When entering a custom "SAML Link Message" text and saving, the page will reload with the value prefixed with "http://". The issue is that the plugin escapes the value using the esc_url() function instead of esc_attr(). The value itself is not a URL, but regular text.
L372 is the line in question: https://github.com/onelogin/wordpress-saml/blob/050a9e952369235c1da0702a2829231e836e52c2/onelogin-saml-sso/php/configuration.php#L370-L374
WordPress version: 4.9.4