Opened 10 years ago
Closed 9 years ago
#31335 closed defect (bug) (duplicate)
wp_logout_url: redirect character escape &
Reported by: | adaldesign | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 4.1 |
Component: | Login and Registration | Keywords: | |
Focuses: | Cc: |
Description (last modified by )
The wp_logout_url function is still not working, even though this ticket was created and closed: #21885
The issue is also explained and fixed in this forum post: https://wordpress.org/support/topic/wp_logout_url-not-redirecting?replies=6#post-2182272
Change History (5)
#1 (follow-up: ↓ 3) @ 10 years ago
- Keywords 2nd-opinion added
- Resolution set to worksforme
- Status changed from new to closed
#3 (in reply to: ↑ 1) @ 9 years ago
- Resolution worksforme deleted
- Status changed from closed to reopened
Replying to Bishoy.A:
> I am unable to duplicate this issue. It's working here fine on a fresh install.
Hi,
I don't think you checked well enough as I'm able to duplicate this bug very easily, and I can also identify what's causing this problem.
To duplicate this bug, all that's necessary is to call the function `wp_logout_url(...)` with a value for some redirect URL, say `xyz`. The function `wp_logout_url(...)` will use the function `add_query_arg(...)` to properly add the query string `&redirect_to=xyz` to the URL, and everything will be fine up to this point.
However, what will happen next is that the function `wp_logout_url(...)` will call the function `wp_nonce_url(...)`, which will escape the `&` into its HTML entity `&amp;`.
I took a look at the source code of `wp_nonce_url(...)`, and it looks very strange. First it unescapes any `&amp;` into `&`, then it adds the nonce, and then it escapes all `&` to `&amp;` via a call to `esc_html(...)`. I don't think this unescaping/escaping logic should even be in `wp_nonce_url(...)`.
A good temporary fix for this bug would be to move the core nonce-adding logic into a new function, something like `wp_nonce_url_pure(...)`, whose job would be only to add the nonce, but not do any of the unescaping/escaping, and use this new function from `wp_logout_url(...)`.
The original `wp_nonce_url(...)` could then call `wp_nonce_url_pure(...)` to be backward-compatible with the current logic that calls `wp_nonce_url(...)`, but in general there seems to be something wrong with the way `wp_nonce_url(...)` is coded and called. So the long-term solution would be to refactor the logic that would need `wp_nonce_url(...)` to return an encoded result.
Taking a look at https://wordpress.org/support/topic/wp_logout_url-not-redirecting indicates that this problem has been present for a while. The solution presented in the last post to that thread may not work if the redirect URL also contains query strings.
For anyone dealing with this problem while it still persists in the WordPress core, I would recommend duplicating the logic in `wp_logout_url(...)` in your own project, but instead of calling `wp_nonce_url(...)`, have it call your own function like the theoretical `wp_nonce_url_pure(...)` that I described above.
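
The escaping sequence described in comment 3, as an added plain-PHP demonstration that is not code from the ticket or from WordPress core. It assumes `htmlspecialchars()` as a stand-in for `esc_html(...)`; the function names, the nonce value and the `example.test` URLs are constructed for illustration.

```php
<?php
// Added illustration in plain PHP. These are stand-ins, not WordPress core functions.
const SAMPLE_NONCE = 'abc123def4'; // constructed value in place of wp_create_nonce() output

// Only appends the nonce; no unescaping or escaping (the role proposed for wp_nonce_url_pure).
function nonce_url_pure(string $url, string $nonce, string $name = '_wpnonce'): string {
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . rawurlencode($name) . '=' . rawurlencode($nonce);
}

// The sequence described in the comment: unescape &amp;, add the nonce, escape for HTML.
// htmlspecialchars() stands in for esc_html() here (assumption of this example).
function nonce_url_escaped(string $url, string $nonce): string {
    $url = str_replace('&amp;', '&', $url);
    return htmlspecialchars(nonce_url_pure($url, $nonce), ENT_QUOTES, 'UTF-8');
}

// Query parameters as a non-HTML consumer of the string would parse them.
function query_params(string $url): array {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

// Constructed redirect target that carries its own query string.
$target = 'https://example.test/account?tab=orders&page=2';
$base   = 'https://example.test/wp-login.php?action=logout&redirect_to=' . urlencode($target);

$raw     = nonce_url_pure($base, SAMPLE_NONCE);
$escaped = nonce_url_escaped($base, SAMPLE_NONCE);
// What an HTML parser does to an attribute value before the browser requests it.
$decoded = html_entity_decode($escaped, ENT_QUOTES, 'UTF-8');

foreach (['raw' => $raw, 'escaped' => $escaped, 'decoded' => $decoded] as $label => $url) {
    $params = query_params($url);
    $intact = (($params['redirect_to'] ?? null) === $target) ? 'yes' : 'no';
    printf("%-8s keys: %s\n", $label, implode(', ', array_keys($params)));
    printf("%-8s redirect_to intact: %s\n", '', $intact);
}
```

The escaped string only parses into the expected parameters after HTML decoding, so a consumer that treats it as a raw URL sees `amp;redirect_to` instead of `redirect_to`. Keeping the URL unescaped internally and escaping at the point of HTML output avoids that mismatch.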