diff --git a/CHANGELOG b/CHANGELOG
index ce4366e90..bdd183ff7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -323,6 +323,7 @@
 - fixed setting group approvers from previous document version
 - very experimental support of memcached for accelerating some database operations (do not use in production)
+- prevent malicious manipulation of referer when setting language
 --------------------------------------------------------------------------------
 Changes in version 5.1.38
diff --git a/op/op.SetLanguage.php b/op/op.SetLanguage.php
index 9cb0b2d02..f9a2da8b8 100644
--- a/op/op.SetLanguage.php
+++ b/op/op.SetLanguage.php
@@ -31,5 +31,4 @@ include("../inc/inc.Authentication.php");
 $session->setLanguage($_GET['lang']);
-header("Location: http".((isset($_SERVER['HTTPS']) && (strcmp($_SERVER['HTTPS'],'off')!=0)) ? "s" : "")."://".$_SERVER['HTTP_HOST'].$_GET['referer']);
-?>
+header("Location: http".((isset($_SERVER['HTTPS']) && (strcmp($_SERVER['HTTPS'],'off')!=0)) ? "s" : "")."://".$_SERVER['HTTP_HOST'].decryptData($settings->_encryptionKey, $_GET['referer']));
diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index e4087d929..43afb91dd 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -464,7 +464,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);; echo "
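Review bot: The plaintext that `decryptData(...)` returns on the new `header(...)` line in op.SetLanguage.php is appended to the Location header with no check on its shape, so the redirect is only as safe as `decryptData` is at refusing anything this application did not encrypt; `decryptData` lives elsewhere, and whether it authenticates the ciphertext (rather than just decrypting it) cannot be seen from the hunk, so a cheap check that the result is a local path is worth adding as defence in depth. The same line still reads `$_GET['referer']` without `isset`, and whatever `decryptData` returns for a missing or damaged value (presumably `false` or an empty string, not visible here) is concatenated as-is, which at best sends the user to the bare host. Suggested shape below, falling back to `$settings->_httpRoot` whenever the decrypted value is not a usable path; the `?>` removal is fine.
```php
$session->setLanguage($_GET['lang']);

// The referer only ever names a path on this host; fall back to the site root when the
// parameter is absent or does not decrypt to something that looks like one.
$referer = isset($_GET['referer']) ? decryptData($settings->_encryptionKey, $_GET['referer']) : '';
if (!is_string($referer) || $referer === '' || $referer[0] !== '/' || substr($referer, 0, 2) === '//') {
    $referer = $settings->_httpRoot;
}
header("Location: http".((isset($_SERVER['HTTPS']) && (strcmp($_SERVER['HTTPS'],'off')!=0)) ? "s" : "")."://".$_SERVER['HTTP_HOST'].$referer);
```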
  • "; else echo "
  • "; - echo "params['settings']->_httpRoot."op/op.SetLanguage.php?lang=".$currLang."&referer=".$_SERVER["REQUEST_URI"]."\">"; + echo "params['settings']->_httpRoot."op/op.SetLanguage.php?lang=".$currLang."&referer=".urlencode(encryptData($this->params['settings']->_encryptionKey, $_SERVER["REQUEST_URI"]))."\">"; echo getMLText($currLang)."
  • \n"; } echo " \n";
diff --git a/views/bootstrap4/class.Bootstrap4.php b/views/bootstrap4/class.Bootstrap4.php
index c2be23b6d..7c4f0ecf2 100644
--- a/views/bootstrap4/class.Bootstrap4.php
+++ b/views/bootstrap4/class.Bootstrap4.php
@@ -472,7 +472,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);; echo " params['settings']->_httpRoot."op/op.SetLanguage.php?lang=".$currLang."&referer=".$_SERVER["REQUEST_URI"]."\">"; + echo " href=\"".$this->params['settings']->_httpRoot."op/op.SetLanguage.php?lang=".$currLang."&referer=".urlencode(encryptData($this->params['settings']->_encryptionKey, $_SERVER["REQUEST_URI"]))."\">"; echo getMLText($currLang)."\n"; } echo " \n";
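Review bot: The rewritten `href` lines in class.Bootstrap.php and class.Bootstrap4.php each build the same expression `urlencode(encryptData($this->params['settings']->_encryptionKey, $_SERVER["REQUEST_URI"]))` inline, so the two views will drift apart the next time the token format or key changes; a single helper on the shared view base (say `getSetLanguageUrl($currLang)`, returning the whole `op.SetLanguage.php?lang=…&referer=…` URL) would keep them in lockstep and gives a place for a docblock stating that the referer must be encrypted with the same `_encryptionKey` that op.SetLanguage.php decrypts with. Since the line is being rewritten anyway, the literal `&` inside the attribute value should be `&amp;`, and `$currLang` is still interpolated into both the query string and the attribute without escaping, which is only fine if it always comes from the installed language list, something the hunk does not show. The enclosing loop and method start outside both hunks.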