[wp-trac] [WordPress Trac] #31335: wp_logout_url: redirect character escape &

WordPress Trac noreply at wordpress.org
Sun Jul 26 00:50:49 UTC 2015

#31335: wp_logout_url: redirect character escape &
 Reporter:  adaldesign              |       Owner:
     Type:  defect (bug)            |      Status:  reopened
 Priority:  normal                  |   Milestone:
Component:  Login and Registration  |     Version:  4.1
 Severity:  normal                  |  Resolution:
 Keywords:  2nd-opinion             |     Focuses:
Changes (by maratbn):

 * status:  closed => reopened
 * resolution:  worksforme =>


 Replying to [comment:1 Bishoy.A]:
 > I am unable to duplicate this issue. It's working here fine on a fresh


 I don't think you checked well enough as I'm able to duplicate this bug
 very easily, and I can also identify what's causing this problem.

 To duplicate this bug, all that's necessary is to call the function
 {{{wp_logout_url(...)}}} with a value for some redirect URL, say
 {{{xyz}}}.  The function {{{wp_logout_url(...)}}} will use the function
 {{{add_query_arg(...)}}} to properly add the query string
 {{{&redirect_to=xyz}}} to the URL, and everything will be fine up to this

 However, what will happen next is that the function
 {{{wp_logout_url(...)}}} will call the function {{{wp_nonce_url(...)}}},
 which will escape the {{{&}}} into its HTML entity {{{&amp;}}}.

 I took a look at the source code of {{{wp_nonce_url(...)}}}, and it looks
 very strange.  First it unescapes any {{{&amp;}}} into {{{&}}}, then it
 adds the nonce, and then it escapes all {{{&}}} to {{{&amp;}}} via a call to
 {{{esc_html(...)}}}.  I don't think this unescaping/escaping logic should
 even be in {{{wp_nonce_url(...)}}}.

 A good temporary fix for this bug would be to move the core nonce-adding
 logic into a new function, something like {{{wp_nonce_url_pure(...)}}}
 whose job would be only to add the nonce, but not do any of the
 unescaping/escaping, and use this new function from

 The original {{{wp_nonce_url(...)}}} could then call
 {{{wp_nonce_url_pure(...)}}} to be backward-compatible with the current
 logic that calls {{{wp_nonce_url(...)}}}, but in general there seems to be
 something wrong with the way {{{wp_nonce_url(...)}}} is coded and called.
 So the long-term solution would be to refactor the logic that would need
 {{{wp_nonce_url(...)}}} to return an encoded result.

 Taking a look at
 {{{https://wordpress.org/support/topic/wp_logout_url-not-redirecting}}}
 indicates that this problem has been present for a while.
 The solution presented in the last post to that thread may not work if the
 redirect URL also contains query strings.

 For anyone dealing with this problem while it still persists in the
 WordPress core, I would recommend duplicating the logic in
 {{{wp_logout_url(...)}}} in your own project, but instead of calling
 {{{wp_nonce_url(...)}}}, have it call your own function like the
 theoretical {{{wp_nonce_url_pure(...)}}} that I described above.

Ticket URL: <https://core.trac.wordpress.org/ticket/31335#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
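
As an added example (not code from the ticket, the reporter, or WordPress
core), below is a theme- or plugin-side version of the workaround the
comment describes: a helper that only adds the nonce and does no entity
escaping, a logout URL builder that mirrors wp_logout_url() but calls that
helper instead of wp_nonce_url(), and an output function that escapes the
URL once, at the point where it is placed into HTML. The example_ prefixed
names are hypothetical; wp_create_nonce(), add_query_arg(), site_url(),
home_url(), esc_url() and esc_html() are existing WordPress core functions.

```php
<?php
/**
 * Added example (hypothetical name, not in WordPress core): add a nonce to
 * a URL and return it raw. Unlike wp_nonce_url(), there is no
 * str_replace('&amp;', '&', ...) before and no esc_html() after, so the
 * '&' separators in the query string are left as-is for the caller to
 * escape in whatever context the URL is finally used.
 */
function example_nonce_url_pure( $actionurl, $action = -1, $name = '_wpnonce' ) {
	return add_query_arg( $name, wp_create_nonce( $action ), $actionurl );
}

/**
 * Added example: same steps as wp_logout_url() in 4.1, except the final
 * nonce step uses example_nonce_url_pure(), so "&redirect_to=..." is not
 * turned into "&amp;redirect_to=..." inside the returned string.
 */
function example_logout_url( $redirect = '' ) {
	$args = array( 'action' => 'logout' );
	if ( ! empty( $redirect ) ) {
		// urlencode() keeps any '&' or '=' inside the redirect target as
		// part of the redirect_to value instead of splitting the query.
		$args['redirect_to'] = urlencode( $redirect );
	}
	$logout_url = add_query_arg( $args, site_url( 'wp-login.php', 'login' ) );
	return example_nonce_url_pure( $logout_url, 'log-out' );
}

/**
 * Added example: escape exactly once, at output time. esc_url() entity-
 * encodes '&' for the HTML attribute context; the browser decodes it back
 * to '&' when following the link, so wp-login.php sees the real query.
 */
function example_logout_link( $redirect = '', $text = 'Log out' ) {
	return '<a href="' . esc_url( example_logout_url( $redirect ) ) . '">'
		. esc_html( $text ) . '</a>';
}

// Usage in a template. The redirect target carries its own query string,
// which is the case the comment notes the support-thread workaround may
// not handle; urlencode() above keeps it intact inside redirect_to.
// echo example_logout_link( home_url( '/?view=list&page=2' ) );
```

The design choice here is the one the comment argues for: the function that
builds the URL returns a plain URL, and escaping happens in the caller at
the output boundary. If the raw result of example_logout_url() is echoed
into markup without esc_url(), the HTML will contain unescaped '&', so the
output step is not optional; it has simply moved to where the context is
known.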
