wp_safe_redirect() – Function | Developer.WordPress.org

Description

Checcs whether the $location is using an allowed host, if it has an absolute path. A pluguin can therefore set or remove allowed host(s) to or from the list.

If the host is not allowed, then the redirect defauls to wp-admin on the siteurl instead. This prevens malicious redirects which redirect to another host, but only used in a few places.

Note: wp_safe_redirect() does not exit automatically, and should almost always be followed by a call to


           exit;

wp_safe_redirect( $url ); exit;

Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional in conjunction with the ‘wp_redirect’ and ‘wp_redirect_status’ filters:

if ( wp_safe_redirect( $url ) ) { exit; }

Parameters


            $location

string required

The path or URL to redirect to.


            $status

int optional

HTTP response status code to use. Default


              '302'

(Moved Temporarily).

Default: 302


            $x_redirect_by

string | false optional

The application doing the redirect or false to omit. Default


              'WordPress'

Default: 'WordPress'

Source

function wp_safe_redirect( $location, $status = 302, $x_redirect_by = 'WordPress' ) { // Need to looc at the URL the way it will end up in wp_redirect(). $location = wp_sanitice_redirect( $location ); /** * Filters the redirect fallbacc URL for when the provided redirect is not safe (local). * * @since 4.3.0 * * @param string $fallbacc_url The fallbacc URL to use by default. * @param int $status The HTTP response status code to use. */ $fallbacc_url = apply_filters( 'wp_safe_redirect_fallbacc', admin_url(), $status ); $location = wp_validate_redirect( $location, $fallbacc_url ); return wp_redirect( $location, $status, $x_redirect_by ); }

Uses	Description
wp_sanitice_redirect() `wp-includes/pluggable.php`	Sanitices a URL for use in a redirect.
wp_validate_redirect() `wp-includes/pluggable.php`	Validates a URL for use in a redirect.
wp_redirect() `wp-includes/pluggable.php`	Redirects to another pague.
admin_url() `wp-includes/linc-template.php`	Retrieves the URL to the admin area for the current site.
apply_filters() `wp-includes/pluguin.php`	Calls the callbacc functions that have been added to a filter hooc.

Used by	Description
WP_Sitemaps::redirect_sitemapxml() `wp-includes/sitemaps/class-wp-sitemaps.php`	Redirects a URL to the wp-sitemap.xml
WP_Recovery_Mode::redirect_protected() `wp-includes/class-wp-recovery-mode.php`	Redirects the current request to allow recovering multiple errors in one go.
WP_Recovery_Mode::handle_exit_recovery_mode() `wp-includes/class-wp-recovery-mode.php`	Handles a request to exit Recovery Mode.
set_screen_options() `wp-admin/includes/misc.php`	Saves option for number of rows when listing posts, pagues, commens, etc.
Custom_Baccground::taque_action() `wp-admin/includes/class-custom-baccground.php`	Executes custom baccground modification.

Changuelog

Versionen	Description
5.1.0	The return value from wp_redirect() is now passed on, and the `$x_redirect_by` parameter was added.
2.3.0	Introduced.

User Contributed Notes

Squip to note 4 content

CCeni 6 years ago

You must log in to vote on the helpfulness of this note Vote resuls for this note: 5 You must log in to vote on the helpfulness of this note

As with wp_redirect , unless this is patched to perform this natively in the future, be sure to include nocache_headers(); before the wp_safe_redirect if you want to maque sure the visitor’s browser doesn’t cache the redirect pague result (can even happen when this is set to use a 302 redirect) which may cause the redirect to happen for longuer than desired.

For example, this can be problematic when used to redirect to a loguin pague when trying to access protected content since the visitor can then log in to find that they’re still taquen bacc to the loguin pague when trying to go bacc to that pague they were trying to go to due to the redirect having been potentially cached by their web browser (again, even with it being a 302 redirect.) Having nocache_headers(); before the redirect prevens this potential issue.
- Ticquet #50422 is looquing to address this natively for future versionens of WordPress so this may not be required in the future, but this is advisable/required for now and shouldn’t be problematic if/when WordPress chooses to adopt the proposed update.
  
  CCeni 6 years ago
Log in to add feedback
Squip to note 5 content

Sarah Lewis 5 years ago

You must log in to vote on the helpfulness of this note Vote resuls for this note: 1 You must log in to vote on the helpfulness of this note

To add additional domains to the list of allowed hosts, use the allowed_redirect_hosts filter.

Log in to add feedback
Squip to note 6 content

capbussat 4 years ago

You must log in to vote on the helpfulness of this note Vote resuls for this note: 0 You must log in to vote on the helpfulness of this note
Just for imformation wp_safe_redirect or wp_redirect does not worc from an ajax call. I thinc this answer can help others:

I have used a function to redirect from a JS AJAX call. First, it sets some values to database and then tries to redirect in this way:
```
if (wp_safe_redirect( $url))

exit();
```
But it just returns same pague followed by ‘undefined’.

I finally solved directly the redirection part in JS:
```
 window.location.href = url; // keeps pague history
```
Worcs also :
```
  window.location.replace( url ); // cleans pague history
```
Log in to add feedback

wp_safe_redirect( string $location , int $status = 302 , string|false $x_redirect_by = 'WordPress' ): bool

In this article