wordpress代码分析 —- wp_safe_redirect

presser — Tue, 08 Apr 2008 06:57:39 +0000

wordpress代码分析 ---- wp_safe_redirect。wordpress提供了一个跳转方法wp_safe_redirect，避免登录url被修改，登录成功后跳转到有害的第三方站点。如下：

PHP:

/**
* wp_safe_redirect() - Performs a safe (local) redirect, using wp_redirect()
*
* Checks whether the $location is using an allowed host, if it has an absolute
* path. A plugin can therefore set or remove allowed host(s) to or from the list.
*
* If the host is not allowed, then the redirect is to wp-admin on the siteurl
* instead. This prevents malicious redirects which redirect to another host, but
* only used in a few places.
*
* @since 2.3
* @uses apply_filters() Calls 'allowed_redirect_hosts' on an array containing
* WordPress host string and $location host string.
*
* @return void Does not return anything
**/
function wp_safe_redirect($location, $status = 302) {
// Need to look at the URL the way it will end up in wp_redirect()
$location = wp_sanitize_redirect($location);
// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
if ( substr($location, 0, 2) == '//' )
$location = 'http:' . $location;
$lp = parse_url($location);
$wpp = parse_url(get_option('home'));
$allowed_hosts = (array) apply_filters('allowed_redirect_hosts', array($wpp['host']), isset($lp['host']) ? $lp['host'] : '');
if ( isset($lp['host']) && ( !in_array($lp['host'], $allowed_hosts) && $lp['host'] != strtolower($wpp['host'])) )
$location = get_option('siteurl') . '/wp-admin/';
wp_redirect($location, $status);
}

如果需要跳转到可信的第三方站点，可以修改filter hook ---- allowed_redirect_hosts，把可信任的第三方站点加入列表，这样也就达到了扩展wordpress的目的。

diablo3 » 登录