diff --git a/hbd/server/http.py b/hbd/server/http.py
index 2a469bd..ef28d84 100644
--- a/hbd/server/http.py
+++ b/hbd/server/http.py
@@ -2,6 +2,7 @@
import asyncio
import datetime
+import html as _html
import json
import platform
import socket
@@ -630,10 +631,10 @@ async def start(
if _providers:
buttons_html = ""
for _p in _providers:
- _logo = f'
' if _p.logo else ""
+ _logo = f'
' if _p.logo else ""
buttons_html += f"""
-
- {_logo}{_p.label}
+
+ {_logo}{_html.escape(_p.label)}
"""
oauth_buttons = f"""
or
{buttons_html}"""
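Review bot: Escaping `_p.label` covers the text node, but the attribute values in the `_logo` and anchor lines are not legible in this rendering, so please confirm that every provider-derived value placed in an attribute goes through `_html.escape()` with its default `quote=True` and sits inside a quoted attribute. Escaping stops markup breakout but does not restrict the URL scheme, so if `_p.logo` ends up in a `src` attribute, an allow-list of expected schemes applied where the provider configuration is loaded would be the complementary control. A short comment above the loop, such as `# provider label/logo come from configuration; escape before interpolating into HTML`, would record why the escaping is there. The enclosing `start()` begins and ends outside this hunk.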
diff --git a/hbd/server/oauth.py b/hbd/server/oauth.py
index 5097bf9..ad9ec1d 100644
--- a/hbd/server/oauth.py
+++ b/hbd/server/oauth.py
@@ -244,12 +244,11 @@ async def fetch_user(provider: ResolvedProvider, token: str) -> dict:
try:
for key in provider.profile_data_path:
data = data.get(key, {})
+ avatar_field = provider.field_map.get("avatar")
+ return {
+ "login": data.get(provider.field_map["username"], ""),
+ "full_name": data.get(provider.field_map["full_name"], ""),
+ "avatar_url": data.get(avatar_field, "") if avatar_field else "",
+ }
except AttributeError:
raise OAuthError(f"Unexpected profile response structure from {provider.type}")
-
- avatar_field = provider.field_map.get("avatar")
- return {
- "login": data.get(provider.field_map["username"], ""),
- "full_name": data.get(provider.field_map["full_name"], ""),
- "avatar_url": data.get(avatar_field, "") if avatar_field else "",
- }
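Review bot: The new `return` still yields `"login": ""` when the username field is absent from the profile, and it passes through whatever type the provider sent (including `None` for an explicit null), so a malformed response is returned as a successful lookup. If callers key accounts or sessions on `login`, this should fail closed instead, for example `login = data.get(provider.field_map["username"])` followed by `if not isinstance(login, str) or not login: raise OAuthError(f"No username in profile response from {provider.type}")`. The `raise` inside `except AttributeError` would also be clearer with `from None` (or `from exc`) so the chained traceback is deliberate. A `KeyError` from a `field_map` that lacks `"username"` or `"full_name"` still escapes the `try` uncaught, as it did before the move. The start of `fetch_user` is outside this hunk.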