Opened 7 months ago
Last modified 6 months ago
#63376 new enhancement
Enhancement: wp_login_form() $redirect params default value fetching update
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Login and Registration | Keywords: | |
| Focuses: | | Cc: | |
Description
Our current method for retrieving the current URL is as follows:
```php
$current_url = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
```
This approach relies on is_ssl() and $_SERVER['HTTP_HOST'], and it accesses $_SERVER['HTTP_HOST'] without checking if it is set. It also lacks proper usage of sanitization.
## What is your proposed solution?
Why rely on $_SERVER['HTTP_HOST'] and is_ssl() when we can construct the URL directly using:
```php
home_url( wp_unslash( sanitize_url( $_SERVER['REQUEST_URI'] ) ) )
```
This provides a more secure and WordPress-native approach.
Change History (4)
#2 (in reply to: ↑ description), 7 months ago
Replying to sh4lin:

> `home_url( wp_unslash( sanitize_url( $_SERVER['REQUEST_URI'] ) ) )`

That will not work for all WordPress installations - suppose get_option( 'home' ) returns something like 'https://example.com/wordpress'.
There is a function get_self_link() in wp-includes/feed.php which attempts to handle this situation. (But I'm not sure it will work for all cases.)
#3, 7 months ago
@siliconforks By WordPress definition, https://example.com/wordpress is supposed to be the value of site_url():

> Retrieves the URL for the current site where WordPress application files (e.g. wp-blog-header.php or the wp-admin/ folder) are accessible.

https://developer.wordpress.org/reference/functions/site_url/

Whereas home_url() is intended to retrieve:

> The URL for the current site where the front end is accessible.

https://developer.wordpress.org/reference/functions/home_url/

The same is being done in the Gutenberg loginout block; I raised the issue there as well - https://github.com/WordPress/gutenberg/issues/70024
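
The three ways of building the current URL discussed in this ticket, side by side, as an added example (not WordPress core code and not part of any comment above). It runs as plain PHP without WordPress: `$home` stands in for `get_option( 'home' )`, the function names are hypothetical, the sample requests are constructed, and the effect of `sanitize_url()` is left out.

```php
<?php
// Added example: plain PHP, no WordPress loaded. $home stands in for the
// value of get_option( 'home' ); all inputs below are constructed samples.

// Current approach from the ticket: the origin comes from the request's Host header.
function url_from_host_header(array $server, bool $is_ssl): string {
    return ($is_ssl ? 'https://' : 'http://') . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// Proposed approach, reduced to its string effect: home_url( $path ) appends
// '/' . ltrim( $path, '/' ) to the configured home URL.
function url_from_home_concat(string $home, array $server): string {
    return rtrim($home, '/') . '/' . ltrim($server['REQUEST_URI'], '/');
}

// Alternative: take only scheme, host and port from the configured home URL
// and append REQUEST_URI unchanged, so a path in home is never added twice.
function url_from_home_origin(string $home, array $server): ?string {
    $p = parse_url($home);
    if (empty($p['scheme']) || empty($p['host']) || !isset($server['REQUEST_URI'])) {
        return null; // misconfigured home or CLI context: no URL to build
    }
    $uri = $server['REQUEST_URI'];
    // Accept only origin-relative targets without control bytes or spaces.
    if ($uri === '' || $uri[0] !== '/' || preg_match('/[\x00-\x20\x7f]/', $uri)) {
        return null;
    }
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    return $origin . $uri;
}

// Constructed cases: root install, subdirectory home, and a Host header that
// differs from the configured home.
$cases = [
    ['https://example.com',           ['HTTP_HOST' => 'example.com',       'REQUEST_URI' => '/about/?x=1']],
    ['https://example.com/wordpress', ['HTTP_HOST' => 'example.com',       'REQUEST_URI' => '/wordpress/about/']],
    ['https://example.com',           ['HTTP_HOST' => 'other.example.net', 'REQUEST_URI' => '/about/']],
];
foreach ($cases as [$home, $server]) {
    printf("home=%s host=%s\n  host-header: %s\n  home-concat: %s\n  home-origin: %s\n",
        $home, $server['HTTP_HOST'],
        url_from_host_header($server, true),
        url_from_home_concat($home, $server),
        var_export(url_from_home_origin($home, $server), true));
}
```

In the second case the concatenating variant repeats the `/wordpress` segment, which is the situation comment #2 describes; in the third, only the Host-header variant follows the header sent with the request.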