diff --git a/ecrire/action/cookie.php b/ecrire/action/cookie.php
index 6882e44dae4c9651bddf5909d124c94c7f4eaa39..9d71e8b985c34c8cc1b3a9818025e8691e2905d3 100644
--- a/ecrire/action/cookie.php
+++ b/ecrire/action/cookie.php
@@ -19,8 +19,8 @@ include_spip('inc/cookie');
 function action_cookie_dist() {
 
 	// La cible de notre operation de connexion
-	$url = _request('url');
-	$redirect = isset($url) ? $url : _DIR_RESTREINT;
+	$url = securiser_redirect_action(_request('url'));
+	$redirect = $url ? $url : generer_url_ecrire('accueil');
 	$redirect_echec = _request('url_echec');
 	if (!isset($redirect_echec)) {
 		if (strpos($redirect,_DIR_RESTREINT_ABS)!==false)
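Review bot: The new `$url = securiser_redirect_action(_request('url'));` line hands the raw request value to a helper that ends in `trim()`, so a request sending `url[]=...` (an array) would produce a warning on PHP 7 and a TypeError on PHP 8 before the absolute-URL check runs; the same commit casts `exec` and `_SPIP_PAGE` to string, so `$url = securiser_redirect_action((string)_request('url'));` would be consistent with those hunks. The fallback `$redirect = $url ? $url : generer_url_ecrire('accueil');` is a truthiness test, so both a neutralised empty string and a literal `'0'` fall back to the home page; a one-line comment such as `// url vide ou refusee (absolue) : retour a l'accueil de l'espace prive` would make that intentional. `securiser_redirect_action()` is defined in ecrire/public/aiguiller.php rather than in a file this action includes, so presumably it relies on always being dispatched through `traiter_appels_actions()`; that dependency is worth stating. The body of `action_cookie_dist()` continues past the end of the hunk.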
diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php
index 24dc2cca556e51f0d8b9a75e90b1a63913434689..a5348673a1550a0507a3516a35415870990f969f 100644
--- a/ecrire/inc/utils.php
+++ b/ecrire/inc/utils.php
@@ -210,6 +210,16 @@ function set_request($var, $val = NULL, $c=false) {
 	return false; # n'affecte pas $c
 }
 
+
+/**
+ * Tester si une url est absolue
+ * @param  $url
+ * @return bool
+ */
+function tester_url_absolue($url){
+	return preg_match(";^([a-z]+:)?//;Uims",trim($url))?true:false;
+}
+
 //
 // Prend une URL et lui ajoute/retire un parametre.
 // Exemples : [(#SELF|parametre_url{suite,18})] (ajout)
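Review bot: The docblock for `tester_url_absolue()` gives no type for `$url` and no description of what "absolue" means here; since the function is now the single gate for the redirect checks in aiguiller.php and login.php, its contract should be explicit: `@param string $url` and `@return bool true if $url starts with a scheme (xxx:) or is protocol-relative (//host)`. The `m` modifier makes `^` also match after an embedded newline, so a value whose second line begins with `//` is reported as absolute; that is the safe direction for blocking a redirect but should be noted in the docblock rather than left implicit, and `U` and `s` do nothing for this pattern. Non-string input reaches `trim()` unguarded (a TypeError on PHP 8 for arrays), so `trim((string)$url)` would make the helper robust to the `_request()` values its callers pass it. The `?true:false` can be written `(bool) preg_match(...)`; a PCRE failure (false) still maps to false either way.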
diff --git a/ecrire/index.php b/ecrire/index.php
index a1c1e583bae6acc8bc53239953ccce5364fbda08..a175a333fe42bc486d881f5e3c4317a7ff234945 100644
--- a/ecrire/index.php
+++ b/ecrire/index.php
@@ -24,7 +24,7 @@ include_spip('inc/cookie');
 // Determiner l'action demandee
 //
 
-$exec = _request('exec');
+$exec = (string)_request('exec');
 $reinstall = _request('reinstall')?_request('reinstall'):($exec=='install'?'oui':NULL);
 //
 // Les scripts d'insallation n'authentifient pas, forcement,
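Review bot: The `(string)` cast on `_request('exec')` neutralises an array-valued `exec[]` parameter by turning it into the literal string `"Array"` (with an "Array to string conversion" warning), so it defuses the type confusion without rejecting the request; the identical cast on `$_GET[_SPIP_PAGE]` in ecrire/public.php has the same property. A short comment would make the intent clear to the next reader, for example `// force une chaine : un tableau (exec[]=) devient "Array" et ne correspond a aucun script`. The next line still reads `_request('reinstall')` uncast and twice, which the cast does not cover.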
diff --git a/ecrire/public.php b/ecrire/public.php
index 9a89e4b8b2f026ac3adf3bc2c2c0c287b329d88d..a4702dd0dabf0811ecf773093c9a2de30128cc86 100644
--- a/ecrire/public.php
+++ b/ecrire/public.php
@@ -38,7 +38,7 @@ if (isset($GLOBALS['_INC_PUBLIC'])) {
 
 	// fond demande dans l'url par page=xxxx ?
 	else if (isset($_GET[_SPIP_PAGE])) {
-		$fond = $_GET[_SPIP_PAGE];
+		$fond = (string)$_GET[_SPIP_PAGE];
 
 		// Securite
 		if (strstr($fond, '/')
diff --git a/ecrire/public/aiguiller.php b/ecrire/public/aiguiller.php
index 7f7974d50aca70163d515b1c5ee76abe72950992..414b51ac1d031196068d8ebd4b381234957793a4 100644
--- a/ecrire/public/aiguiller.php
+++ b/ecrire/public/aiguiller.php
@@ -12,6 +12,12 @@
 
 if (!defined('_ECRIRE_INC_VERSION')) return;
 
+function securiser_redirect_action($redirect){
+	if (tester_url_absolue($redirect) AND !defined('_AUTORISER_ACTION_ABS_REDIRECT'))
+		$redirect = "";
+	return $redirect;
+}
+
 // http://doc.spip.org/@traiter_appels_actions
 function traiter_appels_actions(){
 	// cas de l'appel qui renvoie une redirection (302) ou rien (204)
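Review bot: `securiser_redirect_action()` is introduced without any documentation although it becomes the central redirect guard for actions; a docblock should state the rule and the opt-out constant, for example `/** Refuse une cible de redirection absolue (schema ou //hote) apres une action, sauf si le webmestre definit _AUTORISER_ACTION_ABS_REDIRECT. @param string $redirect @return string la cible, ou "" si elle est refusee */`. The constant name parallels `_AUTORISER_LOGIN_ABS_REDIRECT` used in prive/formulaires/login.php but is a separate switch, which the docblock should also say so that enabling one is not assumed to enable the other. The function depends on `tester_url_absolue()` from ecrire/inc/utils.php; presumably that file is always loaded by the time actions are dispatched, but a comment naming the dependency would help.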
@@ -30,13 +36,17 @@ function traiter_appels_actions(){
 			$url = parametre_url($url,'var_ajax',$v,'&');
 			$url = parametre_url($url,'var_ajax_env',$args,'&');
 			set_request('redirect',$url);
-		}		
+		}
+		else if(_request('redirect')){
+			set_request('redirect',securiser_redirect_action(_request('redirect')));
+		}
 		$var_f = charger_fonction($action, 'action');
 		$var_f();
 		if (!isset($GLOBALS['redirect'])) {
 			$GLOBALS['redirect'] = _request('redirect');
 			if ($_SERVER['REQUEST_METHOD'] == 'POST')
 				$GLOBALS['redirect'] = urldecode($GLOBALS['redirect']);
+			$GLOBALS['redirect'] = securiser_redirect_action($GLOBALS['redirect']);
 		}
 		if ($url = $GLOBALS['redirect']) {
 			// si l'action est provoque par un hit {ajax}
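Review bot: The added `$GLOBALS['redirect'] = securiser_redirect_action($GLOBALS['redirect']);` sits inside `if (!isset($GLOBALS['redirect']))`, so it only runs when the action did not set the global itself; an action that assigns `$GLOBALS['redirect']` on its own (for instance from a value it urldecodes) is never checked here, and the earlier `else if(_request('redirect'))` branch only sees the still-encoded request value. Moving that one line to just after the closing brace of the `if` block, so it runs unconditionally before `if ($url = $GLOBALS['redirect'])`, would cover both paths. Like the cookie.php hunk, the `_request('redirect')` value is passed to the helper uncast, so an array parameter would hit `trim()` and fail with a TypeError on PHP 8. The enclosing `traiter_appels_actions()` starts and ends outside this hunk.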
diff --git a/prive/formulaires/login.php b/prive/formulaires/login.php
index c999804053d73551e012845330b064bb073baa4c..f14de6ac237affbe70fca926e63a80a65dcb003e 100644
--- a/prive/formulaires/login.php
+++ b/prive/formulaires/login.php
@@ -15,8 +15,9 @@ if (!defined('_ECRIRE_INC_VERSION')) return;
 include_spip('base/abstract_sql');
 
 function is_url_prive($cible){
-	$parse = parse_url($cible);
-	return strncmp(substr($parse['path'],-strlen(_DIR_RESTREINT_ABS)), _DIR_RESTREINT_ABS, strlen(_DIR_RESTREINT_ABS))==0;
+	include_spip('inc/filtres_mini');
+	$path = parse_url(tester_url_absolue($cible)?$cible:url_absolue($cible),PHP_URL_PATH);
+	return strncmp(substr($path,-strlen(_DIR_RESTREINT_ABS)), _DIR_RESTREINT_ABS, strlen(_DIR_RESTREINT_ABS))==0;
 }
 
 function formulaires_login_charger_dist($cible="",$login="",$prive=null)
@@ -194,7 +195,7 @@ function formulaires_login_traiter_dist($cible="",$login="",$prive=null){
 
 		// si c'est une url absolue, refuser la redirection
 		// sauf si cette securite est levee volontairement par le webmestre
-		elseif (preg_match(";^([a-z]+:)?//;Uims",$cible) AND !defined('_AUTORISER_LOGIN_ABS_REDIRECT')) {
+		elseif (tester_url_absolue($cible) AND !defined('_AUTORISER_LOGIN_ABS_REDIRECT')) {
 			$cible = "";
 		}
 	}