diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java
index 42ad173f2e9e..62c6a9c5732c 100644
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java
@@ -34,6 +34,7 @@
 import org.dspace.content.service.CommunityService;
 import org.dspace.core.Context;
 import org.dspace.core.LogManager;
+import org.dspace.core.Utils;
 import org.dspace.discovery.DiscoverQuery;
 import org.dspace.discovery.DiscoverResult;
 import org.dspace.discovery.IndexableObject;
@@ -103,7 +104,8 @@ public void search(HttpServletRequest request,
 // do some sanity checking
 if (!openSearchService.getFormats().contains(format)) {
- String err = "Format " + format + " is not supported.";
+ // Since we are returning error response as HTML, escape any HTML in "format" param
+ String err = "Format " + Utils.addEntities(format) + " is not supported.";
 response.setContentType("text/html");
 response.setContentLength(err.length());
 response.getWriter().write(err);