Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#35719 closed defect (bug) (duplicate)

wp_sanitize_redirect() also incorrectly URL-encodes utf-8 in domain part of IDN domain names

Reported by: eirikrye Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.6
Component: General Keywords:
Focuses: administration Cc:


This can easily be tested by changing your site URL to contain a UTF-8 character (e.g. test.hellowørld.com), and then attempting to open /wp-admin/ (which will redirect to wp-login.php). You will see the following 'Location' header being set:

http://test.hell%C3%B8world.com/wp-login.php?redirect_to= ..

The domain part should NOT be url/percent encoded. It should be encoded separately using Punycode. Only the path and query parameters should be url/percent encoded. This is not a valid IRI, and certain browsers (Safari, Firefox) will correctly complain about the hostname "test.hell%C3%B8world.com" not existing.

Change History (1)

#1 @SergeyBiryukov
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @eirikrye, welcome to Trac!

Thanks for the report, we're already tracking this issue in #10690 (see also #19279 and #29170).

Related: #25113.

Note: See TracTickets for help on using tickets.