AbstractAuthenticationTargetUrlRequestHandler#determineTargetUrl(HttpServletRequest, HttpServletResponse) calls URLDecoder.decode, and the result is directly fed to DefaultRedirectStrategy by default, which does not filter line feeds, allowing a custom header to be injected after "Location".
I think this is probably best addressed in a standard response wrapper which is injected into the filter chain by the FilterChainProxy. This will cover all attempts to redirect to an invalid location rather than just those which use the default redirect strategy. In future we should also support pluggable request and response validation strategies (allowing, for example, the use of the ESAPI validator as an option) rather than attempting to provide a generic blacklist.
The redirect location is now sanitized in a FirewalledResponse class which wraps the response. Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.
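The following is an added illustration of the issue discussed in this thread, not code from Spring Security or from the FirewalledResponse class mentioned above. It uses only the JDK: it percent-decodes a constructed redirect parameter the way URLDecoder.decode would, shows what the raw response header block looks like when the decoded value is written into Location verbatim, and then applies a simple CR/LF check of the kind a sanitizing response wrapper would perform before calling sendRedirect. The parameter name and the sanitizeLocation method are assumptions for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class RedirectCrlfExample {

    // Simulates a container writing the redirect target into the status line and
    // Location header without any filtering (the behaviour described in the report).
    static String rawRedirectHeaders(String location) {
        return "HTTP/1.1 302 Found\r\n"
             + "Location: " + location + "\r\n"
             + "\r\n";
    }

    // Hypothetical check in the spirit of a sanitizing response wrapper: a redirect
    // target must never contain CR or LF, otherwise the client sees extra header lines.
    static String sanitizeLocation(String location) {
        if (location.indexOf('\r') >= 0 || location.indexOf('\n') >= 0) {
            throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in redirect location");
        }
        return location;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value, e.g. from a query parameter such as
        // ?redirect=... (parameter name assumed). %0d%0a decodes to "\r\n".
        String param = "/home%0d%0aSet-Cookie:%20JSESSIONID=attacker";

        // Same decoding step as determineTargetUrl performs via URLDecoder.decode
        // (the Charset overload requires Java 10 or later).
        String decoded = URLDecoder.decode(param, StandardCharsets.UTF_8);

        // Unfiltered: the decoded CRLF ends the Location header early and the
        // remainder arrives at the browser as a second, attacker-chosen header.
        System.out.print(rawRedirectHeaders(decoded));

        // Sanitized: the wrapper refuses the redirect instead of emitting it.
        try {
            sanitizeLocation(decoded);
            System.out.println("redirect allowed");
        } catch (IllegalArgumentException e) {
            System.out.println("redirect rejected: " + e.getMessage());
        }
    }
}
```

Run it and compare the two outputs: the unfiltered block contains a "Set-Cookie: JSESSIONID=attacker" line that was never set by the application, while the check rejects the value outright. Rejecting rather than stripping is the safer choice, since a target that contains control characters is never a legitimate redirect and silently "cleaning" it can still leave an attacker-chosen location in the header.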