diff --git a/src/applications/phame/view/PhamePostView.php b/src/applications/phame/view/PhamePostView.php
index 7d6ac92978..4f3b59fad8 100644
--- a/src/applications/phame/view/PhamePostView.php
+++ b/src/applications/phame/view/PhamePostView.php
@@ -162,8 +162,7 @@ final class PhamePostView extends AphrontView {
 '');
 $c_uri = '//connect.facebook.net/en_US/all.js#xfbml=1&appId='.$fb_id;
- $fb_js = hsprintf(
- '',
+ $fb_js = CelerityStaticResourceResponse::renderInlineScript(
 jsprintf(
 '(function(d, s, id) {'.
 ' var js, fjs = d.getElementsByTagName(s)[0];'.
@@ -211,8 +210,7 @@ final class PhamePostView extends AphrontView {
 ));
 // protip - try some var disqus_developer = 1; action to test locally
- $disqus_js = hsprintf(
- '',
+ $disqus_js = CelerityStaticResourceResponse::renderInlineScript(
 jsprintf(
 ' var disqus_shortname = "phabricator";'.
 ' var disqus_identifier = %s;'.
diff --git a/src/infrastructure/celerity/CelerityStaticResourceResponse.php b/src/infrastructure/celerity/CelerityStaticResourceResponse.php
index 287f6644c5..08e6da5a42 100644
--- a/src/infrastructure/celerity/CelerityStaticResourceResponse.php
+++ b/src/infrastructure/celerity/CelerityStaticResourceResponse.php
@@ -182,14 +182,24 @@ final class CelerityStaticResourceResponse {
 if ($data) {
 $data = implode("\n", $data);
- return hsprintf(
- '',
- phutil_safe_html($data));
+ return self::renderInlineScript($data);
 } else {
 return '';
 }
 }
+ public static function renderInlineScript($data) {
+ if (stripos($data, '') !== false) {
+ throw new Exception(
+ 'Literal is not allowed inside inline script.');
+ }
+ return hsprintf(
+ // We don't use because it is ignored by HTML parsers. We
+ // would need to send the document with XHTML content type.
+ '',
+ phutil_safe_html($data));
+ }
+
 public function buildAjaxResponse($payload, $error = null) {
 $response = array(
 'error' => $error,
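Review bot: In the CelerityStaticResourceResponse hunk, `renderInlineScript` rejects only one exact closing-tag literal (the literal is stripped in this rendering; the message suggests it is `</script>`), but an HTML parser ends script data at `</script` followed by whitespace, `/` or `>`, so a variant such as `</script ` would pass the check yet still terminate the element; dropping the trailing `>` from the needle, `if (stripos($data, '</script') !== false) {`, closes that gap. The method also marks its argument safe via `phutil_safe_html($data)` without escaping it, so the contract that callers pass an already JS-escaped body is implicit — the two PhamePostView call sites in the earlier hunks satisfy it only because they route values through `jsprintf`. A docblock on `renderInlineScript` stating that `$data` must be a fully escaped script body (e.g. the output of `jsprintf`) and that an embedded end tag throws would make that dependency visible to future callers. The hunk's line count (14 old) is one more than what is visible here, which looks like a blank context line lost in this rendering rather than a missing statement.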
diff --git a/src/view/page/PhabricatorBarePageView.php b/src/view/page/PhabricatorBarePageView.php
index a5c112bb23..2f0e23eb7c 100644
--- a/src/view/page/PhabricatorBarePageView.php
+++ b/src/view/page/PhabricatorBarePageView.php
@@ -91,13 +91,14 @@ class PhabricatorBarePageView extends AphrontPageView {
 $response = CelerityAPI::getStaticResourceResponse();
+ $developer = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
 return hsprintf(
- '%s%s%s%s',
+ '%s%s%s%s%s',
 $viewport_tag,
 $icon_tag,
 $apple_tag,
- $framebust,
- (PhabricatorEnv::getEnvConfig('phabricator.developer-mode') ? '1' : '0'),
+ CelerityStaticResourceResponse::renderInlineScript(
+ $framebust.jsprintf('window.__DEV__=%d;', ($developer ? 1 : 0))),
 $response->renderResourcesOfType('css'));
 }
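Review bot: `$framebust` is defined above this hunk and is now concatenated raw into the inline script body, so unlike the `$developer` value it does not pass through `jsprintf`'s escaping; that is acceptable only while it stays a fixed JS literal, and nothing at the call site records that assumption. A comment on the `renderInlineScript(` line, `// $framebust is a fixed JS literal set above; anything request-derived must go through jsprintf`, would keep the next editor from threading a computed value into it. If `$framebust` can be null when the page is frameable, the concatenation reduces to the `window.__DEV__` assignment alone, which is fine but worth stating in the same comment. The enclosing render method begins before the hunk.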