diff --git a/renderer.php b/renderer.php
index 64fb01c..2e4981a 100644
--- a/renderer.php
+++ b/renderer.php
@@ -138,7 +138,7 @@ public function render_envbar($match, $fixed = true, $envs = array()) {
 if (!isset($config->stringseparator)) {
 $config->stringseparator = '-'; // Set default.
 }
- if ($match->lastrefresh > 0) {
+ if (property_exists($match, 'lastrefresh') && $match->lastrefresh > 0) {
 $show = format_time(time() - $match->lastrefresh);
 $num = strtok($show, ' ');
 $unit = strtok(' ');
diff --git a/toggle_debugging.php b/toggle_debugging.php
index 185c471..71b4847 100644
--- a/toggle_debugging.php
+++ b/toggle_debugging.php
@@ -38,5 +38,9 @@ envbarlib::set_debug_config($CFG->debug);
 // Go back to current page.
 $redirecturl = base64_decode(required_param('redirect', PARAM_RAW));
+$redirecturl = clean_param($redirecturl, PARAM_URL);
+if (strpos($redirecturl, '/') !== 0) {
+ print_error('Access denied.');
+}
 redirect($redirecturl);
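Review bot: In renderer.php, the new guard `property_exists($match, 'lastrefresh')` does not see a field exposed through `__get`/`__isset`, and on PHP 8 it throws a TypeError when `$match` is not an object or class name. `if (!empty($match->lastrefresh) && $match->lastrefresh > 0) {` handles the missing, null and zero cases in one test without that restriction. The body of render_envbar starts and ends outside this hunk, so which types `$match` can take is not visible here.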
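Review bot: In toggle_debugging.php, the leading-slash test does not by itself keep the redirect on-site. A decoded value that begins with `//` is scheme-relative and still satisfies `strpos($redirecturl, '/') === 0`, and whether `PARAM_URL` rejects such a value is not visible here. Moodle's `PARAM_LOCALURL` exists for this case, so `$redirecturl = clean_param($redirecturl, PARAM_LOCALURL);` followed by `if ($redirecturl === '') {` would be the tighter form. `print_error()` takes a language-string identifier, so `'Access denied.'` will probably render as a missing-string placeholder; an existing identifier or a `moodle_exception` would be clearer. The check also sits after the `envbarlib::set_debug_config()` call shown in the hunk header, so a rejected request has presumably already changed the debug setting.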