Make WordPress Core

Opened 9 years ago

Closed 8 years ago

#31335 closed defect (bug) (duplicate)

wp_logout_url: redirect character escape &

Reported by: adaldesign
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.1
Component: Login and Registration
Keywords:
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

The wp_logout_url function is still not working, even though this ticket was created and closed: #21885

The issue is also explained and fixed in this forum post:

Change History (5)

#1 follow-up: @Bishoy.A
9 years ago

  • Keywords 2nd-opinion added
  • Resolution set to worksforme
  • Status changed from new to closed

I am unable to duplicate this issue. It's working here fine on a fresh install.

#2 @DrewAPicture
9 years ago

  • Milestone Awaiting Review deleted

#3 in reply to: ↑ 1 @maratbn
9 years ago

  • Resolution worksforme deleted
  • Status changed from closed to reopened

Replying to Bishoy.A:

I am unable to duplicate this issue. It's working here fine on a fresh install.


I don't think you checked well enough as I'm able to duplicate this bug very easily, and I can also identify what's causing this problem.

To duplicate this bug, all that's necessary is to call the function wp_logout_url(...) with a value for some redirect URL, say xyz. The function wp_logout_url(...) will use the function add_query_arg(...) to properly add the query string &redirect_to=xyz to the URL, and everything will be fine up to this point.

However, what will happen next, is that the function wp_logout_url(...) will call the function wp_nonce_url(...), which will escape the & into its HTML entity &amp;.

I took a look at the source code of wp_nonce_url(...), and it looks very strange. First it unescapes any &amp; into &, then it adds the nonce, and then it escapes all & to &amp; via a call to esc_html(...). I don't think this unescaping/escaping logic should even be in wp_nonce_url(...).

A good temporary fix for this bug would be to move the core nonce-adding logic into a new function, something like wp_nonce_url_pure(...) whose job would be only to add the nonce, but not do any of the unescaping/escaping, and use this new function from wp_logout_url(...).

The original wp_nonce_url(...) could then call wp_nonce_url_pure(...) to be backward-compatible with the current logic that calls wp_nonce_url(...), but in general there seems to be something wrong with the way wp_nonce_url(...) is coded and called. So the long-term solution would be to refactor the logic that would need wp_nonce_url(...) to return an encoded result.

Taking a look at indicates that this problem has been present for a while. The solution presented in the last post to that thread may not work if the redirect URL also contains query strings.

For anyone dealing with this problem while it still persists in the WordPress core, I would recommend duplicating the logic in wp_logout_url(...) in your own project, but instead of calling wp_nonce_url(...), have it call your own function like the theoretical wp_nonce_url_pure(...) that I described above.

Last edited 9 years ago by SergeyBiryukov
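To make the mechanism described in comment #3 concrete, here is an added PHP illustration; it is not WordPress code and not from the ticket. The demo_* functions are simplified stand-ins for add_query_arg(), wp_create_nonce() and esc_html(), and example.test is a placeholder host.

```php
<?php
// Added illustration of the behaviour described in comment #3; not WordPress code.
// demo_* are simplified stand-ins for add_query_arg(), wp_create_nonce(), esc_html().

function demo_add_query_arg(array $args, string $url): string {
    $sep = (strpos($url, '?') === false) ? '?' : '&';   // plain '&', a URL not HTML
    return $url . $sep . http_build_query($args);
}

function demo_create_nonce(string $action): string {
    // Constructed stand-in; a real nonce is a keyed token bound to user and action.
    return substr(hash('sha256', 'demo-secret|' . $action), 0, 10);
}

// Same shape as the logic criticised in comment #3: unescape &amp;, add the nonce,
// then HTML-escape the whole URL (esc_html() analogue).
function demo_nonce_url_escaped(string $url, string $action): string {
    $url = str_replace('&amp;', '&', $url);
    $url = demo_add_query_arg(['_wpnonce' => demo_create_nonce($action)], $url);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// The proposed "pure" variant: add the nonce only; escape at the output context.
function demo_nonce_url_pure(string $url, string $action): string {
    return demo_add_query_arg(['_wpnonce' => demo_create_nonce($action)], $url);
}

function demo_logout_url(string $redirect, bool $pure): string {
    $args = ['action' => 'logout'];
    if ($redirect !== '') {
        $args['redirect_to'] = $redirect;   // http_build_query() percent-encodes it
    }
    $url = demo_add_query_arg($args, 'https://example.test/wp-login.php');
    return $pure ? demo_nonce_url_pure($url, 'log-out') : demo_nonce_url_escaped($url, 'log-out');
}

// Parse the query string as a server would after a redirect to $url and report
// whether redirect_to is still a recognisable parameter name.
function demo_redirect_survives(string $url): bool {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return isset($params['redirect_to']);
}

$redirect = 'https://example.test/?page=1&lang=en';   // constructed sample redirect
foreach (['escaped' => false, 'pure' => true] as $label => $pure) {
    $url = demo_logout_url($redirect, $pure);
    // Escaped form: separator is '&amp;', so the server sees 'amp;redirect_to' instead.
    printf("%-8s %s  redirect_to kept: %s\n", $label, $url,
           demo_redirect_survives($url) ? 'yes' : 'no');
}
```

The defensive takeaway is to escape once, at the HTML output point (an attribute or text node), rather than inside the URL builder; a URL emitted in a Location header or handed to JavaScript must keep its plain & separators or the redirect_to parameter is silently dropped.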

#4 @SergeyBiryukov
9 years ago

  • Description modified
  • Milestone set to Awaiting Review
  • Summary changed from wp_logout_url: redirect charactor escape & to wp_logout_url: redirect character escape &

#5 @johnbillion
8 years ago

  • Keywords 2nd-opinion removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from reopened to closed

Thank you for the detailed response, maratbn. This is in fact a duplicate of #20771, which I'm currently working on a patch for.
