diff --git a/course/lib.php b/course/lib.php
index d0addd5ad9fe2..19b2f12ff41b7 100644
--- a/course/lib.php
+++ b/course/lib.php
@@ -241,19 +241,50 @@ function make_log_url($module, $url) {
 case 'message':
 case 'calendar':
 case 'blog':
- return "/$module/$url";
+ if (strpos($url, '../') === 0) {
+ $url = ltrim($url, '.');
+ } else {
+ $url = "/course/$url";
+ }
+ break;
+ $url = "/$module/$url";
 break;
 case 'upload':
- return $url;
+ $url = $url;
 break;
 case 'library':
 case '':
- return '/';
+ $url = '/';
 break;
 default:
- return "/mod/$module/$url";
+ $url = "/mod/$module/$url";
 break;
 }
+
+ //now let's sanitise urls - there might be some ugly nasties:-(
+ $parts = explode('?', $url);
+ $script = array_shift($parts);
+ if (strpos($script, 'http') === 0) {
+ $script = clean_param($script, PARAM_URL);
+ } else {
+ $script = clean_param($script, PARAM_PATH);
+ }
+
+ $query = '';
+ if ($parts) {
+ $query = implode('', $parts);
+ $query = str_replace('&', '&', $query); // both & and & are stored in db :-|
+ $parts = explode('&', $query);
+ $eq = urlencode('=');
+ foreach ($parts as $key=>$part) {
+ $part = urlencode(urldecode($part));
+ $part = str_replace($eq, '=', $part);
+ $parts[$key] = $part;
+ }
+ $query = '?'.implode('&', $parts);
+ }
+
+ return $script.$query;
 }
@@ -415,10 +446,6 @@ function print_log($course, $user=0, $date=0, $order="l.time ASC", $page=0, $per
 //Filter log->info
 $log->info = format_string($log->info);
- $log->url = strip_tags(urldecode($log->url)); // Some XSS protection
- $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = s($log->url); /// XSS protection and XHTML compatibility - should be in link_to_popup_window() instead!!
-
 echo '';
 if ($course->id == SITEID) {
 echo "\n";
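Review bot: `$query = implode('', $parts);` drops every `?` after the first, so a stored URL whose query itself contains a `?` (say `view.php?a=1?b`, a constructed example) is rebuilt as `view.php?a=1b`, a different link; `$query = implode('?', $parts);` keeps the text and the `urlencode(urldecode(...))` loop below then encodes the extra `?` as `%3F`. Two smaller oddities in the same hunk: `$url = $url;` in the `upload` case is a no-op, and `$url = "/$module/$url";` after the first added `break;` is unreachable as the hunk reads (if the rendering lost lines there, ignore that part). Now that the function also cleans the value it deserves a header comment stating the contract, e.g. `// Builds the site-relative link for a log entry; the result is validated via clean_param but not escaped, so callers escape for their output context.`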
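Review bot: Removing `$log->url = s($log->url);` takes away the escaping applied to the link target before it is echoed further down print_log (outside the hunk), and make_log_url's clean_param pass validates the value rather than escaping it for markup; unless link_to_popup_window() (or whatever builds the href, not visible here) escapes its URL argument, the href should still go through `s()` at the point it is embedded. The same `$log->url` lines are dropped in the print_log_csv and print_log_ooo hunks, which write plain text rather than markup, so there the only question is whether the query string as make_log_url now joins it is the form wanted in an export.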
@@ -506,10 +533,7 @@ function print_log_csv($course, $user, $date, $order='l.time DESC', $modname,
 //Filter log->info
 $log->info = format_string($log->info);
-
- $log->url = strip_tags(urldecode($log->url)); // Some XSS protection
 $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = str_replace('&', '&', $log->url); /// XHTML compatibility
 $firstField = $courses[$log->course];
 $fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id)));
@@ -710,10 +734,7 @@ function print_log_ooo($course, $user, $date, $order='l.time DESC', $modname,
 // Filter log->info
 $log->info = format_string($log->info);
-
- $log->url = strip_tags(urldecode($log->url)); // Some XSS protection
 $log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = str_replace('&', '&', $log->url); // XHTML compatibility
 $firstField = $courses[$log->course];
 $fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id)));