diff --git a/app/helpers/activity_helper.rb b/app/helpers/activity_helper.rb
index 659b222ab..04d1d492d 100644
--- a/app/helpers/activity_helper.rb
+++ b/app/helpers/activity_helper.rb
@@ -8,6 +8,6 @@ module ActivityHelper
       title = truncate(activity_title, length: len)
     end
     message = message.gsub(/#{activity_title}/, title )
-    message.html_safe if message
+    sanitize_input(message.html_safe) if message
   end
 end
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 31990a632..eaa1d5e40 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -14,8 +14,10 @@ module ApplicationHelper
 
   def display_tooltip(message, len = Constants::NAME_TRUNCATION_LENGTH)
     if message.strip.length > Constants::NAME_TRUNCATION_LENGTH
-      "<div class='modal-tooltip'>#{truncate(message.strip, length: len)} \
-        <span class='modal-tooltiptext'>#{message.strip}</span></div>".html_safe
+      sanitize_input("<div class='modal-tooltip'> \
+      #{truncate(message.strip, length: len)} \
+      <span class='modal-tooltiptext'> \
+      #{message.strip}</span></div>")
     else
       truncate(message.strip, length: len)
     end
diff --git a/app/helpers/assets_helper.rb b/app/helpers/assets_helper.rb
index 404819241..7db281e88 100644
--- a/app/helpers/assets_helper.rb
+++ b/app/helpers/assets_helper.rb
@@ -4,7 +4,7 @@ module AssetsHelper
     res = <<-eos
     <span
       data-status='asset-loading'
-      data-filename='#{asset.file_file_name}'
+      data-filename='#{sanitize_input(asset.file_file_name)}'
       data-type='#{asset.is_image? ? "image" : "asset"}'
       data-present-url='#{file_present_asset_path(asset, format: :json)}'
       #{asset.is_image? ? "data-preview-url='" + preview_asset_path(asset) + "'" : ""}'
diff --git a/app/helpers/input_sanitize_helper.rb b/app/helpers/input_sanitize_helper.rb
new file mode 100644
index 000000000..b73a81018
--- /dev/null
+++ b/app/helpers/input_sanitize_helper.rb
@@ -0,0 +1,6 @@
+module InputSanitizeHelper
+  def sanitize_input(text)
+    ActionController::Base.helpers.sanitize(text,
+                                            tags: Constants::WHITELISTED_TAGS)
+  end
+end
diff --git a/app/helpers/organizations_helper.rb b/app/helpers/organizations_helper.rb
index 2ffeaf09d..a52f8d872 100644
--- a/app/helpers/organizations_helper.rb
+++ b/app/helpers/organizations_helper.rb
@@ -9,8 +9,9 @@ module OrganizationsHelper
 
   def truncate_organization_name(name, len = Constants::NAME_TRUNCATION_LENGTH)
     if name.length > len
-      "<div class='modal-tooltip'>#{truncate(name, length: len)}
-		    <span class='modal-tooltiptext'>#{name}</span></div>".html_safe
+      "<div class='modal-tooltip'>#{truncate(sanitize_input(name), length: len)}
+		    <span class='modal-tooltiptext'>#{sanitize_input(name)}</span>
+      </div>".html_safe
     else
       name
     end
diff --git a/app/helpers/protocol_status_helper.rb b/app/helpers/protocol_status_helper.rb
index 855246ca4..e0645a686 100644
--- a/app/helpers/protocol_status_helper.rb
+++ b/app/helpers/protocol_status_helper.rb
@@ -5,7 +5,10 @@ module ProtocolStatusHelper
     res = ""
     res << "<a href=\"#\" data-toggle=\"popover\" data-html=\"true\" "
     res << "data-trigger=\"focus\" data-placement=\"bottom\" title=\""
-    res << protocol_status_popover_title(parent) + "\" data-content=\"" + protocol_status_popover_content(parent) + "\">" + protocol_name(parent) + "</a>"
+    res << sanitize_input(protocol_status_popover_title(parent)) +
+           '" data-content="' +
+           sanitize_input(protocol_status_popover_content(parent)) +
+           '">' + sanitize_input(protocol_name(parent)) + '</a>'
     res.html_safe
   end
 
diff --git a/app/views/my_modules/activities/_activity.html.erb b/app/views/my_modules/activities/_activity.html.erb
index f5d261aaa..63a047b90 100644
--- a/app/views/my_modules/activities/_activity.html.erb
+++ b/app/views/my_modules/activities/_activity.html.erb
@@ -2,6 +2,6 @@
   <span class="activity-item-date">
     <%= l activity.created_at, format: :full %>
   </span>
-  <span class="activity-item-text"><%= activity.message.html_safe %>
+  <span class="activity-item-text"><%= sanitize_input(activity.message) %>
   </span>
-</li>
\ No newline at end of file
+</li>
diff --git a/app/views/reports/elements/_my_module_activity_element.html.erb b/app/views/reports/elements/_my_module_activity_element.html.erb
index 4582d0868..a0a47a563 100644
--- a/app/views/reports/elements/_my_module_activity_element.html.erb
+++ b/app/views/reports/elements/_my_module_activity_element.html.erb
@@ -30,7 +30,7 @@
                 </span>
                 <span class="activity-message">
                   &nbsp;
-                  <%= activity.message.html_safe %>
+                  <%= sanitize_input(activity.message) %>
                 </span>
               </li>
             <% end %>
diff --git a/config/initializers/constants.rb b/config/initializers/constants.rb
index 91ff85752..7940dd3bc 100644
--- a/config/initializers/constants.rb
+++ b/config/initializers/constants.rb
@@ -207,6 +207,11 @@ class Constants
     'gif', 'jpeg', 'pjpeg', 'png', 'x-png', 'svg+xml', 'bmp'
   ].freeze
 
+  WHITELISTED_TAGS = [
+    'a', 'b', 'strong', 'i', 'em', 'li', 'ul', 'ol', 'h1',
+    'h2', 'h3', 'br', 'sub', 'p', 'div', 'span'
+  ].freeze
+
   # Very basic regex to check for validity of emails
   BASIC_EMAIL_REGEX = URI::MailTo::EMAIL_REGEXP