Opened 8 weeks ago
Last modified 4 weeks ago
#63376 new enhancement
Enhancement: wp_login_form() $redirect params default value fetching update
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Login and Registration | Keywords: | |
| Focuses: | | Cc: | |
Description
Our current method for retrieving the current URL is as follows:

```php
$current_url = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
```

This approach relies on `is_ssl()` and `$_SERVER['HTTP_HOST']`, and it accesses `$_SERVER['HTTP_HOST']` without checking if it is set. It also lacks proper usage of sanitization.
## What is your proposed solution?

Why rely on `$_SERVER['HTTP_HOST']` and `is_ssl()` when we can construct the URL directly using:

```php
home_url( wp_unslash( sanitize_url( $_SERVER['REQUEST_URI'] ) ) )
```

This provides a more secure and WordPress-native approach.
Change History (4)
#2 in reply to: description, 8 weeks ago

Replying to sh4lin:

> `home_url( wp_unslash( sanitize_url( $_SERVER['REQUEST_URI'] ) ) )`

That will not work for all WordPress installations - suppose `get_option( 'home' )` returns something like `'https://example.com/wordpress'`.

There is a function `get_self_link()` in `wp-includes/feed.php` which attempts to handle this situation. (But I'm not sure it will work for all cases.)
#3 8 weeks ago

@siliconforks By WordPress definition, `https://example.com/wordpress` is supposed to be the value of `site_url()`:

> Retrieves the URL for the current site where WordPress application files (e.g. wp-blog-header.php or the wp-admin/ folder) are accessible.

https://developer.wordpress.org/reference/functions/site_url/

Whereas `home_url()` is intended to retrieve:

> The URL for the current site where the front end is accessible.

https://developer.wordpress.org/reference/functions/home_url/

Also, `get_self_link()` uses `home_url()`. It parses the URL, extracts the domain and port, sets the scheme for the URL, and appends `REQUEST_URI` from the server global variable.
```php
<?php
function get_self_link() {
	// Parse the configured home URL so its host (and port, if any) can be reused.
	$parsed = parse_url( home_url() );

	$domain = $parsed['host'];
	if ( isset( $parsed['port'] ) ) {
		$domain .= ':' . $parsed['port'];
	}

	// Rebuild the URL from the site's own host plus the requested path, then
	// let set_url_scheme() choose http or https for the current request.
	return set_url_scheme( 'http://' . $domain . wp_unslash( $_SERVER['REQUEST_URI'] ) );
}
```
The same is being done in the Gutenberg loginout block; I raised the issue there as well: https://github.com/WordPress/gutenberg/issues/70024
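The three URL-building strategies discussed in the ticket (the current `wp_login_form()` expression, the proposed `home_url( REQUEST_URI )`, and `get_self_link()` from comment #3) can be compared side by side on the subdirectory install from comment #2. The script below is an added example, not code from the ticket or from WordPress core: the `get_option()`, `is_ssl()`, `wp_unslash()`, `home_url()` and `set_url_scheme()` functions are simplified stand-ins written here so the script runs outside WordPress, and the `$options` fixture and `$_SERVER` values are constructed.

```php
<?php
// Added example, not WordPress code. The functions below are simplified
// stand-ins for the WordPress functions named in the ticket (assumption:
// their real counterparts behave the same way for this fixture).

// Constructed fixture: a site whose 'home' option lives in a subdirectory,
// exactly the case raised in comment #2.
$options = array( 'home' => 'https://example.com/wordpress' );

function get_option( $name ) {
	global $options;
	return isset( $options[ $name ] ) ? $options[ $name ] : false;
}

function is_ssl() {
	return isset( $_SERVER['HTTPS'] ) && 'on' === $_SERVER['HTTPS'];
}

function wp_unslash( $value ) {
	return stripslashes( $value );
}

// Simplified home_url(): the 'home' option with $path appended.
function home_url( $path = '' ) {
	$home = rtrim( get_option( 'home' ), '/' );
	return '' === $path ? $home : $home . '/' . ltrim( $path, '/' );
}

// Simplified set_url_scheme(): replace the scheme according to is_ssl().
function set_url_scheme( $url ) {
	$scheme = is_ssl() ? 'https' : 'http';
	return preg_replace( '#^\w+://#', $scheme . '://', $url );
}

// The function from wp-includes/feed.php quoted in comment #3.
function get_self_link() {
	$parsed = parse_url( home_url() );
	$domain = $parsed['host'];
	if ( isset( $parsed['port'] ) ) {
		$domain .= ':' . $parsed['port'];
	}
	return set_url_scheme( 'http://' . $domain . wp_unslash( $_SERVER['REQUEST_URI'] ) );
}

// Constructed request. REQUEST_URI already contains the /wordpress/ prefix
// because that is where the front end is served from. HTTP_HOST is whatever
// the client put in the Host header; it is not taken from site configuration,
// so it is deliberately set to a value that does not match the 'home' option.
$_SERVER['HTTPS']       = 'on';
$_SERVER['HTTP_HOST']   = 'host-from-request.example';
$_SERVER['REQUEST_URI'] = '/wordpress/blog/?p=1';

// 1. Current wp_login_form() expression: scheme from is_ssl(), host from the request.
$current = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

// 2. Proposed home_url( REQUEST_URI ): home already ends in /wordpress,
//    and REQUEST_URI starts with /wordpress, so the subdirectory is doubled.
$proposed = home_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );

// 3. get_self_link(): host (and port) from the 'home' option, path from REQUEST_URI.
$self = get_self_link();

echo "current : $current\n";
echo "proposed: $proposed\n";
echo "self    : $self\n";
```

Run with `php example.php`. The output makes the two caveats concrete: the proposed form repeats the `/wordpress` segment, while the current form carries over the request's Host header verbatim, so the redirect target depends on client-supplied input rather than on the configured site. `get_self_link()` takes the host from the `home` option and only the path from the request, which is why comment #2 points to it, with the reservation that it may not cover every configuration (for instance, a `home` option whose path differs from the path under which requests actually arrive).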