diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index 6386c95f62..775f2a11fc 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -1280,6 +1280,9 @@ if ( ! function_exists( 'wp_sanitize_redirect' ) ) :
 	 * @return string Redirect-sanitized URL.
 	 */
 	function wp_sanitize_redirect( $location ) {
+		// Encode spaces.
+		$location = str_replace( ' ', '%20', $location );
+
 		$regex    = '/
 		(
 			(?: [\xC2-\xDF][\x80-\xBF]        # double-byte sequences   110xxxxx 10xxxxxx
@@ -1296,7 +1299,7 @@ if ( ! function_exists( 'wp_sanitize_redirect' ) ) :
 		$location = preg_replace( '|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location );
 		$location = wp_kses_no_null( $location );
 
-		// remove %0d and %0a from location
+		// Remove %0D and %0A from location.
 		$strip = array( '%0d', '%0a', '%0D', '%0A' );
 		return _deep_replace( $strip, $location );
 	}
diff --git a/tests/phpunit/tests/formatting/redirect.php b/tests/phpunit/tests/formatting/redirect.php
index ac16172c69..493dae4a1c 100644
--- a/tests/phpunit/tests/formatting/redirect.php
+++ b/tests/phpunit/tests/formatting/redirect.php
@@ -36,6 +36,14 @@ class Tests_Formatting_Redirect extends WP_UnitTestCase {
 		$this->assertEquals( 'http://example.com/@username', wp_sanitize_redirect( 'http://example.com/@username' ) );
 	}
 
+	/**
+	 * @group 36998
+	 */
+	function test_wp_sanitize_redirect_should_encode_spaces() {
+		$this->assertEquals( 'http://example.com/test%20spaces', wp_sanitize_redirect( 'http://example.com/test%20spaces' ) );
+		$this->assertEquals( 'http://example.com/test%20spaces%20in%20url', wp_sanitize_redirect( 'http://example.com/test spaces in url' ) );
+	}
+
 	/**
 	 * @dataProvider valid_url_provider
 	 */