diff --git a/static/webdev-editor.js b/static/webdev-editor.js
index ed1fdbae0b05e2cd20249cea4753212440325ec8..de0e2f338b86f1dd3fe1273d4e7173700ef5e5f4 100644
--- a/static/webdev-editor.js
+++ b/static/webdev-editor.js
@@ -79,9 +79,19 @@ ACOSWebdev.prototype.extendGrade = function (eventOrMutations, cb) {
 ACOSWebdev.prototype.extendProtocolFeedback = function (feedback) {
   var $out = $(this.$editorOutput.find('iframe').get(0).contentWindow.document.body);
   $out.find('script').remove();
-  return '<pre><code>' + this.editor.getValue() + '</code></pre><div>' + $out.html() + '</div>';
+  return '<pre><code>' + this.esc(this.editor.getValue()) + '</code></pre><div>' + $out.html() + '</div>';
 };
 
+ACOSWebdev.prototype.esc = function (str) {
+  if (str) {
+    var rep = {'&': '&amp;', '<': '&lt;', '>': '&gt;'};
+    return str.replace(/[&<>]/g, function (ch) {
+      return rep[ch] || ch;
+    });
+  }
+  return str;
+}
+
 ACOSWebdev.prototype.editorExecute = function (cb) {
   var $iframe = $('<iframe src="about:blank"></iframe>');
   this.$editorOutput.empty().append($iframe);
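Review bot: In `extendProtocolFeedback` the second half of the returned string, `$out.html()`, is still concatenated unescaped, and removing only `script` elements leaves other active markup from the submission intact (inline event-handler attributes, nested frames, `javascript:` URLs). Where this feedback string is rendered is not visible from the hunk; if it ends up in a staff or grading view, it should go through an allowlist HTML sanitizer or be displayed inside an `<iframe sandbox>` rather than inserted into the page. The new `esc` is adequate for the `<pre><code>` text context it is used in, but it does not escape quotes, so a comment above it would help: `// Escapes for HTML element content only; not safe inside attribute values.`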