Index: lams_tool_preview/src/java/org/lamsfoundation/lams/tool/peerreview/service/PeerreviewServiceImpl.java
===================================================================
RCS file: /usr/local/cvsroot/lams_tool_preview/src/java/org/lamsfoundation/lams/tool/peerreview/service/PeerreviewServiceImpl.java,v
diff -u -r1.7.2.15 -r1.7.2.16
--- lams_tool_preview/src/java/org/lamsfoundation/lams/tool/peerreview/service/PeerreviewServiceImpl.java	26 Oct 2016 04:18:49 -0000	1.7.2.15
+++ lams_tool_preview/src/java/org/lamsfoundation/lams/tool/peerreview/service/PeerreviewServiceImpl.java	11 Nov 2016 04:08:46 -0000	1.7.2.16
@@ -496,15 +496,18 @@
 
     private void generateRatingEntryForEmail(StringBuilder notificationMessage, RatingCriteria criteria,
 	    StyledCriteriaRatingDTO dto) {
+	String escapedTitle = StringEscapeUtils.escapeHtml(dto.getRatingCriteria().getTitle());
 	if (dto.getRatingDtos().size() >= 1) {
 	    if (criteria.isCommentRating()) {
 		StringBuilder comments = new StringBuilder();
 		for (StyledRatingDTO ratingDto : dto.getRatingDtos()) {
-		    if (ratingDto.getComment() != null)
-			comments.append("<li>").append(ratingDto.getComment()).append("</li>");
+		    if (ratingDto.getComment() != null) {
+			String escaped = StringEscapeUtils.escapeHtml(ratingDto.getComment());
+			comments.append("<li>").append(escaped).append("</li>");
+		    }
 		}
 		notificationMessage.append(getLocalisedMessage("event.sent.results.criteria.comment", new Object[] {
-			dto.getRatingCriteria().getTitle(), comments.toString() }));
+			escapedTitle, comments.toString() }));
 	    } else {
 		String avgRating = dto.getRatingDtos().get(0).getAverageRating().length() > 0 ? dto.getRatingDtos()
 			.get(0).getAverageRating() : "0";
@@ -513,30 +516,32 @@
 		    if (criteria.isCommentsEnabled()) {
 			comments = new StringBuilder();
 			for (StyledRatingDTO ratingDto : dto.getRatingDtos()) {
-			    if (ratingDto.getComment() != null)
-				comments.append("<li>").append(ratingDto.getComment()).append("</li>");
+			    if (ratingDto.getComment() != null) {
+				String escaped = StringEscapeUtils.escapeHtml(ratingDto.getComment());
+				comments.append("<li>").append(escaped).append("</li>");
+			    }
 			}
 		    }
 		    notificationMessage.append(getLocalisedMessage(
 			    "event.sent.results.criteria.star",
-			    new Object[] { dto.getRatingCriteria().getTitle(), avgRating,
+			    new Object[] { escapedTitle, avgRating,
 				    comments != null ? comments.toString() : "" }));
 		} else if (criteria.isRankingStyleRating()) {
 		    if (criteria.getMaxRating() > 0) {
 			notificationMessage
 				.append(getLocalisedMessage("event.sent.results.criteria.rank", new Object[] {
-					dto.getRatingCriteria().getTitle(), avgRating, criteria.getMaxRating() }));
+					escapedTitle, avgRating, criteria.getMaxRating() }));
 		    } else {
 			notificationMessage.append(getLocalisedMessage("event.sent.results.criteria.rankAll",
-				new Object[] { dto.getRatingCriteria().getTitle(), avgRating }));
+				new Object[] { escapedTitle, avgRating }));
 		    }
 		} else { // hedge style rating
 		    notificationMessage.append(getLocalisedMessage("event.sent.results.criteria.hedge", new Object[] {
-			    dto.getRatingCriteria().getTitle(), avgRating, criteria.getMaxRating() }));
+			    escapedTitle, avgRating, criteria.getMaxRating() }));
 		}
 	    }
 	} else {
-	    notificationMessage.append(dto.getRatingCriteria().getTitle()).append(
+	    notificationMessage.append(escapedTitle).append(
 		    getLocalisedMessage("event.sent.results.no.results", null));
 	}
 	notificationMessage.append("\n");
Index: lams_tool_preview/web/pages/learning/learning.jsp
===================================================================
RCS file: /usr/local/cvsroot/lams_tool_preview/web/pages/learning/learning.jsp,v
diff -u -r1.6.2.8 -r1.6.2.9
--- lams_tool_preview/web/pages/learning/learning.jsp	12 Oct 2016 20:48:42 -0000	1.6.2.8
+++ lams_tool_preview/web/pages/learning/learning.jsp	11 Nov 2016 04:08:46 -0000	1.6.2.9
@@ -104,7 +104,7 @@
 		</div>
 			
 		<div class="panel">
-			<h4>${criteriaRatings.ratingCriteria.title}</h4>
+			<h4><c:out value="${criteriaRatings.ratingCriteria.title}" escapeXml="true"/></h4>
 		<c:choose>
 		<c:when test="${criteriaRatings.ratingCriteria.ratingStyle == isComment}">
 			<%@ include file="comment.jsp" %>
Index: lams_tool_preview/web/pages/learning/results.jsp
===================================================================
RCS file: /usr/local/cvsroot/lams_tool_preview/web/pages/learning/results.jsp,v
diff -u -r1.3.2.5 -r1.3.2.6
--- lams_tool_preview/web/pages/learning/results.jsp	10 Oct 2016 00:31:04 -0000	1.3.2.5
+++ lams_tool_preview/web/pages/learning/results.jsp	11 Nov 2016 04:08:46 -0000	1.3.2.6
@@ -106,7 +106,7 @@
 		<c:forEach var="criteriaRatings" items="${allCriteriaRatings}" varStatus="status">
 			<div class="panel panel-default">
 			<div class="panel-heading panel-title">
-				${criteriaRatings.ratingCriteria.title}
+				<c:out value="${criteriaRatings.ratingCriteria.title}" escapeXml="true"/>
 			</div>
 			<div class="panel-body">
 			<lams:StyledRating criteriaRatings="${criteriaRatings}" showJustification="true" alwaysShowAverage="false" currentUserDisplay="false"/>
@@ -121,7 +121,7 @@
 		</div>
 		<div class="panel-body">
 			<c:forEach var="criteriaRatings" items="${userRatings}" varStatus="status">
-				<h4>${criteriaRatings.ratingCriteria.title}</h4>
+				<h4><c:out value="${criteriaRatings.ratingCriteria.title}" escapeXml="true"/></h4>
 		 		<lams:StyledRating criteriaRatings="${criteriaRatings}" showJustification="false" alwaysShowAverage="true" currentUserDisplay="true"/>
 		</c:forEach>
 		</div>
Index: lams_tool_preview/web/pages/monitoring/summary.jsp
===================================================================
RCS file: /usr/local/cvsroot/lams_tool_preview/web/pages/monitoring/summary.jsp,v
diff -u -r1.5.2.5 -r1.5.2.6
--- lams_tool_preview/web/pages/monitoring/summary.jsp	26 Oct 2016 04:18:49 -0000	1.5.2.5
+++ lams_tool_preview/web/pages/monitoring/summary.jsp	11 Nov 2016 04:08:46 -0000	1.5.2.6
@@ -90,7 +90,7 @@
 	<c:choose>
 		<c:when test="${not empty criterias && fn:length(criterias) eq 1}">
 			<c:forEach var="criteria" items="${criterias}">
-			<h4>${criteria.title}</h4>
+			<h4><c:out value="${criteria.title}" escapeXml="true"/></h4>
 			<c:set var="toolSessionId" value="${groupSummary.sessionId}" scope="request"/>
 			<c:set var="criteria" value="${criteria}" scope="request"/>
 			<c:set var="sessionMap" value="${sessionMap}" scope="request"/>
@@ -101,7 +101,7 @@
 			<c:forEach var="criteria" items="${criterias}">
 				<c:set var='url'>criteria.do?sessionMapID=${sessionMapID}&toolSessionId=${groupSummary.sessionId}&criteriaId=${criteria.ratingCriteriaId}</c:set>
 				<a href="javascript:launchPopup('${url}')" class="btn btn-default voffset5 loffset5">
-					<fmt:message key="label.monitoring.view"><fmt:param>${criteria.title}</fmt:param></fmt:message></a>
+					<fmt:message key="label.monitoring.view"><fmt:param><c:out value="${criteria.title}" escapeXml="true"/></fmt:param></fmt:message></a>
 			</c:forEach>
 			<div class="voffset5">&nbsp;</div>
 		</c:otherwise>