3 files changed, 6 insertions, 3 deletions

diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 413b74cea..39e7616ed 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -776,6 +776,9 @@ class RequestController < ApplicationController
         # Prevent spam to magic request address. Note that the binary
         # subsitution method used depends on the content type
         @incoming_message.apply_masks!(@attachment.body, @attachment.content_type)
+        if response.content_type == 'text/html'
+            @attachment.body = ActionController::Base.helpers.sanitize(@attachment.body)
+        end
 
         render :text => @attachment.body
     end
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index 7018af03c..4b272797f 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -211,7 +211,7 @@ class TrackController < ApplicationController
             track_thing.destroy
         end
 
-        redirect_to params[:r]
+        redirect_to URI.parse(params[:r]).path
     end
 
 
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index b7c8252f5..56f42891d 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -256,7 +256,7 @@ class UserController < ApplicationController
     def signout
         clear_session_credentials
         if params[:r]
-            redirect_to params[:r]
+            redirect_to URI.parse(params[:r]).path
         else
             redirect_to :controller => "general", :action => "frontpage"
         end
@@ -596,7 +596,7 @@ class UserController < ApplicationController
         end
         @user.receive_email_alerts = params[:receive_email_alerts]
         @user.save!
-        redirect_to params[:came_from]
+        redirect_to URI.parse(params[:came_from]).path
     end
 
     private