When working with the Settings API (or any other API that handles options, serialization, validation, and page redirections), dealing with custom messages in WordPress isn’t something that we typically have to worry about it.
The API takes care of all of that for us, and if we need to use other pieces of information, like the query string, we’re able to take advantage of API functions like
get_query_var to check for the presence of a given value without much thought for how it was added in the first place.
But what about when you’re working on your administration page, and you need to display custom messages in WordPress after a redirect?
Custom Messages in WordPress
Specifically, let’s state the problem like this:
What if you need to display custom messages in WordPress after performing a safe redirect and don’t have access to the information by traditional means?
The challenge is that using a custom implementation of an administration page – which is okay depending on the project – often requires a safe redirect.
And this can trash different things (like query string variables), so we’re left having to come up with a way to display custom messages.
Looking at a Safe Redirect
For this example, let’s assume that the project in question has all of the necessary things in place to make sure data is saving securely.
- A WordPress nonce,
- The presence of the
_wp_http_referervariable in the
- And proper sanitization.
Next, let’s also assume that the redirect is being performed by the
wp_safe_redirect function versus another given PHP function or another type of magic to get the user to the desired page.
This function does the following:
Checks whether the $location is using an allowed host, if it has an absolute path. A plugin can therefore set or remove allowed host(s) to or from the list.
If the host is not allowed, then the redirect is to wp-admin on the siteurl instead. This prevents malicious redirects which redirect to another host, but only used in a few places.
With that, the initial version of the function might look something like this:
It’s straightforward enough and should be clear as to what it’s doing (especially given the code comments). In short, we want to redirect back to the URL that ultimately results in hitting this function in the first place.
In the context of an administration page, this is typically the page from which the user came. And once there, it’s time to display custom messages. Perhaps these messages are error messages, notices, success messages, whatever.
So what now?
Saving Custom Messages
There are likely different ways to do this, but the one I’ve found to be the most maintainable and easiest to follow uses the following:
Depending on how you structure your work you may not need a class, and you may already have functions available that can do some of this. To that end, I won’t bother walking through an entire example for how this can be achieved with a set of classes and what not.
Instead, I’ll focus on the core points that are