wp_validate_redirect() WP 1.0

Validates a URL for use in a redirect.

Checks whether $location uses an allowed host, if it has an absolute path. A plugin can therefore add hosts to, or remove hosts from, the list (through the allowed_redirect_hosts filter).

If the host is not allowed, then the redirect is to the supplied $default.

This is a pluggable function, so a plugin can replace it. That means the function is defined only after all plugins have been loaded (included); before that point it does not exist. You therefore cannot call it, or any function that depends on it, directly from plugin code while the plugin is loading. Call them on the plugins_loaded hook or later, for example on the init hook.

Function replacement (override): if a plugin defines a function with the same name, that function replaces this one.

1 time = 0.003549s = very slow | 50000 times = 2.44s = fast | PHP 7.0.32, WP 5.1.1

Hooks from the function

allowed_redirect_hosts

Return

String. Redirect-sanitized URL.

Usage

wp_validate_redirect( $location, $default );
$location(string) (required)
The redirect to validate
$default(string)
The value to return if $location is not allowed
Default: ''

Changelog

Since 2.8.1 Introduced.

Code of wp_validate_redirect() WP 5.5.3

<?php
function wp_validate_redirect( $location, $default = '' ) {
	$location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
	// Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'.
	if ( '//' === substr( $location, 0, 2 ) ) {
		$location = 'http:' . $location;
	}

	// In PHP 5 parse_url() may fail if the URL query part contains 'http://'.
	// See https://bugs.php.net/bug.php?id=38143
	$cut  = strpos( $location, '?' );
	$test = $cut ? substr( $location, 0, $cut ) : $location;

	$lp = parse_url( $test );

	// Give up if malformed URL.
	if ( false === $lp ) {
		return $default;
	}

	// Allow only 'http' and 'https' schemes. No 'data:', etc.
	if ( isset( $lp['scheme'] ) && ! ( 'http' === $lp['scheme'] || 'https' === $lp['scheme'] ) ) {
		return $default;
	}

	if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) {
		$path = '';
		if ( ! empty( $_SERVER['REQUEST_URI'] ) ) {
			$path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' );
			$path = wp_normalize_path( $path );
		}
		$location = '/' . ltrim( $path . '/', '/' ) . $location;
	}

	// Reject if certain components are set but host is not.
	// This catches URLs like https:host.com for which parse_url() does not set the host field.
	if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
		return $default;
	}

	// Reject malformed components parse_url() can return on odd inputs.
	foreach ( array( 'user', 'pass', 'host' ) as $component ) {
		if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
			return $default;
		}
	}

	$wpp = parse_url( home_url() );

	/**
	 * Filters the list of allowed hosts to redirect to.
	 *
	 * @since 2.3.0
	 *
	 * @param string[] $hosts An array of allowed host names.
	 * @param string   $host  The host name of the redirect destination; empty string if not set.
	 */
	$allowed_hosts = (array) apply_filters( 'allowed_redirect_hosts', array( $wpp['host'] ), isset( $lp['host'] ) ? $lp['host'] : '' );

	if ( isset( $lp['host'] ) && ( ! in_array( $lp['host'], $allowed_hosts, true ) && strtolower( $wpp['host'] ) !== $lp['host'] ) ) {
		$location = $default;
	}

	return $location;
}
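The following plugin sketch is an added example, not part of the original page or of WordPress core. It combines the points above: it extends the allowed-host list through the allowed_redirect_hosts filter, calls wp_validate_redirect() only from the init hook, and falls back to $default when the input is rejected. The plugin name, the `return_to` query parameter and the host `sso.example.com` are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Redirect Guard Example
 * Hypothetical plugin; 'return_to' and 'sso.example.com' are constructed for illustration.
 */

// Extend the allowlist. Hosts are matched with a strict in_array(), so list each
// host exactly as it will appear in the URL; subdomains are not implied.
add_filter(
	'allowed_redirect_hosts',
	function ( $hosts, $requested_host ) {
		$hosts[] = 'sso.example.com';
		return $hosts;
	},
	10,
	2
);

// wp_validate_redirect() is pluggable, so call it on 'init' (or any hook at or after
// 'plugins_loaded'), never while the plugin file itself is being loaded.
add_action(
	'init',
	function () {
		if ( ! isset( $_GET['return_to'] ) || ! is_string( $_GET['return_to'] ) ) {
			return;
		}

		$requested = wp_unslash( $_GET['return_to'] );
		$fallback  = home_url( '/' );

		// Returns the sanitized URL, or $fallback if the URL is malformed, uses a
		// scheme other than http/https, or names a host that is not allowed.
		$target = wp_validate_redirect( $requested, $fallback );

		if ( $target === $fallback && $requested !== $fallback ) {
			// Rejected input: record it for review instead of following it.
			error_log( 'Redirect rejected for return_to=' . rawurlencode( $requested ) );
		}

		wp_redirect( $target );
		exit;
	}
);
```

Relative paths such as `/wp-admin/` carry no host and pass through, so the fallback branch is reached only for malformed URLs, disallowed schemes and hosts outside the list.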
