Fix/issue 2768 #2845
Fix/issue 2768 #2845
Conversation
|
Hey @donnapep! I suspect you deleted your comment because I can't find it... Anyways, I fixed the Travis CI issues... Let me know your thoughts on this PR's approach and if there's anything else I could do to help! Thanks! |
| @@ -1705,6 +1707,10 @@ public function sensei_process_registration() { | |||
| $new_user_email = $_POST['sensei_reg_email']; | |||
| $new_user_password = $_POST['sensei_reg_password']; | |||
|
|
|||
| if ( isset( $_POST['sensei_reg_http_referer'] ) && '' !== $_POST['sensei_reg_http_referer'] ) { | |||
| $new_user_http_referer = esc_url_raw( wp_unslash( $_POST['sensei_reg_http_referer'] ) ); | |||
There was a problem hiding this comment.
Is wp_unslash necessary?
The URL is also being double escaped. It's being escaped here and on line 1775. It's always better to escape late, so I would do the escaping further down.
There was a problem hiding this comment.
I had to add wp_unslash and the escaping here to pass the Travis CI build. Those were the issues that blocked my first attempt...
I found this article that explains why we should use the wp_unslash for $_POST, so I think that's why the sniffer marked that as a violation.
So, what is your suggestion? Leave it like this? Add the sniffer ignore comment? Or something else?
Fixes #2768
Changes proposed in this Pull Request:
What I found to be causing this issue was that the
wp_get_referer()function in line 1768,class-sensei-frontend.phpfile, always returned false (thus, the$returnvariable was always being set to the home url value). Thewp_get_referer()function checks that the http referer is different than the request uri, and in the register process case, they are the same since the form action calls itself.Testing instructions: