Ticket #38744: 38744-fixes.diff

.gitignore

@@ -72 +72 @@
 *.diff
 .svn
 !/src/js/_enqueues/vendor
+/nbproject/private/
+ No newline at end of file

src/wp-admin/includes/user.php

@@ -41 +41 @@
         }
 
         if ( ! $update && isset( $_POST['user_login'] ) ) {
-                $user->user_login = sanitize_user( $_POST['user_login'], true );
+                $user->user_login = sanitize_user( wp_unslash( $_POST['user_login'] ), true );
         }
 
         $pass1 = $pass2 = '';

src/wp-includes/user.php

@@ -35 +35 @@
                 $credentials = array(); // Back-compat for plugins passing an empty string.
 
                 if ( ! empty( $_POST['log'] ) ) {
-                        $credentials['user_login'] = $_POST['log'];
+                        $credentials['user_login'] = wp_unslash( $_POST['log'] );
                 }
                 if ( ! empty( $_POST['pwd'] ) ) {
                         $credentials['user_password'] = $_POST['pwd'];

src/wp-login.php

@@ -796 +796 @@
 
                 if ( $http_post ) {
                         if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
-                                $user_login = $_POST['user_login'];
+                                $user_login = wp_unslash( $_POST['user_login']);
                         }
 
                         if ( isset( $_POST['user_email'] ) && is_string( $_POST['user_email'] ) ) {
@@ -904 +904 @@
 
                 // If the user wants SSL but the session is not SSL, force a secure cookie.
                 if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
-                        $user_name = sanitize_user( $_POST['log'] );
+                        $user_name = sanitize_user( wp_unslash( $_POST['log'] ));
                         $user      = get_user_by( 'login', $user_name );
 
                         if ( ! $user && strpos( $user_name, '@' ) ) {