wp_validate_redirect( string $location, string $default = '' ): string

Validates a URL for use in a redirect.

Contents

Description

Checks whether the $location is using an allowed host, if it has an absolute path. A plugin can therefore set or remove allowed host(s) to or from the list.

If the host is not allowed, then the redirect is to $default supplied.

Top ↑

Parameters

$location string Required
The redirect to validate.
$default string Optional
The value to return if $location is not allowed.

Default: ''

Top ↑

Return

string redirect-sanitized URL.

Top ↑

Source

File: wp-includes/pluggable.php. View all references 

function wp_validate_redirect( $location, $default = '' ) {
	$location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
	// Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'.
	if ( '//' === substr( $location, 0, 2 ) ) {
		$location = 'http:' . $location;
	}

	// In PHP 5 parse_url() may fail if the URL query part contains 'http://'.
	// See https://bugs.php.net/bug.php?id=38143
	$cut  = strpos( $location, '?' );
	$test = $cut ? substr( $location, 0, $cut ) : $location;

	$lp = parse_url( $test );

	// Give up if malformed URL.
	if ( false === $lp ) {
		return $default;
	}

	// Allow only 'http' and 'https' schemes. No 'data:', etc.
	if ( isset( $lp['scheme'] ) && ! ( 'http' === $lp['scheme'] || 'https' === $lp['scheme'] ) ) {
		return $default;
	}

	if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) {
		$path = '';
		if ( ! empty( $_SERVER['REQUEST_URI'] ) ) {
			$path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' );
			$path = wp_normalize_path( $path );
		}
		$location = '/' . ltrim( $path . '/', '/' ) . $location;
	}

	// Reject if certain components are set but host is not.
	// This catches URLs like https:host.com for which parse_url() does not set the host field.
	if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
		return $default;
	}

	// Reject malformed components parse_url() can return on odd inputs.
	foreach ( array( 'user', 'pass', 'host' ) as $component ) {
		if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
			return $default;
		}
	}

	$wpp = parse_url( home_url() );

	/**
	 * Filters the list of allowed hosts to redirect to.
	 *
	 * @since 2.3.0
	 *
	 * @param string[] $hosts An array of allowed host names.
	 * @param string   $host  The host name of the redirect destination; empty string if not set.
	 */
	$allowed_hosts = (array) apply_filters( 'allowed_redirect_hosts', array( $wpp['host'] ), isset( $lp['host'] ) ? $lp['host'] : '' );

	if ( isset( $lp['host'] ) && ( ! in_array( $lp['host'], $allowed_hosts, true ) && strtolower( $wpp['host'] ) !== $lp['host'] ) ) {
		$location = $default;
	}

	return $location;
}

View on Trac View on GitHub

Top ↑

Hooks

Top ↑

Top ↑

Used By

Used By
Used By Description
WP_Customize_Manager::set_return_url() wp-includes/class-wp-customize-manager.php

Sets URL to link the user to when closing the Customizer.
WP_Customize_Manager::set_preview_url() wp-includes/class-wp-customize-manager.php

Sets the initial URL to be previewed.
wp_safe_redirect() wp-includes/pluggable.php

Performs a safe (local) redirect, using wp_redirect() .
wp_nonce_ays() wp-includes/functions.php

Displays “Are You Sure” message to confirm the action being taken.
wp_get_referer() wp-includes/functions.php

Retrieves referer from ‘_wp_http_referer’ or HTTP referer.
wp_get_original_referer() wp-includes/functions.php

Retrieves original referer that was posted, if it exists.
allowed_http_request_hosts() wp-includes/http.php

Mark allowed redirect hosts safe for HTTP requests as well.
Show 2 more used by Hide more used by

Top ↑

Changelog

Changelog
Version Description
2.8.1 Introduced.

Top ↑

User Contributed Notes

You must log in before being able to contribute a note or feedback.