diff --git a/app/controllers/direct_uploads_controller.rb b/app/controllers/direct_uploads_controller.rb
index d1d52eb4c..425c43200 100644
--- a/app/controllers/direct_uploads_controller.rb
+++ b/app/controllers/direct_uploads_controller.rb
@@ -17,7 +17,7 @@ class DirectUploadsController < ApplicationController
 
       render json: { cached_attachment: @direct_upload.relation.cached_attachment,
                      filename: @direct_upload.relation.attachment.original_filename,
-                     destroy_link: render_destroy_upload_link(@direct_upload).html_safe,
+                     destroy_link: render_destroy_upload_link(@direct_upload),
                      attachment_url: @direct_upload.relation.attachment.url }
     else
       @direct_upload.destroy_attachment
diff --git a/app/views/admin/budget_investments/_select_investment.html.erb b/app/views/admin/budget_investments/_select_investment.html.erb
index 793e05c7c..b293894b2 100644
--- a/app/views/admin/budget_investments/_select_investment.html.erb
+++ b/app/views/admin/budget_investments/_select_investment.html.erb
@@ -31,7 +31,7 @@
 <td class="small" data-field="valuator">
   <% valuators = [investment.assigned_valuation_groups, investment.assigned_valuators].compact %>
   <% no_valuators_assigned = t("admin.budget_investments.index.no_valuators_assigned") %>
-  <%= raw valuators.present? ? valuators.join(", ") : no_valuators_assigned %>
+  <%= valuators.present? ? valuators.join(", ") : no_valuators_assigned %>
 </td>
 
 <td class="small" data-field="geozone">
diff --git a/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb b/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb
index bae02cd64..e566ebd03 100644
--- a/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb
+++ b/app/views/dashboard/mailer/new_actions_notification_on_published.html.erb
@@ -36,7 +36,7 @@
     <ul>
       <li><%= first_proposed_action.title %></li>
       <% if first_proposed_action.short_description.present? %>
-        <p><%= first_proposed_action.short_description.html_safe %></p>
+        <p><%= first_proposed_action.short_description %></p>
       <% end %>
     </ul>
   <% end %>
diff --git a/app/views/kaminari/_first_page.html.erb b/app/views/kaminari/_first_page.html.erb
index e8afb0431..a5335a30b 100644
--- a/app/views/kaminari/_first_page.html.erb
+++ b/app/views/kaminari/_first_page.html.erb
@@ -1,3 +1,3 @@
 <li>
-  <%= link_to t("views.pagination.first").html_safe, kaminari_path(url), :remote => remote %>
+  <%= link_to t("views.pagination.first"), kaminari_path(url), :remote => remote %>
 </li>
diff --git a/app/views/kaminari/_last_page.html.erb b/app/views/kaminari/_last_page.html.erb
index 5a49bd7e2..697b3bd15 100644
--- a/app/views/kaminari/_last_page.html.erb
+++ b/app/views/kaminari/_last_page.html.erb
@@ -1,3 +1,3 @@
 <li>
-  <%= link_to t("views.pagination.last").html_safe, kaminari_path(url), :remote => remote %>
+  <%= link_to t("views.pagination.last"), kaminari_path(url), :remote => remote %>
 </li>
diff --git a/app/views/kaminari/_next_page.html.erb b/app/views/kaminari/_next_page.html.erb
index 11c700900..366367031 100644
--- a/app/views/kaminari/_next_page.html.erb
+++ b/app/views/kaminari/_next_page.html.erb
@@ -1,3 +1,3 @@
 <li class="pagination-next">
-  <%= link_to t("views.pagination.next").html_safe, kaminari_path(url), :rel => "next", :remote => remote %>
+  <%= link_to t("views.pagination.next"), kaminari_path(url), :rel => "next", :remote => remote %>
 </li>
diff --git a/app/views/kaminari/_prev_page.html.erb b/app/views/kaminari/_prev_page.html.erb
index aba1d9369..d0147ff5c 100644
--- a/app/views/kaminari/_prev_page.html.erb
+++ b/app/views/kaminari/_prev_page.html.erb
@@ -1,3 +1,3 @@
 <li class="pagination-previous">
-  <%= link_to t("views.pagination.previous").html_safe, kaminari_path(url), :rel => "prev", :remote => remote %>
+  <%= link_to t("views.pagination.previous"), kaminari_path(url), :rel => "prev", :remote => remote %>
 </li>
diff --git a/app/views/layouts/_footer.html.erb b/app/views/layouts/_footer.html.erb
index 1337be64b..ebd7dc990 100644
--- a/app/views/layouts/_footer.html.erb
+++ b/app/views/layouts/_footer.html.erb
@@ -2,7 +2,7 @@
   <div class="row">
     <div class="small-12 large-4 column">
       <h1 class="logo">
-        <%= link_to t("layouts.header.open_gov", open: "#{t("layouts.header.open")}").html_safe %>
+        <%= link_to t("layouts.header.open_gov", open: t("layouts.header.open")), root_path %>
       </h1>
 
       <p class="info">
diff --git a/app/views/layouts/_notification_item.html.erb b/app/views/layouts/_notification_item.html.erb
index 7a21a3c38..c766f862a 100644
--- a/app/views/layouts/_notification_item.html.erb
+++ b/app/views/layouts/_notification_item.html.erb
@@ -10,11 +10,11 @@
         <span class="icon-circle" aria-hidden="true"></span>
         <span class="icon-notification" aria-hidden="true"
               title="<%= t("layouts.header.notification_item.new_notifications",
-                         count: current_user.notifications_count).html_safe %>">
+                         count: current_user.notifications_count) %>">
         </span>
         <span class="show-for-small-only">
           <%= t("layouts.header.notification_item.new_notifications",
-              count: current_user.notifications_count).html_safe %>
+              count: current_user.notifications_count) %>
         </span>
       <% else %>
         <span class="icon-no-notification" aria-hidden="true"
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
new file mode 100644
index 000000000..c99fc6c76
--- /dev/null
+++ b/spec/features/xss_spec.rb
@@ -0,0 +1,15 @@
+require "rails_helper"
+
+describe "Cross-Site Scripting protection", :js do
+  let(:attack_code) { "<script>document.body.remove()</script>" }
+
+  scenario "valuators in admin investments index" do
+    hacker = create(:user, username: attack_code)
+    investment = create(:budget_investment, valuators: [create(:valuator, user: hacker)])
+
+    login_as(create(:administrator).user)
+    visit admin_budget_budget_investments_path(investment.budget)
+
+    expect(page.text).not_to be_empty
+  end
+end