fix: classic login override param

auth0 · Jul 8, 2024 · 7be935c · 7be935c
1 parent 257c59d
commit 7be935c
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/WP_Auth0.php b/WP_Auth0.php
@@ -642,15 +642,17 @@ function wp_auth0_filter_login_override_url( $wp_login_url ) {
 	// Not processing form data, just using a redirect parameter if present.
 	// phpcs:disable WordPress.Security.NonceVerification.NoNonceVerification
 
-	if ( wp_auth0_can_show_wp_login_form() && isset( $_REQUEST['wle'] ) ) {
+	$options = WP_Auth0_Options::Instance();
+	$wle = $options->get( 'wle_code' );
+
+	if ( wp_auth0_can_show_wp_login_form() && $wle !== null ) {
 		// We are on an override page.
-		$wp_login_url = add_query_arg( 'wle', sanitize_text_field( wp_unslash( $_REQUEST['wle'] ) ), $wp_login_url );
 	} elseif ( wp_auth0_is_current_login_action( [ 'resetpass' ] ) ) {
 		// We are on the reset password page with a link to login.
 		// This page will not be shown unless we get here via a valid reset password request.
 		$wp_login_url = wp_auth0_login_override_url( $wp_login_url );
 	}
-	return $wp_login_url;
+	return esc_url($wp_login_url);
 
 	// phpcs:disable WordPress.Security.NonceVerification.NoNonceVerification
 }