Question

The documentation for wp_remote_post says:

In many cases you may be better served with wp_safe_remote_post

Looking at the source code, the only line that's different between the two is that wp_safe_remote_post has this: $args['reject_unsafe_urls'] = true;

This article was the best explanation I found, which seems to indicate that the only time I should use wp_remote_post is when I am making a remote call to my own site.

So is there ever any other situation in which I would want to use wp_remote_post or should I always stick with wp_safe_remote_post?


Solution

So is there ever any other situation in which I would want to use wp_remote_post or should I always stick with wp_safe_remote_post?

The two functions are exactly the same, except wp_safe_remote_post() sets the reject_unsafe_urls argument to true. That argument causes the URL to be passed through wp_http_validate_url() in WP_Http::request().

From that function, we see that there are a few use cases where you would need to use wp_remote_post() instead of wp_safe_remote_post().

  1. If you are using a protocol that is not http or https.*
  2. If you need to pass a user or pass in the URL.
  3. If you are posting to the localhost.**
  4. If you need to use a port other than 80, 443, or 8080.

It's also possible to use the http_request_reject_unsafe_urls filter to pass URLs through wp_http_validate_url() in an HTTP request whether wp_safe_remote_post() or wp_remote_post() is called.

[*] If reject_unsafe_urls is not set, the URL is still passed through wp_kses_bad_protocol() and the allowed protocols are http, https, and ssl.

[**] It's possible to use wp_safe_remote_post() to the localhost by using the http_request_host_is_external filter and returning a truthy value.
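
As an added example (not part of the answer above and not WordPress core code): a plugin helper that validates the URL up front so a rejected endpoint yields a specific error, and that uses the http_request_host_is_external filter to allow one named internal host instead of falling back to wp_remote_post(). The myplugin_ names and the hostname hooks.internal.example are assumptions made for illustration.

```php
<?php
// Added example: hypothetical plugin code, to be loaded inside WordPress.
// MYPLUGIN_INTERNAL_HOST is a constructed placeholder, not a real endpoint.
const MYPLUGIN_INTERNAL_HOST = 'hooks.internal.example';

/**
 * Allow exactly one known internal host through the local-address check.
 * Every other host keeps whatever decision was already made.
 */
function myplugin_allow_internal_host( $external, $host, $url ) {
	return ( strtolower( $host ) === MYPLUGIN_INTERNAL_HOST ) ? true : $external;
}
add_filter( 'http_request_host_is_external', 'myplugin_allow_internal_host', 10, 3 );

/**
 * POST a JSON payload to a URL that may come from user configuration.
 *
 * @return array|WP_Error Status code and body, or an error the caller can display.
 */
function myplugin_post_event( $url, array $payload ) {
	// Same validation wp_safe_remote_post() applies, run first so the caller
	// can tell "URL rejected" apart from a network failure.
	if ( ! wp_http_validate_url( $url ) ) {
		return new WP_Error(
			'myplugin_unsafe_url',
			'Endpoint URL rejected: use http or https, no user or pass in the URL, not localhost, and port 80, 443 or 8080.'
		);
	}

	$response = wp_safe_remote_post( $url, array(
		'timeout' => 10,
		'headers' => array( 'Content-Type' => 'application/json' ),
		'body'    => wp_json_encode( $payload ),
	) );

	if ( is_wp_error( $response ) ) {
		return $response; // DNS, TLS, timeout and similar transport errors.
	}

	$code = wp_remote_retrieve_response_code( $response );
	if ( $code < 200 || $code >= 300 ) {
		return new WP_Error( 'myplugin_bad_status', sprintf( 'Endpoint answered with HTTP %d.', $code ) );
	}

	return array( 'code' => $code, 'body' => wp_remote_retrieve_body( $response ) );
}
```

The filter callback compares against a single fixed hostname, so the exemption does not widen to other local or private addresses.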

OTHER TIPS

The _safe_ functions are kind of a late attempt at input sanitation, something that should have happened long before the code has reached that point. (At that point the request will fail without any ability to notify a user that there is a configuration problem he should resolve.)

You should probably always use them, and be ready to handle the situations in which they fail due to you trying to access anything which does not have a "basic" URL format and use the most common port numbers.

What a question? You found all the interesting information.

wp_safe_remote_post() function comment says

Retrieve the raw response from a safe HTTP request using the POST method. This function is ideal when the HTTP request is being made to an arbitrary URL. The URL is validated to avoid redirection and request forgery attacks.

I think you should always use wp_safe_remote_post. It's safe.

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange