Fix nonce double escaping
defunctl committed Nov 14, 2023
1 parent eef8106 commit f57fb87
Showing 2 changed files with 4 additions and 5 deletions.
6 changes: 3 additions & 3 deletions src/Uplink/Auth/Nonce.php
@@ -62,14 +62,14 @@ public function create(): string {
/**
* Attach a nonce to a URL.
*
* @note Unlike WordPress' function, you should escape this manually.
*
* @param string $url The existing URL to attach the nonce to.
*
* @return string
*/
public function create_url( string $url ): string {
$url = str_replace( '&', '&', $url );

return esc_html( add_query_arg( '_uplink_nonce', $this->create(), $url ) );
return add_query_arg( '_uplink_nonce', $this->create(), $url );
}

/**
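Review bot: The new `@note` on `create_url()` tells callers to escape the result "manually" but does not say with what, and with the `esc_html()` return apparently dropped (the page has lost its +/- markers, but the commit title points that way) the method now returns a raw URL built from caller-supplied `$url`. A call site that still prints the value directly would put unescaped query-string content into markup, so the contract should name the functions: `@note Unlike wp_nonce_url(), the return value is not escaped; use esc_url() when printing it and esc_url_raw() for redirects or storage.` No callers are visible in this commit, so each existing use of `create_url()` should be checked for escaping at the point of output.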
3 changes: 1 addition & 2 deletions tests/wpunit/Auth/NonceTest.php
@@ -54,8 +54,7 @@ public function test_it_creates_a_nonce_url(): void {
public function test_it_creates_a_nonce_url_with_extra_query_arguments(): void {
$url = 'http://wordpress.test/wp-admin/post.php?post=1&action=edit';

// URL is escaped, reverse that.
$nonce_url = html_entity_decode( $this->nonce->create_url( $url ) );
$nonce_url = $this->nonce->create_url( $url );

$this->assertStringStartsWith(
'http://wordpress.test/wp-admin/post.php?post=1&action=edit&_uplink_nonce=',