From 569f0c90fce5d1f8fbd0d770f09f4da2372ea399 Mon Sep 17 00:00:00 2001
From: Dominik Schilling
Date: Tue, 21 Jun 2016 14:19:48 +0000
Subject: [PATCH] Customize: Make sure that preview and return URLs are URLs.

Merge of [37527] to the 4.2 branch.
Built from https://develop.svn.wordpress.org/branches/4.2@37772
git-svn-id: http://core.svn.wordpress.org/branches/4.2@37737 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/customize.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/wp-admin/customize.php b/wp-admin/customize.php
index c8bd6e3c2e..71a65928b4 100644
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -18,9 +18,11 @@ if ( ! current_user_can( 'customize' ) ) {
 wp_reset_vars( array( 'url', 'return' ) );
 $url = wp_unslash( $url );
+$url = esc_url_raw( $url );
 $url = wp_validate_redirect( $url, home_url( '/' ) );
 if ( $return ) {
 	$return = wp_unslash( $return );
+	$return = esc_url_raw( $return );
 	$return = wp_validate_redirect( $return );
 }
 if ( ! $return ) {
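Review bot: The two added `esc_url_raw()` calls carry no comment, yet the order of `wp_unslash()`, `esc_url_raw()` and `wp_validate_redirect()` is the whole point of this block, since both variables are populated from request input by the `wp_reset_vars()` call two lines above. A one-line comment above the new `$url` line would record the intent for the next maintainer, e.g. `// Sanitize the request-supplied URL before wp_validate_redirect() applies the allowed-host check.`, with the same note on the `$return` branch. Note also that `$url` falls back to `home_url( '/' )` when validation fails while `$return` is validated without a fallback; the `if ( ! $return ) {` on the hunk's last line presumably covers the empty case, but that statement continues outside the hunk.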