[wp-trac] [WordPress Trac] #63376: Enhancement: wp_login_form() $redirect params default value fetching update
WordPress Trac
noreply at wordpress.org
Thu May 1 05:59:53 UTC 2025
#63376: Enhancement: wp_login_form() $redirect params default value fetching update
------------------------------------+-----------------------------
 Reporter:  sh4lin                  |      Owner:  (none)
     Type:  enhancement             |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:  trunk
 Severity:  normal                  |   Keywords:
  Focuses:                          |
------------------------------------+-----------------------------
Our current method for retrieving the current URL is as follows:
`$current_url = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];`
- https://github.com/WordPress/gutenberg/blob/trunk/packages/block-library/src/loginout/index.php#L20C2-L20C105
This approach relies on `is_ssl()` and `$_SERVER['HTTP_HOST']`, and it
accesses `$_SERVER['HTTP_HOST']` without checking if it is set. It also
lacks proper usage of sanitization.
## What is your proposed solution?
Why rely on `$_SERVER['HTTP_HOST']` and `is_ssl()` when we can construct
the URL directly using:
`home_url( wp_unslash( sanitize_url( $_SERVER['REQUEST_URI'] ) ) )`
This provides a more secure and WordPress-native approach.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63376>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
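
The two ways of building the current URL discussed in this ticket, side by side, as an added example that is not part of the ticket or of WordPress/Gutenberg code. It is plain PHP with no WordPress loaded: `HOME_URL`, `url_from_request()` and `url_from_config()` are hypothetical names, the HTTPS check is a simplified stand-in for `is_ssl()`, and the `$_SERVER` arrays are constructed samples.

```php
<?php
// Added illustration; plain PHP, no WordPress loaded.
// HOME_URL is a constructed stand-in for the site address stored in the
// site's configuration (what home_url() is based on in WordPress).
const HOME_URL = 'https://example.org';

/** Pattern quoted in the ticket: scheme and host are taken from the request. */
function url_from_request(array $server): ?string {
    if (!isset($server['HTTP_HOST'], $server['REQUEST_URI'])) {
        return null; // the quoted one-liner has no such check
    }
    // Simplified stand-in for is_ssl().
    $https  = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    return ($https ? 'https://' : 'http://') . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

/** Alternative in the spirit of the proposal: host comes from configuration only. */
function url_from_config(array $server, string $home = HOME_URL): string {
    $uri = (string) ($server['REQUEST_URI'] ?? '/');
    // Strip control characters (CR/LF, NUL, ...) before the value is reused.
    $uri = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $uri);
    // Accept only an origin-relative path: it must start with a single "/".
    // "//host" and "/\host" are read by browsers as a different origin.
    $second = $uri[1] ?? '';
    if ($uri === '' || $uri[0] !== '/' || $second === '/' || $second === '\\') {
        $uri = '/';
    }
    return rtrim($home, '/') . $uri;
}

// Constructed sample requests.
$requests = [
    'normal'       => ['HTTPS' => 'on', 'HTTP_HOST' => 'example.org', 'REQUEST_URI' => '/blog/?p=1'],
    'foreign host' => ['HTTPS' => 'on', 'HTTP_HOST' => 'other.test',  'REQUEST_URI' => '/blog/?p=1'],
    'no Host'      => ['REQUEST_URI' => '/blog/?p=1'],
    'odd URI'      => ['HTTP_HOST' => 'example.org', 'REQUEST_URI' => "//other.test/x\r\n"],
];

foreach ($requests as $label => $server) {
    printf("%-13s request-derived: %s\n", $label, var_export(url_from_request($server), true));
    printf("%-13s config-derived:  %s\n", $label, url_from_config($server));
}
```

The request-derived URL follows whatever `Host` value the client sent, while the config-derived URL always keeps the configured origin and only carries over a validated path and query.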