Password recovery key must not contain hash # character
|Reported by:||mastermind||Owned by:||anonymous|
On a site where I was registered, I tried to retrieve a new password. The activation URL was like:
When calling the URL, the WP install told me the key was invalid -- obviously, because the hash and the part thereafter are not sent to the server, but are interpreted as anchor. Encoding the hash as %23 didn't help neither; I assume this is because the respective function does not urldecode() the key.