Summery Summery
Validates a URL for use in a redirect.
Syntax Syntax
Description Description
Checks whether the $location is using an allowed host, if it has an absolute path. A plugin can therefore set or remove allowed host(s) to or from the list.
If the host is not allowed, then the redirect is to $default supplied
Parameters Parameters
- $location
-
(Required) The redirect to validate
- $default
-
(Optional) The value to return if $location is not allowed
Default value: ''
Return Return
(string) redirect-sanitized URL
Source Source
File: wp-includes/pluggable.php
/** * Validates a URL for use in a redirect. * * Checks whether the $location is using an allowed host, if it has an absolute * path. A plugin can therefore set or remove allowed host(s) to or from the * list. * * If the host is not allowed, then the redirect is to $default supplied * * @since 2.8.1 * * @param string $location The redirect to validate * @param string $default The value to return if $location is not allowed * @return string redirect-sanitized URL */ function wp_validate_redirect( $location, $default = '' ) { $location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) ); // Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'. if ( '//' === substr( $location, 0, 2 ) ) { $location = 'http:' . $location; } // In PHP 5 parse_url() may fail if the URL query part contains 'http://'. // See https://bugs.php.net/bug.php?id=38143 $cut = strpos( $location, '?' ); $test = $cut ? substr( $location, 0, $cut ) : $location; $lp = parse_url( $test ); // Give up if malformed URL. if ( false === $lp ) { return $default; } // Allow only 'http' and 'https' schemes. No 'data:', etc. if ( isset( $lp['scheme'] ) && ! ( 'http' === $lp['scheme'] || 'https' === $lp['scheme'] ) ) { return $default; } if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) { $path = ''; if ( ! empty( $_SERVER['REQUEST_URI'] ) ) { $path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' ); $path = wp_normalize_path( $path ); } $location = '/' . ltrim( $path . '/', '/' ) . $location; } // Reject if certain components are set but host is not. // This catches URLs like https:host.com for which parse_url() does not set the host field. if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) { return $default; } // Reject malformed components parse_url() can return on odd inputs. foreach ( array( 'user', 'pass', 'host' ) as $component ) { if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) { return $default; } } $wpp = parse_url( home_url() ); /** * Filters the list of allowed hosts to redirect to.
Advertisement
Changelog Changelog
Version | Description |
---|---|
2.8.1 | Introduced. |