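/**
 * Performs a safe (local) redirect, using nxt_redirect().
 *
 * If $location names a host, that host must either be in the list returned by
 * the 'allowed_redirect_hosts' filter or be the site's own host. A plugin can
 * therefore add or remove allowed host(s) through that filter.
 *
 * When the target cannot be validated, the redirect goes to the site URL
 * instead. This covers three cases: the host is not allowed, parse_url()
 * cannot parse the target, or the target carries a scheme but no host.
 * Failing closed matters because this function is the only check between a
 * caller-supplied URL and the Location header.
 *
 * NOTE(review): nothing in this function stops script execution. Unless
 * nxt_redirect() does so itself (not visible here), callers should exit
 * right after calling this.
 *
 * @uses apply_filters() Calls 'allowed_redirect_hosts' on an array containing
 *                       the bbPress host string, plus the $location host string.
 *
 * @param string $location Redirect target, relative or absolute.
 * @param int    $status   HTTP status code passed on to nxt_redirect().
 * @return mixed Whatever nxt_redirect() returns.
 **/
function bb_safe_redirect($location, $status = 302) {
	// Need to look at the URL the way it will end up in nxt_redirect()
	$location = nxt_sanitize_redirect($location);

	// Browsers follow a redirect to a URL starting with '//' as an absolute URL,
	// so give it a scheme and let parse_url() report its host for the check below.
	if (substr($location, 0, 2) === '//') {
		$location = 'http:' . $location;
	}

	// In php 5 parse_url may fail if the URL query part contains http://, bug #38143
	$cut = strpos($location, '?');
	$test = $cut ? substr($location, 0, $cut) : $location;

	$lp = parse_url($test);
	$bp = parse_url(bb_get_uri());

	$site_host = (is_array($bp) && isset($bp['host'])) ? $bp['host'] : '';
	$has_host = is_array($lp) && isset($lp['host']);
	$target_host = $has_host ? $lp['host'] : '';

	// The filter always runs, with an empty host string for host-less targets.
	$allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($site_host), $target_host);

	if ($lp === false) {
		// Unparseable target: it cannot be validated, so it is not trusted.
		$is_safe = false;
	} elseif (!$has_host) {
		// A host-less target is local only if it also has no scheme; a scheme
		// without a host cannot be matched against the allow-list.
		$is_safe = !isset($lp['scheme']);
	} else {
		// Strict comparison, so numeric-looking host strings are never
		// treated as equal by type juggling.
		$is_safe = in_array($target_host, $allowed_hosts, true) || $target_host === strtolower($site_host);
	}

	if (!$is_safe) {
		$location = bb_get_uri(null, null, BB_URI_CONTEXT_HEADER);
	}

	return nxt_redirect($location, $status);
}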
/**
 * Redirects to $location after sanitizing and validating it.
 *
 * The target is first passed through nxt_sanitize_redirect(), so it is
 * checked in the same form that nxt_redirect() will send. It is then handed
 * to nxt_validate_redirect(), with admin_url() as the fallback, and the
 * result is what gets sent. Per the original documentation, the validation
 * step confirms the redirect goes to an allowed host, which a plugin can
 * adjust, and falls back to nxt-admin on the siteurl otherwise. This is
 * meant to prevent malicious redirects to another host.
 *
 * NOTE(review): nothing in this function stops script execution. Unless
 * nxt_redirect() does so itself (not visible here), callers should exit
 * right after calling this.
 *
 * @since 2.3
 * @uses nxt_validate_redirect() To validate the redirect is to an allowed host.
 *
 * @param string $location Redirect target.
 * @param int    $status   HTTP status code passed on to nxt_redirect().
 * @return void Does not return anything
 **/
function nxt_safe_redirect($location, $status = 302) {
	// Validate the sanitized form, since that is what nxt_redirect() would send.
	$sanitized = nxt_sanitize_redirect($location);

	// Fallback handed to the validator for targets it does not accept.
	$fallback = admin_url();

	nxt_redirect(nxt_validate_redirect($sanitized, $fallback), $status);
}