diff --git a/l.php b/l.php
index 286a17299cd1e51850b3760ed4e6d264244f7974..cbe9943fcb1010938abcfb76985e729d1f5f0324 100644
--- a/l.php
+++ b/l.php
@@ -14,8 +14,9 @@
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require 'secure.inc.php';
-$url = trim($_GET['url']);
-if (!$url || !Validator::is_url($url)) exit('Invalid url');
+//Basic url validation + token check.
+if (!($url=trim($_GET['url'])) || !Validator::is_url($url) || !$ost->validateLinkToken($_GET['auth']))
+    exit('Invalid url');
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>
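Review bot: The token check added to the `if` takes only `$_GET['auth']`, so nothing visible in this hunk ties the token to the `$url` that is about to be used. `validateLinkToken()` is defined outside this diff; if it compares against a per-session or otherwise URL-independent value, one valid token would be accepted for any URL that passes `Validator::is_url()`, and the redirect would still be usable with an arbitrary target. It is worth confirming that the token is derived from the URL (for example a keyed hash over `$url`) and compared in constant time, or passing `$url` into the validation so it can be. The identical hunk in scp/l.php has the same question.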
diff --git a/scp/l.php b/scp/l.php
index dec8c0a6a52dd62c0d02f3edebfeeeaa79c0c8fa..167b4cff3bdcfc902575be197012e93adfc0cf61 100644
--- a/scp/l.php
+++ b/scp/l.php
@@ -14,8 +14,9 @@
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require_once 'staff.inc.php';
-$url = trim($_GET['url']);
-if (!$url || !Validator::is_url($url)) exit('Invalid url');
+//Basic url validation + token check.
+if (!($url=trim($_GET['url'])) || !Validator::is_url($url) || !$ost->validateLinkToken($_GET['auth']))
+    exit('Invalid url');
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>
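Review bot: Both `$_GET['url']` and the newly read `$_GET['auth']` are dereferenced without checking that they exist, so a request missing either parameter raises an undefined-index notice before reaching `exit('Invalid url')`. Adding `!isset($_GET['url'], $_GET['auth']) ||` as the first clause of the condition would reject such requests cleanly. An array-valued `url[]` would also reach `trim()`, so an `is_string()` check may be worth adding. The assignment buried in the condition, `!($url=trim($_GET['url']))`, is easy to misread; keeping `$url = trim(...)` on its own line as before would be clearer. All of this applies equally to the same change in l.php.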