diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
index 3da7d0fd1..ece4e1aaf 100644
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@@ -988,6 +988,21 @@ function log_error($error)
 syslog(LOG_ERR, "$page: $error");
 }
+function url_safe($format, $args = array())
+{
+ if (!is_array($args)) {
+ /* just in case there's only one argument */
+ $args = array($args);
+ }
+
+ foreach ($args as $id => $arg) {
+ $args[$id] = urlencode($arg);
+ }
+
+ return vsprintf($format, $args);
+}
+
+
 /****f* util/exec_command
 * NAME
 * exec_command - Execute a command and return a string of the result.
diff --git a/src/www/system_usermanager.php b/src/www/system_usermanager.php
index d11006d16..225346009 100644
--- a/src/www/system_usermanager.php
+++ b/src/www/system_usermanager.php
@@ -173,7 +173,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 unset($a_user[$id]);
 write_config();
 $savemsg = sprintf(gettext('The user "%s" was successfully removed.'), $userdeleted);
- header("Location: system_usermanager.php?savemsg=".$savemsg);
+ header(url_safe('Location: system_usermanager.php?savemsg=%s', $savemsg));
 exit;
 }
 } elseif ($act == "delcert" && isset($id)) {
@@ -183,7 +183,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 unset($a_user[$id]['cert'][$pconfig['certid']]);
 write_config();
 $savemsg = sprintf(gettext('The certificate association "%s" was successfully removed.'), $certdeleted);
- header("Location: system_usermanager.php?savemsg=".$savemsg."&act=edit&userid=".$id);
+ header(url_safe('Location: system_usermanager.php?savemsg=%s&act=edit&userid=%s', array($savemsg, $id)));
 exit;
 } elseif ($act == "newApiKey" && isset($id)) {
 // every action is using the sequence of the user, to keep it understandable, we will use
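Review bot: `url_safe()` in the util.inc hunk has no doc comment, and its contract matters because every caller in this commit passes the result straight to `header()`: only the entries of `$args` are encoded, `$format` is emitted verbatim, so the format must remain a developer-controlled literal and never be assembled from request data. Suggested header comment: `/* Build a URL or Location header from a printf-style format whose %s placeholders are filled with urlencode()d query-string values; the format string itself is not encoded. */`. Because urlencode() produces form encoding (a space becomes '+'), the comment should also say the placeholders are meant for query-string values, not path segments, where rawurlencode() would be needed. Encoding the arguments neutralises CRLF and reserved characters inside the redirect URL, but it is not HTML escaping, so the page that later prints `savemsg` from `$_GET` still has to escape it for HTML (outside this diff). A placeholder/argument count mismatch makes vsprintf() fail (false with a warning on older PHP, ValueError on PHP 8) before anything reaches `header()`, which is worth stating in the comment or guarding against.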
@@ -209,7 +209,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $savemsg = gettext('No API key found');
 }
 // redirect
- header("Location: system_usermanager.php?savemsg=".$savemsg."&act=edit&userid=".$id);
+ header(url_safe('Location: system_usermanager.php?savemsg=%s&act=edit&userid=%s', array($savemsg, $id)));
 exit;
 } elseif (isset($pconfig['save'])) {
 // save user
@@ -347,17 +347,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 if (!empty($pconfig['chkNewCert'])) {
 // redirect to cert manager when a new cert is requested for this user
- header("Location: system_certmanager.php?act=new&userid=".(count($a_user)-1));
+ header(url_safe('Location: system_certmanager.php?act=new&userid=%s', count($a_user) - 1));
 } else {
- header("Location: system_usermanager.php");
+ header(url_safe('Location: system_usermanager.php'));
 exit;
 }
 }
 } elseif (isset($id)) {
- header("Location: system_usermanager.php?userid=".$id);
+ header(url_safe('Location: system_usermanager.php?userid=%s', $id));
 exit;
 } else {
- header("Location: system_usermanager.php");
+ header(url_safe('Location: system_usermanager.php'));
 exit;
 }
 }
diff --git a/src/www/system_usermanager_addprivs.php b/src/www/system_usermanager_addprivs.php
index 275cd7305..a157d9d61 100644
--- a/src/www/system_usermanager_addprivs.php
+++ b/src/www/system_usermanager_addprivs.php
@@ -52,7 +52,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $input_type = "group";
 $id = $_GET['groupid'];
 } else {
- header("Location: system_usermanager.php");
+ header(url_safe('Location: system_usermanager.php'));
 exit;
 }
 if ($input_type == "group") {
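Review bot: In the `chkNewCert` branch of the -347 hunk of system_usermanager.php, the rewritten `header(url_safe('Location: system_certmanager.php?act=new&userid=%s', count($a_user) - 1));` is the only redirect in this commit not followed by `exit;`, so the script keeps running after the Location header is sent and presumably continues into the page rendering below. That is pre-existing, but since the line is being rewritten anyway this is the moment to add `exit;` directly after it, matching the `else` branch two lines down. The enclosing save handler starts and ends outside the hunk, so I cannot see whether anything later depends on the fall-through; if it does, a short comment saying so would help the next reader. Minor: `url_safe('Location: system_usermanager.php')` with no placeholders still pushes the literal through vsprintf(), which is harmless today but means a literal `%` in a future static URL must be written as `%%`.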
@@ -80,7 +80,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $retval = write_config();
 $savemsg = get_std_save_message();
- header("Location: system_usermanager.php?act=edit&userid=".$userid."&savemsg=".$savemsg);
+ header(url_safe('Location: system_usermanager.php?act=edit&userid=%s&savemsg=%s', array($userid, $savemsg)));
 exit;
 } elseif ($_POST['input_type'] == 'group' && isset($config['system']['group'][$pconfig['id']]['name'])) {
 $groupid = $_POST['id'];
@@ -101,11 +101,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 write_config();
- header("Location: system_groupmanager.php?act=edit&groupid={$groupid}");
+ header(url_safe('Location: system_groupmanager.php?act=edit&groupid=%s', $groupid));
 exit;
 }
 }
- header("Location: system_usermanager.php");
+ header(url_safe('Location: system_usermanager.php'));
 exit;
 }