diff --git a/itou/common_apps/nir/forms.py b/itou/common_apps/nir/forms.py
index 68548740c0..fbd3bca7f6 100644
--- a/itou/common_apps/nir/forms.py
+++ b/itou/common_apps/nir/forms.py
@@ -1,6 +1,7 @@
 from django import forms
 from django.core.exceptions import NON_FIELD_ERRORS
 from django.forms import widgets
+from django.utils.html import format_html
 
 from itou.users.enums import LackOfNIRReason
 from itou.utils.urls import get_tally_form_url
@@ -50,9 +51,9 @@ def __init__(self, *args, editor=None, tally_form_query=None, **kwargs):
         tally_url = get_tally_form_url("wzxQlg")
         if tally_form_query is not None:
             tally_url += f"?{tally_form_query}"
-        tally_link = (
-            f'<a href="{tally_url}" target="_blank" rel="noopener">'
-            "Demander la correction du numéro de sécurité sociale</a>"
+        tally_link = format_html(
+            '<a href="{}" target="_blank" rel="noopener">Demander la correction du numéro de sécurité sociale</a>',
+            tally_url,
         )
 
         if self.initial.get("nir"):
diff --git a/tests/www/dashboard/test_edit_job_seeker_info.py b/tests/www/dashboard/test_edit_job_seeker_info.py
index 67184b66f4..9de6b50c42 100644
--- a/tests/www/dashboard/test_edit_job_seeker_info.py
+++ b/tests/www/dashboard/test_edit_job_seeker_info.py
@@ -556,4 +556,4 @@ def test_xss(self, client):
         url = f"{url}?from_application={quote('"></a><blink>foobar</blink><a href="')}"
 
         response = client.get(url)
-        assertContains(response, "<blink>foobar</blink>", html=True)
+        assertNotContains(response, "<blink>foobar</blink>", html=True)