wp_sanitize_redirect

函数
wp_sanitize_redirect ( $location )
参数
  • (string) $location The path to redirect to.
    Required:
返回值
  • (string) Redirect-sanitized URL.
定义位置
相关方法
wp_safe_redirectwp_validate_redirectwp_redirectsanitize_user_objectwpmu_admin_do_redirect
引入
2.3.0
弃用
-

wp_sanitize_redirect: 这是一个WordPress函数,用于在将用户重定向到一个URL之前对其进行净化和验证。它检查URL是否与当前网站在同一域内,并删除任何潜在的恶意字符。

对一个URL进行净化,以便在重定向中使用。

function wp_sanitize_redirect( $location ) {
		// Encode spaces.
		$location = str_replace( ' ', '%20', $location );

		$regex    = '/
		(
			(?: [xC2-xDF][x80-xBF]        # double-byte sequences   110xxxxx 10xxxxxx
			|   xE0[xA0-xBF][x80-xBF]    # triple-byte sequences   1110xxxx 10xxxxxx * 2
			|   [xE1-xEC][x80-xBF]{2}
			|   xED[x80-x9F][x80-xBF]
			|   [xEE-xEF][x80-xBF]{2}
			|   xF0[x90-xBF][x80-xBF]{2} # four-byte sequences   11110xxx 10xxxxxx * 3
			|   [xF1-xF3][x80-xBF]{3}
			|   xF4[x80-x8F][x80-xBF]{2}
		){1,40}                              # ...one or more times
		)/x';
		$location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
		$location = preg_replace( '|[^a-z0-9-~+_.?#=&;,/:%!*[]()@]|i', '', $location );
		$location = wp_kses_no_null( $location );

		// Remove %0D and %0A from location.
		$strip = array( '%0d', '%0a', '%0D', '%0A' );
		return _deep_replace( $strip, $location );
	}

	/**
	 * URL encodes UTF-8 characters in a URL.
	 *
	 * @ignore
	 * @since 4.2.0
	 * @access private
	 *
	 * @see wp_sanitize_redirect()
	 *
	 * @param array $matches RegEx matches against the redirect location.
	 * @return string URL-encoded version of the first RegEx match.
	 */
	function _wp_sanitize_utf8_in_redirect( $matches ) {
		return urlencode( $matches[0] );
	}
endif;

if ( ! function_exists( 'wp_safe_redirect' ) ) :
	/**
	 * Performs a safe (local) redirect, using wp_redirect().
	 *
	 * Checks whether the $location is using an allowed host, if it has an absolute
	 * path. A plugin can therefore set or remove allowed host(s) to or from the
	 * list.
	 *
	 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
	 * instead. This prevents malicious redirects which redirect to another host,
	 * but only used in a few places.
	 *
	 * Note: wp_safe_redirect() does not exit automatically, and should almost always be
	 * followed by a call to `exit;`:
	 *
	 *     wp_safe_redirect( $url );
	 *     exit;
	 *
	 * Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional
	 * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} filters:
	 *
	 *     if ( wp_safe_redirect( $url ) ) {
	 *         exit;
	 *     }
	 *
	 * @since 2.3.0
	 * @since 5.1.0 The return value from wp_redirect() is now passed on, and the `$x_redirect_by` parameter was added.
	 *
	 * @param string $location      The path or URL to redirect to.
	 * @param int    $status        Optional. HTTP response status code to use. Default '302' (Moved Temporarily).
	 * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'.
	 * @return bool False if the redirect was canceled, true otherwise.
	 */

常见问题

FAQs
查看更多 >