diff --git a/parcoursup/api.js b/parcoursup/api.js
index 8766324..d7a6f82 100644
--- a/parcoursup/api.js
+++ b/parcoursup/api.js
@@ -1,3 +1,8 @@
+// Échapper les apostrophes dans les valeurs injectées dans la clause where
+function echapperValeur(valeur) {
+  return String(valeur).replace(/'/g, "\\'")
+}
+
 // Construire l'URL de requête vers l'API Parcoursup
 export function construireURL(requete, limite = 20, decalage = 0, filtres = {}) {
 
@@ -9,19 +14,19 @@ export function construireURL(requete, limite = 20, decalage = 0, filtres = {})
   var conditions = []
 
   if (requete && requete.trim() !== "") {
-    conditions.push("search(lib_for_voe_ins, '" + requete + "')")
+    conditions.push("search(lib_for_voe_ins, '" + echapperValeur(requete.trim()) + "')")
   }
 
   if (filtres.filiere && filtres.filiere !== "") {
-    conditions.push("fili='" + filtres.filiere + "'")
+    conditions.push("fili='" + echapperValeur(filtres.filiere) + "'")
   }
 
   if (filtres.selectivite && filtres.selectivite !== "") {
-    conditions.push("select_form='" + filtres.selectivite + "'")
+    conditions.push("select_form='" + echapperValeur(filtres.selectivite) + "'")
   }
 
   if (filtres.region && filtres.region !== "") {
-    conditions.push("region_etab_aff='" + filtres.region + "'")
+    conditions.push("region_etab_aff='" + echapperValeur(filtres.region) + "'")
   }
 
   if (filtres.tauxMin && filtres.tauxMin > 0) {
@@ -33,7 +38,7 @@ export function construireURL(requete, limite = 20, decalage = 0, filtres = {})
   }
 
   if (conditions.length > 0) {
-    url += "&where=" + conditions.join(" AND ")
+    url += "&where=" + encodeURIComponent(conditions.join(" AND "))
   }
 
   return url
@@ -46,7 +51,7 @@ export async function chargerFormations(requete, limite = 20, decalage = 0, filt
   var reponse = await fetch(url)
 
   if (!reponse.ok) {
-    throw new Error("Erreur HTTP")
+    throw new Error("Erreur HTTP " + reponse.status)
   }
 
   return await reponse.json()
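Review bot: `echapperValeur` escapes only the apostrophe, so a value that already contains a backslash can still terminate the quoted literal in the where clause: the input `\'` becomes `\\'`, which a backslash-escaping grammar reads as an escaped backslash followed by a live quote, and a lone trailing backslash (`foo\`) swallows the closing quote and turns the rest of the clause into string content. This assumes, exactly as the helper already does, that backslash is the escape character of the target query language; if the API does not honour backslash escapes at all, neither the helper nor this fix holds and an allowlist is the right tool. Escape the backslash first: `return String(valeur).replace(/\\/g, "\\\\").replace(/'/g, "\\'")`. The header comment should say what the helper guarantees, e.g. `// Escape backslashes and apostrophes so a value cannot close a single-quoted literal in the where clause; URL-encoding of the whole clause is done separately by the caller`.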
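Review bot: The `fili`, `select_form` and `region_etab_aff` conditions are exact-match comparisons against what look like fixed code lists (presumably fed from select inputs — verify against the caller), yet the new code relies on escaping alone. Checking each against an allowlist of known values before it reaches `conditions`, e.g. `var FILIERES = new Set([...])` and `if (FILIERES.has(filtres.filiere))`, would reject unexpected input outright instead of forwarding it to the API in escaped form. As a style point, `requete.trim()` is now evaluated twice in the first `if`; computing `var texte = requete ? requete.trim() : ""` once and testing `texte !== ""` avoids the repetition. `construireURL` starts before and continues after this hunk.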
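Review bot: `fetch(url)` at the top of the last hunk carries no timeout or abort signal, so a stalled upstream leaves the caller's `await` hanging indefinitely; passing `{ signal: AbortSignal.timeout(10000) }` where the runtime supports it, or a caller-supplied signal, bounds that. The new error message now carries the status code but not the reason phrase; `throw new Error("Erreur HTTP " + reponse.status + " " + reponse.statusText)` costs nothing and reads better in logs. `chargerFormations` begins and ends outside the hunk.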
@@ -64,9 +69,10 @@ export async function chargerHistoriqueFormation(codUai, nomFormation) {
     2025: "fr-esr-parcoursup"
   }
 
-  var historique = []
-  var nomCourt = nomFormation.substring(0, 40).replace(/'/g, "\\'")
-  var annees = [2020, 2021, 2022, 2023, 2024, 2025]
+  var historique = []
+  var nomCourt = echapperValeur((nomFormation || "").substring(0, 40))
+  var codeUai = echapperValeur(codUai)
+  var annees = [2020, 2021, 2022, 2023, 2024, 2025]
 
 
   for (var i = 0; i < annees.length; i++) {
@@ -75,11 +81,14 @@ export async function chargerHistoriqueFormation(codUai, nomFormation) {
 
 
     try {
+      var where =
+        "cod_uai='" + codeUai + "' AND search(lib_for_voe_ins, '" + nomCourt + "')"
+
       var url =
         "https://data.enseignementsup-recherche.gouv.fr/api/explore/v2.1/catalog/datasets/" + dataset + "/records?"
         + "limit=5"
-        + "&where=cod_uai%3D'" + codUai + "' AND search(lib_for_voe_ins, '" + nomCourt + "')"
-        + "&select=cod_uai,lib_for_voe_ins,voe_tot,acc_tot,pct_sansmention,pct_ab,pct_b,pct_tb,pct_tbf,pct_bg,pct_bt,pct_bp"
+        + "&where=" + encodeURIComponent(where)
+        + "&select=" + encodeURIComponent("cod_uai,lib_for_voe_ins,voe_tot,acc_tot,pct_sansmention,pct_ab,pct_b,pct_tb,pct_tbf,pct_bg,pct_bt,pct_bp")
 
       var reponse = await fetch(url)
 
@@ -119,4 +128,4 @@ export async function chargerHistoriqueFormation(codUai, nomFormation) {
   }
 
   return historique
-}
+}
\ No newline at end of file
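Review bot: `echapperValeur(codUai)` on the new `codeUai` line turns a missing argument into the string `"undefined"`, so the where clause silently becomes `cod_uai='undefined'` and the history comes back empty instead of failing loudly — `nomFormation` received a `|| ""` guard, `codUai` did not. UAI codes appear to have a fixed shape (seven digits followed by an uppercase letter; confirm against the dataset), so a format check at the top of the function, `if (!/^\d{7}[A-Z]$/.test(String(codUai))) throw new Error("Code UAI invalide")`, would catch the missing case and make escaping of that value moot. Truncating `nomFormation` to 40 UTF-16 units before escaping is the right order, since escaping first could leave a dangling backslash at the cut. The function body continues outside this hunk.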
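Review bot: In the second hunk the `where` string is still assembled by concatenation and its safety rests entirely on both interpolated values having passed through `echapperValeur` earlier in the function; a comment on the `var where =` line such as `// codeUai and nomCourt are already escaped via echapperValeur; never interpolate a raw value here` would stop a later edit from adding an unescaped field. The URL itself can be built with `new URL` and `searchParams.set`, which encodes every parameter uniformly and removes the hand-placed `encodeURIComponent` calls (note that `URLSearchParams` encodes spaces as `+`, which the API should accept as standard form encoding — verify once). `fetch` accepts the resulting `URL` object unchanged; the surrounding `try` and the response handling are outside the hunk.

```javascript
    try {
      var where =
        "cod_uai='" + codeUai + "' AND search(lib_for_voe_ins, '" + nomCourt + "')"

      var url = new URL(
        "https://data.enseignementsup-recherche.gouv.fr/api/explore/v2.1/catalog/datasets/" + dataset + "/records"
      )
      url.searchParams.set("limit", "5")
      url.searchParams.set("where", where)
      url.searchParams.set("select", "cod_uai,lib_for_voe_ins,voe_tot,acc_tot,pct_sansmention,pct_ab,pct_b,pct_tb,pct_tbf,pct_bg,pct_bt,pct_bp")

      var reponse = await fetch(url)
      // … unchanged: response handling …
```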