Sanitize the return_to param to avoid XSS.
Update sprite icon markup to be up to HTML standard

Changelog: security
EE: true