Best practice, use wp_safe_redirect() when dealing with referrers. Props nacin.

git-svn-id: http://svn.automattic.com/wordpress/trunk@19579 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-12-10 18:26:48 +00:00 · 2011-12-10 18:26:48 +00:00 · 02a1dd7ccb
parent ec305a2ee0
commit 02a1dd7ccb
7 changed files with 26 additions and 26 deletions
--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@ -30,7 +30,7 @@ if ( $doaction ) {
 	} elseif ( isset( $_REQUEST['ids'] ) ) {
 		$comment_ids = array_map( 'absint', explode( ',', $_REQUEST['ids'] ) );
 	} elseif ( wp_get_referer() ) {
-		wp_redirect( wp_get_referer() );
+		wp_safe_redirect( wp_get_referer() );
 		exit;
 	}
@ -92,7 +92,7 @@ if ( $doaction ) {
 	if ( $trashed || $spammed )
 		$redirect_to = add_query_arg( 'ids', join( ',', $comment_ids ), $redirect_to );
-	wp_redirect( $redirect_to );
+	wp_safe_redirect( $redirect_to );
 	exit;
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
 	 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@ -367,7 +367,7 @@ function set_screen_options() {
 		}
 		update_user_meta($user->ID, $option, $value);
-		wp_redirect( remove_query_arg( array('pagenum', 'apage', 'paged'), wp_get_referer() ) );
+		wp_safe_redirect( remove_query_arg( array('pagenum', 'apage', 'paged'), wp_get_referer() ) );
 		exit;
 	}
 }
--- a/wp-admin/network/site-themes.php
+++ b/wp-admin/network/site-themes.php
@ -118,12 +118,12 @@ if ( $action ) {
 	update_option( 'allowedthemes', $allowed_themes );
 	restore_current_blog();
-	wp_redirect( add_query_arg( array( 'id' => $id, $action => $n ), $referer ) );
+	wp_safe_redirect( add_query_arg( array( 'id' => $id, $action => $n ), $referer ) );
 	exit;
 }
 if ( isset( $_GET['action'] ) && 'update-site' == $_GET['action'] ) {
-	wp_redirect( $referer );
+	wp_safe_redirect( $referer );
 	exit();
 }
--- a/wp-admin/network/site-users.php
+++ b/wp-admin/network/site-users.php
@ -153,12 +153,12 @@ if ( $action ) {
 	}
 	restore_current_blog();
-	wp_redirect( add_query_arg( 'update', $update, $referer ) );
+	wp_safe_redirect( add_query_arg( 'update', $update, $referer ) );
 	exit();
 }
 if ( isset( $_GET['action'] ) && 'update-site' == $_GET['action'] ) {
-	wp_redirect( $referer );
+	wp_safe_redirect( $referer );
 	exit();
 }
--- a/wp-admin/network/sites.php
+++ b/wp-admin/network/sites.php
@ -63,9 +63,9 @@ if ( isset( $_GET['action'] ) ) {
 			if ( $id != '0' && $id != $current_site->blog_id && current_user_can( 'delete_site', $id ) ) {
 				wpmu_delete_blog( $id, true );
-				wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'delete' ), wp_get_referer() ) );
+				wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'delete' ), wp_get_referer() ) );
 			} else {
-				wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'not_deleted' ), wp_get_referer() ) );
+				wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'not_deleted' ), wp_get_referer() ) );
 			}
 			exit();
@ -110,7 +110,7 @@ if ( isset( $_GET['action'] ) ) {
 					}
 				}
-				wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => $blogfunction ), wp_get_referer() ) );
+				wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => $blogfunction ), wp_get_referer() ) );
 			} else {
 				wp_redirect( network_admin_url( 'sites.php' ) );
 			}
@ -123,7 +123,7 @@ if ( isset( $_GET['action'] ) ) {
 				wp_die( __( 'You do not have permission to access this page.' ) );
 			update_blog_status( $id, 'archived', '1' );
-			wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'archive' ), wp_get_referer() ) );
+			wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'archive' ), wp_get_referer() ) );
 			exit();
 		break;
@ -133,7 +133,7 @@ if ( isset( $_GET['action'] ) ) {
 				wp_die( __( 'You do not have permission to access this page.' ) );
 			update_blog_status( $id, 'archived', '0' );
-			wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unarchive' ), wp_get_referer() ) );
+			wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unarchive' ), wp_get_referer() ) );
 			exit();
 		break;
@ -144,7 +144,7 @@ if ( isset( $_GET['action'] ) ) {
 			update_blog_status( $id, 'deleted', '0' );
 			do_action( 'activate_blog', $id );
-			wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'activate' ), wp_get_referer() ) );
+			wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'activate' ), wp_get_referer() ) );
 			exit();
 		break;
@ -155,7 +155,7 @@ if ( isset( $_GET['action'] ) ) {
 			do_action( 'deactivate_blog', $id );
 			update_blog_status( $id, 'deleted', '1' );
-			wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'deactivate' ), wp_get_referer() ) );
+			wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'deactivate' ), wp_get_referer() ) );
 			exit();
 		break;
@ -165,7 +165,7 @@ if ( isset( $_GET['action'] ) ) {
 				wp_die( __( 'You do not have permission to access this page.' ) );
 			update_blog_status( $id, 'spam', '0' );
-			wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unspam' ), wp_get_referer() ) );
+			wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unspam' ), wp_get_referer() ) );
 			exit();
 		break;
@ -175,7 +175,7 @@ if ( isset( $_GET['action'] ) ) {
 				wp_die( __( 'You do not have permission to access this page.' ) );
 			update_blog_status( $id, 'spam', '1' );
-			wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'spam' ), wp_get_referer() ) );
+			wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'spam' ), wp_get_referer() ) );
 			exit();
 		break;
@ -185,7 +185,7 @@ if ( isset( $_GET['action'] ) ) {
 				wp_die( __( 'You do not have permission to access this page.' ) );
 			update_blog_status( $id, 'mature', '0' );
-			wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unmature' ), wp_get_referer() ) );
+			wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unmature' ), wp_get_referer() ) );
 			exit();
 		break;
@ -195,7 +195,7 @@ if ( isset( $_GET['action'] ) ) {
 				wp_die( __( 'You do not have permission to access this page.' ) );
 			update_blog_status( $id, 'mature', '1' );
-			wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'mature' ), wp_get_referer() ) );
+			wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'mature' ), wp_get_referer() ) );
 			exit();
 		break;
--- a/wp-admin/network/themes.php
+++ b/wp-admin/network/themes.php
@ -47,33 +47,33 @@ if ( $action ) {
 			check_admin_referer('disable-theme_' . $_GET['theme']);
 			unset( $allowed_themes[ $_GET['theme'] ] );
 			update_site_option( 'allowedthemes', $allowed_themes );
-			wp_redirect( add_query_arg( 'disabled', '1', $referer ) );
+			wp_safe_redirect( add_query_arg( 'disabled', '1', $referer ) );
 			exit;
 			break;
 		case 'enable-selected':
 			check_admin_referer('bulk-themes');
 			$themes = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
 			if ( empty($themes) ) {
-				wp_redirect( add_query_arg( 'error', 'none', $referer ) );
+				wp_safe_redirect( add_query_arg( 'error', 'none', $referer ) );
 				exit;
 			}
 			foreach( (array) $themes as $theme )
 				$allowed_themes[ $theme ] = true;
 			update_site_option( 'allowedthemes', $allowed_themes );
-			wp_redirect( add_query_arg( 'enabled', count( $themes ), $referer ) );
+			wp_safe_redirect( add_query_arg( 'enabled', count( $themes ), $referer ) );
 			exit;
 			break;
 		case 'disable-selected':
 			check_admin_referer('bulk-themes');
 			$themes = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
 			if ( empty($themes) ) {
-				wp_redirect( add_query_arg( 'error', 'none', $referer ) );
+				wp_safe_redirect( add_query_arg( 'error', 'none', $referer ) );
 				exit;
 			}
 			foreach( (array) $themes as $theme )
 				unset( $allowed_themes[ $theme ] );
 			update_site_option( 'allowedthemes', $allowed_themes );
-			wp_redirect( add_query_arg( 'disabled', count( $themes ), $referer ) );
+			wp_safe_redirect( add_query_arg( 'disabled', count( $themes ), $referer ) );
 			exit;
 			break;
 		case 'update-selected' :
@ -117,7 +117,7 @@ if ( $action ) {
 				unset( $themes[ get_option( 'stylesheet' ) ] );
 			if ( empty( $themes ) ) {
-				wp_redirect( add_query_arg( 'error', 'none', $referer ) );
+				wp_safe_redirect( add_query_arg( 'error', 'none', $referer ) );
 				exit;
 			}
@ -134,7 +134,7 @@ if ( $action ) {
 			}
 			if ( empty( $themes ) ) {
-				wp_redirect( add_query_arg( 'error', 'main', $referer ) );
+				wp_safe_redirect( add_query_arg( 'error', 'main', $referer ) );
 				exit;
 			}
--- a/wp-admin/network/users.php
+++ b/wp-admin/network/users.php
@ -166,7 +166,7 @@ if ( isset( $_GET['action'] ) ) {
 					}
 				}
-				wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => $userfunction ), wp_get_referer() ) );
+				wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => $userfunction ), wp_get_referer() ) );
 			} else {
 				$location = network_admin_url( 'users.php' );