wp_sanitize_redirect strips out @ signs (even from parameters) — why?

Question why does wp_sanitize_redirect strip out @ signs, exactly? Anybody could anyway try to load a url with an @ sign in it – is there some security issue I’m not thinking about?

Just take a look at the source:

function wp_sanitize_redirect($location) {
    $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!]|i', '', $location);
    $location = wp_kses_no_null($location);

    // remove %0d and %0a from location
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $location = _deep_replace($strip, $location);
    return $location;
}

So the only characters, the preg_replace allows are

  • lower case a-z
  • numbers
  • and ~+_.?#=&;,/:%!.

What does that mean for URIs and URLs?

The php function urlencode() replaces all no alpha-numeric chararcters, except -_. with a % (percent) character followed by two hexdecimal values and spaces with a +. If you use rawurlencode(), it also strips the +. As you can see from the preg_replace(), it allows all URL encoded/prepared characters, so it’s safe to throw such encoded characters/URL parts into the game.

Related Posts:

  1. NextGEN Gallery Lightbox – Social Share URL Redirect
  2. WordPress redirects non-existing url to existing ones – how to disable
  3. My WP_options db rewrite_rules Does Not Work
  4. Can I change default registration link (without htaccess)?
  5. Redirect HTTP to HTTPS for all sub domains (blog posts)
  6. How to remove trailing slash from root WordPress folder?
  7. Rewrites: .htaccess or wp_rewrite for bulk 301 changes?
  8. WordPress rewrite front page url
  9. URL rewrite before template_redirect called
  10. Use Parent Pages for URL Structure without Landing Page
  11. Redirect if string found in URL
  12. How to make custom WordPress page deliver search results
  13. How to create custom URL routes?
  14. How do you create a “virtual” page in WordPress
  15. How to create a front end user profile with a friendly permalink
  16. Use a template file for a specific url without creating a page
  17. Using the Rewrite API to Construct a RESTful URL
  18. Does WordPress keep track of a post’s URL history and provide automatic redirects?
  19. Change the “page” slug in pagination
  20. Understanding add_rewrite_rule
  21. Override default url for author pages?
  22. web.config conflict on IIS
  23. Rewrite Slug for CPT Archive Pages to Plural Name of Slug
  24. Change author base slug for different roles
  25. Pretty permalinks for search results with extra query var
  26. Masking wp-content/themes/name/images to just images directory using htaccess
  27. Two (or more) parallel (sub-)TLDs that are retained when surfing the site / dynamically set the site address?
  28. Using custom/dynamic “slug” for a page
  29. How to make pages slug have priority over any other taxonomies like custom-post, post or category
  30. Rewrite rules not working in WordPress
  31. How to retrieve $_GET variables from rewritten URLs?
  32. Dynamic Endpoints
  33. Passing parameters to a custom page template using clean urls
  34. rewrite rules and querystring
  35. Adding rewrite endpoint breaks static front page
  36. How to add custom rewrite rule to .htaccess?
  37. How do I remove a rewrite rule?
  38. How do I add a server-independent external rewrite rule?
  39. Multiple endpoints to same page
  40. Problem with add_rewrite_rule and pagination (paged and page query_vars)
  41. Use subdomain for certain urls
  42. Custom Permalinks for Blog Posts Only
  43. Unique URL Every Time
  44. generate_rewrite_rules (action) vs add_rewrite_rule (function): which one is preferred?
  45. Detect page type by url (Archive, single, page, author,…)
  46. Rewrite URL – how to do a SEO-friendly Unicode custom URL?
  47. I want to create a custom slug in WordPress and output JSON. How do I do this?
  48. How to make a category page the blog home page?
  49. add_rewrite_rule: $matches var not replaced by captured value
  50. Can I call a custom plugin with a direct URL
  51. How to show the same content on multiple URLs?
  52. Custom slug in front of search URL
  53. Display posts with author in the url with custom post types
  54. Custom rewrite rules for pages
  55. Rewrite default post type
  56. Custom permalinks with NextGEN Gallery
  57. Clash of the rewrites
  58. Using a page template without a page
  59. External/non-WP rewrite rules
  60. How-to add rewrite rules to point the uploads folder to a subdomain
  61. Rewrite Rules for Multiple (more than 2) Taxonomies
  62. Create built-in pages without creating actual pages
  63. How to seamlessly redirect between different archive and singular slugs?
  64. Is the SEO plugin necessary?
  65. Can ‘numberposts’ be passed in the URL query string?
  66. How to add dot(“.”) in post slug
  67. How to prevent redirection to max 2147483647 for larger values of the page query variable?
  68. add_rewrite_rule not loading correct page nor getting variables
  69. Overwrite rewrite-slug of built in post-type ‘post’
  70. Preserving $_GET parameter while using custom Rewrite Rule
  71. How to change default page slug?
  72. Query Vars for the Homepage?
  73. Disable wordpress pagination URL rewrite for specific page
  74. How to use Post Custom Metadata in Post Titles and Post Permalinks
  75. Using WordPress with Apache behind an nginx reverse proxy
  76. Handle category name URL rewrite before different post type slugs
  77. Using plus (+) sign instead of space (-) in WordPress URL
  78. Rewrite url for custom post type
  79. How do i change the search permanent links
  80. add_query_vars and add_rewrite_rules
  81. How to remove “admin.php?page=” from wp-admin using .htaccess?
  82. add_rewrite_rule() not playing nice with child pages
  83. WordPress URLs without posts
  84. rewrite_rule() not preserving the query string
  85. Need help with rewrite_rules_array
  86. Add language/country code to each possible URL
  87. Google is indexing wordpress attachment pages
  88. How to create the pseudo static rules of the page I created
  89. Changing directory and/or URL structure
  90. SEO Friendly URLs for my plugin categories
  91. Will references to ugly links automatically redirect to their pretty url permalink?
  92. How do I add a add_rewrite_rule without it redirecting?
  93. How to create a specific frontend URL (not a Page) from a theme or plugin?
  94. Taxonomy rewrite question
  95. Mod_rewrite delete parameter in 301 Redirect
  96. add_rewrite_rule not working for page var
  97. how to add prefix to post url structor only
  98. How do I remove a word from a url in WordPress using .htaccess?
  99. Why does wordpress still strip my query var?
  100. Appending numbers to url do not break the link

Leave a Comment