actually, my reply was not fully correct: NaviServer sanitizes all header fields since September 2013 (first i thought, i've missed this case, but it is covered as well).
https://bitbucket.org/naviserver/naviserver/commits/def03a4dc7568ca27ea5ee0111d51930d8d65801
however, the "double-fix" in OpenACS fixes the ad_returnredirect case for older versions of NaviServer and AolServer as well.
