Question: why does wp_sanitize_redirect strip out @ signs, exactly? Anybody could anyway try to load a URL with an @ sign in it – is there some security issue I'm not thinking about?
Just take a look at the source:
    function wp_sanitize_redirect($location) {
        // Drop every character outside the whitelist; the "i" modifier makes it case-insensitive
        $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!]|i', '', $location);
        // Strip NUL bytes (and their escaped forms) that could truncate the string downstream
        $location = wp_kses_no_null($location);
        // remove %0d and %0a from location
        // _deep_replace() repeats the replacement until none of the needles is left,
        // so nested forms such as "%0%0dd" cannot re-assemble into "%0d" after one pass
        $strip = array('%0d', '%0a', '%0D', '%0A');
        $location = _deep_replace($strip, $location);
        return $location;
    }
So the only characters the preg_replace allows are:

- lower case a-z
- numbers
- and ~+_.?#=&;,/:%!
What does that mean for URIs and URLs?
The PHP function urlencode() replaces all non-alphanumeric characters, except -_., with a % (percent) character followed by two hexadecimal values, and spaces with a +. If you use rawurlencode(), it also strips the +. As you can see from the preg_replace(), it allows all URL-encoded/prepared characters, so it's safe to throw such encoded characters/URL parts into the game.