diff --git a/app/controllers/images_controller.rb b/app/controllers/images_controller.rb
index 665c7ce64..2e1093f0b 100644
--- a/app/controllers/images_controller.rb
+++ b/app/controllers/images_controller.rb
@@ -11,7 +11,7 @@ class ImagesController < ApplicationController
 else
 flash[:alert] = t "images.actions.destroy.alert"
 end
- redirect_to params[:from]
+ redirect_to request.referer
 end
 format.js do
 if @image.destroy
diff --git a/app/views/budgets/investments/_investment_show.html.erb b/app/views/budgets/investments/_investment_show.html.erb
index 98d18e655..e112342b7 100644
--- a/app/views/budgets/investments/_investment_show.html.erb
+++ b/app/views/budgets/investments/_investment_show.html.erb
@@ -26,7 +26,7 @@
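Review bot: `redirect_to request.referer` on the added line raises instead of redirecting whenever the request carries no Referer header (a direct request, a client that strips the header, or a page served under a no-referrer policy), because `redirect_to` rejects a nil location. `redirect_back fallback_location: <same-app default path>` keeps the referer behaviour and substitutes a fixed in-app location when the header is missing. The Referer is still a client-supplied value, so if this redirect is meant to stay on this site, compare the referer's host with `request.host` before following it, or confirm the Rails version in use enforces its own same-host check on redirects. The `destroy` action begins and ends outside the hunk; the `format.js` branch that follows is not affected by this change.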

<%= t("budgets.investments.show.author") %>

- <%= link_to image_path(investment.image, from: request.url),
+ <%= link_to image_path(investment.image),
 method: :delete,
 class: "button hollow alert expanded" do %>
diff --git a/spec/controllers/images_controller_spec.rb b/spec/controllers/images_controller_spec.rb
new file mode 100644
index 000000000..5b83ac1c8
--- /dev/null
+++ b/spec/controllers/images_controller_spec.rb
@@ -0,0 +1,17 @@
+require "rails_helper"
+
+describe ImagesController do
+ let(:user) { create(:user) }
+ before { sign_in user }
+
+ describe "DELETE destroy" do
+ it "redirects to the referer URL" do
+ image = create(:image, imageable: create(:proposal, author: user))
+ request.env["HTTP_REFERER"] = "/proposals"
+
+ delete :destroy, params: { id: image, from: "http://evil.dev" }
+
+ expect(response).to redirect_to "/proposals"
+ end
+ end
+end
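Review bot: The new spec pins that the `from` parameter is ignored, but it has no example for a request that sends no Referer header, which is the path where the controller's `redirect_to request.referer` is left with nothing to redirect to. A second example inside `describe "DELETE destroy"` that omits `request.env["HTTP_REFERER"]` and asserts a redirect would cover it; with the controller as committed that example would currently raise rather than redirect, so it also documents whichever fallback the controller adopts. The expected status below assumes the controller is given a fallback location; adjust the assertion if a different outcome is intended.
```ruby
  describe "DELETE destroy" do
    # … unchanged: "redirects to the referer URL" example …

    it "still redirects when no Referer header is sent" do
      image = create(:image, imageable: create(:proposal, author: user))

      delete :destroy, params: { id: image }

      expect(response).to have_http_status(:redirect)
    end
  end
```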