Index: openacs-4/packages/bug-tracker/www/send-summary-email.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/bug-tracker/www/send-summary-email.tcl,v
diff -u -N -r1.5 -r1.6
--- openacs-4/packages/bug-tracker/www/send-summary-email.tcl 24 Jun 2015 09:29:44 -0000 1.5
+++ openacs-4/packages/bug-tracker/www/send-summary-email.tcl 29 May 2016 10:50:02 -0000 1.6
@@ -10,7 +10,14 @@
 } {
 workflow_id:naturalnum,notnull
 {bug_id:naturalnum,optional,multiple ""}
- return_url:optional
+ {return_url:optional,trim,notnull "./"}
+} -validate {
+ valid_return_url -requires return_url {
+ # actually, one should use the page filter localurl from OpenACS 5.9
+ if {[util::external_url_p $return_url]} {
+ ad_complain "invalid return_url"
+ }
+ }
 }
 set title [_ bug-tracker.Send_Summary_Email]
@@ -19,10 +26,6 @@
 set user_id [auth::require_login]
 set sender_email [acs_user::get_element -user_id $user_id -element email]
-if {(![info exists return_url] || $return_url eq "")} {
- set return_url "./"
-}
-
 if {![llength $bug_id]} {
 ad_returnredirect -message [_ bug-tracker.No_selected_bugs] $return_url
 ad_script_abort
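Review bot: The `valid_return_url` block in the first hunk is the only check between a request-supplied `return_url` and the `ad_returnredirect ... $return_url` visible in the second hunk, and its coverage rests entirely on `util::external_url_p`, whose definition is not shown here. The in-code comment already names the preferred mechanism, so I would make it actionable, e.g. `# TODO: replace this validate block with the localurl page filter once OpenACS 5.9 is the minimum supported version`, so the hand-rolled check does not outlive its need. The complaint text `"invalid return_url"` is a hard-coded English string while the rest of the page uses message keys such as `[_ bug-tracker.Send_Summary_Email]`; a message key would be consistent. It is also worth confirming that an explicitly empty `return_url=` still falls back to `"./"` under `notnull`, since the `if` block removed in the second hunk used to handle that case.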