Deprecate wp_sanitize_redirect

[malthert]

All places that currently use it are better served with esc_url_raw and there seems to be no correct usage of it anywhere (most plugins use it where esc_url_raw should be used instead).

I'm happy to provide a PR, I just need to get some heads up about how the deprecation process works in WP exactly.

[costdev]

Hi @malthert, thanks for opening this ticket. I've left a few thoughts below.

---

[53455] changed esc_url_raw() calls to sanitize_url() as this is now the recommended function for sanitizing a URL as of WordPress 6.1.

---

All places that currently use it are better served with esc_url_raw and there seems to be no correct usage of it anywhere (most plugins use it where esc_url_raw should be used instead).

For discussion, posterity, and for making committers' lives easier should this get support, could you provide your thoughts on why esc_url_raw() serves some of these usages better, or where it's more appropriate than wp_sanitize_redirect()?

---

An impact analysis is an important part of any deprecation. I'll kick it off with some numbers:

• There are ​309 plugin results for sanitize_url_redirect\(.
• There are ​0 theme results for sanitize_url_redirect\(.
• There are ​99k+ results in GitHub, but 10 pages in, it seemed to be entirely within PHPUnit tests. I'll admit that I stopped looking after page 10.

---

I've added the 2nd-opinion keyword to draw attention to this ticket.

[malthert]

WP core uses it only in 3 functions:

• wp_redirect
• wp_safe_redirect
• wp_validate_redirect

​https://developer.wordpress.org/reference/functions/esc_url_raw/
States:

The resulting URL is safe to use in database queries, redirects and HTTP requests.

So if esc_url_raw is safe to use in (= sanitize), then there is no need for wp_sanitize_redirect, as esc_url_raw already does this.
If esc_url_raw is NOT safe for sanitizing data in redirects, this needs to be updated in docs to highlight wp_sanitize_redirect has to be used.

Additionally, it's unclear what the difference between the use cases for sanitize_url and wp_sanitize_redirect are?

sanitize_url() description says:

Sanitizes a URL for database or redirect usage.

Therefore a separate function does not make sense, as it creates inconsistent behavior.

[kkmuffme]

I want to take over this ticket and created a PR to alias the functions like what happened to esc_url_raw with sanitize_url in WP 6.1. I didn't mark it as deprecated though to keep the external (plugins,...) minimal.

I didn't look at the internals - if these functions actually did the same. In case they did not, the docs for sanitize_url and esc_url_raw should be updated instead to clarify that they're NOT safe for redirects.

[swissspidy]

The current PR breaks existing tests for wp_sanitize_redirect and wp_validate_redirect so clearly the behavior is not identical.

[kkmuffme]

Yes, so the PR should be to update the docs to remove "redirect" from sanitize_url docs?

[kkmuffme]

And maybe mark the wp_sanitize_redirect @internal since it doesn't really have a use case outside of wp_(safe_)redirect, does it?

[kkmuffme]

Duplicate of #60864.