diff --git a/10up-experience.php b/10up-experience.php index 40a13c8..064e71e 100644 --- a/10up-experience.php +++ b/10up-experience.php @@ -3,7 +3,7 @@ * Plugin Name: 10up Experience * Plugin URI: https://github.com/10up/10up-experience * Description: The 10up Experience plugin configures WordPress to better protect and inform clients, aligned to 10up’s best practices. - * Version: 1.10.2 + * Version: 1.10.3 * Author: 10up * Author URI: https://10up.com * License: GPLv2 or later @@ -19,7 +19,7 @@ use YahnisElsts\PluginUpdateChecker\v5\PucFactory; -define( 'TENUP_EXPERIENCE_VERSION', '1.10.2' ); +define( 'TENUP_EXPERIENCE_VERSION', '1.10.3' ); define( 'TENUP_EXPERIENCE_DIR', __DIR__ ); define( 'TENUP_EXPERIENCE_FILE', __FILE__ ); diff --git a/CHANGELOG.md b/CHANGELOG.md index 43372b5..6943c04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,71 +2,98 @@ All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/). +## [1.10.3] - 2023-08-15 + +- Make sure redirect_to is a string + ## [1.10.2] - 2023-07-11 -* Remove WP Acceptance -* Upgrade build process to 10up Toolkit -* Upgrade Plugin Update Checker -* Allow SSO to be turned off in the admin +- Remove WP Acceptance +- Upgrade build process to 10up Toolkit +- Upgrade Plugin Update Checker +- Allow SSO to be turned off in the admin ## [1.10.1] - 2022-09-13 + ### Fixed -* Fix bug allowing admin username user to authenticate + +- Fix bug allowing admin username user to authenticate ## [1.10.0] - 2022-09-13 + ### Added -* Added Activity Log -* Support for PHP 8.1 + +- Added Activity Log +- Support for PHP 8.1 ## [1.9.0] - 2022-03-21 + ### Added -* Bundled 10up SSO plugin into 10up Experience + +- Bundled 10up SSO plugin into 10up Experience ## [1.8.2] - 2022-02-28 + ### Fixed -* Ensure mbstring exists before using password strength checker. -* If Gutenberg is disabled, also make sure widget editor doesn't use Gutenberg. + +- Ensure mbstring exists before using password strength checker. +- If Gutenberg is disabled, also make sure widget editor doesn't use Gutenberg. ## [1.8.1] - 2021-06-28 + ### Fixed -* Fix Filtering WP List Table Views by 10up Author -* Unhide Stream menu -* Add filter around disabling X Frame header. Props [jamesmorrison](https://github.com/jamesmorrison). + +- Fix Filtering WP List Table Views by 10up Author +- Unhide Stream menu +- Add filter around disabling X Frame header. Props [jamesmorrison](https://github.com/jamesmorrison). ## [1.8.0] - 2020-12-08 + ### Added -* Improves detection of object cache drop-ins. Props [christianc1](https://github.com/christianc1). -* Adds themes to support monitor reporting. Props [tylercherpak](https://github.com/tylercherpak). -* Adds web vitals to support monitor reporting. 
Props [christianc1](https://github.com/christianc1). + +- Improves detection of object cache drop-ins. Props [christianc1](https://github.com/christianc1). +- Adds themes to support monitor reporting. Props [tylercherpak](https://github.com/tylercherpak). +- Adds web vitals to support monitor reporting. Props [christianc1](https://github.com/christianc1). ## [1.7.3] - 2020-07-20 + ### Fixed -* Fix how we retrieve WP version. -* Improve how we generate message ID for Support Monitor + +- Fix how we retrieve WP version. +- Improve how we generate message ID for Support Monitor ### Added + - Show welcome admin notification - Change API restriction to default to only restricting the users endpoint. - 10up Experience header added during author redirect to improve debugging. Props [petenelson](https://github.com/petenelson). ### Fixed + - Fix how we retrieve WP version. - Improve how we generate message ID for Support Monitor ## [1.7.2] - 2020-06-01 + ### Added + - Send object cache info to Support Monitor ### Fixed + - Fix `esc_html__` call. - Query for users across network if network activated ## [1.7.1] - 2020-05-28 + ### Fixed + - Fix number of users being queried by Support Monitor. ## [1.7] - 2020-05-21 + ### Added + - Support monitor functionality. Sends non-PII data e.g. plugin versions back to 10up. - Require strong passwords by default. This can be disabled in general settings. - Disallow reserved usernames from being used e.g. admin. 
@@ -74,66 +101,91 @@ All notable changes to this project will be documented in this file, per [the Ke - Add constant `TENUP_DISABLE_BRANDING` to disable 10up admin branding. ### Fixed + - Refactored to use classes and modern build scripts. ## [1.6.2] - 2020-04-15 + ### Added + - Changelog and License files, updated Readme (props [@jeffpaul](https://github.com/jeffpaul) via [#49](https://github.com/10up/10up-experience/pull/49), [#62](https://github.com/10up/10up-experience/pull/62)) ### Fixed + - Resolved version number mismatch between GitHub and Packagist (props [@ivankruchkoff](https://github.com/ivankruchkoff), [@jeffpaul](https://github.com/jeffpaul), [@cameronterry](https://github.com/cameronterry), [@colegeissinger](https://github.com/colegeissinger) via [#56](https://github.com/10up/10up-experience/pull/56)) - WP Acceptance environment instruction for 5.3 version test (props [@felipeelia](https://github.com/felipeelia) via [#62](https://github.com/10up/10up-experience/pull/62)) ## [1.6.1] - 2019-12-09 + ### Removed + - Option failsafes ## [1.6] - 2019-12-03 + ### Added + - Password protected post functionality turned off by default. Add a setting to "Writing" to re-enable. ### Fixed + - Rewrite rule flushing bug. 
## [1.5] - 2019-03-29 + ### Added + - WP Acceptance tests - Failsafes if temporary loss of database connection causes required options to be stored in the `notoptions` cache ## [1.4] - 2019-03-22 + ### Added + - If plugin updates via dashboard are disabled, still show notifcation that an update exists ### Removed + - 10up users from author archives ## [1.3] - 2018-11-04 + ### Added + - "Use Classic Editor" toggle to writing settings ### Fixed + - Properly call a hook as a filter, not an action ## [1.2] - 2018-09-24 + ### Added + - Use a base64-encoded admin bar icon so it can be colorized ### Changed + - Only load admin bar CSS on front-end if the admin bar is showing ### Fixed + - Ensure plugin deactivation message linebreaks are displayed correctly ## [1.1] - 2018-08-03 + ### Added + - `tenup_experience_remove_stream_menu_item` filter - `composer.json` file - `editorconfig` file ### Fixed + - Coding standard issues ## [1.0] - 2018-03-01 + - Initial release [Unreleased]: https://github.com/10up/10up-experience/compare/master...develop diff --git a/includes/classes/SSO/SSO.php b/includes/classes/SSO/SSO.php index 305e15e..6e4651d 100644 --- a/includes/classes/SSO/SSO.php +++ b/includes/classes/SSO/SSO.php @@ -297,7 +297,7 @@ public function process_client_login() { $tenup_login_failed = true; } else { $redirect_url = wp_login_url(); - if ( isset( $_REQUEST['redirect_to'] ) ) { + if ( isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) { $redirect_url = add_query_arg( 'redirect_to', rawurlencode( $_REQUEST['redirect_to'] ), $redirect_url ); }
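Review bot: In CHANGELOG.md, the new `## [1.10.3] - 2023-08-15` entry has no `### Fixed` subsection, and "Make sure redirect_to is a string" does not say which code path it concerns. Put it under `### Fixed` and name the SSO client login, so a reader can tell this is an input-handling fix. The same hunk also converts every `*` bullet to `-` and adds blank lines after headings, which buries the one real change; that restyle would be easier to review as its own commit. While the file is open, the 1.7.3 section still carries `### Fixed` twice with the same two items ("Fix how we retrieve WP version." and "Improve how we generate message ID for Support Monitor"), so one copy can go.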
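Review bot: The second CHANGELOG.md hunk (`@@ -74,66 +101,91 @@`) is whitespace only and unrelated to the redirect_to fix, and it leaves the misspelling "notifcation" in the 1.4 entry untouched. If the file is being tidied in this release, fix that spelling in the same pass; otherwise drop the blank-line changes from this commit so the security-relevant change stands alone in history.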
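Review bot: In includes/classes/SSO/SSO.php, `process_client_login()`, the new `is_string( $_REQUEST['redirect_to'] )` guard keeps an array-valued parameter away from `rawurlencode()`, but the string that passes is still the raw request value; run it through `wp_unslash()` before encoding, since WordPress adds slashes to request data. A non-string value is now dropped silently and the user is sent to the bare `wp_login_url()`, which is a sensible fallback but deserves a one-line comment explaining why the type check exists. This branch only forwards the value to the login URL, so validation of the destination has to happen wherever `redirect_to` is finally consumed; a regression test that sends a non-string `redirect_to` and asserts the plain login URL would lock the behaviour in.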