[wp-trac] [WordPress Trac] #31866: wp_redirect strips out special characters

WordPress Trac noreply at wordpress.org
Sun Apr 26 16:19:14 UTC 2015


#31866: wp_redirect strips out special characters
---------------------------+------------------------------
 Reporter:  Milmor         |       Owner:
     Type:  defect (bug)   |      Status:  closed
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  General        |     Version:  4.1.1
 Severity:  normal         |  Resolution:  worksforme
 Keywords:  needs-testing  |     Focuses:
---------------------------+------------------------------
Changes (by Milmor):

 * keywords:  reporter-feedback => needs-testing
 * status:  new => closed
 * resolution:   => worksforme


Comment:

 Hi @DrewAPicture,
 with WordPress 4.2 I don't get that error!

 In fact I found that the function '''wp_sanitize_redirect()''' in
 wp-includes/pluggable.php has been changed.

 WordPress 4.1:
 {{{
 $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location);
 $location = wp_kses_no_null($location);

 // remove %0d and %0a from location
 $strip = array('%0d', '%0a', '%0D', '%0A');
 $location = _deep_replace($strip, $location);
 return $location;
 }}}

 WordPress 4.2:
 {{{
 $regex = '/
 (
 (?: [\xC2-\xDF][\x80-\xBF]        # double-byte sequences   110xxxxx 10xxxxxx
 |   \xE0[\xA0-\xBF][\x80-\xBF]    # triple-byte sequences   1110xxxx 10xxxxxx * 2
 |   [\xE1-\xEC][\x80-\xBF]{2}
 |   \xED[\x80-\x9F][\x80-\xBF]
 |   [\xEE-\xEF][\x80-\xBF]{2}
 |   \xF0[\x90-\xBF][\x80-\xBF]{2} # four-byte sequences   11110xxx 10xxxxxx * 3
 |   [\xF1-\xF3][\x80-\xBF]{3}
 |   \xF4[\x80-\x8F][\x80-\xBF]{2}
 ){1,50}                              # ...one or more times
 )/x';
 $location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
 $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location);
 $location = wp_kses_no_null($location);

 // remove %0d and %0a from location
 $strip = array('%0d', '%0a', '%0D', '%0A');
 $location = _deep_replace($strip, $location);
 return $location;
 }}}

 Now the function returns the correct URL.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/31866#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
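
The difference between the two quoted versions, as an added example that is not part of the original message and is not WordPress's own code: in 4.1 the ASCII allowlist deletes the bytes of any non-ASCII character, while in 4.2 well-formed UTF-8 sequences are percent-encoded first and so pass the allowlist. Assumptions: `sanitize_41()`, `sanitize_42()` and `strip_crlf()` are hypothetical names, the callback stands in for `_wp_sanitize_utf8_in_redirect()` by applying `urlencode()` to the match, `wp_kses_no_null()` is left out, and the sample URLs are constructed.

```php
<?php
// Added example: sanitize_41(), sanitize_42() and strip_crlf() are hypothetical names.
const ALLOWLIST = '|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i';

// Stand-in for _deep_replace(): repeat until nothing changes, so that
// removing one token cannot leave another one behind.
function strip_crlf(string $location): string {
    $strip = array('%0d', '%0a', '%0D', '%0A');
    do {
        $before   = $location;
        $location = str_replace($strip, '', $location);
    } while ($location !== $before);
    return $location;
}

// 4.1 behaviour: every byte outside the ASCII allowlist is deleted.
function sanitize_41(string $location): string {
    return strip_crlf(preg_replace(ALLOWLIST, '', $location));
}

// 4.2 behaviour: well-formed UTF-8 multi-byte runs are percent-encoded first.
function sanitize_42(string $location): string {
    $regex = '/(
        (?: [\xC2-\xDF][\x80-\xBF]
        |   \xE0[\xA0-\xBF][\x80-\xBF]
        |   [\xE1-\xEC][\x80-\xBF]{2}
        |   \xED[\x80-\x9F][\x80-\xBF]
        |   [\xEE-\xEF][\x80-\xBF]{2}
        |   \xF0[\x90-\xBF][\x80-\xBF]{2}
        |   [\xF1-\xF3][\x80-\xBF]{3}
        |   \xF4[\x80-\x8F][\x80-\xBF]{2}
        ){1,50}
    )/x';
    // Stand-in for _wp_sanitize_utf8_in_redirect() (assumed: urlencode the match).
    $location = preg_replace_callback($regex, function ($m) {
        return urlencode($m[0]);
    }, $location);
    return strip_crlf(preg_replace(ALLOWLIST, '', $location));
}

// Constructed sample inputs.
$samples = array(
    'utf8'    => 'http://example.com/caffè?città=Forlì',
    'invalid' => "http://example.com/a\xC3" . 'b',     // lone lead byte, not valid UTF-8
    'crlf'    => 'http://example.com/%0d%0aX',          // encoded CR/LF is removed by both
);
foreach ($samples as $label => $url) {
    printf("%-8s 4.1: %s\n         4.2: %s\n", $label, sanitize_41($url), sanitize_42($url));
}
```

Only the `utf8` sample differs between the two versions; the malformed byte and the encoded CR/LF are still stripped in 4.2 because the allowlist and the `%0d`/`%0a` removal run after the encoding step.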

