Safely Redirect URLs in WordPress

Since version 1.5.1, WordPress has provided the functionality to redirect to a particular page with proper status codes [1]. To do the redirection we use the magic function wp_redirect() [2]. To make things secure, wp_redirect() comes with target location sanitization, which is great, but it is still not safe enough. Why?

Consider the following scenario: After your visitors have submitted a review for your product, you would like to redirect them to a particular page (be it a thank you page, a reminder page, etc.), and you make that happen by using this snippet:

// note that all functions are made up by me
if (review_submitted())
{
	$location = empty($_POST['redirect_to']) ? get_redirect_link() : $_POST['redirect_to'];
	wp_redirect($location);
	exit;
}

along with these HTML markups:

<form method="post" action="http://example.com/wp-reviews-post.php">
<p>
	<textarea rows="10" cols="120" id="review" name="review"></textarea>
	<input name="submit" type="submit" id="submit" value="Submit Review" />
	<input type='hidden' name='redirect_to' id='redirect_to' value='http://example.com/thankyou/' />
</p>
</form>

Things will work beautifully and peacefully, yes… until someone tries to trick your beloved visitors into another page using the same magic function… but how? By setting up a similar <form> that points to ‘http://example.com/wp-reviews-post.php’, but on his/her own website, with a completely different ‘redirect_to’ input, e.g.:

<input type='hidden' name='redirect_to' id='redirect_to' value='http://anotherexample.com/do-something-malicious/' />

How can that even be possible? It is, and it is even scarier than you can imagine.

To protect your form, you must do one of the following, or both: use a nonce key (to prevent unauthorized form submissions) or use wp_safe_redirect() [3] (to redirect to local URLs only). The two magic functions are used identically, so there is no problem using wp_safe_redirect() instead of wp_redirect(). Our safer code:

if (review_submitted())
{
	$location = empty($_POST['redirect_to']) ? get_redirect_link() : $_POST['redirect_to'];
	wp_safe_redirect($location);
	exit;
}
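Putting both protections together, here is an added example (not code from the original post) of the form and its handler with a nonce check in front of wp_safe_redirect(). It assumes WordPress is loaded and that review_submitted() and get_redirect_link() are the post's made-up helpers.

```php
<?php
// Added example, not from the original post. Assumes WordPress is loaded;
// review_submitted() and get_redirect_link() are the post's hypothetical helpers.

// 1. Render the form. wp_nonce_field() adds a hidden nonce input (name
//    'review_nonce', action 'submit_review') plus a referer field.
function render_review_form() {
    ?>
    <form method="post" action="<?php echo esc_url(home_url('/wp-reviews-post.php')); ?>">
        <?php wp_nonce_field('submit_review', 'review_nonce'); ?>
        <p>
            <textarea rows="10" cols="120" id="review" name="review"></textarea>
            <input name="submit" type="submit" id="submit" value="Submit Review" />
            <input type="hidden" name="redirect_to" id="redirect_to"
                   value="<?php echo esc_url(home_url('/thankyou/')); ?>" />
        </p>
    </form>
    <?php
}

// 2. Handle the submission.
function handle_review_post() {
    if (!review_submitted()) {
        return;
    }

    // First layer: a form hosted on another site cannot carry a valid nonce
    // for this visitor, so such a POST is rejected before anything else runs.
    $nonce = isset($_POST['review_nonce']) ? wp_unslash($_POST['review_nonce']) : '';
    if (!wp_verify_nonce($nonce, 'submit_review')) {
        wp_die('Invalid form submission.', 'Forbidden', array('response' => 403));
    }

    $location = empty($_POST['redirect_to'])
        ? get_redirect_link()
        : esc_url_raw(wp_unslash($_POST['redirect_to']));

    // Second layer: wp_safe_redirect() only follows a URL whose host is the
    // site's own (or one added via the 'allowed_redirect_hosts' filter);
    // anything else is replaced by the admin URL fallback.
    wp_safe_redirect($location, 302);
    exit;
}
```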

If you are not that paranoid about security, just consider this another useful tip that’s good for something ;).

References

  [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
  [2] http://codex.wordpress.org/Function_Reference/wp_redire ... p_redirect
  [3] http://codex.wordpress.org/Function_Reference/wp_safe_r ... e_redirect
