/**
 * Return the original HTTP referer that was submitted with the request, if any.
 *
 * Reads `_hq_original_http_referer` from $_REQUEST — which in PHP merges GET,
 * POST and (depending on request_order) COOKIE data, so the value is fully
 * attacker-controlled — and passes it through hq_validate_redirect() with a
 * `false` fallback. Only a value that hq_validate_redirect() accepts as a
 * local/allowed-host URL is ever returned; callers must still treat a `false`
 * result as "no usable referer" rather than assuming a string comes back.
 *
 * @since 0.0.1
 *
 * @return string|false The validated original referer, or false when none was
 *                      posted, the validator is unavailable, or validation failed.
 */
function hq_get_original_referer() {
    $posted = $_REQUEST['_hq_original_http_referer'] ?? null;

    // Without hq_validate_redirect() we cannot vouch for the value at all, so
    // report "no referer" instead of handing back raw request data. Presumably
    // the guard exists because this file can load before the redirect helpers.
    if (empty($posted) || !function_exists('hq_validate_redirect')) {
        return false;
    }

    return hq_validate_redirect(hq_unslash($posted), false);
}
/**
 * Redirect to a local (allowed-host) URL via hq_redirect().
 *
 * The location is first normalised with hq_sanitize_redirect() so that it is
 * validated in the same form hq_redirect() will ultimately emit, then checked
 * by hq_validate_redirect() against the allowed-host list (which plugins may
 * extend or shrink). A location whose host is not allowed is replaced by the
 * fallback — admin_url() by default, filterable through
 * 'hq_safe_redirect_fallback' — which is what stops open-redirect abuse to
 * foreign hosts. Note that a plugin widening the allowed-host list or the
 * fallback filter weakens this guarantee, so both are security-sensitive hooks.
 *
 * Nothing in this function stops script execution; unless hq_redirect()
 * itself exits (not visible here), callers should exit after the call so no
 * further output is sent along with the Location header.
 *
 * @since 0.0.1
 *
 * @param string $location The URL to redirect to.
 * @param int    $status   HTTP status code for the redirect. Default 302.
 */
function hq_safe_redirect($location, $status = 302) {
    // Validate the URL in the exact form hq_redirect() will send it.
    $normalised = hq_sanitize_redirect($location);

    /**
     * Filter the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * @since 0.0.1
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The redirect status.
     */
    $fallback = apply_filters('hq_safe_redirect_fallback', admin_url(), $status);

    $target = hq_validate_redirect($normalised, $fallback);

    hq_redirect($target, $status);
}
?> </p> <p class="step"><a class="button button-large" href="upgrade.php?step=1&backto=<?php echo $goback; ?> "><?php _e('Update HiveQueen Database'); ?> </a></p> <?php break; case 1: hq_upgrade(); $backto = !empty($_GET['backto']) ? hq_unslash(urldecode($_GET['backto'])) : __get_option('home') . '/'; $backto = esc_url($backto); $backto = hq_validate_redirect($backto, __get_option('home') . '/'); ?> <h2><?php _e('Update Complete'); ?> </h2> <p><?php _e('Your HiveQueen database has been successfully updated!'); ?> </p> <p class="step"><a class="button button-large" href="<?php echo $backto; ?> "><?php _e('Continue'); ?>
/**
 * Treat the allowed redirect hosts as allowed outbound HTTP request hosts too.
 *
 * Attached to the 'http_request_host_is_external' filter. When the host has
 * not already been marked external, it is probed by asking
 * hq_validate_redirect() whether "http://<host>" would be an acceptable
 * redirect target; a host on the redirect allow-list therefore also becomes
 * an allowed target for HTTP requests. Because the two allow-lists are thus
 * shared, any plugin that widens the redirect list (e.g. via its filter) also
 * widens which hosts this site will make outbound requests to — worth keeping
 * in mind when reviewing SSRF exposure.
 *
 * @since 0.0.1
 *
 * @param bool   $is_external Whether the host has already been accepted as external.
 * @param string $host        Host name being checked.
 * @return bool True when already accepted or when the host passes hq_validate_redirect();
 *              otherwise the original $is_external value is returned unchanged.
 */
function allowed_http_request_hosts($is_external, $host) {
    if ($is_external) {
        return $is_external;
    }

    // hq_validate_redirect() presumably yields its (falsy) default fallback for
    // hosts that are not on the allowed list — that default is not visible here —
    // so only an allow-listed host flips the result to true.
    $probe = 'http://' . $host;

    return hq_validate_redirect($probe) ? true : $is_external;
}