From cf871405e4e2cff1b73aaabf687f14db52678263 Mon Sep 17 00:00:00 2001 From: Irshad Ahmad Date: Sat, 26 Oct 2024 17:38:28 +0530 Subject: [PATCH] Fix Telegram login redirect for Mini Apps --- .changeset/sour-papayas-perform.md | 5 ++++ .../src/includes/AssetManager.php | 24 +++++++++---------- 2 files changed, 17 insertions(+), 12 deletions(-) create mode 100644 .changeset/sour-papayas-perform.md diff --git a/.changeset/sour-papayas-perform.md b/.changeset/sour-papayas-perform.md new file mode 100644 index 00000000..6c74c628 --- /dev/null +++ b/.changeset/sour-papayas-perform.md @@ -0,0 +1,5 @@ +--- +"wptelegram-login": patch +--- + +Fixed Telegram login redirect for Mini Apps diff --git a/plugins/wptelegram-login/src/includes/AssetManager.php b/plugins/wptelegram-login/src/includes/AssetManager.php index b0fd7714..d705f3a8 100644 --- a/plugins/wptelegram-login/src/includes/AssetManager.php +++ b/plugins/wptelegram-login/src/includes/AssetManager.php @@ -236,7 +236,7 @@ public function get_inline_script_data( string $for ) { $query_params = $this->get_webapp_login_params(); - $redirect_to = esc_url( $query_params['redirect_to'] ); + $redirect_to = rawurlencode( $query_params['redirect_to'] ); $confirm_login = (bool) $query_params['confirm_login']; $is_user_logged_in = is_user_logged_in(); $login_auth_url = add_query_arg( @@ -439,6 +439,12 @@ public function login_enqueue_scripts() { */ private function get_webapp_login_params() { + $defaults = [ + 'action' => '', + 'confirm_login' => '1', + 'redirect_to' => '', + ]; + // Using $_SERVER['QUERY_STRING'] to avoid a bug in Telegram Mini Apps which pass HTML/URL encoded query string ¯\_(ツ)_/¯. $query_string = ! empty( $_SERVER['QUERY_STRING'] ) 
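Review bot: Replacing `esc_url()` with `rawurlencode()` on `$redirect_to` in `get_inline_script_data()` removes the only URL check visible on this value. `esc_url()` rejected disallowed schemes, whereas `rawurlencode()` only makes the string safe to embed as a query component. Unless the handler that later decodes `redirect_to` already restricts it, a destination supplied by the caller through `$_SERVER['QUERY_STRING']` reaches the redirect unchecked. Validating before encoding, e.g. `$redirect_to = rawurlencode( wp_validate_redirect( $query_params['redirect_to'], '' ) );`, would keep it on allowed hosts. The function starts and ends outside the hunk, so how `$redirect_to` is used after `add_query_arg(` cannot be confirmed from here.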
@@ -447,19 +453,13 @@ private function get_webapp_login_params() { : ''; $query_string = html_entity_decode( - sanitize_text_field( - str_replace( [ '&%3B', '&' ], '&', $query_string ) - ) + str_replace( [ '&%3B', '&' ], '&', $query_string ) ); - return wp_parse_args( - $query_string, - [ - 'action' => '', - 'confirm_login' => '1', - 'redirect_to' => '', - ] - ); + $args = wp_parse_args( $query_string, $defaults ); + + // Sanitize each value. + return array_map( 'sanitize_text_field', $args ); } /**
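Review bot: `array_map( 'sanitize_text_field', $args )` treats `redirect_to` as plain text, which does not suit a URL. `sanitize_text_field()` strips percent-encoded octets and tags, so it can silently alter a legitimate target, and it does nothing to constrain scheme or host. I would take `redirect_to` out of the generic map and clean it with a URL-aware function such as `esc_url_raw()`, after an `is_string()` check because `wp_parse_args()` can yield arrays for `key[]=` input. The returned array also carries every key present in the query string, not only the three in `$defaults`; `return array_map( 'sanitize_text_field', array_intersect_key( $args, $defaults ) );` would limit it to the expected ones.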