Opened 12 years ago
Closed 9 years ago
#22612 closed enhancement (fixed)
Filterable default for wp_safe_redirect/wp_validate_redirect
Reported by: | batmoo | Owned by: | dd32 |
---|---|---|---|
Milestone: | 4.3 | Priority: | normal |
Severity: | normal | Version: | |
Component: | HTTP API | Keywords: | has-patch commit |
Focuses: | | Cc: | |
Description
The default/fallback for wp_safe_redirect is admin_url(). It would be nice to have a filter to be able to modify this (e.g. redirect to home_url() instead, which is probably a better default anyway).
Attachments (3)
Change History (15)
#3 (11 years ago)
- Component changed from General to HTTP
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
#4 (10 years ago)
- Keywords has-patch needs-testing added; needs-patch removed
Submitted a patch for this. Worked for my testing.
#5 (10 years ago)
After further testing, I realized that the initial patch allowed you to hijack the website with some simple malicious code in a plugin. Edge case, sure, but it's now fixed in the new patch. In this patch I expanded on it to also run wp_validate_redirect on the default value passed to wp_validate_redirect from the filter. If this is invalid, it again defaults to admin_url().
I also ran into issues with infinite loops due to this, so I expanded wp_redirect so that it checks for the current web page, and if $location is the same, it doesn't run the redirect.
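The fallback re-validation and loop guard described in comment 5, as an added example that is not part of the ticket or of WordPress core. It is a stand-alone PHP model: `model_validate_redirect`, `model_safe_redirect_target`, `ALLOWED_HOSTS`, `ADMIN_URL` and the `example.test`/`other.test` URLs are all hypothetical, and a plain callable stands in for the proposed filter.

```php
<?php
// Stand-alone model of the comment's idea; NOT WordPress core code.
// All names and URLs here are hypothetical/constructed.
const ALLOWED_HOSTS = ['example.test'];
const ADMIN_URL     = 'https://example.test/wp-admin/';

// Return $location if it is site-relative or on an allowed host, else $default.
function model_validate_redirect(string $location, string $default): string {
    $location = trim($location);
    // Backslashes and control characters are parsed inconsistently; reject them.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $location)) {
        return $default;
    }
    // Treat protocol-relative "//host/path" as absolute so the host is checked.
    $parts = parse_url(strpos($location, '//') === 0 ? 'https:' . $location : $location);
    if ($parts === false) {
        return $default;
    }
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    if (isset($parts['host'])) {
        return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true) ? $location : $default;
    }
    // No host: accept only a site-relative path.
    return strpos($location, '/') === 0 ? $location : $default;
}

// $fallback_filter stands in for a plugin callback that changes the default.
// Returns null when the redirect should be skipped (loop guard).
function model_safe_redirect_target(string $location, callable $fallback_filter, string $current_url): ?string {
    // Validate the filtered fallback itself; if invalid, use ADMIN_URL again.
    $fallback = model_validate_redirect((string) $fallback_filter(ADMIN_URL), ADMIN_URL);
    $target   = model_validate_redirect($location, $fallback);
    return $target === $current_url ? null : $target;
}

// Constructed sample inputs: [requested location, fallback callback, current page].
$to_home  = fn(string $d): string => 'https://example.test/';
$off_site = fn(string $d): string => 'https://other.test/';
$cases = [
    ['https://other.test/x', $to_home,  'https://example.test/login'],
    ['https://other.test/x', $off_site, 'https://example.test/login'],
    ['/profile',             $to_home,  'https://example.test/login'],
    ['https://other.test/x', $to_home,  'https://example.test/'],
];
foreach ($cases as [$loc, $filter, $current]) {
    var_dump(model_safe_redirect_target($loc, $filter, $current));
}
```

In the second case the off-site fallback returned by the callable is discarded in favour of the admin URL; in the last case the redirect is skipped because the validated target is the page already being served.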
#6 (10 years ago)
- Keywords commit added; needs-testing removed
No objections to 22612.diff. 22612.2.diff appears to take it a step too far IMHO. Plugins already have complete control over a website; we shouldn't have to protect ourselves from something a plugin does.
#7 (10 years ago)
I could agree with that; 22612.diff is more in tune with the letter of the ticket.
#8 (10 years ago)
- Keywords needs-docs added
The new filter will also need hook documentation added to the patch.
No objection here.