diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index 0c5106221e..6245eb90f1 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -1283,7 +1283,7 @@ if ( !function_exists('wp_validate_redirect') ) :
  * @return string redirect-sanitized URL
  **/
 function wp_validate_redirect($location, $default = '') {
-	$location = trim( $location );
+	$location = trim( $location, " \t\n\r\0\x08\x0B" );
 	// browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
 	if ( substr($location, 0, 2) == '//' )
 		$location = 'http:' . $location;
diff --git a/tests/phpunit/tests/formatting/redirect.php b/tests/phpunit/tests/formatting/redirect.php
index 8628bbf282..dee7d4d9da 100644
--- a/tests/phpunit/tests/formatting/redirect.php
+++ b/tests/phpunit/tests/formatting/redirect.php
@@ -59,6 +59,8 @@ class Tests_Formatting_Redirect extends WP_UnitTestCase {
 			array( 'http://user@example.com/', 'http://user@example.com/' ),
 			array( 'http://user:@example.com/', 'http://user:@example.com/' ),
 			array( 'http://user:pass@example.com/', 'http://user:pass@example.com/' ),
+			array( " \t\n\r\0\x08\x0Bhttp://example.com", 'http://example.com' ),
+			array( " \t\n\r\0\x08\x0B//example.com", 'http://example.com' ),
 		);
 	}
 
@@ -71,6 +73,10 @@ class Tests_Formatting_Redirect extends WP_UnitTestCase {
 			// non-safelisted domain
 			array( 'http://non-safelisted.example/' ),
 
+			// non-safelisted domain (leading whitespace)
+			array( " \t\n\r\0\x08\x0Bhttp://non-safelisted.example.com" ),
+			array( " \t\n\r\0\x08\x0B//non-safelisted.example.com" ),
+
 			// unsupported schemes
 			array( 'data:text/plain;charset=utf-8,Hello%20World!' ),
 			array( 'file:///etc/passwd' ),