diff --git a/assemblies/pentaho-war/src/main/webapp/js/ajaxslt/dom.js b/assemblies/pentaho-war/src/main/webapp/js/ajaxslt/dom.js
index 4bb438206a7..121df038c10 100644
--- a/assemblies/pentaho-war/src/main/webapp/js/ajaxslt/dom.js
+++ b/assemblies/pentaho-war/src/main/webapp/js/ajaxslt/dom.js
@@ -34,7 +34,8 @@
 // Spec. However, different browsers actually pass very different
 // values at the API.
 //
-function xmlResolveEntities(s) {
+
+ function xmlResolveEntities(s) {
 var parts = stringSplit(s, '&');
@@ -73,7 +74,7 @@ function xmlResolveEntities(s) {
 // through the W3C DOM. W3C DOM access is specified to resolve
 // entities.
 var span = window.document.createElement('span');
- span.innerHTML = '&' + rp[0] + '; ';
+ pho.util.xss.setHtml(span, '&' + rp[0] + '; ');
 ch = span.childNodes[0].nodeValue.charAt(0);
 }
 ret += ch + rp[1];
diff --git a/assemblies/pentaho-war/src/main/webapp/js/google-demo.js b/assemblies/pentaho-war/src/main/webapp/js/google-demo.js
index 69a79992df7..b20c64160f6 100644
--- a/assemblies/pentaho-war/src/main/webapp/js/google-demo.js
+++ b/assemblies/pentaho-war/src/main/webapp/js/google-demo.js
@@ -86,7 +86,7 @@ greenicon = icon;
 function updateProductMix( content ) {
 document.getElementById( 'details-div' ).style.display='block';
- document.getElementById( 'details-cell1' ).innerHTML=content;
+ pho.util.xss.setHtml(document.getElementById('details-cell1'), content);
 pentahoAction( "steel-wheels", "google", "customer_details.xaction",
 new Array( new Array( "customer", currentRecord[7] ) ),
 'updateHistory'
@@ -95,7 +95,7 @@ greenicon = icon;
 function updateHistory( content ) {
 document.getElementById( 'details-div' ).style.display='block';
- document.getElementById( 'details-cell2' ).innerHTML=content;
+ pho.util.xss.setHtml(document.getElementById('details-cell2'), content);
 }
 function showAddress(address, name, custNum, value, selected) {
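Review bot: The replacement declaration `+ function xmlResolveEntities(s) {` carries a leading space and is preceded by a newly added empty line, so this top-level function header now sits one column in from the rest of the file's declarations for no reason. Keep it at column 0 and drop the blank line: `function xmlResolveEntities(s) {`. Nothing else in this hunk changes behaviour, so this reads as an accidental edit rather than a formatting decision.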
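Review bot: The added `pho.util.xss.setHtml(span, '&' + rp[0] + '; ')` leaves the next line's `span.childNodes[0].nodeValue.charAt(0)` unguarded; if the helper rewrites or drops the text it is given (its contract is not visible here), `childNodes[0]` can be undefined and entity resolution throws a TypeError instead of degrading. Read the node first and fall back to the unresolved entity text: `var node = span.childNodes[0];` then `ch = node ? node.nodeValue.charAt(0) : '&' + rp[0] + ';';`. Note also that dom.js declares no dependency on `pho`, so this line relies on the `pho.util.xss` global being loaded before this script, whereas gettingStarted.js in the same commit takes the helper as an AMD dependency; a comment on the load-order assumption would help, `// relies on pho.util.xss being loaded before this file`. The enclosing loop and `switch` of xmlResolveEntities start above this hunk.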
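Review bot: The new `pho.util.xss.setHtml(document.getElementById('details-cell1'), content)` drops the spacing style of the line directly above it, `document.getElementById( 'details-div' )`, and the hunk at @@ -95 does the same for `details-cell2`; either keep the file's style, `pho.util.xss.setHtml( document.getElementById( 'details-cell1' ), content );`, or reformat the whole function, not one line. Both callbacks receive `content` from a `pentahoAction` response and hand it to the helper as HTML, and nothing in the code says that the helper is what now stands between that response and the DOM; a one-line comment above each call would make the intent survive the next edit, `// content is server-returned HTML; pho.util.xss.setHtml is expected to sanitize it before insertion`.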
@@ -191,6 +191,4 @@ function showAddress(address, name, custNum, value, selected) {
 'updateInfoWindow'
 );
 }
-
-
 }
diff --git a/assemblies/pentaho-war/src/main/webapp/js/options.js b/assemblies/pentaho-war/src/main/webapp/js/options.js
index e63b19043b0..56f3b5d66b5 100644
--- a/assemblies/pentaho-war/src/main/webapp/js/options.js
+++ b/assemblies/pentaho-war/src/main/webapp/js/options.js
@@ -20,11 +20,11 @@ function runInBackground( url, target )
 url = url + "&background=true";
 if ( target.toLowerCase().indexOf( 'new' ) >= 0 ) {
- var targetWin = window.open( url );
+ var targetWin = window.open(pho.util.xss.sanitizeUrl(url));
 } else {
- window.location = url;
+ window.location = pho.util.xss.sanitizeUrl(url);
 }
 }
 return undefined; // forces current page to remain unchanged when target=new
diff --git a/assemblies/pentaho-war/src/main/webapp/js/parameters.js b/assemblies/pentaho-war/src/main/webapp/js/parameters.js
index 7c7424551d5..c9030753176 100644
--- a/assemblies/pentaho-war/src/main/webapp/js/parameters.js
+++ b/assemblies/pentaho-war/src/main/webapp/js/parameters.js
@@ -360,7 +360,7 @@ function executeAction (target, submitUrl) {
 // convert characters from entities like ı to display characters (HTML)
 function convertHtmlEntitiesToCharacters(theStr) {
 var newDiv = document.createElement(newDiv);
- newDiv.innerHTML = theStr;
+ pho.util.xss.setHtml(newDiv, theStr);
 return newDiv.innerHTML;
 }
diff --git a/assemblies/pentaho-war/src/main/webapp/js/src/html/util.js b/assemblies/pentaho-war/src/main/webapp/js/src/html/util.js
index 4bd8ee853bd..79623b6caed 100644
--- a/assemblies/pentaho-war/src/main/webapp/js/src/html/util.js
+++ b/assemblies/pentaho-war/src/main/webapp/js/src/html/util.js
@@ -210,7 +210,7 @@ dojo.html.createNodesFromText = function(/* string */txt, /* boolean? */trim){
 txt = "" + txt + "
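Review bot: `targetWin` on the new `window.open` line is assigned and never read in this function (it returns `undefined` a few lines later), and `pho.util.xss.sanitizeUrl(url)` is now computed separately in both branches on the same input. Hoist it above the `if`: `var safeUrl = pho.util.xss.sanitizeUrl(url);`, then `window.open(safeUrl);` and `window.location = safeUrl;`. What `sanitizeUrl` returns for a URL it rejects is not visible here; if it is an empty string, `window.location = ''` reloads the current page, so a falsy result probably deserves an early `return undefined;` rather than a navigation. The same sanitize-then-open pattern is added to main.js at @@ -50, and if either URL can be cross-origin, `window.open(safeUrl, '_blank', 'noopener')` would also keep the opened page from reaching `window.opener`. runInBackground's signature and opening lines are above this hunk.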
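Review bot: The element that `pho.util.xss.setHtml(newDiv, theStr)` writes into is created one line above by `document.createElement(newDiv)`, where `newDiv` is the hoisted and still-undefined variable, so the tag name passed is the string "undefined" and the function only works by accident; make it `var newDiv = document.createElement('div');`. The comment above the function still says it converts entities to characters, but because the result is `newDiv.innerHTML` read back after `setHtml`, anything the helper strips from `theStr` is also missing from the return value, which callers of a "convert entities" helper will not expect; extend the comment with `// note: the string also passes through pho.util.xss.setHtml, so markup the helper rejects is removed from the result`.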
";
 tableType = "section";
 }
- tn.innerHTML = txt;
+ pho.util.xss.setHtml(tn, txt);
 if(tn["normalize"]){
 tn.normalize();
 }
diff --git a/assemblies/pentaho-war/src/main/webapp/js/utils.js b/assemblies/pentaho-war/src/main/webapp/js/utils.js
index bee2ec6f80f..c11a03bb19c 100644
--- a/assemblies/pentaho-war/src/main/webapp/js/utils.js
+++ b/assemblies/pentaho-war/src/main/webapp/js/utils.js
@@ -294,8 +294,8 @@ function refreshDatePicker(dateFieldName, year, month, day)
 // and finally, close the table
 html += xTABLE;
-
- document.getElementById(datePickerDivID).innerHTML = html;
+
+ pho.util.xss.setHtml(document.getElementById(datePickerDivID), html);
 // add an "iFrame shim" to allow the datepicker to display above selection lists
 adjustiFrame();
 }
@@ -530,4 +530,4 @@ function isValidName(name){
 function reservedCharListForDisplay( separatorString ) {
 //ToDo: Fix this
 return "/ \ :";
-}
\ No newline at end of file
+}
diff --git a/user-console/src/main/resources/org/pentaho/mantle/public/home/content/welcome/js/main.js b/user-console/src/main/resources/org/pentaho/mantle/public/home/content/welcome/js/main.js
index 1883f5b9a2b..70f7aa9597a 100644
--- a/user-console/src/main/resources/org/pentaho/mantle/public/home/content/welcome/js/main.js
+++ b/user-console/src/main/resources/org/pentaho/mantle/public/home/content/welcome/js/main.js
@@ -50,7 +50,7 @@ CCP.liveChat = function(){
 pucOpenTab( name, title, url );
 } else {
- window.open( url );
+ window.open(pho.util.xss.sanitizeUrl(url));
 }
 }
diff --git a/user-console/src/main/resources/org/pentaho/mantle/public/home/js/gettingStarted.js b/user-console/src/main/resources/org/pentaho/mantle/public/home/js/gettingStarted.js
index 0c983a2be9f..14aaf2cca5d 100644
--- a/user-console/src/main/resources/org/pentaho/mantle/public/home/js/gettingStarted.js
+++ b/user-console/src/main/resources/org/pentaho/mantle/public/home/js/gettingStarted.js
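Review bot: `dojo.html.createNodesFromText` is a general-purpose markup parser, and routing its `txt` through `pho.util.xss.setHtml(tn, txt)` means every caller's template is now subject to whatever that helper removes, while the function's `/* string */txt` signature comment and surrounding code say nothing about it. Add above the call: `// txt is inserted via pho.util.xss.setHtml; markup the helper rejects never reaches the returned nodes`. This dojo file has no `dojo.require` or other declaration of `pho`, so the call also depends on the global being loaded first, which deserves either a comment or a guard. The function starts above this hunk, where `tn` is created and the table wrapping on the line before `tableType` is decided.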
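Review bot: `refreshDatePicker` builds `html` itself (`html += xTABLE` immediately above), so the input to the new `pho.util.xss.setHtml(document.getElementById(datePickerDivID), html)` is locally generated rather than untrusted, and the swap is only safe if the helper preserves everything the generated table relies on; if the picker's cells carry inline event-handler or `id` attributes — which I cannot see from here — a sanitizer that strips them would leave the picker rendered but unresponsive. Worth a test that selects a date after this change, plus a comment on the call: `// html is generated above from the picker's own constants; setHtml must keep the attributes the cells use`. The `-`/`+` pair just before the call only swaps a whitespace-only line for an empty one, which is fine but unrelated to the fix.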
@@ -13,8 +13,9 @@ define([ "common-ui/util/ContextProvider", "common-ui/util/BootstrappedTabLoader", - "common-ui/util/HandlebarsCompiler" -], function (ContextProvider, BootstrappedTabLoader, HandlebarsCompiler) { + "common-ui/util/HandlebarsCompiler", + "common-ui/util/xss" +], function (ContextProvider, BootstrappedTabLoader, HandlebarsCompiler, xssUtil) { var brightCoveVideoTemplate = '