48e0cf8479
If you put a CR in the redirect URL, the response splitting protection refuses to send the Location header, and the body is rendered in the browser; instant XSS. It would not surprise me if some browsers ignore the Location header for less obviously broken URLs, so let's just remove the URL entirely.
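
The failure mode described in the commit message, modelled in Python as an added example; this is not the project's code. The function names, the header-dropping model and the sample URL are assumptions, and the up-front rejection of control characters is an extra check beyond what the commit states.

```python
# Added illustration; not the project's code. All names here are hypothetical.

def send_headers(headers):
    """Model of response-splitting protection: a header whose value
    contains CR, LF or NUL is dropped instead of being sent."""
    return [(k, v) for k, v in headers if not set(v) & set("\r\n\0")]

def redirect_before(url):
    """Behaviour the commit removes: the target URL is echoed into the body."""
    body = '<p>Redirecting to <a href="%s">%s</a></p>' % (url, url)
    return 302, send_headers([("Location", url)]), body

def redirect_after(url):
    """Body carries no request-derived data. Rejecting control characters
    up front is an extra check added in this example, not stated in the commit."""
    if set(url) & set("\r\n\0"):
        return 400, [], "<p>Invalid redirect target.</p>"
    return 302, send_headers([("Location", url)]), "<p>Redirecting.</p>"

def body_is_rendered(response):
    """Without a Location header the browser displays the body."""
    _status, headers, _body = response
    return not any(k.lower() == "location" for k, _ in headers)

# Constructed sample input: a CR followed by markup.
SAMPLE = "https://example.test/\r<script>alert(1)</script>"

if __name__ == "__main__":
    for fn in (redirect_before, redirect_after):
        resp = fn(SAMPLE)
        print(fn.__name__, resp[0], "rendered:", body_is_rendered(resp),
              "markup in body:", "<script>" in resp[2])
```
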