diff --git a/packages/visual-editor/src/a2/google-drive/unescape.ts b/packages/visual-editor/src/a2/google-drive/unescape.ts
index 033dcfa431c..b5fde7f2683 100644
--- a/packages/visual-editor/src/a2/google-drive/unescape.ts
+++ b/packages/visual-editor/src/a2/google-drive/unescape.ts
@@ -12,6 +12,11 @@ const namedEntities: Record = {
   // add more as needed
 };
 
+/**
+ * WARNING: This function decodes HTML entities including `<`, `>`, and `&`.
+ * The output must NEVER be inserted into the DOM via innerHTML without
+ * sanitization. Use textContent or a sanitization library like DOMPurify.
+ */
 function unescape(html: string): string {
   return html.replace(unescapeTest, (_, n) => {
     n = n.toLowerCase();
diff --git a/packages/visual-editor/src/utils/make-share-link-from-template.ts b/packages/visual-editor/src/utils/make-share-link-from-template.ts
index cfa13d0753d..fb422308766 100644
--- a/packages/visual-editor/src/utils/make-share-link-from-template.ts
+++ b/packages/visual-editor/src/utils/make-share-link-from-template.ts
@@ -17,8 +17,8 @@ export function makeShareLinkFromTemplate({
 }: MakeShareLinkFromTemplate): string {
   const url = new URL(
     urlTemplate
-      .replaceAll("{fileId}", fileId)
-      .replaceAll("{resourceKey}", resourceKey ?? "")
+      .replaceAll("{fileId}", encodeURIComponent(fileId))
+      .replaceAll("{resourceKey}", resourceKey ? encodeURIComponent(resourceKey) : "")
   );
   // Remove any empty parameters. A slightly hacky way to clean up resourceKey
   // parameters when there is no resourceKey.
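Review bot: The added comment is the only documentation on `unescape`, so it should read as a contract rather than a bare WARNING: a one-line summary of what the function does, then `@param html` and `@returns`, with the innerHTML caveat placed under `@returns` so it surfaces on hover at call sites, e.g. `@returns Decoded plain text. Treat as untrusted text: assign via textContent, never innerHTML.` The body also lowercases the entity name before lookup (`n = n.toLowerCase();`); HTML named character references are case-sensitive, so if `namedEntities` is keyed by lowercase names this decoder accepts `&AMP;` and similar variants, and the doc should state whether that case-insensitivity is intended. The rest of unescape's body and the `namedEntities` table lie outside the hunk, so the exact set of decoded entities cannot be confirmed here.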
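Review bot: The new `{resourceKey}` replacement can keep the original's `??` shape: `encodeURIComponent(resourceKey ?? "")` encodes the empty string to `""`, so `.replaceAll("{resourceKey}", encodeURIComponent(resourceKey ?? ""))` is equivalent to the added ternary and shorter (the new line is also past Prettier's default width and would be wrapped). Encoding the substituted values before `new URL()` parses the template is the right order, since reserved characters such as `/`, `?` or `#` in a fileId would otherwise be read as URL structure; a unit test with such an id would pin this behaviour. Note this only hardens the substituted values: if `urlTemplate` itself is not trusted, encoding does not constrain the resulting origin, which cannot be judged from the hunk. makeShareLinkFromTemplate starts and ends outside the hunk.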