
wp_validate_redirect() WP 1.0

Validates a URL for use in a redirect.

Checks whether the $location is using an allowed host, if it has an absolute path. A plugin can therefore set or remove allowed host(s) to or from the list.

If the host is not allowed, then the redirect goes to the supplied $default.

This is a pluggable function, so a plugin can replace it. It is therefore defined only after all plugins have been loaded (included); before that point the function does not exist. You cannot call it, or any function that depends on it, directly from plugin code at load time. Call it on the plugins_loaded hook or later, for example on the init hook.

Function replacement (override): a plugin can define a function with the same name, which then replaces this function.

✈ 1 time = 0.003549s = very slow | 50000 times = 2.44s = fast | PHP 7.0.32, WP 5.1.1

Hooks in function

allowed_redirect_hosts (filter)

Return

String. The redirect-sanitized URL.

Usage

wp_validate_redirect( $location, $default );
$location(string) (required)
The redirect to validate
$default(string)
The value to return if $location is not allowed
Default: ''
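
An added usage example (not part of the original page or of WordPress core): a plugin that extends the allow-list through the allowed_redirect_hosts filter and validates a user-supplied return URL on the init hook. The function names, the myplugin_return_to query parameter and the host accounts.example.com are hypothetical; the code assumes it runs as a plugin file inside WordPress.

```php
<?php
/**
 * Plugin Name: Redirect validation example (hypothetical)
 */

// Extend the allow-list. wp_validate_redirect() compares the parsed host
// against this list with an exact match, so each subdomain that should be
// reachable has to be listed on its own.
add_filter( 'allowed_redirect_hosts', 'myplugin_allowed_redirect_hosts', 10, 2 );
function myplugin_allowed_redirect_hosts( $hosts, $host ) {
	// $host is the host parsed from the URL being checked ('' if none).
	$hosts[] = 'accounts.example.com'; // constructed sample host
	return $hosts;
}

// The function is pluggable, so it does not exist yet while plugin files are
// being included. Run the check on init instead of at load time.
add_action( 'init', 'myplugin_handle_return_to' );
function myplugin_handle_return_to() {
	// Hypothetical query parameter carrying the requested destination.
	if ( ! isset( $_GET['myplugin_return_to'] ) || ! is_string( $_GET['myplugin_return_to'] ) ) {
		return;
	}
	$requested = wp_unslash( $_GET['myplugin_return_to'] );

	// A disallowed host, a scheme other than http/https or a malformed URL
	// yields the fallback. A location without a host (for example
	// '/wp-admin/') is returned unchanged.
	$target = wp_validate_redirect( $requested, home_url( '/' ) );

	// wp_safe_redirect() sanitizes the location and validates it once more
	// before sending the Location header.
	wp_safe_redirect( $target );
	exit;
}
```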

Code of wp_validate_redirect(): wp-includes/pluggable.php, WP 5.2.2

<?php
function wp_validate_redirect( $location, $default = '' ) {
	$location = trim( $location, " \t\n\r\0\x08\x0B" );
	// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
	if ( substr( $location, 0, 2 ) == '//' ) {
		$location = 'http:' . $location;
	}

	// In php 5 parse_url may fail if the URL query part contains http://, bug #38143
	$test = ( $cut = strpos( $location, '?' ) ) ? substr( $location, 0, $cut ) : $location;

	// @-operator is used to prevent possible warnings in PHP < 5.3.3.
	$lp = @parse_url( $test );

	// Give up if malformed URL
	if ( false === $lp ) {
		return $default;
	}

	// Allow only http and https schemes. No data:, etc.
	if ( isset( $lp['scheme'] ) && ! ( 'http' == $lp['scheme'] || 'https' == $lp['scheme'] ) ) {
		return $default;
	}

	// Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
	if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
		return $default;
	}

	// Reject malformed components parse_url() can return on odd inputs.
	foreach ( array( 'user', 'pass', 'host' ) as $component ) {
		if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
			return $default;
		}
	}

	$wpp = parse_url( home_url() );

	/**
	 * Filters the whitelist of hosts to redirect to.
	 *
	 * @since 2.3.0
	 *
	 * @param array       $hosts An array of allowed hosts.
	 * @param bool|string $host  The parsed host; empty if not isset.
	 */
	$allowed_hosts = (array) apply_filters( 'allowed_redirect_hosts', array( $wpp['host'] ), isset( $lp['host'] ) ? $lp['host'] : '' );

	if ( isset( $lp['host'] ) && ( ! in_array( $lp['host'], $allowed_hosts ) && $lp['host'] != strtolower( $wpp['host'] ) ) ) {
		$location = $default;
	}

	return $location;
}
