windws.location redirect to a URLencoded link

Question

i am trying to redirect to a url that is passed as a param from another page.

<?PHP $location   = urlencode($_GET['url']); ?>

    <script>
    window.location = ("<?PHP echo $location; ?>");
    </script

the problem is instead of redirecting to the external site, it thinks the encoded URL string is a file name relative to the current directory.

how can i make it redirect to the right place?

Answer 1

First of all, you should verify the passed URL is in fact a URL and not someone trying to inject JS into your site.

if(filter_var($_GET['url'], FILTER_VALIDATE_URL) !== false) {
    header("Location: " . filter_var($_GET['url'], FILTER_VALIDATE_URL));
}

//Alternatively using JS
if(filter_var($_GET['url'], FILTER_VALIDATE_URL) !== false) {
    echo('<script>
    window.location = ("' . filter_var($_GET['url'], FILTER_VALIDATE_URL) . '");
    </script>');
}

Answer 2

you should add http:// before your url

Edit

I noticed you mentioned you get a string like this: http%3A%2F%2Fexample.com%3Faaa%3Dbbb

So you can decode that string:

$location   = urldecode($_GET['url']); ?>

Answer 3

I would suggest using a php header direction method:

<?php
    header('Location: '.$_GET['url']);
?>

See: http://php.net/manual/en/function.header.php ...for more details.

Answer 4

Remove the urlencode() and ensure the url is starting with http://

<?PHP $location = $_GET['url']; ?>
    <script>
    window.location = ("<?PHP echo $location; ?>");
    </script>

Or:

<?php 
$location = $_GET['url'];
header("Location: $location"); 
?>