
Changeset 6134


Timestamp:
09/19/2007 03:47:37 AM (18 years ago)
Author:
markjaquith
Message:

More robust wp_safe_redirect(). Introducing wp_sanitize_redirect() for use in wp_redirect() and wp_safe_redirect(). fixes #4606

File:
1 edited

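--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -374,4 +374,22 @@
         return false;
 
+    $location = wp_sanitize_redirect($location);
+
+    if ( $is_IIS ) {
+        header("Refresh: 0;url=$location");
+    } else {
+        if ( php_sapi_name() != 'cgi-fcgi' )
+            status_header($status); // This causes problems on IIS and some FastCGI setups
+        header("Location: $location");
+    }
+}
+endif;
+
+if ( !function_exists('wp_sanitize_redirect') ) :
+/**
+ * sanitizes a URL for use in a redirect
+ * @return string redirect-sanitized URL
+ **/
+function wp_sanitize_redirect($location) {
     $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
     $location = wp_kses_no_null($location);
@@ -389,12 +407,5 @@
         }
     }
-
-    if ( $is_IIS ) {
-        header("Refresh: 0;url=$location");
-    } else {
-        if ( php_sapi_name() != 'cgi-fcgi' )
-            status_header($status); // This causes problems on IIS and some FastCGI setups
-        header("Location: $location");
-    }
+    return $location;
 }
 endif;
@@ -406,11 +417,17 @@
  **/
 function wp_safe_redirect($location, $status = 302) {
-    if ( $location{0} == '/' ) {
-        if ( $location{1} == '/' )
-            $location = get_option('home') . '/';
-    } else {
-        if ( substr($location, 0, strlen(get_option('home'))) != get_option('home') )
-            $location = get_option('home') . '/';
-    }
+
+    // Need to look at the URL the way it will end up in wp_redirect()
+    $location = wp_sanitize_redirect($location);
+
+    // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
+    if ( substr($location, 0, 2) == '//' )
+        $location = 'http:' . $location;
+
+    $lp  = parse_url($location);
+    $wpp = parse_url(get_option('home'));
+
+    if ( isset($lp['host']) && $lp['host'] != $wpp['host'] )
+        $location = get_option('siteurl') . '/wp-admin/';
 
     wp_redirect($location, $status);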
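Review bot: The host check on new line 430 fails open when `parse_url()` cannot parse the sanitized location: it returns `false`, `isset($lp['host'])` is then false, and the unparsed URL goes to wp_redirect() unchanged, which is exactly the case this function exists to stop. Whether a given malformed prefix (for example more than two leading slashes after the `//` rewrite on line 424) parses or fails varies by PHP version, so I would treat a parse failure as untrusted rather than rely on it: `if ( false === $lp || ( isset($lp['host']) && $lp['host'] != $wpp['host'] ) )`. The comparison is also case-sensitive and never looks at `$lp['scheme']`, so a location with a non-http scheme and no host passes the host test alone; rejecting any scheme other than `http`/`https` when one is present would close that, though whether any caller supplies such input is not visible here. wp_safe_redirect's body continues past the end of the hunk.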