[wp-trac] [WordPress Trac] #36998: wp_sanitize_redirect() strips spaces out of URLs instead of encoding them

WordPress Trac noreply at wordpress.org
Thu Jun 2 11:37:37 UTC 2016


#36998: wp_sanitize_redirect() strips spaces out of URLs instead of encoding them
------------------------------------------+-----------------------------
 Reporter:  hlashbrooke                   |       Owner:
     Type:  defect (bug)                  |      Status:  new
 Priority:  normal                        |   Milestone:  Future Release
Component:  Formatting                    |     Version:
 Severity:  normal                        |  Resolution:
 Keywords:  needs-patch needs-unit-tests  |     Focuses:
------------------------------------------+-----------------------------

Comment (by dd32):

 Technically speaking, spaces are invalid in a URL and stripping them out
 is correct - you should pass a well-formed URL into the redirect (so
 spaces should already be encoded). Just the same as you don't (shouldn't)
 pass (unencoded) multibyte characters in a URL to it.

 Realistically though, encoding spaces, multibyte characters, and other url
 components as long as it doesn't affect the security of the url being
 checked, is a sane thing to do. And it appears that we already urlencode
 multibyte characters.

 Also, technically speaking, in the linked example that @ocean90 gave, the
 initial URL format is invalid, as it's not properly URL encoded (the
 entire `redirect_url` parameter should be encoded, so `%20` would've
 become `%2520`) and the change wouldn't have been needed in the first
 place.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36998#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
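
The nested-parameter encoding point from the comment above, as an added example that is not part of the original message or WordPress code. The example.com URLs are constructed, `received_redirect()` is a hypothetical helper, and the `&page=2` case goes one step beyond the `%20` case in the comment.

```php
<?php
// Constructed inner URL: its query value already carries an encoded space.
$inner = 'https://example.com/search?q=hello%20world&page=2';

// Inner URL pasted into the outer query string as-is (not well-formed).
$unencoded = 'https://example.com/login?redirect_url=' . $inner;

// Whole inner URL encoded as a single parameter value: %20 becomes %2520.
$encoded = 'https://example.com/login?redirect_url=' . rawurlencode($inner);

// Hypothetical helper: what the receiving script gets after PHP decodes
// the outer query string once.
function received_redirect(string $outer): string {
    parse_str((string) parse_url($outer, PHP_URL_QUERY), $params);
    return $params['redirect_url'] ?? '';
}

foreach (['unencoded' => $unencoded, 'encoded' => $encoded] as $label => $url) {
    $got = received_redirect($url);
    // Stand-in for the space stripping named in the ticket title,
    // not the WordPress implementation.
    $stripped = str_replace(' ', '', $got);

    echo "[$label]\n";
    echo "  sent:           $url\n";
    echo "  received:       $got\n";
    echo "  spaces removed: $stripped\n";
    echo '  round-trips:    ' . ($stripped === $inner ? 'yes' : 'no') . "\n\n";
}
```

In the unencoded case the receiver gets `q=hello world` with a raw space and loses `page=2` to the outer query string, so removing the space yields `q=helloworld`; in the encoded case the inner URL arrives intact with `%20` still encoded.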

