diff --git a/frappe/utils/html_utils.py b/frappe/utils/html_utils.py
index c34c4fd188..7edf6556c9 100644
--- a/frappe/utils/html_utils.py
+++ b/frappe/utils/html_utils.py
@@ -4,6 +4,7 @@ import re
 from bleach_allowlist import bleach_allowlist
 import frappe
+from frappe.utils.data import escape_html
 EMOJI_PATTERN = re.compile(
 "(\ud83d[\ude00-\ude4f])|"
@@ -204,10 +205,12 @@ def get_icon_html(icon, small=False):
 if is_image(icon):
 return (
- f'' if small else f''
+ f""
+ if small
+ else f""
 )
 else:
- return f""
+ return f""
 def unescape_html(value):
diff --git a/frappe/www/login.py b/frappe/www/login.py
index 97ceb01c6e..8529b03bf6 100644
--- a/frappe/www/login.py
+++ b/frappe/www/login.py
@@ -6,9 +6,9 @@ import frappe.utils
 from frappe import _
 from frappe.auth import LoginManager
 from frappe.integrations.doctype.ldap_settings.ldap_settings import LDAPSettings
-from frappe.integrations.oauth2_logins import decoder_compat
 from frappe.rate_limiter import rate_limit
 from frappe.utils import cint, get_url
+from frappe.utils.data import escape_html
 from frappe.utils.html_utils import get_icon_html
 from frappe.utils.jinja import guess_is_path
 from frappe.utils.oauth import get_oauth2_authorize_url, get_oauth_keys, redirect_post_login
@@ -72,7 +72,7 @@ def get_context(context):
 if provider.provider_name == "Custom":
 icon = get_icon_html(provider.icon, small=True)
 else:
- icon = f"{provider.provider_name}"
+ icon = f"{escape_html(provider.provider_name)!r}"
 if provider.client_id and provider.base_url and get_oauth_keys(provider.name):
 context.provider_logins.append(
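Review bot: The f-string bodies in the get_icon_html hunk render as empty (`f""`) in this view, so the markup the `icon` value is interpolated into, and whether the newly imported `escape_html` is applied to it, cannot be confirmed from the visible lines; `escape_html` has no other use in the visible html_utils.py hunks, so it presumably wraps `icon` inside the stripped tags. If `icon` is placed in a `src` attribute, attribute escaping quotes the value but does not constrain what kind of URL it is, so a comment stating the contract would help the next reader, e.g. `# escape_html only quotes the attribute value; icon is expected to be an image path chosen by the site admin (is_image checks the extension, not the source)`. get_icon_html starts before this hunk.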
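Review bot: The `!r` conversion on the new line in the get_context hunk applies `repr()` to the already-escaped provider name, so the rendered login page gains surrounding quotes around the name (and Python escape sequences for any backslash in it); `repr()` is not an HTML-escaping step and the added quotes change what users see. The escaped value should be interpolated directly, `icon = f"{escape_html(provider.provider_name)}"`, keeping whatever tag markup surrounds it. The surrounding markup is not visible in this rendering of the hunk, so this assumes the f-string wraps only the name; get_context continues outside the hunk.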