WordPress at a glance

wp_sanitize_redirect() WP 1.0

Sanitizes a URL for use in a redirect.

This is a pluggable function: a plugin can replace it. As a consequence it is defined (and usable) only after all plugins have been loaded (included); before that moment the function does not exist. You therefore cannot call it, or any function that depends on it, directly from plugin code at file level. Such calls must be made from the plugins_loaded hook or a later one, for example init.

Function replacement (override): a plugin can define a function with the same name, and that definition replaces this one.

Is the basis for: wp_safe_redirect()
Works based on: wp_kses_no_null()
✈ 1 time = 0.000309s = fast | 50000 times = 0.20s = very fast | PHP 7.1.5, WP 4.8.2

No Hooks.


Return value: String. Redirect-sanitized URL.


Usage

wp_sanitize_redirect( $location );

$location (string) (required)
    The path to redirect to.


Since 2.3.0: introduced.

Code of wp_sanitize_redirect(): wp-includes/pluggable.php, WP 5.2.4

function wp_sanitize_redirect( $location ) {
	// Matches runs of well-formed UTF-8 multibyte sequences so that
	// _wp_sanitize_utf8_in_redirect() can percent-encode them instead of
	// letting the ASCII whitelist below strip them.
	$regex    = '/
		(
			(?: [\xC2-\xDF][\x80-\xBF]        # double-byte sequences   110xxxxx 10xxxxxx
			|   \xE0[\xA0-\xBF][\x80-\xBF]    # triple-byte sequences   1110xxxx 10xxxxxx * 2
			|   [\xE1-\xEC][\x80-\xBF]{2}
			|   \xED[\x80-\x9F][\x80-\xBF]
			|   [\xEE-\xEF][\x80-\xBF]{2}
			|   \xF0[\x90-\xBF][\x80-\xBF]{2} # four-byte sequences   11110xxx 10xxxxxx * 3
			|   [\xF1-\xF3][\x80-\xBF]{3}
			|   \xF4[\x80-\x8F][\x80-\xBF]{2}
		){1,40}                              # ...one or more times
		)/x';
	$location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
	// Drop every character outside the URL whitelist (case-insensitive);
	// this also removes raw CR, LF and other control bytes.
	$location = preg_replace( '|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location );
	// Remove NUL and similar low control characters.
	$location = wp_kses_no_null( $location );

	// remove %0d and %0a from location
	$strip = array( '%0d', '%0a', '%0D', '%0A' );
	return _deep_replace( $strip, $location );
}
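The following plugin is an added example, not WordPress core code and not taken from this page. It illustrates both points made above: the pluggable-function timing and override rules described at the top, and what the sanitizer code does and does not do (it cleans characters but never checks the host, which is why wp_safe_redirect() layers wp_validate_redirect() on top of it). The plugin name, the rsd_ function names, the rsd_redirect request parameter and the sso.example.com host are placeholders chosen for this example; wp_validate_redirect(), wp_unslash(), home_url(), wp_redirect() and the allowed_redirect_hosts filter are real WordPress APIs. The override at the end is optional and is stricter than core (non-ASCII bytes are dropped rather than percent-encoded), so it is shown only to make the replacement mechanism concrete.

```php
<?php
/**
 * Plugin Name: Redirect Sanitize Demo
 * Description: Added example, not WordPress core code. Shows where
 *              wp_sanitize_redirect() may be called, how a plugin can
 *              override it, and why it is paired with host validation.
 */

// Override (optional). pluggable.php defines wp_sanitize_redirect() only if no
// plugin has already done so, so a definition here replaces core's version.
// The function_exists() guard avoids a fatal error if another plugin also
// overrides it. This variant is stricter than core: it drops non-ASCII bytes
// instead of percent-encoding them.
if ( ! function_exists( 'wp_sanitize_redirect' ) ) {
	function wp_sanitize_redirect( $location ) {
		$location = (string) $location;
		// Keep only the URL characters core allows; this also removes raw CR, LF and NUL.
		$location = preg_replace( '|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location );
		// Remove percent-encoded CR/LF repeatedly, as core's _deep_replace() does,
		// so that nested forms such as %%0d0d cannot leave one behind.
		do {
			$before   = $location;
			$location = str_ireplace( array( '%0d', '%0a' ), '', $location );
		} while ( $before !== $location );
		return $location;
	}
}

// At plugin file scope pluggable.php has not been included yet, so a direct
// call like the commented line below is an "undefined function" fatal error
// unless this plugin's own override above happens to be active:
//   $clean = wp_sanitize_redirect( '/wp-admin/' );
// Calls belong in a callback on plugins_loaded or a later hook such as init.
add_action( 'init', 'rsd_handle_redirect_param' );

function rsd_handle_redirect_param() {
	// The request parameter name is an assumption of this example.
	if ( ! isset( $_GET['rsd_redirect'] ) ) {
		return;
	}
	$raw = wp_unslash( $_GET['rsd_redirect'] );

	// Step 1: character-level cleanup. NUL bytes, encoded CR/LF and every
	// character outside the URL whitelist are removed.
	$clean = wp_sanitize_redirect( $raw );

	// Step 2: wp_sanitize_redirect() never inspects the host, so an absolute URL
	// to a foreign site comes back from step 1 unchanged. wp_validate_redirect()
	// keeps relative paths, the site's own host and the hosts returned by the
	// allowed_redirect_hosts filter; anything else becomes the fallback.
	$target = wp_validate_redirect( $clean, home_url( '/' ) );

	// wp_safe_redirect( $raw ) performs both steps in one call; they are split
	// here only to make the division of labour visible.
	wp_redirect( $target );
	exit;
}

// Extra hosts accepted by wp_validate_redirect(). The hostname is a placeholder.
add_filter( 'allowed_redirect_hosts', 'rsd_allowed_hosts' );
function rsd_allowed_hosts( $hosts ) {
	$hosts[] = 'sso.example.com';
	return $hosts;
}
```

Drop the override block and the plugin behaves exactly like core; keep it and remember that every caller of wp_sanitize_redirect(), including wp_safe_redirect(), now runs the stricter version, which is the usual cost of replacing a pluggable function.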
