From 7b14133f6651e531ce52c1604029a5ee2cf27c61 Mon Sep 17 00:00:00 2001
From: Dominik Schilling
Date: Tue, 21 Jun 2016 14:22:34 +0000
Subject: [PATCH] Customize: Make sure that preview and return URLs are URLs.

Merge of [37527] to the 3.7 branch.

Built from https://develop.svn.wordpress.org/branches/3.7@37780

git-svn-id: http://core.svn.wordpress.org/branches/3.7@37745 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/customize.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/wp-admin/customize.php b/wp-admin/customize.php
index 7f26586ab8..c146465197 100644
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -15,9 +15,10 @@ if ( ! current_user_can( 'edit_theme_options' ) )
 wp_reset_vars( array( 'url', 'return' ) );
 
 $url = urldecode( $url );
+$url = esc_url_raw( $url );
 $url = wp_validate_redirect( $url, home_url( '/' ) );
 if ( $return )
- $return = wp_validate_redirect( urldecode( $return ) );
+ $return = wp_validate_redirect( esc_url_raw( urldecode( $return ) ) );
 if ( ! $return )
 $return = $url;
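Review bot: The `$url` and `$return` inputs now go through the same urldecode → esc_url_raw → wp_validate_redirect sequence, but the `$url` side is spread over three assignments while the `$return` side nests it on one line, which makes the two paths easy to desynchronise in a later edit; folding the `$url` side to `$url = wp_validate_redirect( esc_url_raw( urldecode( $url ) ), home_url( '/' ) );` keeps them visibly identical. The ordering is the security-relevant part and deserves a short comment, since esc_url_raw() drops values whose scheme is not an allowed protocol and wp_validate_redirect() then limits the host, with home_url( '/' ) as the fallback for the preview URL; something like `// Reject disallowed schemes before the host check; fall back to the home URL.` above the first assignment would record that intent. The blank context line after wp_reset_vars() is inferred from the hunk counts rather than visible in the collapsed text.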