diff --git a/templates/user/auth/oauth_container.tmpl b/templates/user/auth/oauth_container.tmpl
index 7531320394..a50ca5f612 100644
--- a/templates/user/auth/oauth_container.tmpl
+++ b/templates/user/auth/oauth_container.tmpl
@@ -8,7 +8,7 @@
 	<div class="tw-flex tw-flex-col tw-justify-center">
 		<div id="oauth2-login-navigator-inner" class="tw-flex tw-flex-col tw-flex-wrap tw-items-center tw-gap-2">
 			{{range $provider := .OAuth2Providers}}
-				<a class="{{$provider.Name}} ui button tw-flex tw-items-center tw-justify-center tw-py-2 tw-w-full oauth-login-link" href="{{AppSubUrl}}/user/oauth2/{{$provider.DisplayName}}">
+				<a class="{{$provider.Name}} ui button tw-flex tw-items-center tw-justify-center tw-py-2 tw-w-full oauth-login-link" href="{{AppSubUrl}}/user/oauth2/{{$provider.DisplayName | PathEscape}}">
 					{{$provider.IconHTML 28}}
 					{{ctx.Locale.Tr "sign_in_with_provider" $provider.DisplayName}}
 				</a>
diff --git a/tests/integration/signin_test.go b/tests/integration/signin_test.go
index c9b2d6ed1c..0367bedd6e 100644
--- a/tests/integration/signin_test.go
+++ b/tests/integration/signin_test.go
@@ -97,6 +97,36 @@ func TestSigninWithRememberMe(t *testing.T) {
 	session.MakeRequest(t, req, http.StatusOK)
 }
 
+func TestProviderDisplayNameIsPathEscaped(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	testCases := []string{
+		"sla/shed",
+		"per%cent",
+		"que?ry=string",
+		"ha#sh",
+		"spa ce",     // doesn't break the path
+		"pl+us",      // unchanged by url.PathEscape
+		"amper&sand", // unchanged by url.PathEscape
+	}
+
+	for _, testCase := range testCases {
+		// GitLab is only used here for convenience.
+		addAuthSource(t, authSourcePayloadGitLabCustom(testCase))
+	}
+
+	request := NewRequest(t, "GET", "/user/login")
+	response := MakeRequest(t, request, http.StatusOK)
+	htmlDoc := NewHTMLParser(t, response.Body)
+
+	for _, testCase := range testCases {
+		t.Run(testCase, func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			htmlDoc.AssertElement(t, fmt.Sprintf("a.oauth-login-link[href='/user/oauth2/%s']", url.PathEscape(testCase)), true)
+		})
+	}
+}
+
 func TestDisableSignin(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	// Mock alternative auth ways as enabled