Make WordPress Core

Opened 8 weeks ago

Last modified 4 weeks ago

#63376 new enhancement

Enhancement: wp_login_form() $redirect params default value fetching update

Reported by: sh4lin Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:

Description

Our current method for retrieving the current URL is as follows:

$current_url = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

This approach relies on is_ssl() and $_SERVER['HTTP_HOST'], and it accesses $_SERVER['HTTP_HOST'] without checking if it is set. It also lacks proper usage of sanitization.

What is your proposed solution?

Why rely on $_SERVER['HTTP_HOST'] and is_ssl() when we can construct the URL directly using:

home_url( wp_unslash( sanitize_url( $_SERVER['REQUEST_URI'] ) ) )

This provides a more secure and WordPress-native approach.

Change History (4)

#1 @sh4lin
8 weeks ago

The same is being done in the Gutenberg loginout block; I raised the issue there as well: https://github.com/WordPress/gutenberg/issues/70024

Last edited 8 weeks ago by sh4lin

#2 in reply to: description @siliconforks
8 weeks ago

Replying to sh4lin:

home_url( wp_unslash( sanitize_url( $_SERVER['REQUEST_URI'] ) ) )

That will not work for all WordPress installations - suppose get_option( 'home' ) returns something like 'https://example.com/wordpress'.

There is a function get_self_link() in wp-includes/feed.php which attempts to handle this situation. (But I'm not sure it will work for all cases.)

#3 @sh4lin
8 weeks ago

@siliconforks By WordPress definition, https://example.com/wordpress is supposed to be the value of site_url():

Retrieves the URL for the current site where WordPress application files (e.g. wp-blog-header.php or the wp-admin/ folder) are accessible.
https://developer.wordpress.org/reference/functions/site_url/

Whereas home_url() is intended to retrieve:

The URL for the current site where the front end is accessible.
https://developer.wordpress.org/reference/functions/home_url/

Also, get_self_link() uses home_url(). It parses the URL, extracts the domain and port, sets the scheme for the URL, and appends REQUEST_URI from the server global variable.

<?php
function get_self_link() {
        // Scheme, host and port come from the configured home URL, not from the
        // client-supplied Host header.
        $parsed = parse_url( home_url() );

        // Only host and port are reused; the home path is not, because
        // REQUEST_URI already contains it (e.g. "/wordpress/..." on a subdirectory install).
        $domain = $parsed['host'];
        if ( isset( $parsed['port'] ) ) {
                $domain .= ':' . $parsed['port'];
        }

        // Append the raw request path; set_url_scheme() without a $scheme argument
        // rewrites "http://" to "https://" when is_ssl() is true.
        return set_url_scheme( 'http://' . $domain . wp_unslash( $_SERVER['REQUEST_URI'] ) );
}
Last edited 8 weeks ago by sh4lin
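The thread above turns on two points: the description's concern that the current $redirect default is assembled from the client-supplied Host header and an unchecked $_SERVER key, and comment #2's objection that wrapping REQUEST_URI in home_url() breaks a subdirectory install such as https://example.com/wordpress (home_url( '/wordpress/page/' ) would yield https://example.com/wordpress/wordpress/page/). The helper below is an added example, not code from the ticket, from WordPress core or from Gutenberg. It takes the approach of get_self_link() quoted in comment #3 (authority from the home option, path from REQUEST_URI) and adds the missing-key fallback, reduces REQUEST_URI to its path and query so a value that parses to a host cannot redirect off-site, and runs the result through esc_url_raw(). It assumes WordPress is loaded; the function name wpx_current_request_url() is hypothetical.

```php
<?php
/**
 * Added example (not code from the ticket, WordPress core or Gutenberg):
 * build the URL of the current request for use as the $redirect argument
 * of wp_login_form(). Scheme, host and port come from the configured home
 * URL rather than from the client-supplied Host header, REQUEST_URI is
 * reduced to its path and query, and a subdirectory install such as
 * https://example.com/wordpress is handled without duplicating the path.
 * Assumes WordPress is loaded; the function name is hypothetical.
 */
function wpx_current_request_url() {
	// REQUEST_URI is request data: if it is missing, fall back to the home page
	// instead of indexing an unset $_SERVER key.
	if ( empty( $_SERVER['REQUEST_URI'] ) ) {
		return home_url( '/' );
	}

	// Keep only path and query. A value that parses to a host (for example a
	// protocol-relative "//host/..." string) loses that host here, so the
	// redirect target stays on this site.
	$request = wp_parse_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
	$path    = isset( $request['path'] ) ? $request['path'] : '/';
	if ( '' === $path || '/' !== $path[0] ) {
		$path = '/' . ltrim( $path, '/' );
	}
	$query = ( isset( $request['query'] ) && '' !== $request['query'] ) ? '?' . $request['query'] : '';

	// Authority from the home option, as get_self_link() does. REQUEST_URI already
	// contains the subdirectory of a "/wordpress"-style home URL, so the home path
	// is deliberately not prepended again (home_url( $path ) would do that).
	$home = wp_parse_url( home_url() );
	if ( empty( $home['host'] ) ) {
		return home_url( '/' );
	}
	$authority = $home['host'] . ( isset( $home['port'] ) ? ':' . $home['port'] : '' );
	$scheme    = isset( $home['scheme'] ) ? $home['scheme'] : ( is_ssl() ? 'https' : 'http' );

	return esc_url_raw( $scheme . '://' . $authority . $path . $query );
}

// Usage: pass the result as the redirect target of the rendered login form.
// wp_login_form( array( 'redirect' => wpx_current_request_url(), 'echo' => true ) );
```

With the home option set to https://example.com/wordpress and a request for /wordpress/page/?x=1, the helper returns https://example.com/wordpress/page/?x=1, because the path is taken from REQUEST_URI and only the authority from home_url(); passing REQUEST_URI into home_url() as a path argument, as the description proposes, would prepend /wordpress a second time. Taking the authority from the home option rather than $_SERVER['HTTP_HOST'] also means the redirect target in the rendered form is controlled by the site configuration, not by whatever Host header reached the server.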

#4 @johnbillion
4 weeks ago

  • Version trunk deleted