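--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -41,7 +41,7 @@ function edit_user( $user_id = 0 ) {
 }
 
 if ( ! $update && isset( $_POST['user_login'] ) ) {
-$user->user_login = sanitize_user( $_POST['user_login'], true );
+$user->user_login = sanitize_user( wp_unslash( $_POST['user_login'] ), true );
 }
 
 $pass1 = '';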
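Review bot: The unslashed value on line 44 still reaches `sanitize_user()` with no type check, whereas the equivalent site in wp-login.php (line 1034 of this commit) guards with `is_string()` first; `wp_unslash()` walks arrays, so an array-valued `user_login` would be handed to `sanitize_user()`, which expects a string. Mirroring the other site keeps the two code paths consistent: `if ( ! $update && isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {`. The body of edit_user() starts and continues outside the hunk.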
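--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -35,7 +35,7 @@ function wp_signon( $credentials = array(), $secure_cookie = '' ) {
 $credentials = array(); // Back-compat for plugins passing an empty string.
 
 if ( ! empty( $_POST['log'] ) ) {
-$credentials['user_login'] = $_POST['log'];
+$credentials['user_login'] = wp_unslash( $_POST['log'] );
 }
 if ( ! empty( $_POST['pwd'] ) ) {
 $credentials['user_password'] = $_POST['pwd'];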
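Review bot: After this change `log` is unslashed on line 38 but `pwd` on line 41 is still taken slashed, and nothing in the hunk explains the asymmetry. If it is deliberate (presumably the stored hash was computed from the slashed value, so unslashing here would break existing logins), a comment next to line 41 should say so, e.g. `// Intentionally not unslashed: must match the form of the password that was hashed.`; otherwise the next reader will "fix" it and lock users out. wp_signon() continues outside the hunk.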
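--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -1032,7 +1032,7 @@ switch ( $action ) {
 
 if ( $http_post ) {
 if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
-$user_login = $_POST['user_login'];
+$user_login = wp_unslash( $_POST['user_login'] );
 }
 
 if ( isset( $_POST['user_email'] ) && is_string( $_POST['user_email'] ) ) {
@@ -1150,7 +1150,7 @@ switch ( $action ) {
 
 // If the user wants SSL but the session is not SSL, force a secure cookie.
 if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
-$user_name = sanitize_user( $_POST['log'] );
+$user_name = sanitize_user( wp_unslash( $_POST['log'] ) );
 $user = get_user_by( 'login', $user_name );
 
 if ( ! $user && strpos( $user_name, '@' ) ) {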
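Review bot: The guard on line 1152 still lets a non-string `log` through to the new `sanitize_user( wp_unslash( ... ) )` on line 1153, while the first hunk (line 1034) checks `is_string()` before touching `user_login`; `wp_unslash()` walks arrays, so an array-valued `log` would reach `sanitize_user()` and then the `strpos()` on line 1156 as an array. Mirror the first hunk: `if ( ! empty( $_POST['log'] ) && is_string( $_POST['log'] ) && ! force_ssl_admin() ) {`. The enclosing switch case starts and ends outside the hunk.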
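--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
@@ -35,6 +35,22 @@ class Tests_User extends WP_UnitTestCase {
 );
 self::$user_ids[] = self::$contrib_id;
 
+self::$user_ids[] = $factory->user->create(
+array(
+'user_login' => "testemailaddress'@test.com",
+'user_nicename' => 'user_email_with_apostrophe',
+'user_pass' => 'password',
+'first_name' => 'John',
+'last_name' => 'Doe',
+'display_name' => 'John Doe',
+'user_email' => "testemailaddress'@test.com",
+'user_url' => 'http://tacos.com',
+'role' => 'contributor',
+'nickname' => 'Johnny',
+'description' => 'I am a WordPress user that cares about privacy.',
+)
+);
+
 self::$author_id = $factory->user->create(
 array(
 'user_login' => 'author_login',
@@ -65,6 +81,24 @@ class Tests_User extends WP_UnitTestCase {
 $this->author = clone self::$_author;
 }
 
+public function test_that_you_can_login_with_an_email_that_has_apostrophe() {
+
+//create the user with an email that has an apostrophe (see test setup)
+
+//login as the user
+$credentials = [
+'user_login' => "testemailaddress'@test.com",
+'user_password' => 'password',
+];
+
+//attempt to login
+$user = wp_signon( $credentials );
+
+//assert that login was successfull
+//if the login fails, an instance of WP_Error is returned rather than User object
+$this->assertNotWPError( $user );
+}
+
 function test_get_users_of_blog() {
 // add one of each user role
 $nusers = array(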
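Review bot: The new test starting on line 84 only proves that `wp_signon()` did not return a `WP_Error`; it never ties the result back to the fixture created in the first hunk, so a login that resolved to some other user would still pass. Add an assertion on the returned object, e.g. `$this->assertInstanceOf( 'WP_User', $user );` followed by a comparison of `$user->user_login` with the fixture's login (confirm the apostrophe survives `sanitize_user()` in non-strict mode before pinning the literal). The comment on line 86 is stale (nothing is created there) and line 97 misspells "successful"; replace the header comment with a docblock naming the ticket, `/** @ticket <TICKET-ID> */`, and fix the typo. The `[ ... ]` array on lines 89–92 also differs from the `array()` form used everywhere else in this file (lines 39, 55, 104).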