fix for XSS against attack

kinabalu · joshcanhelp · commit b4c8ac737e42 · 2020-01-30T10:49:37.000-08:00
diff --git a/WP_Auth0.php b/WP_Auth0.php
@@ -635,7 +635,8 @@ function wp_auth0_filter_login_override_url( $wp_login_url ) {
  */
 function wp_auth0_filter_login_override_form() {
 	if ( wp_auth0_can_show_wp_login_form() && isset( $_REQUEST['wle'] ) ) {
-		printf( '<input type="hidden" name="wle" value="%s" />', $_REQUEST['wle'] );
+		$wle_encoded = esc_attr($_REQUEST['wle']);
+		printf( '<input type="hidden" name="wle" value="%s" />', $wle_encoded );
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -635,7 +635,8 @@ function wp_auth0_filter_login_override_url( $wp_login_url ) {`
`635`	`635`	`*/`
`636`	`636`	`function wp_auth0_filter_login_override_form() {`
`637`	`637`	`if ( wp_auth0_can_show_wp_login_form() && isset( $_REQUEST['wle'] ) ) {`
`638`		`- printf( '<input type="hidden" name="wle" value="%s" />', $_REQUEST['wle'] );`
	`638`	`+ $wle_encoded = esc_attr($_REQUEST['wle']);`
	`639`	`+ printf( '<input type="hidden" name="wle" value="%s" />', $wle_encoded );`
`639`	`640`	`}`
`640`	`641`	`}`
`641`	`642`