

Timestamp:
02/07/2008 06:23:51 PM (17 years ago)
Author:
ryan
Message:

wp_safe_redirect() for 2.0. Props markjaquith and snakefoot. fixes #4606 for 2.0

File:
1 edited

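--- a/branches/2.0/wp-includes/pluggable-functions.php
+++ b/branches/2.0/wp-includes/pluggable-functions.php
@@ -260,5 +260,29 @@
     global $is_IIS;
 
+    $location = apply_filters('wp_redirect', $location, $status);
+
+    if ( !$location ) // allows the wp_redirect filter to cancel a redirect
+        return false;
+
+    $location = wp_sanitize_redirect($location);
+
+    if ( $is_IIS ) {
+        header("Refresh: 0;url=$location");
+    } else {
+        if ( php_sapi_name() != 'cgi-fcgi' )
+            status_header($status); // This causes problems on IIS and some FastCGI setups
+        header("Location: $location");
+    }
+}
+endif;
+
+if ( !function_exists('wp_sanitize_redirect') ) :
+/**
+* sanitizes a URL for use in a redirect
+* @return string redirect-sanitized URL
+**/
+function wp_sanitize_redirect($location) {
     $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
+    $location = wp_kses_no_null($location);
 
     // remove %0d and %0a from location
@@ -274,12 +298,31 @@
         }
     }
-
-    if ( $is_IIS ) {
-        header("Refresh: 0;url=$location");
-    } else {
-        if ( php_sapi_name() != 'cgi-fcgi' )
-            status_header($status); // This causes problems on IIS and some FastCGI setups
-        header("Location: $location");
-    }
+    return $location;
+}
+endif;
+
+if ( !function_exists('wp_safe_redirect') ) :
+/**
+* performs a safe (local) redirect, using wp_redirect()
+* @return void
+**/
+function wp_safe_redirect($location, $status = 302) {
+
+    // Need to look at the URL the way it will end up in wp_redirect()
+    $location = wp_sanitize_redirect($location);
+
+    // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
+    if ( substr($location, 0, 2) == '//' )
+        $location = 'http:' . $location;
+
+    $lp  = parse_url($location);
+    $wpp = parse_url(get_option('home'));
+
+    $allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']));
+
+    if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
+        $location = get_option('siteurl') . '/wp-admin/';
+
+    wp_redirect($location, $status);
 }
 endif;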
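Review bot: The locality check in wp_safe_redirect() only fires when parse_url() yields a host, so a location that parse_url() cannot parse at all (it returns false for badly malformed input, and isset($lp['host']) is then simply false) or one that carries a non-http(s) scheme without a host is handed to wp_redirect() unchanged instead of falling back to the admin URL. The host comparison is also inconsistent on case: $wpp['host'] is lowercased but $lp['host'] is not, and the in_array() against $allowed_hosts is case-sensitive, so a host that differs only in case from an allowed one is rejected while the same spelling elsewhere is accepted. Treating an unparsable location or a non-http(s) scheme as external and lowercasing both sides of the host comparison makes the check predictable; the rewrite below folds the conditions into a single `$unsafe` flag and leaves the surrounding function as committed.
```php
    // … unchanged: sanitize, '//' prefix handling, parse_url() of $location and home …
    $allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']));

    // A location parse_url() could not parse, a non-http(s) scheme, or a host outside the
    // allowed list is treated as external; hosts are compared case-insensitively.
    $unsafe = !is_array($lp)
        || ( isset($lp['scheme']) && !in_array(strtolower($lp['scheme']), array('http', 'https')) )
        || ( isset($lp['host'])
            && !in_array(strtolower($lp['host']), array_map('strtolower', $allowed_hosts))
            && strtolower($lp['host']) != strtolower($wpp['host']) );

    if ( $unsafe )
        $location = get_option('siteurl') . '/wp-admin/';
    // … unchanged: wp_redirect() call …
```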