diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index 77540e7e..bf40d7a9 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@@ -928,45 +928,6 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
 
     $config = $ctx->get('config');
 
-    if (isset($_POST['ban_id'], $_POST['unban'])) {
-        if (!hasPermission($config['mod']['unban']))
-            error($config['error']['noaccess']);
-
-        Bans::delete($_POST['ban_id'], true, $mod['boards']);
-
-        if (empty($encoded_cursor)) {
-            \header("Location: ?/user_posts/ip/$ip#bans", true, $config['redirect_http']);
-        } else {
-            \header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#bans", true, $config['redirect_http']);
-        }
-        return;
-    }
-
-    if (isset($_POST['note'])) {
-        if (!hasPermission($config['mod']['create_notes']))
-            error($config['error']['noaccess']);
-
-        $_POST['note'] = escape_markup_modifiers($_POST['note']);
-        markup($_POST['note']);
-        $query = prepare('INSERT INTO ``ip_notes`` VALUES (NULL, :ip, :mod, :time, :body)');
-        $query->bindValue(':ip', $ip);
-        $query->bindValue(':mod', $mod['id']);
-        $query->bindValue(':time', time());
-        $query->bindValue(':body', $_POST['note']);
-        $query->execute() or error(db_error($query));
-
-        Cache::delete("mod_page_ip_view_notes_$ip");
-
-        modLog("Added a note for <a href=\"?/user_posts/ip/{$ip}\">{$ip}</a>");
-
-        if (empty($encoded_cursor)) {
-            \header("Location: ?/user_posts/ip/$ip#notes", true, $config['redirect_http']);
-        } else {
-            \header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#notes", true, $config['redirect_http']);
-        }
-        return;
-    }
-
     $args = [
         'ip' => $ip,
         'posts' => []
@@ -1051,10 +1012,11 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
 
     $args['boards'] = $boards;
 
+    // Since the security token is only used to send requests to create notes and remove bans, use "?/IP/" as the url.
     if (empty($encoded_cursor)) {
-        $args['security_token'] = make_secure_link_token("user_posts/ip/$ip");
+        $args['security_token'] = make_secure_link_token("IP/$ip");
     } else {
-        $args['security_token'] = make_secure_link_token("user_posts/ip/$ip/cursor/$encoded_cursor");
+        $args['security_token'] = make_secure_link_token("IP/$ip/cursor/$encoded_cursor");
     }
 
     mod_page(\sprintf('%s: %s', _('IP'), \htmlspecialchars($ip)), 'mod/view_ip.html', $args, $args['hostname']);
diff --git a/templates/mod/view_ip.html b/templates/mod/view_ip.html
index 5edbeb85..8060c28a 100644
--- a/templates/mod/view_ip.html
+++ b/templates/mod/view_ip.html
@@ -43,7 +43,7 @@
 		{% endif %}
 
 		{% if mod|hasPermission(config.mod.create_notes) %}
-			<form action="" method="post" style="margin:0">
+			<form action="?/IP/{{ ip|url_encode(true) }}" method="post" style="margin:0">
 				<input type="hidden" name="token" value="{{ security_token }}">
 				<table>
 					<tr>
@@ -74,7 +74,7 @@
 		<legend>{{ bans|count }} {% trans bans_on_record %}</legend>
 
 		{% for ban in bans %}
-			<form action="" method="post" style="text-align:center">
+			<form action="?/IP/{{ ip|url_encode(true) }}" method="post" style="text-align:center">
 				<input type="hidden" name="token" value="{{ security_token }}">
 				<table style="width:400px;margin-bottom:10px;border-bottom:1px solid #ddd;padding:5px">
 					<tr>