Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -r4c67a2ae3d9ce7db7a06acd6ffca248e3f6e0937 -r0ce9905dea8fbef2c94b68d69fae13d71512c55d
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 4c67a2ae3d9ce7db7a06acd6ffca248e3f6e0937)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 0ce9905dea8fbef2c94b68d69fae13d71512c55d)
@@ -34,7 +34,6 @@
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import org.apache.commons.lang.StringUtils;
@@ -81,16 +80,9 @@
 // LoginRequestServlet (integrations) and LoginAsAction (sysadmin) set this parameter
 String redirectURL = request.getParameter("redirectURL");
 if (!StringUtils.isBlank(redirectURL)) {
- // prevent XSS attack
- if (redirectURL.contains("<")) {
- HttpServletResponse response = (HttpServletResponse) context.getServletResponse();
- response.sendError(HttpServletResponse.SC_BAD_REQUEST,
- "redirectURL parameter contains HTML tags");
- return;
- }
 SsoHandler.handleRedirectBack(context, redirectURL);
 }
-
+
 /* Fetch UserDTO before completing request so putting it later in session is done ASAP
 * Response is sent in another thread and if UserDTO is not present in session when browser completes redirect,
 * it results in error. Winning this race is the easiest option.
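Review bot: In the second hunk the request-supplied `redirectURL` now reaches `SsoHandler.handleRedirectBack(context, redirectURL)` with no validation visible on the new side, so unless the check moved into `handleRedirectBack` (not shown here) this leaves an attacker-controllable redirect target unguarded. The removed `contains("<")` test was not an adequate control either: a redirect parameter should be validated as a relative path or a same-host URL (for example by parsing it with `java.net.URI` and rejecting an absolute URI whose scheme or host is not the application's own) rather than filtered for a single character. If the validation does live in `handleRedirectBack`, a comment at the call site such as `// redirectURL is validated (same-origin / relative only) inside handleRedirectBack` would keep the next reader from reading this as an unvalidated pass-through. The enclosing method starts and ends outside the hunk.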