In wp_sanitize_redirect(), don't eat @ characters. According to RFC 3986, "@" is a perfectly valid character in a URL path or query string.

Adds unit test.

Props markjaquith.
Fixes #18818.


git-svn-id: https://develop.svn.wordpress.org/trunk@33707 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/pluggable.php

@@ -1232,7 +1232,7 @@ function wp_sanitize_redirect($location) {
 		){1,40}                              # ...one or more times
 		)/x';
 	$location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location );
-	$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()]|i', '', $location);
+	$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location);
 	$location = wp_kses_no_null($location);
 
 	// remove %0d and %0a from location

tests/phpunit/tests/formatting/redirect.php

@@ -18,5 +18,6 @@ class Tests_Formatting_Redirect extends WP_UnitTestCase {
 		$this->assertEquals('http://example.com/whyisthisintheurl/?param[1]=foo', wp_sanitize_redirect('http://example.com/whyisthisintheurl/?param[1]=foo'));
 		$this->assertEquals('http://[2606:2800:220:6d:26bf:1447:aa7]/', wp_sanitize_redirect('http://[2606:2800:220:6d:26bf:1447:aa7]/'));
 		$this->assertEquals('http://example.com/search.php?search=(amistillhere)', wp_sanitize_redirect('http://example.com/search.php?search=(amistillhere)'));
+		$this->assertEquals('http://example.com/@username', wp_sanitize_redirect('http://example.com/@username'));
 	}
 }