diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php
index 55661dd692..0e7394f5c8 100644
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -2655,7 +2655,7 @@ function wp_ajax_parse_embed() {
if ( ! $parsed ) {
wp_send_json_error( array(
'type' => 'not-embeddable',
- 'message' => sprintf( __( '%s failed to embed.' ), '' . esc_url( $url ) . '' ),
+ 'message' => sprintf( __( '%s failed to embed.' ), '' . esc_html( $url ) . '' ),
) );
}
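Review bot: The new `esc_html( $url )` in the 'not-embeddable' message carries no comment explaining why a URL is deliberately not run through a URL escaper, which invites a later change back to `esc_url()`. I would add above the `wp_send_json_error()` call: `// $url is shown as text in the message, never used as a link target, so escape it for HTML output instead of filtering it as a URL.` The same comment belongs on the 'not-ssl' message in the next hunk. `esc_html()` is only sufficient if the client inserts `message` as element content rather than into an attribute or script context; the consuming script is not visible here, so that is worth confirming, and the `'' . … . ''` concatenations suggest wrapper markup was lost from this page. `wp_ajax_parse_embed()` begins and ends outside both hunks.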
@@ -2685,7 +2685,7 @@ function wp_ajax_parse_embed() {
// Admin is ssl and the embed is not. Iframes, scripts, and other "active content" will be blocked.
wp_send_json_error( array(
'type' => 'not-ssl',
- 'message' => sprintf( __( 'Preview not available. %s cannot be embedded securely.' ), '' . esc_url( $url ) . '' ),
+ 'message' => sprintf( __( 'Preview not available. %s cannot be embedded securely.' ), '' . esc_html( $url ) . '' ),
) );
}
@@ -2723,4 +2723,4 @@ function wp_ajax_parse_media_shortcode() {
}
wp_send_json_success( ob_get_clean() );
-}
\ No newline at end of file
+}