In `wp_sanitize_redirect()`, don't eat `@` characters. According to RFC 3986, "@" is a perfectly valid character in a URL path or query string.

Adds unit test.

Props markjaquith.
Fixes #18818.

Built from https://develop.svn.wordpress.org/trunk@33707


git-svn-id: http://core.svn.wordpress.org/trunk@33674 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Scott Taylor 2015-08-22 17:05:24 +00:00
parent 523b51a359
commit 5510b519f5
2 changed files with 2 additions and 2 deletions

View File

@ -1232,7 +1232,7 @@ function wp_sanitize_redirect($location) {
){1,40} # ...one or more times ){1,40} # ...one or more times
)/x'; )/x';
$location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location ); $location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location); $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location);
$location = wp_kses_no_null($location); $location = wp_kses_no_null($location);
// remove %0d and %0a from location // remove %0d and %0a from location

View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.4-alpha-33706'; $wp_version = '4.4-alpha-33707';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.