URL Encode Backslash (\)
Learn how to URL encode the backslash character (\) as %5C. Important for Windows file paths in URLs and avoiding security vulnerabilities.
Character: \
Encoded: %5C
Detailed Explanation
The backslash (\) is not a valid character in URLs and must always be encoded as %5C. Unlike the forward slash (/), the backslash has no structural role in URLs and is classified as unsafe by RFC 3986. However, some browsers silently convert backslashes to forward slashes, creating a significant security concern.
Percent-encoded form: %5C represents the backslash (ASCII code 92, hexadecimal 0x5C).
Browser normalization risk: Many browsers (including Chrome and Edge) automatically convert backslashes to forward slashes in the URL path. This means https://example.com\..\admin may be normalized to https://example.com/../admin. This behavior has been exploited in open redirect and path traversal attacks, where security checks validate the URL string containing backslashes, but the browser interprets it with forward slashes.
JavaScript behavior:
encodeURIComponent("\\") // "%5C"
encodeURIComponent("C:\\Users\\file.txt") // "C%3A%5CUsers%5Cfile.txt"
// Important: in JS strings, backslash is an escape character
// You need \\ in source code to represent a single backslash
const path = "C:\\Windows\\System32";
encodeURIComponent(path) // "C%3A%5CWindows%5CSystem32"
Common scenarios:
- Windows file paths passed as URL parameters (the most frequent case)
- UNC network paths: \\server\share needs encoding as %5C%5Cserver%5Cshare
- Regular expression patterns containing backslash escapes
- JSON strings containing escaped characters passed in URLs
- LDAP distinguished names that use backslash escaping
Security implications: The backslash is one of the most dangerous characters in URLs from a security perspective:
- Open redirect: Validation checks may not recognize https://evil.com\@good.com as an external URL
- Path traversal: ..%5C may bypass path traversal filters that only check for ../
- SSRF: Server-side URL parsers may handle backslashes differently than the browser
Pitfall: When accepting file paths from Windows users (e.g., file upload paths, log file locations), always convert backslashes to forward slashes or properly encode them before including them in URLs. Never trust URLs containing backslashes from untrusted sources, and be aware that browser normalization may change the URL's meaning between client and server.
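The validator/parser mismatch behind the open redirect and path traversal items above, next to a stricter redirect check. This is an added example, not code from the original page; the allowlist, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added example. ALLOWED_HOSTS and all function names are hypothetical;
// the sample URLs in the comments are constructed.
const ALLOWED_HOSTS = new Set(["good.com"]);

// String-based check of the kind that gets bypassed: it only knows "/" as a
// delimiter, so for "https://evil.com\@good.com" it reports "good.com".
function naiveHost(raw) {
  const authority = raw.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0];
  return authority.split("@").pop().toLowerCase();
}

// What a WHATWG-conformant parser (browsers, Node's URL) resolves instead:
// for http(s) it treats "\" as "/", which ends the authority at "evil.com".
function parsedHost(raw) {
  return new URL(raw).hostname;
}

// Hardened validation: refuse ambiguous input instead of guessing how the
// client will normalize it, then decide on the parser's view of the host.
function checkRedirect(raw) {
  if (raw.includes("\\")) return { ok: false, reason: "raw backslash" };
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  // %5C in the path is how "..%5C" slips past filters that look for "../".
  // In the query string it is legitimate (an encoded Windows path).
  if (/%5c/i.test(url.pathname)) return { ok: false, reason: "encoded backslash in path" };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: "host not allowed" };
  return { ok: true, href: url.href };
}
```

An encoded Windows path in a query parameter, such as `?path=C%3A%5CUsers%5Cfile.txt`, still passes `checkRedirect`; only a raw backslash or `%5C` in the path is refused.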
Use Case
Encoding Windows file system paths in URL parameters, such as a remote file management API that accepts paths like C:\Users\Documents\report.pdf.