W3cubDocs

/WordPress

wp_sanitize_redirect( string $location )

Sanitizes a URL for use in a redirect.

Parameters

$location: (string) (Required) The path to redirect to.

Return

(string) Redirect-sanitized URL.

Source

File: wp-includes/pluggable.php

function wp_sanitize_redirect( $location ) {
		// Encode spaces.
		$location = str_replace( ' ', '%20', $location );

		$regex    = '/
		(
			(?: [\xC2-\xDF][\x80-\xBF]        # double-byte sequences   110xxxxx 10xxxxxx
			|   \xE0[\xA0-\xBF][\x80-\xBF]    # triple-byte sequences   1110xxxx 10xxxxxx * 2
			|   [\xE1-\xEC][\x80-\xBF]{2}
			|   \xED[\x80-\x9F][\x80-\xBF]
			|   [\xEE-\xEF][\x80-\xBF]{2}
			|   \xF0[\x90-\xBF][\x80-\xBF]{2} # four-byte sequences   11110xxx 10xxxxxx * 3
			|   [\xF1-\xF3][\x80-\xBF]{3}
			|   \xF4[\x80-\x8F][\x80-\xBF]{2}
		){1,40}                              # ...one or more times
		)/x';
		$location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
		$location = preg_replace( '|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location );
		$location = wp_kses_no_null( $location );

		// Remove %0D and %0A from location.
		$strip = array( '%0d', '%0a', '%0D', '%0A' );
		return _deep_replace( $strip, $location );
	}

Uses

Uses	Description
wp-includes/formatting.php: _deep_replace()	Perform a deep string replace operation to ensure the values in $search are no longer present
wp-includes/kses.php: wp_kses_no_null()	Removes any invalid control characters in a text string.

Used By

Used By	Description
wp-includes/pluggable.php: wp_redirect()	Redirects to another page.
wp-includes/pluggable.php: wp_safe_redirect()	Performs a safe (local) redirect, using wp_redirect().
wp-includes/pluggable.php: wp_validate_redirect()	Validates a URL for use in a redirect.

Changelog

Version	Description
2.3.0	Introduced.

© 2003–2019 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/wp_sanitize_redirect