diff --git a/static/js/reactions.js b/static/js/reactions.js
index ba39e70c53..0fdb38daeb 100644
--- a/static/js/reactions.js
+++ b/static/js/reactions.js
@@ -187,7 +187,7 @@ exports.get_add_reaction_button = function (message_id) {
 exports.set_reaction_count = function (reaction, count) {
     var count_element = reaction.find('.message_reaction_count');
-    count_element.html(count);
+    count_element.text(count);
 };
 exports.add_reaction = function (event) {
diff --git a/static/js/stream_edit.js b/static/js/stream_edit.js
index e3d7462671..9904535b3e 100644
--- a/static/js/stream_edit.js
+++ b/static/js/stream_edit.js
@@ -69,7 +69,7 @@ exports.show_sub_settings = function (sub) {
     var $settings = $(".subscription_settings[data-stream-id='" + sub.stream_id + "']");
     if ($settings.find(".email-address").val().length === 0) {
         // Rerender stream email address, if not.
-        $settings.find(".email-address").html(sub.email_address);
+        $settings.find(".email-address").text(sub.email_address);
         $settings.find(".stream-email-box").show();
     }
     $settings.find(".regular_subscription_settings").addClass('in');
diff --git a/tools/linter_lib/custom_check.py b/tools/linter_lib/custom_check.py
index 1accba1c73..621f2c4697 100644
--- a/tools/linter_lib/custom_check.py
+++ b/tools/linter_lib/custom_check.py
@@ -188,6 +188,11 @@ def build_custom_checkers(by_lang):
              'description': 'Do not concatenate i18n strings'},
             {'pattern': '\+.*i18n\.t\(.+\)',
              'description': 'Do not concatenate i18n strings'},
+            {'pattern': '[.]html[(]',
+             'exclude_pattern': '[.]html[(]("|\'|templates|html|message.content|sub.rendered_description|i18n.t|rendered_|$|[)]|error_text|[$]error|[$][(]"
"[)])',
+             'exclude': ['static/js/portico', 'static/js/lightbox.js', 'static/js/ui_report.js',
+                         'frontend_tests/'],
+             'description': 'Setting HTML content with jQuery .html() can lead to XSS security bugs. Consider .text() or using rendered_foo as a variable name if content comes from handlebars and thus is already sanitized.'},
             {'pattern': '["\']json/',
              'description': 'Relative URL for JSON route not supported by i18n'},
             # This rule is constructed with + to avoid triggering on itself
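Review bot: The guard two lines above the changed line reads `.email-address` with `.val()`, while the new line writes it with `.text()`, and the two only agree if the element is a form control. As far as I recall, jQuery's `.val()` getter yields an empty string for a non-form element, so if `.email-address` is a span or div the length check is always true and the address is re-rendered on every call; in that case `if ($settings.find(".email-address").text().length === 0) {` is the consistent check, whereas if it is an input, `.text()` will not set its value. I cannot tell from the hunk which it is, so it is worth confirming against the template. show_sub_settings continues outside the hunk.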
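Review bot: The exclude_pattern of the new `[.]html[(]` rule skips any call whose first argument merely starts with a quote, so a line such as `.html("<b>" + value + "</b>")` (constructed example) is not flagged even though it is the concatenation case the rule is meant to catch. Narrowing the two quote alternatives to a complete literal that also closes the call, e.g. `"[^"]*"[)]` and `'[^']*'[)]`, would keep constant markup allowed while still reporting concatenated HTML. The `$` alternative (`.html(` at end of line) likewise appears to exempt any call whose argument is wrapped onto the next line, which would let a reformatting silently bypass the check; I am inferring the linter's exclude semantics, since its matching code is outside the hunk. build_custom_checkers continues outside the hunk.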