diff --git a/swh/web/browse/utils.py b/swh/web/browse/utils.py
--- a/swh/web/browse/utils.py
+++ b/swh/web/browse/utils.py
@@ -12,6 +12,7 @@
 
 from django.core.cache import cache
 from django.utils.safestring import mark_safe
+from django.utils.html import escape
 
 from importlib import reload
 
@@ -489,7 +490,8 @@
             attrs += '%s="%s" ' % (k, v)
     if not link_text:
         link_text = url
-    link = '<a%shref="%s">%s</a>' % (attrs, url, link_text)
+    link = '<a%shref="%s">%s</a>' \
+        % (escape(attrs), escape(url), escape(link_text))
     return mark_safe(link)
 
 
@@ -923,7 +925,7 @@
 
         if not snapshot_id:
             raise NotFoundExc('No snapshot associated to the visit of origin '
-                              '%s on %s' % (origin_url, fmt_date))
+                              '%s on %s' % (escape(origin_url), fmt_date))
 
         # provided timestamp is not necessarily equals to the one
         # of the retrieved visit, so get the exact one in order
diff --git a/swh/web/common/exc.py b/swh/web/common/exc.py
--- a/swh/web/common/exc.py
+++ b/swh/web/common/exc.py
@@ -58,7 +58,7 @@
     return render(request, 'error.html',
                   {'error_code': error_code,
                    'error_message': http_status_code_message[error_code],
-                   'error_description': mark_safe(error_description)},
+                   'error_description': error_description},
                   status=error_code)
 
 
@@ -116,7 +116,8 @@
     if isinstance(exc, NotFoundExc):
         error_code = 404
     if html_response:
-        return _generate_error_page(request, error_code, error_description)
+        return _generate_error_page(request, error_code,
+                                    mark_safe(error_description))
     else:
         return HttpResponse(error_description, content_type='text/plain',
                             status=error_code)