diff --git a/modules/httplib/url.go b/modules/httplib/url.go
index 2a1376b8d4..347cbf7b1e 100644
--- a/modules/httplib/url.go
+++ b/modules/httplib/url.go
@@ -24,6 +24,10 @@ func urlIsRelative(s string, u *url.URL) bool {
 if len(s) > 1 && (s[0] == '/' || s[0] == '\\') && (s[1] == '/' || s[1] == '\\') {
 return false
 }
+ // Backslashes (including encoded) can be normalized by browsers into slashes and allow open redirects.
+ if strings.Contains(s, "\\") || strings.Contains(strings.ToLower(s), "%5c") {
+ return false
+ }
 return u != nil && u.Scheme == "" && u.Host == ""
 }
diff --git a/modules/httplib/url_test.go b/modules/httplib/url_test.go
index 0ffb0cac05..4f537b6e2b 100644
--- a/modules/httplib/url_test.go
+++ b/modules/httplib/url_test.go
@@ -32,6 +32,8 @@ func TestIsRelativeURL(t *testing.T) {
 "\\\\",
 "/\\",
 "\\/",
+ "/a/../\\example.com",
+ "/a/../%5cexample.com",
 "mailto:a@b.com",
 "https://test.com",
 }
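Review bot: The new guard rejects any `\` anywhere in s, which makes the `'\\'` alternatives in the protocol-relative check on the line just above it redundant; that condition can now be written as `if strings.HasPrefix(s, "//") { return false }`, which is easier to read than the four-way byte comparison and leaves the new check as the single place backslashes are handled. `strings.ToLower(s)` also copies the whole string whenever it contains an uppercase letter, only to look for a two-byte token; `strings.Contains(s, "%5c") || strings.Contains(s, "%5C")` gives the same answer without the copy. The comment would be more useful if it named what is matched, e.g. `// Backslashes, raw or percent-encoded (%5c), can be normalized by browsers into slashes and allow open redirects.` The signature of urlIsRelative is only visible in the hunk header; the rest of the function is outside the hunk.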
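Review bot: The two added cases cover a raw backslash and the lowercase `%5c` form, but nothing in the table exercises the uppercase `%5C` spelling that the `strings.ToLower` call in urlIsRelative exists to catch, so a regression in that lowering would go unnoticed; adding `"/a/../%5Cexample.com",` next to the new entries pins it. A mixed path such as `"/a/%5c/b"` would likewise confirm the check is not limited to the position after `..`. TestIsRelativeURL begins before and continues after this hunk.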