Description: Customize: Make sure that preview and return URLs are URLs.
Author: ocean90
Origin: upstream, https://core.trac.wordpress.org/changeset/37773/
Applied-Upstream: 4.1.12
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2016-06-26
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -18,9 +18,11 @@
 
 wp_reset_vars( array( 'url', 'return' ) );
 $url = wp_unslash( $url );
+$url = esc_url_raw( $url );
 $url = wp_validate_redirect( $url, home_url( '/' ) );
 if ( $return ) {
 	$return = wp_unslash( $return );
+	$return = esc_url_raw( $return );
 	$return = wp_validate_redirect( $return );
 }
 if ( ! $return ) {
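Review bot: The two added `esc_url_raw()` calls carry no comment explaining why the escaping must run before `wp_validate_redirect()`, and that ordering is the whole point of the change: `wp_validate_redirect()` only checks the target host against the allowed hosts, while `esc_url_raw()` normalizes the value and, as far as I recall, returns an empty string for a disallowed scheme or a value that is not a URL, so the subsequent fallback (`home_url( '/' )` for `$url`, the default for `$return`) takes over. A one-line comment above the first call, `// Reject non-URL values and disallowed schemes before host validation; esc_url_raw() yields '' so the fallback applies.`, would record that for the next maintainer. Note that `$return` is checked for truthiness before the new escaping, so a value emptied by `esc_url_raw()` relies on the `if ( ! $return )` branch at the end of the hunk, whose body continues outside the hunk and presumably assigns the default return URL.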
