Opened 13 years ago
Closed 9 years ago
#17052 closed defect (bug) (fixed)
wp_sanitize_redirect() removes square brackets from URL
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 4.1 | Priority: | normal |
| Severity: | minor | Version: | 3.1 |
| Component: | Formatting | Keywords: | has-patch |
| Focuses: | Cc: |
Description
The function wp_sanitize_redirect() removes square brackets from URLs.
PHP's functionality with arrays in the URL require square braces, stripping them from the URL means that pages (and plugins) that rely on them fail.
To Reproduce:
<?php $url = 'http://example.com/my_url_array[1]=hello+world'; print wp_sanitize_redirect($url); ?>
Current Output:
http://example.com/my_url_array1=hello+world
Expected Output:
http://example.com/my_url_array[1]=hello+world
Whilst developers should be able to work around this as the function is pluggable I believe this should just work out of the box.
Attachments (4)
Change History (20)
#1
@
13 years ago
- Keywords has-patch removed
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
#2
@
13 years ago
- Milestone set to Awaiting Review
- Resolution duplicate deleted
- Status changed from closed to reopened
Probably shouldnt've closed this so fast as a duplicate.
It's the same cause, but probably a lot better explained and in a different usecase.
#3
@
13 years ago
- Keywords has-patch needs-testing added
Hi dd32,
Thanks for re-opening this ticket.
I was working under the assumption that the characters we simply missing from the regular expression due to an oversight.
It is a powerful feature to support.
If it is determined under review that they should be stripped from the URL, we can always automatically encode the square brackets into their entities inside the function.
Thanks for your time.
Jason
#5
@
12 years ago
- Version changed from 3.4 to 3.1
Version number indicates when the bug was initially introduced/reported.
#8
@
10 years ago
- Component changed from General to Formatting
- Milestone changed from Awaiting Review to Future Release
#9
@
10 years ago
"@" is being removed from URL as well. As "@" might be a part of basic-auth URL, it should be preserved in the URL.
As I noticed that https://core.trac.wordpress.org/ticket/26037 was closed as a dupe (despite it contains "@" as well), I'm posting a patch containing both ("@" and "[]") to his ticket.
#10
@
10 years ago
Allowing square brackets is also important when dealing with IPv6 literals (see RFC2732). The patch 17052-02.patch adds a couple unit tests in addition to adding [ and ] to the whitelist of allowed characters.
I am not sure that we want to "@" as part of this same patch, but "@" is a reserved character so I think it is appropriate for it to be allowed.
#12
@
9 years ago
Hi all, throwing my hat in the ring here..
I've raised a couple of these types of tickets in the past relating to characters being stripped out incorrectly (most recent is here: #30308 just the other day).
If we can avoid one more ticket and do the fix for @ while we're here, that would be preferable so it gets fixed sooner.
#13
@
9 years ago
- Keywords needs-patch added; has-patch commit removed
- Milestone changed from Future Release to 4.1
#14
@
9 years ago
- Keywords has-patch added; needs-patch removed
Refresh. Allows []'s in the url as an IPv6 and as a param. Adds unit tests.
whilst referring to blogroll, the root cause is the same
In short, the brackets shouldn't be in the url, they *should* be encoded, but often arn't.
#16859