wp_is_authorize_application_redirect_url_valid

The timeline below shows how the WordPress function wp_is_authorize_application_redirect_url_valid has changed across WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.5

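/**
 * Validates the redirect URL protocol scheme.
 *
 * The URL must begin with an RFC 2396 scheme and must contain a host. Schemes
 * on the deny list (`javascript` and `data` by default, adjustable through the
 * `wp_authorize_application_redirect_url_invalid_protocols` filter) are
 * rejected, and `http` is accepted only when the environment type is `local`.
 * Every scheme comparison is case-insensitive. An empty URL is accepted.
 *
 * @since 6.3.2
 *
 * @param string $url The redirect URL to be validated.
 * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
 */
function wp_is_authorize_application_redirect_url_valid($url)
{
    $bad_protocols = array('javascript', 'data');
    // No redirect URL supplied: there is nothing to validate.
    if (empty($url)) {
        return true;
    }
    // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
    $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
    if (!preg_match($valid_scheme_regex, $url)) {
        return new WP_Error('invalid_redirect_url_format', __('Invalid URL format.'));
    }
    /**
     * Filters the list of invalid protocols used in applications redirect URLs.
     *
     * @since 6.3.2
     *
     * @param string[] $bad_protocols Array of invalid protocols.
     * @param string   $url The redirect URL to be validated.
     */
    $invalid_protocols = apply_filters('wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url);
    // The filtered value replaces the defaults outright, so a callback can
    // shorten the deny list as well as extend it.
    $invalid_protocols = array_map('strtolower', $invalid_protocols);
    $scheme = wp_parse_url($url, PHP_URL_SCHEME);
    $host = wp_parse_url($url, PHP_URL_HOST);
    // Schemes are case-insensitive and the parser keeps the caller's casing.
    // Normalise once so the deny-list check and the plain-`http` check below
    // agree; comparing the raw value let `HTTP://` skip the secure-connection rule.
    $scheme = is_string($scheme) ? strtolower($scheme) : '';
    $is_local = 'local' === wp_get_environment_type();
    // Validates if the proper URI format is applied to the URL.
    if (empty($host) || empty($scheme) || in_array($scheme, $invalid_protocols, true)) {
        return new WP_Error('invalid_redirect_url_format', __('Invalid URL format.'));
    }
    // Plain HTTP is tolerated only in a `local` environment.
    if ('http' === $scheme && !$is_local) {
        return new WP_Error('invalid_redirect_scheme', __('The URL must be served over a secure connection.'));
    }
    return true;
}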

WordPress Version: .12

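/**
 * Validates the redirect URL protocol scheme.
 *
 * A URL passes when it starts with an RFC 2396 scheme, has a host, uses a
 * scheme that is not on the deny list (`javascript` and `data` unless the
 * `wp_authorize_application_redirect_url_invalid_protocols` filter changes it),
 * and is not plain `http` outside a `local` environment. Schemes are compared
 * case-insensitively. An empty URL is accepted.
 *
 * @since 6.3.2
 *
 * @param string $url - The redirect URL to be validated.
 *
 * @return true|WP_Error True if the redirect URL is valid, a WP_Error object otherwise.
 */
function wp_is_authorize_application_redirect_url_valid($url)
{
    $bad_protocols = array('javascript', 'data');
    // An empty value means no redirect URL was given, so nothing is checked.
    if (empty($url)) {
        return true;
    }
    // Based on https://www.rfc-editor.org/rfc/rfc2396#section-3.1
    $valid_scheme_regex = '/^[a-zA-Z][a-zA-Z0-9+.-]*:/';
    if (!preg_match($valid_scheme_regex, $url)) {
        return new WP_Error('invalid_redirect_url_format', __('Invalid URL format.'));
    }
    /**
     * Filters the list of invalid protocols used in applications redirect URLs.
     *
     * @since 6.3.2
     *
     * @param string[]  $bad_protocols Array of invalid protocols.
     * @param string    $url The redirect URL to be validated.
     */
    $invalid_protocols = array_map('strtolower', apply_filters('wp_authorize_application_redirect_url_invalid_protocols', $bad_protocols, $url));
    $scheme = wp_parse_url($url, PHP_URL_SCHEME);
    $host = wp_parse_url($url, PHP_URL_HOST);
    // Lower-case the parsed scheme before any comparison. The deny-list check
    // was already case-insensitive, but the `http` check compared the raw
    // value, so an upper- or mixed-case `HTTP://` URL was accepted outside
    // local environments.
    $scheme = is_string($scheme) ? strtolower($scheme) : '';
    $is_local = 'local' === wp_get_environment_type();
    // Validates that the proper URI format is applied to the $url.
    if (empty($host) || empty($scheme) || in_array($scheme, $invalid_protocols, true)) {
        return new WP_Error('invalid_redirect_url_format', __('Invalid URL format.'));
    }
    // Unencrypted HTTP redirects are allowed only when the environment type is `local`.
    if ('http' === $scheme && !$is_local) {
        return new WP_Error('invalid_redirect_scheme', __('The URL must be served over a secure connection.'));
    }
    return true;
}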