diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5fd2c92..66f1d9d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
* Enable IPv6 automagically, i.e. if target via IPv6 is reachable just (also) scan it
* Detect and show DNS HTTPS RR (RFC 9460)
* Provide an FAQ
+* Security fix: HTML-escape URLs in the HTML report to prevent stored XSS from a server-controlled `Location:` header (#3090)
### Features implemented / improvements in 3.2
diff --git a/CREDITS.md b/CREDITS.md
index f4ca94b..c0ac52b 100644
--- a/CREDITS.md
+++ b/CREDITS.md
@@ -71,6 +71,9 @@ Full contribution, see git log.
* Christian Dresen
- Dockerfile
+* Eric Gu
+ - HTML report XSS fix (escape server-controlled URLs, #3090)
+
* enxio
- support for TN3270/telnet STARTTLS
diff --git a/testssl.sh b/testssl.sh
index 2e0cdc2..39ce9f4 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -760,8 +760,8 @@ tmln_fixme() { tmln_warning "Fixme: $1"; }
pr_fixme() { pr_warning "Fixme: $1"; }
prln_fixme() { prln_warning "Fixme: $1"; }
-pr_url() { tm_out "$1"; html_out "$1"; }
-pr_boldurl() { tm_bold "$1"; html_out "$1"; }
+pr_url() { tm_out "$1"; html_out "$(html_reserved "$1")"; }
+pr_boldurl() { tm_bold "$1"; html_out "$(html_reserved "$1")"; }
### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
### https://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html