Always loading the require_uri if entering the api_not_allowed see #6768

main/inc/lib/main_api.lib.php

@@ -2282,7 +2282,6 @@ function api_get_self() {
     return htmlentities($_SERVER['PHP_SELF']);
 }
 
-
 /* USER PERMISSIONS */
 
 /**
@@ -3045,11 +3044,11 @@ function api_not_allowed($print_headers = false, $message = null)
 
     global $this_section;
 
-    if (empty($user_id)) {
+    //if (empty($user_id)) {
 
-        // Why the CustomPages::enabled() need to be to set the request_uri
-        $_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
-    }
+    // Why the CustomPages::enabled() need to be to set the request_uri
+    $_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
+    //}
 
     if (CustomPages::enabled() && !isset($user_id)) {
         CustomPages::display(CustomPages::INDEX_UNLOGGED);

main/inc/lib/redirect.class.php

@@ -95,7 +95,9 @@ class Redirect {
         self::navigate("$www/user_portal.php");
     }
 
-    protected static function navigate($url) {
+    protected static function navigate($url)
+    {
+        $url = Security::remove_XSS($url);
         session_write_close(); //should not be neeeded
         header("Location: $url");
         exit;