Opened 2 years ago
Last modified 15 months ago
#17052 reopened defect (bug)
wp_sanitize_redirect() removes square brackets from URL
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Awaiting Review |
| Component: | General | Version: | 3.1 |
| Severity: | minor | Keywords: | has-patch needs-testing |
| Cc: |
Description
The function wp_sanitize_redirect() removes square brackets from URLs.
PHP's functionality with arrays in the URL requires square braces; stripping them from the URL means that pages (and plugins) that rely on them fail.
To Reproduce:
<?php $url = 'http://example.com/my_url_array[1]=hello+world'; print wp_sanitize_redirect($url); ?>
Current Output:
http://example.com/my_url_array1=hello+world
Expected Output:
http://example.com/my_url_array[1]=hello+world
Whilst developers should be able to work around this as the function is pluggable, I believe this should just work out of the box.
Attachments (1)
Change History (6)
- Keywords has-patch removed
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
adds square braces to the regular expression for allowed characters in a safe URL
- Milestone set to Awaiting Review
- Resolution duplicate deleted
- Status changed from closed to reopened
Probably shouldn't've closed this so fast as a duplicate.
It's the same cause, but probably a lot better explained and in a different use case.
- Keywords has-patch needs-testing added
Hi dd32,
Thanks for re-opening this ticket.
I was working under the assumption that the characters were simply missing from the regular expression due to an oversight.
It is a powerful feature to support.
If it is determined under review that they should be stripped from the URL, we can always automatically encode the square brackets into their entities inside the function.
Thanks for your time.
Jason
comment:5
SergeyBiryukov — 15 months ago
- Version changed from 3.4 to 3.1
Version number indicates when the bug was initially introduced/reported.

Whilst referring to blogroll, the root cause is the same.
In short, the brackets shouldn't be in the url, they *should* be encoded, but often aren't.
#16859
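
The difference between stripping the brackets and percent-encoding them, as raised in the comments above, shown as an added example (not WordPress code and not the attached patch). The allow-list regex is a simplified stand-in that omits `[` and `]`, the helper names are hypothetical, and the sample URL is constructed with a `?` so that PHP parses a query string.

```php
<?php
// Added example: helper names are hypothetical, not WordPress APIs.

// Simplified stand-in for a character allow-list that omits "[" and "]"
// (assumption: this is not the regex from WordPress core).
function strip_disallowed(string $url): string {
    return preg_replace('|[^a-z0-9~+_.?#=&;,/:%!-]|i', '', $url);
}

// Percent-encode square brackets so they survive the allow-list,
// which permits "%" and hex digits.
function encode_brackets(string $url): string {
    return strtr($url, ['[' => '%5B', ']' => '%5D']);
}

// Parse the query string the same way PHP fills $_GET on the target page.
function query_params(string $url): array {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

// Constructed sample URL carrying a PHP array parameter.
$url = 'http://example.com/?my_url_array[1]=hello+world';

// Behaviour reported in the ticket: brackets are silently deleted,
// so the parameter name changes and the array structure is lost.
$stripped = strip_disallowed($url);

// Alternative discussed in the comments: encode first, then filter.
// The receiving page still sees an array after PHP decodes the key.
$encoded = strip_disallowed(encode_brackets($url));

echo "stripped: ", $stripped, "\n";
var_dump(query_params($stripped));

echo "encoded:  ", $encoded, "\n";
var_dump(query_params($encoded));

// A sanitizer that deletes characters can change what a URL means;
// comparing parsed parameters before and after makes that visible.
var_dump(query_params($url) === query_params($encoded));
```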