I’ve seen a lot of warnings about using $_SERVER['REQUEST_URI'] because it can open things up to XSS, but I haven’t been able to find anything confirming a safe way to use it. Some people have mentioned using esc_url(), but I wasn’t able to find anything confirming how to safely use it. This is my best guess; would this safely prevent XSS attacks?
echo esc_url(( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
If I want to use the URL internally rather than display it, it seems I have to use esc_url_raw(). Is this safe as well?
$pageurl = esc_url_raw(( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
If you are printing the URL out, say to the front end (that is, it is to be displayed as a normal URL to a visitor, etc.), then:
If you are going to use the URL in, say, a WordPress redirect (or anything else that sends the HTTP ‘Location’ header), then you will need:
This is actually the basis and fix of this recent security vulnerability:
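As an added example (not code from the question or the answer above), the following shows the two contexts the answer distinguishes: the same client-supplied URL escaped with esc_url() when it is rendered into HTML, and with esc_url_raw() when it is handed to a redirect. It assumes it runs inside WordPress, where is_ssl(), esc_url(), esc_url_raw(), wp_login_url() and wp_safe_redirect() are available; the function names prefixed example_ are hypothetical.

```php
<?php
// Added example, not from the question or answer above. Assumes it runs inside
// WordPress (theme or plugin), so the WordPress escaping and redirect
// functions exist. The example_* function names are hypothetical.

/**
 * Reconstruct the URL of the current request from $_SERVER.
 * Both HTTP_HOST and REQUEST_URI are supplied by the client, so the result
 * is untrusted input and must be escaped for every context it is used in.
 */
function example_current_request_url() {
    $scheme = is_ssl() ? 'https://' : 'http://';
    $host   = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '';
    $path   = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    return $scheme . $host . $path;
}

/**
 * Display context: the URL lands inside an HTML attribute, so it must be
 * HTML-escaped. esc_url() drops disallowed protocols and encodes quotes,
 * angle brackets and ampersands so the value cannot break out of the
 * attribute it is placed in.
 */
function example_render_canonical_link() {
    $url = example_current_request_url();
    return '<link rel="canonical" href="' . esc_url( $url ) . '" />';
}

/**
 * Header / storage context: the value never lands in HTML, and HTML entities
 * would corrupt it (an "&" becoming "&#038;" changes the query string), so
 * esc_url_raw() is used instead. wp_safe_redirect() additionally refuses to
 * send the browser to a host that is not in the allowed redirect hosts list,
 * which matters because HTTP_HOST itself is client-supplied.
 */
function example_redirect_to_login_and_back() {
    $return_to = esc_url_raw( example_current_request_url() );
    $login_url = wp_login_url( $return_to );
    wp_safe_redirect( $login_url );
    exit;
}

// Usage inside a theme template or a plugin hook:
// echo example_render_canonical_link();      // escaped for HTML output
// example_redirect_to_login_and_back();      // raw-escaped for the Location header
```

The split follows WordPress's own convention: esc_url() is the display variant and esc_url_raw() the variant for database storage, headers and redirects, and using the wrong one either leaves markup unescaped or silently mangles the URL.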