[wp-trac] [WordPress Trac] #31335: wp_logout_url: redirect charactor escape &
WordPress Trac
noreply at wordpress.org
Sun Jul 26 00:50:49 UTC 2015
#31335: wp_logout_url: redirect charactor escape &
------------------------------------+-----------------------
Reporter: adaldesign | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Login and Registration | Version: 4.1
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
------------------------------------+-----------------------
Changes (by maratbn):
* status: closed => reopened
* resolution: worksforme =>
Comment:
Replying to [comment:1 Bishoy.A]:
> I am unable to duplicate this issue. It's working here fine on a fresh
> install.
Hi,
I don't think you checked well enough as I'm able to duplicate this bug
very easily, and I can also identify what's causing this problem.
To duplicate this bug, all that's necessary is to call the function
{{{wp_logout_url(...)}}} with a value for some redirect URL, say
{{{xyz}}}. The function {{{wp_logout_url(...)}}} will use the function
{{{add_query_arg(...)}}} to properly add the query string
{{{&redirect_to=xyz}}} to the URL, and everything will be fine up to this
point.
However, what will happen next, is that the function
{{{wp_logout_url(...)}}} will call the function {{{wp_nonce_url(...)}}},
which will escape the {{{&}}} into its HTML entity {{{&amp;}}}.
I took a look at the source code of {{{wp_nonce_url(...)}}}, and it looks
very strange. First it unescapes any {{{&amp;}}} into {{{&}}}, then it
adds the nonce, and then it escapes all {{{&}}} to {{{&amp;}}} via a call to
{{{esc_html(...)}}}. I don't think this unescaping/escaping logic should
even be in {{{wp_nonce_url(...)}}}.
A good temporary fix for this bug would be to move the core nonce-adding
logic into a new function, something like {{{wp_nonce_url_pure(...)}}}
whose job would be only to add the nonce, but not do any of the
unescaping/escaping, and use this new function from
{{{wp_logout_url(...)}}}.
The original {{{wp_nonce_url(...)}}} could then call
{{{wp_nonce_url_pure(...)}}} to be backward-compatible with the current
logic that calls {{{wp_nonce_url(...)}}}, but in general there seems to be
something wrong with the way {{{wp_nonce_url(...)}}} is coded and called.
So the long-term solution would be to refactor the logic that would need
{{{wp_nonce_url(...)}}} to return an encoded result.
Taking a look at
{{{https://wordpress.org/support/topic/wp_logout_url-not-redirecting}}}
indicates that this problem has been present for a while.
The solution presented in the last post to that thread may not work if the
redirect URL also contains query strings.
For anyone dealing with this problem while it still persists in the
WordPress core, I would recommend duplicating the logic in
{{{wp_logout_url(...)}}} in your own project, but instead of calling
{{{wp_nonce_url(...)}}}, have it call your own function like the
theoretical {{{wp_nonce_url_pure(...)}}} that I described above.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31335#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
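
The workaround described in the comment above, as an added example for a theme or plugin; it is not part of the original message and not WordPress core code. The {{{myprefix_*}}} names and the sample redirect path are hypothetical, and the example goes one step beyond the comment by showing where the HTML escaping belongs once it is removed from the URL builder.

```php
<?php
// Added example for a theme's functions.php or a small plugin; not core code.
// All myprefix_* names and the sample path are hypothetical.

// Append the nonce and nothing else: no unescaping, no esc_html().
function myprefix_nonce_url_raw( $actionurl, $action = -1, $name = '_wpnonce' ) {
	return add_query_arg( $name, wp_create_nonce( $action ), $actionurl );
}

// Same steps as wp_logout_url(), but the result keeps plain "&" separators.
function myprefix_logout_url_raw( $redirect = '' ) {
	$args = array( 'action' => 'logout' );
	if ( ! empty( $redirect ) ) {
		// Encoding the target keeps its own "?" and "&" from being parsed
		// as parameters of wp-login.php.
		$args['redirect_to'] = urlencode( $redirect );
	}
	$logout_url = add_query_arg( $args, site_url( 'wp-login.php', 'login' ) );
	return myprefix_nonce_url_raw( $logout_url, 'log-out' );
}

// HTML context: escape once, at the point of output.
function myprefix_logout_link_shortcode() {
	// Constructed sample target that carries its own query string.
	$target = home_url( '/members/?tab=profile&welcome=1' );
	return sprintf(
		'<a href="%s">%s</a>',
		esc_url( myprefix_logout_url_raw( $target ) ),
		esc_html__( 'Log out', 'myprefix' )
	);
}
add_shortcode( 'myprefix_logout_link', 'myprefix_logout_link_shortcode' );

// Redirect context: send the raw URL. An "&amp;" in a Location header would
// make PHP see a parameter named "amp;redirect_to" and no "redirect_to".
function myprefix_redirect_to_logout( $target ) {
	wp_safe_redirect( myprefix_logout_url_raw( $target ) );
	exit;
}
```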