Performs a safe (local) redirect, using wp_redirect() .

Description

Checks whether the $location is using an allowed host, if it has an absolute path. A plugin can therefore set or remove allowed host(s) to or from the list.

If the host is not allowed, then the redirect defaults to wp-admin on the siteurl instead. This prevents malicious redirects which redirect to another host, but only used in a few places.

Note: wp_safe_redirect() does not exit automatically, and should almost always be followed by a call to exit;:

wp_safe_redirect( $url );
exit;

Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional in conjunction with the ‘wp_redirect’ and ‘wp_redirect_status’ filters:

if ( wp_safe_redirect( $url ) ) {
    exit;
}

Parameters

$locationstringrequired

The path or URL to redirect to.

$statusintoptional

HTTP response status code to use. Default '302' (Moved Temporarily).

Default:302

$x_redirect_bystring|falseoptional

The application doing the redirect or false to omit. Default 'WordPress'.

Default:'WordPress'

Return

Source

function wp_safe_redirect( $location, $status = 302, $x_redirect_by = 'WordPress' ) {

	// Need to look at the URL the way it will end up in wp_redirect().
	$location = wp_sanitize_redirect( $location );

	/**
	 * Filters the redirect fallback URL for when the provided redirect is not safe (local).
	 *
	 * @since 4.3.0
	 *
	 * @param string $fallback_url The fallback URL to use by default.
	 * @param int    $status       The HTTP response status code to use.
	 */
	$fallback_url = apply_filters( 'wp_safe_redirect_fallback', admin_url(), $status );

	$location = wp_validate_redirect( $location, $fallback_url );

	return wp_redirect( $location, $status, $x_redirect_by );
}

View all references View on Trac View on GitHub

Hooks

apply_filters( ‘wp_safe_redirect_fallback’, string $fallback_url, int $status )

Filters the redirect fallback URL for when the provided redirect is not safe (local).

Changelog