Ticket #13051: patch2.diff

pluggable.php

@@ -904 +904 @@
         // remove %0d and %0a from location
         $strip = array('%0d', '%0a', '%0D', '%0A');
         $location = _deep_replace($strip, $location);
+        // convert any & to &
+        $location = str_replace(array('&', '#038;'), '&', $location);
         return $location;
 }
 endif;

functions.php

@@ -1868 +1868 @@
  * @return string URL with nonce action added.
  */
 function wp_nonce_url( $actionurl, $action = -1 ) {
-        $actionurl = str_replace( '&', '&', $actionurl );
-        return esc_html( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
+        // $actionurl = str_replace( array('&', '&038;'), '&', $actionurl );
+        return esc_html( wp_sanitize_redirect( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) ) );
 }