Merge pull request #105 from danielbachhuber/safe-redirect

Use `wp_safe_redirect()` for safer redirects

Author: rmccue

lib/class-wp-rest-oauth1-admin.php

@@ -409,7 +409,7 @@ public static function handle_delete() {
 			return;
 		}
 
-		wp_redirect( self::get_url( 'deleted=1' ) );
+		wp_safe_redirect( self::get_url( 'deleted=1' ) );
 		exit;
 	}
 
@@ -432,7 +432,7 @@ public static function handle_regenerate() {
 		$client = WP_REST_OAuth1_Client::get( $id );
 		$client->regenerate_secret();
 
-		wp_redirect( self::get_url( array( 'action' => 'edit', 'id' => $id, 'did_action' => 'regenerate' ) ) );
+		wp_safe_redirect( self::get_url( array( 'action' => 'edit', 'id' => $id, 'did_action' => 'regenerate' ) ) );
 		exit;
 	}
 }

lib/class-wp-rest-oauth1-ui.php

@@ -166,6 +166,7 @@ public function handle_callback_redirect( $verifier ) {
 		$args = urlencode_deep( $args );
 		$callback = add_query_arg( $args, $callback );
 
+		// Offsite, so skip safety check
 		wp_redirect( $callback );
 
 		return null;