fix: corruption in JSON payloads due to escaping

evansims · evansims · commit 2e93c6fed3cb · 2024-07-12T11:46:41.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Change Log
 
+## [Unreleased]
+
+**Fixed**
+
+- Resolved an issue with corrupted JSON payloads.
+
 ## [4.6.1](https://github.com/auth0/wp-auth0/tree/4.6.1) (2024-07-08)
 
 [Full Changelog](https://github.com/auth0/wp-auth0/compare/4.6.0...4.6.1)
@@ -11,7 +17,7 @@
 
 **Fixed**
 
-- Resolved issue with `?wle` parameter handling.
+- Resolved [CVE-2023-6813](ttps://github.com/auth0/wordpress/security/advisories/GHSA-x6p7-44rh-m3rr) involving a sanitization issue with `?wle` parameter.
 
 ## [4.6.0](https://github.com/auth0/wp-auth0/tree/4.6.0) (2024-01-11)
 
diff --git a/lib/WP_Auth0_Routes.php b/lib/WP_Auth0_Routes.php
@@ -109,7 +109,7 @@ public function custom_requests($wp, $return = false)
 			$wp->send_headers();
 		}
 
-		echo esc_js($output);
+		echo str_replace('&quot;', '"', $output);
 		exit;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ public function custom_requests($wp, $return = false)`
`109`	`109`	`$wp->send_headers();`
`110`	`110`	`}`
`111`	`111`
`112`		`- echo esc_js($output);`
	`112`	`+ echo str_replace('"', '"', $output);`
`113`	`113`	`exit;`
`114`	`114`	`}`
`115`	`115`