diff --git a/rhodecode/public/js/src/rhodecode/comments.js b/rhodecode/public/js/src/rhodecode/comments.js
--- a/rhodecode/public/js/src/rhodecode/comments.js
+++ b/rhodecode/public/js/src/rhodecode/comments.js
@@ -1331,7 +1331,7 @@ var CommentsController = function() {
 
           // There aren't any comments, we init the `.inline-comments` with `reply-thread-container` first
           if ($comments.length===0) {
-            var replBtn = '<button class="cb-comment-add-button" onclick="return Rhodecode.comments.createComment(this, \'{0}\', \'{1}\', null)">Reply...</button>'.format(f_path, line_no)
+            var replBtn = '<button class="cb-comment-add-button" onclick="return Rhodecode.comments.createComment(this, \'{0}\', \'{1}\', null)">Reply...</button>'.format(escapeHtml(f_path), line_no)
             var $reply_container = $('#cb-comments-inline-container-template')
             $reply_container.find('button.cb-comment-add-button').replaceWith(replBtn);
             $td.append($($reply_container).html());
diff --git a/rhodecode/templates/ejs_templates/templates.html b/rhodecode/templates/ejs_templates/templates.html
--- a/rhodecode/templates/ejs_templates/templates.html
+++ b/rhodecode/templates/ejs_templates/templates.html
@@ -221,7 +221,7 @@ if (show_disabled) {
                 <%= version_info %>
             <% } %>
             <br/>
-            File: <code><%- file_name -%></code>
+            File: <code><%= file_name -%></code>
         <% } else { %>
             <% if (review_status) { %>
                 <i class="icon-circle review-status-<%= review_status %>"></i>