diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index 82ad4ea606..e2c6a59c2b 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -401,8 +401,18 @@ function wp_redirect($location, $status = 302) {
 $location = preg_replace('|[^a-z0-9-~\+_\.\?#=&;,/:%]|i', '', $location);
 $location = wp_kses_no_null($location);
+ // remove %0d and %0a from location
 $strip = array('%0d', '%0a');
- $location = str_replace($strip, '', $location);
+ $found = true;
+ while($found) {
+ $found = false;
+ foreach($strip as $val) {
+ while(strpos($location, $val) !== false) {
+ $found = true;
+ $location = str_replace($val, '', $location);
+ }
+ }
+ }
 if ( $is_IIS ) {
 header("Refresh: 0;url=$location");