Opened 2 years ago
Last modified 9 months ago
#16788 new defect (bug)
Ampersands in e-mail address become invalid
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Awaiting Review |
| Component: | Users | Version: | 3.0.5 |
| Severity: | major | Keywords: | dev-feedback needs-patch |
| Cc: | jeff@…, joachim.kudish@… |
Description
When an e-mail address contains an ampersand, WordPress improperly escapes the ampersand, invalidating the e-mail address.
Example: h&f@… becomes h&amp@…
First of all, the proper HTML entity for "&" is &amp;. Where did the extra amp come from?
Also, an ampersand is a valid character in an e-mail address and should not be escaped. Escaping it could be a completely different e-mail address.
I have not dug into the code to find out where this is happening but I'd assume in sanitize_email().
Change History (9)
comment:2
jfarthing84
— 2 years ago
Upon registration.
comment:3
ericmann
— 2 years ago
I can verify this bug exists.
Testing on WordPress 3.2-bleeding.
- Attempted to register user with email t&est@eamann.com
- User was registered with no visible errors
- Registered user is listed with email t&est@eamann.com in WordPress admin
- Mailto mouseover lists mailto:t&est@eamann.com as the link
- Editing the user lists t&est@eamann.com as the email address <- This is correct!
- Updating the user with t&est@eamann.com doesn't change any of the above behavior
comment:4
ericmann
— 2 years ago
Also, the new user email sent to the admin states the following:
New user registration on your site WordPress Test Site:
Username: thisisatest
E-mail: t&est@eamann.com
comment:5
garyc40
— 2 years ago
Network Users table doesn't have this issue. This is because in class-wp-users-list-table.php, we sanitize_user_object() before outputting user details, while in class-wp-ms-users-list-table.php, we don't. That being said, I still think it's appropriate to sanitize user object in Network Users table as well before printing out.
When user object is sanitized, user_email filter is applied on the user's email. As a result, the email address is passed through sanitize_email(), resulting in t&est@eamann.com. Now if you're in the admin panel, wp_filter_kses() will further mutilate the email address, resulting in t&ampest@eamann.com. See this code.
comment:6
garyc40
— 2 years ago
Actually, upon further investigation, sanitize_email() seems to be innocent.
Here's a more accurate recap of the process:
- User data is sanitized before being saved to the database. pre_user_email filter is applied to user_email, which passes the email to wp_filter_kses(). Here, the email address is mutilated the first time. (t&est@test.com becomes t&est@test.com)
- When the user info is displayed in wp-admin/users.php, sanitize_user_object() is called, which in turn applies user_email filter to user_email. This results in wp_kses being called when is_admin(), thus double-escaping the email address (t&est@test.com becomes t&ampest@test.com).
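The encode-on-save, encode-again-on-display sequence described in comment:6, as an added example that is not part of the ticket or of WordPress. `encode_entities()` and the other function names are hypothetical; the encoder is a stand-in built on PHP's `htmlspecialchars()`, so its output may differ from what the kses filters produce. The sample address is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an entity-encoding filter; NOT the WordPress kses code.
function encode_entities(string $value): string
{
    // double_encode=true: an ampersand that is already part of an entity is encoded again.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', true);
}

// Pattern described in the ticket: encode before saving, encode again on display.
function save_encoded(string $email): string
{
    return encode_entities($email);
}

function display_stored_encoded(string $stored): string
{
    return encode_entities($stored);
}

// Alternative: validate, store the raw address, encode once per output context.
function save_raw(string $email): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    return $email;
}

function render_html_text(string $stored): string
{
    return encode_entities($stored); // HTML context: encode exactly once
}

function render_plain_mail_line(string $stored): string
{
    return 'E-mail: ' . $stored; // plain-text mail body: no HTML encoding
}

$input = 't&est@example.com'; // constructed sample address

$bad = save_encoded($input);
printf("stored (encoded on save): %s\n", $bad);
printf("HTML after second encode: %s\n", display_stored_encoded($bad));
printf("stored value changed:     %s\n", $bad === $input ? 'no' : 'yes');

$good = save_raw($input);
printf("stored (raw):             %s\n", $good);
printf("HTML, encoded once:       %s\n", render_html_text($good));
printf("%s\n", render_plain_mail_line($good));
```

Once the stored value is entity-encoded, every consumer that is not an HTML page (the notification mail in comment:4, a lookup by address) sees a different address than the one the user entered.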
comment:7
SergeyBiryukov
— 2 years ago
- Keywords needs-patch added
comment:8
SergeyBiryukov
— 9 months ago
Related: #21537
Where is this occurring?