diff --git a/apps/web/src/app/core/event.service.ts b/apps/web/src/app/core/event.service.ts
index c8c6a54f2a6..36afd1850e0 100644
--- a/apps/web/src/app/core/event.service.ts
+++ b/apps/web/src/app/core/event.service.ts
@@ -522,16 +522,25 @@ export class EventService {
 break;
 // Org Domain claiming events
 case EventType.OrganizationDomain_Added:
- msg = humanReadableMsg = this.i18nService.t("addedDomain", ev.domainName);
+ msg = humanReadableMsg = this.i18nService.t("addedDomain", this.escapeHtml(ev.domainName));
 break;
 case EventType.OrganizationDomain_Removed:
- msg = humanReadableMsg = this.i18nService.t("removedDomain", ev.domainName);
+ msg = humanReadableMsg = this.i18nService.t(
+ "removedDomain",
+ this.escapeHtml(ev.domainName),
+ );
 break;
 case EventType.OrganizationDomain_Verified:
- msg = humanReadableMsg = this.i18nService.t("domainClaimedEvent", ev.domainName);
+ msg = humanReadableMsg = this.i18nService.t(
+ "domainClaimedEvent",
+ this.escapeHtml(ev.domainName),
+ );
 break;
 case EventType.OrganizationDomain_NotVerified:
- msg = humanReadableMsg = this.i18nService.t("domainNotClaimedEvent", ev.domainName);
+ msg = humanReadableMsg = this.i18nService.t(
+ "domainNotClaimedEvent",
+ this.escapeHtml(ev.domainName),
+ );
 break;
 // Secrets Manager
 case EventType.Secret_Retrieved:
@@ -893,6 +902,15 @@ export class EventService {
 return id?.substring(0, 8);
 }

+ private escapeHtml(unsafe: string): string {
+ if (!unsafe) {
+ return unsafe;
+ }
+ const div = document.createElement("div");
+ div.textContent = unsafe;
+ return div.innerHTML;
+ }
+
 private toDateTimeLocalString(date: Date) {
 return (
 date.getFullYear() +
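Review bot: `humanReadableMsg` now receives the entity-encoded domain name together with `msg` in all four OrganizationDomain cases, because the chained assignment gives both the same string. How `humanReadableMsg` is consumed is not visible in this hunk; if it only reaches plain-text sinks such as an export, a name containing `&` would appear there as `&amp;`. In that case the two should be assigned separately, e.g. `humanReadableMsg = this.i18nService.t("addedDomain", ev.domainName);` followed by `msg = this.i18nService.t("addedDomain", this.escapeHtml(ev.domainName));`. The switch starts and ends outside the hunk, so other cases that interpolate event-supplied strings into `msg` may merit the same check.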
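Review bot: `escapeHtml` leaves `"` and `'` unencoded, because serialising a text node through `innerHTML` rewrites only `&`, `<`, `>` and non-breaking spaces. The result is therefore safe as element content but not inside a quoted attribute value. The helper also needs a live `document`, so it cannot run where no DOM exists. A replace-based encoder covers both points while keeping the falsy-input guard, and a one-line comment naming the output contexts the helper is meant for would help future callers.

```typescript
private escapeHtml(unsafe: string): string {
  // … unchanged: falsy-input guard …
  // Quotes are encoded too, so the result is also safe inside a quoted attribute value.
  return unsafe
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}
```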