Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#31486 closed defect (bug) (fixed)

wp_redirect sends incorrect url when it contains non escaped unicode characters

Reported by: louyx
Owned by: pento
Milestone: 4.2
Priority: normal
Severity: normal
Version: 2.3
Component: General
Keywords:
Focuses:
Cc:


When using wp_redirect to a url that contains non-ascii letters, those letters are stripped out from the HTTP Location header.

I have created a small fix for this issue by escaping every non-ascii character:

$redirect_url = preg_replace_callback('/([^\x00-\x7F])/i', function($matches) {
  return urlencode($matches[1]);
}, $redirect_url);

More Details:
Some plugins redirect to URLs containing unicode characters without escaping them first. The escape functions esc_url and esc_url_raw do not solve this either. I think solving this at core level is the best thing to do, especially since it doesn't affect the current behavior of the function.

Here's an example (in Arabic, which is RTL):

wp_redirect( 'تجربة-1/' );
//redirects to

Change History (3)

#1 @pento
9 years ago

  • Owner set to pento
  • Status changed from new to accepted
  • Version changed from trunk to 2.3

#2 @pento
9 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 31587:

When sanitizing a URL to redirect to, UTF-8 characters can be URL encoded, instead of being removed.

While RFC 3986 does not specify which character sets are allowed in URIs, Section 2.5 states that octets matching UTF-8 character encoding should be percent-encoded, then unreserved octets outside of the UTF-8 range should be percent-encoded. As browsers tend to only implement support for UTF-8 in URLs, this change only implements the UTF-8 encoding part. We may revisit the second part if it becomes an issue.

Fixes #31486
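
The behaviour described in the commit message above, as an added example that is not the code from changeset 31587 or from WordPress core: well-formed multi-byte UTF-8 sequences are percent-encoded first, then every byte still outside an allowlist is dropped. The function names, the allowlist and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: names and the allowlist are assumptions, not WordPress core code.

// Percent-encode every well-formed multi-byte UTF-8 sequence in $url.
function example_encode_utf8( $url ) {
    $utf8_sequence = '/
        [\xC2-\xDF][\x80-\xBF]               # 2 bytes
      | \xE0[\xA0-\xBF][\x80-\xBF]           # 3 bytes, overlong forms excluded
      | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}    # 3 bytes
      | \xED[\x80-\x9F][\x80-\xBF]           # 3 bytes, surrogates excluded
      | \xF0[\x90-\xBF][\x80-\xBF]{2}        # 4 bytes, overlong forms excluded
      | [\xF1-\xF3][\x80-\xBF]{3}            # 4 bytes
      | \xF4[\x80-\x8F][\x80-\xBF]{2}        # 4 bytes, up to U+10FFFF
    /x';
    return preg_replace_callback(
        $utf8_sequence,
        function ( $match ) {
            return rawurlencode( $match[0] );
        },
        $url
    );
}

// Encode first, then drop whatever is still outside the (assumed) allowlist.
// Bytes >= 0x80 that were not part of valid UTF-8 are removed at this step.
function example_sanitize_redirect( $url ) {
    $url = example_encode_utf8( $url );
    return preg_replace( '|[^a-z0-9\-~+_.?#=&;,/:%!*\[\]()@]|i', '', $url );
}

// Constructed inputs, written as byte escapes so the file encoding is irrelevant.
$samples = array(
    'ticket example'     => "\xD8\xAA\xD8\xAC\xD8\xB1\xD8\xA8\xD8\xA9-1/", // the Arabic path from the ticket
    'lone Latin-1 byte'  => "/caf\xE9/",
    'overlong form'      => "/a\xC0\xAFb/",
    'truncated sequence' => "/x\xE2\x82",
);

foreach ( $samples as $label => $input ) {
    printf( "%-20s %s\n", $label, example_sanitize_redirect( $input ) );
}
```

Only the first sample keeps its non-ASCII content, as percent-encoded octets; the other three contain bytes that are not valid UTF-8, which still get stripped, matching the "only implements the UTF-8 encoding part" scope of the change.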

#3 @pento
9 years ago

  • Milestone changed from Awaiting Review to 4.2