getHeader()->sendHttpHeaders(); $response->disable(); if (! Core::isValid($_REQUEST['url']) || ! preg_match('/^https:\/\/[^\n\r]*$/', $_REQUEST['url']) || ! Core::isAllowedDomain($_REQUEST['url']) ) { Core::sendHeaderLocation('./'); } else { // JavaScript redirection is necessary. Because if header() is used // then web browser sometimes does not change the HTTP_REFERER // field and so with old URL as Referer, token also goes to // external site. echo ""; // Display redirecting msg on screen. // Do not display the value of $_REQUEST['url'] to avoid showing injected content echo __('Taking you to the target site.'); } die();