Sanitization bypass in clean_url and wp_sanitise redirect

[westi]

Following on from #4819, while writing unit tests for clean_url I noticed an issue with the way in which it removes %0d and %0a from urls.

It expects the miscreant to have been nice and used lower case letters so %0D and %0A just slip straight through.

This also affects wp_safe_redirect and clean_url can currently be bypassed in the same way that wp_safe_redirect could before #4819 is fixed.

[westi]

(In [11615]) Introduce _deep_replace() and use it to improve the stripping of percent encoded values from urls. Fixes #10226 for trunk.

[westi]

Reopen for 2.8.1

[westi]

(In [11616]) Introduce _deep_replace() and use it to improve the stripping of percent encoded values from urls. Fixes #10226 for 2.8.1

[Denis-de-Bernardy]

seems like there's a buggy loop, with one or both of:

• %0%0%0DAD
• %0%0%0ADA

[westi]

Replying to Denis-de-Bernardy:

seems like there's a buggy loop, with one or both of:

• %0%0%0DAD
• %0%0%0ADA

Nope both of those are covered fine.

[ryan]

(In [11622]) Load formatting.php before install redirect so that wp_redirect() can call _deep_replace(). see #10226

[ryan]

(In [11623]) Load formatting.php before install redirect so that wp_redirect() can call _deep_replace(). see #10226