--- a/plugins/SpecialUserFuncs.php Tue Nov 16 12:44:22 2010 -0500
+++ b/plugins/SpecialUserFuncs.php Tue Jul 12 22:13:37 2011 -0400
@@ -143,7 +143,7 @@
}
if ( $p = $paths->getAllParams() )
{
- echo '<input type="hidden" name="return_to" value="'.$p.'" />';
+ echo '<input type="hidden" name="return_to" value="'.htmlspecialchars($p).'" />';
}
else if ( isset($_POST['login']) && isset($_POST['return_to']) )
{
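Review bot: The new `htmlspecialchars($p)` on the return_to hidden field relies on the function's defaults, which (before PHP 8.1) leave single quotes unescaped and assume a default charset that varies by PHP version; the attribute is double-quoted here, so it works, but the call should be explicit so it stays correct if the quoting or the site charset changes: `echo '<input type="hidden" name="return_to" value="'.htmlspecialchars($p, ENT_QUOTES, 'UTF-8').'" />';`. The value is later read back from `$_POST['return_to']` and passed to makeUrl (second hunk of this patch); presumably makeUrl only builds same-site page URLs, so this is escaping for the HTML context rather than a redirect-target check, which is worth stating in a comment on the echo.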
@@ -290,7 +290,7 @@
if(isset($_POST['return_to']))
{
$name = ( isset($paths->pages[$_POST['return_to']]['name']) ) ? $paths->pages[$_POST['return_to']]['name'] : $_POST['return_to'];
- redirect( makeUrl($_POST['return_to'], false, true), 'Login successful', 'You have successfully logged into the '.getConfig('site_name').' site as "'.$session->username.'". Redirecting to ' . $name . '...' );
+ redirect( makeUrl($_POST['return_to'], false, true), 'Login successful', 'You have successfully logged into the '.getConfig('site_name').' site as "'.$session->username.'". Redirecting to ' . htmlspecialchars($name) . '...' );
}
else
{
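Review bot: The rewritten redirect message escapes `$name` but still concatenates `$session->username` into the same HTML string unescaped; unless usernames are guaranteed HTML-safe at registration (not visible here), the two values should be treated alike: `'You have successfully logged into the '.getConfig('site_name').' site as "'.htmlspecialchars($session->username).'". Redirecting to ' . htmlspecialchars($name) . '...'`. Also note that `$name` may come from `$paths->pages[...]['name']` rather than the POST value, and if stored page names are already escaped this will double-encode them; a one-line comment above the assignment saying which form (raw or escaped) the pages table holds would settle that for the next reader.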
@@ -326,11 +326,17 @@
global $db, $session, $paths, $template, $plugins; // Common objects
if ( !$session->user_logged_in )
$paths->main_page();
+
+ $token = $paths->getParam(0);
+ if ( $token !== $session->csrf_token )
+ csrf_request_confirm();
+
+ $target_page = ($p = $paths->getParam(1)) ? $p : getConfig('main_page');
$l = $session->logout();
if ( $l == 'success' )
{
- redirect(makeUrl(getConfig('main_page'), false, true), 'Logged out', 'You have been successfully logged out, and all cookies have been cleared. You will now be transferred to the main page.', 4);
+ redirect(makeUrl($target_page, false, true), 'Logged out', 'You have been successfully logged out, and all cookies have been cleared. You will now be transferred to the main page.', 4);
}
$template->header();
echo '<h3>An error occurred during the logout process.</h3><p>'.$l.'</p>';