Fix the messed up query params passed by Telegram Mini Apps (#184)

wpsocio · Oct 19, 2024 · 97ad3cd · 97ad3cd
1 parent df5b9fa
commit 97ad3cd
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/.changeset/wild-squids-lick.md b/.changeset/wild-squids-lick.md
@@ -0,0 +1,5 @@
+---
+"wptelegram-login": patch
+---
+
+Fixed the messed up query params passed by Telegram Mini Apps
diff --git a/plugins/wptelegram-login/src/includes/AssetManager.php b/plugins/wptelegram-login/src/includes/AssetManager.php
@@ -240,11 +240,13 @@ public function get_inline_script_data( string $for ) {
 			$confirm_login     = (bool) $query_params['confirm_login'];
 			$is_user_logged_in = is_user_logged_in();
 			$login_auth_url    = add_query_arg(
-				[
-					'action'      => 'wptelegram_login',
-					'source'      => 'WebAppData',
-					'redirect_to' => $redirect_to,
-				],
+				array_filter(
+					[
+						'action'      => 'wptelegram_login',
+						'source'      => 'WebAppData',
+						'redirect_to' => $redirect_to,
+					]
+				),
 				site_url()
 			);
 
@@ -437,11 +439,17 @@ public function login_enqueue_scripts() {
 	 */
 	private function get_webapp_login_params() {
 
-		// Using $_SERVER['QUERY_STRING'] to avoid a bug in Telegram Mini Apps which pass HTML encoded query string.
+		// Using $_SERVER['QUERY_STRING'] to avoid a bug in Telegram Mini Apps which pass HTML/URL encoded query string ¯\_(ツ)_/¯.
+
 		$query_string = ! empty( $_SERVER['QUERY_STRING'] )
-			? html_entity_decode( sanitize_text_field( wp_unslash( $_SERVER['QUERY_STRING'] ) ) )
+			// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- We are sanitizing the input below.
+			? wp_unslash( $_SERVER['QUERY_STRING'] )
 			: '';
 
+		$query_string = sanitize_text_field(
+			str_replace( [ '&amp%3B', '&amp;' ], '&', $query_string )
+		);
+
 		return wp_parse_args(
 			$query_string,
 			[