We need to go through our JS code and make sure that we never call jQuery's .html() method with unsafe content. .html(str) parses its argument as markup, so any string that carries user-controlled data can inject elements and script into the page (DOM-based XSS). Some of this work has already been done in #4826.
Whenever .html(something) appears in our code, one of two things should happen:
- If the argument is known to be safe (a string literal, or markup built only from values we control), leave the call and put an inline comment next to it saying why it is allowed.
- In every other case, convert the call to .text(), which sets the element's text content and never interprets its argument as HTML.
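One way to do the sweep mechanically, as an added example and not code from this project: a small Node script that scans JS source for every `.html(...)` write and reports the ones that have no justification comment on the same line. The `// html-ok:` comment marker and the sample source are assumptions made for the example; the issue does not prescribe a marker. Getter calls (`.html()` with no argument) only read the DOM and are skipped.

```javascript
// Added example, not part of the original issue. Audits a JS source string for
// jQuery .html() writes that lack a justification comment.
// Assumed convention: a justified call carries "// html-ok: <reason>" on its line.

// Returns the argument text of the first `.html(...)` call on a line, '' for a
// getter call, or null when the line contains no .html( call at all.
// Parentheses are balanced so that `.html(String(n))` yields "String(n)".
function htmlCallArg(line) {
  const start = line.indexOf('.html(');
  if (start === -1) return null;
  let depth = 0;
  let i = start + 5; // index of the opening '('
  for (; i < line.length; i++) {
    if (line[i] === '(') depth++;
    else if (line[i] === ')' && --depth === 0) break;
  }
  return line.slice(start + 6, i).trim();
}

// One finding per .html(...) write: line number, argument, and whether the
// line carries the assumed "// html-ok:" justification comment.
function auditHtmlCalls(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const arg = htmlCallArg(line);
    if (arg === null || arg === '') return; // no call, or a getter
    const justified = /\/\/\s*html-ok:/.test(line);
    findings.push({ line: idx + 1, arg, justified });
  });
  return findings;
}

// The calls that still need attention: convert to .text() or add a comment.
function unjustifiedHtmlCalls(source) {
  return auditHtmlCalls(source).filter((f) => !f.justified);
}

// Constructed sample standing in for a file from the code base.
const SAMPLE = `
$('#name').html(user.name);                     // unsafe: user-controlled string
$('#count').html(String(items.length));          // html-ok: a number, no markup possible
$('#name').text(user.name);                      // already converted to .text()
var current = $('#panel').html();                // getter, not a write
$('#tpl').html('<div class="spinner"></div>');   // html-ok: string literal, no user data
`;

const REPORT = unjustifiedHtmlCalls(SAMPLE);
for (const f of REPORT) {
  console.log(`line ${f.line}: .html(${f.arg}) has no justification comment`);
}
```

Run it over each file in the tree and the output is the worklist for this issue. The check is line-based on purpose: a justification that sits on a different line from the call is easy to lose in a refactor, so requiring it inline matches the "inline comment" rule above.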