Fixed bug #13137: redirect/returnUrl isn't validated in core (thanks to Georg Ringer...
authorOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:17:45 +0000 (09:17 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:17:45 +0000 (09:17 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@8427 709f56b5-9817-0410-a4d7-c38de5d9e867

27 files changed:
ChangeLog
t3lib/class.t3lib_tcemain.php
typo3/alt_doc.php
typo3/class.db_list.inc
typo3/class.show_rechis.inc
typo3/db_list.php
typo3/db_new.php
typo3/file_edit.php
typo3/file_newfolder.php
typo3/file_rename.php
typo3/file_upload.php
typo3/index.php
typo3/logout.php
typo3/mod/tools/em/class.em_index.php
typo3/move_el.php
typo3/show_item.php
typo3/sysext/cms/layout/db_new_content_el.php
typo3/sysext/cms/tslib/class.tslib_fe.php
typo3/sysext/install/mod/class.tx_install.php
typo3/sysext/version/cm1/index.php
typo3/tce_db.php
typo3/tce_file.php
typo3/template.php
typo3/wizard_add.php
typo3/wizard_forms.php
typo3/wizard_list.php
typo3/wizard_table.php

index 4ff4c9f..acd9b5d 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,7 @@
        * Fixed bug #14412: Field value added to foreign_table_where by replacing ###REC_FIELD_THE_FIELD_NAME### is not quoted (thanks to Helmut Hummel and Xavier Perseguers)
        * Fixed bug #14114: Core mailform is open to spam abuse (thanks to Lars Houmark)
        * Fixed bug #12294: Unchecked URL-Redirect parameter in Front-End logon (thanks to Steffen Kamper and Helmut Hummel)
+       * Fixed bug #13137: redirect/returnUrl isn't validated in core (thanks to Georg Ringer and Marcus Krause)
 
 2010-07-21  Ingo Renner  <ingo@typo3.org>
 
index 3caa2df..487796f 100755 (executable)
@@ -7217,6 +7217,7 @@ State was change by %s (username: %s)
                                        </tr>';
                        }
 
+                       $redirect = t3lib_div::sanitizeLocalUrl($redirect);
                        $lines[] = '
                                        <tr>
                                                <td colspan="2" align="center"><br />'.
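Review bot: The added `sanitizeLocalUrl()` call runs where `$redirect` is rendered into the markup, not where it was read, so any earlier use of `$redirect` in this method keeps the unvalidated value; the method begins and continues outside the hunk, so those uses are not visible here. Validating the value at the point where it enters (as the other files in this commit do around `t3lib_div::_GP(...)`) would cover every use in one place. A short why-comment on the added line, such as `// redirect target must be a local URL`, would also tell the next reader what the call is guarding.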
index 20c8cb6..1d05b6a 100755 (executable)
@@ -200,7 +200,7 @@ class SC_alt_doc {
                $this->defVals = t3lib_div::_GP('defVals');
                $this->overrideVals = t3lib_div::_GP('overrideVals');
                $this->columnsOnly = t3lib_div::_GP('columnsOnly');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->closeDoc = t3lib_div::_GP('closeDoc');
                $this->doSave = t3lib_div::_GP('doSave');
                $this->returnEditConf = t3lib_div::_GP('returnEditConf');
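Review bot: Nothing in this hunk handles the case where `sanitizeLocalUrl()` rejects the value; if it returns an empty string for a non-local URL (its contract is not visible in this diff), `$this->returnUrl` is silently emptied and any later `header('Location: ' ...)` or back link built from it receives an empty target. The same read-and-store pattern is used in class.show_rechis.inc, db_list.php, db_new.php, file_edit.php, file_newfolder.php, file_rename.php, move_el.php, db_new_content_el.php, tce_db.php and tce_file.php, whereas file_upload.php, logout.php and show_item.php explicitly fall back or branch on the emptied value. It is worth confirming that the consumers in the first group cope with an empty value too. A comment at the assignment, e.g. `// only a local URL is accepted; a rejected value presumably ends up empty — confirm against sanitizeLocalUrl()`, would document the assumption callers rely on.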
@@ -271,7 +271,7 @@ class SC_alt_doc {
                $this->cmd = t3lib_div::_GP('cmd');
                $this->mirror = t3lib_div::_GP('mirror');
                $this->cacheCmd = t3lib_div::_GP('cacheCmd');
-               $this->redirect = t3lib_div::_GP('redirect');
+               $this->redirect = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect'));
                $this->returnNewPageId = t3lib_div::_GP('returnNewPageId');
                $this->vC = t3lib_div::_GP('vC');
 
@@ -1161,7 +1161,7 @@ class SC_alt_doc {
                        if (is_array($localizedRecord)) {
                                        // Create parameters and finally run the classic page module for creating a new page translation
                                $params = '&edit['.$table.']['.$localizedRecord['uid'].']=edit';
-                               $returnUrl = '&returnUrl='.rawurlencode(t3lib_div::_GP('returnUrl'));
+                               $returnUrl = '&returnUrl='.rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl')));
                                $location = $GLOBALS['BACK_PATH'].'alt_doc.php?'.$params.$returnUrl;
 
                                header('Location: '.t3lib_div::locationHeaderUrl($location));
index 44a47bd..e130661 100755 (executable)
@@ -653,7 +653,7 @@ class recordList extends t3lib_recordList {
                        '?id='.(strcmp($altId,'')?$altId:$this->id).
                        '&table='.rawurlencode($table==-1?$this->table:$table).
                        ($this->thumbs?'&imagemode='.$this->thumbs:'').
-                       ($this->returnUrl?'&returnUrl='.rawurlencode($this->returnUrl):'').
+                       ($this->returnUrl?'&returnUrl='.rawurlencode(t3lib_div::sanitizeLocalUrl($this->returnUrl)):'').
                        ($this->searchString?'&search_field='.rawurlencode($this->searchString):'').
                        ($this->searchLevels?'&search_levels='.rawurlencode($this->searchLevels):'').
                        ($this->showLimit?'&showLimit='.rawurlencode($this->showLimit):'').
index c2da5fb..9aff66f 100755 (executable)
@@ -65,7 +65,7 @@ class recordHistory {
        function recordHistory()        {
                        // GPvars:
                $this->element = t3lib_div::_GP('element');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->lastSyslogId = t3lib_div::_GP('diff');
                $this->rollbackFields = t3lib_div::_GP('rollbackFields');
                        // resolve sh_uid if set
index 8c2c066..ff3518e 100755 (executable)
@@ -144,7 +144,7 @@ class SC_db_list {
                $this->search_field = t3lib_div::_GP('search_field');
                $this->search_levels = t3lib_div::_GP('search_levels');
                $this->showLimit = t3lib_div::_GP('showLimit');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
 
                $this->clear_cache = t3lib_div::_GP('clear_cache');
                $this->cmd = t3lib_div::_GP('cmd');
index dfc2f53..4291ac7 100755 (executable)
@@ -176,7 +176,7 @@ class SC_db_new {
                }
                        // Setting GPvars:
                $this->id = intval(t3lib_div::_GP('id'));       // The page id to operate from
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->pagesOnly = t3lib_div::_GP('pagesOnly');
 
                        // Create instance of template class for output
index 04a16da..08e5987 100755 (executable)
@@ -107,7 +107,7 @@ class SC_file_edit {
 
                        // Setting target, which must be a file reference to a file within the mounts.
                $this->target = $this->origTarget = t3lib_div::_GP('target');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
 
                        // Creating file management object:
                $this->basicff = t3lib_div::makeInstance('t3lib_basicFileFunctions');
index 57ed014..919bd96 100755 (executable)
@@ -115,7 +115,7 @@ class SC_file_newfolder {
                        // Initialize GPvars:
                $this->number = t3lib_div::_GP('number');
                $this->target = t3lib_div::_GP('target');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
 
                        // Init basic-file-functions object:
                $this->basicff = t3lib_div::makeInstance('t3lib_basicFileFunctions');
index 3262d4b..81875bf 100755 (executable)
@@ -109,7 +109,7 @@ class SC_file_rename {
 
                        // Initialize GPvars:
                $this->target = t3lib_div::_GP('target');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
 
                        // Init basic-file-functions object:
                $this->basicff = t3lib_div::makeInstance('t3lib_basicFileFunctions');
index 02bfc28..efd28a0 100755 (executable)
@@ -117,7 +117,7 @@ class SC_file_upload {
                        // Initialize GPvars:
                $this->number = t3lib_div::_GP('number');
                $this->target = t3lib_div::_GP('target');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->returnUrl = $this->returnUrl ? $this->returnUrl : t3lib_div::getIndpEnv('TYPO3_SITE_URL').TYPO3_mainDir.'file_list.php?id='.rawurlencode($this->target);
 
                if (empty($this->number))       {
index b0cd564..d739aec 100755 (executable)
@@ -122,7 +122,7 @@ class SC_index {
                global $BE_USER,$TYPO3_CONF_VARS;
 
                        // GPvars:
-               $this->redirect_url = t3lib_div::_GP('redirect_url');
+               $this->redirect_url = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect_url'));
                $this->GPinterface = t3lib_div::_GP('interface');
 
                if(t3lib_div::getIndpEnv('TYPO3_SSL'))  {       // For security reasons this feature only works if SSL is used
index b40da0f..a4822a7 100755 (executable)
@@ -72,7 +72,9 @@ class SC_logout {
                $BE_USER->writelog(255,2,0,1,'User %s logged out from TYPO3 Backend',Array($BE_USER->user['username']));        // Logout written to log
                $BE_USER->logoff();
 
-               header('Location: '.t3lib_div::locationHeaderUrl(t3lib_div::_GP('redirect')?t3lib_div::_GP('redirect'):'index.php'));
+               $redirect = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect'));
+               $redirectUrl = $redirect ? $redirect : 'index.php';
+               header('Location: '.t3lib_div::locationHeaderUrl($redirectUrl));
        }
 }
 
index 045c67b..7417fcd 100644 (file)
@@ -2250,7 +2250,7 @@ EXTENSION KEYS:
        function requestInstallExtensions($extList)     {
 
                        // Return URL:
-               $returnUrl = t3lib_div::_GP('returnUrl');
+               $returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $installOrImportExtension = t3lib_div::_POST('installOrImportExtension');
 
                        // Extension List:
index 05c957a..459b3ee 100755 (executable)
@@ -260,7 +260,7 @@ class SC_move_el {
                $this->sys_language = intval(t3lib_div::_GP('sys_language'));
                $this->page_id=intval(t3lib_div::_GP('uid'));
                $this->table=t3lib_div::_GP('table');
-               $this->R_URI=t3lib_div::_GP('returnUrl');
+               $this->R_URI=t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->input_moveUid = t3lib_div::_GP('moveUid');
                $this->moveUid = $this->input_moveUid ? $this->input_moveUid : $this->page_id;
                $this->makeCopy = t3lib_div::_GP('makeCopy');
index e282446..b4b6d3c 100755 (executable)
@@ -226,8 +226,9 @@ class SC_show_item {
                global $LANG;
 
                if ($this->access)      {
-                       $returnLinkTag = t3lib_div::_GP('returnUrl') ? '<a href="'.t3lib_div::_GP('returnUrl').'" class="typo3-goBack">' : '<a href="#" onclick="window.close();">';
-
+                       $returnLink =  t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
+                       $returnLinkTag = $returnLink ? '<a href="' . $returnLink . '" class="typo3-goBack">' : '<a href="#" onclick="window.close();">';
                                // render type by user func
                        $typeRendered = false;
                        if (is_array ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/show_item.php']['typeRendering'])) {
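Review bot: On the second added line the validated `$returnLink` is written into the `href` attribute without `htmlspecialchars()`, so a local URL whose query string contains `"` or `&` still lands raw in the attribute; `sanitizeLocalUrl()` checks where the URL points, not whether it is safe in an HTML context. The parallel back link added in cm1/index.php (the `$linkBack` hunk) does escape, so this site should match it: `$returnLinkTag = $returnLink ? '<a href="' . htmlspecialchars($returnLink) . '" class="typo3-goBack">' : '<a href="#" onclick="window.close();">';`. The double space in `$returnLink =  t3lib_div::sanitizeLocalUrl(...)` on the first added line looks unintended.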
@@ -257,7 +258,7 @@ class SC_show_item {
                        }
 
                                // If return Url is set, output link to go back:
-                       if (t3lib_div::_GP('returnUrl'))        {
+                       if ($returnLink)        {
                                $this->content = $this->doc->section('',$returnLinkTag.'<strong>'.$LANG->sL('LLL:EXT:lang/locallang_core.xml:labels.goBack',1).'</strong></a><br /><br />').$this->content;
 
                                $this->content .= $this->doc->section('','<br />'.$returnLinkTag.'<strong>'.$LANG->sL('LLL:EXT:lang/locallang_core.xml:labels.goBack',1).'</strong></a>');
index d1a7492..ff774ed 100644 (file)
@@ -190,7 +190,7 @@ class SC_db_new_content_el {
                        // Setting internal vars:
                $this->id = intval(t3lib_div::_GP('id'));
                $this->sys_language = intval(t3lib_div::_GP('sys_language_uid'));
-               $this->R_URI = t3lib_div::_GP('returnUrl');
+               $this->R_URI = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->colPos = t3lib_div::_GP('colPos');
                $this->uid_pid = intval(t3lib_div::_GP('uid_pid'));
 
index de3d0ad..73629cf 100755 (executable)
@@ -1659,8 +1659,9 @@ require_once (PATH_t3lib.'class.t3lib_lock.php');
                                } else {
                                        $message = 'You logged out from Workspace preview mode. Click this link to <a href="%1$s">go back to the website</a>';
                                }
+                               $returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GET('returnUrl'));
                                die(sprintf($message,
-                                       htmlspecialchars(ereg_replace('\&?ADMCMD_prev=[[:alnum:]]+','',t3lib_div::_GET('returnUrl')))
+                                       htmlspecialchars(ereg_replace('\&?ADMCMD_prev=[[:alnum:]]+','', $returnUrl))
                                        ));
                        }
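Review bot: When `sanitizeLocalUrl()` rejects the `returnUrl` parameter, the added line leaves `$returnUrl` with whatever the function returns on rejection — presumably an empty string — and the `die(sprintf(...))` below still renders the "go back" anchor, now with an empty `href` that merely reloads the current page. Either substitute a known local target when the value is empty or omit the anchor in that case, so the message does not advertise a link that goes nowhere. The `ereg_replace()` on the following line is pre-existing rather than part of this change, but it is deprecated as of PHP 5.3; `preg_replace('/&?ADMCMD_prev=[[:alnum:]]+/', '', $returnUrl)` is the equivalent when that is next touched.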
 
index 0d03079..fbdf8ae 100755 (executable)
@@ -269,7 +269,7 @@ class tx_install extends t3lib_install {
                } else {
                        $this->step = intval(t3lib_div::_GP('step'));
                }
-               $this->redirect_url = t3lib_div::_GP('redirect_url');
+               $this->redirect_url = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect_url'));
 
                $this->INSTALL['type'] = '';
                if ($_GET['TYPO3_INSTALL']['type']) {
index affcfc2..a140f5d 100755 (executable)
@@ -194,7 +194,7 @@ class tx_version_cm1 extends t3lib_SCbase {
                        // Setting module configuration:
                $this->MCONF = $GLOBALS['MCONF'];
 
-               $this->REQUEST_URI = str_replace('&sendToReview=1','',t3lib_div::getIndpEnv('REQUEST_URI'));
+               $this->REQUEST_URI = str_replace('&sendToReview=1','', t3lib_div::sanitizeLocalUrl(t3lib_div::getIndpEnv('REQUEST_URI')));
 
                        // Draw the header.
                $this->doc = t3lib_div::makeInstance('template');
@@ -352,7 +352,8 @@ class tx_version_cm1 extends t3lib_SCbase {
 
                                // If access to Web>List for user, then link to that module.
                        if ($BE_USER->check('modules','web_list'))      {
-                               $href = $BACK_PATH . 'db_list.php?id=' . $this->pageinfo['uid'] . '&returnUrl=' . rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI'));
+                               $returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::getIndpEnv('REQUEST_URI'));
+                               $href = $BACK_PATH . 'db_list.php?id=' . $this->pageinfo['uid'] . '&returnUrl=' . rawurlencode($returnUrl);
                                $buttons['record_list'] = '<a href="' . htmlspecialchars($href) . '">' .
                                                '<img' . t3lib_iconWorks::skinImg($BACK_PATH, 'gfx/list.gif') . ' title="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:labels.showList', 1) . '" alt="" />' .
                                                '</a>';
@@ -807,7 +808,8 @@ class tx_version_cm1 extends t3lib_SCbase {
                        $table = '<table border="0" cellpadding="0" cellspacing="1" class="lrPadding workspace-overview">'.implode('',$tableRows).'</table>';
                } else $table = '';
 
-               $linkBack = t3lib_div::_GP('returnUrl') ? '<a href="'.htmlspecialchars(t3lib_div::_GP('returnUrl')).'" class="typo3-goBack"><img'.t3lib_iconWorks::skinImg($this->doc->backPath,'gfx/goback.gif','width="14" height="14"').' alt="" />Click here to go back</a><br/><br/>' : '';
+               $returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
+               $linkBack = $returnUrl ? '<a href="'.htmlspecialchars($returnUrl).'" class="typo3-goBack"><img'.t3lib_iconWorks::skinImg($this->doc->backPath,'gfx/goback.gif','width="14" height="14"').' alt="" />Click here to go back</a><br/><br/>' : '';
                $resetDiffOnly = $this->diffOnly ? '<a href="index.php?id='.intval($this->id).'" class="typo3-goBack">Show all information</a><br/><br/>' : '';
 
                $versionSelector = $GLOBALS['BE_USER']->workspace ? $this->doc->getVersionSelector($this->id) : '';
index 0dd5a84..7e8d992 100644 (file)
@@ -118,7 +118,7 @@ class SC_tce_db {
                $this->cmd = t3lib_div::_GP('cmd');
                $this->mirror = t3lib_div::_GP('mirror');
                $this->cacheCmd = t3lib_div::_GP('cacheCmd');
-               $this->redirect = t3lib_div::_GP('redirect');
+               $this->redirect = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect'));
                $this->prErr = t3lib_div::_GP('prErr');
                $this->_disableRTE = t3lib_div::_GP('_disableRTE');
                $this->CB = t3lib_div::_GP('CB');
index c07ca05..da2970e 100755 (executable)
@@ -98,7 +98,7 @@ class SC_tce_file {
 
                        // GPvars:
                $this->file = t3lib_div::_GP('file');
-               $this->redirect = t3lib_div::_GP('redirect');
+               $this->redirect = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect'));
                $this->CB = t3lib_div::_GP('CB');
                $this->overwriteExistingFiles = t3lib_div::_GP('overwriteExistingFiles');
                $this->vC = t3lib_div::_GP('vC');
index c1aee92..9d60958 100755 (executable)
@@ -544,7 +544,7 @@ class template {
                ));
 
                $out ="
-       var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::_GP('returnUrl')))."';
+       var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'))))."';
        var T3_THIS_LOCATION = '".str_replace('%20','',rawurlencode($thisLocation))."';
                ";
                return $out;
index 224bfb8..6a0bebb 100755 (executable)
@@ -123,7 +123,7 @@ class SC_wizard_add {
 
                        // Return if new record as parent (not possibly/allowed)
                if (!strcmp($this->pid,''))     {
-                       header('Location: '.t3lib_div::locationHeaderUrl($this->P['returnUrl']));
+                       header('Location: '.t3lib_div::locationHeaderUrl(t3lib_div::sanitizeLocalUrl($this->P['returnUrl'])));
                        exit;
                }
 
@@ -192,7 +192,7 @@ class SC_wizard_add {
                                }
                        }
                                // Return to the parent alt_doc.php record editing session:
-                       header('Location: '.t3lib_div::locationHeaderUrl($this->P['returnUrl']));
+                       header('Location: '.t3lib_div::locationHeaderUrl(t3lib_div::sanitizeLocalUrl($this->P['returnUrl'])));
                } else {
                                // Redirecting to alt_doc.php with instructions to create a new record AND when closing to return back with information about that records ID etc.
                        header('Location: '.t3lib_div::locationHeaderUrl('alt_doc.php?returnUrl='.rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI')).'&returnEditConf=1&edit['.$this->P['params']['table'].']['.$this->pid.']=new'));
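Review bot: The `returnUrl` built on the last context line from `t3lib_div::getIndpEnv('REQUEST_URI')` is not passed through `sanitizeLocalUrl()`, while the equivalent redirect in wizard_list.php and the two `REQUEST_URI` sites in cm1/index.php in this same commit are; whichever treatment is intended for server-derived request URIs should be applied consistently. The practical exposure here is lower than for a `returnUrl` read from the request, since `REQUEST_URI` is the request path rather than a free-form parameter, so if the other sites were wrapped for uniformity this one can be aligned with them: `rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::getIndpEnv('REQUEST_URI')))`. The enclosing method continues outside the hunk.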
index 5f1ae17..a37c4fd 100755 (executable)
@@ -359,7 +359,7 @@ class SC_wizard_forms {
 
                                        // If the save/close button was pressed, then redirect the screen:
                                if ($_POST['saveandclosedok_x'])        {
-                                       header('Location: '.t3lib_div::locationHeaderUrl($this->P['returnUrl']));
+                                       header('Location: '.t3lib_div::locationHeaderUrl(t3lib_div::sanitizeLocalUrl($this->P['returnUrl'])));
                                        exit;
                                }
                        }
@@ -641,7 +641,7 @@ class SC_wizard_forms {
                        <div id="c-saveButtonPanel">';
                $content.= '<input type="image" class="c-inputButton" name="savedok"'.t3lib_iconWorks::skinImg($this->doc->backPath,'gfx/savedok.gif','').' title="'.$LANG->sL('LLL:EXT:lang/locallang_core.php:rm.saveDoc',1).'" />';
                $content.= '<input type="image" class="c-inputButton" name="saveandclosedok"'.t3lib_iconWorks::skinImg($this->doc->backPath,'gfx/saveandclosedok.gif','').' title="'.$LANG->sL('LLL:EXT:lang/locallang_core.php:rm.saveCloseDoc',1).'" />';
-               $content.= '<a href="#" onclick="'.htmlspecialchars('jumpToUrl(unescape(\''.rawurlencode($this->P['returnUrl']).'\')); return false;').'">'.
+               $content.= '<a href="#" onclick="'.htmlspecialchars('jumpToUrl(unescape(\''.rawurlencode(t3lib_div::sanitizeLocalUrl($this->P['returnUrl'])).'\')); return false;').'">'.
                                        '<img'.t3lib_iconWorks::skinImg($this->doc->backPath,'gfx/closedok.gif','width="21" height="16"').' class="c-inputButton" title="'.$LANG->sL('LLL:EXT:lang/locallang_core.php:rm.closeDoc',1).'" alt="" />'.
                                        '</a>';
                $content.= '<input type="image" class="c-inputButton" name="_refresh"'.t3lib_iconWorks::skinImg('','gfx/refresh_n.gif','').' title="'.$LANG->getLL('forms_refresh',1).'" />';
index 760b0ab..c35f616 100755 (executable)
@@ -117,9 +117,9 @@ class SC_wizard_list {
 
                        // Make redirect:
                if (!strcmp($this->pid,'') || strcmp($this->id,''))     {       // If pid is blank OR if id is set, then return...
-                       header('Location: '.t3lib_div::locationHeaderUrl($this->P['returnUrl']));
+                       header('Location: '.t3lib_div::locationHeaderUrl(t3lib_div::sanitizeLocalUrl($this->P['returnUrl'])));
                } else {        // Otherwise, show the list:
-                       header('Location: '.t3lib_div::locationHeaderUrl('db_list.php?id='.$this->pid.'&table='.$this->P['params']['table'].'&returnUrl='.rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI'))));
+                       header('Location: '.t3lib_div::locationHeaderUrl('db_list.php?id='.$this->pid.'&table='.$this->P['params']['table'].'&returnUrl='.rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::getIndpEnv('REQUEST_URI')))));
                }
        }
 }
index e1b8ff3..057b51f 100755 (executable)
@@ -277,7 +277,7 @@ class SC_wizard_table {
 
                                        // If the save/close button was pressed, then redirect the screen:
                                if ($_POST['saveandclosedok_x'])        {
-                                       header('Location: '.t3lib_div::locationHeaderUrl($this->P['returnUrl']));
+                                       header('Location: '.t3lib_div::locationHeaderUrl(t3lib_div::sanitizeLocalUrl($this->P['returnUrl'])));
                                        exit;
                                }
                        }