3.8.2 Security Release (#284)

* Feature/travis ci to GitHub actions (#282) * Updates Composer/NPM Dependencies & Adds New GitHub Actions * Moves All CI/CI Functionality to GitHub Actions - Updates Composer & NPM dependencies to newer versions. - Updates default development environment WordPress version to 5.6.x. - Fixes missing updated to the language POT file. - Moves to using a GitHub Release for WordPress.org deployment. - Removes TravisCI configuration. * Fixes Login Page XSS Issue (#283) - Adds escaping to the errot output message. - Adds escaping to the login button output. * Patch Version Bump & Changelog Updates for Release
4 years ago · 14dbc06203
parent 3a300e92bb
commit 14dbc06203
21 changed files with 4054 additions and 3423 deletions
--- a/.github/workflows/i18n.yml
+++ b/.github/workflows/i18n.yml
@ -0,0 +1,49 @@
 name: Internationalization
 on:
  pull_request:
  push:
    branches:
      - dev
      - main
      - 'release/**'
      - 'feature/**'
      - 'fix/**'
 env:
  WP_MULTISITE: 0
 jobs:
  check:
    name: Setup & Check
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v2
    - name: Setup Node Environment
      uses: actions/setup-node@v1
      # https://github.com/marketplace/actions/setup-node-js-environment
      with:
        node-version: 12.x
    - name: Cache node modules
      uses: actions/cache@v2
      env:
        npm-cache-name: cache-node-modules
      with:
        # npm cache files are stored in `~/.npm` on Linux/macOS
        path: ~/.npm
        key: ${{ runner.os }}-build-${{ env.npm-cache-name }}-${{ hashFiles('**/package-lock.json') }}
        restore-keys: |
          ${{ runner.os }}-build-${{ env.npm-cache-name }}-
          ${{ runner.os }}-build-
          ${{ runner.os }}-
    - name: NPM Install
      run: npm install
    - name: Check i18n Compliance
      run: npm run i18n:check
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@ -0,0 +1,50 @@
 name: Coding Standards
 on:
  pull_request:
  push:
    branches:
      - dev
      - main
      - 'release/**'
      - 'feature/**'
      - 'fix/**'
 env:
  PHP_VERSION: 7.3
  WP_MULTISITE: 0
 jobs:
  check:
    name: Setup & Check
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v2
    - name: Setup PHP Environment
      uses: shivammathur/setup-php@v2
      # https://github.com/marketplace/actions/setup-php-action
      with:
        php-version: ${{ env.PHP_VERSION }}
        tools: composer:v1
    - name: Cache Composer dependencies
      uses: actions/cache@v2
      env:
        composer-cache-name: cache-vendor
      with:
        path: ~/vendor
        key: ${{ runner.os }}-build-${{ env.composer-cache-name }}-${{ hashFiles('**/composer.lock') }}
        restore-keys: |
          ${{ runner.os }}-build-${{ env.composer-cache-name }}-
          ${{ runner.os }}-build-
          ${{ runner.os }}-
    - name: Install Composer Dependencies
      run: composer install
    - name: Check WordPress Coding Standards
      run: composer run-script lint
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -1,29 +0,0 @@
 name: Deploy to WordPress.org
 on:
  push:
    tags:
      - "*"
 jobs:
  tag:
    name: New tag
    if: github.repository == 'oidc-wp/openid-connect-generic'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
        # - name: Validate composer.json and composer.lock
        #   run: composer validate
        # - name: Install dependencies
        #   run: composer install --prefer-dist --no-progress --no-suggest --no-dev
      # - name: Build
      #   run: |
      #     npm install
      #     npm run build
      - name: WordPress Plugin Deploy
        uses: 10up/action-wordpress-plugin-deploy@1.4.0
        env:
          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
          SLUG: daggerhart-openid-connect-generic
--- a/.github/workflows/pr-unit-testing.yml
+++ b/.github/workflows/pr-unit-testing.yml
@ -0,0 +1,76 @@
 name: PR Unit Testing
 on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
  # Triggers the workflow on pull request events
  pull_request:
 env:
  PHP_PREF_MIN_VERSION: '7.3'
  WP_STABLE_VERSION: '5.6.*'
  WP_MULTISITE: 0
 jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - job-name: 'Latest Stable Requirements'
            bleeding-edge: false
            php-version: '7.3'
            wordpress-version: '5.6.*'
            wp-multisite-mode: 0
    name: '${{ matrix.job-name }} (PHP:${{ matrix.php-version }}/WP:${{ matrix.wordpress-version }})'
    steps:
    - name: Checkout Code
      uses: actions/checkout@v2
    - name: Setup PHP Environment
      uses: shivammathur/setup-php@v2
      # https://github.com/marketplace/actions/setup-php-action
      with:
        php-version: ${{ matrix.php-version }}
        tools: composer:v1
    - name: Setup Node Environment
      uses: actions/setup-node@v1
      # https://github.com/marketplace/actions/setup-node-js-environment
      with:
        node-version: 12.x
    - name: Cache Composer dependencies
      uses: actions/cache@v2
      env:
        composer-cache-name: cache-vendor
      with:
        path: ~/vendor
        key: ${{ runner.os }}-build-${{ env.composer-cache-name }}-${{ hashFiles('**/composer.lock') }}
        restore-keys: |
          ${{ runner.os }}-build-${{ env.composer-cache-name }}-
          ${{ runner.os }}-build-
          ${{ runner.os }}-
    - name: Require Specified WordPress Version
      run: composer require wordpress/wordpress:${{ matrix.wordpress-version }} --dev --prefer-source --update-with-all-dependencies
    - name: Update Composer Lockfile for Specified WordPress Version
      run: composer update wordpress/wordpress:${{ matrix.wordpress-version }} --lock --prefer-source
    - name: PHPUnit PHP 7.4 Support
      if: matrix.php-version == '7.4'
      run: |
        composer global require phpunit/php-code-coverage=dev-master
        composer global require sebastian/global-state:dev-master
        composer global require phpunit/phpunit=dev-master
    - name: NPM Setup
      run: npm install
    - name: Unit Tests
      run: npm run test
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,54 @@
 name: Prepare & Deploy a Release
 on:
  release:
    types: [published]
 env:
  WP_MULTISITE: 0
 jobs:
  release:
    name: New Release
    if: github.repository == 'oidc-wp/openid-connect-generic'
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v2
    - name: Setup Node Environment
      uses: actions/setup-node@v1
      # https://github.com/marketplace/actions/setup-node-js-environment
      with:
        node-version: 12.x
    - name: Cache Node Modules
      uses: actions/cache@v2
      env:
        npm-cache-name: cache-node-modules
      with:
        # npm cache files are stored in `~/.npm` on Linux/macOS
        path: ~/.npm
        key: ${{ runner.os }}-build-${{ env.npm-cache-name }}-${{ hashFiles('**/package-lock.json') }}
        restore-keys: |
          ${{ runner.os }}-build-${{ env.npm-cache-name }}-
          ${{ runner.os }}-build-
          ${{ runner.os }}-
    - name: NPM Install
      run: npm install
    - name: Prepare a WordPress.org Release
      run: npm run release
    - name: WordPress.org Plugin Deploy
      uses: nk-o/action-wordpress-plugin-deploy@master
      # https://github.com/marketplace/actions/wordpress-plugin-deploy
      env:
        SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
        SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
        SOURCE_DIR: dist/
        SLUG: daggerhart-openid-connect-generic
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@ -0,0 +1,55 @@
 name: Static Code Analysis
 on:
  pull_request:
  push:
    branches:
      - dev
      - main
      - 'release/**'
      - 'feature/**'
      - 'fix/**'
 env:
  PHP_VERSION: 7.3
  WP_MODE: 'single'
  WP_MULTISITE: 0
  WP_VERSION: '5.6.*'
 jobs:
  check:
    name: Setup & Check
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v2
    - name: Setup PHP Environment
      uses: shivammathur/setup-php@v2
      # https://github.com/marketplace/actions/setup-php-action
      with:
        php-version: ${{ env.PHP_VERSION }}
        tools: composer:v1
    - name: Cache Composer dependencies
      uses: actions/cache@v2
      env:
        composer-cache-name: cache-vendor
      with:
        path: ~/vendor
        key: ${{ runner.os }}-build-${{ env.composer-cache-name }}-${{ hashFiles('**/composer.lock') }}
        restore-keys: |
          ${{ runner.os }}-build-${{ env.composer-cache-name }}-
          ${{ runner.os }}-build-
          ${{ runner.os }}-
    - name: Require Specified WordPress Version
      run: composer require wordpress/wordpress:${{ env.WP_VERSION }} --dev --prefer-source --update-with-all-dependencies
    - name: Install Composer Dependencies
      run: composer install
    - name: Perform Static Analysis
      run: composer run-script analyze
--- a/.github/workflows/unit-testing.yml
+++ b/.github/workflows/unit-testing.yml
@ -0,0 +1,108 @@
 name: Unit Testing
 on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
  # Triggers the workflow on push events only for the matching branches
  push:
    branches:
      - dev
      - main
      - 'release/**'
      - 'feature/**'
      - 'fix/**'
 env:
  PHP_MIN_VERSION: '7.1'
  PHP_PREF_MIN_VERSION: '7.2'
  PHP_STABLE_VERSION: '7.4'
  WP_MIN_VERSION: '5.3.*'
  WP_PREF_MIN_VERSION: '5.4.*'
  WP_STABLE_VERSION: '5.6.*'
 jobs:
  test:
    runs-on: ubuntu-latest
    continue-on-error: ${{ matrix.bleeding-edge }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - job-name: 'Latest Stable Requirements'
            bleeding-edge: false
            php-version: '7.3'
            wordpress-version: '5.6.*'
            wp-multisite-mode: 0
          - job-name: 'Preferred Minimum Requirements'
            bleeding-edge: false
            php-version: '7.2'
            wordpress-version: '5.4.*'
            wp-multisite-mode: 0
          - job-name: 'Minimum Requirements'
            bleeding-edge: false
            php-version: '7.1'
            wordpress-version: '5.3.*'
            wp-multisite-mode: 0
          - job-name: 'Bleeding Edge Requirements'
            bleeding-edge: true
            php-version: '7.4'
            wordpress-version: 'dev-master'
            wp-multisite-mode: 0
          - job-name: 'Multisite Compatibility Requirements'
            bleeding-edge: false
            php-version: '7.3'
            wordpress-version: '5.6.*'
            wp-multisite-mode: 1
    name: '${{ matrix.job-name }} (PHP:${{ matrix.php-version }}/WP:${{ matrix.wordpress-version }})'
    steps:
    - name: Checkout Code
      uses: actions/checkout@v2
    - name: Setup PHP Environment
      uses: shivammathur/setup-php@v2
      # https://github.com/marketplace/actions/setup-php-action
      with:
        php-version: ${{ matrix.php-version }}
        tools: composer:v1
    - name: Setup Node Environment
      uses: actions/setup-node@v1
      # https://github.com/marketplace/actions/setup-node-js-environment
      with:
        node-version: 12.x
    - name: Cache Composer dependencies
      uses: actions/cache@v2
      env:
        composer-cache-name: cache-vendor
      with:
        path: ~/vendor
        key: ${{ runner.os }}-build-${{ env.composer-cache-name }}-${{ hashFiles('**/composer.lock') }}
        restore-keys: |
          ${{ runner.os }}-build-${{ env.composer-cache-name }}-
          ${{ runner.os }}-build-
          ${{ runner.os }}-
    - name: Require Specified WordPress Version
      run: composer require wordpress/wordpress:${{ matrix.wordpress-version }} --dev --prefer-source --update-with-all-dependencies
    - name: Update Composer Lockfile for Specified WordPress Version
      run: composer update wordpress/wordpress:${{ matrix.wordpress-version }} --lock --prefer-source
    - name: PHPUnit PHP 7.4 Support
      if: matrix.php-version == '7.4'
      run: |
        composer global require phpunit/php-code-coverage=dev-master
        composer global require sebastian/global-state:dev-master
        composer global require phpunit/phpunit=dev-master
    - name: NPM Setup
      run: npm install
    - name: Unit Tests
      env:
        WP_MULTISITE: ${{ matrix.wp-multisite-mode }}
      run: npm run test
--- a/.travis.yml
+++ b/.travis.yml
@ -1,132 +0,0 @@
 # Travis CI Configuration File
 # Tell Travis CI which distro to use
 dist: trusty
 sudo: false
 # Tell Travis CI we're using PHP
 language: php
 # Tell Travis CI which notifications to send
 notifications:
  email:
    on_success: never
    on_failure: change
 # whitelist branches for the "push" build check
 branches:
  only:
    - dev
    - main
    - /^dev\-release\/.*$/
    - /^feature\/.*$/
    - /^fix\/.*$/
 # Git clone depth
 # By default Travis CI clones repositories to a depth of 50 commits
 git:
  depth: 1
 cache:
  directories:
    - $HOME/.composer/cache
 # Define a matrix of additional build configurations
 # The versions listed above will automatically create our first configuration,
 # so it doesn't need to be re-defined below.
 matrix:
  fast_finish: true
  include:
    - name: Internationalization
      php: 7.3
      env: WP_MODE=single WP_VERSION=5.6.* I18N=1
    - name: Coding Standards
      php: 7.3
      env: WP_MODE=single WP_VERSION=5.6.* PHP_LINT=1 COVERAGE=1
    - name: Static Code Analysis
      php: 7.3
      env: WP_MODE=single WP_VERSION=5.6.* PHP_ANALYZE=1
    - name: Latest Stable
      php: 7.3
      env: WP_MODE=single WP_VERSION=5.6.* PHP_UNIT=1
    - name: Preferred Minimum requirements
      if: (branch IN (dev, main) OR branch =~ /^dev\-release\/.*$/) AND NOT type = pull_request
      php: 7.2
      env: WP_MODE=single WP_VERSION=5.4.* PHP_UNIT=1
    - name: Minimum requirements
      if: (branch IN (dev, main) OR branch =~ /^dev\-release\/.*$/) AND NOT type = pull_request
      php: 7.1
      env: WP_MODE=single WP_VERSION=5.3.* PHP_UNIT=1
    - name: Bleeding Edge
      if: (branch IN (dev, main) OR branch =~ /^dev\-release\/.*$/) AND NOT type = pull_request
      php: 7.4
      env: WP_MODE=single WP_VERSION=dev-master PHP_UNIT=1
    - name: Multisite Compatibility
      if: (branch IN (dev, main) OR branch =~ /^dev\-release\/.*$/) AND NOT type = pull_request
      php: 7.3
      env: WP_MODE=multi WP_VERSION=5.6.* PHP_UNIT=1
  allow_failures:
    - name: Bleeding Edge
 addons:
  apt:
    packages:
      - nodejs
 # We need to make sure we stick with Composer 1.x for compatibility.
 before_install:
  - npm install -g npm@6.14
  - npm install -g grunt-cli
  - composer self-update --1
  - composer require "wordpress/wordpress:${WP_VERSION}" --dev --prefer-source --no-update
 install:
  - composer update "wordpress/wordpress" --prefer-source --no-interaction --optimize-autoloader
  - composer install
  - npm install
 before_script:
  - export PATH="$HOME/.composer/vendor/bin:$PATH"
  # Setup WordPress coding standards
  - |
    if [[ "$PHP_LINT" == "1" ]]; then
      composer global require wp-coding-standards/wpcs
    fi
  # Setup unit testing environment
  - |
    if [[ "$PHP_UNIT" == "1" ]]; then
      # bash scripts/install-wp-tests.sh wordpress_test root '' localhost $WP_VERSION
      if [[ $TRAVIS_PHP_VERSION == "7.4" ]]; then
        composer global require "phpunit/php-code-coverage=dev-master"
        composer global require "sebastian/global-state:dev-master"
        composer global require "phpunit/phpunit=dev-master"
      else
        composer global require "phpunit/phpunit=7.*"
      fi
    fi
 script:
  - |
    if [[ "$I18N" == "1" ]]; then
      if [[ "$WP_MODE" == "single" ]]; then WP_MULTISITE=0 npm run i18n:check; fi
    fi
  - |
    if [[ "$PHP_LINT" == "1" ]]; then
      if [[ "$WP_MODE" == "single" ]]; then WP_MULTISITE=0 npm run lint; fi
    fi
  - |
    if [[ "$PHP_ANALYZE" == "1" ]]; then
      if [[ "$WP_MODE" == "single" ]]; then WP_MULTISITE=0 npm run analyze; fi
    fi
  - |
    if [[ "$PHP_UNIT" == "1" ]]; then
      if [[ "$WP_MODE" == "multi" ]]; then WP_MULTISITE=1 npm run test; fi
      if [[ "$WP_MODE" == "single" ]]; then WP_MULTISITE=0 npm run test; fi
    fi
 after_success:
  - |
    if [[ "$COVERAGE" == "1" ]]; then
      bash <(curl -s https://codecov.io/bash)
    fi
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,9 @@
 # OpenId Connect Generic Changelog
 3.8.2
 * Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
 3.8.1
 * Fix: @timnolte - Prevent SSO redirect on password protected posts.
--- a/Gruntfile.js
+++ b/Gruntfile.js
@ -46,8 +46,7 @@ module.exports = function (grunt) {
 		},
 		clean: {
-			main: ['dist'], //Clean up build folder
+			main: ['dist'] //Clean up build folder
 			i18n: ['languages/*.mo', 'languages/*.pot']
 		},
 		copy: {
@ -57,15 +56,17 @@ module.exports = function (grunt) {
 					'**',
 					'!*.xml', '!*.log', //any config/log files
 					'!node_modules/**', '!Gruntfile.js', '!package.json', '!package-lock.json', //npm/Grunt
-					'!assets/**', //wp-org assets
+					'!.wordpress-org/**', //wp-org assets
 					'!dist/**', //build directory
 					'!.git/**', //version control
 					'!.github/**', //GitHub platform files
 					'!tests/**', '!scripts/**', '!phpunit.xml', '!phpunit.xml.dist', //unit testing
 					'!vendor/**', '!composer.lock', '!composer.phar', '!composer.json', //composer
 					'!wordpress/**',
 					'!.*', '!**/*~', //hidden files
 					'!CONTRIBUTING.md',
 					'!README.md',
 					'!HOWTO.md',
 					'!phpcs.xml', '!phpcs.xml.dist', '!phpstan.neon.dist', '!grumphp.yml.dist', // CodeSniffer Configuration.
 					'!docker-compose.override.yml', // Local Docker Development configuration.
 					'!codecov.yml', // Code coverage configuration.
@ -74,16 +75,6 @@ module.exports = function (grunt) {
 				dest: 'dist/',
 				options: {
 					processContentExclude: ['**/*.{png,gif,jpg,ico,mo}'],
 					processContent: function (content, srcpath) {
 						if (srcpath == 'readme.txt' || srcpath == 'openid-connect-generic.php') {
 							if (grunt.config.get('gitinfo').local.tag.current.name !== 'undefined') {
 								content = content.replace('{{version}}', grunt.config.get('gitinfo').local.tag.current.name);
 							} else {
 								content = content.replace('{{version}}', grunt.config.get('gitinfo').local.tag.current.nameLong);
 							}
 						}
 						return content;
 					},
 				},
 			}
 		},
@ -114,9 +105,10 @@ module.exports = function (grunt) {
 					domainPath: '/languages',         // Where to save the POT file.
 					exclude: [
 						'node_modules/.*',				//npm
-						'assets/.*', 							//wp-org assets
+						'.wordpress-org/.*', 			//wp-org assets
 						'dist/.*', 								//build directory
 						'.git/.*', 								//version control
 						'.github/.*',							//GitHub platform
 						'tests/.*', 'scripts/.*',	//unit testing
 						'vendor/.*', 							//composer
 						'wordpress/.*',
@ -145,7 +137,9 @@ module.exports = function (grunt) {
 		checkrepo: {
 			deploy: {
 				tagged: true, // Check that the last commit (HEAD) is tagged
-				clean: true // Check that working directory is clean
+				tag: {
 					eq: '<%= pkg.version %>' // Check if highest repo tag is equal to pkg.version
 				}
 			}
 		},
@ -214,10 +208,9 @@ module.exports = function (grunt) {
 	grunt.registerTask('phpunit', ['shell:phpunit']);
 	grunt.registerTask('i18n', ['addtextdomain', 'makepot', 'po2mo']);
 	grunt.registerTask('readme', ['wp_readme_to_markdown']);
-	grunt.registerTask('test', ['checktextdomain']);
+	grunt.registerTask('test', ['checktextdomain', 'phpcs']);
-	grunt.registerTask('build', ['gitinfo', 'test', 'clean', 'i18n', 'readme', 'copy']);
+	grunt.registerTask('build', ['gitinfo', 'test', 'i18n', 'readme']);
-	//grunt.registerTask( 'deploy', [ 'checkbranch:master', 'checkrepo', 'build' ] );
+	grunt.registerTask('release', ['checkbranch:HEAD', 'checkrepo', 'gitinfo', 'checktextdomain', 'clean', 'copy']);
 	grunt.registerTask('deploy', ['checkrepo', 'build']);
 };
--- a/readme.md
+++ b/readme.md
--- a/README.md
+++ b/README.md
@ -0,0 +1,201 @@
 # OpenID Connect Generic Client #
 **Contributors:** [daggerhart](https://profiles.wordpress.org/daggerhart), [tnolte](https://profiles.wordpress.org/tnolte)  
 **Donate link:** http://www.daggerhart.com/  
 **Tags:** security, login, oauth2, openidconnect, apps, authentication, autologin, sso  
 **Requires at least:** 4.9  
 **Tested up to:** 5.6  
 **Stable tag:** 3.8.2  
 **Requires PHP:** 7.1  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
 A simple client that provides SSO or opt-in authentication against a generic OAuth2 Server implementation.
 ## Description ##
 This plugin allows to authenticate users against OpenID Connect OAuth2 API with Authorization Code Flow.
 Once installed, it can be configured to automatically authenticate users (SSO), or provide a "Login with OpenID Connect"
 button on the login form. After consent has been obtained, an existing user is automatically logged into WordPress, while
 new users are created in WordPress database.
 Much of the documentation can be found on the Settings > OpenID Connect Generic dashboard page.
 Please submit issues to the Github repo: https://github.com/daggerhart/openid-connect-generic
 ## Installation ##
 1. Upload to the `/wp-content/plugins/` directory
 1. Activate the plugin
 1. Visit Settings > OpenID Connect and configure to meet your needs
 ## Frequently Asked Questions ##
 ### What is the client's Redirect URI? ###
 Most OAuth2 servers will require whitelisting a set of redirect URIs for security purposes. The Redirect URI provided
 by this client is like so:  https://example.com/wp-admin/admin-ajax.php?action=openid-connect-authorize
 Replace `example.com` with your domain name and path to WordPress.
 ### Can I change the client's Redirect URI? ###
 Some OAuth2 servers do not allow for a client redirect URI to contain a query string. The default URI provided by
 this module leverages WordPress's `admin-ajax.php` endpoint as an easy way to provide a route that does not include
 HTML, but this will naturally involve a query string. Fortunately, this plugin provides a setting that will make use of
 an alternate redirect URI that does not include a query string.
 On the settings page for this plugin (Dashboard > Settings > OpenID Connect Generic) there is a checkbox for
 **Alternate Redirect URI**. When checked, the plugin will use the Redirect URI
 `https://example.com/openid-connect-authorize`.
 ## Changelog ##
 ### 3.8.2 ###
 * Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
 ### 3.8.1 ###
 * Fix: @timnolte - Prevent SSO redirect on password protected posts.
 * Fix: @timnolte - CI/CD build issues.
 * Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.
 ### 3.8.0 ###
 * Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.
 * Improvement: @timnolte - Plugin development & contribution updates.
 * Improvement: @timnolte - Refactored to meet WordPress coding standards.
 * Improvement: @timnolte - Refactored to provide localization.
 ### 3.7.1 ###
 * Fix: Release Version Number.
 ### 3.7.0 ###
 * Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
 * Feature: @timnolte - Support custom redirect URL(`redirect_to`) with the authentication URL & login button shortcodes.
  - Supports additional attribute overrides including login `button_text`, `endpoint_login`, `scope`, `redirect_uri`.
 ### 3.6.0 ###
 * Improvement: @RobjS - Improved error messages during login state failure.
 * Improvement: @RobjS - New developer filter for login form button URL.
 * Fix: @cs1m0n - Only increment username during new user creation if the "Link existing user" setting is enabled.
 * Fix: @xRy-42 - Allow periods and spaces in usernames to match what WordPress core allows.
 * Feature: @benochen - New setting named "Create user if does not exist" determines whether new users are created during login attempts.
 * Improvement: @flat235 - Username transliteration and normalization.
 ### 3.5.1 ###
 * Fix: @daggerhart - New approach to state management using transients.
 ### 3.5.0 ###
 * Readme fix: @thijskh - Fix syntax error in example openid-connect-generic-login-button-text
 * Feature: @slavicd - Allow override of the plugin by posting credentials to wp-login.php
 * Feature: @gassan - New action on use login
 * Fix: @daggerhart - Avoid double question marks in auth url query string
 * Fix: @drzraf - wp-cli bootstrap must not inhibit custom rewrite rules
 * Syntax change: @mullikine - Change PHP keywords to comply with PSR2
 ### 3.4.1 ###
 * Minor documentation update and additional error checking.
 ### 3.4.0 ###
 * Feature: @drzraf - New filter hook: ability to filter claim and derived user data before user creation.
 * Feature: @anttileppa - State time limit can now be changed on the settings page.
 * Fix: @drzraf - Fix PHP notice when using traditional login, $token_response may be empty.
 * Fix: @drzraf - Fixed a notice when cookie does not contain expected redirect_url
 ### 3.3.1 ###
 * Prefixing classes for more efficient autoloading.
 * Avoid altering global wp_remote_post() parameters.
 * Minor metadata updates for wp.org
 ### 3.3.0 ###
 * Fix: @pjeby - Handle multiple user sessions better by using the `WP_Session_Tokens` object. Predecessor to fixes for multiple other issues: #49, #50, #51
 ### 3.2.1 ###
 * Bug fix: @svenvanhal - Exit after issuing redirect. Fixes #46
 ### 3.2.0 ###
 * Feature: @robbiepaul - trigger core action `wp_login` when user is logged in through this plugin
 * Feature: @moriyoshi - Determine the WP_User display name with replacement tokens on the settings page. Tokens can be any property of the user_claim.
 * Feature: New setting to set redirect URL when session expires.
 * Feature: @robbiepaul - New filter for modifying authentication URL
 * Fix: @cedrox - Adding id_token_hint to logout URL according to spec
 * Bug fix: Provide port to the request header when requesting the user_claim
 ### 3.1.0 ###
 * Feature: @rwasef1830 - Refresh tokens
 * Feature: @rwasef1830 - Integrated logout support with end_session endpoint
 * Feature: May use an alternate redirect_uri that doesn't rely on admin-ajax
 * Feature: @ahatherly - Support for IDP behind reverse proxy
 * Bug fix: @robertstaddon - case insensitive check for Bearer token
 * Bug fix: @rwasef1830 - "redirect to origin when auto-sso" cookie issue
 * Bug fix: @rwasef1830 - PHP Warnings headers already sent due to attempts to redirect and set cookies during login form message
 * Bug fix: @rwasef1830 - expire session when access_token expires if no refresh token found
 * UX fix: @rwasef1830 - Show login button on error redirect when using auto-sso
 ### 3.0.8 ###
 * Feature: @wgengarelly - Added `openid-connect-generic-update-user-using-current-claim` action hook allowing other plugins/themes
  to take action using the fresh claims received when an existing user logs in.
 ### 3.0.7 ###
 * Bug fix: @wgengarelly - When requesting userinfo, send the access token using the Authorization header field as recommended in
 section 5.3.1 of the specs.
 ### 3.0.6 ###
 * Bug fix: @robertstaddon - If "Link Existing Users" is enabled, allow users who login with OpenID Connect to also log in with WordPress credentials
 ### 3.0.5 ###
 * Feature: @robertstaddon - Added `[openid_connect_generic_login_button]` shortcode to allow the login button to be placed anywhere
 * Feature: @robertstaddon - Added setting to "Redirect Back to Origin Page" after a successful login instead of redirecting to the home page.
 ### 3.0.4 ###
 * Feature: @robertstaddon - Added setting to allow linking existing WordPress user accounts with newly-authenticated OpenID Connect login
 ### 3.0.3 ###
 * Using WordPresss's is_ssl() for setcookie()'s "secure" parameter
 * Bug fix: Incrementing username in case of collision.
 * Bug fix: Wrong error sent when missing token body
 ### 3.0.2 ###
 * Added http_request_timeout setting
 ### 3.0.1 ###
 * Finalizing 3.0.x api
 ### 3.0 ###
 * Complete rewrite to separate concerns
 * Changed settings keys for clarity (requires updating settings if upgrading from another version)
 * Error logging
 ### 2.1 ###
 * Working my way closer to spec. Possible breaking change.  Now checking for preferred_username as priority.
 * New username determination to avoid collisions
 ### 2.0 ###
 Complete rewrite
--- a/composer.json
+++ b/composer.json
@ -50,10 +50,10 @@
 		"phpstan/phpstan": "*",
 		"phpstan/extension-installer": "^1.0",
 		"szepeviktor/phpstan-wordpress": "*",
 		"php-stubs/wordpress-stubs": "~5.4.2",
 		"roave/security-advisories": "dev-master",
 		"mnsami/composer-custom-directory-installer": "~1.0",
-		"wordpress/wordpress": "~5.4.2",
+		"wordpress/wordpress": "~5.6.0",
 		"php-stubs/wordpress-stubs": "~5.6.0",
 		"dealerdirect/phpcodesniffer-composer-installer": "~0.6",
 		"brain/monkey": "^2.4",
 		"mockery/mockery": "^1.3",
@ -89,7 +89,10 @@
 		],
 		"phpcs": "vendor/bin/phpcs",
 		"phpcbf": "vendor/bin/phpcbf",
-		"phpstan": "\"vendor/bin/phpstan\""
+		"phpstan": "vendor/bin/phpstan",
 		"lint": "vendor/bin/phpcs --report=full .",
 		"lint-fix": "vendor/bin/phpcbf .",
 		"analyze": "vendor/bin/phpstan analyze ."
 	},
 	"extra": {
 		"installer-paths": {
--- a/composer.lock
+++ b/composer.lock
--- a/grumphp.yml.dist
+++ b/grumphp.yml.dist
@ -49,4 +49,3 @@ grumphp:
        - '/^assets\/(.*)/'
      memory_limit: '-1'
      triggered_by: [php]
    securitychecker: ~
--- a/includes/openid-connect-generic-login-form.php
+++ b/includes/openid-connect-generic-login-form.php
@ -132,7 +132,8 @@ class OpenID_Connect_Generic_Login_Form {
 	function handle_login_page( $message ) {
 		if ( isset( $_GET['login-error'] ) ) {
-			$message .= $this->make_error_output( $_GET['login-error'], $_GET['message'] );
+			$error_message = ! empty( $_GET['message'] ) ? $_GET['message'] : 'Unknown error.';
 			$message .= $this->make_error_output( $_GET['login-error'], $error_message );
 		}
 		// Login button is appended to existing messages in case of error.
@ -158,7 +159,7 @@ class OpenID_Connect_Generic_Login_Form {
 			<?php print esc_html( $error_message ); ?>
 		</div>
 		<?php
-		return ob_get_clean();
+		return wp_kses_post( ob_get_clean() );
 	}
 	/**
@ -184,7 +185,7 @@ class OpenID_Connect_Generic_Login_Form {
 			<a class="button button-large" href="<?php print esc_url( $href ); ?>"><?php print $text; ?></a>
 		</div>
 		<?php
-		return ob_get_clean();
+		return wp_kses_post( ob_get_clean() );
 	}
 	/**
--- a/languages/openid-connect-generic.pot
+++ b/languages/openid-connect-generic.pot
@ -1,15 +1,15 @@
-# Copyright (C) 2020 daggerhart
+# Copyright (C) 2021 daggerhart
 # This file is distributed under the GPL-2.0+.
 msgid ""
 msgstr ""
-"Project-Id-Version: OpenID Connect Generic 3.7.1\n"
+"Project-Id-Version: OpenID Connect Generic 3.8.2\n"
 "Report-Msgid-Bugs-To: "
 "https://github.com/daggerhart/openid-connect-generic/issues\n"
-"POT-Creation-Date: 2020-08-29 04:30:04+00:00\n"
+"POT-Creation-Date: 2021-03-24 13:50:19+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2020-MO-DA HO:MI+ZONE\n"
+"PO-Revision-Date: 2021-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: en\n"
@ -29,43 +29,43 @@ msgstr ""
 msgid "Session expired. Please login again."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:432
+#: includes/openid-connect-generic-client-wrapper.php:433
 msgid "User identity is not linked to an existing WordPress user."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:478
+#: includes/openid-connect-generic-client-wrapper.php:479
 msgid "Invalid user."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:597
+#: includes/openid-connect-generic-client-wrapper.php:598
 msgid "No appropriate username found."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:604
+#: includes/openid-connect-generic-client-wrapper.php:605
 msgid "Username %1$s could not be transliterated."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:608
+#: includes/openid-connect-generic-client-wrapper.php:609
 msgid "Username %1$s could not be normalized."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:641
+#: includes/openid-connect-generic-client-wrapper.php:642
 msgid "No nickname found in user claim using key: %1$s."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:668
+#: includes/openid-connect-generic-client-wrapper.php:669
 msgid "User claim incomplete."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:770
+#: includes/openid-connect-generic-client-wrapper.php:771
 msgid "Bad user claim result."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:825
+#: includes/openid-connect-generic-client-wrapper.php:826
 msgid "Can not authorize."
 msgstr ""
-#: includes/openid-connect-generic-client-wrapper.php:844
+#: includes/openid-connect-generic-client-wrapper.php:845
 msgid "Failed user creation."
 msgstr ""
@ -137,11 +137,11 @@ msgstr ""
 msgid "Unauthorized access."
 msgstr ""
-#: includes/openid-connect-generic-login-form.php:156
+#: includes/openid-connect-generic-login-form.php:158
 msgid "ERROR (%1$s)"
 msgstr ""
-#: includes/openid-connect-generic-login-form.php:172
+#: includes/openid-connect-generic-login-form.php:174
 msgid "Login with OpenID Connect"
 msgstr ""
@ -211,72 +211,72 @@ msgid ""
 "provider server."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:229
+#: includes/openid-connect-generic-settings-page.php:230
 msgid "Client Secret Key"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:230
+#: includes/openid-connect-generic-settings-page.php:231
 msgid ""
 "Arbitrary secret key the server expects from this client. Can be anything, "
 "but should be very unique."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:235
+#: includes/openid-connect-generic-settings-page.php:237
 msgid "OpenID Scope"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:236
+#: includes/openid-connect-generic-settings-page.php:238
 msgid "Space separated list of scopes this client should access."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:242
+#: includes/openid-connect-generic-settings-page.php:244
 msgid "Login Endpoint URL"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:243
+#: includes/openid-connect-generic-settings-page.php:245
 msgid "Identify provider authorization endpoint."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:249
+#: includes/openid-connect-generic-settings-page.php:252
 msgid "Userinfo Endpoint URL"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:250
+#: includes/openid-connect-generic-settings-page.php:253
 msgid "Identify provider User information endpoint."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:256
+#: includes/openid-connect-generic-settings-page.php:260
 msgid "Token Validation Endpoint URL"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:257
+#: includes/openid-connect-generic-settings-page.php:261
 msgid "Identify provider token endpoint."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:263
+#: includes/openid-connect-generic-settings-page.php:268
 msgid "End Session Endpoint URL"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:264
+#: includes/openid-connect-generic-settings-page.php:269
 msgid "Identify provider logout endpoint."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:270
+#: includes/openid-connect-generic-settings-page.php:276
 msgid "Identity Key"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:271
+#: includes/openid-connect-generic-settings-page.php:277
 msgid ""
 "Where in the user claim array to find the user's identification data. "
 "Possible standard values: preferred_username, name, or sub. If you're "
 "having trouble, use \"sub\"."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:277
+#: includes/openid-connect-generic-settings-page.php:283
 msgid "Disable SSL Verify"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:278
+#: includes/openid-connect-generic-settings-page.php:284
 msgid ""
 "Do not require SSL verification during authorization. The OAuth extension "
 "uses curl to make the request. By default CURL will generally verify the "
@ -285,27 +285,27 @@ msgid ""
 "sites.%2$s"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:283
+#: includes/openid-connect-generic-settings-page.php:289
 msgid "HTTP Request Timeout"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:284
+#: includes/openid-connect-generic-settings-page.php:290
 msgid "Set the timeout for requests made to the IDP. Default value is 5."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:290
+#: includes/openid-connect-generic-settings-page.php:296
 msgid "Enforce Privacy"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:291
+#: includes/openid-connect-generic-settings-page.php:297
 msgid "Require users be logged in to see the site."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:296
+#: includes/openid-connect-generic-settings-page.php:302
 msgid "Alternate Redirect URI"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:297
+#: includes/openid-connect-generic-settings-page.php:303
 msgid ""
 "Provide an alternative redirect route. Useful if your server is causing "
 "issues with the default admin-ajax method. You must flush rewrite rules "
@ -313,78 +313,78 @@ msgid ""
 "settings page."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:302
+#: includes/openid-connect-generic-settings-page.php:308
 msgid "Nickname Key"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:303
+#: includes/openid-connect-generic-settings-page.php:309
 msgid ""
 "Where in the user claim array to find the user's nickname. Possible "
 "standard values: preferred_username, name, or sub."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:309
+#: includes/openid-connect-generic-settings-page.php:315
 msgid "Email Formatting"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:310
+#: includes/openid-connect-generic-settings-page.php:316
 msgid ""
 "String from which the user's email address is built. Specify \"{email}\" as "
 "long as the user claim contains an email claim."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:316
+#: includes/openid-connect-generic-settings-page.php:322
 msgid "Display Name Formatting"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:317
+#: includes/openid-connect-generic-settings-page.php:323
 msgid "String from which the user's display name is built."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:323
+#: includes/openid-connect-generic-settings-page.php:329
 msgid "Identify with User Name"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:324
+#: includes/openid-connect-generic-settings-page.php:330
 msgid ""
 "If checked, the user's identity will be determined by the user name instead "
 "of the email address."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:329
+#: includes/openid-connect-generic-settings-page.php:335
 msgid "State time limit"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:330
+#: includes/openid-connect-generic-settings-page.php:336
 msgid "State valid time in seconds. Defaults to 180"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:335
+#: includes/openid-connect-generic-settings-page.php:341
 msgid "Enable Refresh Token"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:336
+#: includes/openid-connect-generic-settings-page.php:342
 msgid ""
 "If checked, support refresh tokens used to obtain access tokens from "
 "supported IDPs."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:341
+#: includes/openid-connect-generic-settings-page.php:347
 msgid "Link Existing Users"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:342
+#: includes/openid-connect-generic-settings-page.php:348
 msgid ""
 "If a WordPress account already exists with the same identity as a "
 "newly-authenticated user over OpenID Connect, login as that user instead of "
 "generating an error."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:347
+#: includes/openid-connect-generic-settings-page.php:353
 msgid "Create user if does not exist"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:348
+#: includes/openid-connect-generic-settings-page.php:354
 msgid ""
 "If the user identity is not link to an existing Wordpress user, it is "
 "created. If this setting is not enabled and if the user authenticates with "
@ -392,11 +392,11 @@ msgid ""
 "authentication failed"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:353
+#: includes/openid-connect-generic-settings-page.php:359
 msgid "Redirect Back to Origin Page"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:354
+#: includes/openid-connect-generic-settings-page.php:360
 msgid ""
 "After a successful OpenID Connect authentication, this will redirect the "
 "user back to the page on which they clicked the OpenID Connect login "
@ -407,71 +407,71 @@ msgid ""
 "account page."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:359
+#: includes/openid-connect-generic-settings-page.php:365
 msgid "Redirect to the login screen when session is expired"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:360
+#: includes/openid-connect-generic-settings-page.php:366
 msgid ""
 "When enabled, this will automatically redirect the user back to the "
 "WordPress login page if their access token has expired."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:365
+#: includes/openid-connect-generic-settings-page.php:371
 msgid "Enable Logging"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:366
+#: includes/openid-connect-generic-settings-page.php:372
 msgid "Very simple log messages for debugging purposes."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:371
+#: includes/openid-connect-generic-settings-page.php:377
 msgid "Log Limit"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:372
+#: includes/openid-connect-generic-settings-page.php:378
 msgid ""
 "Number of items to keep in the log. These logs are stored as an option in "
 "the database, so space is limited."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:432
+#: includes/openid-connect-generic-settings-page.php:438
 msgid "Notes"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:435
+#: includes/openid-connect-generic-settings-page.php:441
 msgid "Redirect URI"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:439
+#: includes/openid-connect-generic-settings-page.php:445
 msgid "Login Button Shortcode"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:443
+#: includes/openid-connect-generic-settings-page.php:449
 msgid "Authentication URL Shortcode"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:448
+#: includes/openid-connect-generic-settings-page.php:454
 msgid "Logs"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:527
+#: includes/openid-connect-generic-settings-page.php:534
 msgid "Example"
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:540
+#: includes/openid-connect-generic-settings-page.php:547
 msgid "Enter your OpenID Connect identity provider settings."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:549
+#: includes/openid-connect-generic-settings-page.php:556
 msgid "Modify the interaction between OpenID Connect and WordPress users."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:558
+#: includes/openid-connect-generic-settings-page.php:565
 msgid "Control the authorization mechanics of the site."
 msgstr ""
-#: includes/openid-connect-generic-settings-page.php:567
+#: includes/openid-connect-generic-settings-page.php:574
 msgid "Log information about login attempts through OpenID Connect Generic."
 msgstr ""
--- a/openid-connect-generic.php
+++ b/openid-connect-generic.php
@ -16,7 +16,7 @@
 * Plugin Name:       OpenID Connect Generic
 * Plugin URI:        https://github.com/daggerhart/openid-connect-generic
 * Description:       Connect to an OpenID Connect generic client using Authorization Code Flow.
- * Version:           3.8.1
+ * Version:           3.8.2
 * Author:            daggerhart
 * Author URI:        http://www.daggerhart.com
 * Text Domain:       daggerhart-openid-connect-generic
@ -80,7 +80,7 @@ class OpenID_Connect_Generic {
 	 *
 	 * @var
 	 */
-	const VERSION = '3.8.1';
+	const VERSION = '3.8.2';
 	/**
 	 * Plugin settings.
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
 	"name": "openid-connect-generic",
-	"version": "3.8.1",
+	"version": "3.8.2",
 	"description": "OpenID Connect generic WordPress plugin.",
 	"main": "Gruntfile.js",
 	"repository": {
@ -28,8 +28,8 @@
 		"@floatwork/grunt-po2mo": "^0.3.0",
 		"@ndigitals/grunt-checkrepo": "^0.2.0",
 		"@wordpress/env": "^1.6.0",
-		"@wordpress/scripts": "12.2.0",
+		"@wordpress/scripts": "12.2.1",
-		"check-node-version": "^4.0.3",
+		"check-node-version": "~4.1.0",
 		"grunt": "1.3.0",
 		"grunt-checkbranch": "^1.0.4",
 		"grunt-checktextdomain": "^1.0.1",
@ -38,14 +38,14 @@
 		"grunt-contrib-copy": "^1.0.0",
 		"grunt-gitinfo": "^0.1.9",
 		"grunt-shell": "^2.1.0",
-		"grunt-version": "2.0.0",
+		"grunt-version": "~2.0.0",
 		"grunt-wp-i18n": "^1.0.3",
 		"grunt-wp-readme-to-markdown": "^2.0.0",
 		"load-grunt-tasks": "^3.5",
-		"node": "^12.18.3",
+		"node": "^12.21.0",
-		"npm": "^6.14.8",
+		"npm": "^6.14.11",
 		"puppeteer": "^1.20.0",
-		"typescript": "^3.9.7"
+		"typescript": "~3.9.9"
 	},
 	"wp-env": {
 		"plugin-dir": "daggerhart-openid-connect-generic",
@ -54,26 +54,30 @@
 		"welcome-build-command": "npm start"
 	},
 	"scripts": {
-		"setup": "composer install && npm install && cd wordpress && npm install && npm run build && cd .. && composer install --optimize-autoloader",
+		"setup": "npm run setup:npm && npm run setup:composer && npm run build:wordpress",
 		"setup:npm": "npm install",
 		"setup:composer": "composer install",
 		"build": "npm run grunt build",
 		"build:wordpress": "cd wordpress && npm install && npm run build && cd .. && composer install --optimize-autoloader",
 		"release": "npm run grunt release",
 		"start": "wp-env start",
 		"stop": "wp-env stop",
 		"restart": "npm run wp-env stop && npm run wp-env start",
 		"grunt": "node_modules/.bin/grunt",
 		"test": "npm run grunt test",
 		"build": "npm run grunt build",
 		"version": "npm run grunt version",
 		"version:bump": "npm version --no-git-tag-version",
 		"check:engines": "wp-scripts check-engines",
 		"check:licenses": "wp-scripts check-licenses",
 		"wp-env": "wp-env",
 		"wp": "wp-env run cli wp",
 		"test": "npm run grunt test",
 		"i18n:check": "npm run grunt checktextdomain",
 		"i18n:make": "npm run grunt i18n",
 		"i18n:make:cli": "wp-env run cli wp i18n make-pot . languages/ --slug=daggerhart-openid-connect-generic --include=openid-connect-generic.php,includes",
 		"lint": "npm run lint:php",
-		"lint:php": "vendor/bin/phpcs --report=full .",
+		"lint:php": "composer run-script lint",
-		"lint:php:fix": "vendor/bin/phpcbf .",
+		"lint:php:fix": "composer run-script lint-fix",
 		"analyze": "npm run analyze:php",
-		"analyze:php": "vendor/bin/phpstan analyze ."
+		"analyze:php": "composer run-script analyze"
 	}
 }
--- a/readme.txt
+++ b/readme.txt
@ -4,7 +4,7 @@ Donate link: http://www.daggerhart.com/
 Tags: security, login, oauth2, openidconnect, apps, authentication, autologin, sso
 Requires at least: 4.9
 Tested up to: 5.6
-Stable tag: 3.8.1
+Stable tag: 3.8.2
 Requires PHP: 7.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@ -51,6 +51,10 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
 == Changelog ==
 = 3.8.2 =
 * Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
 = 3.8.1 =
 * Fix: @timnolte - Prevent SSO redirect on password protected posts.