diff --git a/lib/app/endpoint/home.rb b/lib/app/endpoint/home.rb
index 290fb6620..49cc97453 100644
--- a/lib/app/endpoint/home.rb
+++ b/lib/app/endpoint/home.rb
@@ -29,7 +29,7 @@ class Home < Endpoint
 if inferno_module.nil?
 Inferno.logger.error "Unknown module: #{params[:module]}"
- halt 404, "Unknown module: #{params[:module]}"
+ halt 404, "Unknown module: #{ERB::Util.html_escape(params[:module])}"
 end
 @instance = Inferno::TestingInstance.new(url: url,
diff --git a/lib/app/utils/oauth2_error_messages.rb b/lib/app/utils/oauth2_error_messages.rb
index db8550859..875a58295 100644
--- a/lib/app/utils/oauth2_error_messages.rb
+++ b/lib/app/utils/oauth2_error_messages.rb
@@ -7,7 +7,7 @@ def no_instance_for_state_error_message
 %(
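Review bot: The `Inferno.logger.error` line directly above the escaped `halt` still interpolates `params[:module]` raw, so a request value carrying CR/LF or other control characters is written into the log verbatim and can forge extra log lines; logging an inspected copy closes that gap alongside the HTML escape, e.g. `Inferno.logger.error "Unknown module: #{params[:module].inspect}"`. `ERB::Util` is referenced without a visible `require 'erb'`; if the app bootstrap does not already load it, the first unknown-module request raises NameError instead of the intended 404, which cannot be told from the hunk. The enclosing route block starts and ends outside the hunk.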
Inferno has detected an issue with the SMART launch.
- No actively running launch sequences found with a state of #{params[:state]}.
+ #{param_description}
 The authorization server is not returning the correct state variable and therefore Inferno cannot identify which server is currently under test. Please click your browser's "Back" button to return to Inferno,
@@ -18,10 +18,16 @@ def no_instance_for_state_error_message
 )
 end
+ def param_description
+ return "No 'state' parameter was returned by the authorization server." if params[:state].nil?
+
+ "No actively running launch sequences found with a 'state' parameter of '#{ERB::Util.html_escape(params[:state])}'."
+ end
+
 def server_error_message
 return '' if params[:error].blank?
- "
Error returned by server: #{params[:error]}.
"
+ "Error returned by server: #{ERB::Util.html_escape(params[:error])}.
"
 end
 def server_error_description
@@ -31,18 +37,18 @@ def server_error_description
 end
 def bad_state_error_message
- "State provided in redirect (#{params[:state]}) does not match expected state (#{@instance.state})."
+ "State provided in redirect (#{ERB::Util.html_escape(params[:state])}) does not match expected state (#{ERB::Util.html_escape(@instance.state)})."
 end
 def no_instance_for_iss_error_message
 %(
- Error: No actively running launch sequences found for iss #{params[:iss]}.
+ Error: No actively running launch sequences found for iss #{ERB::Util.html_escape(params[:iss])}.
 Please ensure that the EHR launch test is actively running before attempting to launch Inferno from the EHR.
 )
 end
 def unknown_iss_error_message
- params[:iss].present? ? "Unknown iss: #{params[:iss]}" : no_iss_error_message
+ params[:iss].present? ? "Unknown iss: #{ERB::Util.html_escape(params[:iss])}" : no_iss_error_message
 end
 def no_iss_error_message
diff --git a/test/integration/oauth2_endpoints_test.rb b/test/integration/oauth2_endpoints_test.rb
index 7a375c3b7..d7d184d1e 100644
--- a/test/integration/oauth2_endpoints_test.rb
+++ b/test/integration/oauth2_endpoints_test.rb
@@ -188,7 +188,8 @@ def test_redirect_response_not_running
 assert last_response.status == 500
- expected_error_message = "No actively running launch sequences found with a state of #{bad_state}"
+ expected_error_message = "No actively running launch sequences found with a 'state' parameter of '#{bad_state}'"
+ assert last_response.body.include? expected_error_message
 break
 end
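Review bot: `param_description` routes only a missing key to the first message: a redirect that carries `state=` with an empty value passes the `params[:state].nil?` guard and produces "with a 'state' parameter of ''", which points the user at the wrong cause. The neighbouring `server_error_message` and `unknown_iss_error_message` already use ActiveSupport's `blank?`/`present?` for the same kind of check, so the guard should match them: `return "No 'state' parameter was returned by the authorization server." if params[:state].blank?`. The module that holds these helpers starts before the hunk.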
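Review bot: `ERB::Util.html_escape(...)` is now spelled out at every interpolation in this file (here and in the hunk at -18), which pushes `bad_state_error_message` well past 120 columns and makes it easy for the next message added here to skip the escape. Mixing the util in once at the top of the module, which lies outside this hunk, with `include ERB::Util` provides the private `h` helper, so the line becomes `"State provided in redirect (#{h(params[:state])}) does not match expected state (#{h(@instance.state)})."` and the `iss` interpolations below follow the same short form. A one-line comment on the module stating that these messages are interpolated into HTML would record why the escaping is required; whether the views escape again cannot be told from the hunk.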
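Review bot: The new assertion only covers a `bad_state` value that survives escaping unchanged; `bad_state` is defined outside the hunk, and if it ever contains `'`, `<` or `&` the response body holds the escaped form and `include?` fails with no hint why. Compare against what the app now emits, `expected_error_message = "No actively running launch sequences found with a 'state' parameter of '#{ERB::Util.html_escape(bad_state)}'"`, and add one case whose state contains such a character asserting that the escaped form appears and the raw form does not, since the escaping this commit introduces is otherwise untested. `test_redirect_response_not_running` starts and ends outside the hunk.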