From 7be935c7fbb7f9c328e6b349203565cb2fcf7463 Mon Sep 17 00:00:00 2001
From: Evan Sims
Date: Mon, 8 Jul 2024 15:03:03 -0500
Subject: [PATCH] fix: classic login override param
---
 WP_Auth0.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/WP_Auth0.php b/WP_Auth0.php
index ca16aef6..c825a2ae 100644
--- a/WP_Auth0.php
+++ b/WP_Auth0.php
@@ -642,15 +642,17 @@ function wp_auth0_filter_login_override_url( $wp_login_url ) {
 // Not processing form data, just using a redirect parameter if present.
 // phpcs:disable WordPress.Security.NonceVerification.NoNonceVerification
- if ( wp_auth0_can_show_wp_login_form() && isset( $_REQUEST['wle'] ) ) {
+ $options = WP_Auth0_Options::Instance();
+ $wle = $options->get( 'wle_code' );
+
+ if ( wp_auth0_can_show_wp_login_form() && $wle !== null ) {
 // We are on an override page.
- $wp_login_url = add_query_arg( 'wle', sanitize_text_field( wp_unslash( $_REQUEST['wle'] ) ), $wp_login_url );
 } elseif ( wp_auth0_is_current_login_action( [ 'resetpass' ] ) ) {
 // We are on the reset password page with a link to login.
 // This page will not be shown unless we get here via a valid reset password request.
 $wp_login_url = wp_auth0_login_override_url( $wp_login_url );
 }
- return $wp_login_url;
+ return esc_url($wp_login_url);
 // phpcs:disable WordPress.Security.NonceVerification.NoNonceVerification
 }
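Review bot: `return esc_url($wp_login_url);` applies display-context escaping in a function that returns a URL rather than printing it; `esc_url()` rewrites `&` as `&#038;`, so a login URL with more than one query argument would be altered for any caller that redirects with it or escapes it again on output. If the return value feeds a URL filter, as the function name suggests, `return esc_url_raw( $wp_login_url );` keeps the scheme and character filtering without the entity encoding. Separately, the first branch is now empty apart from its comment and `$wle` is only compared with null, so the override page no longer carries a `wle` argument onto the login URL; if that is intended, a comment such as `// Deliberately not echoing the request's wle value into the URL.` would say so, and the two `phpcs:disable` markers look unnecessary now that `$_REQUEST` is no longer read here. The function's opening line is visible only in the hunk header.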