diff --git a/app/views/todos/create.js.erb b/app/views/todos/create.js.erb
index cdc91ac4..58155973 100644
--- a/app/views/todos/create.js.erb
+++ b/app/views/todos/create.js.erb
@@ -1,5 +1,5 @@
 <% if @saved -%>
- TracksPages.page_notify('notice', "<%=@status_message%>", 5);
+ TracksPages.page_notify('notice', "<%=escape_javascript @status_message%>", 5);
 TracksPages.hide_errors();
 TracksPages.set_page_badge(<%= @down_count %>);
 <% if should_show_new_item -%>
@@ -18,9 +18,9 @@ function clear_form() {
 $('#todo-form-new-action').clearForm();
 $('#todo-form-new-action').clearDeps();
- TracksForm.set_context_name('<%=@initial_context_name%>');
- TracksForm.set_project_name('<%=@initial_project_name%>');
- TracksForm.set_tag_list('<%=@default_tags%>');
+ TracksForm.set_context_name('<%=escape_javascript @initial_context_name%>');
+ TracksForm.set_project_name('<%=escape_javascript @initial_project_name%>');
+ TracksForm.set_tag_list('<%=escape_javascript @default_tags%>');
 $('#todo-form-new-action input:text:first').focus();
 }
diff --git a/app/views/todos/update.js.erb b/app/views/todos/update.js.erb
index adb412b3..9c48aa9a 100644
--- a/app/views/todos/update.js.erb
+++ b/app/views/todos/update.js.erb
@@ -20,7 +20,7 @@
 %>
 <%= render_animation(animation) %>
- TracksPages.page_notify('notice', '<%=@status_message%>', 5);
+ TracksPages.page_notify('notice', '<%=escape_javascript @status_message%>', 5);
 TracksPages.set_page_badge(<%= @down_count %>);
 <% end %>
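Review bot: The `TracksPages.set_page_badge(<%= @down_count %>);` line left as context in the first create.js.erb hunk, and again in the update.js.erb hunk, still interpolates a value into JavaScript outside any string literal, where `escape_javascript` cannot help; if `@down_count` were ever a non-integer the emitted script would be malformed or worse. It is presumably an integer count, but the template should pin that at the emission point rather than rely on the controller: `TracksPages.set_page_badge(<%= @down_count.to_i %>);` (or `.to_json`). Separately, since `<%= %>` in an ERB template may also HTML-escape a result that is not marked `html_safe` — behaviour that depends on the Rails version in use — a status message containing `&` or `<` could now surface as `&amp;` or `&lt;` in the notice; worth confirming with such a message before relying on the new escaping for display fidelity. The `clear_form` function changed in the second hunk begins before the hunk (its signature appears only in the hunk header).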