drupal core updated to 7.28

modules/overlay/overlay.module

@@ -146,6 +146,10 @@ function overlay_init() {
       // If this page shouldn't be rendered inside the overlay, redirect to the
       // parent.
       elseif (!path_is_admin($current_path)) {
+        // Prevent open redirects by ensuring the current path is not an absolute URL.
+        if (url_is_external($current_path)) {
+          $current_path = '<front>';
+        }
         overlay_close_dialog($current_path, array('query' => drupal_get_query_parameters(NULL, array('q', 'render'))));
       }