Ticket #18039: 18039.diff
| File 18039.diff, 3.9 KB (added by , 15 years ago) |
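--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2350,7 +2350,24 @@
 return apply_filters( 'attribute_escape', $safe_text, $text );
 }
 
 
+/**
+ * Escape an email address
+ *
+ * This works just like esc_html(), except that single quotes are permitted
+ *
+ * @since 3.3
+ *
+ * @param string $email The email address to be escaped
+ * @return string The escaped email
+ */
+function esc_email( $email ) {
+$safe_email = wp_check_invalid_utf8( $email );
+$safe_email = _wp_specialchars( $safe_email, ENT_COMPAT );
+return apply_filters( 'esc_email', $safe_email, $email );
+}
+
+/**
  * Escaping for textarea values.
  *
  * @since 3.1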
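Review bot: `esc_email()` on new line 2366 encodes with ENT_COMPAT, so a single quote passes through unescaped; the result is safe in HTML body text and double-quoted attributes but not inside a single-quoted attribute or a JavaScript string, and the docblock should state that rather than only "single quotes are permitted". I would add `* Safe for HTML text and double-quoted attributes; do not use inside single-quoted attributes or JavaScript.` under the description. It is also worth saying explicitly that this escapes and does not validate or normalize the address, so callers do not mistake it for a sanitizer. The `esc_email` filter on line 2367 receives the already-escaped value, so a filter can only weaken the output, which is consistent with the `attribute_escape` filter above and fine to leave as is.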
wp-admin/includes/user.php
89 89 } 90 90 91 91 if ( isset( $_POST['email'] )) 92 $user->user_email = sanitize_text_field( $_POST['email']);92 $user->user_email = sanitize_text_field( stripslashes( $_POST['email'] ) ); 93 93 if ( isset( $_POST['url'] ) ) { 94 94 if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) { 95 95 $user->user_url = ''; -
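Review bot: The new line 92 unslashes only the e-mail field, while the url branch directly below it (lines 93–95) still reads raw `$_POST['url']`; if the request has been slashed by the bootstrap, which is the premise of adding `stripslashes()` here, the url needs the same treatment wherever it is assigned, and that assignment is outside this hunk. Applying the same pattern at the point of read, e.g. `stripslashes( $_POST['url'] )`, keeps the two fields consistent. Note also that `sanitize_text_field()` does not check the address format; if the e-mail validation lives later in the function it is not visible here. The enclosing function begins and ends outside the hunk.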
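--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@@ -39,11 +39,12 @@
 check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
 $user_details = null;
-if ( false !== strpos($_REQUEST[ 'email' ], '@') ) {
-$user_details = get_user_by('email', $_REQUEST[ 'email' ]);
+$email = stripslashes( $_REQUEST['email'] );
+if ( false !== strpos( $email, '@' ) ) {
+$user_details = get_user_by( 'email', $email );
 } else {
 if ( is_super_admin() ) {
-$user_details = get_user_by( 'login', $_REQUEST[ 'email' ]);
+$user_details = get_user_by( 'login', $email );
 } else {
 wp_redirect( add_query_arg( array('update' => 'enter_email'), 'user-new.php' ) );
 die();
@@ -59,7 +60,7 @@
 wp_die(__('Cheatin’ uh?'));
 
 // Adding an existing user to this blog
-$new_user_email = esc_ html(trim($_REQUEST['email']));
+$new_user_email = esc_email( trim( $email ) );
 $redirect = 'user-new.php';
 $username = $user_details->user_login;
 $user_id = $user_details->ID;
@@ -102,7 +103,8 @@
 }
 } else {
 // Adding a new user to this blog
-$user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $_REQUEST[ 'email' ] );
+$email = stripslashes( $_REQUEST[ 'email' ] );
+$user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $email );
 unset( $user_details[ 'errors' ]->errors[ 'user_email_used' ] );
 if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) {
 $add_user_errors = $user_details[ 'errors' ];
@@ -111,9 +113,9 @@
 if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
 add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
 }
-wpmu_signup_user( $new_user_login, $ _REQUEST[ 'email' ], array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
+wpmu_signup_user( $new_user_login, $email, array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
 if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
-$key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $ _REQUEST[ 'email' ]) );
+$key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $email ) );
 wpmu_activate_signup( $key );
 $redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
 } else {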
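Review bot: New line 42 reads `$_REQUEST['email']` with no `isset()` guard (the replaced line had the same gap), so a request without that field raises a PHP notice and `$email` becomes an empty string, which for a super admin then reaches `get_user_by( 'login', $email )` on line 47 as a lookup for the empty login. Initialising defensively, `$email = isset( $_REQUEST['email'] ) ? trim( stripslashes( $_REQUEST['email'] ) ) : '';`, and treating an empty value like the missing-`@` case would close that; the second `stripslashes( $_REQUEST[ 'email' ] )` on line 106 has the same gap. Trimming once at line 42 also removes the mismatch where the lookup on line 44 uses the untrimmed value but line 63 trims it before escaping. The `'new_role' => $_REQUEST[ 'role' ]` argument on line 116 still passes the role straight from the request; whether it is validated against the editable roles before this point is not visible in the hunk. The surrounding control flow of these hunks begins and ends outside what is shown.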