wp_safe_redirect

The timeline below shows how the WordPress function wp_safe_redirect() has changed across WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.5

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * Note: wp_safe_redirect() does not exit automatically, and should almost always be
 * followed by a call to `exit;`:
 *
 *     wp_safe_redirect( $url );
 *     exit;
 *
 * Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional
 * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_status'} filters:
 *
 *     if ( wp_safe_redirect( $url ) ) {
 *         exit;
 *     }
 *
 * The boolean result is passed straight through from wp_redirect(): it reports whether
 * a redirect went ahead, not whether $location was accepted or swapped for the fallback.
 *
 * @since 2.3.0
 * @since 5.1.0 The return value from wp_redirect() is now passed on, and the `$x_redirect_by` parameter was added.
 *
 * @param string       $location      The path or URL to redirect to.
 * @param int          $status        Optional. HTTP response status code to use. Default '302' (Moved Temporarily).
 * @param string|false $x_redirect_by Optional. The application doing the redirect or false to omit. Default 'WordPress'.
 * @return bool False if the redirect was canceled, true otherwise.
 */
function wp_safe_redirect($location, $status = 302, $x_redirect_by = 'WordPress')
{
    // Need to look at the URL the way it will end up in wp_redirect().
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    /**
     * Filters the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * Callbacks run on every call, including when $location is acceptable. The value
     * they return is not checked again in this function; it is handed to
     * wp_validate_redirect() as the fallback, so it must be a URL the site trusts.
     *
     * @since 4.3.0
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The HTTP response status code to use.
     */
    $fallback_url = apply_filters('wp_safe_redirect_fallback', admin_url(), $status);
    // A $location on a host that is not allowed is replaced by $fallback_url here.
    $location = wp_validate_redirect($location, $fallback_url);
    // $status and $x_redirect_by are forwarded unchanged.
    return wp_redirect($location, $status, $x_redirect_by);
}

WordPress Version: 6.2

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * Note: wp_safe_redirect() does not exit automatically, and should almost always be
 * followed by a call to `exit;`:
 *
 *     wp_safe_redirect( $url );
 *     exit;
 *
 * Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional
 * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_status'} filters:
 *
 *     if ( wp_safe_redirect( $url ) ) {
 *         exit;
 *     }
 *
 * The boolean result is passed straight through from wp_redirect(): it reports whether
 * a redirect went ahead, not whether $location was accepted or swapped for the fallback.
 *
 * @since 2.3.0
 * @since 5.1.0 The return value from wp_redirect() is now passed on, and the `$x_redirect_by` parameter was added.
 *
 * @param string $location      The path or URL to redirect to.
 * @param int    $status        Optional. HTTP response status code to use. Default '302' (Moved Temporarily).
 * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'.
 * @return bool False if the redirect was canceled, true otherwise.
 */
function wp_safe_redirect($location, $status = 302, $x_redirect_by = 'WordPress')
{
    // Need to look at the URL the way it will end up in wp_redirect().
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    /**
     * Filters the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * Callbacks run on every call, including when $location is acceptable. The value
     * they return is not checked again in this function; it is handed to
     * wp_validate_redirect() as the fallback, so it must be a URL the site trusts.
     *
     * @since 4.3.0
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The HTTP response status code to use.
     */
    $fallback_url = apply_filters('wp_safe_redirect_fallback', admin_url(), $status);
    // A $location on a host that is not allowed is replaced by $fallback_url here.
    $location = wp_validate_redirect($location, $fallback_url);
    // $status and $x_redirect_by are forwarded unchanged.
    return wp_redirect($location, $status, $x_redirect_by);
}

WordPress Version: 5.5

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * Note: wp_safe_redirect() does not exit automatically, and should almost always be
 * followed by a call to `exit;`:
 *
 *     wp_safe_redirect( $url );
 *     exit;
 *
 * Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional
 * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} filters:
 *
 *     if ( wp_safe_redirect( $url ) ) {
 *         exit;
 *     }
 *
 * The boolean result is passed straight through from wp_redirect(): it reports whether
 * a redirect went ahead, not whether $location was accepted or swapped for the fallback.
 *
 * @since 2.3.0
 * @since 5.1.0 The return value from wp_redirect() is now passed on, and the `$x_redirect_by` parameter was added.
 *
 * @param string $location      The path or URL to redirect to.
 * @param int    $status        Optional. HTTP response status code to use. Default '302' (Moved Temporarily).
 * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'.
 * @return bool False if the redirect was cancelled, true otherwise.
 */
function wp_safe_redirect($location, $status = 302, $x_redirect_by = 'WordPress')
{
    // Need to look at the URL the way it will end up in wp_redirect().
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    /**
     * Filters the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * Callbacks run on every call, including when $location is acceptable. The value
     * they return is not checked again in this function; it is handed to
     * wp_validate_redirect() as the fallback, so it must be a URL the site trusts.
     *
     * @since 4.3.0
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The HTTP response status code to use.
     */
    $location = wp_validate_redirect($location, apply_filters('wp_safe_redirect_fallback', admin_url(), $status));
    // $status and $x_redirect_by are forwarded unchanged.
    return wp_redirect($location, $status, $x_redirect_by);
}

WordPress Version: 5.4

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * Note: wp_safe_redirect() does not exit automatically, and should almost always be
 * followed by a call to `exit;`:
 *
 *     wp_safe_redirect( $url );
 *     exit;
 *
 * Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional
 * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} filters:
 *
 *     if ( wp_safe_redirect( $url ) ) {
 *         exit;
 *     }
 *
 * The boolean result is passed straight through from wp_redirect(): it reports whether
 * a redirect went ahead, not whether $location was accepted or swapped for the fallback.
 *
 * @since 2.3.0
 * @since 5.1.0 The return value from wp_redirect() is now passed on, and the `$x_redirect_by` parameter was added.
 *
 * @param string $location      The path or URL to redirect to.
 * @param int    $status        Optional. HTTP response status code to use. Default '302' (Moved Temporarily).
 * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'.
 * @return bool False if the redirect was cancelled, true otherwise.
 */
function wp_safe_redirect($location, $status = 302, $x_redirect_by = 'WordPress')
{
    // Need to look at the URL the way it will end up in wp_redirect().
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    /**
     * Filters the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * Callbacks run on every call, including when $location is acceptable. The value
     * they return is not checked again in this function; it is handed to
     * wp_validate_redirect() as the fallback, so it must be a URL the site trusts.
     *
     * @since 4.3.0
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The HTTP response status code to use.
     */
    $location = wp_validate_redirect($location, apply_filters('wp_safe_redirect_fallback', admin_url(), $status));
    // $status and $x_redirect_by are forwarded unchanged.
    return wp_redirect($location, $status, $x_redirect_by);
}

WordPress Version: 5.1

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * Note: wp_safe_redirect() does not exit automatically, and should almost always be
 * followed by a call to `exit;`:
 *
 *     wp_safe_redirect( $url );
 *     exit;
 *
 * Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional
 * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} filters:
 *
 *     if ( wp_safe_redirect( $url ) ) {
 *         exit;
 *     }
 *
 * The boolean result is passed straight through from wp_redirect(): it reports whether
 * a redirect went ahead, not whether $location was accepted or swapped for the fallback.
 *
 * @since 2.3.0
 * @since 5.1.0 The return value from wp_redirect() is now passed on, and the `$x_redirect_by` parameter was added.
 *
 * @param string $location      The path or URL to redirect to.
 * @param int    $status        Optional. HTTP response status code to use. Default '302' (Moved Temporarily).
 * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'.
 * @return bool False if the redirect was cancelled, true otherwise.
 */
function wp_safe_redirect($location, $status = 302, $x_redirect_by = 'WordPress')
{
    // Need to look at the URL the way it will end up in wp_redirect()
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    /**
     * Filters the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * Callbacks run on every call, including when $location is acceptable. The value
     * they return is not checked again in this function; it is handed to
     * wp_validate_redirect() as the fallback, so it must be a URL the site trusts.
     *
     * @since 4.3.0
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The HTTP response status code to use.
     */
    $location = wp_validate_redirect($location, apply_filters('wp_safe_redirect_fallback', admin_url(), $status));
    // $status and $x_redirect_by are forwarded unchanged.
    return wp_redirect($location, $status, $x_redirect_by);
}

WordPress Version: 4.6

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * Returns nothing: the result of wp_redirect() is discarded, so a caller cannot tell
 * from this function whether $location was accepted or swapped for the fallback.
 * The body contains no `exit`; callers that must stop executing after the redirect
 * presumably have to call `exit;` themselves (confirm against wp_redirect() in this release).
 *
 * @since 2.3.0
 *
 * @param string $location The path to redirect to.
 * @param int    $status   Status code to use.
 */
function wp_safe_redirect($location, $status = 302)
{
    // Need to look at the URL the way it will end up in wp_redirect()
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    /**
     * Filters the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * Callbacks run on every call, including when $location is acceptable. The value
     * they return is not checked again in this function; it is handed to
     * wp_validate_redirect() as the fallback, so it must be a URL the site trusts.
     *
     * @since 4.3.0
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The redirect status.
     */
    $location = wp_validate_redirect($location, apply_filters('wp_safe_redirect_fallback', admin_url(), $status));
    // The return value of wp_redirect() is not propagated in this version.
    wp_redirect($location, $status);
}

WordPress Version: 4.5

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * Returns nothing: the result of wp_redirect() is discarded, so a caller cannot tell
 * from this function whether $location was accepted or swapped for the fallback.
 * The body contains no `exit`; callers that must stop executing after the redirect
 * presumably have to call `exit;` themselves (confirm against wp_redirect() in this release).
 *
 * @since 2.3.0
 *
 * @param string $location The path to redirect to.
 * @param int    $status   Status code to use.
 */
function wp_safe_redirect($location, $status = 302)
{
    // Need to look at the URL the way it will end up in wp_redirect()
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    /**
     * Filter the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * Callbacks run on every call, including when $location is acceptable. The value
     * they return is not checked again in this function; it is handed to
     * wp_validate_redirect() as the fallback, so it must be a URL the site trusts.
     *
     * @since 4.3.0
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The redirect status.
     */
    $location = wp_validate_redirect($location, apply_filters('wp_safe_redirect_fallback', admin_url(), $status));
    // The return value of wp_redirect() is not propagated in this version.
    wp_redirect($location, $status);
}

WordPress Version: 4.3

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * Returns nothing: the result of wp_redirect() is discarded, so a caller cannot tell
 * from this function whether $location was accepted or swapped for the fallback.
 * The body contains no `exit`; callers that must stop executing after the redirect
 * presumably have to call `exit;` themselves (confirm against wp_redirect() in this release).
 *
 * @since 2.3.0
 *
 * @param string $location The path or URL to redirect to; sanitized, then validated.
 * @param int    $status   Status code handed to wp_redirect(). Default 302.
 */
function wp_safe_redirect($location, $status = 302)
{
    // Need to look at the URL the way it will end up in wp_redirect()
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    /**
     * Filter the redirect fallback URL for when the provided redirect is not safe (local).
     *
     * Callbacks run on every call, including when $location is acceptable. The value
     * they return is not checked again in this function; it is handed to
     * wp_validate_redirect() as the fallback, so it must be a URL the site trusts.
     *
     * @since 4.3.0
     *
     * @param string $fallback_url The fallback URL to use by default.
     * @param int    $status       The redirect status.
     */
    $location = wp_validate_redirect($location, apply_filters('wp_safe_redirect_fallback', admin_url(), $status));
    // The return value of wp_redirect() is not propagated in this version.
    wp_redirect($location, $status);
}

WordPress Version: 4.1

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect is to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * The fallback is admin_url() as-is; no filter is applied to it in this function.
 * The body contains no `exit`; callers that must stop executing after the redirect
 * presumably have to call `exit;` themselves (confirm against wp_redirect() in this release).
 *
 * @since 2.3.0
 *
 * @param string $location The path or URL to redirect to; sanitized, then validated.
 * @param int    $status   Status code handed to wp_redirect(). Default 302.
 * @return void Does not return anything
 **/
function wp_safe_redirect($location, $status = 302)
{
    // Need to look at the URL the way it will end up in wp_redirect()
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    // A $location on a host that is not allowed is replaced by admin_url() here.
    $location = wp_validate_redirect($location, admin_url());
    // The return value of wp_redirect() is not propagated in this version.
    wp_redirect($location, $status);
}

WordPress Version: 3.9

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect is to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * The fallback is admin_url() as-is; no filter is applied to it in this function.
 * The body contains no `exit`; callers that must stop executing after the redirect
 * presumably have to call `exit;` themselves (confirm against wp_redirect() in this release).
 *
 * @since 2.3.0
 *
 * @uses wp_validate_redirect() To validate the redirect is to an allowed host.
 *
 * @param string $location The path or URL to redirect to; sanitized, then validated.
 * @param int    $status   Status code handed to wp_redirect(). Default 302.
 * @return void Does not return anything
 **/
function wp_safe_redirect($location, $status = 302)
{
    // Need to look at the URL the way it will end up in wp_redirect()
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    // A $location on a host that is not allowed is replaced by admin_url() here.
    $location = wp_validate_redirect($location, admin_url());
    // The return value of wp_redirect() is not propagated in this version.
    wp_redirect($location, $status);
}

WordPress Version: 3.7

/**
 * Performs a safe (local) redirect, using wp_redirect().
 *
 * Checks whether the $location is using an allowed host, if it has an absolute
 * path. A plugin can therefore set or remove allowed host(s) to or from the
 * list.
 *
 * If the host is not allowed, then the redirect is to wp-admin on the siteurl
 * instead. This prevents malicious redirects to another host, but only at the
 * call sites that use this function instead of calling wp_redirect() directly.
 *
 * The fallback is admin_url() as-is; no filter is applied to it in this function.
 * The body contains no `exit`; callers that must stop executing after the redirect
 * presumably have to call `exit;` themselves (confirm against wp_redirect() in this release).
 *
 * @since 2.3
 * @uses wp_validate_redirect() To validate the redirect is to an allowed host.
 *
 * @param string $location The path or URL to redirect to; sanitized, then validated.
 * @param int    $status   Status code handed to wp_redirect(). Default 302.
 * @return void Does not return anything
 **/
function wp_safe_redirect($location, $status = 302)
{
    // Need to look at the URL the way it will end up in wp_redirect()
    // Sanitizing first means the host check below runs on that form of the URL,
    // not on the raw caller-supplied string.
    $location = wp_sanitize_redirect($location);
    // A $location on a host that is not allowed is replaced by admin_url() here.
    $location = wp_validate_redirect($location, admin_url());
    // The return value of wp_redirect() is not propagated in this version.
    wp_redirect($location, $status);
}