/**
 * Add rel="nofollow" to the given attribute array if the specified href is external.
 *
 * "External" means wp_validate_redirect() refuses the href, i.e. its host is
 * neither this site nor one added through the allowed_redirect_hosts filter.
 * Relative paths and same-host URLs are left untouched.
 *
 * NOTE(review): an existing $attrs['rel'] is overwritten, not merged, so a
 * caller-supplied rel (e.g. "noopener") is lost on external links.
 *
 * @param array $attrs Link attributes keyed by attribute name.
 *
 * @return mixed The attribute array, with 'rel' => 'nofollow' for external hrefs.
 */
public static function add_link_rel($attrs) {
    $href = empty($attrs['href']) ? '' : $attrs['href'];

    if ($href === '') {
        return $attrs;
    }

    // wp_validate_redirect() hands back the fallback (false) for a disallowed host.
    $is_external = !wp_validate_redirect($href, false);
    if ($is_external) {
        $attrs['rel'] = 'nofollow';
    }

    return $attrs;
}
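/**
 * Add to cart messages.
 *
 * Queues the "added to your cart" notice for one product ID or an array of
 * product_id => quantity pairs. When $show_qty is false every quantity is
 * reset to 1 so the message lists titles only.
 *
 * Fix: the original normalisation tested `!$show_qty && !is_array($products)`
 * AFTER a scalar had already been wrapped in an array, so that branch was
 * unreachable; a scalar ID was iterated as 0 => $id (title of post 0, count
 * equal to the product ID). A scalar now becomes array($id => 1) and the
 * quantity reset applies whenever $show_qty is false.
 *
 * Fix: the "Continue Shopping" link is built from the raw referer, which is
 * attacker-controlled. When the referer fails wp_validate_redirect() the
 * link used to get an empty href; it now falls back to the shop page, the
 * same destination used when no referer is present.
 *
 * @access public
 * @param int|array $products Product ID or product_id => qty map.
 * @param bool      $show_qty Should qty's be shown? Added in 2.6.0
 */
function wc_add_to_cart_message($products, $show_qty = false) {
    $titles = array();
    $count = 0;

    if (!is_array($products)) {
        $products = array($products => 1);
        $show_qty = false;
    }

    // Without quantities, every product counts once.
    if (!$show_qty) {
        $products = array_fill_keys(array_keys($products), 1);
    }

    foreach ($products as $product_id => $qty) {
        $titles[] = ($qty > 1 ? absint($qty) . ' × ' : '') . sprintf(_x('“%s”', 'Item name in quotes', 'woocommerce'), strip_tags(get_the_title($product_id)));
        $count += $qty;
    }

    $titles = array_filter($titles);
    $added_text = sprintf(_n('%s has been added to your cart.', '%s have been added to your cart.', $count, 'woocommerce'), wc_format_list_of_items($titles));

    // Output success messages
    if ('yes' === get_option('woocommerce_cart_redirect_after_add')) {
        $shop_url = wc_get_page_permalink('shop');
        $referer = wp_get_raw_referer();
        // Only keep the referer when its host is allowed; otherwise go to the shop page.
        $return_to = $referer ? wp_validate_redirect($referer, $shop_url) : $shop_url;
        $return_to = apply_filters('woocommerce_continue_shopping_redirect', $return_to);
        $message = sprintf('<a href="%s" class="button wc-forward">%s</a> %s', esc_url($return_to), esc_html__('Continue Shopping', 'woocommerce'), esc_html($added_text));
    } else {
        $message = sprintf('<a href="%s" class="button wc-forward">%s</a> %s', esc_url(wc_get_page_permalink('cart')), esc_html__('View Cart', 'woocommerce'), esc_html($added_text));
    }

    // $product_id is the last key visited by the loop; kept for filter compatibility.
    wc_add_notice(apply_filters('wc_add_to_cart_message', $message, $product_id));
}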
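/**
 * AJAX handler: create a WordPress user for the POSTed `email` and log them in.
 *
 * Replies with JSON and always terminates via die():
 *   {"status":0,"msg":...} on any failure (msg may contain an HTML link),
 *   {"status":1}           on success.
 *
 * Security notes (visible from this method alone):
 *  - No nonce or capability check is performed; the endpoint appears to be
 *    deliberately public (RSVP sign-up). NOTE(review): confirm _create_user()
 *    honours the site's registration settings.
 *  - The "email address already exists" reply lets a caller test which
 *    addresses have accounts (enumeration); acceptable only if intended.
 *  - The optional POST `location` goes through wp_sanitize_redirect() and
 *    wp_validate_redirect() before it becomes the login redirect target, so
 *    an off-site URL cannot be smuggled into the login link.
 *
 * Fix: `$data['email']` was read without an isset() guard (PHP notice when
 * absent) and the login URL was interpolated into an anchor without esc_url().
 */
public function json_create_user() {
    $error = array(
        "status" => 0,
        "msg" => __('There has been an error processing your request. Please, reload the page and try again.', Eab_EventsHub::TEXT_DOMAIN),
    );
    $data = stripslashes_deep($_POST);
    $email = isset($data['email']) ? $data['email'] : '';

    if (empty($email)) {
        $error['msg'] = __('Please, submit an email.', Eab_EventsHub::TEXT_DOMAIN);
        die(json_encode($error));
    }
    if (!is_email($email)) {
        $error['msg'] = __('Please, submit a valid email.', Eab_EventsHub::TEXT_DOMAIN);
        die(json_encode($error));
    }

    if (email_exists($email)) {
        $current_location = get_permalink();
        if (!empty($data['location'])) {
            // Client-supplied: strip unsafe characters, then require an allowed host.
            // wp_validate_redirect() returns '' for a disallowed host -> keep the permalink.
            $loc = wp_validate_redirect(wp_sanitize_redirect($data['location']));
            if (!empty($loc)) {
                $current_location = $loc;
            }
        }
        $login_link = wp_login_url($current_location);
        $login_message = sprintf(
            __('The email address already exists. Please <a href="%s">Login</a> and RSVP to the event.', Eab_EventsHub::TEXT_DOMAIN),
            esc_url($login_link)
        );
        $error['msg'] = $login_message;
        die(json_encode($error));
    }

    $wordp_user = $this->_create_user($email);
    if (is_object($wordp_user) && !empty($wordp_user->ID)) {
        $this->_login_user($wordp_user);
    } else {
        die(json_encode($error));
    }

    die(json_encode(array("status" => 1)));
}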
/**
 * Authorizations
 *
 * Return leg of the client-side authorization flow. Runs authorize() on the
 * unslashed GET parameters (auth_type forced to 'client'), records any error
 * code in Jetpack state, and sends the browser to the requested `redirect`
 * only when wp_validate_redirect() accepts its host; otherwise to the Jetpack
 * admin page. The nonce name embeds the user's role and the redirect target,
 * so neither can be changed after the link was issued.
 */
function client_authorize() {
    $data = stripslashes_deep($_GET);
    $data['auth_type'] = 'client';

    $role = Jetpack::translate_current_user_to_role();
    $redirect = '';
    if (isset($data['redirect'])) {
        $redirect = esc_url_raw((string) $data['redirect']);
    }

    $this->check_admin_referer("jetpack-authorize_{$role}_{$redirect}");

    $result = $this->authorize($data);
    if (is_wp_error($result)) {
        Jetpack::state('error', $result->get_error_code());
    }

    // wp_safe_redirect() validates again; checking here lets us choose the
    // Jetpack page instead of the generic wp-admin fallback.
    $destination = wp_validate_redirect($redirect) ? $redirect : Jetpack::admin_url();
    $this->wp_safe_redirect($destination);

    /**
     * Fires after the Jetpack client is authorized to communicate with WordPress.com.
     *
     * @since 4.2.0
     *
     * @param int Jetpack Blog ID.
     */
    do_action('jetpack_client_authorized', Jetpack_Options::get_option('id'));

    $this->do_exit();
}
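/**
 * catch quicklink submissions and redirect if the URL is valid.
 *
 * The submitted value is unslashed and passed through wp_sanitize_redirect()
 * before wp_validate_redirect(), the same order core's wp_safe_redirect()
 * uses: wp_redirect() sanitizes internally, so validating the raw value would
 * check a different string than the one actually emitted. The plugin's own
 * hosts are added to allowed_redirect_hosts only for the duration of the check.
 *
 * Fix: added the sanitize step, stripped request slashes, and ignore a
 * non-string value (an array would have reached trim() inside the validator).
 *
 * NOTE(review): no nonce is checked on this POST; a redirect-only form is low
 * impact, but confirm that is intended.
 *
 * @since 1.0.4
 * @return void
 */
protected function redirect_quick_link() {
    if (!isset($_POST['mlp_quicklink_select']) || !is_string($_POST['mlp_quicklink_select'])) {
        return;
    }

    $candidate = wp_sanitize_redirect(stripslashes($_POST['mlp_quicklink_select']));

    add_filter('allowed_redirect_hosts', array($this, 'extend_allowed_hosts'), 10, 2);
    $url = wp_validate_redirect($candidate, FALSE);
    remove_filter('allowed_redirect_hosts', array($this, 'extend_allowed_hosts'));

    if (!$url) {
        return;
    }

    // force GET request
    wp_redirect($url, 303);
    exit;
}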
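/**
 * Track the page view
 *
 * Writes one row (created, referrer, target) to the statify table, then
 * returns through _jump_out(). Two input modes:
 *  - snippet mode: target/referrer come from the `statify_target` and
 *    `statify_referrer` query vars;
 *  - direct mode (snippet option off): REQUEST_URI and HTTP_REFERER.
 * When the snippet is enabled but this request is not the snippet's, nothing
 * is recorded.
 *
 * Input handling:
 *  - the target must pass wp_validate_redirect(); an off-host target is not
 *    stored, so the saved target is always a local URL/path;
 *  - the referrer is client-controlled and is stored only when it does not
 *    contain home_url() (a cheap "not internal" heuristic, not a host check)
 *    and only after esc_url_raw() restricted to http/https;
 *  - the row goes through $wpdb->insert(), which escapes the values.
 *
 * Fix: strftime() is deprecated as of PHP 8.1; date() yields the identical
 * 'Y-m-d' string for the same timestamp under the same timezone setting.
 *
 * @since 0.1.0
 * @change 1.4.2
 */
public static function track_visit() {
    /* Init vars */
    $use_snippet = self::$_options['snippet'];
    $is_snippet = $use_snippet && get_query_var('statify_target');

    /* Skip tracking */
    if (self::_skip_tracking()) {
        return self::_jump_out($is_snippet);
    }

    /* Set target & referrer */
    if ($is_snippet) {
        $target = urldecode(get_query_var('statify_target'));
        $referrer = urldecode(get_query_var('statify_referrer'));
    } elseif ($use_snippet) {
        // Snippet mode is on but this is an ordinary request: the snippet
        // will report the view itself.
        return;
    } else {
        $target = isset($_SERVER['REQUEST_URI']) ? wp_unslash($_SERVER['REQUEST_URI']) : '/';
        $referrer = isset($_SERVER['HTTP_REFERER']) ? wp_unslash($_SERVER['HTTP_REFERER']) : '';
    }

    /* Invalid target? */
    if (empty($target) || !wp_validate_redirect($target, false)) {
        return self::_jump_out($is_snippet);
    }

    /* Global vars */
    global $wpdb, $wp_rewrite;

    /* Init rows */
    $data = array('created' => '', 'referrer' => '', 'target' => '');

    /* Set request timestamp (site-local time, as current_time() provides it) */
    $data['created'] = date('Y-m-d', current_time('timestamp'));

    /* Sanitize referrer url */
    if (!empty($referrer) && strpos($referrer, home_url()) === false) {
        $data['referrer'] = esc_url_raw($referrer, array('http', 'https'));
    }

    /* Relative target url */
    $data['target'] = home_url($target, 'relative');

    /* Trim target url */
    if ($wp_rewrite->permalink_structure) {
        $data['target'] = parse_url($data['target'], PHP_URL_PATH);
    }

    /* Sanitize target url */
    $data['target'] = esc_url_raw($data['target']);

    /* Insert */
    $wpdb->insert($wpdb->statify, $data);

    /* Jump! */
    return self::_jump_out($is_snippet);
}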
/**
 * Authorizations
 *
 * Return leg of the client-side authorization flow. Runs authorize() with the
 * unslashed GET parameters (auth_type forced to 'client'), stores any error
 * code in Jetpack state, and redirects to the requested `redirect` only if
 * wp_validate_redirect() accepts its host, otherwise to the Jetpack admin
 * page. The nonce name embeds both the user's role and the redirect target.
 */
function client_authorize() {
    $data = stripslashes_deep($_GET);
    $data['auth_type'] = 'client';

    $jetpack = $this->get_jetpack();
    $role = $jetpack->translate_current_user_to_role();

    $redirect = isset($data['redirect']) ? esc_url_raw((string) $data['redirect']) : '';
    $this->check_admin_referer("jetpack-authorize_{$role}_{$redirect}");

    $result = $this->authorize($data);
    if (is_wp_error($result)) {
        Jetpack::state('error', $result->get_error_code());
    }

    $destination = Jetpack::admin_url();
    if (wp_validate_redirect($redirect)) {
        $destination = $redirect;
    }
    $this->wp_safe_redirect($destination);

    $this->do_exit();
}
/**
 * Safe Redirect
 *
 * Ensure the redirect is to the same site or pluggable list of allowed domains.
 * If invalid, the redirect goes to home_url() instead (core's
 * wp_safe_redirect() falls back to admin_url(); this variant prefers the
 * front page). Based on the WordPress wp_safe_redirect() function.
 *
 * Does not exit: the caller must stop execution after the header is sent.
 *
 * @param string $location Raw redirect target.
 * @param int    $status   HTTP status code, 302 by default.
 */
function safe_redirect($location, $status = 302) {
    // Sanitize first so the string we validate is the one wp_redirect() emits.
    $sanitized = wp_sanitize_redirect($location);
    $target = wp_validate_redirect($sanitized, home_url());
    wp_redirect($target, $status);
}
/**
 * Completes the Jetpack authorization handshake for the current user.
 *
 * Reads the callback's GET parameters, performs a chain of checks (each
 * failure stores an error code via Jetpack::state() and leaves the
 * do/while(false) block), exchanges the `code` for a token, stores it for the
 * current user and, for the first (master) user, activates modules and
 * schedules nonce cleanup. Finally redirects to `redirect` if it passes
 * wp_validate_redirect(), else to the Jetpack admin page, and exits.
 *
 * Security checks visible below:
 *  - the nonce name embeds the user's role and the (esc_url_raw'd) redirect,
 *    so the redirect cannot be swapped after the link was generated;
 *  - `state` must be all digits and equal the current user's ID, tying the
 *    callback to the user who started the flow.
 */
function authorize() {
    $data = stripslashes_deep($_GET);
    $args = array(); // unused below
    $redirect = isset($data['redirect']) ? esc_url_raw((string) $data['redirect']) : '';

    do {
        $jetpack = Jetpack::init();
        $role = $jetpack->translate_current_user_to_role();
        if (!$role) {
            Jetpack::state('error', 'no_role');
            break;
        }
        $cap = $jetpack->translate_role_to_cap($role);
        if (!$cap) {
            Jetpack::state('error', 'no_cap');
            break;
        }

        // Nonce is bound to role + redirect target.
        check_admin_referer("jetpack-authorize_{$role}_{$redirect}");

        if (!empty($data['error'])) {
            Jetpack::state('error', $data['error']);
            break;
        }
        if (empty($data['state'])) {
            Jetpack::state('error', 'no_state');
            break;
        }
        // ctype_digit() guarantees a numeric string, so the loose != below is safe.
        if (!ctype_digit($data['state'])) {
            Jetpack::state('error', 'invalid_state');
            break;
        }
        $current_user_id = get_current_user_id();
        if ($current_user_id != $data['state']) {
            Jetpack::state('error', 'wrong_state');
            break;
        }
        if (empty($data['code'])) {
            Jetpack::state('error', 'no_code');
            break;
        }

        $token = $this->get_token($data);
        if (is_wp_error($token)) {
            if ($error = $token->get_error_code()) {
                Jetpack::state('error', $error);
            } else {
                Jetpack::state('error', 'invalid_token');
            }
            Jetpack::state('error_description', $token->get_error_message());
            break;
        }
        if (!$token) {
            Jetpack::state('error', 'no_token');
            break;
        }

        // First authorizing user becomes the master user.
        $is_master_user = !Jetpack::is_active();
        Jetpack::update_user_token($current_user_id, sprintf('%s.%d', $token, $current_user_id), $is_master_user);

        if ($is_master_user) {
            Jetpack::state('message', 'authorized');
        } else {
            Jetpack::state('message', 'linked');
            // Don't activate anything since we are just connecting a user.
            break;
        }

        if ($active_modules = Jetpack::get_option('active_modules')) {
            Jetpack::delete_option('active_modules');
            Jetpack::activate_default_modules(999, 1, $active_modules);
        } else {
            Jetpack::activate_default_modules();
        }

        $jetpack->sync->register('noop'); // Spawn a sync to make sure the Jetpack Servers know what modules are active.

        // Start nonce cleaner
        wp_clear_scheduled_hook('jetpack_clean_nonces');
        wp_schedule_event(time(), 'hourly', 'jetpack_clean_nonces');
    } while (false);

    // wp_safe_redirect() validates again; this check selects the Jetpack page as fallback.
    if (wp_validate_redirect($redirect)) {
        wp_safe_redirect($redirect);
    } else {
        wp_safe_redirect(Jetpack::admin_url());
    }
    exit;
}
/**
 * Retrieve original referer that was posted, if it exists.
 *
 * Reads the `_wp_original_http_referer` request field and returns it only
 * when wp_validate_redirect() accepts its host; an off-site value yields
 * false, so the result can be used directly as a redirect target.
 *
 * @since 2.0.4
 *
 * @return string|false False if no original referer or original referer if set.
 */
function wp_get_original_referer() {
    if (empty($_REQUEST['_wp_original_http_referer'])) {
        return false;
    }
    // wp_validate_redirect() may not be defined yet at this point of bootstrap.
    if (!function_exists('wp_validate_redirect')) {
        return false;
    }

    $referer = wp_unslash($_REQUEST['_wp_original_http_referer']);
    return wp_validate_redirect($referer, false);
}
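/**
 * Emit a JavaScript redirect (plus a plain link fallback) to $url.
 *
 * The URL is always run through wp_sanitize_redirect(). Unless $unsafe is
 * true it is also validated with wp_validate_redirect(), falling back to the
 * filtered wp_safe_redirect_fallback URL (admin_url() by default) when the
 * host is not allowed. With $unsafe = true the caller vouches for the host.
 *
 * Fix: the JS string literal was built with a bare str_replace() on '"',
 * which covers neither backslashes nor "</script>". json_encode() with the
 * HEX flags yields a literal that cannot terminate the string or the script
 * element, whatever sanitisation left in the URL.
 *
 * Does NOT exit; the caller decides whether output continues.
 *
 * @param string $url    Redirect target.
 * @param bool   $unsafe Skip host validation when true.
 */
static function JsRedirect($url, $unsafe = false) {
    $url = wp_sanitize_redirect($url);

    if (!$unsafe) {
        $fallback = apply_filters('wp_safe_redirect_fallback', admin_url(), 302);
        $url = wp_validate_redirect($url, $fallback);
    }

    // JS-in-HTML context: quotes, angle brackets and ampersands become \uXXXX escapes.
    $js_url = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    echo '<script type="text/javascript"> window.location = ', $js_url, '; </script><h1><a href="', esc_attr($url), '">', esc_html($url), '</a></h1>';
    // NO exit/die here!
}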
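/**
 * Redirect back to the provided return_url
 *
 * WooCommerce's default destination after saving account details is the
 * My Account page. When $redirect_location is exactly that page, a return
 * URL stored in a transient keyed by md5(IP . User-Agent) is returned
 * instead, and the transient is consumed.
 *
 * Fixes:
 *  - $_SERVER['HTTP_USER_AGENT'] was read without a guard (notice when absent).
 *  - The stored URL is now passed through wp_validate_redirect() with the
 *    original location as fallback, so a transient holding an off-site host
 *    cannot turn this into an open redirect regardless of who set it.
 *
 * NOTE(review): IP + User-Agent is a weak visitor identity; two users behind
 * the same NAT with the same browser can receive each other's stored URL.
 *
 * @since 1.2.0
 * @param string $redirect_location Destination WooCommerce is about to use.
 * @return string Destination to use (possibly unchanged).
 */
public function redirect_after_save_account_details($redirect_location) {
    $safe_redirect_location = get_permalink(wc_get_page_id('myaccount'));
    $safe_redirect_location = wp_sanitize_redirect($safe_redirect_location);
    $safe_redirect_location = wp_validate_redirect($safe_redirect_location, admin_url());

    if ($redirect_location !== $safe_redirect_location) {
        return $redirect_location;
    }

    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $transient_key = 'wcsl_' . md5($remote_addr . $user_agent);

    $new_location = get_transient($transient_key);
    if ($new_location) {
        delete_transient($transient_key);
        // Honour the stored URL only if its host is allowed.
        $redirect_location = wp_validate_redirect($new_location, $redirect_location);
    }

    return $redirect_location;
}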
/**
 * Returns the URL the user should be sent to after a successful login.
 *
 * Administrators (manage_options) go to the requested redirect_to when one
 * was given, otherwise to the dashboard; everyone else goes to the
 * member-account page. The chosen URL is host-validated with
 * wp_validate_redirect(), falling back to home_url(), so a crafted
 * redirect_to cannot send even an administrator off-site.
 *
 * @param string           $redirect_to           Redirect URL already filtered by core (not used here).
 * @param string           $requested_redirect_to The requested redirect destination URL passed as a parameter.
 * @param WP_User|WP_Error $user                  WP_User on successful login, WP_Error otherwise.
 *
 * @return string Redirect URL
 */
public function redirect_after_login($redirect_to, $requested_redirect_to, $user) {
    if (!isset($user->ID)) {
        // Failed login: nothing to personalise.
        return home_url();
    }

    if (!user_can($user, 'manage_options')) {
        // Regular users always land on their account page after login.
        $destination = home_url('member-account');
    } elseif ($requested_redirect_to == '') {
        $destination = admin_url();
    } else {
        $destination = $requested_redirect_to;
    }

    return wp_validate_redirect($destination, home_url());
}
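/**
 * Method used for the janrain_capture_logout action on admin-ajax.php.
 *
 * Prints a minimal page that clears the backplane-channel cookie and then
 * sends the browser to the `source` query parameter, or to home_url() when
 * it is absent or fails wp_validate_redirect() (so `source` cannot be used
 * as an open redirect).
 *
 * Fixes:
 *  - The cookie's `secure` flag was derived from isset($_SERVER['HTTPS']);
 *    some servers set HTTPS to "off", so is_ssl() is used instead.
 *  - The redirect target is JSON-encoded with JSON_HEX_TAG | JSON_HEX_AMP so
 *    the JS string literal cannot contain a raw "<" or "&" inside <script>.
 *  - Removed the unused local $n.
 */
function logout() {
    $s = is_ssl() ? '; secure' : '';

    $r = isset($_GET['source']) ? $_GET['source'] : home_url();
    $r = wp_validate_redirect($r, home_url());

    // Escaping - applied early due to heredoc. json_encode() is always
    // available; wp_json_encode() is preferred when present.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP;
    $r = function_exists('wp_json_encode') ? wp_json_encode($r, $flags) : json_encode($r, $flags);

    echo <<<LOGOUT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
\t "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
\t<head>
\t<title>Janrain Capture</title>
\t</head>
\t<body>
\t<script type="text/javascript">
\t\tdocument.cookie = 'backplane-channel=; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/{$s}';
\t\twindow.location.href = {$r};
\t</script>
\t</body>
</html>
LOGOUT;
    exit;
}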
/**
 * Builds a URL to the Jetpack connection auth page
 *
 * Two cases: without a blog token/ID the URL is the nonce-protected local
 * `action=register` page; otherwise it is the remote authorize endpoint with
 * the user/site parameters below. In the second case the caller-supplied
 * $redirect is host-validated with wp_validate_redirect() (fallback: the
 * Jetpack admin page) and then bound into the `_wpnonce` of the redirect_uri,
 * so the value checked on return is the one validated here.
 *
 * @since 3.9.5
 *
 * @param bool $raw If true, URL will not be escaped.
 * @param bool|string $redirect If true, will redirect back to Jetpack wp-admin landing page after connection.
 * If string, will be a custom redirect.
 * @param bool|string $from If not false, adds 'from=$from' param to the connect URL.
 *
 * @return string Connect URL
 */
function build_connect_url($raw = false, $redirect = false, $from = false) {
    if (!Jetpack_Options::get_option('blog_token') || !Jetpack_Options::get_option('id')) {
        $url = Jetpack::nonce_url_no_esc(Jetpack::admin_url('action=register'), 'jetpack-register');
        if (is_network_admin()) {
            $url = add_query_arg('is_multisite', network_admin_url('admin.php?page=jetpack-settings'), $url);
        }
    } else {
        require_once JETPACK__GLOTPRESS_LOCALES_PATH;
        $role = $this->translate_current_user_to_role();
        $signed_role = $this->sign_role($role);
        $user = wp_get_current_user();
        $jetpack_admin_page = esc_url_raw(admin_url('admin.php?page=jetpack'));
        // Only an allowed-host redirect survives; anything else -> Jetpack admin page.
        $redirect = $redirect ? wp_validate_redirect(esc_url_raw($redirect), $jetpack_admin_page) : $jetpack_admin_page;
        $gp_locale = GP_Locales::by_field('wp_locale', get_locale());
        // Trusted override (network admin URL), applied after validation.
        if (isset($_REQUEST['is_multisite'])) {
            $redirect = Jetpack_Network::init()->get_url('network_admin_page');
        }
        $secrets = Jetpack::init()->generate_secrets('authorize');
        // First colon-separated part of the generated secrets; @ hides a notice if the format differs.
        @(list($secret) = explode(':', $secrets));
        $site_icon = function_exists('has_site_icon') && has_site_icon() ? get_site_icon_url() : false;
        $args = urlencode_deep(array(
            'response_type' => 'code',
            'client_id' => Jetpack_Options::get_option('id'),
            // The nonce ties role + redirect; authorize() checks it on return.
            'redirect_uri' => add_query_arg(array('action' => 'authorize', '_wpnonce' => wp_create_nonce("jetpack-authorize_{$role}_{$redirect}"), 'redirect' => urlencode($redirect)), esc_url(admin_url('admin.php?page=jetpack'))),
            // `state` is the user ID; authorize() requires it to match the current user.
            'state' => $user->ID,
            'scope' => $signed_role,
            'user_email' => $user->user_email,
            'user_login' => $user->user_login,
            'is_active' => Jetpack::is_active(),
            'jp_version' => JETPACK__VERSION,
            'auth_type' => 'calypso',
            'secret' => $secret,
            'locale' => isset($gp_locale->slug) ? $gp_locale->slug : '',
            'blogname' => get_option('blogname'),
            'site_url' => site_url(),
            'home_url' => home_url(),
            'site_icon' => $site_icon
        ));
        $url = add_query_arg($args, Jetpack::api_url('authorize'));
    }
    if ($from) {
        $url = add_query_arg('from', $from, $url);
    }
    // sanitize_key() restricts calypso_env to [a-z0-9_-].
    if (isset($_GET['calypso_env'])) {
        $url = add_query_arg('calypso_env', sanitize_key($_GET['calypso_env']), $url);
    }
    return $raw ? $url : esc_url($url);
}
/**
 * Filter callback hardening the comment_post_redirect target.
 *
 * Sanitizes the location and then requires an allowed host, falling back to
 * admin_url() — the same pipeline core's wp_safe_redirect() uses. The r20486
 * prefix suggests a backport of a WordPress changeset; confirm against the
 * project history.
 *
 * @param string $location Raw redirect target.
 * @return string Sanitized, host-validated URL (or admin_url()).
 */
function r20486_comment_post_redirect($location) {
    $sanitized = wp_sanitize_redirect($location);
    return wp_validate_redirect($sanitized, admin_url());
}
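/**
 * Catches quicklink submissions and redirects if the URL is valid.
 *
 * The URL is passed through wp_sanitize_redirect() before
 * wp_validate_redirect(), the order core's wp_safe_redirect() uses, so the
 * string that is validated is the one wp_redirect() will emit (wp_redirect()
 * sanitizes internally; validating the unsanitized value would check a
 * different string). The plugin's hosts are added to allowed_redirect_hosts
 * only for the duration of the check.
 *
 * Fix: added the sanitize step before validation.
 *
 * @since 1.0.4
 *
 * @param string $url The URL that is to be redirected to.
 *
 * @return void
 */
private function redirect_quick_link($url) {
    $callback = [$this, 'extend_allowed_hosts'];

    add_filter('allowed_redirect_hosts', $callback, 10, 2);
    $url = wp_validate_redirect(wp_sanitize_redirect($url), false);
    remove_filter('allowed_redirect_hosts', $callback);

    if (!$url) {
        return;
    }

    // Force GET request.
    wp_redirect($url, 303);
    \Inpsyde\MultilingualPress\call_exit();
}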
/**
 * Returns the URL to which the user should be redirected after the (successful) login.
 *
 * Administrators (manage_options) go to the requested redirect_to when one
 * was given, otherwise to the dashboard; everyone else goes to
 * home_url(<user_login>). The result is host-validated with
 * wp_validate_redirect(), falling back to home_url(), so a crafted
 * redirect_to cannot send an administrator off-site.
 *
 * @param string           $redirect_to           The redirect destination URL (already filtered; not used here).
 * @param string           $requested_redirect_to The requested redirect destination URL passed as a parameter.
 * @param WP_User|WP_Error $user                  WP_User object if login was successful, WP_Error object otherwise.
 *
 * @return string Redirect URL
 */
public function redirect_after_login($redirect_to, $requested_redirect_to, $user) {
    if (!isset($user->ID)) {
        // Failed login: nothing to personalise.
        return home_url();
    }

    if (!user_can($user, 'manage_options')) {
        // Non-admin users always go to their own page after login.
        $destination = home_url($user->user_login);
    } elseif ($requested_redirect_to == '') {
        $destination = admin_url();
    } else {
        $destination = $requested_redirect_to;
    }

    return wp_validate_redirect($destination, home_url());
}
/**
 * Builds a URL to the Jetpack connection auth page
 *
 * Two cases: without a blog token/ID the URL is the nonce-protected local
 * `action=register` page; otherwise it is the remote authorize endpoint with
 * the user/site parameters below. In the second case the caller-supplied
 * $redirect is host-validated with wp_validate_redirect() (fallback: the
 * Jetpack admin page) and then bound into the `_wpnonce` of the redirect_uri,
 * so the value checked on return is the one validated here.
 *
 * @since 3.9.5
 *
 * @param bool $raw If true, URL will not be escaped.
 * @param bool|string $redirect If true, will redirect back to Jetpack wp-admin landing page after connection.
 * If string, will be a custom redirect.
 * @param bool|string $from If not false, adds 'from=$from' param to the connect URL.
 *
 * @return string Connect URL
 */
function build_connect_url($raw = false, $redirect = false, $from = false) {
    if (!Jetpack_Options::get_option('blog_token') || !Jetpack_Options::get_option('id')) {
        $url = Jetpack::nonce_url_no_esc(Jetpack::admin_url('action=register'), 'jetpack-register');
        if (is_network_admin()) {
            $url = add_query_arg('is_multisite', network_admin_url('admin.php?page=jetpack-settings'), $url);
        }
    } else {
        // Locale lookup is optional: only when the GlotPress locales file is present and loads.
        if (defined('JETPACK__GLOTPRESS_LOCALES_PATH') && (include_once JETPACK__GLOTPRESS_LOCALES_PATH)) {
            $gp_locale = GP_Locales::by_field('wp_locale', get_locale());
        }
        $role = self::translate_current_user_to_role();
        $signed_role = self::sign_role($role);
        $user = wp_get_current_user();
        $jetpack_admin_page = esc_url_raw(admin_url('admin.php?page=jetpack'));
        // Only an allowed-host redirect survives; anything else -> Jetpack admin page.
        $redirect = $redirect ? wp_validate_redirect(esc_url_raw($redirect), $jetpack_admin_page) : $jetpack_admin_page;
        // Trusted override (network admin URL), applied after validation.
        if (isset($_REQUEST['is_multisite'])) {
            $redirect = Jetpack_Network::init()->get_url('network_admin_page');
        }
        $secrets = Jetpack::init()->generate_secrets('authorize');
        // First colon-separated part of the generated secrets; @ hides a notice if the format differs.
        @(list($secret) = explode(':', $secrets));
        $site_icon = function_exists('has_site_icon') && has_site_icon() ? get_site_icon_url() : false;
        /**
         * Filter the type of authorization.
         * 'calypso' completes authorization on wordpress.com/jetpack/connect
         * while 'jetpack' ( or any other value ) completes the authorization at jetpack.wordpress.com.
         *
         * @since 4.3.3
         *
         * @param string $auth_type Defaults to 'calypso', can also be 'jetpack'.
         */
        $auth_type = apply_filters('jetpack_auth_type', 'calypso');
        $args = urlencode_deep(array(
            'response_type' => 'code',
            'client_id' => Jetpack_Options::get_option('id'),
            // The nonce ties role + redirect; it is checked on the return leg.
            'redirect_uri' => add_query_arg(array('action' => 'authorize', '_wpnonce' => wp_create_nonce("jetpack-authorize_{$role}_{$redirect}"), 'redirect' => urlencode($redirect)), esc_url(admin_url('admin.php?page=jetpack'))),
            // `state` is the user ID, to be matched against the current user on return.
            'state' => $user->ID,
            'scope' => $signed_role,
            'user_email' => $user->user_email,
            'user_login' => $user->user_login,
            'is_active' => Jetpack::is_active(),
            'jp_version' => JETPACK__VERSION,
            'auth_type' => $auth_type,
            'secret' => $secret,
            'locale' => isset($gp_locale) && isset($gp_locale->slug) ? $gp_locale->slug : '',
            'blogname' => get_option('blogname'),
            'site_url' => site_url(),
            'home_url' => home_url(),
            'site_icon' => $site_icon
        ));
        $url = add_query_arg($args, Jetpack::api_url('authorize'));
    }
    if ($from) {
        $url = add_query_arg('from', $from, $url);
    }
    // sanitize_key() restricts calypso_env to [a-z0-9_-].
    if (isset($_GET['calypso_env'])) {
        $url = add_query_arg('calypso_env', sanitize_key($_GET['calypso_env']), $url);
    }
    return $raw ? $url : esc_url($url);
}
/**
 * Finish the Facebook login flow by sending the browser to the stored return URL.
 *
 * Resolution order: the `<uniqid>_fb_r` site transient; if it is missing,
 * empty, or equal to the FB login URL itself, the `redirect` GET parameter;
 * failing that, site_url(). The chosen value is sanitized and host-validated
 * with site_url() as fallback, so neither the transient nor the query string
 * can produce an off-site redirect.
 *
 * Emits a raw Location header (status code left to PHP's default), deletes
 * the transient and exits.
 */
function new_fb_redirect() {
    $redirect = get_site_transient(nextend_uniqid() . '_fb_r');

    $stored_is_usable = $redirect && $redirect != '' && $redirect != new_fb_login_url();
    if (!$stored_is_usable) {
        $redirect = isset($_GET['redirect']) ? $_GET['redirect'] : site_url();
    }

    $redirect = wp_validate_redirect(wp_sanitize_redirect($redirect), site_url());

    header('LOCATION: ' . $redirect);
    delete_site_transient(nextend_uniqid() . '_fb_r');
    exit;
}
/**
 * Whitelists allowed redirect hosts for safe HTTP requests as well.
 *
 * Attached to the http_request_host_is_external filter. A host that
 * wp_validate_redirect() accepts (local, or on allowed_redirect_hosts) is
 * reported as permitted for outbound requests too; any value already
 * truthy is passed through unchanged.
 *
 * @since 3.6.0
 *
 * @param bool   $is_external
 * @param string $host
 * @return bool
 */
function allowed_http_request_hosts($is_external, $host) {
    if (!$is_external && wp_validate_redirect('http://' . $host)) {
        return true;
    }
    return $is_external;
}
/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects which redirect to another host,
 * but only used in a few places.
 *
 * @since 2.3.0
 *
 * @param string $location The path to redirect to.
 * @param int    $status   Status code to use.
 */
function wp_safe_redirect($location, $status = 302) {
    // Need to look at the URL the way it will end up in wp_redirect()
    $location = wp_sanitize_redirect($location);

    /**
     * Filters the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * @since 4.3.0
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The redirect status.
     */
    $fallback = apply_filters('wp_safe_redirect_fallback', admin_url(), $status);

    wp_redirect(wp_validate_redirect($location, $fallback), $status);
}
* @package WordPress
* @subpackage Customize
* @since 3.4.0
*/
define('IFRAME_REQUEST', true);
/** Load WordPress Administration Bootstrap */
require_once dirname(__FILE__) . '/admin.php';
// Capability gate for the Customizer UI.
if (!current_user_can('customize')) {
    wp_die(__('Cheatin’ uh?'), 403);
}
// Pulls `url` and `return` from the request into local variables.
wp_reset_vars(array('url', 'return'));
$url = wp_unslash($url);
// The preview URL must be on this site (or an allowed host); otherwise the front page.
$url = wp_validate_redirect($url, home_url('/'));
if ($return) {
    $return = wp_unslash($return);
    // No fallback: an off-site return URL becomes '' and is replaced below.
    $return = wp_validate_redirect($return);
}
if (!$return) {
    if ($url) {
        $return = $url;
    } elseif (current_user_can('edit_theme_options') || current_user_can('switch_themes')) {
        $return = admin_url('themes.php');
    } else {
        $return = admin_url();
    }
}
global $wp_scripts, $wp_customize;
// Fresh script queue for the controls frame, keeping the registrations.
$registered = $wp_scripts->registered;
$wp_scripts = new WP_Scripts();
$wp_scripts->registered = $registered;
add_action('customize_controls_print_scripts', 'print_head_scripts', 20);
/**
 * When jetpack-sso-auth-redirect query parameter is set, will redirect user to
 * WordPress.com authorization flow.
 *
 * We redirect here instead of in handle_login() because Jetpack::init()->build_connect_url
 * calls menu_page_url() which doesn't work properly until admin menus are registered.
 *
 * The post-auth destination is derived from the request, run through the
 * login_redirect filter, then sanitized and host-validated (fallback
 * admin_url()) because it is handed to WordPress.com rather than to
 * wp_safe_redirect(). The connect URL itself is sent via wp_safe_redirect()
 * after the SSO helper adds its hosts to allowed_redirect_hosts.
 */
function maybe_authorize_user_after_sso() {
    if (empty($_GET['jetpack-sso-auth-redirect'])) {
        return;
    }

    $redirect_to = admin_url();
    if (!empty($_GET['redirect_to'])) {
        $redirect_to = esc_url_raw($_GET['redirect_to']);
    }

    $request_redirect_to = $redirect_to;
    if (!empty($_GET['request_redirect_to'])) {
        $request_redirect_to = esc_url_raw($_GET['request_redirect_to']);
    }

    /** This filter is documented in core/src/wp-login.php */
    $redirect_after_auth = apply_filters('login_redirect', $redirect_to, $request_redirect_to, wp_get_current_user());

    // Not going through wp_safe_redirect(), so sanitize + validate here; off-site -> admin_url().
    $redirect_after_auth = wp_validate_redirect(wp_sanitize_redirect($redirect_after_auth), admin_url());

    // Raw connect URL carrying our redirect; attribute the connection to SSO.
    $connect_url = Jetpack::init()->build_connect_url(true, $redirect_after_auth, 'sso');

    add_filter('allowed_redirect_hosts', array('Jetpack_SSO_Helpers', 'allowed_redirect_hosts'));
    wp_safe_redirect($connect_url);
    exit;
}
<p class="step"><a class="button button-large" href="upgrade.php?step=1&backto=<?php /* NOTE(review): $goback is built before this fragment — confirm it was escaped for attribute context */ echo $goback; ?> "><?php _e('Update WordPress Database'); ?> </a> </p> <?php break;
case 1:
    // Run the database upgrade.
    wp_upgrade();
    // Continue-link target: request-supplied `backto`, else the home URL.
    $backto = !empty($_GET['backto']) ? wp_unslash(urldecode($_GET['backto'])) : __get_option('home') . '/';
    $backto = esc_url($backto);
    // Host check: an off-site backto is replaced by the home URL.
    $backto = wp_validate_redirect($backto, __get_option('home') . '/');
?> <h2><?php _e('Update Complete'); ?> </h2> <p><?php _e('Your WordPress database has been successfully updated!'); ?> </p> <p class="step"><a class="button button-large" href="<?php echo $backto; ?> "><?php _e('Continue'); ?>
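/**
 * Return the original (real) Return URL
 *
 * Builds the PayPal return URL from the configured `transact_url` option
 * (after the digital-goods and express-checkout filters), appending the
 * session id plus the `token` and `PayerID` PayPal sends back in the request.
 * add_query_arg() URL-encodes the values, and the result is passed through
 * wp_validate_redirect(): if the option points at a host that is neither
 * local nor in allowed_redirect_hosts the function hands '' to the final
 * filters, so a tampered option cannot become an off-site redirect.
 *
 * Fix: `$_REQUEST['token']` / `$_REQUEST['PayerID']` were read without a
 * guard and raised a notice when absent. Missing values are now passed as
 * null — exactly what the undefined index evaluated to — so the generated
 * URL is unchanged.
 *
 * @param integer $session_id
 *
 * @return string
 *
 * @since 3.9
 */
protected function get_original_return_url($session_id) {
    $transact_url = get_option('transact_url');
    $transact_url = apply_filters('wpsc_paypal_digital_goods_transact_url', $transact_url);
    $transact_url = apply_filters('wpsc_paypal_express_checkout_transact_url', $transact_url);

    $token = isset($_REQUEST['token']) ? $_REQUEST['token'] : null;
    $payer_id = isset($_REQUEST['PayerID']) ? $_REQUEST['PayerID'] : null;

    $location = add_query_arg(array(
        'sessionid' => $session_id,
        'token' => $token,
        'PayerID' => $payer_id,
        'payment_gateway' => 'paypal-digital-goods',
        'payment_gateway_callback' => 'confirm_transaction',
    ), $transact_url);

    $location = wp_validate_redirect($location);
    $location = apply_filters('wpsc_paypal_express_checkout_return_url', $location);
    return apply_filters('wpsc_paypal_digital_goods_return_url', $location);
}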
/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect is to wp-admin on the siteurl
 * instead. This prevents malicious redirects which redirect to another host,
 * but only used in a few places.
 *
 * @since 2.3.0
 *
 * @return void Does not return anything
 **/
function wp_safe_redirect($location, $status = 302) {
    // Need to look at the URL the way it will end up in wp_redirect()
    $sanitized = wp_sanitize_redirect($location);
    $target = wp_validate_redirect($sanitized, admin_url());
    wp_redirect($target, $status);
}
* Customize Controls
*
* @package WordPress
* @subpackage Customize
* @since 3.4.0
*/
define('IFRAME_REQUEST', true);
require_once './admin.php';
// Capability gate for the Customizer UI.
if (!current_user_can('edit_theme_options')) {
    wp_die(__('Cheatin’ uh?'));
}
// Pulls `url` and `return` from the request into local variables.
wp_reset_vars(array('url', 'return'));
$url = urldecode($url);
// The preview URL must be on this site (or an allowed host); otherwise the front page.
$url = wp_validate_redirect($url, home_url('/'));
if ($return) {
    // No fallback: an off-site return URL becomes '' and is replaced below.
    $return = wp_validate_redirect(urldecode($return));
}
if (!$return) {
    $return = $url;
}
global $wp_scripts, $wp_customize;
// Fresh script queue for the controls frame, keeping the registrations.
$registered = $wp_scripts->registered;
$wp_scripts = new WP_Scripts();
$wp_scripts->registered = $registered;
add_action('customize_controls_print_scripts', 'print_head_scripts', 20);
add_action('customize_controls_print_footer_scripts', '_wp_footer_scripts');
add_action('customize_controls_print_styles', 'print_admin_styles', 20);
do_action('customize_controls_init');
wp_enqueue_script('customize-controls');
wp_enqueue_style('customize-controls');
do_action('customize_controls_enqueue_scripts');
/**
 * Set URL to link the user to when closing the Customizer.
 *
 * URL is validated: after esc_url_raw() and removal of the transient query
 * args, wp_validate_redirect() is applied without a fallback, so an
 * off-site URL is stored as '' (presumably meaning "no return link").
 *
 * @since 4.4.0
 * @access public
 *
 * @param string $return_url URL for return link.
 */
public function set_return_url($return_url) {
    $cleaned = remove_query_arg(wp_removable_query_args(), esc_url_raw($return_url));
    $this->return_url = wp_validate_redirect($cleaned);
}
/**
 * Builds preview layout model and dispatches save.
 *
 * Rejects callers lacking both SAVE and SAVE_REVISION permission, reads the
 * POSTed layout JSON and `current_url`, saves a revision, collects other
 * users who saved revisions of the same cascade in the last 15 minutes, and
 * responds with the preview URL plus that user list.
 *
 * `current_url` is client-supplied: it is sanitized and host-validated with
 * wp_validate_redirect(), and replaced by home_url() when rejected, so the
 * returned preview URL cannot point off-site.
 */
public function build_preview() {
    $may_save = Upfront_Permissions::current(Upfront_Permissions::SAVE);
    $may_save_revision = Upfront_Permissions::current(Upfront_Permissions::SAVE_REVISION);
    if (!$may_save && !$may_save_revision) {
        $this->_reject();
    }

    global $post;

    $raw_data = stripslashes_deep($_POST);
    $data = empty($raw_data['data']) ? '' : $raw_data['data'];

    $current_url = empty($raw_data['current_url']) ? home_url() : $raw_data['current_url'];
    $current_url = wp_validate_redirect(wp_sanitize_redirect($current_url), false);
    if (!$current_url) {
        $current_url = home_url();
    }

    $layout = Upfront_Layout::from_json($data);
    $layout_id_key = $this->_data->save_revision($layout);

    // Check concurrent edits from other users
    $current_user_id = get_current_user_id();
    $revision_query = array(
        'date_query' => array(array('after' => "-15 minutes")),
        'author__not_in' => array($current_user_id),
    );
    $current_others_revisions = $this->_data->get_entity_revisions($layout->get_cascade(), $revision_query);

    $concurrent_users = array();
    if (!empty($current_others_revisions)) {
        foreach ($current_others_revisions as $rvsn) {
            if (empty($rvsn->post_author)) {
                continue;
            }
            $author = get_user_by('id', $rvsn->post_author);
            if (empty($author) || empty($author->ID)) {
                continue;
            }
            $concurrent_users[$author->ID] = $author->display_name;
        }
    }

    $preview_url = add_query_arg(array(self::HOOK => $layout_id_key), $current_url);
    $preview_url = remove_query_arg('editmode', $preview_url);

    $this->_out(new Upfront_JsonResponse_Success(array(
        'html' => $preview_url,
        'concurrent_users' => $concurrent_users,
    )));
}