diff --git a/internal/api/ui/login/mfa_init_verify_handler.go b/internal/api/ui/login/mfa_init_verify_handler.go
index 5f0f0e3119..a5e7326a69 100644
--- a/internal/api/ui/login/mfa_init_verify_handler.go
+++ b/internal/api/ui/login/mfa_init_verify_handler.go
@@ -2,6 +2,7 @@ package login
 
 import (
 	"bytes"
+	"html/template"
 	"net/http"
 
 	"github.com/zitadel/zitadel/internal/domain"
@@ -76,7 +77,7 @@ func (l *Login) renderMFAInitVerify(w http.ResponseWriter, r *http.Request, auth
 	if data.MFAType == domain.MFATypeTOTP {
 		code, err := generateQrCode(data.totpData.Url)
 		if err == nil {
-			data.totpData.QrCode = code
+			data.totpData.QrCode = template.HTML(code)
 		}
 	}
 
diff --git a/internal/api/ui/login/renderer.go b/internal/api/ui/login/renderer.go
index a446800903..f4ca69b771 100644
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@@ -706,5 +706,5 @@ type mfaDoneData struct {
 type totpData struct {
 	Url    string
 	Secret string
-	QrCode string
+	QrCode template.HTML
 }