[wp-trac] [WordPress Trac] #36998: wp_sanitize_redirect() strips spaces out of URLs instead of encoding them

WordPress Trac noreply at wordpress.org
Thu Jun 2 11:20:34 UTC 2016


#36998: wp_sanitize_redirect() strips spaces out of URLs instead of encoding them
--------------------------+-----------------------------
 Reporter:  hlashbrooke   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Formatting    |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 This is similar to #17052, #10690 and one or two others that relate to
 non-ASCII characters being stripped from URLs, however I couldn't find a
 ticket that relates directly to spaces being stripped out in the
 `wp_sanitize_redirect()` function. This function is called when using
 `wp_redirect()` or `wp_safe_redirect()` and, when it is called, it strips
 out the spaces from URLs instead of encoding them as `%20` (which I would
 think would be the correct way of doing things). This results in
 unexpected behaviour and broken redirects when passing a URL with spaces
 to `wp_redirect()`.

 The cause for this will likely be the same as what was fixed in #23605 for
 the `esc_url()` function, but this is in a separate location so I'm not
 100% sure if the same fix will apply.

 The fix for `esc_url()` was to simply add `$url = str_replace( ' ', '%20',
 $url );`, which works just fine, but the case in `wp_sanitize_redirect()`
 may be a bit different (although I don't see why it would be).

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36998>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
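
The difference between stripping and encoding, as an added example that is not part of the original ticket and is not WordPress core code. The `demo_*` function names, the character allow-list and the sample URLs are assumptions made for illustration; the `str_replace()` line is the `esc_url()` fix quoted in the ticket.

```php
<?php
// Added illustration, not WordPress core code. The allow-list below is an
// assumption that models a "remove every character not on the list" filter.

// Hypothetical stand-in for the stripping step the ticket describes:
// a space is not on the allow-list, so it is deleted outright.
function demo_strip_disallowed( $location ) {
    return preg_replace( '|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location );
}

// Same filter, with the one-line fix quoted in the ticket applied first.
// Order matters: once the filter has run, the spaces are gone and can no
// longer be encoded.
function demo_encode_then_strip( $location ) {
    $location = str_replace( ' ', '%20', $location );
    return demo_strip_disallowed( $location );
}

// Constructed sample URLs.
$samples = array(
    'https://example.com/my page/?s=two words',
    'https://example.com/files/annual report 2016.pdf',
    'https://example.com/already%20encoded/',
);

foreach ( $samples as $url ) {
    printf( "input:    %s\n", $url );
    printf( "stripped: %s\n", demo_strip_disallowed( $url ) );
    printf( "encoded:  %s\n\n", demo_encode_then_strip( $url ) );
}
```

The stripped form names a different path and query than the caller passed in, while the encoded form still identifies the same resource; a URL that is already percent-encoded passes through both variants unchanged.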

