diff --git a/contrib/src/sparkle/rules.mak b/contrib/src/sparkle/rules.mak
index 41459aeb9bf8e04e30d8c29687ff064206e07253..0b758a7c18dd89c1b922263e4b53e82a2a89fea9 100644
--- a/contrib/src/sparkle/rules.mak
+++ b/contrib/src/sparkle/rules.mak
@@ -16,6 +16,8 @@ sparkle: Sparkle-$(SPARKLE_VERSION).zip .sum-sparkle
 	$(UNPACK)
 	$(APPLY) $(SRC)/sparkle/sparkle-fix-compilation-on-snowleopard.patch
 	$(APPLY) $(SRC)/sparkle/sparkle-fix-runtime-exception-on-snowleopard.patch
+	$(APPLY) $(SRC)/sparkle/sparkle-disable-redirects-to-non-HTTP-URLs-in-release-notes.patch
+	$(APPLY) $(SRC)/sparkle/sparkle-prevent-inclusion-of-local-files-via-file-XML-entiti.patch
 	$(MOVE)
 
 .sparkle: sparkle
diff --git a/contrib/src/sparkle/sparkle-disable-redirects-to-non-HTTP-URLs-in-release-notes.patch b/contrib/src/sparkle/sparkle-disable-redirects-to-non-HTTP-URLs-in-release-notes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d3eaf3d72ae8ff27ad33ba7b60b411de60ede665
--- /dev/null
+++ b/contrib/src/sparkle/sparkle-disable-redirects-to-non-HTTP-URLs-in-release-notes.patch
@@ -0,0 +1,20 @@
+diff -ru Sparkle-1.6.1/SUUpdateAlert.m Sparkle-1.6.1-fixed/SUUpdateAlert.m
+--- Sparkle-1.6.1/SUUpdateAlert.m	2014-04-26 00:22:59.000000000 +0200
++++ Sparkle-1.6.1-fixed/SUUpdateAlert.m	2016-01-20 11:38:47.000000000 +0100
+@@ -313,6 +313,16 @@
+ 
+ - (void)webView:sender decidePolicyForNavigationAction:(NSDictionary *)actionInformation request:(NSURLRequest *)request frame:frame decisionListener:listener
+ {
++    NSURL *requestURL = request.URL;
++    NSString *scheme = requestURL.scheme;
++    BOOL whitelistedSafe = [@"http" isEqualToString:scheme] || [@"https" isEqualToString:scheme] || [@"about:blank" isEqualToString:requestURL.absoluteString];
++ 
++    // Do not allow redirects to dangerous protocols such as file://
++    if (!whitelistedSafe) {
++        [listener ignore];
++        return;
++    }
++    
+     if (webViewFinishedLoading) {
+         [[NSWorkspace sharedWorkspace] openURL:[request URL]];
+ 		
diff --git a/contrib/src/sparkle/sparkle-prevent-inclusion-of-local-files-via-file-XML-entiti.patch b/contrib/src/sparkle/sparkle-prevent-inclusion-of-local-files-via-file-XML-entiti.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bcfe595ed7074a4abbbaff17ea1525a320ef1706
--- /dev/null
+++ b/contrib/src/sparkle/sparkle-prevent-inclusion-of-local-files-via-file-XML-entiti.patch
@@ -0,0 +1,12 @@
+diff -ru Sparkle-1.6.1/SUAppcast.m Sparkle-1.6.1-fixed/SUAppcast.m
+--- Sparkle-1.6.1/SUAppcast.m	2016-01-20 11:39:11.000000000 +0100
++++ Sparkle-1.6.1-fixed/SUAppcast.m	2016-01-20 11:40:53.000000000 +0100
+@@ -92,7 +92,7 @@
+ 	
+ 	if (downloadFilename)
+ 	{
+-        NSUInteger options = NSXMLDocumentTidyXML;
++        NSUInteger options = NSXMLDocumentTidyXML | NSXMLNodeLoadExternalEntitiesNever;
+ 		document = [[[NSXMLDocument alloc] initWithContentsOfURL:[NSURL fileURLWithPath:downloadFilename] options:options error:&error] autorelease];
+ 	
+ 		[[NSFileManager defaultManager] removeItemAtPath:downloadFilename error:nil];