In my WordPress site I have a hack that looks at the uri and does a redirect to a subdomain. The problem is wp_redirect calls wp_sanitize_redirect which will strip out @ signs, so when a user tries to load something like
oursite.com?email=foo@bar.com
The page that gets loaded should be
prefix.oursite.com?email=foo@bar.com
but instead it’s
prefix.oursite.com?email=foobar.com (i.e. - no @ sign)
The problem is easy to work around – I just manually encode @ signs as %40 before calling wp_redirect.
Question: why does wp_sanitize_redirect strip out @ signs, exactly? Anybody could anyway try to load a url with an @ sign in it – is there some security issue I’m not thinking about?
EDIT: The function I’m talking about is wp_sanitize_redirect
Just take a look at the source:
So the only characters, the
preg_replaceallows area-z~+_.?#=&;,/:%!.What does that mean for URIs and URLs?
The php function
urlencode()replaces all no alpha-numeric chararcters, except-_.with a%(percent) character followed by two hexdecimal values and spaces with a+. If you userawurlencode(), it also strips the+. As you can see from thepreg_replace(), it allows all URL encoded/prepared characters, so it’s safe to throw such encoded characters/URL parts into the game.Just wanted to follow up on my own findings. This happened to me if I was leaving out the last / in my URLs. Doing so caused WP to call func:redirect_canonical which stripped out the @ symbols. When I added the last / it did not call this function and the @ symbol remained.
A good plugin for debugging redirects is: Debug WP Redirect
Example 1 which fails:
Original URL: http://www.domain.com/somepage?email=me@me.com
Final URL : http://www.domain.com/somepage/?email=meme.com
Example 2 which works:
Original URL: http://www.domain.com/somepage/?email=me@me.com
Final URL : http://www.domain.com/somepage/?email=me@me.com