diff --git a/flask_security/utils.py b/flask_security/utils.py
index f75a17e..ea3bffa 100644
--- a/flask_security/utils.py
+++ b/flask_security/utils.py
@@ -212,7 +212,7 @@ def validate_redirect_url(url):
         return False
     url_next = urlsplit(url)
     url_base = urlsplit(request.host_url)
-    if url_next.netloc and url_next.netloc != url_base.netloc:
+    if (url_next.netloc or url_next.scheme) and url_next.netloc != url_base.netloc:
         return False
     return True
 
diff --git a/tests/test_common.py b/tests/test_common.py
index 7eeb298..b91c5e4 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -40,6 +40,12 @@ def test_authenticate_with_invalid_next(client, get_message):
     assert get_message('INVALID_REDIRECT') in response.data
 
 
+def test_authenticate_with_invalid_malformed_next(client, get_message):
+    data = dict(email='matt@lp.com', password='password')
+    response = client.post('/login?next=http:///google.com', data=data)
+    assert get_message('INVALID_REDIRECT') in response.data
+
+
 def test_authenticate_case_insensitive_email(app, client):
     response = authenticate(client, 'MATT@lp.com', follow_redirects=True)
     assert b'Hello matt@lp.com' in response.data
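Review bot: The widened condition in validate_redirect_url has no comment saying why `url_next.scheme` now participates, and the `(netloc or scheme) and netloc != base` shape makes the intent (reject anything that is not a relative path or a same-host absolute URL) hard to read. I would add, above the `if`, `# Only a bare relative path, or an absolute URL whose netloc is this host, may be followed; a scheme with an empty netloc (e.g. "http:///google.com") is neither and browsers may still resolve it off-site.` and consider writing the decision as an allow-list: `if not url_next.scheme and not url_next.netloc: return True` followed by `return url_next.netloc == url_base.netloc`, which is equivalent and reads as the policy it enforces. Note that the comparison base is `request.host_url`, which Flask derives from the request's Host header, so the check is only as trustworthy as the app's host configuration; that is worth stating in the function's docstring. The def line and any docstring of validate_redirect_url lie outside this hunk.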
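Review bot: The new test only pins the rejecting side of the stricter check; since the condition now fires on any non-empty scheme, a companion positive case that an absolute `next` pointing at the app's own host is still accepted would guard against a regression where same-host absolute redirects start being refused. The `dict(email=..., password=...)` form is a style nit: `data = {'email': 'matt@lp.com', 'password': 'password'}` matches the literal style the cheat sheet and most of this codebase's tests use, and the two `assert get_message('INVALID_REDIRECT') in response.data` lines could share a short helper if the preceding test (its body is partly outside the hunk) posts the same way.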