diff --git a/framework/assets/yii.js b/framework/assets/yii.js
index 6384d07d172..ce8a00d8ea9 100644
--- a/framework/assets/yii.js
+++ b/framework/assets/yii.js
@@ -223,7 +223,7 @@ window.yii = (function ($) {
                 }
             } else {
                 if (!isValidAction) {
-                    action = pub.getCurrentUrl();
+                    action = pub.getSafeUrl();
                 }
                 $form = $('<form/>', {method: method, action: action});
                 var target = $e.attr('target');
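Review bot: The new fallback on the `action = pub.getSafeUrl();` line carries no explanation of why a filtered copy of the current URL is used instead of the real one, and the reader has to jump to `getSafeUrl` to learn that characters are silently dropped from the submission target. A one-line comment would make the intent and the trade-off visible at the call site, e.g. `// Fall back to the current URL with characters that could break out of the action attribute stripped`. Since jQuery sets `action` here through the attribute API rather than by building an HTML string, it is presumably not this `$('<form/>', …)` call that needed protecting; if the stripping is meant to stop markup injection elsewhere, that assumption deserves recording next to the call. The enclosing function, including the computation of `isValidAction`, starts and ends outside this hunk.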
@@ -350,7 +350,16 @@ window.yii = (function ($) {
          */
         getCurrentUrl: function () {
             return window.location.href;
-        }
+        },
+
+        /**
+         * Returns the safest URL possiblebased on getCurrentUrl
+         * @returns {string}
+         */
+        getSafeUrl: function () {
+            var url = this.getCurrentUrl();
+            return url.replace(/[^\d\w\&\?\=\[\]\/\:\.]*/gmi, "");
+        },
     };
 
     function initCsrfHandler() {
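Review bot: The allowlist in `getSafeUrl` is too narrow and silently rewrites the destination: `-`, `%`, `+`, `~` and `@` are legal URL characters, so `https://api-v2.example.com/a%20b?q=x+y` becomes `https://apiv2.example.com/a20b?q=xy`, which posts the form to a different host with altered path and query. The stripping should remove only the characters that can break out of an attribute or be parsed as markup (quotes, `<`, `>`, backslash, backtick, whitespace, `{}`, `|`, `^`) and keep the RFC 3986 set, e.g. `return pub.getCurrentUrl().replace(/[^\w\-.~:\/?\[\]@!$&()*+,;=%]+/g, '');` — using `pub` as the caller on line 10 does, `+` instead of `*` so the regex never matches the empty string, and dropping the `m`/`i` flags, which have no effect on a bare character class. The JSDoc has a typo ("possiblebased") and should say what is removed, e.g. "Returns the current URL with characters that are not valid in a URL (quotes, angle brackets, whitespace, etc.) removed, so it can be used as a form action." The fragment is still dropped by this allowlist, which is harmless for a form action since it is not sent to the server.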