diff --git a/swh/web/assets/src/bundles/browse/origin-search.js b/swh/web/assets/src/bundles/browse/origin-search.js
--- a/swh/web/assets/src/bundles/browse/origin-search.js
+++ b/swh/web/assets/src/bundles/browse/origin-search.js
@@ -37,7 +37,7 @@
let browseUrl = Urls.browse_origin(elem.url);
let tableRow = `
`;
tableRow += `${elem.type} | `;
- tableRow += `${elem.url} | `;
+ tableRow += `${encodeURI(elem.url)} | `;
tableRow += ` | `;
tableRow += '
';
table.append(tableRow);
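Review bot: `encodeURI(elem.url)` on the added line is a URL-encoding function, not an HTML escape, so it does not neutralise the characters that matter in an HTML template string: it leaves `&` and `'` untouched, and it double-encodes any URL that already contains percent-escapes (`%20` becomes `%2520`), so the cell now displays an altered URL. The markup around the interpolation is not visible in this rendering, so whether the value lands in a text node or an attribute is uncertain, but either way HTML escaping is what the context calls for. If `table` is a jQuery object as `table.append(tableRow)` suggests, an escape via the text setter avoids the hand-rolled encoding: `const escapeHtml = (s) => $('<div>').text(s).html();` and then `tableRow += \`${escapeHtml(elem.url)} | \`;`, leaving `Urls.browse_origin(elem.url)` as the only place the raw URL is used. The enclosing callback starts before this hunk.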
diff --git a/swh/web/browse/utils.py b/swh/web/browse/utils.py
--- a/swh/web/browse/utils.py
+++ b/swh/web/browse/utils.py
@@ -12,6 +12,7 @@
from django.core.cache import cache
from django.utils.safestring import mark_safe
+from django.utils.html import escape
from importlib import reload
@@ -489,7 +490,8 @@
attrs += '%s="%s" ' % (k, v)
if not link_text:
link_text = url
- link = '%s' % (attrs, url, link_text)
+ link = '%s' \
+ % (escape(attrs), escape(url), escape(link_text))
return mark_safe(link)
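Review bot: `escape(attrs)` on the new line escapes the attribute string after it was assembled with literal double quotes on the context line `attrs += '%s="%s" ' % (k, v)`, so those quotes become `&quot;` and the attributes are no longer valid HTML, which `mark_safe(link)` then emits as-is. The escaping belongs on the untrusted pieces before they are quoted: change that line to `attrs += '%s="%s" ' % (escape(k), escape(v))` and pass `attrs` unescaped in the format call, keeping `escape(url)` and `escape(link_text)` as added. The tag markup inside the format string is not visible on this page, and the function's start (where `attrs` is initialised) lies outside the hunk, so confirm no caller already passes pre-escaped attribute values.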
@@ -923,7 +925,7 @@
if not snapshot_id:
raise NotFoundExc('No snapshot associated to the visit of origin '
- '%s on %s' % (origin_url, fmt_date))
+ '%s on %s' % (escape(origin_url), fmt_date))
# provided timestamp is not necessarily equals to the one
# of the retrieved visit, so get the exact one in order
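Review bot: escaping `origin_url` inside the `NotFoundExc` message at the added line bakes HTML entities into an exception string, which is only correct if every consumer of that message renders it as HTML; if the same message is logged or returned in a plain-text or JSON error body, an `&` in the origin URL will appear as `&amp;`. Escaping where the message is rendered (letting the template autoescape the exception text, or escaping in the view's error handler) keeps the message faithful and covers every raise site rather than this one alone. How `NotFoundExc` is rendered is not visible from this hunk, so treat this as a design check; the enclosing function starts before the hunk.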