Fix/issue 2768 #2845
Hey @donnapep! I suspect you deleted your comment because I can't find it... Anyways, I fixed the Travis CI issues... Let me know your thoughts on this PR's approach and if there's anything else I could do to help! Thanks!
donnapep
left a comment
Added a few comments about escaping.
| $new_user_password = $_POST['sensei_reg_password']; | ||
|
|
||
| if ( isset( $_POST['sensei_reg_http_referer'] ) && '' !== $_POST['sensei_reg_http_referer'] ) { | ||
| $new_user_http_referer = esc_url_raw( wp_unslash( $_POST['sensei_reg_http_referer'] ) ); |
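Review bot: on the esc_url_raw( wp_unslash( $_POST['sensei_reg_http_referer'] ) ) assignment, the posted value is cleaned as a URL but not constrained to this site. esc_url_raw() sanitizes the string and rejects disallowed protocols, yet it accepts any host, and the field comes from the form body, which the client controls. If $new_user_http_referer is later used as the redirect target after registration, pass it through wp_validate_redirect() with the home URL as the fallback, or send the redirect with wp_safe_redirect(), so that only allowed hosts are followed. Separately, the variable is assigned only inside the if; nothing in the visible lines gives it a default for the case where the field is missing or empty, so later reads should not assume it is set.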
Is wp_unslash necessary?
The URL is also being double escaped. It's being escaped here and on line 1775. It's always better to escape late, so I would do the escaping further down.
I had to add wp_unslash and the escaping here to pass the Travis CI build. Those were the issues that blocked my first attempt...
I found this article that explains why we should use the wp_unslash for $_POST, so I think that's why the sniffer marked that as a violation.
So, what is your suggestion? Leave it like this? Add the sniffer ignore comment? Or something else?
Fixes #2768
Changes proposed in this Pull Request:
What I found to be causing this issue was that the wp_get_referer() function in line 1768, class-sensei-frontend.php file, always returned false (thus, the $return variable was always being set to the home url value). The wp_get_referer() function checks that the http referer is different than the request uri, and in the register process case, they are the same since the form action calls itself.

Testing instructions: