Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#31866 closed defect (bug) (worksforme)

wp_redirect strips out special characters

Reported by: milmor's profile Milmor Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.1.1
Component: General Keywords: needs-testing
Focuses: Cc:

Description

Forum post:
https://wordpress.org/support/topic/wp_redirect-strips-out-special-characters?replies=1

i have a problem with the function wp_redirect() when the url contains special characters.

wp_redirect( esc_url_raw( wp_get_attachment_url( $ID ) ) );

If the attachment url contains, for example, À, then the entire line of code leads to a 404 page because the final url won't contain that letter.

In addition:
esc_url_raw( wp_get_attachment_url( $ID ) )
is returning the correct url. Without esc_url_raw i get the same result.

It seems that wp_redirect strips out the character À. Is this normal?

(Apache server)

Change History (4)

#1 @Milmor
9 years ago

I did some additional tests with a file called test èàÀ.pdf

Linux returned me test-.pdf
Windows returned me test-eaA.pdf

#2 @DrewAPicture
9 years ago

  • Keywords reporter-feedback added

Hi @Milmor, would you like to try submitting a patch?

#3 @Milmor
9 years ago

  • Keywords needs-testing added; reporter-feedback removed
  • Resolution set to worksforme
  • Status changed from new to closed

Hi @DrewAPicture,
with WordPress 4.2 i don't get that error!

In fact i found that the function wp_sanitize_redirect() in wp-includes/pluggable.php has been changed.

WordPress 4.1:

$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location);
$location = wp_kses_no_null($location);

// remove %0d and %0a from location
$strip = array('%0d', '%0a', '%0D', '%0A');
$location = _deep_replace($strip, $location);
return $location;

WordPress 4.2:

$regex = '/
(
(?: [\xC2-\xDF][\x80-\xBF]        # double-byte sequences   110xxxxx 10xxxxxx
|   \xE0[\xA0-\xBF][\x80-\xBF]    # triple-byte sequences   1110xxxx 10xxxxxx * 2
|   [\xE1-\xEC][\x80-\xBF]{2}
|   \xED[\x80-\x9F][\x80-\xBF]
|   [\xEE-\xEF][\x80-\xBF]{2}
|   \xF0[\x90-\xBF][\x80-\xBF]{2} # four-byte sequences   11110xxx 10xxxxxx * 3
|   [\xF1-\xF3][\x80-\xBF]{3}
|   \xF4[\x80-\x8F][\x80-\xBF]{2}
){1,50}                              # ...one or more times
)/x';
$location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location);
$location = wp_kses_no_null($location);

// remove %0d and %0a from location
$strip = array('%0d', '%0a', '%0D', '%0A');
$location = _deep_replace($strip, $location);
return $location;

Now the function returns the correct url.

#4 @DrewAPicture
9 years ago

  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.