diff --git a/includes/core/class-login.php b/includes/core/class-login.php index 10e857f7..e4d2576d 100644 --- a/includes/core/class-login.php +++ b/includes/core/class-login.php @@ -63,7 +63,7 @@ if ( ! class_exists( 'um\core\Login' ) ) { if ( empty( $args['_wpnonce'] ) || ! wp_verify_nonce( $args['_wpnonce'], 'um_login_form' ) ) { // @todo add hookdocs $url = apply_filters( 'um_login_invalid_nonce_redirect_url', add_query_arg( array( 'err' => 'invalid_nonce' ) ) ); - wp_safe_redirect( $url ); + um_safe_redirect( $url ); exit; } } diff --git a/includes/core/class-logout.php b/includes/core/class-logout.php index 865c1cb4..e93f6538 100644 --- a/includes/core/class-logout.php +++ b/includes/core/class-logout.php @@ -74,8 +74,8 @@ if ( ! class_exists( 'um\core\Logout' ) ) { wp_destroy_current_session(); wp_logout(); session_unset(); - exit( wp_safe_redirect( esc_url_raw( $_REQUEST['redirect_to'] ) ) ); - } else if ( 'redirect_home' === um_user( 'after_logout' ) ) { + um_safe_redirect( esc_url_raw( $_REQUEST['redirect_to'] ) ); + } elseif ( 'redirect_home' === um_user( 'after_logout' ) ) { wp_destroy_current_session(); wp_logout(); session_unset(); @@ -107,14 +107,12 @@ if ( ! class_exists( 'um\core\Logout' ) ) { wp_destroy_current_session(); wp_logout(); session_unset(); - exit( wp_safe_redirect( $redirect_url ) ); + um_safe_redirect( $redirect_url ); } - } else { add_filter( 'wp_safe_redirect_fallback', array( &$this, 'safe_redirect_default' ), 10, 2 ); exit( wp_safe_redirect( home_url() ) ); } - } } diff --git a/includes/core/class-register.php b/includes/core/class-register.php index 833c2b28..f968dc72 100644 --- a/includes/core/class-register.php +++ b/includes/core/class-register.php @@ -57,7 +57,7 @@ if ( ! class_exists( 'um\core\Register' ) ) { if ( empty( $args['_wpnonce'] ) || ! wp_verify_nonce( $args['_wpnonce'], 'um_register_form' ) ) { // @todo add hookdocs $url = apply_filters( 'um_register_invalid_nonce_redirect_url', add_query_arg( array( 'err' => 'invalid_nonce' ) ) ); - wp_safe_redirect( $url ); + um_safe_redirect( $url ); exit; } } diff --git a/includes/core/um-actions-login.php b/includes/core/um-actions-login.php index de777c93..947142bc 100644 --- a/includes/core/um-actions-login.php +++ b/includes/core/um-actions-login.php @@ -217,7 +217,7 @@ function um_user_login( $submitted_data ) { // Priority redirect from $_GET attribute. if ( ! empty( $submitted_data['redirect_to'] ) ) { - wp_safe_redirect( $submitted_data['redirect_to'] ); + um_safe_redirect( $submitted_data['redirect_to'] ); exit; } @@ -252,7 +252,7 @@ function um_user_login( $submitted_data ) { * add_filter( 'um_login_redirect_url', 'my_login_redirect_url', 10, 2 ); */ $redirect_url = apply_filters( 'um_login_redirect_url', um_user( 'login_redirect_url' ), um_user( 'ID' ) ); - wp_safe_redirect( $redirect_url ); + um_safe_redirect( $redirect_url ); exit; case 'refresh': wp_safe_redirect( UM()->permalinks()->get_current_url() ); diff --git a/includes/core/um-actions-register.php b/includes/core/um-actions-register.php index b4d750c2..89098d95 100644 --- a/includes/core/um-actions-register.php +++ b/includes/core/um-actions-register.php @@ -204,14 +204,14 @@ function um_check_user_status( $user_id, $args, $form_data = null ) { // Priority redirect if ( isset( $args['redirect_to'] ) ) { - wp_safe_redirect( urldecode( $args['redirect_to'] ) ); + um_safe_redirect( urldecode( $args['redirect_to'] ) ); exit; } um_fetch_user( $user_id ); if ( 'redirect_url' === um_user( 'auto_approve_act' ) && '' !== um_user( 'auto_approve_url' ) ) { - wp_safe_redirect( um_user( 'auto_approve_url' ) ); + um_safe_redirect( um_user( 'auto_approve_url' )); exit; } @@ -246,7 +246,7 @@ function um_check_user_status( $user_id, $args, $form_data = null ) { */ $redirect_url = apply_filters( 'um_registration_pending_user_redirect', um_user( $status . '_url' ), $status, um_user( 'ID' ) ); - wp_safe_redirect( $redirect_url ); + um_safe_redirect( $redirect_url ); exit; } diff --git a/includes/um-short-functions.php b/includes/um-short-functions.php index 955ac7d0..7d1bbdb6 100644 --- a/includes/um-short-functions.php +++ b/includes/um-short-functions.php @@ -2841,3 +2841,117 @@ function um_is_amp( $check_theme_support = true ) { return apply_filters( 'um_is_amp', $is_amp ); } + +/** + * UM safe redirect + * + * @since 2.6.9 + * + * @param string $url redirect URL. + * + * @return string + */ +function um_safe_redirect( $url ) { + add_filter( 'allowed_redirect_hosts', 'um_allowed_redirect_hosts', 10, 1 ); + add_filter( 'wp_safe_redirect_fallback', 'um_wp_safe_redirect_fallback', 10, 2 ); + + wp_safe_redirect( $url ); + exit; +} + +/** + * UM allowed hosts + * + * @since 2.6.9 + * + * @param array $hosts allowed hosts. + * + * @return array + */ +function um_allowed_redirect_hosts( $hosts ) { + $hosts = UM()->options()->get( 'secure_allowed_redirect_hosts' ); + + $hosts = explode( "\n", $hosts ); + $hosts = array_unique( $hosts ); + + $additional_hosts = array(); + + foreach ( $hosts as $key => $host ) { + if ( '' !== trim( $host ) ) { + $host = trim( $host ); + $host = str_replace( array( 'http://', 'https://' ), '', $host ); + $host = trim( $host, '/' ); + + if ( ! in_array( $host, $additional_hosts, true ) ) { + $additional_hosts[] = $host; + } + + if ( strpos( $host, 'www.' ) !== false ) { + if ( ! in_array( str_replace( array( 'www.' ), '', $host ), $additional_hosts, true ) ) { + $additional_hosts[] = str_replace( array( 'www.' ), '', $host ); + } + } else { + if ( ! in_array( 'www.' . $host, $additional_hosts, true ) ) { + $additional_hosts[] = 'www.' . $host; + } + } + } + } + /** + * Filters change allowed hosts. + * + * @since 2.6.9 + * @hook um_allowed_redirect_hosts + * + * @param {array} $additional_hosts allowed hosts. + * @param {array} $hosts default hosts. + * + * @return {array} allowed hosts. + * + * @example