diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go
index 28c654676ee..e2af6d7413e 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go
@@ -83,7 +83,7 @@ type Transport struct {
 // RoundTrip implements the http.RoundTripper interface
 func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 // Add reverse proxy headers.
- forwardedURI := path.Join(t.PathPrepend, req.URL.Path)
+ forwardedURI := path.Join(t.PathPrepend, req.URL.EscapedPath())
 if strings.HasSuffix(req.URL.Path, "/") {
 forwardedURI = forwardedURI + "/"
 }
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go
index 90816ffa524..74511eb36fd 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/transport_test.go
@@ -197,6 +197,14 @@ func TestProxyTransport(t *testing.T) {
 contentType: "text/html",
 forwardedURI: "/proxy/node/node1:10250/logs/log.log",
 },
+ "forwarded URI must be escaped": {
+ input: "",
+ sourceURL: "http://mynode.com/logs/log.log%00",
+ transport: testTransport,
+ output: "",
+ contentType: "text/html",
+ forwardedURI: "/proxy/node/node1:10250/logs/log.log%00%3Cscript%3Ealert%281%29%3C/script%3E",
+ },
 }
 testItem := func(name string, item *Item) {
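Review bot: In transport.go, the trailing-slash check right after the changed line still tests the decoded `req.URL.Path`, while `forwardedURI` is now built from `req.URL.EscapedPath()`. A request path ending in `%2F` therefore gets a literal `/` appended after the escaped one; checking the same form avoids that: `if strings.HasSuffix(req.URL.EscapedPath(), "/") {`. `path.Join` also cleans the string exactly as given, so percent-encoded dot segments such as `%2e%2e` are no longer collapsed the way their decoded form was, and `t.PathPrepend` is joined without escaping. A comment like `// forwardedURI is kept in escaped form; consumers must not decode it before resolving or rendering it` would make that contract explicit. RoundTrip's body continues past the hunk, so how the value is consumed is not visible here.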
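Review bot: In transport_test.go, the new table entry's `sourceURL` ends at `log.log%00`, yet the expected `forwardedURI` continues with `%3Cscript%3Ealert%281%29%3C/script%3E`, so as shown the expectation cannot be derived from the input. The page rendering may have dropped the tail of the literal; it is worth confirming against the committed file. The case also pins only one escaped payload. A second entry whose path ends in `%2F` would fix the trailing-slash behaviour that the changed line in RoundTrip now affects. TestProxyTransport's body starts and ends outside the hunk, so the way `forwardedURI` is asserted is not visible here.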