diff --git a/swh/web/assets/src/bundles/browse/origin-search.js b/swh/web/assets/src/bundles/browse/origin-search.js
--- a/swh/web/assets/src/bundles/browse/origin-search.js
+++ b/swh/web/assets/src/bundles/browse/origin-search.js
@@ -37,7 +37,7 @@
 let browseUrl = Urls.browse_origin(elem.url);
 let tableRow = ``;
 tableRow += `${elem.type}`;
- tableRow += `${elem.url}`;
+ tableRow += `${encodeURI(elem.url)}`;
 tableRow += ``;
 tableRow += '';
 table.append(tableRow);
diff --git a/swh/web/browse/utils.py b/swh/web/browse/utils.py
--- a/swh/web/browse/utils.py
+++ b/swh/web/browse/utils.py
@@ -12,6 +12,7 @@
 from django.core.cache import cache
 from django.utils.safestring import mark_safe
+from django.utils.html import escape
 from importlib import reload
@@ -489,7 +490,8 @@
 attrs += '%s="%s" ' % (k, v)
 if not link_text:
 link_text = url
- link = '%s' % (attrs, url, link_text)
+ link = '%s' \
+ % (escape(attrs), escape(url), escape(link_text))
 return mark_safe(link)
@@ -861,7 +863,7 @@
 return origin_info
 except Exception:
 pass
- raise NotFoundExc('Origin with url %s not found!' % origin_url)
+ raise NotFoundExc('Origin with url %s not found!' % escape(origin_url))
 def get_snapshot_context(snapshot_id=None, origin_type=None, origin_url=None,
@@ -923,7 +925,7 @@
 if not snapshot_id:
 raise NotFoundExc('No snapshot associated to the visit of origin '
- '%s on %s' % (origin_url, fmt_date))
+ '%s on %s' % (escape(origin_url), fmt_date))
 # provided timestamp is not necessarily equals to the one
 # of the retrieved visit, so get the exact one in order
diff --git a/swh/web/browse/views/utils/snapshot_context.py b/swh/web/browse/views/utils/snapshot_context.py
--- a/swh/web/browse/views/utils/snapshot_context.py
+++ b/swh/web/browse/views/utils/snapshot_context.py
@@ -10,6 +10,7 @@
 from django.shortcuts import render
 from django.template.defaultfilters import filesizeformat
+from django.utils.html import escape
 from swh.model.identifiers import snapshot_identifier
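Review bot: `encodeURI(elem.url)` on the added line applies URL encoding where HTML text escaping is what the context needs: it does percent-encode `<`, `>` and `"`, but it leaves `&` and `'` alone and rewrites every space and non-ASCII character of the displayed origin, so the table now shows a mangled URL rather than a correctly escaped one. Build the cell through the DOM instead of a string template, e.g. `$('<td>').text(elem.url)` if jQuery is what `table.append` is using here, or run the value through a dedicated HTML-escaping helper; the `href` built from `browseUrl` two lines above lands in the same string and is not covered by this change. The enclosing function starts and ends outside the hunk, and the markup inside the template literals has been stripped from this rendering, so the exact attribute/text positions cannot be confirmed from here.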
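Review bot: `escape(attrs)` on the added continuation line corrupts the attribute string that the context line `attrs += '%s="%s" ' % (k, v)` builds, because `escape()` turns those `"` into `&quot;` and the emitted tag no longer has well-formed attributes whenever `link_attrs` is non-empty. Escape the pieces where they are interpolated instead, `attrs += '%s="%s" ' % (escape(k), escape(v))`, and pass `attrs` through unescaped, or build the tag with `django.utils.html.format_html`. Note also that `escape(url)` only makes the value safe inside the attribute quotes; it does not reject a `javascript:` scheme, so if `url` can be attacker-supplied a scheme allowlist is still needed before `mark_safe`. The `for` loop the first context line belongs to, and the function signature, are outside the hunk.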
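Review bot: Escaping `origin_url` at the `raise NotFoundExc(...)` site bakes HTML entities into the exception message, which is the wrong layer: `'... %s' % escape(origin_url)` yields a plain `str`, so a template that renders the message with autoescape on will show it double-escaped (`&amp;lt;`), and it only looks right if the error handler marks the message safe, in which case that handler is where the injection should be fixed. Keep the message raw here and escape, or let autoescape do it, where the message is turned into HTML; any JSON/API consumer of the same exception otherwise receives entity-encoded text. The `try` that the `except Exception: pass` context lines belong to, and the function signature, are outside the hunk.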
@@ -117,7 +118,7 @@
 ' and url %s not found!' % (branch_type, branch, timestamp, origin_info['type'], origin_info['url'])
- raise NotFoundExc(msg)
+ raise NotFoundExc(escape(msg))
 def _process_snapshot_request(request, snapshot_id=None, origin_type=None,
diff --git a/swh/web/common/origin_save.py b/swh/web/common/origin_save.py
--- a/swh/web/common/origin_save.py
+++ b/swh/web/common/origin_save.py
@@ -9,6 +9,7 @@
 from django.core.exceptions import ObjectDoesNotExist
 from django.core.exceptions import ValidationError
 from django.core.validators import URLValidator
+from django.utils.html import escape
 from swh.web import config
 from swh.web.common import service
@@ -127,7 +128,7 @@
 _validate_url(origin_url)
 except ValidationError:
 raise BadInputExc('The provided origin url (%s) is not valid!' %
- origin_url)
+ escape(origin_url))
 def _get_visit_info_for_save_request(save_request):
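Review bot: `raise NotFoundExc(escape(msg))` behaves differently from the other sites in this patch: Django's `escape()` returns a `SafeString`, so here the whole message is marked safe, whereas `'... %s' % escape(x)` in the other hunks produces a plain `str`; under template autoescape the two messages render differently (escaped once here, twice there), so whichever convention the error handler expects, one set of sites is wrong. Pick a single place to escape, ideally the handler that renders the message into HTML, and leave `raise NotFoundExc(msg)` untouched here. The `msg` assignment begins before the hunk's first context line, and `_process_snapshot_request` continues past its last.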
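Review bot: `escape(origin_url)` in the `BadInputExc` message assumes the consumer is an HTML page, but `swh.web.common.origin_save` looks like code shared by more than one front end; if the same exception also reaches the REST API the JSON error body will carry `&lt;`/`&quot;` entities, and an HTML view with autoescape on will double-escape it. Prefer raising the raw value, `raise BadInputExc('The provided origin url (%s) is not valid!' % origin_url)`, and applying `escape()` in the HTML error handler that actually emits markup. The enclosing `try` and the function signature are outside the hunk.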