.js b/public/javascripts/quiz_inputs.js
index 15cccd0c4d2..710c305b813 100644
--- a/public/javascripts/quiz_inputs.js
+++ b/public/javascripts/quiz_inputs.js
@@ -19,26 +19,26 @@
 define(['jquery'], function($) {
   var inputMethods = {
     disableInputs: function(inputs) {
-      var body       = $('body'),
-          inputCover = $('<div />', { 'class': 'input_cover' });
+      var $body       = $('body'),
+          $inputCover = $('<div />', { 'class': 'input_cover' });
 
-      inputCover.on('mouseleave', function(e) { $(this).remove(); });
+      $inputCover.on('mouseleave', function(e) { $(this).remove(); });
 
       $(inputs).on('mouseenter', function(e) {
-        var el    = $(this),
-            cover = inputCover.clone(true);
+        var $el    = $(this),
+            $cover = $inputCover.clone(true);
 
-        cover.css({
-          height   : el.height() + 12,
-          width    : el.width() + 12,
+        $cover.css({
+          height   : $el.height() + 12,
+          width    : $el.width() + 12,
           position : 'absolute',
-          left     : el.offset().left - 6,
-          top      : el.offset().top - 6,
+          left     : $el.offset().left - 6,
+          top      : $el.offset().top - 6,
           zIndex   : 15,
           background: 'url(/images/blank.png) 0 0 repeat'
         });
 
-        body.append(cover);
+        $body.append($cover);
       });
     },
 
diff --git a/public/javascripts/quiz_show.js b/public/javascripts/quiz_show.js
index 14ff40d2115..a692febe7fa 100644
--- a/public/javascripts/quiz_show.js
+++ b/public/javascripts/quiz_show.js
@@ -41,8 +41,8 @@ define([
       if ($('#quiz_details').length) {
         return callback();
       } else {
-        return $.get($("#quiz_details_wrapper").data('url'), function(data) {
-          $("#quiz_details_wrapper").html(data);
+        return $.get($("#quiz_details_wrapper").data('url'), function(html) {
+          $("#quiz_details_wrapper").html(html);
           callback();
         });
       };
diff --git a/public/javascripts/quizzes.js b/public/javascripts/quizzes.js
index bad6b5662f9..7f2b88db274 100644
--- a/public/javascripts/quizzes.js
+++ b/public/javascripts/quizzes.js
@@ -15,6 +15,10 @@
  * You should have received a copy of the GNU Affero General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
+
+// xsslint jqueryObject.function makeFormAnswer makeDisplayAnswer
+// xsslint jqueryObject.property sortable placeholder
+// xsslint safeString.property question_text
 define([
   'jst/quiz/regrade',
   'i18n!quizzes',
@@ -494,14 +498,14 @@ define([
               $tr.append($td);
             }
             var $td = $("<td class='final_answer'/>");
-            var answer = data.answer;
+            var answerHtml = data.answer;
             if (question.answerDecimalPoints || question.answer_tolerance) {
               var tolerance = parseFloatOrPercentage(question.answer_tolerance);
               tolerance = tolerance || Math.pow(0.1, question.answerDecimalPoints);
-              answer = answer + " <span style='font-size: 0.8em;'>+/-</span> " + tolerance;
+              answerHtml = answerHtml + " <span style='font-size: 0.8em;'>+/-</span> " + htmlEscape(tolerance);
               $question.find(".answer_tolerance").text(tolerance);
             }
-            $td.html(answer);
+            $td.html(answerHtml);
             $tr.append($td);
             $question.find(".equation_combinations tbody").append($tr);
           });
@@ -532,9 +536,9 @@ define([
       $question.find(".blank_id_select").empty();
       if (question.question_type == 'missing_word_question') {
         var $text = $question.find(".question_text");
-        $text.html("<span class='text_before_answers'>" + question.question_text + "</span> ");
+        $text.html("<span class='text_before_answers'>" + $.raw(question.question_text) + "</span> ");
         $text.append($select);
-        $text.append(" <span class='text_after_answers'>" + question.text_after_answers + "</span>");
+        $text.append(" <span class='text_after_answers'>" + $.raw(question.text_after_answers) + "</span>");
       } else if (question.question_type == 'multiple_dropdowns_question' || question.question_type == 'fill_in_multiple_blanks_question') {
         var variables = {}
         $.each(question.answers, function(i, data) {
@@ -570,15 +574,15 @@ define([
             split = split.split("\n");
           }
         }
-        var code = "";
+        var codeHtml = "";
         for(var cdx in split) {
           if(split[cdx]) {
-            code = code + "<li>" + htmlEscape(split[cdx]) + "</li>";
+            codeHtml = codeHtml + "<li>" + htmlEscape(split[cdx]) + "</li>";
           }
         }
 
-        if (code) {
-          $text.append(I18n.beforeLabel(I18n.t('labels.other_incorrect_matches', "Other Incorrect Match Options")) + "<ul class='matching_answer_incorrect_matches_list'>" + code + "</ul>");
+        if (codeHtml) {
+          $text.append(htmlEscape(I18n.beforeLabel(I18n.t('labels.other_incorrect_matches', "Other Incorrect Match Options"))) + "<ul class='matching_answer_incorrect_matches_list'>" + codeHtml + "</ul>");
         }
       }
       $question.find(".blank_id_select").change();
@@ -1852,12 +1856,12 @@ define([
             $td.attr('aria-labelledby', 'possible_solution_' + question.answers[idx].variables[jdx].name);
             $tr.append($td);
           }
-          var text = question.answers[idx].answer_text;
+          var html = question.answers[idx].answer_text;
           if (question.answer_tolerance) {
-            text = text + " <span style='font-size: 0.8em;'>+/-</span> " + question.answer_tolerance;
+            html = html + " <span style='font-size: 0.8em;'>+/-</span> " + htmlEscape(question.answer_tolerance);
           }
           var $td = $("<td class='final_answer'/>");
-          $td.html(text);
+          $td.html(html);
           $td.attr('aria-labelledby', 'possible_solution_final');
           $tr.append($td);
           $form.find(".combinations tbody").append($tr);
@@ -2206,7 +2210,7 @@ define([
       var $form = $question.parents(".question_holder").children("form");
       $form.attr('action', $("#quiz_urls .add_question_url,#bank_urls .add_question_url").attr('href'))
         .attr('method', 'POST')
-        .find(".submit_button").html(I18n.t('buttons.create_question', "Create Question"));
+        .find(".submit_button").text(I18n.t('buttons.create_question', "Create Question"));
       $form.find("option.missing_word").remove();
       $question.find(".question_type").change();
       $("html,body").scrollTo({top: $question.offset().top - 10, left: 0});
@@ -3077,17 +3081,17 @@ define([
 
         if (this.intoGroups.length > 0) {
           options = $.map(this.intoGroups, function(g) {
-            return '<option value="' + g.id + '">' + g.name + '</option>';
+            return '<option value="' + g.id + '">' + htmlEscape(g.name) + '</option>';
           });
           options.unshift('<option value="top">' +
-            I18n.t('top_level', '-- Top level --') +
+            htmlEscape(I18n.t('top_level', '-- Top level --')) +
           '</option>');
 
           moveWrapper.show();
         } else {
           moveWrapper.hide();
         }
-        moveSelect.html(options.join(''));
+        moveSelect.html($.raw(options.join('')));
 
         // trigger building 'place' menu
         moveSelect.change(this.buildPlaceMenu.bind(this));
@@ -3103,14 +3107,14 @@ define([
 
         // build options
         var options = $.map(filtered, function(item) {
-          return '<option value="' + item.type + '_' + item.id + '">' +
-            I18n.t('before_quiz_item', "before %{name}", {name: item.name}) +
+          return '<option value="' + htmlEscape(item.type) + '_' + item.id + '">' +
+            htmlEscape(I18n.t('before_quiz_item', "before %{name}", {name: item.name})) +
           '</option>';
         });
         options.push('<option value="last">' +
-          I18n.t('at_the_bottom', "-- at the bottom --") +
+          htmlEscape(I18n.t('at_the_bottom', "-- at the bottom --")) +
         '</option>');
-        this.$form.find('#move_select_question').html(options.join(''));
+        this.$form.find('#move_select_question').html($.raw(options.join('')));
       },
 
       itemsInGroup: function(group) {
@@ -3199,7 +3203,7 @@ define([
         this.reorderDomGroupContent(bottom);
         this.setQuestionGroupClass(group);
       },
-      reorderDomGroupContent: function(bottom) {
+      reorderDomGroupContent: function($bottom) {
         if (this.selected.type != 'group') { return; }
 
         var prev = this.selected.sortable;
@@ -3210,7 +3214,7 @@ define([
             prev = item.sortable;
           });
         }
-        prev.after(bottom);
+        prev.after($bottom);
       },
       setQuestionGroupClass: function(group) {
         if (this.selected.type != 'question') { return; }
@@ -3300,7 +3304,7 @@ define([
           } else {
             ui.placeholder.removeClass('group');
           }
-          ui.placeholder.append("<div class='question_placeholder' style='height: " + (ui.helper.height() - 10) + "px;'>&nbsp;</div>");
+          ui.placeholder.append("<div class='question_placeholder' style='height: " + $.raw(ui.helper.height() - 10) + "px;'>&nbsp;</div>");
         }
       },
       change: function(event, ui) {
@@ -3508,8 +3512,8 @@ define([
     $("#calc_helper_methods").change(function() {
       var method = $(this).val();
       $("#calc_helper_method_description").text(calcCmd.functionDescription(method));
-      var code = "<pre>" + calcCmd.functionExamples(method).join("</pre><pre>") + "</pre>";
-      $("#calc_helper_method_examples").html(code);
+      var html = "<pre>" + $.raw($.map(calcCmd.functionExamples(method), htmlEscape).join("</pre><pre>")) + "</pre>";
+      $("#calc_helper_method_examples").html(html);
     });
 
     $("#equations_dialog_tabs").tabs();
@@ -3564,7 +3568,7 @@ define([
       }
       // if there are not any options besides the default "<option class="shown_when_no_other_options_available" value='0'>[ Enter Answer Variables Above ]</option>" one
       if (!$select.find("option:not(.shown_when_no_other_options_available)").length) {
-        $select.append("<option class='shown_when_no_other_options_available' value='0'>" + I18n.t('enter_answer_variable_above', "[ Enter Answer Variables Above ]") + "</option>");
+        $select.append("<option class='shown_when_no_other_options_available' value='0'>" + htmlEscape(I18n.t('enter_answer_variable_above', "[ Enter Answer Variables Above ]")) + "</option>");
       }
       $select.find("option.to_be_removed").remove();
       $select.change();
@@ -3720,12 +3724,12 @@ define([
               });
               var $td = $("<td/>");
               $td.addClass('final_answer');
-              var text = solution.rawText();
+              var html = htmlEscape(solution.rawText());
               var tolerance = answer_tolerance;
               if (tolerance) {
-                text += " <span style='font-size: 0.8em;'>+/-</span> " + tolerance;
+                html += " <span style='font-size: 0.8em;'>+/-</span> " + htmlEscape(tolerance);
               }
-              $td.html(text);
+              $td.html(html);
               $result.append($td);
               succeeded++;
               failedCount = 0;
@@ -3804,7 +3808,7 @@ define([
       val = Math.round(val * data.rounder) / (data.rounder);
       $variable.attr('data-value', val);
       if (!options || options.template) {
-        $variable.find(".value").html(val);
+        $variable.find(".value").text(val);
       }
       if (!options || options.recompute) {
         $question.find(".supercalc").superCalc('recalculate');
@@ -3844,7 +3848,8 @@ define([
             if (!matchHash[variable]) {
               var $variable = $question.find('.variables tr.variable[data-name="' + variable + '"]');
               if ($variable.length === 0) {
-                var label_id = "label_for_var_" + variable;
+                var label_id = htmlEscape("label_for_var_" + variable);
+                // xsslint safeString.identifier label_id
 
                 $variable = $("<tr class='variable'>"
                               + "<th id='" + label_id + "' class='name'></th>"
diff --git a/public/javascripts/rubric_assessment.js b/public/javascripts/rubric_assessment.js
index c8e28390690..c7ac017bec2 100644
--- a/public/javascripts/rubric_assessment.js
+++ b/public/javascripts/rubric_assessment.js
@@ -217,10 +217,10 @@ window.rubricAssessment = {
             $saved_custom_rating = $holder.find(".saved_custom_rating");
             
         $saved_custom_rating.find(".comment").remove();
-        $saved_custom_rating.empty().append('<option value="">' + I18n.t('options.select', '[ Select ]') + '</option>');
+        $saved_custom_rating.empty().append('<option value="">' + htmlEscape(I18n.t('options.select', '[ Select ]')) + '</option>');
         for(var jdx in comments) {
           if(comments[jdx]) {
-            $saved_custom_rating.append('<option value="' + escape(comments[jdx])+ '">' + TextHelper.truncateText(comments[jdx], {max: 50}) + '</option>');
+            $saved_custom_rating.append('<option value="' + htmlEscape(comments[jdx])+ '">' + htmlEscape(TextHelper.truncateText(comments[jdx], {max: 50})) + '</option>');
             $holder.show();
           }
         }
diff --git a/public/javascripts/saml_testing.js b/public/javascripts/saml_testing.js
index bb916af9334..83bf5e458c6 100644
--- a/public/javascripts/saml_testing.js
+++ b/public/javascripts/saml_testing.js
@@ -26,7 +26,7 @@ define([
       $.ajaxJSON(url, 'GET', {}, function (data) {
         if (data) {
           if (data.debugging) {
-            $saml_debug_info.html(data.debug_data);
+            $saml_debug_info.html($.raw(data.debug_data));
             $saml_debug_info.show();
             refresh_timer = setTimeout(function () {load_debug_data(false);}, 30000);
           } else {
diff --git a/public/javascripts/sis_import.js b/public/javascripts/sis_import.js
index a1b1242879a..e23fa2309aa 100644
--- a/public/javascripts/sis_import.js
+++ b/public/javascripts/sis_import.js
@@ -53,7 +53,7 @@ $(document).ready(function(event) {
   function createMessageHtml(batch){
     var output = "";
     if(batch.processing_errors && batch.processing_errors.length > 0){
-      output += "<li>" + I18n.t('headers.import_errors', "Errors that prevent importing") + "\n<ul>";
+      output += "<li>" + htmlEscape(I18n.t('headers.import_errors', "Errors that prevent importing")) + "\n<ul>";
       for(var i in batch.processing_errors) {
         var message = batch.processing_errors[i];
         output += "<li>" + htmlEscape(message[0]) + " - " + htmlEscape(message[1]) + "</li>";
@@ -61,7 +61,7 @@ $(document).ready(function(event) {
       output += "</ul>\n</li>";
     }
     if(batch.processing_warnings && batch.processing_warnings.length > 0){
-      output += "<li>" + I18n.t('headers.import_warnings', "Warnings") + "\n<ul>";
+      output += "<li>" + htmlEscape(I18n.t('headers.import_warnings', "Warnings")) + "\n<ul>";
       for(var i in batch.processing_warnings) {
         var message = batch.processing_warnings[i];
         output += "<li>" + htmlEscape(message[0]) + " - " + htmlEscape(message[1]) + "</li>";
@@ -76,23 +76,23 @@ $(document).ready(function(event) {
     if(!(batch.data && batch.data.counts)){
       return '';
     }
-    output = "<ul><li>" + I18n.t('headers.imported_items', "Imported Items") + "<ul>";
-    output += "<li>" + I18n.t('import_counts.accounts', "Accounts: %{account_count}", {account_count: batch.data.counts.accounts}) + "</li>";
-    output += "<li>" + I18n.t('import_counts.terms', "Terms: %{term_count}", {term_count: batch.data.counts.terms}) + "</li>";
-    output += "<li>" + I18n.t('import_counts.courses', "Courses: %{course_count}", {course_count: batch.data.counts.courses}) + "</li>";
-    output += "<li>" + I18n.t('import_counts.sections', "Sections: %{section_count}", {section_count: batch.data.counts.sections}) + "</li>";
-    output += "<li>" + I18n.t('import_counts.users', "Users: %{user_count}", {user_count: batch.data.counts.users}) + "</li>";
-    output += "<li>" + I18n.t('import_counts.enrollments', "Enrollments: %{enrollment_count}", {enrollment_count: batch.data.counts.enrollments}) + "</li>";
-    output += "<li>" + I18n.t('import_counts.crosslists', "Crosslists: %{crosslist_count}", {crosslist_count: batch.data.counts.xlists}) + "</li>";
-    output += "<li>" + I18n.t('import_counts.groups', "Groups: %{group_count}", {group_count: batch.data.counts.groups}) + "</li>";
-    output += "<li>" + I18n.t('import_counts.group_enrollments', "Group Enrollments: %{group_enrollments_count}", {group_enrollments_count: batch.data.counts.group_memberships}) + "</li>";
+    output = "<ul><li>" + htmlEscape(I18n.t('headers.imported_items', "Imported Items")) + "<ul>";
+    output += "<li>" + htmlEscape(I18n.t('import_counts.accounts', "Accounts: %{account_count}", {account_count: batch.data.counts.accounts})) + "</li>";
+    output += "<li>" + htmlEscape(I18n.t('import_counts.terms', "Terms: %{term_count}", {term_count: batch.data.counts.terms})) + "</li>";
+    output += "<li>" + htmlEscape(I18n.t('import_counts.courses', "Courses: %{course_count}", {course_count: batch.data.counts.courses})) + "</li>";
+    output += "<li>" + htmlEscape(I18n.t('import_counts.sections', "Sections: %{section_count}", {section_count: batch.data.counts.sections})) + "</li>";
+    output += "<li>" + htmlEscape(I18n.t('import_counts.users', "Users: %{user_count}", {user_count: batch.data.counts.users})) + "</li>";
+    output += "<li>" + htmlEscape(I18n.t('import_counts.enrollments', "Enrollments: %{enrollment_count}", {enrollment_count: batch.data.counts.enrollments})) + "</li>";
+    output += "<li>" + htmlEscape(I18n.t('import_counts.crosslists', "Crosslists: %{crosslist_count}", {crosslist_count: batch.data.counts.xlists})) + "</li>";
+    output += "<li>" + htmlEscape(I18n.t('import_counts.groups', "Groups: %{group_count}", {group_count: batch.data.counts.groups})) + "</li>";
+    output += "<li>" + htmlEscape(I18n.t('import_counts.group_enrollments', "Group Enrollments: %{group_enrollments_count}", {group_enrollments_count: batch.data.counts.group_memberships})) + "</li>";
     output += "</ul></li></ul>";
     
     return output
   }
 
   function startPoll() {
-    $("#sis_importer").html(I18n.t('status.processing', "Processing") + " <div style='font-size: 0.6em;'>" + I18n.t('notices.processing_takes_awhile', "this may take a bit...") + "</div>")
+    $("#sis_importer").html(htmlEscape(I18n.t('status.processing', "Processing")) + " <div style='font-size: 0.6em;'>" + htmlEscape(I18n.t('notices.processing_takes_awhile', "this may take a bit...")) + "</div>")
        .attr('disabled', true);
     $(".instruction").hide();
     $(".progress_bar_holder").slideDown();
@@ -128,28 +128,28 @@ $(document).ready(function(event) {
         if(!sis_batch || sis_batch.workflow_state == 'imported') {
           $("#sis_importer").hide();
           $(".copy_progress").progressbar('option', 'value', 100);
-          $(".progress_message").html(I18n.t('messages.import_complete_success', "The import is complete and all records were successfully imported.") + createCountsHtml(sis_batch));
+          $(".progress_message").html($.raw(htmlEscape(I18n.t('messages.import_complete_success', "The import is complete and all records were successfully imported.")) + createCountsHtml(sis_batch)));
         } else if(sis_batch.workflow_state == 'failed') {
           code = "sis_batch_" + sis_batch.id;
           $(".progress_bar_holder").hide();
           $("#sis_importer").hide();
           var message = I18n.t('errors.import_failed_code', "There was an error importing your SIS data. No records were imported.  Please notify your system administrator and give them the following code: \"%{code}\"", {code: code});
-          $(".sis_messages .sis_error_message").html(message);
+          $(".sis_messages .sis_error_message").text(message);
           $(".sis_messages").show();
         } else if(sis_batch.workflow_state == 'failed_with_messages') {
           $(".progress_bar_holder").hide();
           $("#sis_importer").hide();
-          var message = I18n.t('errors.import_failed_messages', "No SIS records were imported. The import failed with these messages:");
+          var message = htmlEscape(I18n.t('errors.import_failed_messages', "No SIS records were imported. The import failed with these messages:"));
           message += createMessageHtml(sis_batch);
-          $(".sis_messages .sis_error_message").html(message);
+          $(".sis_messages .sis_error_message").html($.raw(message));
           $(".sis_messages").show();
         } else if(sis_batch.workflow_state == 'imported_with_messages') {
           $(".progress_bar_holder").hide();
           $("#sis_importer").hide();
-          var message = I18n.t('messages.import_complete_warnings', "The SIS data was imported but with these messages:");
+          var message = htmlEscape(I18n.t('messages.import_complete_warnings', "The SIS data was imported but with these messages:"));
           message += createMessageHtml(sis_batch);
           message += createCountsHtml(sis_batch);
-          $(".sis_messages").show().html(message);
+          $(".sis_messages").show().html($.raw(message));
         } else {
           if(progress == lastProgress) {
             waitTime = Math.max(waitTime + 500, 30000);
diff --git a/public/javascripts/slickgrid.long_text_editor.js b/public/javascripts/slickgrid.long_text_editor.js
index c2a037039a2..82efa8a60bc 100644
--- a/public/javascripts/slickgrid.long_text_editor.js
+++ b/public/javascripts/slickgrid.long_text_editor.js
@@ -1,4 +1,4 @@
-define(['jquery', 'i18n!LongTextEditor'], function($, I18n) {
+define(['jquery', 'i18n!LongTextEditor', 'str/htmlEscape'], function($, I18n, htmlEscape) {
 
   /*
    * this is just LongTextEditor from slick.editors.js but with i18n and a
@@ -15,12 +15,12 @@ define(['jquery', 'i18n!LongTextEditor'], function($, I18n) {
       $wrapper = $("<DIV class=dontblur style='z-index:10000;position:absolute;background:white;padding:5px;border:3px solid gray; -moz-border-radius:10px; border-radius:10px;'/>")
           .appendTo($container);
 
-      $input = $("<TEXTAREA hidefocus maxlength="+args.maxLength+" rows=5 style='backround:white;width:250px;height:80px;border:0;outline:0'>")
+      $input = $("<TEXTAREA hidefocus maxlength="+htmlEscape(args.maxLength)+" rows=5 style='backround:white;width:250px;height:80px;border:0;outline:0'>")
           .appendTo($wrapper);
 
       var saveText = I18n.t("save", "Save");
       var cancelText = I18n.t("cancel", "Cancel");
-      $("<DIV style='text-align:right'><BUTTON>"+saveText+"</BUTTON><BUTTON>"+cancelText+"</BUTTON></DIV>")
+      $("<DIV style='text-align:right'><BUTTON>"+htmlEscape(saveText)+"</BUTTON><BUTTON>"+htmlEscape(cancelText)+"</BUTTON></DIV>")
           .appendTo($wrapper);
 
       $wrapper.find("button:first").bind("click", this.save);
diff --git a/public/javascripts/speed_grader.js b/public/javascripts/speed_grader.js
index 2c84ba99e63..5f666a8e544 100644
--- a/public/javascripts/speed_grader.js
+++ b/public/javascripts/speed_grader.js
@@ -265,23 +265,24 @@ define([
     return {raw: raw, formatted: formatted};
   }
 
+  // xsslint safeString.identifier MENU_PARTS_DELIMITER
   var MENU_PARTS_DELIMITER = '----☃----'; // something random and unlikely to be in a person's name
 
   function initDropdown(){
     var hideStudentNames = utils.shouldHideStudentNames();
     $("#hide_student_names").attr('checked', hideStudentNames);
-    var options = $.map(jsonData.studentsWithSubmissions, function(s, idx){
-      var name = htmlEscape(s.name).replace(MENU_PARTS_DELIMITER, ""),
+    var optionsHtml = $.map(jsonData.studentsWithSubmissions, function(s, idx){
+      var name = s.name.replace(MENU_PARTS_DELIMITER, ""),
           className = classNameBasedOnStudent(s);
 
       if(hideStudentNames) {
         name = I18n.t('nth_student', "Student %{n}", {'n': idx + 1});
       }
 
-      return '<option value="' + s.id + '" class="' + className.raw + ' ui-selectmenu-hasIcon">' + name + MENU_PARTS_DELIMITER + className.formatted + MENU_PARTS_DELIMITER + className.raw + '</option>';
+      return '<option value="' + s.id + '" class="' + htmlEscape(className.raw) + ' ui-selectmenu-hasIcon">' + htmlEscape(name) + MENU_PARTS_DELIMITER + htmlEscape(className.formatted) + MENU_PARTS_DELIMITER + htmlEscape(className.raw) + '</option>';
     }).join("");
 
-    $selectmenu = $("<select id='students_selectmenu'>" + options + "</select>")
+    $selectmenu = $("<select id='students_selectmenu'>" + optionsHtml + "</select>")
       .appendTo("#combo_box_container")
       .selectmenu({
         style:'dropdown',
@@ -293,6 +294,7 @@ define([
         EG.handleStudentChanged();
       });
 
+    // xsslint safeString.function getIcon
     function getIcon(helper_text){
       var icon = "<span class='ui-selectmenu-item-icon speedgrader-selectmenu-icon'>";
       if(helper_text == "graded"){
@@ -308,9 +310,9 @@ define([
           $menu = $("#section-menu");
 
 
-      $menu.find('ul').append($.map(jsonData.context.active_course_sections, function(section, i){
+      $menu.find('ul').append($.raw($.map(jsonData.context.active_course_sections, function(section, i){
         return '<li><a class="section_' + section.id + '" data-section-id="'+ section.id +'" href="#">'+ htmlEscape(section.name) +'</a></li>';
-      }).join(''));
+      }).join('')));
 
       $menu.insertBefore($selectmenu_list).bind('mouseenter mouseleave', function(event){
         $(this)
@@ -472,7 +474,7 @@ define([
           this.spinMute();
           $.ajaxJSON(this.muteUrl(), 'put', { status: true }, $.proxy(function(res){
             this.elements.spinner.stop();
-            this.elements.mute.label.html(label);
+            this.elements.mute.label.text(label);
             this.elements.mute.icon
               .removeClass('ui-icon-volume-off')
               .addClass('ui-icon-volume-on')
@@ -486,7 +488,7 @@ define([
           this.spinMute();
           $.ajaxJSON(this.muteUrl(), 'put', { status: false }, $.proxy(function(res){
             this.elements.spinner.stop();
-            this.elements.mute.label.html(label);
+            this.elements.mute.label.text(label);
             this.elements.mute.icon
               .removeClass('ui-icon-volume-on')
               .addClass('ui-icon-volume-off')
@@ -633,8 +635,9 @@ define([
           $('#record_button').attr("recording", false).attr("aria-label", I18n.t('dialog_button.aria_record_reset', "Click to record"));
         }
 
+        // xsslint safeString.function linebreak
         function linebreak(transcript){
-          return transcript.replace(/\n\n/g, '<p></p>').replace(/\n/g, '<br>');
+          return htmlEscape(transcript).replace(/\n\n/g, '<p></p>').replace(/\n/g, '<br>');
         }
       }
     }
@@ -1257,7 +1260,7 @@ define([
                                          {user_id: this.currentStudent.id})
         });
       }
-      $multiple_submissions.html(innerHTML);
+      $multiple_submissions.html($.raw(innerHTML));
     },
 
     showSubmissionDetails: function(){
@@ -1273,7 +1276,7 @@ define([
     },
 
     updateStatsInHeader: function(){
-      $x_of_x_students.html(
+      $x_of_x_students.text(
         I18n.t('gradee_index_of_total', '%{gradee} %{x} of %{y}', {
           gradee: gradeeLabel,
           x: EG.currentIndex() + 1,
@@ -1307,13 +1310,13 @@ define([
           return Math.round(number*coefficient)/coefficient;
         }
         var outOf = jsonData.points_possible ? ([" / ", jsonData.points_possible, " (", Math.round( 100 * (avg(scores) / jsonData.points_possible)), "%)"].join("")) : "";
-        $average_score.html( [roundWithPrecision(avg(scores), 2) + outOf].join("") );
+        $average_score.text( [roundWithPrecision(avg(scores), 2) + outOf].join("") );
       }
       else { //there are no submissions that have been graded.
         $average_score_wrapper.hide();
       }
 
-      $grded_so_far.html(
+      $grded_so_far.text(
         I18n.t('portion_graded', '%{x} / %{y} Graded', {
           x: gradedStudents.length,
           y: jsonData.context.students.length
@@ -1399,12 +1402,12 @@ define([
 	        var src = unescape($submission_file_hidden.find('.display_name').attr('href'))
 	                  .replace("{{submissionId}}", this.currentStudent.submission.user_id)
 	                  .replace("{{attachmentId}}", attachment.id);
-	        $iframe_holder.html('<iframe src="'+src+'" frameborder="0" id="speedgrader_iframe"></iframe>').show();
+	        $iframe_holder.html('<iframe src="'+htmlEscape(src)+'" frameborder="0" id="speedgrader_iframe"></iframe>').show();
 	      }
 	      else {
 	        //load in the iframe preview.  if we are viewing a past version of the file pass the version to preview in the url
-	        $iframe_holder.html(
-            '<iframe id="speedgrader_iframe" src="/courses/' + jsonData.context_id  +
+	        $iframe_holder.html($.raw(
+            '<iframe id="speedgrader_iframe" src="' + htmlEscape('/courses/' + jsonData.context_id  +
             '/assignments/' + this.currentStudent.submission.assignment_id +
             '/submissions/' + this.currentStudent.submission.user_id +
             '?preview=true' + (
@@ -1416,7 +1419,7 @@ define([
               ''
             ) + (
               utils.shouldHideStudentNames() ? "&hide_student_name=1" : ""
-            ) + '" frameborder="0"></iframe>')
+            )) + '" frameborder="0"></iframe>'))
             .show();
 	      }
   	  }
@@ -1436,7 +1439,7 @@ define([
 
         $rubric_assessments_select.find("option").remove();
         $.each(this.currentStudent.rubric_assessments, function(){
-          $rubric_assessments_select.append('<option value="' + this.id + '">' + htmlEscape(this.assessor_name) + '</option>');
+          $rubric_assessments_select.append('<option value="' + htmlEscape(this.id) + '">' + htmlEscape(this.assessor_name) + '</option>');
         });
 
         // show a new option if there is not an assessment by me
@@ -1477,7 +1480,7 @@ define([
           var hideStudentName = hideStudentNames && jsonData.studentMap[comment.author_id];
           if (hideStudentName) { comment.author_name = I18n.t('student', "Student"); }
           var $comment = $comment_blank.clone(true).fillTemplateData({ data: comment });
-          $comment.find('span.comment').html(htmlEscape(comment.comment).replace(/\n/g, "<br />"));
+          $comment.find('span.comment').html($.raw(htmlEscape(comment.comment).replace(/\n/g, "<br />")));
           if (comment.avatar_path && !hideStudentName) {
             $comment.find(".avatar").attr('src', comment.avatar_path).show();
           }
diff --git a/public/javascripts/str/stripTags.js b/public/javascripts/str/stripTags.js
new file mode 100644
index 00000000000..202556f5123
--- /dev/null
+++ b/public/javascripts/str/stripTags.js
@@ -0,0 +1,22 @@
+define(["jquery"], function() {
+
+  /* Make an html snippet plain text.
+   *
+   * Removes tags, and converts entities to their character equivalents.
+   * Because it uses a detached element, it's safe to use on untrusted
+   * input.
+   *
+   * That said, the result is NOT an html-safe string, because it only
+   * does a single pass. e.g.
+   *
+   * "<b>hi</b> &lt;script&gt;..." -> "hi <script>..."
+   */
+  var $stripDiv = $("<div />");
+
+  return function(html) {
+    return $stripDiv.html(html).text();
+  }
+
+  return stripTags;
+});
+
diff --git a/public/javascripts/submission_download.js b/public/javascripts/submission_download.js
index 903c8b8d0ff..12c92e7c0f6 100644
--- a/public/javascripts/submission_download.js
+++ b/public/javascripts/submission_download.js
@@ -2,10 +2,11 @@ define([
   'INST' /* INST */,
   'i18n!submissions',
   'jquery' /* $ */,
+  'str/htmlEscape',
   'jquery.ajaxJSON' /* ajaxJSON */,
   'jqueryui/dialog',
   'jqueryui/progressbar' /* /\.progressbar/ */
-], function(INST, I18n, $) {
+], function(INST, I18n, $, htmlEscape) {
 
   INST.downloadSubmissions = function(url) {
     var cancelled = false;
@@ -29,8 +30,8 @@ define([
           if(attachment.workflow_state == 'zipped') { 
             $("#download_submissions_dialog .progress").progressbar('value', 100);
             var message = I18n.t("#submissions.finished_redirecting", "Finished!  Redirecting to File...");
-            var link = "<a href=\"" + url + "\"><b> " + I18n.t("#submissions.click_to_download", "Click here to download %{size_of_file}", {size_of_file: attachment.readable_size}) + "</b></a>"
-            $("#download_submissions_dialog .status").html(message + "<br>" + link);
+            var link = "<a href=\"" + htmlEscape(url) + "\"><b> " + htmlEscape(I18n.t("#submissions.click_to_download", "Click here to download %{size_of_file}", {size_of_file: attachment.readable_size})) + "</b></a>"
+            $("#download_submissions_dialog .status").html(htmlEscape(message) + "<br>" + $.raw(link));
             $("#download_submissions_dialog .status_loader").css('visibility', 'hidden');
             location.href = url;
             return;
diff --git a/public/javascripts/supercalc.js b/public/javascripts/supercalc.js
index 48ac30d2574..8b8603f4d0c 100644
--- a/public/javascripts/supercalc.js
+++ b/public/javascripts/supercalc.js
@@ -59,7 +59,7 @@ define([
                           "<tr><td colspan='3' class='last_row_details' style='display: none;'>" + htmlEscape(I18n.t('last_formula_row', "the last formula row will be used to compute the final answer")) + "</td></tr>" +
                           "<tr><td></td><td class='decimal_places'>" +
                             "<select aria-labelledby='decimal_places_label' class='round'><option>0</option><option>1</option><option>2</option><option>3</option><option>4</option></select> " +
-                            "<label id='decimal_places_label'>" + I18n.t('decimal_places', 'Decimal Places') + "</label>" +
+                            "<label id='decimal_places_label'>" + htmlEscape(I18n.t('decimal_places', 'Decimal Places')) + "</label>" +
                           "</td></tr>" +
                         "</tfoot>" +
                         "<tbody></tbody>"+
@@ -126,7 +126,7 @@ define([
           }
           this.status.attr('data-res', res);
           if(!no_dom) {
-            this.status.html(res);
+            this.status.text(res);
           }
         });
         if(!no_dom) {
@@ -143,7 +143,7 @@ define([
         if(event.keyCode == 13 || enter && $displayBox.val()) {
           event.preventDefault();
           event.stopPropagation();
-          var $tr = $("<tr class='formula_row'><td class='formula' aria-labelledby='headings.formula' title='" + htmlEscape(I18n.t('drag_to_reorder', 'Drag to reorder')) + "'></td><td class='status' aria-labelledby='headings.result'></td><td><a href='#' class='delete_formula_row_link no-hover'><img src='/images/delete_circle.png' alt='" + I18n.t('delete_formula', 'Delete Formula') + "'/></a></td></tr>");
+          var $tr = $("<tr class='formula_row'><td class='formula' aria-labelledby='headings.formula' title='" + htmlEscape(I18n.t('drag_to_reorder', 'Drag to reorder')) + "'></td><td class='status' aria-labelledby='headings.result'></td><td><a href='#' class='delete_formula_row_link no-hover'><img src='/images/delete_circle.png' alt='" + htmlEscape(I18n.t('delete_formula', 'Delete Formula')) + "'/></a></td></tr>");
           $tr.find("td:first").text($entryBox.val());
           $entryBox.val("");
           $displayBox.val("");
diff --git a/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_embed/editor_plugin.js b/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_embed/editor_plugin.js
index c75c01f4859..e404b2c38d8 100644
--- a/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_embed/editor_plugin.js
+++ b/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_embed/editor_plugin.js
@@ -34,18 +34,18 @@ define([
 
   var TRANSLATIONS = {
     click_to_embed: I18n.t('click_to_embed', 'Click to embed the image'),
-    instructions: INST.htmlEscape(I18n.t('instructions', "Paste or type the URL of the image you'd like to embed:")),
-    url: INST.htmlEscape(I18n.t('url', 'URL:')),
-    alt_text: INST.htmlEscape(I18n.t('alt_text', 'Alternate Text:')),
+    instructions: I18n.t('instructions', "Paste or type the URL of the image you'd like to embed:"),
+    url: I18n.t('url', 'URL:'),
+    alt_text: I18n.t('alt_text', 'Alternate Text:'),
     search_flickr: I18n.t('search_flickr', 'Search flickr creative commons'),
     loading: I18n.t('loading', 'Loading...'),
     embed_external: I18n.t('embed_external', 'Embed External Image'),
-    embed_image: INST.htmlEscape(I18n.t('embed_image', 'Embed Image')),
+    embed_image: I18n.t('embed_image', 'Embed Image'),
     image_not_found: I18n.t('image_not_found', 'Image not found, please try a new URL')
   };
 
   function initShared () {
-    $box = $('<div/>', {html: TRANSLATIONS.instructions + "<form id='instructure_embed_prompt_form' style='margin-top: 5px;'><table class='formtable'><tr><td>"+ TRANSLATIONS.url +"</td><td><input type='text' class='prompt' style='width: 250px;' value='http://'/></td></tr><tr><td class='nobr'>"+TRANSLATIONS.alt_text+"</td><td><input type='text' class='alt_text' style='width: 150px;' value=''/></td></tr><tr><td colspan='2' style='text-align: right;'><input type='submit' class='btn' value='Embed Image'/></td></tr></table></form><div class='actions'></div>"}).hide();
+    $box = $('<div/>', {html: htmlEscape(TRANSLATIONS.instructions) + "<form id='instructure_embed_prompt_form' style='margin-top: 5px;'><table class='formtable'><tr><td>"+ htmlEscape(TRANSLATIONS.url) +"</td><td><input type='text' class='prompt' style='width: 250px;' value='http://'/></td></tr><tr><td class='nobr'>"+htmlEscape(TRANSLATIONS.alt_text)+"</td><td><input type='text' class='alt_text' style='width: 150px;' value=''/></td></tr><tr><td colspan='2' style='text-align: right;'><input type='submit' class='btn' value='Embed Image'/></td></tr></table></form><div class='actions'></div>"}).hide();
     $altText = $box.find('.alt_text');
     $actions = $box.find('.actions');
     $userURL = $box.find('.prompt');
@@ -75,19 +75,19 @@ define([
     event.preventDefault();
     $box.dialog('close');
     $.findImageForService('flickr_creative_commons', function (data) {
-      var title = INST.htmlEscape(data.title),
-          html = '<a href="' + data.link_url + '"><img src="' + data.image_url + '" title="' + title + '"alt="' + title + '" style="max-width: 500; max-height: 500"></a>';
+      var title = data.title,
+          html = '<a href="' + htmlEscape(data.link_url) + '"><img src="' + htmlEscape(data.image_url) + '" title="' + htmlEscape(title) + '"alt="' + htmlEscape(title) + '" style="max-width: 500; max-height: 500"></a>';
       $box.dialog('close');
       $editor.editorBox('insert_code', html);
     });
   }
 
   function embedURLImage (event) {
-    var alt = INST.htmlEscape($altText.val() || ''),
-        text = INST.htmlEscape($userURL.val());
+    var alt = $altText.val() || '',
+        text = $userURL.val();
 
     event.preventDefault();
-    $editor.editorBox('insert_code', "<img src='" + text + "' alt='" + alt + "'/>");
+    $editor.editorBox('insert_code', "<img src='" + htmlEscape(text) + "' alt='" + htmlEscape(alt) + "'/>");
     $box.dialog('close');
   }
 
diff --git a/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_equella/editor_plugin.js b/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_equella/editor_plugin.js
index 4fdb323512d..6980be6cb09 100644
--- a/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_equella/editor_plugin.js
+++ b/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_equella/editor_plugin.js
@@ -15,6 +15,7 @@
  * You should have received a copy of the GNU Affero General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
+// xsslint safeString.identifier frameHeight teaser
 
 define([
   'compiled/editor/stocktiny',
diff --git a/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_external_tools/editor_plugin.js b/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_external_tools/editor_plugin.js
index 1dc09aaba96..5d23035b038 100644
--- a/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_external_tools/editor_plugin.js
+++ b/public/javascripts/tinymce/jscripts/tiny_mce/plugins/instructure_external_tools/editor_plugin.js
@@ -45,6 +45,7 @@ define([
       function buttonSelected(button) {
         var frameHeight = Math.max(Math.min($(window).height() - 100, 550), 100);
         if(!$dialog) {
+          // xsslint safeString.identifier frameHeight
           $dialog = $('<div id="external_tool_button_dialog" style="padding: 0; overflow-y: hidden;"/>')
             .hide()
             .html("<div class='teaser' style='width: 800px; margin-bottom: 10px; display: none;'></div>" +
diff --git a/public/javascripts/user_name.js b/public/javascripts/user_name.js
index c9e3eee8084..e3d5fa9380e 100644
--- a/public/javascripts/user_name.js
+++ b/public/javascripts/user_name.js
@@ -19,12 +19,13 @@
 define([
   'i18n!user_name',
   'jquery' /* $ */,
+  'str/htmlEscape',
   'jquery.ajaxJSON' /* ajaxJSON */,
   'jquery.instructure_forms' /* formSubmit */,
   'jqueryui/dialog',
   'compiled/jquery/fixDialogButtons' /* fix dialog formatting */,
   'jquery.templateData' /* fillTemplateData */
-], function(I18n, $) {
+], function(I18n, $, htmlEscape) {
 $(document).ready(function() {
   $("#name_and_email").delegate('.edit_user_link', 'click', function(event) {
     event.preventDefault();
@@ -71,7 +72,7 @@ $(document).ready(function() {
     var $link = $(this);
     $link.text(I18n.t('messages.reporting_image', "Reporting image..."));
     $.ajaxJSON($link.attr('href'), 'POST', {}, function(data) {
-      $link.after(I18n.t('notices.image_reported', "This image has been reported"));
+      $link.after(htmlEscape(I18n.t('notices.image_reported', "This image has been reported")));
       $link.remove();
     }, function(data) {
       $link.text(I18n.t('errors.failed_to_report_image', "Failed to report the image, please try again"));
diff --git a/public/javascripts/user_notes.js b/public/javascripts/user_notes.js
index a713dfce770..093b8df228e 100644
--- a/public/javascripts/user_notes.js
+++ b/public/javascripts/user_notes.js
@@ -60,7 +60,7 @@ define([
           .attr('href', action)
           .end()
         .find('.formatted_note')
-          .html(user_note.formatted_note)
+          .html($.raw(user_note.formatted_note))
           .end()
         .slideDown();
     },
diff --git a/public/javascripts/wikiSidebar.js b/public/javascripts/wikiSidebar.js
index 545f2f087df..a4134809361 100644
--- a/public/javascripts/wikiSidebar.js
+++ b/public/javascripts/wikiSidebar.js
@@ -67,7 +67,7 @@ define([
     itemSelected: function(item) {
       switch(item.item_type) {
         case 'image':
-          wikiSidebar.editor.editorBox('insert_code', '<img alt="' + item.title + '" src="' + item.link_url + '"/>');
+          wikiSidebar.editor.editorBox('insert_code', '<img alt="' + htmlEscape(item.title) + '" src="' + htmlEscape(item.link_url) + '"/>');
           break;
         default: // we'll rely on enhance-user-content to create youtube thumbnails, etc.
           wikiSidebar.editor.editorBox('create_link', {title: (item.title || I18n.t("no_title", "No title")), url: item.link_url});
@@ -88,7 +88,7 @@ define([
     imageSelected: function($img) {
       var src = $img.data('url') || $img.attr('src'),
           alt = $img.attr('alt');
-      wikiSidebar.editor.editorBox('insert_code', '<img alt="'+alt+'" src="'+src+'"/>');
+      wikiSidebar.editor.editorBox('insert_code', '<img alt="'+htmlEscape(alt)+'" src="'+htmlEscape(src)+'"/>');
     },
     fileAdded: function(attachment, newUploadOrCallbackOrParent, fileCallback) {
       var children, newUpload, imageCallback, $file;
@@ -105,7 +105,7 @@ define([
       }
       if(children.length || fileCallback) {
         var file = attachment;
-        var displayName = "<span class='screenreader-only'>" + htmlEscape(file.display_name) + " " + I18n.t('aria_tree.file', 'file') + "</span>" + htmlEscape(file.display_name);
+        var displayName = "<span class='screenreader-only'>" + htmlEscape(file.display_name) + " " + htmlEscape(I18n.t('aria_tree.file', 'file')) + "</span>" + htmlEscape(file.display_name);
 
         $file = $tree1.find(".file_blank").clone(true);
         $file
@@ -185,7 +185,7 @@ define([
           var folder = data.sub_folders[idx].folder;
           var $folder = $tree1.find(".folder_blank").clone(true);
           $folder.attr('class', 'folder').data('id', folder.id).addClass('folder_' + folder.id);
-          $folder.find('.name').html(" <span class='screenreader-only'>" + htmlEscape(folder.name) + " " + I18n.t('aria_tree.folder', 'folder') + "</span>" + htmlEscape(folder.name) );
+          $folder.find('.name').html(" <span class='screenreader-only'>" + htmlEscape(folder.name) + " " + htmlEscape(I18n.t('aria_tree.folder', 'folder')) + "</span>" + htmlEscape(folder.name) );
           $folder.attr('aria-level', children.data('level'))
                  .attr('id', wikiSidebar.generateTreeItemID('folder'));
           children.append($folder);
@@ -214,7 +214,7 @@ define([
         }
         var $option = $("<option />");
         $option.val(folder.id);
-        $option.html(name);
+        $option.html($.raw(name));
         $sidebar_upload_file_form.find('#attachment_folder_id').append($option.clone());
         $sidebar_upload_image_form.find('#image_folder_id').append($option.clone());
         $wiki_sidebar_select_folder_dialog.find('.folder_id').append($option.clone());
diff --git a/script/xsslint.js b/script/xsslint.js
new file mode 100644
index 00000000000..eb8532f7e83
--- /dev/null
+++ b/script/xsslint.js
@@ -0,0 +1,43 @@
+var XSSLint    = require("xsslint");
+var Linter     = require("xsslint/linter");
+var globby     = require("gglobby").default;
+var fs         = require("fs");
+
+XSSLint.configure({
+  "xssable.receiver.whitelist": ["formData"],
+  "jqueryObject.identifier": [/^\$/],
+  "jqueryObject.property":   [/^\$/],
+  "safeString.identifier":   [/(_html|Html|View|Template)$/, "html", "id"],
+  "safeString.function":     ["h", "htmlEscape", "template", /(Template|View|Dialog)$/],
+  "safeString.property":     ["template", "id", "height", "width", /_id$/],
+  "safeString.method":       ["$.raw", "template", /(Template|Html)$/, "toISOString", "friendlyDatetime", /^(date|(date)?time)String$/]
+});
+
+// treat I18n.t calls w/ wrappers as html-safe, since they are
+var origIsSafeString = Linter.prototype.isSafeString;
+Linter.prototype.isSafeString = function(node) {
+  var result = origIsSafeString.call(this, node);
+  if (result) return result;
+
+  if (node.type !== "CallExpression") return false;
+  var callee = node.callee;
+  if (callee.type !== "MemberExpression") return false;
+  if (callee.object.type !== "Identifier" || callee.object.name !== "I18n") return false;
+  if (callee.property.type !== "Identifier" || callee.property.name !== "t" && callee.property.name !== "translate") return false;
+  var lastArg = node.arguments[node.arguments.length - 1];
+  if (lastArg.type !== "ObjectExpression") return false;
+  var wrapperOption = lastArg.properties.filter(function(prop){
+    return prop.key.name === "wrapper" || prop.key.name === "wrappers";
+  });
+  return (wrapperOption.length > 0)
+}
+
+process.chdir("public/javascripts");
+var ignores = fs.readFileSync(".xssignore").toString().trim().split(/\r?\n|\r/);
+var files = globby.select(["*.js"]).reject(ignores).files;
+//var files = ["./script/test.js"];
+
+files.forEach(function(file) {
+  XSSLint.run(file);
+});
+