From 65b88f980217989c2157f18c777014776005e9bf Mon Sep 17 00:00:00 2001
From: Dominik Schilling
Date: Tue, 21 Jun 2016 14:20:25 +0000
Subject: [PATCH] Customize: Make sure that preview and return URLs are URLs.

Merge of [37527] to the 4.1 branch.

Built from https://develop.svn.wordpress.org/branches/4.1@37773
git-svn-id: http://core.svn.wordpress.org/branches/4.1@37738 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/customize.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/wp-admin/customize.php b/wp-admin/customize.php
index 178db28243..7f6f8cddb2 100644
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -18,9 +18,11 @@ if ( ! current_user_can( 'customize' ) ) {
 wp_reset_vars( array( 'url', 'return' ) );
 $url = wp_unslash( $url );
+$url = esc_url_raw( $url );
 $url = wp_validate_redirect( $url, home_url( '/' ) );
 if ( $return ) {
 	$return = wp_unslash( $return );
+	$return = esc_url_raw( $return );
 	$return = wp_validate_redirect( $return );
 }
 if ( ! $return ) {
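Review bot: The two added `esc_url_raw()` calls carry no comment explaining why sanitization is layered in front of `wp_validate_redirect()`, and a maintainer may later drop one of them as redundant. I would add above the first added line: `// Sanitize the raw request value first (esc_url_raw() returns '' for a malformed URL or a disallowed scheme), then enforce the redirect host allow-list; the home_url() fallback below still applies when either step empties the value.` The same comment applies to the `$return` branch, where an emptied value is instead caught by the `if ( ! $return )` check that follows. Note the truthiness test `if ( $return )` still runs on the unsanitized input; that is pre-existing behaviour, not introduced here.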