WordPress.org
Get WordPress

Make WordPress Core

Ticket #18039: 18039.04.patch

File 18039.04.patch, 4.0 KB (added by boonebgorges, 12 years ago)

  • src/wp-admin/includes/user.php 

    diff --git src/wp-admin/includes/user.php src/wp-admin/includes/user.php
index 85939fa..a125f3b 100644
    function edit_user( $user_id = 0 ) { 
    6363        }
    6464
    6565        if ( isset( $_POST['email'] ))
    66                 $user->user_email = sanitize_text_field( $_POST['email'] );
     66                $user->user_email = sanitize_text_field( stripslashes( $_POST['email'] ) );
    6767        if ( isset( $_POST['url'] ) ) {
    6868                if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
    6969                        $user->user_url = '';

  • src/wp-admin/network/user-new.php 

    diff --git src/wp-admin/network/user-new.php src/wp-admin/network/user-new.php
index 04ef34a..58ea667 100644
    if ( isset($_REQUEST['action']) && 'add-user' == $_REQUEST['action'] ) { 
    3838        if ( ! is_array( $_POST['user'] ) )
    3939                wp_die( __( 'Cannot create an empty user.' ) );
    4040
    41         $user = $_POST['user'];
     41        $user = stripslashes_deep( $_POST['user'] );
    4242
    4343        $user_details = wpmu_validate_user_signup( $user['username'], $user['email'] );
    4444        if ( is_wp_error( $user_details[ 'errors' ] ) && ! empty( $user_details[ 'errors' ]->errors ) ) {
    4545                $add_user_errors = $user_details[ 'errors' ];
    4646        } else {
    4747                $password = wp_generate_password( 12, false);
    48                 $user_id = wpmu_create_user( esc_html( strtolower( $user['username'] ) ), $password, esc_html( $user['email'] ) );
     48                $user_id = wpmu_create_user( esc_html( strtolower( $user['username'] ) ), $password, sanitize_email( $user['email'] ) );
    4949
    5050                if ( ! $user_id ) {
    5151                        $add_user_errors = new WP_Error( 'add_user_fail', __( 'Cannot add user.' ) );

  • src/wp-admin/user-new.php 

    diff --git src/wp-admin/user-new.php src/wp-admin/user-new.php
index 6b18ad5..e7a084e 100644
    if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) { 
    4141        check_admin_referer( 'add-user', '_wpnonce_add-user' );
    4242
    4343        $user_details = null;
    44         if ( false !== strpos($_REQUEST[ 'email' ], '@') ) {
    45                 $user_details = get_user_by('email', $_REQUEST[ 'email' ]);
     44        $user_email = stripslashes( $_REQUEST['email'] );
     45        if ( false !== strpos( $user_email, '@' ) ) {
     46                $user_details = get_user_by( 'email', $user_email );
    4647        } else {
    4748                if ( is_super_admin() ) {
    48                         $user_details = get_user_by('login', $_REQUEST[ 'email' ]);
     49                        $user_details = get_user_by( 'login', $user_email );
    4950                } else {
    5051                        wp_redirect( add_query_arg( array('update' => 'enter_email'), 'user-new.php' ) );
    5152                        die();
    Please click the following link to confirm the invite: 
    112113                }
    113114        } else {
    114115                // Adding a new user to this site
    115                 $user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $_REQUEST[ 'email' ] );
     116                $new_user_email = stripslashes( $_REQUEST['email'] );
     117                $user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $new_user_email );
    116118                if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) {
    117119                        $add_user_errors = $user_details[ 'errors' ];
    118120                } else {
    Please click the following link to confirm the invite: 
    127129                        if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
    128130                                add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
    129131                        }
    130                         wpmu_signup_user( $new_user_login, $_REQUEST[ 'email' ], array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
     132                        wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
    131133                        if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
    132                                 $key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $_REQUEST[ 'email' ] ) );
     134                                $key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
    133135                                wpmu_activate_signup( $key );
    134136                                $redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
    135137                        } else {