--- includes/common.inc.orig 2007-10-26 14:54:32.323176765 -0400
+++ includes/common.inc 2007-10-26 14:55:30.171044040 -0400
@@ -149,10 +149,6 @@ function drupal_get_destination() {
  * 'user login'-block in a sidebar. The function drupal_get_destination()
  * can be used to help set the destination URL.
  *
- * It is advised to use drupal_goto() instead of PHP's header(), because
- * drupal_goto() will append the user's session ID to the URI when PHP is
- * compiled with "--enable-trans-sid".
- *
  * This function ends the request; use it rather than a print theme('page')
  * statement in your menu callback.
  *
@@ -174,6 +170,8 @@ function drupal_goto($path = '', $query
   }
   $url = url($path, $query, $fragment, TRUE);
+  // Remove newlines from the URL to avoid header injection attacks.
+  $url = str_replace(array("\n", "\r"), '', $url);
   if (ini_get('session.use_trans_sid') && session_id() && !strstr($url, session_id())) {
     $sid = session_name() . '=' . session_id();