diff --git a/node/utils/ExportHtml.js b/node/utils/ExportHtml.js index 46ed980a..c699c411 100644 --- a/node/utils/ExportHtml.js +++ b/node/utils/ExportHtml.js @@ -292,7 +292,7 @@ function getHTMLFromAtext(pad, atext) var url = urlData[1]; var urlLength = url.length; processNextChars(startIndex - idx); - assem.append(''); + assem.append(''); processNextChars(urlLength); assem.append(''); }); @@ -429,14 +429,15 @@ exports.getPadHTMLDocument = function (padId, revNum, noDocType, callback) function _escapeHTML(s) { - var re = /[&<>]/g; + var re = /[&"<>]/g; if (!re.MAP) { // persisted across function calls! re.MAP = { '&': '&', + '"': '"', '<': '<', - '>': '>', + '>': '>' }; } diff --git a/static/js/ace2_common.js b/static/js/ace2_common.js index 1246a16e..1e5c415c 100644 --- a/static/js/ace2_common.js +++ b/static/js/ace2_common.js @@ -142,7 +142,14 @@ function binarySearchInfinite(expectedLength, func) function htmlPrettyEscape(str) { - return str.replace(/&/g, '&').replace(//g, '>').replace(/\r?\n/g, '\\n'); + return str.replace(/[&"<>]/g, function (c) { + return { + '&': '&', + '"': '"', + '<': '<', + '>': '>' + }[c] || c; + }).replace(/\r?\n/g, '\\n'); } if (typeof exports !== "undefined") diff --git a/static/js/domline.js b/static/js/domline.js index 56f74a1c..3456419c 100644 --- a/static/js/domline.js +++ b/static/js/domline.js @@ -162,7 +162,7 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument) { href = "http://"+href; } - extraOpenTags = extraOpenTags + ''; + extraOpenTags = extraOpenTags + ''; extraCloseTags = '' + extraCloseTags; } if (simpleTags) @@ -229,7 +229,7 @@ domline.escapeHTML = function(s) '&': '&', '<': '<', '>': '>', - '"': '"', + '"': '"', "'": ''' }; } diff --git a/static/js/domline_client.js b/static/js/domline_client.js index a152412c..cac753b9 100644 --- a/static/js/domline_client.js +++ b/static/js/domline_client.js 
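Review bot: HTML-escaping `url` before the `assem.append(...)` call in the `@@ -292` hunk stops a quote from closing the attribute, but it does not restrict which URL scheme ends up in the exported link. The string literals on the changed lines are not legible in this rendering, so this assumes the new line passes `url` through `_escapeHTML`; `url` comes from `urlData[1]`, whose producer is outside the hunk. If that finder is what limits links to an allow-list of schemes, say so next to the append, e.g. `// url comes from the URL finder, which only matches allow-listed schemes; _escapeHTML only protects the attribute quoting`. The same question applies to the `href` written in the `@@ -162` hunk of static/js/domline.js, the `@@ -158` hunk of static/js/domline_client.js and the `@@ -180` hunk of static/js/pad_utils.js.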
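Review bot: The new character class `/[&"<>]/g` in `_escapeHTML` still leaves `'` unescaped, while `domline.escapeHTML` in static/js/domline.js already has an entry for `'`, so the escapers disagree on what is safe inside an attribute. This only matters if a caller places escaped text inside a single-quoted attribute, which cannot be confirmed from these hunks, but matching the wider set is cheap: `var re = /[&"'<>]/g;` plus a map entry `"'": '&#39;'`. The same four-character set is introduced in `htmlPrettyEscape` (static/js/ace2_common.js) and `padutils.escapeHtml` (static/js/pad_utils.js). `_escapeHTML` continues past the end of this hunk.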
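Review bot: The replacement callback in `htmlPrettyEscape` builds a fresh lookup object for every matched character, and the same table is pasted again into `padutils.escapeHtml` in static/js/pad_utils.js. Hoisting it to one module-level constant keeps the copies from drifting the next time a character is added: `var HTML_ESCAPES = { /* the four entries from this hunk */ };` with the callback reduced to `function (c) { return HTML_ESCAPES[c]; }`. The `|| c` fallback can be dropped, since the regex only matches characters that are keys of the table. A short comment on the function would also tell callers what it covers, e.g. `// Escapes & " < > for HTML text and double-quoted attributes; newlines become the two characters \n`.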
@@ -158,7 +158,7 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument) { if (href) { - extraOpenTags = extraOpenTags + ''; + extraOpenTags = extraOpenTags + ''; extraCloseTags = '' + extraCloseTags; } if (simpleTags) diff --git a/static/js/pad_utils.js b/static/js/pad_utils.js index 76a16705..9083fa9b 100644 --- a/static/js/pad_utils.js +++ b/static/js/pad_utils.js @@ -23,7 +23,14 @@ var padutils = { escapeHtml: function(x) { - return String(x).replace(/\/g, '>'); + return String(x).replace(/[&"<>]/g, function (c) { + return { + '&': '&', + '"': '"', + '<': '<', + '>': '>' + }[c] || c; + }); }, uniqueId: function() { @@ -180,7 +187,7 @@ var padutils = { var startIndex = urls[j][0]; var href = urls[j][1]; advanceTo(startIndex); - pieces.push(''); + pieces.push(''); advanceTo(startIndex + href.length); pieces.push(''); }
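Review bot: Within the visible context, the `if (href)` branch here goes straight to building `extraOpenTags`, whereas the matching hunk in static/js/domline.js first runs `href = "http://"+href;` under a condition that lies outside that hunk, so the two copies of `createDomLine` do not appear to treat link targets the same way. This commit has to apply one escaping fix to both files by hand, so a later fix landing in only one copy is a realistic risk. If the difference is intentional, record it where the next editor will see it, e.g. `// mirrors domline.js, edited by hand; the http:// prefix step is intentionally absent here`; otherwise bring the prefix step over. `createDomLine` starts and ends outside this hunk.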