diff --git a/HISTORY.rst b/HISTORY.rst
index c882ceae3b..4d4e14628e 100644
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -36,6 +36,9 @@
   links' icons.
 - Documents app: Hide the title link of documents in the trash.
 - Workflow app: Define a redirection after workflow actions are edited.
+- Appearance app: avoid setting window.location directly to avoid exploit
+  of cross site scripting. Thanks to Lokesh (@lokesh1095) for the report
+  and solution. Closes GitLab issue #494.
 
 3.0.1 (2018-07-08)
 =================
diff --git a/mayan/apps/appearance/templates/appearance/base_plain.html b/mayan/apps/appearance/templates/appearance/base_plain.html
index b797b15a4e..f6f1da6e70 100644
--- a/mayan/apps/appearance/templates/appearance/base_plain.html
+++ b/mayan/apps/appearance/templates/appearance/base_plain.html
@@ -34,7 +34,7 @@
                 // template.
                 var currentHash = window.location.hash;
                 if (currentHash.length) {
-                    window.location = currentHash.substring(1);
+                    window.location.pathname = currentHash.substring(1);
                 }
 
                 function waitForJQuery(func) {