wp_validate_redirect

Validates a URL for use in a redirect.

Description

(string) wp_validate_redirect( (string) $location, (string) $default = '' ); 

Checks whether the $location is using an allowed host, if it has an absolute path. A plugin can therefore set or remove allowed host(s) to or from the list.

If the host is not allowed, the function returns the supplied $default instead.

Returns (string)

redirect-sanitized URL

Parameters (2)

0. $location (string)
The redirect to validate
1. $default — Optional. (string) => ''
The value to return if $location is not allowed

Usage

    if ( ! function_exists( 'wp_validate_redirect' ) ) {
        require_once ABSPATH . WPINC . '/pluggable.php';
    }

    // The redirect to validate
    $location = '';

    // The value to return if $location is not allowed
    $default = '';

    // NOTICE! Understand what this does before running.
    $result = wp_validate_redirect( $location, $default );

Defined (1)

The function is defined in the following location(s).

/wp-includes/pluggable.php  
    function wp_validate_redirect($location, $default = '') {
        $location = trim( $location, " \t\n\r\0\x08\x0B" );
        // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
        if ( substr($location, 0, 2) == '//' )
            $location = 'http:' . $location;

        // In php 5 parse_url may fail if the URL query part contains http://, bug #38143
        $test = ( $cut = strpos($location, '?') ) ? substr( $location, 0, $cut ) : $location;

        // @-operator is used to prevent possible warnings in PHP < 5.3.3.
        $lp = @parse_url($test);

        // Give up if malformed URL
        if ( false === $lp )
            return $default;

        // Allow only http and https schemes. No data:, etc.
        if ( isset($lp['scheme']) && !('http' == $lp['scheme'] || 'https' == $lp['scheme']) )
            return $default;

        // Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field.
        if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) {
            return $default;
        }

        // Reject malformed components parse_url() can return on odd inputs.
        foreach ( array( 'user', 'pass', 'host' ) as $component ) {
            if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) {
                return $default;
            }
        }

        $wpp = parse_url(home_url());

        /**
         * Filters the whitelist of hosts to redirect to.
         * @since 2.3.0
         * @param array $hosts An array of allowed hosts.
         * @param bool|string $host The parsed host; empty if not isset.
         */
        $allowed_hosts = (array) apply_filters( 'allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : '' );

        if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
            $location = $default;

        return $location;
    }
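
An added example (not part of the original page or of WordPress core): a plugin fragment that extends the allowed host list through the allowed_redirect_hosts filter seen in the definition above and validates a user-supplied target before redirecting. The host sso.example.com, the redirect_to parameter and the myplugin_* names are hypothetical, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example: plugin fragment, runs inside WordPress only.
// 'sso.example.com', 'redirect_to' and the myplugin_* names are hypothetical.

// Allow one extra host. wp_validate_redirect() compares the parsed host
// with in_array(), an exact string match, so listing 'example.com' would
// not cover 'sso.example.com'. Each host must be added explicitly.
function myplugin_allowed_redirect_hosts( $hosts, $requested_host ) {
	$hosts[] = 'sso.example.com';
	return $hosts;
}
add_filter( 'allowed_redirect_hosts', 'myplugin_allowed_redirect_hosts', 10, 2 );

// Turn a user-supplied redirect target into one that is safe to send.
function myplugin_redirect_target( $requested ) {
	// Fallback used whenever the requested location is rejected.
	$default = home_url( '/' );

	// An empty location has no host, so wp_validate_redirect() would
	// return it unchanged rather than $default. Handle it here, and
	// reject array input such as ?redirect_to[]=x before it reaches trim().
	if ( ! is_string( $requested ) || '' === trim( $requested ) ) {
		return $default;
	}

	// Request data is slashed by WordPress, so unslash before validating.
	return wp_validate_redirect( wp_unslash( $requested ), $default );
}

// Redirect only when the parameter is present, always to a validated URL.
function myplugin_handle_redirect() {
	if ( ! isset( $_GET['redirect_to'] ) ) {
		return;
	}
	wp_redirect( myplugin_redirect_target( $_GET['redirect_to'] ) );
	exit;
}
add_action( 'template_redirect', 'myplugin_handle_redirect' );
```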