Merge r607282 from trunk: * Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. Submitted by: Mark Cox, Joe Orton Reviewed by: rpluem, fuankg, wrowe