diff --git a/Cargo.lock b/Cargo.lock
index 1407870d6fcb..c492b1300a3d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4394,6 +4394,7 @@ dependencies = [
 "tower-http 0.4.0",
 "tracing",
 "unicase",
+ "urlencoding",
 "uuid 1.6.1",
 "validator",
 ]
diff --git a/ee/tabby-webserver/Cargo.toml b/ee/tabby-webserver/Cargo.toml
index 06f0fe20211f..72c5cd0b7890 100644
--- a/ee/tabby-webserver/Cargo.toml
+++ b/ee/tabby-webserver/Cargo.toml
@@ -37,6 +37,7 @@
 tower = { version = "0.4", features = ["util"] }
 tower-http = { version = "0.4.0", features = ["fs", "trace"] }
 tracing.workspace = true
 unicase = "2.7.0"
+urlencoding = "2.1.3"
 uuid.workspace = true
 validator = { version = "0.16.1", features = ["derive"] }
diff --git a/ee/tabby-webserver/src/oauth/mod.rs b/ee/tabby-webserver/src/oauth/mod.rs
index 582387ef2d9a..60a3a8db0b99 100644
--- a/ee/tabby-webserver/src/oauth/mod.rs
+++ b/ee/tabby-webserver/src/oauth/mod.rs
@@ -166,7 +166,7 @@ fn match_auth_result(
 
 fn make_error_redirect(provider: OAuthProvider, message: &str) -> Redirect {
 let query = querystring::stringify(vec![
- ("error_message", message),
+ ("error_message", urlencoding::encode(message).as_ref()),
 (
 "provider",
 serde_json::to_string(&provider).unwrap().as_str(),
diff --git a/ee/tabby-webserver/src/ui.rs b/ee/tabby-webserver/src/ui.rs
index 4c462cb103d3..c8624bb1322d 100644
--- a/ee/tabby-webserver/src/ui.rs
+++ b/ee/tabby-webserver/src/ui.rs
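Review bot: The `provider` entry on the last lines of the hunk is still written into the query string unencoded while only `error_message` gets `urlencoding::encode`; `serde_json::to_string(&provider)` yields a double-quoted JSON string, so raw `"` characters end up in the redirect's Location header. Assuming `querystring::stringify` does no percent-encoding of its own (the hunk implies it does not, otherwise `error_message` would now be double-encoded), the same treatment belongs on that value: `urlencoding::encode(&serde_json::to_string(&provider).unwrap()).as_ref(),`. It would also help a future reader to say why the encoding is there, e.g. `// message may come from the provider; encode so it cannot inject extra query params`. The body of `make_error_redirect` continues past the end of the hunk.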
@@ -15,8 +15,19 @@ where
 T: Into,
 {
 fn into_response(self) -> Response {
+ let make_404_response = || {
+ Response::builder()
+ .status(StatusCode::NOT_FOUND)
+ .body(boxed(Full::from(WebAssets::get("404.html").unwrap().data)))
+ .unwrap_or_else(|_| panic!("Invalid response"))
+ };
+
 let path = self.0.into();
- match WebAssets::get(path.as_str()) {
+ let Ok(decoded_path) = urlencoding::decode(&path) else {
+ return make_404_response();
+ };
+
+ match WebAssets::get(decoded_path.as_ref()) {
 Some(content) => {
 let body = boxed(Full::from(content.data));
 let mime = mime_guess::from_path(path).first_or_octet_stream();
@@ -25,10 +36,7 @@ where
 .body(body)
 .unwrap_or_else(|_| panic!("Invalid response"))
 }
- None => Response::builder()
- .status(StatusCode::NOT_FOUND)
- .body(boxed(Full::from(WebAssets::get("404.html").unwrap().data)))
- .unwrap_or_else(|_| panic!("Invalid response")),
+ None => make_404_response(),
 }
 }
 }
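Review bot: The MIME type on the last line of the hunk is still guessed from the raw `path` while the asset lookup now uses `decoded_path`; for a request such as `app%2Ejs` the lookup succeeds but `mime_guess::from_path("app%2Ejs")` sees no extension and falls back to `application/octet-stream`, so the Content-Type no longer matches the body being served. Use the decoded form for both: `let mime = mime_guess::from_path(decoded_path.as_ref()).first_or_octet_stream();`. Decoding also means `%2E%2E%2F` now reaches `WebAssets::get` as `../`; whether that can escape the embedded asset set depends on how `WebAssets` is backed (an embed type that falls back to reading the folder from disk in debug builds would be the case to check), so a guard such as `if decoded_path.contains("..") || decoded_path.starts_with('/') { return make_404_response(); }` right after the `let Ok(decoded_path)` line is cheap insurance. `into_response` continues past the end of this hunk.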
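Review bot: `make_404_response()` on the `None` arm sends the `404.html` body with only a status set, so the response carries no Content-Type header and the browser is left to sniff it; the success arm presumably sets one from `mime` on a `.header(...)` line that sits between the two hunks, where I cannot see it. Adding `.header(header::CONTENT_TYPE, "text/html; charset=utf-8")` (using whichever header constant the success arm already uses) before `.body(...)` inside the closure — defined earlier in `into_response`, outside this hunk — keeps the 404 page consistent with the rest of the responses. The closure could also be a private `fn` instead of being rebuilt on every call, though that is cosmetic.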